The U.S. Education Department failed to conduct timely, effective investigations of potential violations of the nation’s main student-data-privacy law, allowing a years-long backlog of unresolved cases to pile up without any mechanism for effectively tracking the number or status of the complaints it received.
That’s according to a scathing new audit from the department’s own Inspector General, released this week.
According to the audit, the department’s privacy office in September 2017 had on its books 285 open investigations of complaints made under the Family Educational Rights and Privacy Act, or FERPA.
Nearly a third of those complaints were more than two years old, the audit found. In 31 cases during the 2017 fiscal year, the department completed investigations, but failed to officially close them, because the necessary paperwork was left to languish on managers’ desks for as long as eight months. Even the two-dozen investigations the office did officially close took an average of more than two years to complete.
“The Privacy Office is not meeting its statutory obligation to appropriately enforce FERPA and resolve FERPA complaints,” the Inspector General concluded. “Complainants’ privacy rights are also not appropriately protected as FERPA intends.”
Privacy advocates said the findings validate longstanding criticism of a process that has for years left parents frustrated and infuriated.
“They’ve felt completely left in the lurch,” said activist Leonie Haimson, the co-chair of the Parent Coalition for Student Privacy. “Parents have these very serious complaints about their kids’ privacy having been violated, and they go through the trouble of filing complaints, but they just sit for years without any kind of substantive response.”
The Inspector General’s report included a number of recommendations for improvement, including allocating “appropriate resources” to FERPA enforcement, implementing modern software to track complaints, and halting the practice of designating some cases as indefinitely inactive.
Department officials said they agreed with the suggestions and have already begun taking steps to address the problems.
Education Secretary Betsy DeVos “takes the recommendations in the OIG’s report seriously and is committed to ensuring the resources and mechanisms are in place for the Department to meet its legal obligation under FERPA,” department spokeswoman Elizabeth Hill said in a statement.
Enforcing FERPA
Passed in 1974, the Family Educational Rights and Privacy Act gives parents the right to access their children’s educational records and to seek changes in records they believe to be inaccurate.
Under the law, schools must generally obtain written consent before releasing any part of a student’s educational record to third parties, although a number of exceptions apply.
According to the Inspector General audit, FERPA violations can harm children by exposing them to bullying or harassment, damaging their chances of graduating or finding employment, or by allowing their personal information to be improperly shared with vendors or other third parties.
Because of such risks, parents who believe their child’s FERPA rights have been violated have the right to file complaints with the U.S. Education Department. Such complaints could focus on instances in which an individual student believes that his or her personal information was improperly shared, for example. Or, the complaints could be more wide-reaching, as in a recent case involving Pennsylvania’s Agora Cyber Charter School, which was found to have been improperly demanding that its 8,000 students waive their FERPA rights as a condition of enrollment.
The education department is required by law to have an office charged with processing and investigating those complaints.
For decades, though, there has been a massive backlog, according to the Inspector General audit. The Agora case, for example, took five years to resolve.
Reasons for the delays include insufficient staff and resources, unresolved policy issues, and increasing volume and complexity of complaints, the audit found.
The Inspector General also criticized the department’s privacy office for not sufficiently prioritizing its enforcement role.
In 2015, for example, the office received authority to hire five new staff members, but ultimately assigned the majority of them to work on providing states and school districts with FERPA-related technical assistance, training, and policy guidance.
“Although these other FERPA activities are important and can lead to fewer complaints in the future, it is critical that the privacy office focus its attention to timely and effectively resolve FERPA complaints,” the audit reads.
That raised concerns from some in the education world, who said the best approach would be to make sure that enforcement and technical-assistance work both get the resources they need.
“We don’t think the solution is to rob Peter to pay Paul,” said Paige Kowalski, an executive vice president for the Data Quality Campaign.
“A complaint is often the only recourse a parent has when they feel their child’s privacy has been violated,” she said. “But the department will never get ahead of its backlog if it’s not also effectively delivering supports.”
‘A Massive Loss of Trust’
In the meantime, though, the problems caused by the backlog have been far-reaching, said Amelia Vance, the director of education privacy and policy counsel at the Future of Privacy Forum, a Washington think tank.
“There’s been a massive lost of trust, and a massive assumption that FERPA is toothless because of a lack of concrete enforcement actions,” Vance said.
The department, for example, has never exercised its right to cut off all federal funds to a school or district as the result of FERPA violations, she said. Nor have any third parties, such as vendors, been banned from working with schools for up to five years, as the law allows.
Vance also called it “mind-boggling” that privacy officials in the education department were unable to tell the Inspector General how many open cases they had, the result of not having any real system for tracking the complaints prior to 2017.
Still, there have been signs of recent progress.
In recent months, Secretary DeVos has moved to reorganize the department’s privacy functions and direct staff to focus their efforts on reducing the backlog of FERPA complaints. According to Hill, the education department spokeswoman, there has been a 43 percent reduction in the number of pending cases since May.
The Inspector General’s report also included a detailed response from Denise L. Carter, the acting assistant secretary in the department’s Office of Management, which oversees the privacy office.
The department generally concurred with the findings and its recommendations. Carter wrote:
- Additional staff have already been reassigned to assist with processing FERPA complaints. The director of the compliance office was replaced with someone with “extensive FERPA expertise” and project-management experience.
- The Office of Management is currently working to identify and implement a new complaint-tracking system. It will also soon begin using a new performance-management dashboard system to better track the work of the office as a whole, as well as individual staff.
- Complaints will no longer indefinitely be designated as “inactive,” and cases that were previously coded in that way have already been re-examined and addressed.
- Multiple steps have been taken to improve communication with parents who file FERPA complaints, including automating the processes of letting people know their complaints have been received and dismissed.
- The department is moving towards evaluating and responding to complaints based on their seriousness and the risks they present, rather than based solely on when they come in.
And, notably, the department agreed with the Inspector General that it should begin conducting “self-initiated” investigations in response to potential FERPA violations, rather than solely working in response to parents’ complaints.
The first such investigation has already begun, the department acknowledged, although a request for details went unanswered.
Even if such action results only in a letter telling a school or third party not to engage in specific conduct anymore, that would be valuable, Vance said.
“It can be a lesson for everyone else in the country,” she said. “This is what FERPA does and does not allow.”
See also:
Reorganization of U.S. Ed. Department’s Privacy Office to Take Effect in Early 2019
Beyond FERPA: Five Tips For Protecting Student Data
Stronger Data-Privacy Protections for Students and Teachers Needed, Report Argues