Why EPIC is Suing the Department of Education –and Why They Should Win   Leave a comment

The U.S. Department of Education has been sued.

EPIC (The Electronic Privacy Information Center) sued the Dept. of Education– for 30+ reasons.  Good reasons.  Read them!  http://epic.org/apa/ferpa/EPIC-FERPA-Complaint.pdf

EPIC (Electronic Privacy Information Center)

The lawsuit is happening under the Administrative Procedure Act and says the Dept. of Education exceeded its statutory authority and acted out of accordance with law.

EPIC (Electronic Privacy Information Center)

The Department of Education has answered the suit:


The Dept. of Education doesn’t defend itself very well in the above link/answer.  The Dept. of Ed doesn’t even claim it did act in accordance with law.  The Dept. of Education just replied that that EPIC “lacks standing to bring these claims.”  Oh, what a weak answer.  So the claims are right, but EPIC can’t be the one to say so?  HELLO, Congress, where are you?!

Congress wrote FERPA in the 1970s.  We need Congress to defend this family privacy law now.  The reasons that Congress and the State of Utah created strong FERPA policies in the first place were wise and wonderful.

I spoke with Marc Rotenberg, Esquire, today, from EPIC.  He told me that they are working through August on briefs and that I could get more information on the lawsuit from Khalia Barnes, the point person on this case.

I will keep you posted when I hear from her.

Until then, let me share what I do know so far, about the reasons that EPIC (Electronic Privacy Information Center) is suing the federal government over the new Jan. 2012 FERPA regulatory changes.

This interesting document http://epic.org/privacy/student/EPIC_FERPA_Comments.pdf  was submitted by EPIC, when the new FERPA regulations were just a proposal last year –before the Obama-Duncan administration made the federal FERPA regulatory changes in January 2012, without Congressional approval or knowledge.  This document is also a succinct explanation of what’s wrong with Obama-Duncan (executive branch) changing FERPA regulations without getting Congress to approve it and make it a real law, rather than just an unapproved regulation.


It says:

On I.D. Numbers:

“Congress has explicitly limited ‘directory information’ to: the student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.

The agency proposes to add student ID numbers.”

On the unlawful release of student data:

Congress “prohibits the nonconsensual release of students’ educational records, including the ‘personally identifiable information contained therein.’ Congress imposed this ‘direct obligation’ under the law ‘to protect the privacy of [student] records by preventing unauthorized access by third parties.’ Congress also provided specific exemptions in FERPA.The ED’s proposals expand a number of FERPA’s exemptions, reinterpreting the statutory terms “authorized representative,” “education program,” and “directory information.”

These proposals remove affirmative legal duties for state and local educational facilities to protect private student data.

On SLDS tracking (State Longitudinal Data Systems) tracking:

“Congress has yet to alter its stance on FERPA legislative safeguards, a prerequisite for the agency’s tracking of ‘soft data’ and other non-academic characteristics, charting them with SLDS, and sharing the results with non-academic institutions.”

On redefining terms that used to protect us:

The agency aims to stretch the term “authorized representatives” past its breaking point, designating non-governmental actors as “representatives” of state educational institutions… authorized representatives would not be under the direct control of the educational authorities that provide them access to private student data.”

On allowing almost anyone to call themselves an educational program with rights to access data:

The new FERPA regulations … [now call] …”educational programs” any single “program” that is principally engaged in the provision of education, including, but not limited to early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, regardless of whether the program is administered by an education authority.

Foreshadowing the ED’s lax enforcement of this provision, the agency provides an example that fails even to fall within its own expansive list: “[f]or example, in many States, State-level health and human services departments administer early childhood education programs, including early intervention programs.

On effectively forcing parents of sick children to give up their privacy rights:

For parents struggling to meet the needs of developmentally disadvantaged child during an economic recession, these regulations would present a Hobson’s choice: forego government assistance that can help your child or expose intimate information about the child, and furthermore your entire “living situation,” to any number of newly appointed and barely regulated “authorized representatives.” The agency states that “education may begin before kindergarten and may involve learning outside of postsecondary institutions.”

In conclusion, the EPIC comments said:

Proper interpretations of FERPA would, at a minimum: (1) recognize the clearly stated and legally binding intent Congress expressed in FERPA that prioritizes the protection of student data and restricts uses for non-academic purposes; (2) restrict “authorized representatives” to regulated entities that are under direct agency control via Congress’s FERPA funding sanctions; (3) propose only specific expansions of “educational programs” that are justified by recent educational developments and solely engaged in educational purposes; and (4) precede any expansion of third party access to student information with a comprehensive security assessment that doing so will not alter any baseline risk of identity theft, student re-identification, or unlawful disclosure of sensitive student data. EPIC anticipates the agency’s specific and substantive responses to each of these proposals. The current NPRM is contrary to law, exceeds the scope of the agency’s rulemaking authority, and should be withdrawn.


Comments are welcome here.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: