On March 12, 2020, the US Department of Education (ED) released FAQ guidance for all schools subject to the student privacy requirements of the Family Educational Rights and Privacy Act (FERPA) related to implementing plans to react to the COVID-19 pandemic. This guidance is applicable to both K-12 and postsecondary schools.
The FAQ directs school officials to “work with their state and local public health officials to determine the information needed to address this public health concern. Understanding how, what and when information can be shared is a critical part of preparedness.”
A primary focus of the FAQ is to provide additional information regarding the health and safety exception to FERPA’s general rule that student (or parent) consent is required before disclosing personally identifiable information (PII) to third parties.
Institutions have broad discretion to use reasonable judgment on disclosures
Although FERPA requires that an institution have concerns about a specific (and not general) health or safety threat, given current conditions caused by COVID-19 across the US it is likely that most institutions currently meet this standard if they determine that sharing of PII with appropriate state or local health officials is in the interest of mitigating the risk to students or others in the community.
ED reiterates prior guidance that it “will not substitute its judgment for that of the educational agency or institution so that the educational agency or institution may bring appropriate resources to bear on the situation, provided that, based on the information available at the time of the educational agency’s or institution’s determination, there is a rational basis for such determination.”
FERPA permits the sharing of de-identified and aggregate information
Even if an institution determines that the health and safety exception is not an appropriate rationale for sharing of PII in a particular instance, ED reminds schools that FERPA does not prohibit the sharing of de-identified or aggregate information so long as it is not reasonably identifiable to an individual or small group of individuals.
Notifications in instances where a student or staff member tests positive for COVID-19
ED generally recommends that institutions not share PII of a student who tests positive or is otherwise suspected of having COVID-19 or any disease except as appropriate for health or safety emergencies or to medical personnel as set forth above.
General notices to parents, staff or community members should be on a de-identified basis to the maximum extent possible. However, schools may use discretion to notify limited individuals if they determine that particular students have had close contact with a diagnosed individual.
Note that FERPA does not apply to teachers or staff members. However, state employment and medical privacy laws may also impact the ability to share information on an identifiable basis.
Privacy in an online learning environment
In response to the pandemic, many institutions are rapidly moving to shift from classroom to online learning environments. Importantly, institutions must make sure that they are taking data privacy and security considerations into account when moving into an online environment. This includes taking steps designed to ensure the security of sensitive data transmitted electronically. Watch for our forthcoming post on data privacy in an online environment, which will also include links to our previous posts on this topic.
As institutions build out their response to COVID-19, they should make sure that they have a written policy setting out criteria for the sharing of student PII with state and local officials, medical personnel and others in the community. This policy should be appropriately communicated to relevant staff members and assessed at regular intervals given the constantly changing facts on the ground.