The Michigan Daily article “Accidental grade leak a breach of federal law” failed to mention a little-known but key fact about these regulations. It also provides an important opportunity to consider the University of Michigan’s failure to establish a culture that values student privacy.
The Family Educational Rights and Privacy Act, which governs the privacy of educational records, is a largely toothless piece of legislation. If a university violates FERPA, it’s up to the Department of Education to ensure the university modifies its behavior. It can do so only by threatening to remove federal funding, which it can do only if the university refuses to comply.
What are the chances the federal government is going to deprive a university of funding for biomedical research and student financial aid over a privacy violation? According to the Student Press Law Center, there hasn’t been a single case of a university losing such funding. Courts have ruled that students whose privacy rights have been violated have no right to sue their educational institutions. This removes the University’s strongest incentive to ensure privacy rights are protected — liability.
We already live in an educational system too encumbered by bureaucracy and fears of liability. To add to this would be dangerous. This isolated accidental disclosure of students’ grades in a single course, while unfortunate, shouldn’t lead to hundreds of lawsuits against the University. But the weakness of these laws does encourage a perfunctory and often cavalier attitude to privacy, as two other recent incidents show.
For many years, the University’s online directory publicly revealed students’ memberships in e-mail lists. While some list memberships were relatively innocuous, others — such as memberships in LGBT, religious and political e-mail lists — deserved privacy. After the new MCommunity directory made this problem more visible, it took the University’s IT department months to acknowledge and fix the problem. When I contacted the IT department July 2011, I met a wall of intransigence, and only after significant pressure from the faculty senate were improvements made. Worse yet, these problems had been known for almost a decade.
A second example of the University’s facile attitude to student privacy occurred when it released GSI evaluations under a FOIA request from the Daily in winter 2011. The university had an obligation to protect the privacy of its graduate student instructors, whose teaching often forms a crucial part of their education as future professors.
Many of these evaluations should have been protected from an FOIA request by FERPA, since they constituted educational records for those who teach as part of their educational program. When I contacted the University’s legal counsel about this last year, they admitted that they failed to screen for this. Had FERPA been stronger — if, for example, the University would have been liable to lawsuits from GSIs — or, more importantly, if the University had a culture that truly respected privacy, these mistakes might not have been made.
A slightly stronger FERPA might help matters more than it hurts, but universities like Michigan should hold themselves to a higher standard than the federal regulations anyway. We don’t need more red tape or more antagonism between the various members of the community.
Rather, we need a culture where all parts of the university work together to uphold the University’s core values, values that must include privacy along with academic freedom, education and the pursuit of knowledge.