MEMBER QUESTION

As we transformed to fully/largely remote learning and pulled all student work and interactions onto Google platforms, a question has arisen about the intersection between student privacy and parent access to student accounts. Currently, if a parent is given their child's google log in information, they will have access to far more than ever in the past. Because of authentication agreements, library records, database access, all stored documents, any Google classroom the student is enrolled in, classlists for those classrooms, comments from teachers, peer work on group projects...this is likely not an exhaustive list!

My 2 biggest areas of concern are 1) access to library check outs and 2) ability to see that a student is enrolled in a classroom for the Gay Straight Alliance (GSA) at the school and the entire class list of other members.

I am told by my administrators that FERPA allows for parents to be given student log in information. The RAQ, post "Topic: Patron Confidentiality in School Libraries - 5/6/2019" gave very good information but both the online aspect and the myriad of elements that are exposed with that single password compel me to seek more details. Thank you!

WNYLRC ATTORNEY'S RESPONSE

Thank you for this careful and thoughtful question.  As we rush to migrate education to online, the small details can get overlooked.  As the member writes, information that used to be safeguarded in physical files or with separate passwords is increasingly accessible via a "one-stop shop."

Depending on the type of information involved, any number of ethical, privacy, and legal concerns can be impacted.

In this question, the member focuses on two types of information: library records, and FERPA-protected "education records."

For library records, there is an overlap of legal concerns—an overlap that was thoroughly discussed in the 5/6/19 answer the member cites.  In that reply, we established that depending on how a school/school library is set up, parent/guardian access to this information might be allowed--but it’s a question that should never be left to chance (it should always be answered by a school’s FERPA and library privileges policies).

To that answer, and considering the spirit of the times, I'd simply add: any librarian out there, operating in elementary and secondary education, should be lauded when they raise privacy concerns.  Librarians should work with IT departments and procurement professionals to ensure data management and automation enable the separately governed access to a student's library records.  Even when access is legally allowed by a system, it is still good to emphasize the privacy of library records.

Here are several examples of how this can be done:

• Including privacy considerations in “Requests for Proposals” (RFP’s) and quotes for automation and other data management software that will hold library or student records;
• Training both library and IT staff to keep the division of different types of records with different access parameters at top of mind (“Remember, library records aren’t just protected by FERPA and ED 2-d”);
• Ensuring that release and parental permission forms distinguish between and properly govern access to different types of records;
• When making quick changes based on pandemic exigencies,^[1] ensuring at least one person is tasked with assessing if the implementation conforms with applicable institutional ethics, policies, and privacy regulations.
• Using deliberate awareness tools, such as a pop-up window that appears prior to enabling access to library files, saying "Student library records are confidential under state law.  Only properly authorized parties should view these records," is a good way to distinguish access to library information from other education records.^[2]

For any educator reading this and thinking “Uh-oh,” if the horse is out of the barn, it is never too late to adopt some retroactive corrections.  When parental access is as plenary as the member describes, if there is a confirmed issue (such as access to one student’s enrollment records leading to access to all students’ enrollment records^[3]) working with IT to address the specific utility hosting that information, and how it can be further locked down, is the only solution.

There will be times when addressing an issue like the ones raised by the member is simply not within the authority of the person concerned.  A concerned librarian or educator might even find themselves rebuffed when they try to ring the alarm! When that happens, it is time to kick it upstairs.  Each school should have a FERPA officer, and at least one senior administrator whose role is associated with enforcing a code of ethics or policies on privacy.  Concerns of this type are all appropriate to direct to such an administrator.

No one engineers a FERPA or privacy violation on purpose, but unwitting violations can happen when the learning environment has to change fast.  Being alert and ready to identify and correct concerns as soon as they emerge is critical.  Thanks for a solid question that shows how it's done.