School districts must consider the sanctity and privacy of data they maintain, as a recent decision underscores from the New York State Education Department’s Office of the Chief Privacy Officer. This alert explains the recent decision, a prior guidance opinion and considerations for school districts going forward.

In Re North Shore: FERPA, Education Law 2-d and Directories

In Re North Shore was issued December 1, 2021. It examined the interplay between education records protected under Education Law 2-d and directory information under FERPA.

Education Law 2-d relies on the FERPA definition of personal information in a student record, defined as:

“(a) The student’s name; (b) The name of the student’s parent or other family members; (c) The address of the student or student’s family; (d) A personal identifier, such as the student’s social security number, student number, or biometric record; (e) Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name; (f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or (g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.” [34 CFR § 99.3]

FERPA protects this information from disclosure unless: 1) there is proper consent to the disclosure for the student who is the data subject; 2) the disclosure falls into certain predefined exceptions; or 3) the information has previously been designated by the District as “Directory Information.”

This last method is usually achieved by designating the information as “Directory Information.”

FERPA defines Directory Information to include:

Information contained in an education record of a student which would not generally be considered harmful or an invasion of privacy if disclosed. It includes, but is not limited to, the student's name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended. [34 CFR § 99.3]

Directory Information may be disclosed if parents and eligible students are advised of:

• The types of information being designated as directory information
• The right to object or refuse the disclosure of the information for their child
• The time period within which this objection must be made after the scope of directory information has been published.

New York State Education Law 2-d adds a fourth standard for security and privacy:

• The disclosure must benefit students and the education See Education Law § 2-d(5)(b)(1).

Months prior to In Re North Shore, on August 5, 2020, NYSED’s Chief Privacy Officer (CPO) issued a guidance opinion on the interplay between FERPA and Education Law 2-d in the context of a FOIL request. There, the request sought primarily Directory Information, but the CPO opined a response would not benefit either the student or the District. The CPO found providing the full name, mailing address, date of birth and optional phone number of recent graduates to an alliance seeking to educate these students about their right to vote did not meet the additional test of “benefit to the student or education agency” to warrant the disclosure even though this information had previously been identified as Directory Information under FERPA.

Disclosure of Directory Information

The importance of “benefit to student and District” was further explained in In Re North Shore. There, the District released the names of students’ parents to the teachers’ union in response to a FOIL request. In this instance, the CPO found parent names were not listed as directory information; and the notice identifying directory information never disclosed that any of the information listed as directory information would be used for the political purpose of a district vote.

These decisions are interesting because in the earlier advisory opinion, the CPO emphasized the final test of benefit to the student and education agency as the defining test to determine whether education records could be released for use in an election whereas in the more recent In re North Shore opinion, the focus was on prior notice to data subjects on how their information would be used.

These recent opinions offer helpful guidance to school districts. It behooves districts to carefully review and update its notice provided to parents and eligible students when defining the data elements that comprise Directory Information as well and the listed purposes for which the information will be disclosed.

It is clear that the decision of In re North Shore and the August 2020 guidance opinion will be relied upon by the CPO to determine the appropriateness of any disclosure of this information. Practically, the more types of information identified as Directory Information in the notice and the broader its allowed purposes for disclosure are defined, the less risk a District will face following any disclosure.

Broad definitions of Directory Information limit liability following a security incident since the types of information most likely to be exposed will have previously been identified as information that is publicly available. Clearly some information, such as social security numbers or financial information could and should not be identified as Directory Information. Where possible, Districts should consider describing these data elements broadly (while recognizing that FOIL requests could ask for directory information).

Data privacy and security obligations are changing daily.