March 11, 2005
J. Chris Toe, Ph.D.
1133 15th Street, NW, Suite 300
Washington, DC 20005
Complaint No. XXXX
Family Educational Rights and Privacy Act
Dear Dr. Toe:
This is to inform you of our finding in the complaint filed by [Student] (Student) alleging that Strayer University (University) violated rights afforded to her under the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g and 34 CFR Part 99. Our letter dated September 8, 2004, notified you that the Student had filed a timely complaint with this Office alleging that [Employee], an employee of the University at its Montgomery County, Maryland campus, accessed the University's computerized database, without the Student's consent, in order to obtain personal information about the Student, such as her name, address, date of birth, height, weight, and drivers license number, for use in filing a personal complaint against the Student with the local police. Your October 4, 2004, response provided the following additional information:
1) [Employee] and the Student had a disagreement on November 17, 2003, regarding student use of the admissions office fax machine. Two days later, on November 19, [Employee] and the Student "exchanged unpleasantries and [Student] allegedly threw a brass business cardholder at [Employee]. [Employee] felt threatened and called the police to report the incident."
2) [ ], Regional Director for the University's Maryland campuses, spoke with the Student on November 19, 2003, and advised her to continue her courses but avoid the admissions office where [Employee] worked. Unfortunately, [Employee] and the Student continued to bother each other and had minor disagreements in early December of 2003.
3) On December 19, 2003, the University convened a meeting to attempt to resolve the situation. In attendance were the Student; [Employee]; [ ], Vice President of Human Resources; [ ], Dean of Student Affairs; [ ]; [ ], Campus Manager of the Montgomery County Campus; [ ], Campus Dean of the Montgomery County Campus; the Student's sister, [ ]; and the Student's attorney. University representatives reviewed all incidents in detail and determined that both [Employee] and the Student demonstrated poor behavior.
4) Shortly after the December 19 meeting, [Employee] dropped the assault charges against the Student. The Student then filed a civil suit against [Employee] in the District Court of Maryland alleging that [Employee] falsely accused her of assault. The Student's civil suit was subsequently dismissed on the merits.
Included with your October 4, 2004, letter were a copy of the following documents:
1) [Employee]'s position description (Admissions Assistant);
2) Event Report prepared by the Montgomery County, Maryland, Department of Police dated November 20, 2003, summarizing [Employee]'s assault allegations against the Student;
3) Supplement to the Event Report prepared by the Montgomery County, Maryland, Department of Police dated December 16, 2003, indicating that the Student was charged with second degree assault and trial in district court was set for January 30, 2004;
4) Excerpts from the University's 2004 Catalog containing its "Notice of Crime on Campus";
5) Excerpts from the University's 2004 Student Handbook that contains its "Release of Student Information Policy"; and
6) "Dear Students" email dated October 1, 2003, from the University regarding the same "Release of Student Information Policy."
Your October 4, 2004, letter states that the University did not violate FERPA for the following reasons:
1) While University policy is to encourage employees to call 911 if they feel unsafe at any time while on campus, [Employee] did not inform the University prior to filing the police report against the Student. [Employee]'s actions with regard to the criminal complaint were her own and not those of the University.
2) If [Employee] used the University's computer system to assist her in filing this report, these actions were not authorized by the University. However, there is no evidence that [Employee] in fact used the University computer system for this purpose.
3) Even if [Employee] used the University's computer system and was authorized by the University to do so, this action, along with [Employee]'s subsequent redisclosure of information about the Student to the police department without the Student's consent does not violate FERPA because [Employee] was a "school official" with a "legitimate educational interest" as defined under § 99.31 of the FERPA regulations. In particular, [Employee] served as an admissions assistant for the University, and accessing the University's computer system is specified as one of the duties of this position.
4) [Employee]'s actions were also authorized under § 99.31(a)(10) of the FERPA regulations because the Student's alleged assault on [Employee] constituted a "health or safety emergency." You explained that "[t]he safety of the University's students and employees is of the utmost importance and criminal behavior of any form on University property is not tolerated. The University does not hesitate to call the police if it has reason to suspect any person poses a danger to the campus community." The police report filed by [Employee] indicates that [Employee] had a bruise on her right chest from the incident. The investigating police officer found the account sufficiently credible to file a report and issue a warrant for the Student, and the University regards disclosure of basic identifying information about the Student to the police in these circumstances to constitute a "textbook case for a 'health or safety emergency.'"
5) Information that [Employee] provided to the police about the Student was limited to the Student's name; date of birth; estimated height and weight; eye color; hair color; and address. You stated that the University does not maintain information on the height, weight, and eye and hair color of its students and that, therefore, [Employee] likely provided this information based on her own observations.
6) The Student's driver's license number is not indicated anywhere on the police report, as the Student alleged. Further, the University does not maintain this information on its students.
7) The University takes its obligations under FERPA very seriously and makes a concerted effort to educate both students and staff regarding this important legislation. FERPA notices are provided to students as required and requests to restrict the release of directory information are processed by the records department and indicated in the University's computer system. Requests for release of student information are approved by either the University's records department or legal counsel.
In response to follow-up questions from this Office, on February 4, 2005, the University provided additional information about its directory information policies and indicated that at some point the Student opted-out of directory information disclosures. The University noted again that the Student's driver's license number does not appear in any police reports concerning this matter and clarified that it does not maintain student driver's license numbers in the computer system to which [Employee] had access. University did not inquire whether
[Employee] used the University's computer system to access information about the Student during its December 19, 2003, meeting with the Student, and [Employee] is no longer employed by the University.
FERPA provides that an educational agency or institution may not have a policy or practice of disclosing education records, or personally identifiable information from education records other than directory information, without the prior written consent of a parent or eligible [Student], except as provided in § 99.31 of the regulations. 20 U.S.C. § 1232g(b)(1) and (b)(2); 34 CFR § 99.30(a). (An "eligible student" is one who is at least 18 years of age or attends a postsecondary institution. See 34 CFR § 99.3.) "Education records" are defined as records that are 1) directly related to a student; and 2) maintained by an educational agency or institution or by a party acting for the agency or institution. See 34 CFR § 99.3. "Disclosure" means "to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records to any party, by any means, including oral, written, or electronic means." See 34 CFR § 99.3.
One of the exceptions to the prior written consent requirement in FERPA allows an agency or institution to disclose certain information that has been designated as "directory information" accordance with § 99.37 of the regulations. "Directory information" includes a student's name, address, date of birth, and other information that generally is not considered harmful or an invasion of privacy if disclosed. See 34 CFR § 99.3 ("Directory information"). However, students have a right to block or opt-out of directory information disclosures under § 99.37(a)(2).
The Student alleged that [Employee] accessed the University's database and obtained personal information including the Student's name, address, date of birth, height, weight, and driver's license number for use in filing the police report in question. This information is considered part of the Student's education records to the extent that the University maintains it in its computerized database or elsewhere.
The Event Report and Supplement prepared by the police department contain the Student's name; address; race; sex; date of birth; estimated height; estimated weight; eye color; length and color of hair; description of facial hair; and description of clothing. Neither document contains the Student's driver's license number. The University stated that it does not maintain information on its students' height, weight, and eye and hair color and, therefore, we conclude that if [Employee] provided this information to the police, it was based on own personal knowledge or observations and not the Student's education records. Similarly, we conclude that [Employee] did not obtain the Student's driver's license number from the University's database and disclose it to the police, as alleged, both because that information does not appear on any of the police reports and because it was not maintained in any system to which [Employee] had access. While [Employee] did have access to the Student's name and race in the University's database, we are unable to conclude that [Employee] obtained and disclosed this information from the Student's education records rather than [Employee]'s own personal knowledge and observations.
The only other information about the Student that appears in the police reports is her address and date of birth, which are items that could be disclosed without consent under FERPA as directory information. While we are unable to make a conclusive determination, we think it likely that [Employee] obtained and disclosed the Student's address and date of birth from the University's computerized database, as alleged, because it is undisputed that she had access to that information and because there is no evidence and little likelihood that she got it directly from the Student or some other source. Further, even assuming that directory information could be disclosed without consent for purposes of making a police report, the University is unable to determine whether the Student opted-out of directory information disclosures before or after
[Employee]'s alleged disclosures.
As explained below, and apart from any consideration of directory information disclosures, the University's response indicates that it may have a policy or practice of disclosing education records without prior written consent in violation of FERPA. In particular, the University asserted in its defense that:
[E]ven if one assumes that [Employee] accessed the University's computer system and [Employee]'s actions were authorized by the University, the accessing of [the Student's] information by [Employee] and the release of this information to the police do not constitute violations of § 99.30 of the FERPA regulations because [Employee] was a 'school official' as defined by § 99.31 of the FERPA regulations and the disclosure to law enforcement officials was in the context of a 'health and safety emergency' as provided by § 99.31(a)(10) and § 99.36 of the FERPA regulations.
As you noted in your letter, pursuant to § 99.31(a)(1) of the FERPA regulations, prior consent is not required to disclose education records to "school officials" with "legitimate educational interests." In accordance with 34 CFR § 99.7(a)(3)(iii), the University provides annual notification to its students regarding who constitutes a school official and what constitutes a legitimate educational interest. I have enclosed a copy of the FERPA notification sent to the University's students in 2003. This notice provides in relevant part:
A school official is a person employed by the University in an administrative, supervisory, academic, research, or support staff position (including law enforcement unit personnel and health staff); a person or company with whom the University has contracted (such as an attorney, auditor, financial aid processing agent, or collection agent); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.
[Employee] served as an Admissions Assistant for the University. I have enclosed a copy of the University's job description for this position. You will note that accessing the University's computer system is part of these duties. This information should clearly demonstrate that [Employee] was a 'school official' as defined above and that she had a 'legitimate educational interest' to access [the Student's] educational records.
(Emphases added.) As noted above, the University asserts that [Employee]'s actions were also authorized under § 99.31(a)(10) of the FERPA regulations because the Student's alleged assault on [Employee] constituted a "textbook case for a 'health or safety emergency.'"
As explained below, we reject the University's assertion that [Employee]'s actions were authorized under § 99.31(a)(10) as a "health or safety emergency" because the information it presented does not support a conclusion that there was, in fact, an emergency. FERPA allows an educational agency or institution to disclose personally identifiable information from education records, without prior written consent, "in connection with an emergency [to] appropriate persons if the knowledge of such information is necessary to protect the health or safety of the student or other persons." 20 U.S.C. § 1232g(b)(1)(I); 34 CFR §§ 99.31(a)(10) and 99.36.
Congress added this exception to the written consent requirement when FERPA was first amended, on December 13, 1974. The legislative history demonstrates Congress' intent to limit application of the "health or safety" exception to exceptional circumstances --
Finally, under certain emergency situations it may become necessary for an educational agency or institution to release personal information to protect the health or safety of the student or other students. In the case of the outbreak of an epidemic, it is unrealistic to expect an educational official to seek consent from every parent before a health warning can be issued. On the other hand, a blanket exception for "health or safety" could lead to unnecessary dissemination of personal information. Therefore, in order to assure that there are adequate safeguards on this exception, the amendments provided that the Secretary shall promulgate regulations to implement this subsection. It is expected that he will strictly limit the applicability of this exception.
Joint Statement in Explanation of Buckley/Pell Amendment, 120 Cong. Rec. S21489, Dec. 13, 1974. (These amendments were made retroactive to November 19, 1974, the date on which FERPA became effective.)
Section 99.31(a)(10) of the regulations provides that the disclosure must be "in connection with a health or safety emergency" under the following additional conditions:
An educational agency or institution may disclose personally identifiable information from an education record to appropriate parties in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.
34 CFR § 99.36(a)(emphases added.) In accordance with Congressional direction, the regulations provide further that these requirements will be strictly construed. 34 CFR § 99.36(c).
The Department has consistently interpreted this provision narrowly by limiting its application to a specific situation that presents imminent danger to students or other members of the community, or that requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals. While the exception is not limited to emergencies caused by terrorist attacks, the Department's Guidance on "Recent Amendments to [FERPA] Relating to Anti-Terrorism Activities," issued by this Office on April 12, 2002, provides a useful and relevant summary of our interpretation (emphasis added):
[T]he health or safety exception would apply to nonconsensual disclosures to appropriate persons in the case of a smallpox, anthrax or other bioterrorism attack. This exception also would apply to nonconsensual disclosures to appropriate persons in the case of another terrorist attach such as the September 11 attack. However, any release must be narrowly tailored considering the immediacy, magnitude, and specificity of information concerning the emergency. As the legislative history indicates, this exception is temporally limited to the period of the emergency and generally will not allow for a blanket release of personally identifiable information from a student's education records.
Under the health and safety exception school officials may share relevant information with "appropriate parties," that is, those parties whose knowledge of the information is necessary to provide immediate protection of the health and safety of the student or other individuals. (Citations omitted.) Typically, law enforcement officials, public health officials, and trained medical personnel are the types of parties to whom information may be disclosed under this FERPA exception....
The educational agency or institution has the responsibility to make the initial determination of whether a disclosure is necessary to protect the health or safety of the student or other individuals. ...
By way of example, in accordance with these principles we concluded in a 1994 letter that a student's suicidal statements, coupled with unsafe conduct and threats against another student, constitute a "health or safety emergency" under FERPA. However, we also noted that this exception does not support a general or blanket exception in every case in which a student utters a threat. More recently, in 2002 we advised that a school district could disclose information from education records to the Pennsylvania Department of Health, without written consent, where six students had died of unknown causes within the previous five months. These facts indicated that the district faced a specific and grave emergency situation that required immediate intervention by the Department of Health to protect the health and safety of students and others in the school district.
With regard to reports required under state law, in 2000 we advised a state senator about a potential conflict between FERPA and a state law that requires a school to notify the appropriate law enforcement agency immediately if it receives a request for the records of a child who has been reported missing, and then notify the requesting school that the child has been reported missing and is the subject of an ongoing law enforcement investigation. Once again noting that the "health and safety emergency" exception generally does not allow a blanket release of personally identifiable, non-directory information from education records, we concluded that FERPA would allow school personnel to comply with this law
only if the school has made a case-by-case determination that there is a present and imminent threat or danger to the student or that information from education records is needed to avert or diffuse serious threats to the safety or health of a student....In the case of a missing child, we agree that law enforcement officials would constitute an appropriate party for the disclosure assuming that the school has first determined that a threat or imminent danger to the child exists.
May 8, 2000, letter to Pennsylvania State Senator Stewart J. Greenleaf (emphases added.)
In summary, an educational agency or institution may disclose personally identifiable, non-directory information from education records under the "health or safety emergency" exception only if it has determined, on a case-by-case basis, that a specific situation presents imminent danger or threat to students or other members of the community, or requires an immediate need for information in order to avert or diffuse serious threats to the safety or health of a student or other individuals. Any release must be narrowly tailored considering the immediacy and magnitude of the emergency and must be made only to parties who can address the specific emergency in question. This exception is temporally limited to the period of the emergency and generally does not allow a blanket release of personally identifiable information from a student's education records to comply with general requirements under State law.
The police Event Report states that the alleged incident took place on November 19, 2003, but that [Employee] did not report the matter until the following day, November 20. While the University states that its policy is to encourage employees to call 911 if they feel unsafe on campus, there is no evidence that [Employee] called 911 on November 19, while she was still in the Admissions Office. Rather, documentation shows that she chose instead to file a report with the local police the following day, November 20. Further, as stated above, an educational agency or institution has the responsibility to make the initial determination of whether a disclosure is necessary to protect the health or safety of the student or other individuals. In this case, there is no indication that the University attempted to verify whether [Employee] did indeed disclose information from the Student's education records to the police for "health and safety emergency" purposes and then record the disclosure as required under § 99.32(a)(1) of the regulations. In these circumstances, we decline to find that [Employee]'s disclosure of information from education records, if any, without the Student's written consent was authorized under the health and safety emergency exception.
Another exception to the prior written consent requirement allows "school officials" to have access to a student's education records, without prior written consent, under § 99.31(a)(1) of the regulations, but only if they have a "legitimate educational interest." The University denies that it authorized [Employee] to file a criminal complaint against the Student, and there is no indication that the University was aware of [Employee]'s decision to file the complaint until some time after she had actually done so. However, the University argues that [Employee]'s professional duties as "admissions assistant" include "accessing the University's computer system" and, therefore, even if [Employee] had in fact accessed the Student's records to obtain information about the Student to file a police report, the disclosure would not violate FERPA because of the nature of [Employee]'s professional duties.
The University's own 2003 FERPA notification provides that an official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility. FERPA does not allow teachers and other school officials to use their lawful authority (and actual ability) to access a student's education records for anything other than "legitimate educational interests." Indeed, given that it is virtually impossible to use physical or technological safeguards to prevent authorized users from using their access to education records for unauthorized purposes, it is important that an educational agency or institution establish and enforce policies and procedures, including appropriate training, to help ensure that school officials do not in fact misuse education records for their own purposes.
As discussed above, [Employee] had no legitimate interest in accessing the Student's education records to file a police report given that the circumstances did not rise to the level of a "health or safety emergency" under FERPA. Further, we are concerned that the University appears to have a policy or practice of allowing school officials to obtain access to education records in violation of FERPA because of its assertion that a school official who is authorized to obtain access to students' education records for legitimate educational purposes may use that authority to obtain access and disclose information where no legitimate educational purpose or other FERPA exception applies.
In accordance with § 99.66(c) of the regulations, in order to close this investigation the University must ensure that staff, faculty, and other school officials who have access to education records under § 99.31(a)(1) of the regulations understand the limits imposed by FERPA on their access to and disclosure of education records without a student's prior written consent. The University may inform appropriate school officials through training or a written memorandum. Please notify this Office of the date and manner that the University informed school officials of this FERPA requirement. Your voluntary compliance will allow us to issue you a written decision closing this investigation in accordance with § 99.67(b). You may direct your response to Frances Moran of my staff at:
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202-5920
Thank you for your continued cooperation with regard to the resolution of this complaint.
LeRoy S. Rooker
Family Policy Compliance Office