
Chapter 7—Privacy and Confidentiality


Privacy ≠ Confidentiality

Though often confused, there is a distinction between privacy and confidentiality. “Privacy refers to an individual’s right to withhold information, that is, not to divulge information to anyone else. Confidentiality refers to the handling of information that has been obtained by a second party.”

(National Postsecondary Education Cooperative 1998)

To reach their potential, LDSs must be used to collect, maintain, and make student- and staff-level data available to a wide variety of audiences. Teachers, students, principals, legislators, researchers, postsecondary administrators, and others can benefit from access to longitudinal data (see chapter 5 of Book One: What is an LDS?). However, while these data can greatly enhance the ability to efficiently allocate resources and improve programs, instruction, and achievement, the sensitivity of personally identifiable information and the need to protect it cannot be overstated.

Individual privacy must be safeguarded in compliance with federal and state laws and regulations; and unauthorized and unlawful access must be prevented. Procedures should therefore be developed to allow secure and appropriate data sharing with organizations and users throughout the education community and beyond. While there has been debate and uncertainty over how best to protect privacy without limiting research and data access, many states have demonstrated that an effective balance can be struck. This chapter provides a basic overview of issues and relevant laws about data protection.

Federal Privacy Laws


Don’t take it from us!

Information offered here on these federal laws should not be considered legally binding interpretations. Given the complex and dynamic nature of these laws, specific questions about student record confidentiality should be referred to the appropriate federal office (e.g., the Family Policy Compliance Office), or your agency’s legal or administrative agents. For additional resources on privacy issues, see Appendix C.

This chapter provides brief overviews of the four key federal laws that directly affect the data collected and maintained by education agencies. These are the Family Educational Rights and Privacy Act (FERPA), which applies to the vast majority of education data; and the Health Insurance Portability and Accountability Act (HIPAA), the Individuals with Disabilities Education Act (IDEA), and the National School Lunch Act (NSLA), which apply to education data in some cases. Though these laws and their official interpretations do not spell out every detail, they do provide basic guidelines on what data can be shared, with whom, and under what circumstances. State policies and laws often work out some of the implementation issues, and sometimes add further privacy protections.

Personally identifiable information

Before reviewing the relevant privacy laws, it is worth clarifying which data they affect. These privacy laws put no restrictions on data sharing if all individually identifiable information is removed from the records. According to the FERPA regulations, “personally identifiable information” includes, but is not limited to, the following *:

  • the student’s name;
  • the name of the student’s parent or other family members;
  • the address of the student or student’s family;
  • a personal identifier, such as the student’s Social Security number, student number, or biometric record;
  • other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name;
  • other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty (see below); or
  • information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
In some cases, even when the more obvious personal information is removed from individual student records, users may still be able to match individuals to their records when those students’ characteristics are rare or unique. For example, the only female Asian 3rd grader enrolled in a school will be easily identifiable in a data set, even if all of the obvious personally identifiable information is removed from her record. In cases like these, state and local staff need to take a proactive approach to preventing such invasions of privacy, using techniques such as perturbation, encryption, redaction, or deletion of data to maintain the confidentiality of private information.
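
The rare-characteristics problem described above can be checked mechanically before a record-level file is released. The following is an added example, not part of the original guide: it counts how many records share each combination of indirect identifiers, redacts the identifiers on rare records, and falls back to deletion when too few rare records exist to blend together. The field names, the threshold k=5, and the sample rows are assumptions constructed for illustration.

```python
from collections import Counter

QUASI_IDS = ("sex", "race", "grade")  # assumed set of indirect identifiers


def small_classes(rows, quasi_ids=QUASI_IDS, k=5):
    """Return the identifier combinations shared by fewer than k rows."""
    sizes = Counter(tuple(r[q] for q in quasi_ids) for r in rows)
    return {combo for combo, n in sizes.items() if n < k}


def protect(rows, quasi_ids=QUASI_IDS, k=5):
    """Redact indirect identifiers on rare rows; delete those rows instead
    when fewer than k of them exist, since they would still stand out."""
    rare = small_classes(rows, quasi_ids, k)
    safe, redacted = [], []
    for r in rows:
        if tuple(r[q] for q in quasi_ids) in rare:
            redacted.append({**r, **{q: "*" for q in quasi_ids}})
        else:
            safe.append(dict(r))
    # A handful of "*" rows forms a small class of its own, so drop them.
    return safe + redacted if len(redacted) >= k else safe


def sample_rows():
    """Constructed 3rd-grade records; one combination occurs only once."""
    spec = [("F", "White", 6), ("M", "Hispanic", 5), ("F", "Asian", 1)]
    return [{"sex": s, "race": r, "grade": 3, "score": 200 + i}
            for s, r, n in spec for i in range(n)]


if __name__ == "__main__":
    rows = sample_rows()
    print("at risk:", small_classes(rows))
    released = protect(rows)
    print("released rows:", len(released), "of", len(rows))
    print("still at risk:", small_classes(released))
```

Re-running small_classes on the output of protect confirms that no combination in the released file is shared by fewer than k records.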

NCES has more detailed information about protecting education data.

Agencies may also need to manipulate aggregate data sets or performance reports that include groups of fewer than a specified number of students—5 or 10, for example—to avoid exposing an individual student’s score or other personal information. In practice, agencies may choose to suppress all the information about a small subgroup, or combine subgroups to raise the number or percentage of students reported in a group. This minimum n should be large enough to protect privacy and ensure statistical reliability, while also avoiding the loss of too much detail (ESP Solutions 2008). Similarly, agencies should also manipulate their data sets or reports if certain percentages are too large. For instance, if 100 percent of students in a school are eligible for free or reduced-price meals, users will know the eligibility status for every student in that school. In this case, the percentage may be artificially decreased to create uncertainty about who is eligible and, thus, protect students’ privacy.
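
The minimum-n and large-percentage rules above can be applied together when an aggregate report is generated. The following is an added example, not part of the original guide: it combines subgroups below the minimum n, suppresses the combined row if it is still too small, and reports extreme percentages as a capped range. The thresholds (min_n=10, 5 and 95 percent), the field names, and the sample data are assumptions; capping very low percentages goes one step beyond the 100 percent case in the text, since 0 percent reveals every student's status just as fully.

```python
from collections import Counter


def build_report(records, group_key, flag_key, min_n=10, floor=5, cap=95):
    """Return {subgroup: {"n": ..., "pct": ...}} intended for publication.

    min_n, floor and cap are assumed policy values, not regulatory ones.
    """
    n_by_group, hits_by_group = Counter(), Counter()
    for rec in records:
        n_by_group[rec[group_key]] += 1
        hits_by_group[rec[group_key]] += bool(rec[flag_key])

    # Step 1: combine every subgroup below the minimum n into one pooled row.
    cells = {}
    for group, n in n_by_group.items():
        label = group if n >= min_n else "Combined small groups"
        prev_n, prev_hits = cells.get(label, (0, 0))
        cells[label] = (prev_n + n, prev_hits + hits_by_group[group])

    report = {}
    for label, (n, hits) in cells.items():
        # Step 2: a pooled row that is still too small is suppressed entirely.
        if n < min_n:
            report[label] = {"n": f"<{min_n}", "pct": "suppressed"}
            continue
        # Step 3: extreme percentages are shown as a range, not a value.
        pct = 100 * hits / n
        if pct > cap:
            shown = f">={cap}"
        elif pct < floor:
            shown = f"<={floor}"
        else:
            shown = round(pct)
        report[label] = {"n": n, "pct": shown}
    return report


def sample_records():
    """Constructed rows from (subgroup, size, number meal-eligible)."""
    spec = [("A", 40, 20), ("B", 12, 12), ("C", 3, 1), ("D", 8, 2)]
    return [{"group": g, "frl": i < hits}
            for g, n, hits in spec for i in range(n)]


if __name__ == "__main__":
    for label, row in build_report(sample_records(), "group", "frl").items():
        print(label, row)
```

The report deliberately omits a grand total, because a published total would let a reader recover a suppressed row by subtraction.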

The Forum has more detailed information about FERPA and HIPAA.

Visit the Forum’s FERPA resources page for more information.

Note: A revised Forum publication on privacy is being developed.

Once personally identifiable information has been removed or manipulated as necessary, the resulting anonymized data may be shared with the public without consent according to FERPA. However, some states restrict access even to these anonymized data to varying degrees.

Anonymized data are previously identifiable data that have been de-identified and for which a code or other link no longer exists. An investigator would not be able to link anonymized information back to a specific individual.

(Glossary of Common Terms in the Health Insurance Portability and Accountability Act of 1996 (HIPAA)).

Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act of 1974, commonly referred to as FERPA, is a federal law intended to protect the privacy of student education records. The law applies to all education institutions that receive federal funding under programs administered by the U.S. Department of Education.

FERPA has increasingly become an important issue in the education community, especially recently because of the emerging implications of LDS development and data sharing. As a result of the rapid advance of technology and the expansion in data collection and demand, a rising level of uncertainty has surrounded the law’s implementation. FERPA generally prohibits agencies from sharing personally identifiable information without written consent (though a number of exceptions are made), and many agencies have been reluctant to share data in some instances for fear of infringing on their students’ rights. While this hesitancy is often justifiable, in some cases agencies may be overly cautious and withhold information based on too strict an interpretation of the law. This roadblock to data access has been a continuing source of frustration for many potential users, primarily education researchers. And, it might be possible to use FERPA as an excuse not to release data that might portray the education system in an unfavorable light (Viadero 2006).

FERPA was written when most individual education records were maintained on paper at the local level, and its authors did not consider modern electronic records or statewide LDSs. To keep up with the evolution of technology and culture, the U.S. Department of Education has offered subsequent interpretations of FERPA, allowing the education community to progress while still honoring the law. In 2008, for example, a revised interpretation of FERPA was issued to clarify many of the ambiguities and remove some of the roadblocks that existed in previous regulations. Of major significance were expanded disclosure rights to state education agencies, effectively paving the way for easier access to statewide student-level data (previously, only districts were granted disclosure rights, a limitation that, among other concerns, hindered researchers seeking to compile significant samples of student data). Additionally, the new regulations refined guidance concerning disclosure of student information to parents, third parties, former schools, state auditors, and research institutions; recordation (recordkeeping for each disclosure); data sharing among K–16 education institutions; de-identification of shared records; and the use of Social Security numbers.

While the new regulations were intended, at least in part, to strike a balance between the protection of student privacy and the facilitation of valuable research, questions about the law remain. These uncertainties center primarily on the particulars of sharing P–12 data with researchers, postsecondary institutions, students’ former schools or districts, and other state agencies such as workforce and social service agencies (Education Counsel 2008). Further clarifications may be necessary to reconcile the law with the federal government’s goal of fostering the development and effective use of statewide, student-level LDSs.

Health Insurance Portability and Accountability Act

The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is intended to protect the confidentiality of individual health records. In general, elementary and secondary schools and districts are not subject to HIPAA, because even if they qualify as a “covered entity,” any health-related data they maintain are considered “education records” subject to FERPA. FERPA takes precedence even for records created by school nurses or other healthcare providers, if they are under the direct control of the school. Most schools and districts must comply with HIPAA only when they request medical records from an outside health care provider. Once those data are received from the outside health care provider and in the education institution’s possession, they are considered education records and become subject to FERPA. Private schools that do not receive funding from the U.S. Department of Education are the most common exception. In this case, any health-related data about students or others who receive health care services are considered “protected health information” and must be protected in compliance with HIPAA.

Individuals with Disabilities Education Act

Records on students in special education programs are subject to the privacy requirements of the Individuals with Disabilities Education Act (IDEA). The IDEA requirements include many of the same protections provided by FERPA, with a few differences related to the handling of student records and several additional requirements. For instance, information on a student’s disability cannot be shared without parental consent. Institutions subject to both FERPA and IDEA must comply with the privacy provisions of both laws. Considerable overlap between the laws simplifies this task.

National School Lunch Act

Data on students’ eligibility for free and reduced-price meals, and information obtained as part of the National School Lunch Program of the U.S. Department of Agriculture, are covered by confidentiality restrictions in the National School Lunch Act (NSLA). While also subject to FERPA, the privacy restrictions of the NSLA are stricter in two cases: free and reduced-price meal eligibility. The sharing of individually identifiable information obtained during the eligibility process is, with some exceptions, prohibited without parental consent. However, in some cases, eligibility and other information about the student’s household may be shared with select individuals and programs, such as some assessment programs (e.g., the National Assessment of Educational Progress). In most states, though, these data may be made available to users if all personally identifiable information has been removed.

State Laws

Many states have established their own laws and policies that either mirror, or expand on, the basic guidelines provided by federal laws. For instance, some states have issued laws dealing with areas within FERPA they considered ambiguous. They may, for example, have defined authorized disclosures more specifically, established a process for approving disclosures through written agreements, specified roles and responsibilities for protecting privacy, or allowed the use of Social Security numbers as student identifiers. Other states have passed laws that explicitly permit certain data sharing between the K–12 and postsecondary sectors, among state education agencies, or with other state agencies such as workforce or social service agencies. On the other hand, some states have enacted laws that are more stringent than the federal laws. For instance, they may prohibit data sharing that would be permitted under the current interpretation of FERPA, such as disclosures from the state education agency to districts receiving a transfer student, or to teachers about their students. To ensure a balance is struck, states should review their existing privacy laws, regulations, and guidelines so that they will not inhibit effective use of the student-level data they intend to make available through their LDS.

(Sources: DQC 2007, Hill 2008, and Nunn et al. 2006)


* Source: Federal Register (Dec. 9, 2008)