FERPA Directory Information as Anchor Data

3 min read

I'm currently working on a longer piece about education technology, the "school official" designation, parental consent, and how these legal definitions get frayed in practice. There has been a lot of attention paid to the school official designation in recent weeks, which is good. However, there have also been some inaccuracies and overstatements, and an unrealistic focus on one company - Google - in these conversations. While the actions of Google are interesting and very relevant because of their size and reach, we should not focus exclusively here on one company: the practices Google uses are widespread, and as we pursue better privacy practice we are better off identifying practices and habvits that need to improve, rather than playing whackamole with companies.

But, the process of writing this longer (not yet finished) piece has also spurred me on to finally get some thoughts out on directory information. As described in this FERPA directory information model form, "Directory information, which is information that is generally not considered harmful or an invasion of privacy if released, can also be disclosed to outside organizations without a parent’s prior written consent."

The list of information included as part of directory information - or "information that is generally not considered harmful or an invasion of privacy if released" - is pretty complete:

  • Student's name
  • Address
  • Telephone listing
  • Electronic mail address
  • Photograph
  • Date and place of birth
  • Major field of study
  • Dates of attendance
  • Grade level
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Degrees, honors, and awards received
  • The most recent educational agency or institution attended
  • Student ID number, user ID, or other unique personal identifier used to communicate in electronic systems
  • A student ID number or other unique personal identifier that is displayed on a student ID badge

If this information was compromised as part of a data breach, it would be considered substantial - yet, this information about children can be shared without parental consent, for their entire K12 experience.

Directory information data is accurate, high quality data. It places a person in a school. It ties them to a location. It provides a list of friends or acquaintances (kids in the same year at the same school). It provides a date and place of birth. It can provide a unique ID that could appear in other data systems - a boon for data enhancement via recombination. It includes a photo, and can include their height and weight. It's also worth noting that each school district identifies directory information differently, so some schools might share less information than what is listed in the model letter.

This data is updated annually, so that over the thirteen years of a child's K12 education, the data trail of directory information provides a comprehensive snapshot of a child's life from age 5 to 18.

Or, to put it in the words of Experian, directory information can be used to presort our high school students into those more likely to be "American Royalty" or those who are "Small Town Shallow Pockets".

While FERPA does allow parents to opt out of this data sharing, parental rights are often poorly understood.

As it currently stands, directory information creates an accurate, high quality dataset that provides the foundation for uses ranging from identity theft to profiling. While the standard argument in favor of easy sharing of directory information generally center around creating yearbooks, school play brochures, and media coverage of student athletes, we need to celebrate student accomplishments without compromising student privacy. To achieve that, we should reconsider how we handle directory information.