
The Jossey-Bass
Higher and Adult Education Series

for
DAN GEPHART

Preface
A New Approach and Perspective on FERPA
WHENEVER I CONDUCT training on the federal Family Educational Rights and Privacy Act (FERPA), I find it especially beneficial for participants to include the three basic components I identified in “Managing the Privacy of Student Records,” my very first FERPA workshop for UCLA.
First of all, since the goal of FERPA training is to educate ourselves on the federal regulations to ensure our policies and practices are in compliance, we need to establish a common ground for our language and terms. Even the structure of the regulations themselves acknowledges this important point, providing an extensive introductory section (34 CFR §99.3) to define terms used within the regulatory text. Many of us in education are familiar with terms such as student, attendance, and academic record. Not all of our definitions agree, however, prompting the need to be specific about our terms before we can go on to talk about legal requirements that incorporate and depend upon the specific meanings of those terms.
The second portion of FERPA training is the exposition of the requirements and parameters of FERPA—what we, as education officials, are required to do to remain in compliance with the regulations. I used the word parameters here because FERPA, like other regulations, is not composed exclusively of mandates—those unequivocal, binding requirements that dictate compliance. Recognizing the differences and traditions that exist among institutions and educational communities, FERPA includes areas in which only general guidance on establishing policy and practice is given. These are the permissions within FERPA—those actions that are permitted, but not required of education officials.
ELEMENTS OF SUCCESSFUL FERPA TRAINING
• Review of definitions and language
• Understanding and application of FERPA
• Developing FERPA decision-making abilities
While it is important to understand the language, intent, and requirements of the regulations, it is also important for education officials to develop their own decision-making abilities. To be effective in carrying out their academic or student services functions, administrators need to develop an expertise in using FERPA to make decisions in their everyday transactions at the school, college, university, or other educational setting. The use of examples or scenarios for developing such expertise is extremely helpful in this regard.
Having provided FERPA training since 2000, I have become aware of yet another area that has become increasingly important and vital to include in our educational initiatives about FERPA: context. And by context, I mean that education officials—especially those who develop policy or make public relations decisions about student information—need to recognize and maintain a big picture appreciation of the economic, political, and philosophical dialogue in which—and from which—FERPA arises.
For many of our frontline staff, it is probably sufficient for them to be cognizant of the federal regulations and the institutional policies that impact how they perform their work. With adequate training and ongoing professional development, our people become empowered to take initiative in making decisions that ensure efficient and effective student services. But for managers and policy makers, a broader and deeper understanding of FERPA and privacy is required. Managers may be confronted with situations for which there are no clear directions, either in office policy or in FERPA. Policy makers, who essentially set the standards for institutional practice, cannot successfully create procedure or provide direction without some understanding and appreciation for the broader context of privacy from which FERPA emerges.
Participants in my FERPA workshops have included admissions and recruiting professionals, information technology technicians and programmers, financial services accountants, and customer services staff. Some of these individuals do not have responsibilities that explicitly involve the disclosure of information from education records. Yet, the perception exists, and rightfully so, that FERPA touches all aspects of education records, and there is a hunger for knowledge and guidance on records management concerns such as records creation, access, disclosure, retention, and destruction. While FERPA may not address these issues directly, the privacy concerns and the political dialogue from which FERPA arose give considerable and reliable guidance on many of these areas.
In this book, I have endeavored to provide a new, more comprehensive approach to FERPA for education officials throughout our colleges, universities, and other educational organizations. Education officials from the K-12 environment will also find much of the information in this book helpful, although the guidance offered in the application of the regulations is given with a focus on higher education.
With the incorporation of the extensive amendments proposed and incorporated into FERPA in December 2008, this book presents FERPA from the vantage point of a quote that has been a part of my own education and has often been ascribed to the great 13th-century thinker, St. Thomas Aquinas: “Intelligence is the ability to see implication.”
In the pages that follow, I have attempted to summarize the thrust of the dialogue on privacy for education officials, highlighting some of the primary concerns and events that led to the codification of American legislation on privacy. This is not a legal history of privacy but rather an overview with a definite slant toward the concerns of privacy in education. Within that context, and prompted by the same predisposition for identifying implications, FERPA, infused by the extensive amendments of 2008, is explored in its language and terms, as well as in its application and guidance.
This book is not necessarily intended to be read cover to cover, although the chapters and unfolding of this presentation have been arranged with a definite intent and direction. For those readers interested in a specific aspect of FERPA or seeking guidance regarding the implications and requirements of the regulations, there are sufficient guideposts throughout the book for you to begin from any perspective or interest.
To assist in this exploration of FERPA, I will use three types of information summaries throughout this text.
• FERPA citations
• Visual aids
• Sidebars
The first instructional aid is the FERPA citation, direct quotes from the regulations themselves, including the specific regulatory reference. The FERPA citations, enclosed with a dotted-line border (as illustrated below), are presented because “legalese,” or the language of the law, is often subject to interpretation. And interpretation may differ between individuals, attorneys, and even the courts. Providing you with the exact FERPA citation under discussion allows you to make your own assessment of the interpretations and guidance provided in this volume.
The purpose of this part is to set out requirements for the protection of privacy of parents and students under section 444 of the General Education Provisions Act, as amended.
§99.2
As an additional benefit, the complete text of the FERPA legislation is provided in Appendix I of this book.
Visual aids are meant to organize information in such a way as to facilitate your understanding or grasp of the material. If this were an in-person presentation, most of the visual aids would be PowerPoint slides accompanying the verbal presentation of this material.
In some cases, the visual aids are tables of information, organized for ease in understanding and contrast. But there are also other kinds of visual aids that are included throughout this volume, such as samples of disclosure language, excerpts from forms, and sample procedures. For consistency, visual aids are presented in boxes that are bound by a single, continuous line. An example of a visual aid is the one at the beginning of this Preface entitled “Elements of Successful FERPA Training.”
The last type of instructional aid is the Sidebar. These summaries offer additional information regarding initiatives, organizations, entities, or individuals that are mentioned in the text. While not critical to understanding the information in the primary flow of the text, the sidebars are intended to elaborate on content and so encourage a deeper exploration or appreciation of the subject, people, or events depicted in these short reports. Sidebars are bound with a double-border. An example of a sidebar is the one entitled “FERPA Legislation” below.
Now, some readers may think all of this information too overwhelming and perhaps ultimately irrelevant. After all, I have been confronted in some of my workshops with the attitude that invariably cries, “Just tell me what I have to know. That’s all! Just tell me what I have to know to get my job done and be in compliance.” Indeed, my goal is to accomplish this mission—but, it is also more.
One of my primary values as an educator or trainer is to help participants develop the ability to make their own decisions, to become confident and empowered in performing their daily job responsibilities. That is the reason for this broader, more multifaceted approach to training about FERPA.
FERPA Legislation
In the canon of U.S. Law, FERPA is codified at 20 USC §1232g and assigned to 34 CFR §99.
The “USC” in the first citation refers to the U.S. Code. FERPA is cataloged at Title 20, Chapter 31, Subchapter III, Part 4, §1232g of the U.S. Code. The U.S. Code establishes the policy from which the regulations flow in the CFR.
CFR refers to the Code of Federal Regulations, the catalog of legislative literature approved and passed into law by the federal government. §99, or Part 99, is the particular section of the 34th index or volume that is specifically FERPA. Whenever text in the regulatory language refers to FERPA as a whole, it means 34 CFR §99 and may use the phrase “this part.”
References to paragraphs or regulatory citations from sections of the CFR are often prefaced with the legal section icon: §. Once context within a particular CFR is established, as with 34 CFR §99, specific citations to language within the regulations may be indicated as simply §99 and the specific citation. Throughout this publication, direct quotes from the FERPA regulations are so listed.
When I was facilitating Franklin Covey workshops, one of the quotes we often referenced came from the ancient Chinese philosopher Lao Tzu. He said this:
Give a man a fish and you feed him for a day;
Teach him how to fish and you feed him for a lifetime.
My goal is not just to tell you what you need to know right now to do a job and be in compliance with FERPA. My goal is to help you develop your own expertise about FERPA, to empower you with the knowledge and confidence to perform your academic and student services functions with assurance and confidence. Aware of the implications of both our actions and our decisions, we ensure that how we comply with FERPA echoes the spirit and the unique values and missions of our individual institutions.
Therein lies the excitement and joy of education and continuing professional development!
Clifford A. Ramirez
Cliff Ramirez & Associates
Cliffordramirez@aol.com
(909) 208-1452

Acknowledgments
NUMEROUS AUTHORITIES AND resources were consulted for the composition and compilation of content for this book. Some are resources that I have used consistently in my training and in the writing of my previous books. Most are listed in the Bibliography and Resources section of this book. However, there are a few that have been my primary sources for information and for inspiration in the development of this book.
Official legislative materials from the U.S. National Archives and Records Administration, including the Federal Register, were the primary sources for the text of the regulations and of their amendments.
Other government websites, including those of the White House, Congress, and the U.S. Senate, were consulted for information regarding legislation, enforcement, and the historical background of legislative sponsorship. For the chronology of privacy legislation and initiatives, the Electronic Privacy Information Center (EPIC) and the Privacy Rights Clearinghouse yielded a wealth of practical information and additional resources.
The U.S. Department of Education, specifically its website and the training efforts of LeRoy Rooker, former director of the Family Policy Compliance Office (FPCO), have been the primary foundation for information and resources on FERPA. Notably, it is the Department of Education which has jurisdiction for the interpretation and enforcement of FERPA.
Publications and the website literature of the American Association of Collegiate Registrars and Admissions Officers (AACRAO) and the Council on Law in Higher Education (CLHE) were consulted in the interpretation and application of FERPA.
Lastly, the questions and comments of colleagues at my training programs and through other consultations contributed to the development and expansion of the practical tools and guides for the application of FERPA.

About the Author
CLIFFORD A. RAMIREZ has worked in higher education for almost 20 years and is the founder and president of his own training and consulting company, Cliff Ramirez & Associates. The company, founded in 2004, offers higher education consulting in the areas of FERPA, registrar and student services, leadership and organizational development, and records management.
Working primarily in registrar operations, Cliff spent 14 years at UCLA. For two of his years at UCLA, Cliff assumed an additional part-time appointment as a staff welfare coordinator, becoming certified as a Franklin Covey facilitator and laboring in the areas of professional development, organizational climate, and staff representation. Cliff has also worked in the registrar’s offices of both Pomona College and Antioch University Los Angeles. In addition, he was interim director of Admissions and Financial Aid at Antioch University Los Angeles.
Cliff has been active and visible in organizations such as the Pacific Association of Collegiate Registrars and Admissions Officers (PACRAO), the American Association of Collegiate Registrars and Admissions Officers (AACRAO), the Council on Law in Higher Education (CLHE), and the UCLA Administrators and Supervisors Association (ASA). He served as the 2003 president of PACRAO and was elected to multiple terms as ASA president. Cliff has been a member of numerous committees and editorial boards, most recently for CLHE’s newsletter the Regulatory Advisor. Cliff has also served on the advisory board for LRP Publications’ The Successful Registrar. Cliff is the founder of three prestigious institutes: the PACRAO Emerging Professionals Institute (EPI) in 2003, the ASA Leadership Development Institute in 1997, and the UC Management and Leadership (UCML) Conference in 1995.
In the year 2000, Cliff assumed the post of manager for Training and Communication Services in the Registrar’s Office at UCLA. Charged with FERPA training responsibilities, Cliff created a four-hour workshop entitled “Managing the Privacy of Student Records” and went on to publish his textbook and the facilitator’s guide for this workshop through LRP Publications. He has written two other books—The FERPA Transition: Helping Parents Adjust to Higher Education Records Laws (2004) and Records Management in Higher Education (2006), the latter in collaboration with colleague Linda Arquieta-Herrera. Most recently, he worked with attorney Aileen Gelpi on updates to The FERPA Answer Book for Higher Education Professionals.
Cliff is a regular presenter on FERPA at workshops, conferences, and other professional development events. Cliff has been featured in numerous national audio conferences, as well as in webinars and a training video.
A native of Southern California, Cliff attended the University of Notre Dame, from which he graduated cum laude with a B.A. in English. Cliff attended the Jesuit School of Theology at the Graduate Theological Union in Berkeley, California, while studying for the Roman Catholic priesthood. He worked in the banking industry for 12 years, in both Northern and Southern California, before coming to higher education.
Currently, Cliff is the FERPA expert for College Parents of America and on the advisory board for Docufide, Inc. He is a member of the Registrars and Enrollment Services Consulting for Colleges and Universities (RESCCU) team and is affiliated with Painted Dreams Ranch (PDR) Enterprises, the records management and customer services consulting company of colleague Linda Arquieta-Herrera.

Chapter 1
FERPA and the Regulatory Universe of Privacy
WHEN THE FEDERAL Family Educational Rights and Privacy Act (FERPA) was germinating in the legislative consciousness of Washington, the nation—and, indeed, the entire world—was immersed in an intense dialogue and heated debate about how to manage the explosion of information and data in every facet of government, business, and industry.
Who was keeping information about private individuals? How were they storing, maintaining, and releasing that information? What rights allowed them to do so? And what rights did private citizens have in this escalating inundation of unsupervised and unregulated data and information?
No one shall be subject to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to protection of the law against such interference or attacks.
—UNIVERSAL DECLARATION OF HUMAN RIGHTS,
United Nations, 1948
From the global and national discourse on privacy, legislation emerged in the United States that, however different in format from its European counterparts, sought to establish and ensure universal tenets for information and records management that would impact every sector of our society.
For the higher education community, FERPA has had the dominant impact. But as American society and campus operations have become increasingly complex, other legislation has affected institutional policy and procedure so that a thorough understanding and appreciation of the privacy debate is necessary to ensure comprehensiveness and compliance in our daily practice and work responsibilities.

Toward the Codification of Privacy Rights

The Constitution of the United States recognizes the privacy of United States citizens as an inalienable right, both explicitly and implicitly. The Fourth Amendment codifies the right of individuals “to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures” and goes on to set limits and specifications for such searches and seizures. Privacy advocates have also used the First Amendment right to free assembly and provisions in both the Ninth and Fourteenth Amendments to further base legal challenges supporting the privacy of individuals.
Wheaton v. Peters
Wheaton v. Peters, in 1834, is considered the first ruling by the U.S. Supreme Court on copyright. The case involved two reporters of the courts in Pennsylvania—Henry Wheaton and his successor, Richard Peters. Wheaton had compiled court rulings, arguments, and summations in a set of 24 volumes for use by attorneys. When Peters took over, he continued to provide the same service but streamlined the content of Wheaton’s earlier work. Reduced to just six volumes of materials, Peters’ less expensive work quickly became more popular than Wheaton’s.
After Wheaton sued Peters in the Pennsylvania courts and lost, he appealed his case to the Supreme Court. The Supreme Court, however, upheld the lower court’s ruling and, in essence, created legislation regarding copyright that set written work apart from patents for inventions and other creations. The Court upheld the property of writers but also held that individuals could not hold copyrights on the decisions and rulings of the court system.
In 1890, attorneys Samuel Warren and Louis Brandeis, founders of the distinguished Boston law firm Nutter, McClennen, & Fish, published an article in the Harvard Law Review entitled “The Right to Privacy.” In addition to coining the expression “the right to privacy,” the article is considered the first publication to argue for individual privacy and to advocate for legislation that would provide legal protections and remedies against the invasion of privacy. Warren and Brandeis incorporated the phrase “the right to be let alone” in their text, quoting the 1834 Supreme Court case of Wheaton v. Peters and A Treatise on the Law of Torts, an 1888 textbook by T. M. Cooley. In these initial platforms on privacy, the contention was generally viewed as one between the private individual and government.
In fact, the dialogue on privacy has frequently focused on the relationship between government and private citizens. Historians often summarize the immigration to the New World as an escape from a European system that was attempting to fetter the private citizen and deprive him of personal and public freedoms. Against the prospect of such tyranny and control, the American Revolution was waged and a new nation forged.
As American society evolved, the fledgling nation would experience and be forced to deal with many of the same challenges that have faced governments since the dawn of civilization. With advances in industry, technology, and business practice, the privacy debate would arise again in a new context.
In the years following World War II, distrust and suspicion swelled across America in response to widespread government initiatives to conduct national census activities. The compilation of a massive database about private citizens raised fear and anxiety about the potential misuse of such data. European immigrants, in the shadow of the Holocaust and the attempted extinction of the Jews, were wary of government interest in ethnicity and religious affiliation. In truth, memories were still all too recent regarding the branding, stamping, and tattooing practices inflicted upon prisoners in the Auschwitz concentration camp complex. The post-World War II population of the United States included many, citizen and refugee alike, who had witnessed or escaped the crimes of Nazi Germany.
The introduction and use of any type of national identification system in the United States was an understandable cause for concern. After all, even in the United States, ethnic identification efforts had already been used to locate Japanese immigrants for relocation and internment during the Pacific conflict.
In the wake of World War II, Europe had quickly organized efforts to protect the privacy of citizens against big government. In 1970, the German centralization of computer records regarding citizens spawned the first privacy laws. Sweden passed the first national data protection law in 1973 and initiated a process to issue national identity (ID) cards. A similar initiative was launched in Great Britain as England centralized the issuance of national drivers’ licenses.
As country after country embarked upon its own privacy legislation, it became apparent to the Europeans that national initiatives would soon impact international economic trade. A British company that had applied to produce magnetic stripes for Sweden’s ID cards was denied the contract because in Sweden’s evaluation, British law did not provide sufficient protections for the privacy of information about Swedish citizens. To facilitate trade and commerce among the European nations, an initiative was launched to establish international agreements on privacy, trade, and communication.
On January 28, 1981, the Council on European Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data came together in Strasbourg, France, setting into motion the events that would lead to the first international law on data protection. The Data Protection Act was ratified and enacted on October 1, 1985, in France, Germany, Norway, Spain, and Sweden. Other European countries would subsequently follow. Then, in 1995, the European Union’s Data Protection Directive was adopted.
Council of Europe
The Council of Europe was founded in 1949 with the objective of promoting and facilitating unity among the nations of Europe. The council’s specific goal is developing throughout Europe “common and democratic principles based on the European Convention on Human Rights.”
Headquartered in Strasbourg, France, the council comprises 47 member countries. The council also claims five observer countries: the Holy See, the United States, Canada, Japan, and Mexico.
The council’s website is .
Despite the national and international legislative developments, however, it soon became apparent, through assessments and surveys conducted throughout Europe, that individual citizens remained unaware of their personal rights and protections. This was a tremendous concern for the Council of Europe, which had incorporated public education into its mission.
On January 28, 2007, the first Data Protection Day was held throughout Europe. Organized by the Council of Europe, the intent of the celebration was to commemorate the beginning of dialogue on privacy and individual protections and to educate citizens throughout the continent about their rights. Individual member nations were encouraged to determine, budget for, and sponsor educational and social events for their citizens. The council’s website was used as an organizational base to compile a listing of events throughout Europe and to promote unity for the multinational initiative.

The Adoption of Fair Information Practices

With the exception of some European influences, the story of privacy in America took a somewhat different course.
It was a long time before the work of Warren and Brandeis would significantly impact legal thought in America. Despite foundations in the U.S. Constitution, privacy was essentially left to state and local courts, leading to inconsistencies across court jurisdictions. In many views, privacy was understood as a personal right, one that ends with the death of an individual and one that only generated legal action when an invasion of privacy was determined to have occurred. Because privacy was viewed as a personal right, corporations and partnerships were judged to possess no particular right to privacy.
Louis Dembitz Brandeis
Born in 1856 in Louisville, Kentucky, Louis Dembitz Brandeis was an attorney, Supreme Court Justice, and prominent advocate for free speech, privacy, women’s rights, trade unions, and the minimum wage.
Attending schools in Louisville and Dresden, Germany, Brandeis graduated from Harvard University. He practiced law in Boston before being appointed to the U.S. Supreme Court by President Woodrow Wilson in 1916. He was the first Jewish Supreme Court Justice in U.S. history and was the leader of the American Zionist movement. In addition to influencing Wilson’s New Freedom economic doctrine, Brandeis published two important works in 1914: Other People’s Money and How the Bankers Use It and Business-A Profession.
Upon his death in 1941, Brandeis was cremated and his remains were transported to the Louis D. Brandeis Law School at the University of Louisville, where many of his personal files are archived. In 1948, Brandeis University was founded in Waltham, Massachusetts, and named in his honor.
These premises would be challenged over the years through cases that would be heard by courts at every level. It was not until Olmstead v. United States that Brandeis would once again incorporate the phrase “the right to be left alone” in his legal arguments. From those 1928 proceedings, the first wiretapping case heard by the U.S. Supreme Court, concerns about privacy exploded, eventually expanding beyond mere protection against government inquiry.
In 1965, a Special Inquiry on Invasion of Privacy was convened by the U.S. House of Representatives. The House Committee on Government Operations examined a diverse variety of activities where the privacy of citizens could potentially be invaded and violated. The areas probed focused upon operations within the federal government, including the psychological testing of employees and applicants, the use of data from farm census questionnaires, and the confidentiality of federal investigations, employee files, and income tax returns. The committee’s scrutiny extended to an examination of surveillance practices at government facilities, including electronic eavesdropping, mail deceptions, prying into private trash, and even to the existence of strategic peepholes.
Underlying those discussions in the mid-1960s was the emerging realization that, with the advent of computers and technology, the stage was being set for the formation of a national database on U.S. citizens. With personally identifiable information (PII) about individuals being systematically collected by a number of federal agencies, it would not be difficult or inconceivable to compile, collate, and index data to create extensive and comprehensive profiles about private citizens.
The real danger is the gradual erosion of individual liberties through automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable.
—US PRIVACY STUDY COMMISSION (1977)
Agencies were already using social security numbers (SSN) as an index. Establishing the SSN as a “standard universal identifier” (SUI) would facilitate the creation of a national database and its speedy population with vital and confidential information. No one could be sure about how much data sharing was occurring between agencies of the federal government. And given the fact that the government was comprised of numerous agencies, who would challenge the appropriateness of such information sharing, especially since it was all supposed to be one government?
Social Security Numbers
The social security number (SSN) was established in 1936, when the New Deal Social Security Program was enacted through the Social Security Act (42 USC §405(c)(2)). Initially established as a means to track individual accounts within the Social Security Program, the number has since become a national identification (ID) number, beginning with its usage by the U.S. Army and the Air Force in 1969.
Initially, individuals did not need an SSN until the age of 14 or when an individual could first participate in the work force and file federal income taxes. By 1986, the minimum age was lowered to 5, since dependent children could be claimed on federal income tax forms. By 1990, age 1, or as soon as possible after birth, became the norm for procuring an SSN.
The nine-digit structure of the SSN is delineated AAA-GG-SSSS. The AAA, or area number, refers to a geographical region, not necessarily a state. By 1973, area numbers were based upon zip codes. The group number (GG) is used to provide natural breaks in blocks of allocated numbers. The SSSS is the serial number assigned to specific individuals. There are some number structures that are not used in the SSN. These include all zeroes in any one of the number groupings, numbers beginning with 666, and certain number sequences that have been set aside for advertisement purposes.
Social security accounts were established to provide for the economic welfare of citizens. The first laws for public welfare date back to the English Poor Law of 1601, which the colonists brought with them to the New World. In his last pamphlet, Agrarian Justice, Thomas Paine, in 1795, argued for the establishment of a public system to provide economic security for citizens. But the first systematic program was not devised until 1862 when legislation established the Civil War Pension Program, designed to care for soldiers after the war and for the widows and children of disabled soldiers. Despite numerous amendments through the early 1900s, the program was never extended to the general public.
As far back as 1862, company pension programs sought to address economic security for workers. The Alfred Dolge Company, a producer of pianos and organs, was one of the first to establish such a program. As late as 1932, however, less than 15% of the work force was covered by any type of pension program.
The Social Security Program began making its first payments in 1937, initially in single, lump sums to the beneficiary. In 1939, an amendment to the Social Security Act established the monthly payment system, which has been in use since 1940.
The availability of information, questions about the transmission and access of data, and the security of information were issues that cried out for answers and raised concerns for many citizens. But in the early and mid-1960s, an organized platform for dialogue and activism was essentially nonexistent in the United States. A model would soon emerge from Europe, however, where international commerce would drive the discussion and compel the first privacy laws regarding personal information.
Concerns about privacy, databases, and information access continued into the next decade. As already mentioned, privacy became a global concern that expressed itself in different ways and in a variety of arenas: medical, financial, commercial, and communications.
In Europe, Sweden took the lead with strategies and dialogue that evolved into the adoption of what became known as the Fair Information Practices. Privacy Commissioners were soon designated in a number of European countries, as well as in Canada, Australia, New Zealand, Japan, and Hong Kong.
The Fair Information Practices would strongly influence the development of privacy legislation in the United States. Among the privacy discussions taking place in the early 1970s was one that focused on the privacy of medical records in the wake of mounting computerization. A task force was convened under the direction of the U.S. Department of Health, Education, and Welfare (HEW) and, in 1973, it issued a report entitled “Records, Computers, and the Rights of Citizens.”
The HEW report is significant for its influence on the development of privacy legislation in the United States. Its achievements included the following.
Code of Fair Information Practices. The report established a Code of Fair Information Practices, based upon practices developed and established in Europe. This code set the standards and defined benchmarks for best practices in privacy legislation and records and information management.
Privacy Legislation. The report recommended that Congress pass legislation to adopt the code for all organizations maintaining automated personal data systems. The recommendations included not only requirements for the documented specification of protections and safeguards but a mandate for annual disclosures of policy and practice to the public.
Restrictions on Using the Social Security Number. Concerned with the potential of using the SSN to establish a standard universal identifier (SUI), the report recommended that the SSN should be used only where absolutely necessary or where existing legislation already required the use of the SSN. Further, the report stipulated that no citizen should be compelled to provide an SSN unless required by Congressional ruling.
All of these provisions directly influenced the passage of the Privacy Act of 1974, as well as the numerous privacy regulations that followed. Of prime importance was the codification of the Fair Information Practices, not only as a precursor to subsequent privacy legislation and records management initiatives but as a qualification of the United States’ participation in the global economy.

The U.S. Code of Fair Information Practices

The 1973 HEW task force identified five key components in its Code of Fair Information Practices. A generation after their adoption, these practices may seem logical and self-evident. However, one must remember that the political, economic, and technological climate of the early 1970s was a very different landscape from that of our 21st century. The code not only influenced subsequent privacy legislation but provided a solid foundation for best practice and for determining policy and procedure in records and information management in nearly every U.S. industry.
A brief examination of the Code of Fair Information Practices will contribute to a deeper understanding of FERPA as well as provide some guidance for policy development strategies in all areas of college and university administration.
The first two Fair Information Practices are a prohibition against secrecy and a mandate to disclose the existence of a database and its contents to the population about whom the database is compiling information. Any entity that collects and maintains personally identifiable information about individuals must disclose to its clients and to the public the fact that information is being collected. Recordkeeping systems cannot remain secret or private. Individuals have a right to know that information is being kept about them—and, moreover, to know what information is being collected and how that information is being used.
The third tenet is designed to prevent secondary or “further disclosure” of collected information. Further disclosure refers to the release of information beyond the recordkeeper, beyond those authorized to access the data, including the individual identified by the data. Entities that gather or receive data cannot use the information for anything other than the purpose that was initially disclosed to the subjects of the data. In order to disclose information for any other purpose, the recordkeeper must first obtain the consent of the individual or individuals identified by the data.
CODE OF FAIR INFORMATION PRACTICES
Database Existence. A recordkeeping system that compiles and stores personally identifiable information about individuals must not be kept secret.
Primary Usage. Individuals whose personally identifiable information is being collected and stored have a right to know what information is being kept and how it is being used.
Secondary Usage. Individuals must be able to prevent recordkeepers from disclosing personally identifiable information about themselves without their consent.
Amendments. Individuals must be able to correct or amend personally identifiable information that is being stored about them.
Security Protections. Organizations that collect and store personally identifiable information about individuals must ensure that data will only be available for internal use and must take precautions to prevent the misuse of that data.
Because nothing is perfect, and because inaccurate or incorrect data can easily make its way into any information system, individuals have a right to seek to amend the information that is being kept about them. This fourth practice implies that individuals must have some access to inspect the information that is being collected about them. Otherwise, how would individuals become aware of inaccuracies? More to the point, the code advocates distinct processes that allow individuals to request amendments to the content of records that are being maintained.
Lastly, recordkeepers have a responsibility to provide security protections for the data they keep. They must ensure that the information collected will only be used for the purposes disclosed. Further, they must take the necessary precautions to prevent the misuse, misappropriation, and unauthorized access of data. Initially, these security concerns focused on physical access. By the end of the 20th century, however, electronic access would create the need for technological and virtual protections as well.
All of these practices are represented in the Privacy Act of 1974 and are evident in subsequent U.S. privacy legislation, such as the Fair Credit Reporting Act and FERPA.

The Privacy Act of 1974

On the heels of the HEW report and the country’s adoption of the Code of Fair Information Practices, both the U.S. House of Representatives and the U.S. Senate entertained separate and distinct legislative debates on privacy. Both were narrowly focused on the privacy of information that was being collected and maintained by agencies of the federal government. And the two chambers produced somewhat different proposals for privacy in America.
HR 16373 was the proposal initiated in the House of Representatives, while S 3418 represented the Senate’s effort. While the Senate bill was viewed as the more rigorous in its requirements, the House bill was criticized as harsher in its application of consequences or penalties. The House bill required that damages or penalties could only be assessed against the government if a violation was demonstrated as “willful, arbitrary, or capricious.” But the House bill also proposed the creation of a Privacy Protection Commission to oversee the implementation and enforcement of its legislation.
The privacy and dignity of our citizens [are] being whittled away by sometimes imperceptible steps. Taken individually, each step may be of little consequence. But when viewed as a whole, there begins to emerge a society quite unlike any we have seen—a society in which government may intrude into the secret regions of a [person’s] life.
—ASSOCIATE JUSTICE WILLIAM ORVILLE DOUGLAS
The bill that President Gerald Ford signed in December 1974, and which passed into law the following year, was a compromise between the proposals of the House and the Senate. The Senate passed the amended legislation, known as the Privacy Act of 1974, on December 17. It was ratified the next day by the House of Representatives.
The Privacy Protection Commission, originally proposed by the House bill, was reduced to a Privacy Protection Study Commission, with only advisory responsibilities. It had neither oversight nor enforcement authority. In 1977, however, the commission published its “Personal Privacy in an Information Society” report, detailing its concerns regarding inadequacies of the Privacy Act of 1974. Among these was the definition of “system of records,” which limited application of the act to systems in which data was retrieved by name, SSN, or some other personal identifier. Further, public disclosure in the act was tied to publication in the government’s Federal Register, which the commission judged too limited in its circulation and accessibility.
Features of the Privacy Act of 1974 included the following.
Application. The act applied only to certain agencies of the federal government and had no impact on state and local governments. Curiously enough, although the Office of the President was covered by the act, the act applied to neither the House nor the Senate.
Appeals for Amendment. Assuring individuals that they can seek to amend records, the act stipulated that if a request for amendment is refused, the recordkeeper must advise the individual of an appeal process and allow 30 days for an appeal to be submitted. Individuals may also provide a statement to the recordkeeper detailing their objections to any record and that statement must be retained and disclosed by the recordkeeper whenever the disputed record is disclosed.
Disclosures without Consent. The act detailed exceptions to its requirement of prior consent for further disclosure of information beyond the purpose for which the data was initially collected. Among the exceptions is one for “routine use” by government agencies, which critics claim has been abused over the years.
Retention Requirements. To ensure an audit trail, records of disclosures must be retained for a period of five years. With the exception of records detailing disclosures for law enforcement purposes, these records of disclosure must be made available for inspection whenever requested by the individual identified in the records.
Data Minimization. Agencies must maintain only those records that are “relevant and necessary” to accomplish their purposes. The intent was to prohibit the collection and maintenance of information that the agency had no right or privilege to maintain.
Data Sharing Limitations. Agencies that share data must do so by written agreement, detailing purposes, legal authority, data matching practices, and other information relevant to the exchange of information. The agreement must be renewed every 18 months and must be made available to the public, the Committee on Government Affairs of the Senate, and the Committee on Government Operations in the House.
Right to Sue. Individuals can sue to have their records amended and can recover reasonable attorney fees and litigation costs from the United States government. Courts can also rule against agencies for any violation of other parts of the Privacy Act if the violation is determined to be “intentional or willful.” In addition to reasonable attorney fees and costs, the act specified that individuals could recover no less than $1,000.
Section 1983: Right to Sue
Section 1983 of Title 42 of the U.S. Code has its beginnings in the Ku Klux Klan Act of 1871 and the Civil Rights Act of 1872. Requested of Congress by President Ulysses S. Grant, the legislation was enacted as an emergency measure against the growing racial violence and social unrest that struck the Southern states following the end of the Civil War.
More than a century later, Section 1983 continues to serve as the basis by which citizens enforce their Constitutional rights.
Every person who, under color of any statute, ordinance, regulation, custom, or usage of any State or Territory or the District of Columbia, subjects, or causes to be subjected, any citizen of the United States or other person within the jurisdiction thereof to the deprivation of any rights, privileges, or immunities secured by the Constitution and laws, shall be liable to the party injured in an action at law, suit in equity, or other proper proceeding for redress.
Criminal Penalties. A number of criminal actions and penalties are defined. Government employees who knowingly and willfully disclose personally identifiable information may be found guilty of a misdemeanor and be fined up to a maximum of $5,000. Agencies may be fined up to the same maximum amount for failure to disclose the existence of their systems of records. In addition, the act provided that anyone who requests records under false pretenses may be found guilty of a misdemeanor and fined a maximum of $5,000.
Use of the SSN. No federal, state, or local agency can require anyone to provide a social security number, unless such disclosure is required by federal statute. Agencies that require individuals to provide an SSN must disclose by what legal authority the requirement is being made.
Oversight. The director of the Office of Management and Budget (OMB) was designated to have oversight authority for the implementation and enforcement of the Privacy Act of 1974.
U.S. Office of Management and Budget
The United States Office of Management and Budget (OMB) is the largest office within the Executive Office of the President of the United States (EOP) and is a cabinet-level office. It performs administrative responsibilities for the White House by overseeing the activities of the many federal agencies. The OMB gathers data for the President’s annual budget as well as communicates with the agencies.
The OMB is run by six managers, all of whom are appointed by the President and approved by the Senate. Among the directors are the administrators of the Office of Information and Regulatory Affairs, the Office of Federal Procurement Policy, and the Office of Federal Financial Management.
The OMB’s website is .

Sector Approach to Privacy

Except for the adoption of the Code of Fair Information Practices, the United States embarked upon an approach to privacy that differed significantly from the European approach. Whereas European strategy consisted of comprehensive legislation and the national designation of privacy secretaries or ministers, the U.S. undertook what has been called a sector approach to privacy. That is, the development and enforcement of privacy standards in the United States is achieved through a mixture of federal, state, and local legislation as well as through self-regulation within the various sectors of business and industry.
Examples of Privacy Initiatives in the United States
Each facet of American enterprise has developed its own legislation to address specific issues within its unique operations. Federal regulations were established where economic and informational transactions involved either government recordkeepers or national and international business endeavors. State and local governments developed geographically specific policies and rules that, while limited to a defined jurisdiction, have also contributed to broader debates and inspired adaptations in arenas beyond their original applicability.