Electronically Sending Personally Identifiable Information to Unsecured Email Address May Violate FERPA

Summary:

On September 30, 2019, the Student Privacy Policy Office found that a Kentucky school district violated the Family Educational Rights and Privacy Act (“FERPA”) by sending an email with personally identifiable information to an email address that was accessible by more than the student’s parent. (119 LRP 43518).

Facts:

The band director at a Kentucky school district (“District”) sent an email to a student’s parent regarding the student’s removal from band. The email was sent to the parent’s work email address, not the personal address that was provided to the District when the parents initially completed the student’s registration.

The District argued that no disclosure occurred because the email account was owned and used by the student’s parent. However, the email account that the District sent the information to was regularly accessed and used by 16 other individuals. Also, the student’s parent never provided consent to permit the District to send personally identifiable information to the work email address. Therefore, the Student Privacy Policy Office found a violation of FERPA and ordered the District to undergo additional training and ensure proper notification to families regarding their FERPA rights.

Discussion:

School closures due to the COVID-19 pandemic have forced local educational agencies (“LEA”) to rely more heavily on electronic communication. However, FERPA and other privacy provisions still apply to communication of personally identifiable information.

IDEA regulations also explicitly give LEAs the option to send notices required by IDEA to parents via email as long as the parent “elects to receive notices … by an electronic mail communication [and] the [district] makes that option available.” (34 CFR §300.505.) Nonetheless, given the potential ramifications for not sending notice, LEAs will need to consider how to document the fact that notice was sent and that parents have elected to receive notices via a particular email address. For many families, email should be sufficient provided that the parent has elected to receive notices via email. However, for other families, who may not regularly use email or have access to email, mailing a hard copy may be necessary.

As such, LEAs should take care to confirm email addresses with parents to ensure: 1) that the email is secure and private; and 2) that the parent consents to the use of that email address. It may be convenient to reply immediately to an email that a parent sends from an address different from the one the parent provided as the appropriate means of contact. However, as this guidance points out, an LEA should still confirm the parent’s consent to receive sensitive information, including notices, at that address before sending, to ensure that private information remains confidential.