Protecting College Records: Schools Routinely Hand Out Private Student Data

As students step foot onto college campuses this summer, valuable and personally identifiable information about them may be leaving the hallowed halls of their university without their permission.

While education records of students are required to be kept private under the Family Educational Rights and Privacy Act of 1974, universities are still permitted to share data that is considered “directory information” with just about anyone who asks for it.

Courses taken, attendance, honors, awards, degrees and grades are all considered education records under the law. Names, contact information including phone numbers and email addresses, on campus and home addresses, parents names, date of birth, photos and copies of identification cards, and even some medical records fall under the category of directory information—the type of information that would might be published in a student directory or athletic program.

It’s also available if just about anyone comes calling for it, and students have little recourse to prevent it from being shared. Leah Figueroa, a data analyst who has worked in higher education for 13 years, said an interview with Naked Security that schools often don’t take the time to verify the veracity of a request and simply share information with those who ask.

Figueroa, who works at a community college, said her school gets about 90,000 student record requests every year, most of which are fulfilled without question. Freedom of Information Act requests are put under even less scrutiny.

While plenty of the requests come from legitimate sources like researchers or other colleges, others come from sources that students likely wouldn’t want their information shared with. Markets, creditors, debt collection agencies and loan services can all gather intel on a students who are likely to be plagued by student loans and potentially vulnerable to predatory practices.

In a worst-case scenario, the information could be requested by an abusive current or former spouse or significant other or a stalker who wants to find out exactly where a student lives on campus.

The only current option for students to protect that information is to opt in to a “privacy hold”—an option that most students don’t even know they have. There is currently no standardized practice for informing students about the option or about how students can go about exercising it.

There have been some efforts to protect student data, including a 2014 effort made by the Electronic Privacy Information Center to create a Student Privacy Bill of Rights. The proposal called for improved access for students to access and amend their information, limits on collection and retention of records, and a ban on student data being used for generalized or targeted advertising.

While the bill of rights hasn’t been adopted on its own, states and universities have improved their data protection practices in recent years. Between 2013 and 2016, 36 states passed 73 student data privacy bills into law.

Until additional steps are taken to make concrete the process in which students can control their data—and those options are made clear to the students—there are still concerns about the accessibility of personally identifiable information being shared by universities. Students are advised to ask about their ability to place a privacy hold on their information if they are concerned about their data.