chevron-down Created with Sketch Beta.
July 01, 2008

Student Privacy versus Campus Security: An Overstated Conflict

by Daniel Silverman

Some commentators viewed the April 2007 shootings that killed thirty-two people at Virginia Polytechnic Institute and State University (Virginia Tech) as illustrative of a direct conflict between student privacy and campus security. Their claim was that privacy protection laws had prevented various Virginia Tech employees who had been concerned about Seung-Hui Cho, the Virginia Tech shooter—including professors, residence life staff members, counselors, and campus police officers—from sharing information with each other. Further, these commentators argue that this inability to pass on information potentially diminished the Virginia Tech administration’s ability to prevent the shootings.

In Griswold v. Connecticut , 381 U.S. 479 (1965), the U.S. Supreme Court recognized a constitutional right to privacy. Because an important goal of higher education is to prepare students to take their place as citizens and to participate in civic life, it is important that students experience constitutional freedoms as part of their education. Privacy in particular is important because it promotes the development of autonomy, another goal of higher education.

While tension certainly exists between the values of student privacy and campus security, characterizing them as directly in conflict would be inaccurate. The Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, the major statute governing student privacy, protects against disclosure of student records but also provides plenty of opportunities for information sharing in situations where campus security may be implicated. In addition, an argument that student privacy and campus security are in direct conflict rests on the implicit assumption that campuses are unsafe because, if campuses were safe, there would be no need to worry about student privacy threatening campus security. But this assumption is false: campuses are, for the most part, safe.

Understanding FERPA and Related Laws

FERPA is the federal statute that limits the disclosure of education records for all college students. In 1974, when Senator James Buckley introduced the bill on the Senate floor, he could not have predicted that it would become central to the debate about a balance between the privacy of college students and campus security. Testimony from the Congressional Record in 1974 suggests that the primary goal of the act was to ensure that students (and their parents) in K-12 schools had access to their school records. Buckley and other supporters of the bill felt family access to school records was especially important in light of the tendency for schools to subject their students to invasive surveys about their home lives and then disclose the results of those surveys to the government and other agencies. The Congressional Record offers no evidence that the drafters of the law were at all concerned about the disclosing of educational records by one school employee to another. Nothing from the Congressional Record suggests that any of the bill’s supporters were interested in the issue of the protection or access to educational records at colleges and universities.

Nevertheless, since this inconspicuous birth, FERPA has become an important topic in the field of higher education law. Although not the subject of much litigation (possibly because it does not provide a right of private action), and virtually unknown to practitioners outside the field, college and university lawyers devote substantial resources to creating and maintaining student records policies that comply with this confusing statute.

FERPA prohibits the disclosure of “education records,” a broad term that includes both academic records, such as grades and course schedules, and nonacademic records, such as financial and student discipline records. However, FERPA lists exceptions to this prohibition that allow schools to disclose educational records without the consent of the student. For example, FERPA includes a “health and safety” exception that allows for the disclosure of education records to appropriate parties—which could include administrators, professors, students, or parents—if knowledge of the information is necessary to protect the health and safety of the student or others on campus. A reasonable, good faith judgment that the party receiving the disclosure is appropriate must motivate a disclosure under this provision, and the provision generally allows disclosures only to a limited number of recipients.

In addition, FERPA permits disclosure of education records from one “school official” to another as long as the recipient of the information has a “legitimate educational interest” in it. The statute and accompanying regulations allow institutions broad discretion in defining these terms. “School officials” can refer to almost any school employee, even nonpermanent ones. It can even include students serving on committees and contractors acting on behalf of institutions. A “legitimate educational interest” does not have to be academic. Anything relevant to a school official’s job may be a legitimate educational interest. Therefore, schools can craft records policies allowing for robust information sharing between any campus employees whose jobs relate in some way to campus safety.

Other FERPA exceptions provide further opportunities for disclosure to parents. If a student is under the age of twenty-one, the school may notify parents of violations of the school’s alcohol policy. If a student of any age has been claimed by a parent as a dependent for tax purposes on the parent’s most recent federal income tax return, the school also may disclose education records without the student’s consent.

Although FERPA defines education records broadly, schools may disclose potentially relevant information that the act does not cover. FERPA does not cover any records that either commissioned police officers or noncommissioned campus security forces create. The records must have been generated, at least in part, for law enforcement purposes and only remain outside FERPA to the extent that the law enforcement agency maintains them. If a campus police officer were to disclose a report on a student to, say, the dean of students, then the dean’s copy of the record would become an education record and FERPA would apply to any further disclosures by the dean.

FERPA also does not cover personal observations about a student as long as the person making the observations expresses the observations verbally. For example, a professor could call a colleague and express concern about a student’s lack of participation in class. However, if either the professor making or receiving the observation were to write it down, this written document would then likely become an education record and FERPA protections would apply. The personal knowledge itself would remain unrestricted, even though there is a record.

In short, FERPA does not block information sharing in the context of campus security. The many exceptions to the law provide a number of opportunities for campus employees to share information about a student who worries them. From a practical perspective, though, this confusing and frequently misunderstood law poses a challenge for campus employees to implement. Such employees are not the only ones who have found the law difficult to understand; a congressional attempt to modify the law also demonstrated a misunderstanding of it.

In May 2007, a bill to amend FERPA was introduced. The well-intentioned bill, called the Mental Health Security for America’s Families in Education Act of 2007, H.R. 2220, would have added an additional provision to FERPA regarding the disclosure of information to parents about students who, for mental health reasons, may be a danger to their own health and safety or to the health and safety of others on campus. This superfluous amendment makes disclosure even more difficult for schools than the current law because, under the amendment, the school could only disclose if the student was a tax dependent and if a “licensed mental health professional” had provided written certification that the student posed a significant risk of harm to others and that the disclosure to the parents would help to alleviate that risk. Because of this higher disclosure burden, it is unlikely that it would have served to expand FERPA’s existing provisions. It would not have been a harmless statute, however, because it would have added to the complexity of FERPA compliance, which is one way that FERPA can clash with campus security. The bill never got out of subcommittee, but a slightly modified and equally superfluous version of it appears in the Higher Education Opportunity Act, Pub. L. No. 110-315, which Congress approved in July.

Although FERPA is the major statute governing student privacy, other laws on the subject also exist. At the federal level, one provision in the Health Insurance Portability and Accountability Act (HIPAA), 42 U.S.C. § 1320d et seq., may provide some additional protection for students’ medical records in some contexts, but that is currently unclear. Medical professionals on campus also face patient-doctor confidentiality provisions and codes of professional ethics that address privacy of medical records. According to Robert Ellis Smith’s Compilation of State and Federal Privacy Laws , approximately forty-eight states have their own medical privacy laws and approximately thirty-five have student record privacy laws. The interaction between FERPA, HIPAA, and state confidentiality laws is complicated and unsettled. For example, many state confidentiality laws only allow the disclosure of medical records when the threat to the patient or others’ health is more serious or imminent than the relatively low “health and safety” hurdle that FERPA provides. However, FERPA is more relevant to a discussion of student privacy rights and campus safety because it governs a greater percentage of relevant campus employees than HIPAA or the state medical privacy laws do.

Assessing Campus Safety

All in all, student privacy law does not pose a significant obstacle to campus security. Another problem with the characterization of a direct conflict between privacy and campus security is that it rests on the false assumption that campuses are unsafe. In fact, campuses generally are safe. As nationally renowned criminologist James Alan Fox noted in USA Today on August 28, 2007, and in The Chronicle of Higher Education on February 29, 2008, statistics show that college students are one hundred times more likely to die from suicide or alcohol than they are from a shooting on campus. The data showed that of those shootings that occurred on campuses, most were the result of common criminal activity, as in the case of a botched drug deal. Few were mass shootings in which both the shooter and his or her victims were members of the campus community and in which the shooter seemed to pick victims randomly. Fox noted that in most metropolitan areas a college student’s chances of death by homicide are lower on campus.

Fox also argues that overpublicizing campus shootings can inspire others to attempt such shootings and unnecessarily raise the anxiety level of students. Furthermore, some common steps that colleges and universities have taken to increase campus safety are unlikely to be effective. Because many campus shootings occur in one area and occur quickly, campus lockdown procedures, for example, do little to prevent or
mitigate the damages from a campus shooting. Colleges and universities might increase physical security with the heightened use of campus security guards, metal detectors, and more restrictive policies for off-campus guests. Yet these measures detract from the freedom that many college students want from their college experience. If campus safety were a widespread problem, perhaps a trade-off between safety and freedom would make sense. But given that campuses are basically safe, such a trade-off becomes less reasonable.

What Conclusions Can Be Drawn?

If the shootings at Virginia Tech do not illustrate a direct conflict between student privacy and campus security, what do they show? First, they show that Virginia Tech was profoundly unlucky. Virginia Governor Tim Kaine commissioned a detailed investigation and report on the shootings. The report in part analyzed Cho’s time at Virginia Tech and his many interactions with a variety of administrators, counselors, and professors who had expressed concern about him. Overall, it seems accurate to characterize their actions as diligent, caring, and professional. Several creative writing professors, for example, met with him regularly and suggested that he take further advantage of campus counseling services. Students with mental illness and behavioral problems are not unusual on campuses. Cho exhibited some warning signs, but many other students displaying similar tendencies have not engaged in mass shootings. In fact, according to the governor’s report, two mental health professionals who evaluated Cho just two days apart in December 2005 disagreed on whether he presented a danger to himself. The tragic shootings were an utterly unpredictable event.

Second, the Virginia Tech shootings and the commentary thereafter demonstrated how difficult FERPA is to administer. Well-meaning and hardworking administrators at Virginia Tech may not have realized that FERPA allows so much leeway to share information in cases where campus safety may be implicated. FERPA has confused administrators at campuses across the country, but it is not the only complicated law facing campuses. In the future, when pondering the merits of further regulation of colleges, Congress and relevant agencies should consider the difficulty such institutions face in implementing complex laws, particularly when Congress neglects to provide funding for them.

Third, the shootings call attention to a more general fear of litigation that affects administrators at many campuses. Even if information sharing could have violated FERPA at Virginia Tech, administrators need to recognize that all lawsuits are not equally damaging to a school. FERPA provides no private right of action. If the Department of Education finds that a school violates FERPA, it can decrease federal funding or even terminate it, though that is more a theoretical than a real threat. In fact, it has never happened. Even if the department were to cut off the funding it provides to a given school, the school could still receive federal funding from other sources. Wrongful death suits, on the other hand, are a more immediate and likely result of such a horrific event.

Finally, the shootings raise fundamental questions about the legal relationship between a college and its
students. Higher education law in earlier times developed according to the principle of in loco parentis. Under this framework, colleges and students approximated a parent-child relationship. Students expected their college to protect them and, in return, colleges placed certain restrictions on their students. Starting in the 1960s, this balance began to shift as students saw themselves as full-fledged adults and no longer wanted to cede control to campus administrators. The principles of contract law, through which the student and school contracted with each other for educational services, began to replace in loco parentis across the field of higher education law. Some responses to the Virginia Tech shootings may indicate a desire to revert to earlier attitudes.

Those who blame Virginia Tech administrators for not preventing the shootings demonstrate a belief that colleges and universities should do more to protect their students. It is less clear if advocates of that position are willing to recognize the trade-off between student security and student freedom. Even though no direct conflict exists between student privacy and campus security, a general trade-off exists between freedom and safety. If students want maximum freedom, they need to accept increased risk to their safety. If students want increased protection, they have to be willing to accept limits on their freedom. Different students will answer this question differently, and individual colleges may differ on the particular mix of freedom and protection provided to students. When students fail to recognize this give and take, they are likely to be dissatisfied with whatever particular mix their school offers.

Another factor influencing this shift is the growing demographic of so-called helicopter parents who remain heavily involved in their children’s daily lives, even during their college careers. Neither the traditional doctrine of in loco parentis nor the 1960s-influenced contract relationship between school and student fit exactly with the helicopter parents’ conception of the student-school relationship. Similar to the in loco parentis doctrine, the helicopter parenting model categorizes college students as something less than independent adults but assumes that the student’s actual parent, as well as the college, should fill in the gap. This helicopter parenting model adds to the uncertainty that characterizes the legal relationship between students and their schools.

The shootings at Virginia Tech provide another forum to debate the merits of the potentially competing approaches to higher education law because each approach offers a distinct analytical framework through which one can evaluate the shootings. Furthermore, until educational policy makers reach a consensus on the legal relationship between students and their schools, it is difficult to take measures that might prevent further incidents like the tragedy at Virginia Tech.

Daniel Silverman

Daniel Silverman is a third year law student at Boston College in Newton, Massachusetts. He wrote this article during a summer internship at the American Council on Education.