Under the “new and improved” FERPA, NYSED is permitted to store your child’s PII and outsource it anywhere in the world!
FERPA makes no distinctions based on State or international lines.
While FERPA purports to hold the disclosing entity legally accountable for protecting the confidentiality of PII from education records, the reality is FERPA does not explicitly require that education data be stored within the U.S leaving sensitive student information virtually vulnerable (no pun intended).
Although storing sensitive education records, including medical, behavioral, assessment, and related information in special education case files, within the U.S. is encouraged and considered a best practice by the USDE to ensures that they are subject to U.S. jurisdiction, FERPA does NOT require that the PII be stored in country leaving schools. Given hefty storage fees, Im guessing this will be pretty attractive option.
And for the sound effect: Cha-ching!
No really. Press play- http://youtu.be/Wj_OmtqVLxY
It is important to be aware that it is often difficult to take enforcement actions against entities outside of the U.S. under U.S. privacy laws and regulations, and to hold these entities legally accountable for violations of contracts or written agreements so any outsourced PII material would undoubtedly be thief/hacker heaven!
Think Im exaggerating or being a drama queen? Nope. I wish I was, but sad to say Its all true.
Which best the question, does NYSED intend to sell our kids out……literally?
Read for yourself:
Privacy Technical Assistance Center (US Department of Education):
Question: Does FERPA require that confidential information in the cloud be stored within the United States? Is there a best practice?
Answer: The preamble to the December 2, 2011, amendments to the FERPA regulations states the following in response to a comment on this general subject: “FERPA makes no distinctions based on State or international lines. However, transfers of PII from education records across international boundaries, in particular, can raise legal concerns about the Department’s ability to enforce FERPA requirements against parties in foreign countries. It is important to keep in mind that for a data disclosure to be made without prior written consent under FERPA, the disclosure must meet all of the requirements under the exceptions to FERPA’s general consent requirement. For example, if the conditions under the audit or evaluation exception in FERPA are met, a State educational authority could designate an entity in a different State as an authorized representative for the purpose of conducting an audit or evaluation of the Federal- or State-supported education programs in either State. The disclosure of PII from education records is not restricted by geographic boundaries. However, disclosure of PII from education records for an audit or evaluation of a Federal- or State-supported education program is permitted only under the written agreement requirements in § 99.35(a)(3) that apply to that exception. Under these requirements, the disclosing entity would need to take reasonable methods to ensure to the greatest extent practicable that its authorized representative is in compliance with FERPA, as is explained further under the Reasonable Methods (§ 99.35(a)(2)) section in this preamble. More specifically, an LEA could designate a university in another State as an authorized representative in order to disclose, without consent, PII from education records on its former students to the university. The university then may disclose, without consent, transcript data on these former students to the LEA to permit the LEA to evaluate how effectively the LEA prepared its students for success in postsecondary education” (Family Educational Rights and Privacy, Final Rule. 76 Federal Register 75611-75612 [December 2, 2011]). While FERPA does not explicitly require that education data be stored within the U.S., it does hold the disclosing entity legally accountable for protecting the confidentiality of PII from education records. This includes compliance with the “direct control” requirement that applies to schools and LEAs disclosing PII from education records under the “school official” exception, and the requirement for written agreements and the use of reasonable methods to ensure that the information is adequately protected that applies to SEAs disclosing PII from education records to their authorized representatives under the ￼ ￼Page 5 of 8
“audit or evaluation” exception. Regardless of which exception is used, it is important to be aware that it is often difficult to take enforcement actions against entities outside of the U.S. under U.S. privacy laws and regulations, and to hold these entities legally accountable for violations of contracts or written agreements. Therefore, storing sensitive education records, including medical, behavioral, assessment, and related information in special education case files, within the U.S. would be considered a best practice as it ensures that they are subject to U.S. jurisdiction.