“Your data’s yours no matter on whose server it lives.” - Senator Ron Wyden (D-OR), 9/15/14
As companies and government entities continue to collect personal data en masse for business purposes and criminal investigations, remarks such as Sen. Wyden's are beginning to resonate with the public.
Much personal data is collected with the aid of existing laws--like the Electronic Communications Privacy Act of 1986 and the ‘third-party doctrine,’ a legal precedent established in the 1979 Supreme Court Decision Smith v. Maryland which stated that an individuals have no “expectation of privacy” regarding the numbers they dial since any telephone service would then have to relay those numbers and hence log them for legitimate business purposes.
Senator Wyden, along with many other like-minded lawmakers and technology groups, argue that the laws and precedents established decades ago do not adequately account for the current digital age of information. Historically, 4th Amendment ‘search and seizure’ protections have applied to physical documents and locations, but it has been a much different story for digital information, as any quick internet search can confirm. For example, Microsoft challenged the U.S Government over the government’s right to inspect data from customer emails held in data centers abroad. This is an interesting case since it could have a significant impact on international data jurisdiction, but ultimately the fact that Microsoft is being held in contempt of court for refusing to hand over the information illustrates that under current U.S law and court opinion, personal information stored by any third party is not very difficult for separate entities to obtain, and it is not considered private.
Given the amount of personal information that can be shared amongst entities in the digital sphere without explicit consent, should institutions be wary of using third-party vendors for records storage or email service?
The short answer is no, since the Family Educational Rights and Privacy Act (FERPA) provides a set of legal requirements that protect education records contained within the hosted systems regardless of who maintains them. But the onus is still on the institution to lay out the explicit terms of service.
“Any discussion concerning the world of vendor contracting needs to start with the understanding that FERPA is technology neutral so long as any resulting disclosures are FERPA compliant," said LeRoy Rooker, Senior Fellow and resident FERPA expert at AACRAO.
Regardless of how or where the information on students is stored, FERPA requires that the institution own and control the education record, which includes emails.
“At a minimum, vendor contracts should include terms relating to the ownership of the data being stored, the status of deleted information, how data will be protected, and limitations of the use of data,” Rooker said.
There are number of exceptions to obtaining consent that have to do with using data contained within the record. The 2012 Amendments made sharing information to parties with a ‘legitimate educational interest’ much easier so that state and federal education agencies could “evaluate education programs… and contribute to a culture of innovation and continuous improvement in education” (2012 AACRAO FERPA Guide, 184). And of course, if a warrant is issued for information in an education record it must be complied with. However, for every exception to signed consent used to disclose, a record must be maintained of each disclosure and a reasonable effort must be made to notify the student before the disclosure, either through an annual notification or direct contact, if applicable. In short, regardless where data lives it is still the student’s (and protected by the institution).
Legislation in the works could change the status quo for the larger consumer network. Senator Wyden has introduced a bipartisan bill that would require warrants to use Global Positioning System Data when tracking individuals (right now, no warrant is necessary to use such data in connection with criminal investigations). Other bills go farther still, such as the USA FREEDOM Act and the Do Not Track Online Act, which require more stringent control and recordation of data collection and use without consent by the government and by companies, respectively. In fact, some lawmakers are not happy with the amount of information that can currently be shared under FERPA; to wit: the Protecting Student Privacy Act of 2014 would amend FERPA to ensure that student data handled by private companies would have even stricter requirements to ensure they are secure. However, given the current pace of legislative output, it may be a while before any change is affected.
If you would like more information on FERPA and third-party contractors, feel free to ask the FERPA Professor, email ferpa@aacrao.org, check out the 2012 AACRAO FERPA Guide, or keep reading AACRAO Connect!