An Intro to FERPA and Tableau Platform Considerations: Part 1
The Family Education Rights and Privacy Act (FERPA) frequently arises when an educational institution or agency is evaluating the Tableau platform. This series serves as a cursory introduction to the topic. The first post provides context and background on FERPA. The second post considers easy-to-overlook pitfalls of a simple, public-facing use case. The series is intended to be most helpful to new Tableau platform users, though more advanced users may find the highlighted Tableau features of interest.
A Cautionary Note and Limitations to the Information Provided
It is hoped readers (particularly those new to the topic) will find this material a helpful starting point on FERPA and Tableau. However, given the complexity of FERPA, these posts do not — nor are they intended to — serve as legal or policy guidance. Simply put: I am not qualified to make such recommendations for your institution. Decisions related to education record management should be made with the awareness and advice of your institution or agency’s appropriate compliance team, which may include legal counsel. Many institutions have (extremely helpful!) administrators who specialize in FERPA compliance and similar regulations.
Identify and engage with your institution’s appropriate internal parties before making purchase or implementation decisions that may have FERPA implications. The potential institutional risks related to FERPA violations are significant; the Act states that violators may be at risk of losing eligibility for federal funding. For quick reference in your future conversations, here are Tableau’s license and service agreements (https://www.tableau.com/legal) and security details (https://www.tableau.com/security).
Background on FERPA
The Family Education Rights and Privacy Act of 1974 instructs educational institutions and agencies on the protection and disclosure of educational records. Generally speaking, the federal law prohibits the disclosure of personally identifiable information (PII) without the prior consent of a parent or the student if over the age of 18.
More specifically, FERPA defines three basic rights for students or former students:
- To inspect their own records, except for confidential letters of recommendation and financial records of parents;
- To request correction; and
- To restrict access to personally identifiable information.
The third right is the most complicated, and it is the most common reason FERPA considerations are raised in the context of the Tableau platform. Institutions may be found in violation for either inappropriate disclosure or withholding of applicable education records. For these reasons, FERPA is inseparable from any discussion of an institution's data and analytics strategy.
Disclosure of Personally Identifiable Information
Clearly, the ability to protect privacy is a major focus of the Act, as it’s in the name. Collected information that could be used on its own or in combination to distinguish an individual falls under the heading of protected PII. Some protected PII attributes are readily identifiable, such as a student’s name or student identification number. Other attributes are less distinct and qualify based on the ability of a third party to reasonably identify an individual.
The attributes protected from non-compliant disclosure include:
- Student name;
- Student’s parent or other family members;
- Address of the student or student’s family;
- Other personal identifier, such as the student’s social security number, student number, or biometric record;
- Other indirect identifiers, such as the student’s date of birth, place of origin, or mother’s maiden name;
- Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; and
- Information requested by a person the education agency or institution believes knows the identity of the student to whom the education record relates (Family Education Rights, 1974, Part 99.30).
What constitutes “disclosure” of information? According to the Act, “Disclosure means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written, or electronic means, to any party except the party identified as the party that provided or created the record” (Family Education Rights, 1974, Part 99.3). In the context of Tableau, governing access to underlying data and the visuals produced is an important consideration tied to disclosure.
Disclosure Request Recordkeeping
Relatedly, institutions have recordkeeping requirements around the request and disclosure of educational records. An institution “must maintain a record of each request for access to and each disclosure of personally identifiable information from the education records of each student” (Family Education Rights, 1974, Part 99.31). Request and disclosure records are to be retained as long as the educational records are maintained.
Exceptions to Prior Consent for Disclosure Requirements
Simple enough, right? Adding complexity to compliance efforts, there are exceptions to the disclosure restrictions and limitations on the types of information covered under FERPA’s umbrella. Among others, exceptions include:
- Directory information (if appropriate notice and consent given);
- Others within the institution (“school officials”) who have a “legitimate educational interest” for the information in order to perform their job. “Reasonable methods” must be in place to ensure appropriate controls for such access — physical, technological or policy;
- Contractors, consultants or volunteers to whom the institution has outsourced institutional services or functions for which it would otherwise use employees;
- Health or safety emergency;
- Law enforcement unit records;
- Victims of crimes or non-forcible sex offenses after disciplinary action has concluded;
- Parents of students under 21 who violated any law or policy concerning the use or possession of alcohol or controlled substance;
- Compliance with a judicial order or subpoena, as long as reasonable effort to contact the student was taken first;
- Student is a dependent for tax purposes under IRS rules;
- Personal knowledge or observation not based on information contained in an educational record;
- De-identified records and information (Family Education Rights, 1974, Part 99.31).
At this point, whether or not you’ve started using Tableau, you may be thinking of data sets that fall under the above-mentioned criteria. Such data likely includes student names, IDs, addresses, and phone numbers in addition to valuable metrics or counts, e.g., earned course credit or account balance. Perhaps you’ve had someone outside of your division ask if you could pass along this dataset. You may have paused to question how much “sanitizing” of the data must be done before sharing.
Striking the right balance between protecting student privacy and supporting the people and mission of the institution can be a time-consuming and nerve-racking procedure, particularly if data is shared in such a manner on a regular basis. However, the risks of inattention or disregard are significant.
Violation Reporting and Enforcement of FERPA
So far I’ve touched on the aspects of what does or does not constitute compliance with FERPA. But what happens in the event student names or other PII are improperly released? Further, who is responsible for enforcement of the Act’s provisions?
FERPA compliance is enforced by the Family Policy Compliance Office (FPCO), part of the Department of Education. While FERPA establishes rights for students, it does not establish a private right of action. Instead, the FPCO takes action on violations. This means an individual who believes their FERPA rights have been violated may seek recourse by submitting a complaint to the FPCO for investigation.
What does the volume and resolution of FERPA complaints look like? In 2018, an audit by the U.S. Department of Education, Office of the Inspector General focused on the effectiveness of FPCO to investigate and respond to complaints. The audit found evidence of a significant complaint bottleneck, a 2+ year backlog of open investigations, and mis-prioritized allocation of funding toward training and outreach programs.
Regardless, the potential risk to institutions of FERPA violations is not taken lightly – entities found in violation of FERPA are at risk of losing eligibility for federal funding.
Up Next: FERPA Compliance Considerations in a Public-Facing Viz
FERPA questions typically center around the Tableau Online, Tableau Server or Tableau Public products, rather than Tableau Desktop or Tableau Prep Builder. This is because Tableau Online, Tableau Server and Tableau Public are the sharing and collaboration functions of the Tableau platform, i.e., they provide access to data beyond the original author. The broader and less restricted the access to shared content, the greater the potential risk of FERPA non-compliance.
In the subsequent posts on this topic, I’ll examine two scenarios related to publishing public-facing content. The two approaches illustrate how Tableau’s products intersect with FERPA compliance considerations. I’ll call out some common missteps, as well as highlight features that can help manage and govern sensitive information. The scenarios focus on a common public-facing use case: an interactive institutional factbook. I’ll also touch on the subtopics of privacy suppression for small n’s, extract aggregation, and Tableau’s embedded analytics solution.
Ready for a deeper dive into FERPA? See the listed references for this post. The Department of Education’s FERPA website in particular includes a library of articles delving into nuances of FERPA that may be relevant to your situation.
Family Education Rights and Privacy Act of 1974, 20 U.S.C. § 1232g: 34 CFR Part 99 (1974).
U.S. Department of Education, Office of Inspector General. (2018). Office of the Privacy Officer’s Processing of Family Educational Rights and Privacy Act Complaints (ED-OIG/A09R0008). Retrieved from https://www2.ed.gov/about/offices/list/oig/auditreports/fy2019/a09r0008.pdf
U.S. Department of Education. (2018, March 1). Family Policy Compliance Office (FPCO) Home. Retrieved April 4, 2020, from https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html