July 18, 2014; Minnesota State Colleges and Universities
7/18/2014 10:14:43 AM
Note: In 2023, the legislature amended Minnesota Statutes section 13.32, subdivision 5, to limit what data may be designated as directory or limited directory information. This statutory change does not apply to post secondary institutions.
This is an opinion of the Commissioner of Administration issued pursuant to Minnesota Statutes, section 13.072 (2013). It is based on the facts and information available to the Commissioner as described below.
Facts and Procedural History:On June 4, 2014, the Information Policy Analysis Division (IPAD) received an advisory opinion request from Kristine Legler Kaplan, Deputy General Counsel for Minnesota State Colleges and Universities (MnSCU). In her letter, Ms. Kaplan asked the Commissioner to issue an advisory opinion regarding the treatment of certain data that the entity maintains. Ms. Kaplan provided a summary of the facts as follows: On behalf of Minnesota State Colleges and Universities (MnSCU), I am writing to request an Advisory Opinion on a matter concerning the interplay between the Minnesota Government Data Practices Act (MGDPA) and the federal Family Educational Rights and Privacy Act (FERPA)... The regulations implementing FERPA have, in many respects, been incorporated into the MGDPA to avoid inconsistency between the state and federal laws. Among those incorporated regulations is 34 [Code of Federal Regulations] 99.31, which enumerates exceptions to the general rule [e.g. directory info] that student consent is required for a college or university to release personally identifiable student information to third parties.
Issue:Based on Ms. Kaplan's opinion request, the Commissioner agreed to address the following issue:
Discussion:As noted by Ms. Kaplan above, both Minnesota and federal law govern access to data about students. Minnesota Statutes, section 13.32, classifies educational data and incorporates much of the federal Family Educational Rights and Privacy Act (FERPA), 20 USC 1232g, and its implementing regulations, 34 CFR Part 99. In general, data about students are private and may not be released without consent. (See section 13.32, subdivision 3.) However, section 13.32, subdivision 5, classifies data designated as directory information pursuant to 34 CFR 99.37(a), as public data. Directory information "means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed." (See 34 CFR 99.3). Directory information may include a student's name, address, photograph, and participation in sports or activities, among other data elements. (See Advisory Opinions 01-078, 04-011, 04-065, and 09-021, which discuss directory information further.) The 2011 changes to the regulations implementing FERPA, described by Ms. Kaplan, allow for educational agencies and institutions to designate "limited directory information." 34 CFR 99.37(d) provides: In its public notice to parents and eligible students in attendance at the agency or institution that is described in paragraph (a) of this section, an educational agency or institution may specify that disclosure of directory information will be limited to specific parties, for specific purposes, or both. When an educational agency or institution specifies that disclosure of directory information will be limited to specific parties, for specific purposes, or both, the educational agency or institution must limit its directory information disclosures to those specified in its public notice that is described in paragraph (a) of this section. In her opinion request, Ms. Kaplan wrote: In part because of the MGDPA's "all-or-nothing" rule on public data, a number of MnSCU schools have adopted very limited definitions of directory data in order to protect their students from unwanted contacts, such as marketing campaigns, or even targeting for criminal acts. Such a policy creates administrative barriers and prevents colleges and universities from "disclosing" student information for educationally-related purposes without additional consent procedures. For example, a two-year college that does not list mailing addresses as directory information is limited in providing that contact information to MnSCU universities to assist in recruitment for four-year college degree programs; a university that does not include photos as directory information cannot create a graduation program with photos absent specific consent; and MnSCU schools must seek consent to provide student email addresses to other students or their affiliated foundations unless they are directory information also available to the general public.
The Commissioner agrees that MnSCU, as well as other educational agencies and institutions, may designate limited directory information consistent with Chapter 13. However, with regard to access to such data, Chapter 13 is preempted by the FERPA regulations. (Where a state and a federal law conflict, the federal law governs. See also Advisory Opinion 04-068, discussing FERPA's preemption of the six month limitation on a data subject's access to data pursuant to Minnesota Statutes, section 13.04, subdivision 3.) Limited directory information is one of the few situations where the federal government has provided greater privacy protection for certain data than the State. Therefore, unlike general directory information, which is accessible to anyone, for any reason, educational agencies and institutions may restrict access to limited directory information to those specific parties and/or for those specific purposes identified in the annual FERPA notice. Consequently, entities that choose to designate limited directory information may have two sets of data: one that is general directory information and one that is limited directory information (pursuant to 34 CFR 99.37(d)). Opinion:Based on the facts and information provided, the Commissioner's opinion on the issue Ms. Kaplan raised is as follows:
Spencer Cronk
Dated: July 18, 2014 |
Educational data
Limited directory information
