The Michigan legislature has enacted two new laws, effective March 22, 2017, due to changes in technology and practices as they relate to student information. These statutes make management of student record information more challenging for schools. Under MCL 380.1136, Michigan schools will be required to manage the release of student education record information (including directory information) they would otherwise be permitted to disclose under the Family Education Rights and Privacy Act ("FERPA") in a manner that is much more restrictive than currently permitted by FERPA. Under MCL 388.1239, the operators of internet websites, online services, online applications or mobile applications used primarily in the K-12 setting are required to take steps to ensure their programs do not target students for advertising by using student information captured by the programs.

Tightening FERPA Permissions

A review of FERPA

To understand the new requirements under MCL 380.1136, it is first necessary to undergo a brief review of FERPA. Under FERPA, school districts may designate certain student education record information as "directory information," and then, provided they annually give parents an opportunity to opt out, disclose that information to third parties seeking the directory information. 

A non-exhaustive list of the type of data that is defined as directory information would be: the student's name, address, telephone listing, electronic mail address, photograph, date and place of birth, major field of study, dates of attendance, grade level, participation in officially recognized activities and sports, weight and height of members of athletic teams, degrees, honors,awards received, and the most recent educational agency or institution attended.

The purpose of the directory information exception to FERPA's overall prohibition on disclosure of student education record information is to permit schools to, for example, compile playbills, yearbooks, honor roll lists, athletic rosters and programs, and the like. Provided the information that the school chooses to define as directory information is annually provided to parents by way of a disclosure process and the parents have a chance to opt out of the release of directory information, this data may be released freely.

States are allowed to more tightly regulate student education record information, provided they do not undo the protections afforded by FERPA.

To that end, the Michigan legislature already has taken steps to restrict the use of directory information if the purpose of the use is for marketing or solicitation. Under the Freedom of Information Act, "a public body that is a [public K-12 educational institution] shall exempt from disclosure directory information...requested for the purpose of surveys, marketing or solicitation, unless the public body determines that the use is consistent with the educational mission of the public body and beneficial to the affected students."  MCL 15.243(2).

In addition to the restrictions and protections in FERPA related to directory information and the restriction requiring the schools to exempt directory information from release under Michigan's FOIA if it will be used for marketing purposes and the like, the legislature has recently enacted further restrictions on the use and release of directory information.  

It is very important to note that, although this new law places additional requirements on school districts dealing with the use of directory information and other education record information, it does not change the requirements under FERPA related to the use of directory and education record information. The FERPA exemptions, and the requirements related to those exemptions, as well as the necessity for data-sharing agreements in the circumstances dictated by FERPA, remain unchanged.

New restrictions on education record information

Under MCL 380.1136, school districts, intermediate school districts, public school academies, and educational management organizations are prohibited from selling or otherwise providing to a for-profit business entity any personally identifiable information that is part of a pupil's education records. While not directly specified, this prohibition would also apply to directory information protected by FERPA. The prohibition is not applicable to the provision of student personally identifiable information from a public school academy to an educational management organization with which it has a contract, providing information necessary for standardized testing, or providing to a person information necessary for the provision of educational support services to a pupil, provided that person is under a contract with a public K-12 educational institution.

Disclosure of use of education record information

Further, subject to certain exceptions, in the event of a pupil's parent or guardian request, a public K-12 educational institution is required to disclose to that parent or guardian any personally identifiable information concerning the pupil that is collected or created by the institution as part of the pupil's education records. Additionally, the public K-12 educational institution is required to disclose to a pupil's parent or guardian, upon request, the specific information disclosed, the name and contact information of each person, agency, or organization to which the information has been disclosed, and the legitimate reason that the person, agency, or other organization had in obtaining the information. Under FERPA, schools are required to keep a disclosure log for disclosures of education record information that is not directory information. The new Michigan legislation would essentially require the disclosure log to include tracking of the disclosures of directory information as well.

Schools have 30 days to respond to parental requests, and schools may not bill requestors for any necessary redactions.

Additional notifications and opt-out

Schools are required to develop a list of uses for which they would disclose directory information and an opt out form in which parents may selectively opt their student out of having directory information disclosed for any one or more of the items on the list of uses. The opt out form must be presented to the parent or guardian within the first 30 days of a school year and, thereafter, upon request.

New Requirements for Operators of K-12 Computer Programs

In response to the uptick in so-called "targeted advertising," in which vendors collect information from internet users based on their online behavior (such as visiting certain internet websites, purchasing services on the internet, or depositing personal information through the internet), the Michigan legislature has enacted safeguards related to students who must use online or computer-based services as a result of their attendance in a public school.

Under MCL 388.1291, the "student online personal protection act," certain operators of computer applications and programs that use certain "covered information," defined below, are prohibited from engaging in targeted advertising, using information to amass a profile about a student (except in furtherance of K-12 school purposes), sell or rent a student's information, or disclose covered information, except for purposes directly related to the K-12 school purpose, regulatory and other compliance.

"Covered information," as defined by the statute, means personally identifiable information or material in any media or format that is provided to an operator of a computer program by a parent, guardian or student in the course of the use of the site, service or application for K-12 school purposes, created or provided by an employee or agent of a K-12 school for K-12 school purposes, or gathered by the operator through the operation of the site, service or application for K-12 school purposes. Personally identifiable information includes information in the student's educational record or electronic mail, first and last name, home address, telephone number, electronic mail address or other information that allows physical or online contacts, discipline records, test results, special education data, juvenile dependency records, grades, evaluations, criminal records, medical records, health records, social security number, biometric information, disabilities, socioeconomic information, food purchases, political affiliations, religious information, text messages, documents, student identifiers, search activity, photos, voice recordings, or geolocation information.

Operators of computer programs used in the K-12 setting are required to maintain reasonable security procedures and practices appropriate to the nature of the covered information and protect that covered information from unauthorized access, destruction, use, modification or disclosure, and to delete a student's covered information if the K-12 school requests deletion of covered information under the control of the K-12 school.

Conclusion

The uses of student data and the ability of computer programs and applications to capture and archive student data have caused the Michigan legislature to create detailed safeguards for student education record information.

Schools would be prudent to review their policies to ensure ongoing compliance with these new statutes.