On December 8, 2020, the Privacy & Confidentiality Section Steering Committee hosted a webinar with Heather Briston called “It’s Not as Bad as You Think – Navigating Privacy and Confidentiality Issues in Archival Collections.” Briston, JD, MSI, is the University Archivist and Head of Curators and Collections at the University of California, Los Angeles. View Heather’s slides and the anonymized notes.
We had more than 200 attendees and received fantastic questions on topics including FERPA, HIPAA, PII, social media, third-party privacy, and Indigenous records. Because we ran out of time to answer all of them during the webinar, we shared your questions with Heather afterwards and compiled her responses into this multi-part blog series. In part one, Heather addressed general privacy issues. In part two, she covers FERPA, HIPAA, and records law. We’ll continue posting the other Q&As with Heather over the next few weeks, so stay tuned.
Q1. My repository, as part of our school’s archive, holds examples of student work that displays a grade and comments. They are studio work and beautiful examples of the school’s history of pedagogy that span back to the late 1800s. They are highly requested for display and publication. Sometimes the “grade” is from an external competition and not for their coursework. Also the grades are generally high (the school chose to collect only high quality work). Now there are conversations to conduct a digitization project. Can you point us to some guidelines or workarounds?
A1. This is a great question. It comes up a lot. You have more wiggle room for those that were externally graded in competition, because that is not the grading of the institution that you represent. Also, while there is no legal end-date in the law, it is common practice across universities that they are more open with those student materials that are for a student that they are certain is dead. I have often seen repositories that draw a line at documents where the student would be 115 years old, as it’s pretty rare that people are older than that. It’s trickier when we’re putting materials on the web. Ideally posting items without showing the grade would be an excellent first step, also posting only things where you’re sure people are dead. This is also a public relations risk analysis for those students who may be living – is it better for alumni relations to make some announcements in the next alumni circular about your intentions and give someone the opportunity to opt out? It’s always important to remember any PR blowback that might result even when you can do something, and weighing that in your choices. Also, as with any digitization project you would want to have a clear takedown policy that is well understood within the repository so that complaints can be treated swiftly and equitably.
Q2. What about student work collected by an instructor?
A2. If the students and the instructor are or were a part of your institution – e.g. – your institution’s student records, then FERPA applies. It doesn’t matter whether a faculty, instructor or department holds the records, the federal law still applies.
Q3. Using student records to answer genealogy – is it ever legally permissible to share the record card or must I extrapolate the data in perpetuity?
A3. Technically under FERPA, the prohibition under the law lasts forever (a potential advocacy role for the Privacy & Confidentiality and College & University Archives Sections?). However, in practice, as I noted in a question above, most repositories pick an artificial date after which they are confident that any student would have passed by this point, and they are more likely to make copies of record cards for genealogists and other researchers. Again, there is more risk if they’re put online, and it should be a documented decision of the repository.
Q4. What things do you consider when you are evaluating whether or not you should open records? I am thinking of records that would specifically be protected by FERPA but were created long before FERPA was a thing or after FERPA has expired.
A4. The thing about Federal laws, and particularly for FERPA and HIPAA, the law explicitly did not have any kind of grandfather clause for records already in existence, so they apply to any records that fit within the definition of the law, no matter when they were created. Also, as I note in previous responses – currently FERPA coverage and requirements do not end, unlike HIPAA, and there are no safe harbor actions outlined in the FERPA law. However, as I note above, many colleges and universities have created their own access policies based on a combination of the institution’s risk tolerance and a confidence that anything they’re providing access to is of someone who is long deceased.
Q5. I’m the archivist for an independent school that has been in existence for over 200 years, and I have care of the permanent student records of deceased alumni. My understanding is that FERPA applies only to records of living students and alumni. When responding to family inquiries about ancestors or relatives who attended the school, we share dates of attendance, previous school(s), clubs and interests, etc., but use discretion in choosing what other information to share with the family member, generally not revealing grades or other such records that have remained in the file. We had someone ask us to confirm whether her deceased brother – as family lore had it – got a perfect score on his SAT. He did not, so I simply gave her that answer rather than the exact score. Is this an overall good approach – using our own judgment?
A5. FERPA applies to all students who have attended an institution – whether they are living or not, and whether they graduated or not, and as written the prohibitions on access without permission have no end. However, as you see in the responses above, your approach is similar to those of other repositories that have decided that their risk tolerance is such that records that fulfill certain parameters – such as the person is deceased – are fine for providing access. My one addition here would be to ensure that this is a policy that is written down in your repository and is clear so that it is applied uniformly across all requests and individuals.
Q6. How do I know if my institution is covered by HIPAA?
A6. This documentation from the NIH does a good job of outlining which institutions or parts of institutions are: covered entities and subject to HIPAA; hybrid entities where some parts are covered and others are not, but this has been specifically articulated; or business associates of a covered entity which requires having a legal agreement to define how records are managed.
While this specifically relates to HIPAA and its requirements, which last for life plus 50 years for an individual, there are usually health and medical privacy laws on the books for every state that operate during the lifetime of an individual.
Q7. What laws are federal-regulated versus state regarding privacy issues?
A7. There is no one rule of thumb, but there are by far fewer Federal laws that apply uniformly across the country than there are state laws that deal with issues of privacy. Since privacy is an issue of individual liberty it is most often regulated at the state level. Many states have similar laws that cover topics like defamation, slander and the four basic laws that are set out in the 2nd Restatement of Torts – publicly placing someone in a false light, intrusion upon seclusion, appropriation of name or likeness, or publication of private facts. However, these are the most common rules and coverage can vary by state. For example, California has very strong privacy laws relating to data protection.
Q8. What is the best/easiest way to research state privacy laws? Hopefully, without having to read the entire code looking for the privacy bits.
A8. Unfortunately I am not aware of a good one-stop shop/guide for state privacy laws, the biggest challenge being that across all of the states there are at least 600 different laws relating to aspects of privacy. State laws run the gamut from personal privacy, medical privacy, data/digital privacy, financial privacy, etc. This is also a growing area of law as use of technology often leads to new aspects of privacy law after it becomes better understood, both the possible uses and abuses.