Electronically Sending Personally Identifiable Information to Unsecured Email Address May Violate FERPA
Author: Michael Tucker, Attorney at Law
The band director at a Kentucky school district (“District”) sent an email to a student’s parent regarding the student’s removal from band. The email was sent to the parent’s work email address, not the personal address that was provided to the District when the parents initially completed the student’s registration.
School closures due to the COVID-19 pandemic have forced local educational agencies (“LEA”) to rely more heavily on electronic communication. However, FERPA and other privacy provisions still apply to communication of personally identifiable information.
IDEA regulations also explicitly give LEAs the option to send notices required by IDEA to parents via email as long as the parent “elects to receive notices … by an electronic mail communication [and] the [district] makes that option available.” (34 CFR §300.505.) Nonetheless, given the potential ramifications for not sending notice, LEAs will need to consider how to document the fact that notice was sent and that parents have elected to receive notices via a particular email address. For many families, email should be sufficient provided that the parent has elected to receive notices via email. However, for other families, who may not regularly use email or have access to email, mailing a hard copy may be necessary.
As such, LEAs should take care to confirm email addresses with parents to ensure: 1) that the email is secure and private; and 2) that the parent consents to use that email address. It may be convenient to immediately reply to an email received from a parent from an email address that is different than the email provided by the parent as the appropriate means of contact. However, as this guidance points out, an LEA should still confirm consent to receive sensitive information, including notices, at that address prior to sending to ensure that private information remains confidential.