The modern basis of legal privacy protection was established under the Privacy Act of 1974. This federal law made it impossible for federal agencies to arbitrarily misuse records without informing individuals. Prior to this, a number of federal agencies used all sorts of documentation on individuals for inappropriate purposes. Edgar J. Hoover, the first Director of the Federal Bureau of Investigation, was notorious for such practices, and President Richard Nixon pushed the matter to such a limit that the Privacy Act was passed after Nixon resigned from office.
Family Educational Rights and Privacy Act
Under the American federal system, privacy is caught up in a number of laws. The one that impacts the education system the most is the Family Educational Rights and Privacy Act, or FERPA. This piece of national legislation was passed and enacted in 1974. It addressed concerns about kids’ school records and who could have access to them. It also addressed how those records could be used by agencies aside from the school itself. This included grade transcripts and all their integrated information, report cards, behavior and discipline documents, identification information, and even classes taken or scheduled. One of the fundamental changes the Family Educational Rights and Privacy Act instituted was the requirement that any request of a student’s records had to be made in writing to identify the requesting individual. It also required a parent’s approval and consent before the records could be shared by the school.
Access by a parent
In practice, this Privacy Act has created a few practical hurdles for parents as well. Every once in a while, children refuse to cooperate and provide their parents with their school records. This often occurs during the teenage years and with children in split family homes. FERPA requires a school to make such records available to a legal parent within 45 days of a request. A number of states have shortened that period and made it even more responsive than the federal law. The same Act allows parents to review their child’s school records at the school as well, similar to how one can review their personal records in their place of employment at the personnel office.
Access by a third party
When it comes to third parties accessing a child’s school records, the federal law basically makes it illegal for schools to distribute student information at their own discretion. The information can only be released with a parent’s approval. There are exceptions, of course. These include school administration needs between school offices, sending information to a new school a child is transferring to, sharing information with state or federal school regulators, internal office sharing, and law enforcement. Further, basic student directory information is free to share with anyone. This data includes a student’s name, contact information, email, dates of attendance and what grade a student is in at the time or if graduated. The exact details vary from school to school. This directory data is usually noticed at the beginning of the school year and, if parents don’t object, the student’s data is included. Otherwise, parents have to opt out to remove their child’s data.
The federal law makes big changes on student data when the child turns 18 years of age. At this point, usually in college, the data belongs to the student. Parents generally have no access at all unless the student consents. However, there are some exceptions as well. If the parents claim the student as a tax dependent, they can get financial data access. Health or emergency information can be shared on a sick or injured child. If the student broke a law or is being investigated and is under 21 years, parents can be notified by the school, usually when the issue involves drugs or alcohol.
US vs. British Approach to a Privacy Act
Comparing the US approach to privacy to that in the UK signals a number of differences. First off, the UK has no specific, absolute rule of privacy per se for individuals. This is a fundamental protection unavailable to British citizens which has dramatically shaped the way their lives are impacted by monitoring today. Instead, the Human Rights Act of 1998 specifies that people have a right to their private life being respected. Generally, this implies that people will be left alone. However, within the wording of the Act, public agencies are allowed to snoop and monitor where it is a matter of internal security, public safety, investigation or prevention of crime, and to protect the rights of others.
While people might have interpreted this as a general right to privacy, British courts have flat-out said that is incorrect. First, the courts have explicitly stated there is no civil action for an invasion of privacy.
Privacy Breaches in the UK
However, British law does offer protection where data and information are clearly understood to be confidential and the release becomes a breach of confidence. This requires an agreement or requirement that all parties involved understood the data was to be kept private, one party releases the information, and another party is injured by it. Even then, there is not a crime per se. The injured party has to sue the breach actor for the injury recovery.
A third nuance in British law involves the release and misuse of confidential information. Under these circumstances, no agreement is needed. The data just needs to be established as confidential. If a party then releases the data or misuses it, they become legally liable by default.
The Data Protection Act
The British legal system updated privacy laws when the Data Protection Act of 1998 was passed. This law required agencies and organizations to comply with specified data protection, including the elimination of records no longer needed for reasonable use. This law also clamped down on such information being used by third parties without the approval of the information owner. Similar to other civil laws, the Data Protection Act is one that has to be enforced by the injured party by lawsuit. However, a number of early parties have been successful at exacting significant recoveries from organizations that didn’t comply with the Act.
How the UK deals with privacy still remains fundamentally different than in the US, but in practice the two are closing ranks fast. From a law enforcement perspective, both nations are taking great advantage of access to electronic information stored and preserved in a number of databases. This includes employer files, phone company records, government agencies at all levels, and available Internet information, such as that compiled by social media sites and search engines. Much of this information is available for a price, and law enforcement has become quite adept at figuring out where to obtain this information and how to utilize it.
As a result, one of the biggest breakthroughs in information and privacy challenges has been that of data mining. Where previously patterns and trends of a person’s behavior have been hidden in mounds and mounds of records, agencies are now figuring out how to leverage those files quickly and identify pre-determined red flags. This practice is spreading as agencies become more and more familiar with data mining tools and how to use them effectively. Schools are no exception.
The legal system is slow to catch up, but it does respond. In the last two years, US interests have been newly restrained by the need to obtain a subpoena before using monitoring devices on individuals that have not previously been identified under warrants. This has affected both location tools and digital monitoring tools. On the other hand, British interests have been suspended to proactively find and sterilize terrorist problems before they’ve had a chance to act, often by exercising invasive monitoring. These tools are predominantly reserved to law enforcement for now, but they are becoming widely available and easy to purchase, making them more and more attractive to schools, other government agencies and private business. As a result, individual privacy is becoming a bit of a dinosaur in the modern world and will continue down that path. Individuals will become the sole party responsible for restricting their data, and they will have to live with limitations when unwilling to share to enjoy modern benefits.