Below is a letter to the editor that I submitted October 25, 2012, to the Michigan Daily regarding an article on the accidental disclosure of students' grades in the course. An edited version of the letter was published on November 1, 2012, and is available here. Below is my original submission, which includes a few points edited out by the Daily and retains my original language.
To the Daily:
Your article about the release of students' grades in violation of privacy laws ("Accidental Grade Leak a Breach of Federal Law", 10/25/12) failed to mention a little-known but key fact about these regulations. It also provides an important opportunity to consider UM's failure to establish a culture that values student privacy.
FERPA, which governs the privacy of educational records, is a largely toothless piece of legislation. If a university is found to be in violation of FERPA, it's up to the Department of Education to ensure that the university modifies its behavior. It can do so only by threatening to remove federal funding, which it can do only if the university refuses to comply. What are the chances the federal government is going to deprive a university of all of its millions of important dollars funding biomedical research and student financial aid over a privacy violation? According to the Student Press Law Center, there hasn't been a single case of a university losing such funding. Crucially, courts have ruled that students whose privacy rights have been violated have no right to sue their educational institutions; this removes the strongest incentive--fear of liability--for universities to ensure privacy rights are protected.
We already live in an educational system too encumbered by bureaucratic regulations and fears of liability. To add needlessly to this would be dangerous, and certainly this isolated accidental disclosure of students' grades in a single course, while unfortunate, shouldn't lead to hundreds of lawsuits against the university. But the weakness of these laws does encourage this university's perfunctory and often cavalier attitude to privacy, as two other recent incidents show.
For many years, the university's online directory publicly revealed students' memberships in email lists. While some list memberships were relatively innocuous, others--such as student (and faculty and staff) memberships in LGBT, religious, and political email lists--certainly deserved privacy. After the new MCommunity directory made this problem more visible, it took the university's IT department months to acknowledge and fix this problem. Indeed, when I contacted the IT department to express my concerns in July 2011, I met a wall of intransigence, and only after significant pressure from the faculty senate were improvements made. (Worse yet, these problems had been known for almost a decade; on January 13, 2004, The Daily reported on similar privacy flaws!)
A second example of the university's overly facile attitude to student privacy occurred when the university released GSI evaluations under a FOIA request from The Daily in winter 2011. I'm not at all blaming The Daily for pursuing its journalistic mission in seeking this information, since the relative performance of GSIs and professors at teaching is of public interest. (It so happened that The Daily's analyses of the data were unfortunately error-laden and misleading, and arguably The Daily could have better balanced graduate student privacy against the public interest by aggregating evaluation data, but these points are not relevant to my argument here.) The university, however, had an obligation to protect the privacy of its graduate student instructors, whose teaching often forms a crucial part of their education as future professors. (Indeed, the argument that teaching is part of graduate students' educational experience is precisely the argument universities make across the country against graduate student unionization.) Many of these evaluations should have been protected from an FOIA request by FERPA, since they constituted educational records for those who teach as part of their educational program; when I contacted the university's legal counsel about this last year, they admitted that they had failed to screen for this. Had FERPA been stronger--if for example the university would have been liable to lawsuits from GSIs--or, more importantly, if the university had a culture that truly respected privacy, I imagine these mistakes would not have been made.
A slightly stronger FERPA might help matters more than it hurts, but universities like UM should hold themselves to a higher standard than the federal regulations anyway. What we need is not more red tape and bureaucracy, nor is it more antagonism between the various constituencies of the university--faculty, administrators, support staff, GSIs, and undergrads. Rather, we need a culture where all parts of the university work together to uphold the university's core values, values that must include privacy along with academic freedom, education, and the pursuit of knowledge.
Ph.D. Student, Department of Mathematics