We omitted the child’s name. We redacted all of the personal information. We’re OK….right?

Yesterday we told you about the case from New York where a Director of Pupil Services is facing possible personal liability for disclosing confidential medical and educational records without parental consent.  The court held that the Director might be liable for this, but whether that will actually happen will be decided later.  One of the issues the court will eventually have to deal with is the fact that much of the student’s information was redacted.

At this early stage of the litigation, the court addressed this issue in a footnote:

Notwithstanding Defendants’ claim that “the district redacted personally identifiable information from the records in the referral packets,” the Court must accept as true Plaintiffs’ allegation that “the redacted documentation contained personally traceable information which was sufficient to identify the individual and, indeed, one of the recipients of the documents was able to identify the student based on the documents.”

In other words, redaction does not always get the job done.  FERPA regulations define “Personally Identifiable Information” to include:

Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.  34 CFR 99.3.

If a “reasonable person” in your “school community” is likely to be able to figure out who you are talking about, then you have not redacted enough.  You have disclosed “Personally Identifiable Information” without ever using the student’s name.

The case is W.A. v. Hendrick Hudson Central School District.  We found it at 67 IDELR 178 (S.D.N.Y. 2016).


 File this one under:  CONFIDENTIALITY

Tomorrow: a regular family feud breaks out at the ARD meeting.