Insights & Resources

    Back To Insights & Resources
    Redaction

    Can your redactions be reversed?

    School officials take their duty to protect personally identifiable student information (PII) pretty seriously. Yet sometimes, despite best intentions, confidential student information is disclosed by school districts. One such disclosure occurred in connection with the Marjory Stoneman Douglas High School shooter.

    So, what happened? According to media reports, the Broward County Public School District hired a consultant to analyze the school district’s practices after the shootings. A court ordered that a redacted version of the consultant’s report be released. In complying with this order, school officials used software to redact PII from the report. However, when the recipients of the report converted the document into another computer file, the conversion removed the redactions. As a result, a significant amount of personally identifiable student information about the shooter was released.

    How can you avoid a similar result when you respond to requests for educational records and need to redact confidential information? As you likely know, both federal law, the Family Educational Rights and Privacy Act (FERPA), and state law, Ohio Revised Code Section 3319.321, prohibit your district from releasing PII, unless there is an exception that would permit the release of such information. Therefore, if you receive a record request and discover that the record contains PII, you need to determine how and if you can redact all of the PII contained in the responsive documents, as well as any other information protected by exceptions to the Public Records Act. Once you make such redactions, you are then required to release the rest of the record.

    The FERPA regulations define PII to include the following:

    1. The student's name
    2. The name of the student's parent or other family members
    3. The address of the student or student's family
    4. A personal identifier, such as the student's social security number, student number or biometric record
    5. Other indirect identifiers, such as the student's date of birth, place of birth and mother's maiden name
    6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty
    7. Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates

    Unless you have consent to release PII, or unless a FERPA or state law exception applies, such as directory information, you cannot release the information.

    If you have determined that the information can be released, but redactions are necessary, you must determine how you will prepare the redacted record. Since many requests require you to provide electronic versions of records, it is important to familiarize yourself with the options for redacting electronic records, including the available software programs that can assist with these redactions.

    Successful electronic record redaction not only requires knowledge of the program being used to redact but also its limits. Many programs like Adobe Acrobat are not yet smart enough to detect and redact PII. Additionally, many programs still require manual processes that are prone to human mistakes. Employees may think they are redacting correctly or producing documents properly, but often the process leaves significant room for error – from both a technological and clerical standpoint. For example, PDF documents are constructed with layers of text and images. Using the built-in redaction tool merely puts a mask over an image or text. It is not a foolproof method of redaction, since it essentially adds another layer to the document. The layer could ultimately – and easily – be peeled back to reveal what’s underneath.

    Of course, this is only one of the many problems with redacting electronic records. For instance, it does no good to redact a student’s name from the text if it appears in metadata that you inadvertently release.

    Given these issues and the frequency of record requests, it is important for building leaders to understand the legal requirements and limitations of redaction software programs and to work with IT teams to navigate the potential pitfalls when redacting electronic records. We also recommend instituting quality control procedures and integrating human review in such procedures to ensure that no protected information slips through the cracks.

    For more information regarding proper redactions, we recommend Adobe Acobat’s white paper on using redactions.

    This article was reprinted from the “Legal Update” that was distributed to OASSA (Ohio Association of Secondary School Administrators) members. 

    Download PDF