Many institutions are reporting receipt of a letter dated June 26, 2017 from the New York Office of Campus Safety with an attached Notice of Audit (“Notice”) pursuant to New York Education Law Article 129-B (N.Y. Educ. Law §§ 6439–6449). The Notice seeks data submissions relating to the provision of Article 129-B and it includes 23 separate requests for information and documentation. The response to the Notice must be postmarked no later than July 7, 2017.
This audit comes at a time when key institutional personnel, including student affairs professionals, are away from the office on vacation and some institutions are closed. In addition, the short turnaround requested (fewer than 10 calendar days over a major holiday weekend) gives very little time to gather the responsive materials, let alone review and redact them if necessary. The time period is far less than what is required to respond to a discovery demand under the New York Civil Practice Law and Rules.
We believe that it is unclear whether FERPA permits the release of personally identifiable student information to the New York Office of Campus Safety, which is an office of the New York Division of Criminal Justice Services and not an office of an education agency.
The Audit Request
The statute at § 6449 provides only for the collection of aggregate data, consistent with the statute’s emphasis on confidentiality and respect for the privacy of those involved in the process. Section 6449(3) emphasizes that, even when collecting aggregate information “the department shall not release the information, as provided for in this section, if it would compromise the confidentiality of reporting individuals or any other party….”
Eleven of the 13 requests in the Notice contain statutory references to the applicable section of Article 129-B as authority for the requested data. Two of the requests, numbers 9 and 10, contain no reference to the statute and there does not appear to be any specific section of the statute that supports the sensitive nature of the data sought in requests 9 and 10. Additionally, request number 4 seeks copies of all “no contact orders” issued by the institution, although there does not appear to be a statutory basis for such a request. Number 6(a) seeks data on all students subject to interim suspension, although that request also appears to be beyond the scope of the referenced statutory section.
Compliance Next Steps
Notwithstanding the unrealistic time frame to respond to the audit requests and credible questions about the statutory basis for specific requests, institutions must begin to prepare a response.
Request an Extension
We encourage institutions that do not anticipate that they will be able to comply with the aforementioned deadline to contact Deputy Director Stacey Hamilton by telephone to request an extension and follow up with a written request and/or confirmation.
Prepare Materials for Submission
Institutions should plan to submit easily accessible data such as policies, blank forms, website material by July 7, 2017, or the extended deadline, and include a cover letter indicating that, where applicable, additional materials will follow as soon as possible. In that cover letter, the institution may articulate the factors, if applicable, that make it difficult to respond within the narrow time frame allotted. One of those factors may be that the materials have to be carefully reviewed in order to redact confidential information in accordance with the privacy considerations emphasized in Article 129-B and other privacy laws.
We suggest that with regard to request numbers 1, 2, 3, 5, 6(b), 7, 8, 11, 12 and 13, institutions collect the documents and data developed over the past academic year (Fall 2016 to Spring 2017). Note that for request number 12 regarding campus climate assessments, institutions should exercise care when preparing a response to prevent the identification of any particular student.
Concerns with Respect to Disclosure
Request number 4 asks for information and documents regarding each request for a “no contact order” received by the institution. Institutions may decide to provide a copy of the institution’s template “no contact order” language, rather than specific orders, together with data on the number of orders issued and the number of orders that were changed. Although the New York State Office of Campus Safety appears to be seeking copies of specific “no contact orders” that include the names of the students, it is unclear that they have the right to this personally identifiable information under FERPA.
Similar consideration applies to request number 6(a). It may be acceptable in the initial response to provide aggregate data on interim suspensions and not data that could identify a specific student. In light of the statute’s emphasis on confidentiality and privacy, and the fact that the statute refers to aggregate data, the Office of Campus Safety may not have the authority to receive personally identifiable information.
A separate issue is the scope of request numbers 9 and 10, which seek an academic year’s worth of records relating to all reports of incidents covered by Article 129-B and all records involving misconduct hearings covered by Article 129-B. These requests are overly broad, are seriously inconsistent with the statute’s emphasis on confidentiality and privacy, and are not in accord with the statute’s authorization to collect aggregate data. Institutions should be consistent in the documentation provided for each case and should make sure information does not contain personally identifiable information about students while this issue remains unresolved.
In a letter to the Office of Campus Safety dated June 29, 2017, the Commission on Independent Colleges & Universities in New York (CICU) has raised the question of redacting personal information pertaining to students.
If you have questions please contact a member of our Higher Education Group.