United States District Court, N.D. Illinois, Eastern Division
June 2, 2015
UNITED STATES OF AMERICA, ex rel. LIZETTE MUNOZ and WESLEY FRENDT, Plaintiffs/Relators,
COMPUTER SYSTEMS INSTITUTE, INC., Defendant.
Judge Robert M. Dow
MEMORANDUM OPINION AND ORDER
SHEILA FINNEGAN United States Magistrate Judge
Plaintiffs-Relators (“Relators”) have brought this qui tam action on behalf of the United States of America alleging that their former employer, Defendant Computer Systems Institute, Inc. (“CSI”), a for-profit educational institution, violated the False Claims Act, 31 U.S.C. § 3729 et seq., by making a number of misrepresentations to the Department of Education, its accrediting agencies, and prospective students. Relators allege that these misrepresentations enabled CSI to secure student financial aid in the form of loans and grants from the federal government.
In the course of discovery, Relators asked CSI to produce a variety of information about its former students over the four-year period from January 2008 through December 2011, including: student ID, date of birth, graduation credential (i.e., high school diploma, GED or Ability to Benefit), attendance, course of study, and non-Title IV loan tuition paid by a student or on a student’s behalf. Relators claim that this data is necessary to enable them to perform statistical analyses that will prove CSI made false statements about (1) student job placement rates, (2) student eligibility to take certification examinations without a high school diploma or GED, (3) commissions and bonuses paid to Admissions Representatives, and (4) the amount of revenue CSI derives from non-Title IV program funds. CSI objects that the information is overly burdensome to produce because the school must first give each former student notice and an opportunity to opt out pursuant to the Family Educational Rights and Privacy Act (“FERPA”). Relators respond that notice is not required for former students when, as they claim here, the data in question all constitute “directory information” under the statute.
For the reasons set forth here, the Court finds that FERPA does not require an educational institution to notify former students prior to disclosing directory information, and CSI’s objection in that regard is overruled. The Court also finds that for purposes of this case, directory information includes student ID, date of birth, course of study, and time period when a student attended CSI (but not specific dates the student attended each class). It also includes whether the student has been awarded a high school diploma or GED, but not whether the student took and passed the Ability to Benefit (ATB) test to qualify for student aid. Likewise, tuition payments made by ESL students do not qualify as directory information under the statute.
A. Notice and Opt Out Requirements Under FERPA
FERPA “was adopted to address systematic . . . violations of students’ privacy by unauthorized releases of sensitive information in their educational records.” Daniel S. v. Board of Educ. of York Community High Sch., 152 F.Supp.2d 949, 954 (N.D. Ill. 2001) (quoting Jensen v. Reeves, 45 F.Supp.2d 1265, 1276 (D. Utah 1999)). In that regard, schools and educational institutions that receive federal financial assistance are not allowed to disclose “personally identifiable information other than directory information . . . without parental consent.” Disability Rights Wisconsin, Inc. v. State of Wisconsin Dep’t of Public Instruction, 463 F.3d 719, 730 (7th Cir. 2006). Personally identifiable information includes, without limitation, “the students’ names, names of their parents or other family members, the addresses of the students or their family, any personal identifiers such as social security numbers or student numbers, a list of personal characteristics that would make the students’ identities easily traceable or any other information that would make the students’ identities easily traceable.” Id. (citing 20 U.S.C. § 1232g; 34 C.F.R. § 99.3).
Directory information is “a type of personally identifiable information not usually considered harmful [or an invasion of privacy] if disclosed.” Id.; 34 C.F.R. § 99.3. It includes, but is not limited to, the student’s name; address; telephone number; email address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance (e.g., academic years, semesters or quarters when enrolled); degrees, honors, and awards received; and the most recent educational agency or institution attended. 34 C.F.R. § 99.3. An educational institution is allowed to disclose “directory information” if:
it has given public notice to parents of students in attendance and eligible students in attendance at the institution of:
(1) the types of personally identifiable information the agency has designated as directory information;
(2) the right to refuse to let the institution disclose any or all of those types of information about the student; and
(3) the period of time to notify the institution in writing that he or she does not want any or all of those types of information about the student designated as directory information.
34 C.F.R. § 99.37(a). The rule is different for former students. Specifically, an educational institution
may disclose directory information about former students without complying with the notice and opt out conditions in paragraph (a) of this section. However, the agency or institution must continue to honor any valid request to opt out of the disclosure of directory information made while a student was in attendance unless the student rescinds the opt out request.
34 C.F.R. § 99.37(b).
“Under FERPA, each educational institution can choose whether to make the various categories of directory information public or not.” Electronic Privacy Info. Ctr. v. United States Dep’t of Educ., 48 F.Supp. 3d 1, 20 (D.D.C. 2014). Prior to May 2011, CSI did not designate any student identifier as directory information, choosing to forego the ability to disclose such information. As a result, CSI did not provide students in attendance at the time either with notice that such information may be disclosed or with an opportunity to opt out. Between May and December 2011, CSI changed its policy and decided that instead of designating nothing as directory information, it would designate the following student identifiers: student name; address; telephone number; email address; enrollment status; program of study; photograph; degrees and awards received; and dates of attendance (the “2011 categories”). (Doc. 149, at 10). Students attending CSI from May through December 2011 received notice of these categories and a chance to opt out as required by section 99.37(a).
Relators are seeking information relating to former students who attended CSI before January 2012. CSI has agreed that pursuant to section 99.37(b), it may produce the 2011 categories of directory information for any student who did not opt out between May and December 2011. The question is whether CSI may also produce other categories of directory information for those same students, or produce any directory information for students in attendance before May 2011 who never had a chance to opt out since nothing had been designated as directory information at the time.
CSI reads the statute to require that an educational institution never disclose any directory information of current or former students unless the institution has at some point (1) designated which student identifiers fall within that definition, and (2) given students notice and an opportunity to opt out. With respect to the designation element, CSI notes that directory information “comprises different categories of information depending on the categories of information that an institution chooses to publicly identify as ‘directory.’” (Doc. 149, at 10). The University of Illinois-Champaign, for example, designates date of birth as directory information. Academic Policies and Regulations, § 3-602(c) (http://studentcode.illinois.edu/article3part63-602.html, last visited May 20, 2015). The University of Michigan does not. University of Michigan Student Rights and Student Records (http://ro.umich.edu/ferpa/, last visited May 20, 2015). In CSI’s view, since it affirmatively designated only certain categories of directory information from May through December 2011, absent consent, it cannot disclose any other categories of information for students who received the notice and did not opt out. (Doc. 149, at 10).
The Court agrees that when it comes to current students, nothing may be disclosed as directory information unless an educational institution has given the proper notice, which includes designating the specific student identifiers that will be subject to release. See Electronic Privacy Info. Ctr., 48 F.Supp. 3d at 20 (“[I]t is within Georgetown University’s discretion to decide whether it will publicize student ID numbers by requiring that they be placed on a student badge.”). For this reason, students in attendance at CSI from May through December 2011 had to be notified about which categories of information CSI intended to disclose as directory information while they remained students. For example, had CSI failed to notify current students that it treated email addresses as directory information, then it would not have been allowed to disclose the email addresses of those students while they remained in attendance at CSI.
With respect to former students, however, educational institutions are expressly allowed to disclose “directory information” without complying with the notice and opt out requirements. 34 C.F.R. § 99.37(b). The regulations do not state that once an educational institution selects particular student identifiers as directory information, no other categories can qualify as directory information for its former students. Thus, CSI’s decision to designate certain categories as directory information in May 2011 has no bearing on whether identifiers that clearly fall within the statutory definition of directory information but have not been designated as such nonetheless may be disclosed for former students.
CSI insists that even if it is not limited to disclosing only those student identifiers it designated in May 2011, it still must give all former students an opportunity to opt out before any new categories of directory information are disclosed. This argument focuses on the second sentence of section 99.37(b), which states that educational institutions “must continue to honor any valid request to opt out of the disclosure of directory information made while a student was in attendance unless the student rescinds the opt out request.” CSI says that “for the regulation to make sense, there must have been public notice when the former students were attending the institution. Otherwise, the opportunity to object under FERPA would be meaningless.” (Doc. 149, at 12). The Court disagrees.
The regulations plainly state that educational institutions are allowed to disclose directory information of former students “without complying with the notice and opt out conditions.” 34 C.F.R. § 99.37(b). See also 73 F.R. 15574-01 (Mar. 24, 2008) (an educational institution “does not have to notify former students about its policy on directory information disclosures and their right to opt out.”). Though an educational institution must continue to honor opt outs made when students were in attendance there, the regulations do not mandate that students who were never given an opportunity to opt out (e.g., because the school did not designate any identifiers for disclosure at the time of attendance) receive a chance to opt out as former students. In fact, the regulations do not even require that educational institutions notify former students that they have changed the categories included as directory information. Thus, a now-former student who had an opportunity while enrolled to opt out but chose not to when directory information included only name, email address and major field of study, has no right to notice if, after graduation, the school decides to expand the definition to include other identifiers the student might find objectionable, such as address, photograph and date of birth. In such circumstances, where a now-outdated version of a prior notice suffices for purposes of section 99.37(b), it makes no sense to require an educational institution to notify former students about which identifiers may constitute directory information merely because the prior “definition” included none and the new definition includes every possible identifier listed in the statute.
The cases CSI relies on deal with current as opposed to former students and therefore are not instructive on this issue. See Electronic Privacy Info. Ctr., 48 F.Supp. 3d at 20 (addressing university decision to require that student ID numbers be placed on student badges); Zomba Recording LLC v. Does 1-15, No. 08 C 31-HRW, 2008 WL 10722357 (E.D. Ky. June 2, 2008) (requiring notice to current students before releasing their directory information pursuant to subpoena where “the record does not reflect whether [the university] provides the type of annual notice contemplated by FERPA.”).
The only possible exception is Alberts v. Wheeling Jesuit Univ., No. 5:09-CV-109, 2010 U.S. Dist. LEXIS 40816 (N.D.W.V. Mar. 29, 2010), where a former professor sought a list of names of students who attended faculty meetings in 2006-2007 (for use in a discrimination lawsuit). Id. at *11. The university argued that the names constituted “education records” that could not be disclosed under FERPA; the plaintiff responded merely that the names were relevant to his case. Id. The court held that the student names were not education records but did “qualify as directory information, which is subject to notice and time for objection” prior to disclosure. Id. at *12. Based on the dates involved (a February 2010 motion seeking names from 2006-2007), it is likely that the information related to former students. The court, however, did not indicate that these were former students, nor did it cite to or discuss section 99.37(a) or (b). For this reason, to the extent Alberts required that notice be given to former students, this Court does not find the holding persuasive.
B. Specific Student Identifiers
CSI argues that even if notice is not required prior to disclosing directory information associated with former students, it still must obtain student consent to disclose data that cannot be classified as directory information. CSI identifies six such categories: (1) student ID; (2) date of birth; (3) graduation credential; (4) non-Title IV tuition information; (5) dates of attendance; and (6) course of study.
1. Student IDs
FERPA provides that a student ID number may be considered directory information “if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a personal identification number (PIN), password or other factor known or possessed only by the authorized user.” 34 C.F.R. § 99.3. At a hearing on May 28, 2015, this Court determined from information provided by the parties that student ID numbers cannot be used to access education records without a password or PIN, meaning they constitute directory information. For the reasons discussed earlier, the fact that CSI chose not to designate student IDs as directory information until 2013, (Doc. 149, at 13), does not mean that former students must receive notice before CSI discloses their student IDs in this case.
2. Date of Birth
A student’s date of birth is expressly listed as an example of directory information. 34 C.F.R. § 99.3. CSI’s only basis for refusing to disclose date of birth is the fact that it has never designated date of birth as directory information. (Doc. 149, at 13). Once again, the Court does not find that argument persuasive. CSI also cites Richardson v. Board of Educ. of Huber Heights City Schools, No. 3:12-CV-00342, 2014 WL 8619228 (S.D. Ohio Mar. 11, 2014), for the proposition that “courts require that institutions redact date of birth before disclosing documents.” (Doc. 149, at 14). In Richardson, the court ordered the production of student disciplinary files in connection with a lawsuit seeking redress for a hazing incident, finding the documents relevant to the issues in the case. Id. at *1-2. The court also found, however, that personal identifiers, such as student ID numbers, dates of birth, addresses, and photographs had to be redacted prior to production. Id. at *3. Given that the Richardson court was addressing identifiers linked with disciplinary records, the case is not instructive as to whether date of birth, standing apart from any sensitive data, may constitute “directory information.” On the record presented, CSI may disclose the dates of birth of former students without giving them notice and an opportunity to opt out.
3. Graduation Credential
Relators want to know whether, at the time of enrollment, each particular student had a high school diploma or GED, or took and passed an Ability to Benefit (“ATB”) test administered by CSI (i.e., their “graduation credential”). CSI first objects, without supporting citation, that since it “maintains this information in students’ educational records, ” it is not “directory information” subject to disclosure. (Doc. 149, at 14). In the absence of any authority suggesting that information that otherwise qualifies as “directory information” loses that status if an educational institution decides to place the information in educational records, CSI’s argument in that regard is rejected.
CSI also contends that graduation credentials are not directory information in any event. It is true that the non-exhaustive list of directory information does not expressly include graduation credential, but Relators say the information is of the same type as “degrees, honors, and awards received; and the most recent educational agency or institution attended, ” all of which are expressly identified as directory information. (Doc. 146, at 12). The Court agrees that the phrase “degrees, honors and awards received” fairly encompasses whether a student received a high school diploma or its equivalency, a GED. The phrase is not, as CSI suggests, limited to degrees the student received from CSI. The diploma and GED data may be disclosed without prior notice to former students.
This Court is not persuaded, however, that information about whether a student passed an ATB test administered by CSI reasonably qualifies as directory information regarding a “graduation credential” (as Relators put it). This test is administered to students who do not have a diploma or GED in order for them to qualify to receive government financial aid awards. The definition of directory information does not include a list of standardized tests a student took – be it the SAT, ACT or ATB – and you would not expect to find such private information in a student directory. The Court recognizes that as a practical matter, process of elimination likely will allow Relators to determine which students took the ATB test in this case. Nevertheless, that information is not “directory information” and may not be disclosed absent student consent.
4. Non-Title IV Tuition Information
Relators also seek tuition payment information for students in the ESL program. The regulations do not include tuition payments as a type of directory information, but Relators claim that ESL tuition qualifies because it “is not of a confidential or sensitive nature and CSI does not treat it as such.” (Doc. 146, at 12). By way of example, Relators note that CSI “has a ‘net price calculator’ on its website where students can estimate tuition and fees and posts the fees for its ESL programs on its website.” (Id.) (citing CSI Tuition & Fees webpage, www.csinow.edu/esl/tuition-fees, last visited May 21, 2015). According to the webpage, tuition ranges from $3, 600 to $6, 000 per year, depending on the specific ESL program, plus quarterly book fees of between $90 and $150.
In the Court’s view, the fact that tuition rates for ESL programs are publicly available is insufficient to justify treating individual student tuition payments as directory information. Tuition payments are not the type of information that generally appears in a student directory, and disclosing individual financial data would be a clear invasion of privacy. CSI may not disclose ESL tuition payment information without first obtaining consent.
5. Dates of Attendance
As with date of birth, dates of attendance is expressly included as directory information and defined as follows: “the period of time during which a student attends or attended an educational agency or institution. Examples of dates of attendance include an academic year, a spring semester, or a first quarter.” 34 C.F.R. § 99.3. CSI may produce this attendance information without notice to former students. CSI’s argument that it cannot do so since it never designated dates of attendance as directory information is rejected for the reasons already stated. (Doc. 149, at 15).
Relators seek more than this, however, insisting that CSI also produce specific dates that each student was in class. As Relators explain, “CSI determines whether a student has started a program based on their attendance in the first five days, . . . and considers a student to have dropped out if not attending classes for more than 14 calendar days.” (Doc. 150, at 8 n.4) (citing CSI “Job Description: Admissions Representative, ” Doc. 150, Ex. E, at 73). The problem with Relators’ request is that pursuant to the FERPA regulations, the term dates of attendance “does not include specific daily records of a student’s attendance at an educational agency or institution.” 34 C.F.R. § 99.3. For this reason, CSI must obtain student consent before it produces daily attendance records.
6. Course of Study
Relators asked CSI to produce “courses” for each former student, prompting CSI to object that directory information does not include data about the individual courses a student took while at CSI. Relators have now clarified that they “do not seek data on the individual courses that former students took” but instead want to know the students’ “course of study, ” meaning the type of program each student pursued at CSI (e.g., the Healthcare Program, the Network Career Program, etc.). (Doc. 146, at 11). With this limitation, the Court agrees that course of study falls within the definition of directory information. See 34 C.F.R. § 99.3 (defining directory information to include “major field of study.”). (See also Doc. 149, at 13 n.4) (confirming that CSI itself designated “program of study” as directory information from May through December 2011). CSI’s assertion that it may only produce the program/course of study information for students who attended CSI between May and December 2011 is without merit, as already explained.
For the reasons stated above, CSI’s objection that it cannot produce directory information relating to former students without first providing notice and an opportunity to opt out under FERPA is overruled. CSI’s objections that certain of the requested student identifiers do not constitute directory information are sustained in part and overruled in part.