FCPS Lawyer John Foster Argues Against Making Parents Aware of Recent Unauthorized Disclosure of Student Records
This is a follow-up to the March 5, 2025, article “Another Year, Another Breach: Fairfax County Public Schools Fails—Again—to Secure Student Educational Records”.
As shared in the March 5, 2025, article, Fairfax County Public Schools (FCPS) mistakenly shared unredacted records of several students with a parent and the Virginia Department of Education’s (VDOE) Office of Dispute Resolution and Administrative Services (ODRAS).
Additional information:
Why did over three months pass between the unauthorized disclosure and the notifications to those impacted?
Instead of notifying the families and/or students impacted—as required by VDOE—FCPS chose to appeal VDOE’s decision and argue against notifying those impacted, because no parent looked at the records it disclosed. That’s not how the law works—and it’s not how families should be treated. In addition, FCPS Lawyer John Foster, whose name is on the appeal, stated:
“Human error, especially in a division the size of FCPS servicing hundreds of thousands of students, is unfortunately inevitable.”
Let that sink in.
A school district with nearly a decade of documented mishandling of confidential student records now states such “human errors” are inevitable.
Under FCPS’ reasoning, it would be acceptable for hospitals managing hundreds of thousands of confidential records to disclose them—as would it be for any of a number of federal agencies managing sensitive information—for nearly a decade.
And yet . . .
That’s not the case.
Somehow hospitals and agencies with more individuals manage to maintain records without all the “human mistakes” of FCPS.
FCPS’s argument stretches the law to avoid accountability—not to protect student rights or uphold transparency.
If FCPS can’t secure student records after nearly a decade of noncompliance, then one must ask: Who is being protected? Students or FCPS?
FCPS Argument: No Parent Accessed the Records, thus no FERPA Violation Occurred.
FCPS states:
“Although student records were inappropriately made accessible to Parent and ODRAS, to FCPS’ knowledge only ODRAS employees accessed the records. . . . It is FCPS’ position that because no student records were ever accessed by an unauthorized party without parental consent, no violation of FERPA or 8 VAC 20-81-170.G occurred.”
Reality:
FERPA does not require proof of access or misuse to trigger the need for corrective action, including parent notification. If a school knows or reasonably believes that PII from student records was disclosed without consent, it must address it. The unauthorized disclosure—not the actual access—is the trigger for a potential FERPA violation.
§ 99.2 states:
The purpose of this part is to set out requirements for the protection of privacy of parents and students under section 444 of the General Education Provisions Act, as amended.
FERPA defines disclosure broadly. Even if someone doesn’t read a student’s file, simply making it available without proper consent can be a violation.
§ 99.3 states:
Disclosure means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written, or electronic means, to any party except the party identified as the party that provided or created the record.
FCPS Argument: Disclosure to ODRAS is Not a FERPA Violation
FCPS argues:
“Disclosure of student records to ODRAS is not a FERPA violation.”
Reality:
§ 99.31(a)(3)(iii) and (iv) state:
“An educational agency or institution may disclose personally identifiable information from an education record of a student without the consent required by § 99.30 if the disclosure meets one or more of the following conditions: The disclosure is, subject to the requirements of § 99.35, to authorized representatives of (iii) The Secretary; or (iv) State and local educational authorities.”
§ 99.35 provides the conditions under which information can be disclosed to VDOE.
Disclosure to VDOE may be allowed under 34 C.F.R. § 99.31(a)(3)(iii)—but only when:
“Authorized representatives of the officials or agencies headed by officials listed in § 99.31(a)(3) may have access to education records in connection with an audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs.”
In addition, under IDEA, schools must protect the confidentiality of PII at collection, storage, disclosure, and destruction stages.
34 C.F.R. § 300.623 states:
(a) Each participating agency must protect the confidentiality of personally identifiable information at collection, storage, disclosure, and destruction stages.
(b) One official at each participating agency must assume responsibility for ensuring the confidentiality of any personally identifiable information.
(c) All persons collecting or using personally identifiable information must receive training or instruction regarding the State’s policies and procedures under §300.123 and 34 CFR part 99.
(d) Each participating agency must maintain, for public inspection, a current listing of the names and positions of those employees within the agency who may have access to personally identifiable information.
FCPS’s disclosure of unredacted student information—without prior consent for disclosure—was not “in connection with an audit or evaluation of Federal of State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs.”
The fact that VDOE instructed FCPS to notify families suggests VDOE determined the disclosure went beyond what is allowed under FERPA and/or IDEA.