April 22, 2026 — Today the AAUP sent the following letter to administrators at Stanford, Ohio State, and UC San Diego urging institutional leaders to prioritize student privacy and academic independence over federal intimidation.
Subject: Advisory on Institutional Response Department of Justice Civil Rights Division Investigations and Protection of Personally Identifiable Information
On behalf of the American Association of University Professors (AAUP), we write to raise significant concerns about the university’s anticipated response to recent investigations initiated by the U.S. Department of Justice Civil Rights Division (DOJ) regarding admissions practices at health professional schools. We also offer guidance for the university’s response.
We recognize the university’s obligation to respond in good faith to lawful federal investigations. At the same time, DOJ’s requests for information are not subpoenas, and they are not self enforcing. The university remains free to resist overbroad and unduly burdensome requests. And it has a duty to protect students, applicants, faculty, and staff—particularly their safety and privacy. That duty must remain paramount in any institutional response.
Requests that seek personally identifiable information (PII), or that enable individuals to be identified through indirect means, present serious and immediate risks. Disclosure of such information may expose students and applicants to targeting, harassment, or discrimination, and may deter participation in academic programs and research activities, as well as applications to the university. In professional school contexts, where cohorts are small and highly identifiable, even limited disclosures can readily reveal individual identities. For these reasons, the university must approach any request for sensitive information with heightened scrutiny and limit compliance to what is strictly necessary and legally required.
As we detail below, neither Title VI of the Civil Rights Act of 1964 nor applicable civil rights statutes enforced by the DOJ require institutions of higher education to disclose personally identifiable information of applicants, students, faculty, or staff in order for the government to assess compliance with federal civil rights law. While DOJ investigations may fall within certain exceptions under the Family Educational Rights and Privacy Act (FERPA), those exceptions are not categorical and do not eliminate the university’s independent obligation to limit disclosure to information that is relevant, necessary, and narrowly tailored to the agency’s lawful purpose.
Much of the information reportedly sought—including applicant-level data such as test scores, geographic indicators, and familial or donor affiliations, as well as internal institutional communications—is not necessary to evaluate whether an institution has engaged in unlawful discrimination and is therefore of questionable relevance to a lawful investigation. Moreover, disclosure of such information, particularly where it enables identification of individuals, raises substantial privacy and safety concerns and may chill participation in admissions processes and academic life. Thus, in addition to statutory limitations, such disclosures may implicate First Amendment protections as well as applicable state law obligations.
1. DOJ Authority, FERPA Considerations, and Limits on Investigatory Scope
It is essential to distinguish between the existence of DOJ’s enforcement authority and the limits on how that authority may be exercised. DOJ enforces Title VI of the Civil Rights Act of 1964 and other federal civil rights statutes and may investigate whether recipients of federal funding have engaged in unlawful discrimination.
Although DOJ may seek information relevant to its investigations, that authority is not unlimited. Title VI gives DOJ authority to investigate institutional policies and practices; it does not provide a general mandate to review individual admissions decisions absent a specific evidentiary basis. Courts have recognized that students possess protected privacy interests in personal information maintained by educational institutions, and that improper disclosure may give rise to legal claims grounded in privacy and confidentiality principles.1
In addition, disclosure of internal evaluative materials—such as admissions deliberations, scoring methodologies, or committee discussions—would undermine the integrity and candor of institutional processes. Courts have long recognized the importance of protecting confidential, predecisional, and evaluative communications in order to preserve candid institutional decision-making.2 In the absence of a clearly articulated need for these sorts of communications, a university should not simply turn them over to an agency in response to a non-self-enforcing request.
Broad or categorical requests for personally identifiable information or internal evaluative materials are unlikely to satisfy relevance requirements where aggregate, de-identified, or non-deliberative data would suffice. Institutions are not required to comply with requests that are overly broad, insufficiently tailored, or that seek information not demonstrably necessary to the investigation.
2. Risks of Re-identification and the Primacy of De-identification
FERPA generally prohibits disclosure of personally identifiable information from student education records without consent, subject to limited and narrowly construed exceptions.3 Compliance with a federal investigation does not create a blanket exemption from these requirements; any disclosure must be justified under a specific exception and limited to the minimum necessary information. Overbroad disclosure may therefore constitute an independent violation of federal law, in addition to potential conflicts with state privacy protections and institutional confidentiality commitments.
These legal constraints are especially significant given the substantial risk of re-identification in admissions data. Even where requests do not explicitly seek names or direct identifiers, datasets containing variables such as test scores, geographic indicators (including ZIP codes), and familial or donor affiliations can, when combined, make individuals readily identifiable. In addition to potential privacy violations, disclosure of such information may expose individuals to targeting or harassment, and may undermine trust in admissions processes and institutional governance. These risks are particularly acute in medical and graduate education contexts, where applicant pools are relatively small and distinctive.
For these reasons, investigatory needs should ordinarily be satisfied through de-identified or aggregated data. As you know, agencies routinely accept anonymized datasets in which identifying information has been removed and any re-identification key is retained by the institution. Where identifiable data is requested, the university should require a specific, case-based justification demonstrating why de-identified information is insufficient. Absent such justification, anonymized or aggregated data should be presumed both sufficient and legally appropriate.
3. Misapplication of Supreme Court Precedent and Overbreadth of Requests
We further note that recent investigatory demands appear to rely, in part, on an expansive interpretation of the Supreme Court’s decision in Students for Fair Admissions, Inc. v. President & Fellows of Harvard Coll., 600 U.S. 181 (2023). While that decision imposes limitations on the consideration of race in admissions, it does not authorize sweeping governmental inquiries into institutional records or individual applicants absent a clear connection to unlawful discrimination.
The scope of information reportedly sought in these investigations—including, as listed above, multiple years of applicant-level data such as test scores, home ZIP codes, and familial relationships to alumni or donors, as well as internal communications regarding diversity, equity, and inclusion and correspondence with external entities—raises serious questions of relevance and proportionality. Much of this information is not inherently probative of unlawful admissions practices, particularly when requested in bulk and in identifiable or re-identifiable form.
Federal courts and legal scholars have widely interpreted Students for Fair Admissions as narrowly focused on specific admissions practices.4 Accordingly, requests premised on an expansive reading of that decision may exceed its scope. Institutions should independently assess whether each category of requested information is demonstrably necessary and decline or narrow requests that are not.
4. Constitutional Considerations
Requests that compel disclosure of personally identifiable information may also raise serious First Amendment concerns. Where disclosure facilitates the identification or targeting of individuals based on protected characteristics or associations, it may chill participation in academic life and infringe upon constitutionally protected freedoms.
Institutions that comply with overbroad or unjustified demands for identifying information risk becoming participants in conduct that burdens protected expression and association.
5. California-Specific Legal Protections and Institutional Obligations
For institutions operating in California, the legal obligations governing the protection of personally identifiable information are especially robust and must be considered independently of any federal investigatory demands.
Article I, Section 1 of the California Constitution expressly guarantees a right to privacy,5 which courts have interpreted as imposing affirmative duties on public and private institutions to safeguard personal information against unnecessary disclosure.6 California courts have also recognized that the improper disclosure of personal information may give rise to direct causes of action, including claims grounded in invasion of privacy and breach of confidentiality. As a result, the release of identifiable or re-identifiable admissions data—particularly in response to broad or insufficiently tailored requests—may expose the university to litigation risk under state law, in addition to any federal implications.
Conclusion
Protecting the safety and privacy of students, applicants, faculty, and staff is both a legal requirement and a core institutional responsibility. At the same time, these considerations implicate core principles long recognized by the American Association of University Professors, including academic freedom, institutional autonomy, and the integrity of faculty-driven decision-making. The AAUP’s 1940 Statement of Principles on Academic Freedom and Tenure and the 1966 Statement on Government of Colleges and Universities emphasize that academic judgments—such as admissions decisions and the evaluation of applicants—must remain grounded in professional expertise and free from undue external interference. The ability of universities to engage in candid, independent evaluation depends on maintaining the confidentiality of internal deliberations and protecting against pressures that could compromise the integrity of those processes.
In light of these considerations, and consistent with AAUP principles, we request that the university should approach all information requests with a disciplined and narrowly tailored framework that preserves both legal compliance and academic independence. Requests should be carefully evaluated to ensure that they are supported by a clear statement of relevance and legal authority, and that they fall within the requesting agency’s jurisdiction. Disclosures, where appropriate, should be limited to the minimum information necessary, with a strong preference for de-identified or aggregated data. The university should also maintain thorough documentation of its determinations regarding scope and disclosure, and should decline or seek modification of requests that are overly broad, insufficiently justified, or inconsistent with its obligations to protect privacy, confidentiality, and the integrity of academic decision-making.
We would welcome the opportunity to consult further as the university develops its response strategy.
Sincerely,
Veena Dubal, J.D., Ph.D.
General Counsel, AAUP National