FPCO Letters from 2002 through June 2007
This page indexes and contains links to technical assistance letters issued by the Office of the Chief Privacy Officer. The letters were obtained by a Freedom of Information request made by the Office of General Counsel at the Catholic University of America.
The letters linked to are those we thought would be of interest to the postsecondary community. The summaries on this page were contributed by Avanti Kulkarni, student legal intern. (CUA Columbus School of Law, Spring 2008)
Letters marked with an asterisk may also be found on the Office of the Chief Privacy Officer webpage.
Disclosure to State and Local Educational Authorities
May 23, 2005 letter to University of Alaska* re: whether the University may disclose education records to the State's Legislative Audit Division without obtaining consent from the affected students under FERPA.
August 8, 2005 letter to New Hampshire Department of Education re: whether NHDOE, in conducting a formal investigation of educator misconduct, can receive the names, telephone numbers, and other records of students who were the alleged victims from school districts.
July 11, 2005 letter to Western Kentucky University* re: whether state universities can disclose "student-specific final grade information" to the Kentucky Council on Postsecondary Education without student consent under FERPA. Also, assuming the disclosure does not violate FERPA, whether further or subsequent disclosure of personally identifiable information to third parties without student consent would be prohibited under FERPA.
March 3, 2005 letter to The California State University re: whether disclosure of student's social security numbers by California State University and the University of California to the California Postsecondary Education Commission for a variety of undislcosed analyses and potential research would violate FERPA.
This guidance directed to California State University (CSU) addresses the question as to whether or not FERPA prohibits the release of personally identifiable information (in this case social security numbers) of students to the California Postsecondary Education Commission (CPEC). CPEC is a statewide coordinating and planning board responsible for coordinating public, independent and private postsecondary education in the State and for providing policy analyses and recommendations to the Legislature and Governor. CPEC had requested the data to comply with a state law that required them to track student progress as well as the performance of postsecondary institutions. CSU and the University of California had resisted release, claiming that FERPA prohibited such a release.
FPCO concluded that CPEC qualified as a state or local educational authority under 99.31(a)(3) of FERPA, and that the data in question could be released to CPEC. The guidance was written with the understanding that the information from education records would not be redisclosed. The practice of California State and the University of California in the past had been to provide CPEC only data with personal identifiers removed. See also the March 9, 2005 FPCO follow up letter which advises that the IHE may use any appropriate means (including written agreements) to ensure that the recipient will use the information only in accord with FERPA requirements.
Disclosure to Third Parties
August 15, 2005 letter to University of North Dakota* re: whether the University "may provide information obtained from school records regarding violation of Federal Aviation Regulations to the Federal Aviation Administration without a student's permission."
Nov. 13, 2007 Letter to The Catholic University of America on Turnitin. This letter clarifies that an institution would not violate FERPA if they asked students to obtain an originality report from Turnitin or a similar plagiarism prevention service before they turn their papers in to the instructor. In this instance, the documents (under Falvo) would not yet be education records.
January 6, 2006 letter to St. Thomas Aquinas College re: whether faculty members can use a web-based plagiarism prevention service (www.turnitin.com) that requires scanning papers (with the student's name) into a database, where they become the property of the prevention service.
July 5, 2006 letter to The University of Wisconsin-Madison re: steps to take after a former teaching assistant violated FERPA. (Disclosure to Third Parties and University responsible for acts of agents)
October 11, 2005 letter to the American Association of Collegiate Registrars and Admissions Officers re: whether AACRAO and the National Student Clearinghouse could supply the names, current addresses, and telephone numbers of evacuated students to their home institutions on the Gulf Coast, as part of its effort to assist educational institutions in the Gulf Coast that were adversely affected by Hurricane Katrina and their students were allowed to register for courses without going through the regualar admissions process at colleges and universities across the nation.
Disclosure to an outside Contractor:
Q. A public university's separate auxiliary service corporation has outsourced its bookstore operations to a private, for-profit company. The private company offers a "credit" service to students for use in the bookstore based upon the student's financial aid. Private company requires access to students' financial aid information in order to provide this service. Annual FERPA notice to students states that disclosure of student education records may be given without students' consent to "school officials" with "legitimate educational interests" including companies with whom university has contracts. University has contract with its auxiliary service corporation but not with the private company. Auxiliary service corporation has access to certain types of student financial aid information and wants to share it with the private company. Can the university allow the the auxiliary service corporation to share student financial aid information with the private company?
A: No. Below is the text of an informal opinion letter from FPCO (Ingrid Brault) to a NACUA member institution.
This is in response to your email below and our recent telephone conversation regarding this issue. You explained that there is an independent bookstore, unaffiliated with your university, that pays the university a franchise fee for renting space on the campus to sell books to students in attendance. Currently, when a student goes to the bookstore and gives the cashier his or her student ID number and SSN, the cashier can access the student's loan balance account that the university maintains on the student. As you can see in this letter available on our online library - , an educational agency or institution must have direct control over an outside party it uses to perform institutional services, such as a bookstore, and to whom it wishes to disclose personally identifiable information from the student education records. This allows the agency or institution not only to control which school officials can gain access to education records, but it also ensures that the information obtained by these school officials is protected in a manner required by FERPA. From our conversation, your institution has not met these requirements with respect to the on-campus bookstore. That means that the university cannot ensure that an employee of the bookstore doesn't further disclose the education records that he or she views once the student provides a SSN and student ID. Furthermore, the university would be out of compliance if a bookstore employee gained access to any student's SSN and ID independent of the student, and in turn, used that information to view the student's financial aid information.
In the situation you describe, the bookstore is not performing an institutional service on the university's behalf. Rather, it is renting space on campus to provide its own service to students, that while necessary and useful, is not being conducted as a contracted agent of the university. Thus, short of entering the bookstore into a contractual agreement to perform its service on behalf of the university, the university will need the prior written consent of the student to disclose his or her education records, i.e financial records, to the bookstore. The consent must be in writing and must indicate that by providing a SSN and ID to the bookstore, the student authorizes the university to disclose the student's financial aid information to the bookstore in order to determine whether there are available funds to cover some or all costs of the books. This consent cannot be required, but must be optional when the student buys books from the on-campus bookstore. The FERPA requirements outlined above would apply equally to the off campus bookstore.
Security Breach and Policy or Practice of Violating FERPA
May 15, 2006 letter to The City University of New York re: reasonable and appropriate steps to take after protect the education records it maintains after a security breach resulted in the unauthorized release of student information.
February 16, 2005 letter to Texas Higher Education Coordinating Board re: steps taken after a laptop computer was stolen from the Board's building that may have stored personal information on students.
Disclosure in connection with Financial Aid
May 26, 2006 letter to Louisiana Student Financial Assistance Commission re: whether FERPA permits postsecondary institutions in Louisiana to disclose to the Commission enrollment and academic data about financial aid students.
Disclosure to a contractor for the university and conditions that apply
October 26, 2006 letter to Community College of Allegheny County re: whether disclosure of social security numbers by the College to alumni search agencies is permissible under FERPA.
Definition of Educational Agency
January 23, 2007 letter to the Minnesota Office of Higher Education re: whether the Minnesota Office of Higher Education is an "educational agency or institution" under FERPA.
April 11, 2005 letter to New Mexico Public Education Department The Navajo Nation's "Division of Dine Education" or DDE, is a tribal authority, does not have students in attendance, and does not recieve Federal educational funds, and thus is not an "educational agency or institution" under FERPA.
Records prior to adoption of FERPA
January 31, 2007 letter to Webber, Gaumer & Emanuel, P.C. re: whether historical records are "education records" under FERPA and whether educational or historical research falls within one of the FERPA exceptions to the written consent requirements.
Open Records Request and Disclosure to OAG
July 25, 2006 letter Office of the Texas Attorney General*, Open Records Division re: whether FERPA would permit a school district to disclose education records in unredacted form to the OAG for the purpose of making a determination on a complaint filed under the Texas Public Information Act.
Users Names and Passwords and Account ID Numbers and Non-Disclosure to Third Parties
July 13, 2006 letter to University of Medicine & Dentistry of New Jersey re: where the University has a joint degree program with another college, can the University require students to provide their username and password at the other college so that the University can quickly determine whether a student has met the joint degree requirements.
The query posed by U.Wisconsin River Falls to the U.S. Department of Education was whether or not a student account ID number (which is not the social security number) can be disclosed as directory information under FERPA. The FPCO had previously advised that such a number could not be disclosed as directory information. Given this past advice, web architects were faced with a quandry, as campus portals and single sign-on approaches to information systems, as well as electronic communication systems, required publication of the personal identifier used by students to access the system. In addition, may institutions use directory-based software and protocols for electronic collaboration by students and teachers, both within and among institutions, that require some form of public dissemination of a unique personal identifier.
Recognizing this problem, the FPCO, after reviewing in depth the fact situation at U.W. River Falls, stated as follows:
We believe that FERPA allows an institution to designate and disclose as "directory information" a unique personal identifier, such as a student's user or account logon ID (or an email address used as a logon ID), as long as the identifier cannot be used, standing alone, by unauthorized individuals to gain access to non-directory information from education records.>>>>>Conversely, if an institution allows a student to use a personal identifier to obtain access to education records without the use of a password or other factor to authenticate the student's identity (or if the identifier itself is also used to authenticate the student's identity), then that identifier may not be designated and disclosed as directory information under FERPA because it could result in the disclosure of protected information without meeting the written consent requirement.
Definition of eligible student
October 14, 2004 letter to National Accrediting Commission of Cosmetology Arts & Sciences re: whether, when NACCAS accredits postsecondary schools that may contract with a local high school or social services agency to train a group of vocational education students who still attend high school, these students are considered "eligible students" under FERPA even if they are under 18 years of age or wards of the court. Is written consent required to provide information on their attendance and academic progress to the high school's program director?
Health or Safety Exception
November 29, 2004 letter to The University of New Mexico* re: whether a state law that mandates that communicable diseases be reported "immediately" to the State Office of Epidemiology conflicts with FERPA for operation of the University's Student Health Center, which provides medical services to students.
Disclosure from Personal Knowledge v. Disclosure from the Education Record
February 11, 2005 letter to the University of Colorado at Boulder re: whether a state law that requires the University to report suspected crimes to law enforcement authorities is in conflict with FERPA.
links updated 6/26/08 rab