Q. Can we require psychologists on contract with the University to give us information on who they are seeing and how often? We need this information in order to determine how much money to reimburse them, and currently we are just taking them on their word.
A. I don't think there's anything in FERPA that would prohibit you from imposing that requirement or them from disclosing that information to you, but you'd also need to check your state medical confidentiality laws, which would also apply and may point to a different answer.
Q. Employment records disclosure; you mentioned if they are students first and employees second. Can you elaborate on how the Office of Human Resources should maintain student's employment records as it pertains to FERPA and proper disclosure.
A. If the employment of the student is conditioned upon the person's status as a student (e.g. work study) then the disclosure of the employment records of that student can only be to those school officials with a legitimate educational interest. The HR office needs to maintain the records (whether in paper or online) in such a way as to not disclose them to those without a legitimate educational interest. However, payroll and other departments that would have access to the student employee's record by virtue of their position and the task being performed, would fall into the category of a school official with a legitimate educational interest.
Q. May a career counselor have access to a student database that contains records on students other than the students to whom the counselor is providing guidance?
A. You may, consistent with FERPA, be able to permit access to the entire database for the counselor, provided that he/she is instructed not to access records of any student other than those who have given consent.
FERPA prohibits an institutional policy of "releasing" information, which does not necessarily include mere accessibility. Under FERPA, an official of an institution who has access to all student records (such as the Registrar) does not have the right to browse records that he/she has no job-related reason to view. It is the actual perusal of the record, not simply the ability to access it, that triggers FERPA. Obviously, there are concerns whenever any person has the potential to see records that he/she should not be looking at, but some level of trust has to exist in any system of confidential recordkeeping. The open question at this time is whether or not a computer information system must track access by those at the school with a legitimate educational interest.
Q. What is a "legitimate educational interest"?
A. A school official has a legitimate educational interest if the official is performing a task that is specified in his or her position description or contract agreement, performing a task related to a student's education or to discipline of a student, providing a service or benefit related to the student or student's family, or maintaining the safety and security of campus. An example would be an academic advisor to a student reviewing the student's record on what courses have been completed. This is related to the task of advising the student. The advisor would not be authorized to view records that are not relevant to the task at hand.
Q If the Vice President for Student Life asks me for a copy of a student's transcript, do I need to ask her why she needs the records, or can I presume a legitimate educational interest?
A Not everyone who asks for a record needs to be asked why they want it. The law requires that we assure that employees who access records have a legitimate educational interest in doing so. For administrators like the Provost, vice provosts, deans, assistant and associate deans, vice president for Student Life, you may presume that they can access student records within their province (e.g., all students for the Provost, all students in their schools for a dean) and that they are doing so with a legitimate educational interest. If a dean asked to see the record of a student outside of her school, you should ask why (and presumably she might say, "because the student has applied to transfer into my program"). Assume they have a legitimate educational interest until you have some information that causes you to think they might not. Even though everyone is supposed to have been trained on FERPA, it wouldn't hurt every once in awhile to ask them to assure you that they have a "legitimate educational interest," it reminds them of that requirement. Abuse, if it occurs at all, is probably most likely to occur with faculty who are not administrators, so push hardest to have departmental and deans office secretaries be asking that question of faculty.
Q. My computer grants me access to student records. Does this mean I am authorized to view all the available records and do not need to follow FERPA?
A. No. The confidentiality provisions of FERPA still apply, and a school official should only access a student's record if a legitimate educational interest exists with respect to that student, and only as to those portions necessary.
Q. When the phrase "dates of attendance" is used, does that mean the dates that a student has attended classes?
A. No, dates of attendance is defined as follows in the regulations: Dates of attendance. (a) The term means the period of time during which a student attends or attended an educational agency or institution. Examples of dates of attendance include an academic year, a spring semester, or a first quarter.
(b) The term does not include specific daily records of a student's attendance at an educational agency or institution. (34 CFR § 99.3)
Q. Many campuses now outsource small and large business systems, and an increasing number of systems supporting instruction. Many campuses are using the Shibboleth software (http://shibboleth.internet2.edu/) to
allow their community members to "authenticate locally" when accessing these applications. Shibboleth also allows a campus to release attribute information describing the browser user to the remote Service Provider. A campus can manage what information is released as a function of the specific SP being accessed, and a function of other attributes associated with the user. The Service Provider sites use this information to make access control decisions, and to personalize the use of the site. Recently, a growing number of SPs have appeared to support "collaborative work" -- a group of researchers (and students doing research) from multiple institutions working together on a shared problem. These sites want to know who the user is (via campus asserted attributes); just as importantly, the researchers WANT the campuses to assert this information so that their name is attached to their contributions. This is consistent with the culture and existing practice within the Higher Education/Research environment.
For students at US campuses, the Family Educational Rights and Privacy Act (FERPA) defines a legal framework governing how a campus can release information about individual students. A campus is required to identify a set of information as "directory information" (eg a student's name, local and home addresses, postal box, telephone number, electronic mail address, etc). A campus can publish and release directory information for a student unless a student elects to "opt out" of FERPA; in that case, the campus cannot release that student's directory information. Releasing directory information traditionally meant releasing information to a newspaper, or publishing this information (or a subset) in an online directory. Can this directory information as described above be released via Shibboleth to an outsourced Service Provider?
A. It is entirely legal for a campus to release to an outsourced Service Provider, via Shibboleth, any of the information it has classified as directory information, for any student who has not "opt'ed out". This information is already available via multiple means; Shibboleth is just a new mechanism for publishing this information. Using Shibboleth to publish this information is not materially different than publishing it via other means. Relevant FERPA provisions would be 99.3 "disclosure," 99.31(a)(11), and 99.37. While 99.33 generally limits the re-disclosure of student record information disclosed under various of the exceptions found in 99.31(a),99.33(c) specifically excludes those disclosures which are made under 99.31(a)(11).
(Answer courtesy of LeRoy Rooker, former director of FPCO and now Senior Fellow at AACRAO, in conjunction with and in respose to a question posed by Steven Carmody at Brown University.)
Q. We sometimes use photos of students in university publications. Can we add photographs and videos to the list of directory information, thus avoiding obtaining releases, at least for those who don't opt out of directory information?
A. This is a tricky issue. Adding still photographs and videos to the list of Directory Information, as suggested, is an approach to the FERPA privacy issue. But it does not address the other key legal issue: state laws (both statutory and common law) that make it unlawful to make use of names, portraits, and pictures of individuals "for advertising purposes or purposes of trade" without their written permission (or, in the case of minors, the permission of their parents or guardians).
What becomes centrally important here is the blurry line between "informational" and "promotional" in college and university websites and publications. If a photo is used for informational or news-reporting purposes (whether by a media outlet or by the college itself), the First Amendment trumps any state right of publicity. But if the publication is deemed to be for purposes of advertising or promotion, then a college would not necessarily be viewed differently from a box of Wheaties, and written permission may be necessary.
Every state has its own body of case law on his issue -- and the applicable law in any instance could potentially be that of the state of the student's permanent residence, rather than that of the college. The law is likely to be very fact-specific and is not entirely predictable. From a practical standpoint, therefore, any policy may involve risk-benefit tradeoffs. A general statement in the student handbook may suffice for crowd photos, even if they contain recognizable faces. But if you end up highlighting individual faces in publicity materials, the most prudent course may be to get specific written consent.
Answer courtesy of Zick Rubin, The Law Office of Zick Rubin (Zrubin@zickrubin.com).
Q.FERPA guidelines indicate that enrollment status is considered directory information. Is this true for admission status as well? · FERPA guidelines indicate that parents of college students do not have automatic access to their children's records, even if the child is still a minor. How should we respond when parents contact our office to inquire about the status of their child's application for admission? · Does a student who has been denied admission have a right to view their admission file? · We frequently receive requests from businesses outside of the university for the names and addresses of the new students who will be entering in the fall. Our response has been that this information is not public directory information until the students actually begin their class work, and they should direct their request for such lists to the Registrar's Office after fall classes have begun. Is this appropriate?
A. An applicant to a school is not yet a student under FERPA. There is no statutory right for a student to know his/her admission status until the school is ready to disclose that information. The same logic applies to a parent's request for information on admission. Even once the applicant matriculates, in the postsecondary setting, a parent does not have a right to information about the student. The school can simply follow school policy on what you wish to disclose, but FERPA does not dictate this. Admission status (as you seem to use the term) would not be directory information. It is not really part of FERPA, in this sense that prior to *attendance* FERPA does not come into play. Your response to outside businesses sounds just fine.
Q. Is directory information public information that can be released to a reporter?
A. Just because the institution has identified data as directory information does not mean it should be released to a reporter. This would be a policy decision, and there may be a wide variety of reasons not to release student information, even if directory, to a reporter. Check with your supervisor or call the University Registrar or the Office of General Counsel before responding to an inquiry from a reporter.
Q. Why do you classify date and place of birth as directory?
A. Date of birth and place of birth may be classified as directory information under FERPA. However, a school is not required to include these identifiers as directory information, nor is the school required to disclose these pieces of information to a requester. What you choose to identify as directory information is up to the school, as long as it is listed in the regulation at 34 CFR 99.3. Some schools may choose not to include date and place of birth as directory information on the theory that this type of data may be useful to someone who wishes to engage in identity theft.
Q.Under the 'broken locket requests', if identifying a student for purposes of degree verification is not permitted by use of the SSN, what other identifier can be used to confirm degrees which are not otherwise protected as well?
A. Identifiers that can be used would be any directory information, name, date of birth, date of last attendance, and student ID number if you have identified this in your policy as directory information. (note student ID number can only be directory information if it cannot be used to gain access to education records except when used with one or more other factors to authenticate the user's identity.
Q. You listed dates of attendance as directory information. Does that mean years attended or specific days/dates a student attended a class?
A. Dates of Attendance is meant to refer to years attended, and not to specific days a student is in class, or class schedule, which would not be directory information.
Q Does FERPA require the release of directory information?
A FERPA does not require the release of directory information, but allows the university to designate certain information as information that may be released without seeking written permission of the student. Note that each student is given an opportunity at registration to check a form indicating that they do not want any directory information released. Thus, before releasing directory information on a student, record custodians need to check the computer database to see if a file is flagged for non-release of directory information when responding to requests for same.
Q I have received a request to release a list of all law students to a professional organization soliciting memberships and subscriptions. The organization promises not to release the list or sell it to any for-profit agencies. Can a list be released?
A As a legal matter, a list with directory information only, can be released except for the names of those students who have requested that not even directory information be released. To whom the university releases such lists is a policy question. It certainly seems reasonable to release a list to the non-profit professional association for a graduate discipline that wishes to use the list to advertise their organization to students in that discipline.
Q We have received a request from the NAACP for a printout of all CUA 4th year students who are African-America. May we comply with this request?
A No. Race is not considered directory information, and release of this information, even for a benign purpose, would violate the law (Brown v. City of Oneonta, 106 F. 3d 1125 (2nd Cir. (1997)).
Q What are the rights of alumni with respect to holds on directory information?
A The key here is when the request is made. If a student, within the specified time period during his or her last opportunity as a student in attendance, requests under section 99.37 that directory information not be disclosed (i.e., the request is made while the person is still enrolled as a student), the institution must honor that request until otherwise notified. Thus, the student's request for non-disclosure must be honored even once the student graduates. For example, if the alumni office wants to disclose some of the former student's "directory information," it may not do so. However, an institution is not required by FERPA to honor a request by a former student that directory information not be disclosed when that request is made after the person is no longer an enrolled student and is made in the person's status as an alumnus. Further, the directory information provision does not apply to former students who attended institutions prior to the passage of FERPA in 1974, because they could not have such a hold in place on their records (i.e., the right to have non-disclosure didn't exist at the time they were a student) (information in answering this question was obtained from a 1991 presentation by LeRoy S. Rooker and re-published in "The Family Educational Rights and Privacy Act: A Legal Compendium" edited by Steven J. McDonald and published by the National Association of College and University Attorneys). NOTE FOR CATHOLIC UNIVERSITY: by policy, we do allow former students to ask the registrar, in writing, to request non-disclosure of directory information.
Q The University was presented yesterday with a search warrant for college records of a
former student. We explained FERPA and the carve out of advanced notification under CFR 99.31 (a) (9)(I & ii)(A) & (B). We thought we would get an amended warrant with the magic language. Instead the County Attorney is calling and insisting that the search warrant trumps and is not a "court order" nor a subpoena and we must comply without prior notification to the student (who is in jail on serious charges). He points out that you can't quash a search warrant prior to the search. He says that he does not have in his arsenal any power to issue a subpoena for investigation and the search warrant is his only tool. How do we proceed?
A. Mr. Rooker contacted our office and agreed that in this situation with the search warrant, the suggested solution of giving the former student shortened notice (we notified the student in jail by fax on Wednesday that he has until this Friday at 8:30 am) would meet the requirements of notification. The justification for such a short (or shorter) time span is that the legal system does not provide for pre-search warrant relief (such as a motion to quash) - instead relief is found after the warrant has issued and been carried out.
Q Once the institution has complied with a subpoena for law enforcement purposes, where does the institution store the subpoena itself? Should the subpoena be kept in the student file (where the student could eventually see it) or should the subpoena be forever kept separate? Should the subpoena be kept separate for a period of time with eventual placement in the student file?
A All subpoenas at CUA are handled by the Office of the General Counsel and stored there, along with related documents (e.g., correspondence related to the subpoena). The subpoena should not be placed in the student's file.
Q How can an institution capture dependent status of a student without asking for copies of a parent's income tax returns?
A The school can simply ask the student at the time of registration or even application for an incoming freshman or for transfer students. A Family Policy Compliance Office opinion letter dated October 29, 1993 and addressed to Mr. Robert Bienstock, Associate General Counsel at the University of New Mexico states the following:
Additionally, nothing in FERPA would preclude a university from requiring students to identify their status at the time of registration or even application for incoming freshman and transfer students. If an institution elects to adopt such a requirement, we believe that students should be advised of the reason why they are asked about their tax status as dependents and suggest the following or a similar statement to students.
Under FERPA, the University may disclose to parents information from the education records of a student who is "dependent" under the Federal tax laws without the student's consent. Have you been claimed by your parents as a dependent for Federal tax purposes?
Q Does FERPA prevent the release of information that is not gleaned from the student's education record? For example, a resident assistant advises the Vice President for Student Life that a student has attempted suicide. Can the VP relay this information to the student's parents?
A This information did not come from the student's written education record and thus is not covered by FERPA. An independent analysis separate from the FERPA analysis must be conducted before relaying information about students that might be considered confidential or sensitive. Note also that an educational agency or institution may disclose personally identifiable information from an education record to appropriate parties in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.
Q If a parent calls me up on the phone to discuss how his child is doing in my class, should I ask them for a copy of their tax return before talking to them?
A FERPA, as noted above, does not prevent a general conversation about the student covering topics about which you have general knowledge. Two caveats, however. First, you should obtain enough information from the parent to verify that you are indeed talking to who you think you are talking to. You can always take a phone number and return the call if you need extra time to make this verification. Second, to the extent you are releasing information form the education record rather than from your personal knowledge, then you must verify the child is a dependent. Assistance on verifying dependency is available form the Registrar or the General Counsel. Note that release to the parents is always discretionary on the part of the institution, and no "right to access" exists for the parents of a dependent student at the postsecondary level.
Q Can an institution permit students and their parents to have electronic access to their school records by giving students and parents an access code consisting of the student's social security number plus a PIN which the institution initially establishes as the student's birth date? Students are advised that if they wish they can change the PIN so that only they (the students) have electronic access to their records.
A Automatic access for parents is not advised. If a parent sends or faxes the Registrar or General Counsel a copy of their most recent income tax return verifying that the student is a dependent, then the university may grant the parent access to the student's records. With respect to PIN numbers, the computer system at the university should generate a unique number for the student, and only the student should have access to that number. The University does not give out PINs over the phone, as it is too difficult to verify identity in this manner.
Q If high school students enroll in distance education courses through the university to obtain high school credit, are those students considered "eligible students" under FERPA such that their consent is required to release their grades and other records held by the university to parents and other requestors? Is the fact that they are receiving high school credit (as opposed to college credit) relevant?
A Regardless of the age of the student, the fact of enrollment in higher education is what determines what rules apply. Parents of the minor aged students who enroll with a college (either for college or high school credit) do not have automatic access to the student records as they do in the Elementary and Secondary years. The higher education institution needs to have students sign release forms allowing the parent to be advised of grades or show proof of dependency (tax).
Q If the student does not agree with the accuracy of the records, does the student have any recourse?
A The student needs to make a request to the appropriate official at the school to amend the records. If that request is denied, then the student is afforded a hearing under FERPA to challenge what he or she believes is a violation of his or her privacy rights, or to ask for a correction of an inaccurate or misleading record. The challenge may only be made to the correctness of the grade, and not the appropriateness of a grade. In other words, FERPA does not provide a cause of action or right to a hearing with respect to grades unless the basis for the challenge is ministerial error.
Q. Is there a problem under FERPA with outsourcing the provision of email accounts for students to Google? What about faculty and staff email, would this be any different?
A. Generally messages sitting in student accounts are not education records and thus there are not significant issues with outsourcing student e-mail through Google or another provider, beyond dealing with directory information opt outs.
Messages in faculty and staff accounts that are either a) from or to students, or b) contain personally identifiable information about students or are otherwise about students are education records. An outside entity to which you outsource faculty-staff email cannot use the portion of the email that constitutes education records for any purpose other than the purpose for which it was outsourced (i.e. to run your email system) which does not include anything that is done *for the benefit* of the outside entity, rather than for your benefit or on your behalf.
Data mining would fall within this prohibition, even if the focus of the data mining is on the account holder (a non-student) rather than the subject of those messages or the person at the other end of those messages (i.e. the student whose involvement makes them education records). This data mining would still constitute an improper use of the education records for *other purposes*.
The only way to disclose education records to an email vendor would be under the *school official* exception. It is not critical that the contract specifically designate the vendor as a school official or expressly reference 34 CFR 99.31 and 99.33. However it is critical that the contract make clear in some way that the vendor is under the school's direct control with respect to the use and maintenance of records and that it is subject to the limitations on both redisclosure and use.
Q. Google's general contract for outsourcing email to them requires that Google be able to advertise to the students through the "gmail" address. They are not re-disclosing but this would seem to be "another purpose" and prohibited. Is that correct?
A. Outsourcing student email is not likely to result in a violation of FERPA in the situation you describe. Student e-mail (that is, e-mail messages residing in student accounts) is not, in my view, "maintained" by the institution. It's student property, and our only real connection to it is that we have provided a space (a server) on which students are free to leave that property or not, as they deem fit. If that's enough to qualify as "maintained," then I think we have to take down all of the bulletin boards on which students post personally identifiable information, because it's really the same thing, and I just don't think that can be the case. Also, note that Google's contract actually provides that Google will *not* serve ads to students (though it's not clear whether it is engaged in data mining).
Q. Is the institution required to notify the student in the event educational records are inappropriately or inadvertently accessed or compromised?
A.FERPA does not require an educational agency or institution to notify students that information from their education records was stolen or otherwise subject to an unauthorized release, although it does require the agency or institution to maintain a record of each disclosure. 34 CFR 99.32(a)(1). (However, student notification may be required in these circumstances for postsecondary institutions under the Federal Trade Commission's Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information (``Safeguards Rule'') in 16 CFR part 314.) In any case, direct student notification may be advisable if the compromised data includes student SSNs and other identifying information that could lead to identity theft.
Q. Is a digital signature acceptable on FERPA consent to disclose forms?
A.Written consent may consist of a digital signature where the signature (1) Identifies and authenticates a particular person as the source of the electronic consent; and (2) Indicates such person's approval of the information contained in the electronic consent. See 34 CFR 99.30.
Q.Does a photograph of a face constitute a biometric record?
A. No, I do not think a photograph would be a biometric records, as it cannot be used for automated recognition of an individual. Biometric record, as used in the definition of personally identifiable information, means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting.
I think that's probably right today, but technology may change that over time, as computers get better at recognizing people from surveillance photos, presumably on the basis of "facial characteristics," which is one of the items listed in the definition.
Q.Can you describe how FERPA applies where individual faculty or staff members forward their school e-mail to an outside e-mail service (e.g. g-mail)
A. There's no clear answer to this one. In some ways, it's no different from the institution outsourcing its entire e-mail system to an e-mail provider, which raises all of the outsourcing requirements. In other ways, however, it's no different from when a faculty or staff member logs in to your system through his or her personal home ISP. In both cases, messages containing personally identifiable student information are flowing through parts of the Internet that you don't control. I hope that FERPA doesn't mean we can't do that, because then the only alternatives would be to stop it altogether or to encrypt everything (which would be quite cumbersome). It's also not really any different from when you send grade reports to students by paper mail, which I also hope continues to be a legal practice
Q. How do lost and found items such as notebooks, wallets, and PDAs fall under FERPA laws as they are "maintained" by various offices on campus?
A. Something is an education record if it is directly related to the student and maintained by the educational agency or institution. I tend not to think of lost and found items as being education records maintained by the institution.
Q. Can a school make the decision to allow access for all faculty and staff to include all student data - not just advisees and/or student in their classes - for the purposes of advising transfers from major to major within the school?
A. Here is the guidance from the preamble to the regulations on this point: "We believe that the standard of ``reasonable methods'' is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs. In order to establish a system driven by physical or technological access controls, a school would generally first determine when a school official has a legitimate educational interest in education records and then determine which physical or technological access controls are necessary to ensure that the official can access only those records." In short, the regulations don't tell the school it cannot set the system up in the manner you describe. You might need to combine this broad access with mandatory FERPA training for all staff.
Q. Please clarify an issue related to student authentication. Would it be acceptable/advisable or ill-advised to continue a process which uses a student ID (not SSN) and a student's DOB as a default PIN/password. Upon initial access, student must change PIN/Password.
A. Assuming the student ID number is not published and known to the broader community, and in light of the fact that the student is required (I am assuming by a system trigger) to change the password once he/she logs on, I think this would be reasonable.
Q. Can a student have their photo removed from the student information system?
A. The student would have to use the Challenge Hearing section of the FERPA policy.
Q We have received a subpoena where the requesting party is seeking to obtain all correspondence sent from a student's AOL account over the school's network. Is the correspondence an education record protected by FERPA?
A If you have copies of that e-mail correspondence in your possession (which is not clear from your inquiry, though it seems there is a good chance that you do not) and it is personally identifiable to the student (which, given the specificity of the request, it would seem to be regardless of whether it contains any such information on its face; simply turning it over will identify whose correspondence it is), then it meets the definition of "education records" and is subject to FERPA and its requirement that you give the student advance notice of compliance. There is no additional requirement that the correspondence be "educational". Answer courtesy of Steven McDonald, General Counsel, Rhode Island School of Design.
Q Can a student provide a FERPA waiver to release records via email?
A The general consensus is that a simple email would not suffice under FERPA as written consent for the release of education records. See the final guidance on electronic signatures issued by the Family Policy Compliance Office in April 2004. See also the Paper by CUA Assistant General Counsel Margaret O'Donnell on this topic for an in depth discussion of the issue..
Q Do FERPA restrictions apply to foreign nationals who are taking e-courses from a University while residing in their home country? We have requests from foreign governments and/or corporations who are paying for their employees to take such courses, and would like the University to provide information on grades/progress.
A Nothing in FERPA draws distinctions based on the location of the student. If the student is in attendance or has been in attendance at the institution ("attendance" not having a physical presence component), he/she is covered. Let these employers know that they may require employees to sign a privacy release for educational records as a condition for employer payment for the courses. FERPA does not permit educational institutions to require students to waive their rights as a condition of attendance, but it does not apply to employers who wish to impose such a requirement.
Q Our Student Records Office is contemplating allowing students/alumni to order and pay for transcripts over the web so long as the name on the credit card is the same as the name on the transcript (or there is a change of name form completed in the file for individuals who have gotten married or divorced or otherwise changed their name since attending the university). Currently, transcripts can be ordered in person or by mail, but a signature is required. Is anyone currently allowing ordering of transcripts with electronic payment, or considering it, and are there any thoughts on FERPA implications?
A This use of technology is compliant with FERPA if the transcript is being sent to the student and not to a third party. Current FPCO interpretation of FERPA is that in order to send information to a third party, a student signature is required. This can be a digital signature if the school has a process in place for digital signatures as required by the regulations. Note that if the transcript is to another school the student seeks to enroll in, then there is an exception in the regulations at 34 CFR 99.31(a) (2) that would allow the system described above. The university should have system in place to make sure person ordering the transcript is actually the student.
Q Can a PIN be used by a student to authorize release of a transcript to a third party?
A Over the years the Department of Education has received numerous inquiries as to whether some form of electronic consent and signature, including email, satisfies FERPA's written consent requirement. Final regulations effective May 21, 2004 were issued by the Department of Education. The regulations are technology neutral and offer guidance on when schools may accept electronic signatures from students for release of education records to third parties. The DOE plans to issue further guidance that will include examples of what might be an acceptable process under the regulations.
The final regulations adopted by the Department of Education on electronic signatures provide as follows:
Sec. 99.30 Under what conditions is prior consent required to
* * * * *
(d) "Signed and dated written consent'' under this part may include a record and signature in electronic form that--
(1) Identifies and authenticates a particular person as the source of the electronic consent; and
(2) Indicates such person's approval of the information contained in the electronic consent.
Note that the written consent requirements in § 99.30 do not apply, however, when eligible students obtain access to their own records. Indeed, when an institution is authorized to disclose information from education records without a signed and dated written consent, including disclosures to eligible students under § 99.31(a)(12), FERPA does not specify or restrict the method of disclosure. See 34 CFR § 99.31. In addition, the guidance below from the Department of Education would still be considered applicable to the safeguards that should apply when PINs are used to disclose information to students:
Institutions and agencies have long been required to establish and monitor reasonable and appropriate physical, technical, and administrative safeguards to protect against the unauthorized access to or disclosure of information from education records and to maintain the integrity of information in those records. FERPA does not mandate any specific method, such as encryption technology, for achieving these standards with electronic storage and disclosure of information from education records. However, reasonable and appropriate steps consistent with current technological developments should be used to control access to and safeguard the integrity of education records in electronic data storage and transmission, including the use of e-mail, Web sites, and other Internet protocols.
This Office has advised previously that an institution may use a PIN combined with the student identification number to authorize disclosure of information from education records directly to the eligible student, but only so long as the institution allows only the eligible student to have access to the PIN. If the institution allows anyone else, including administrative staff, to have access to a student's PIN, there can be no assurance that the disclosure will be made only to an authorized party as required under FERPA. Regardless of the methods an institution uses to allow students to obtain access to their records, the primary consideration is whether there is reasonable assurance that the information is accessible only to the student.
The integrity and security of data storage and transmission are essential to ensure that information is disclosed only to those who are authorized to receive it. In this regard, institutions are responsible for ensuring that the policies or practices they employ are in compliance with FERPA. (Click here for full letter)
Q Campus Programs has a message they want to send out to all students, and they ask the Systems Administrator to provide e-mail addresses for all students. What precautions should be taken in this instance to make sure there is FERPA compliance?
A If the list message is to reach all students, the person sending out the list should be reminded about the provisions in FERPA and university policy for placing a hold on directory information, which may include e-mail addresses if e-mail addresses are identified as directory information under the university student records policy. If e-mail is directory information, it does not matter if the e-mail addresses of the student recipients appear on the list along with the message as long as no student on the list requested a hold on such directory information. If the e-mails are not identified in the policy as directory information, the e-mail address may be considered personally identifiable information that is not subject to release without written permission from the student. If there is confidential information in an email going to more than one party, consider an alternative to an email, such as listserv distribution, or at least make sure that the distributor of the information understands how to use the blind cc field, so that an inadvertent disclosure of education record information does not occur.
Q The Assistant Dean of the Law School wants to post live streaming video of the Atrium of the Law School on the Law School's web site. Students routinely spend time hanging out in the Atrium. Is there a FERPA privacy issue here?
A As long as the School is not maintaining a record of this video, it would not be an education record under FERPA. Common law privacy principles or state privacy law might apply, and the best approach would be to give all Law School students (or others who might utilize the Atrium) notice of the practice of streaming this video on the web.
Q. What is the interaction if any of FERPA with various breach notification requirements?
A. FERPA and state breach-notification laws address different sets of information that may or may not overlap. FERPA protects "education records," a term that is quite broad (though nuanced) and includes almost all records colleges and universities maintain about their students, whether related to academics or not. State
breach-notification laws typically cover a narrower scope of information (often name in conjunction with social security, credit card, and/or driver license number) for a broader range of individuals (usually all state residents), but these vary by state. To our knowledge, no state breach-notification law explicitly cross-references FERPA or incorporates the concept of "education records," but some "education records" nevertheless may be covered by state breach-notification laws (for example, a list containing student names and social security numbers). Moreover, both FERPA and state breach-notification laws have exceptions (in the case of FERPA, the category called "directory information," which may be released publicly without consent) and sometimes exceptions to the exceptions (in the case of FERPA, the "opt out" provision for directory information). Whether a particular breach implicates FERPA, state law, or both will thus depend on exactly what data was released and how.
FERPA is not a breach-notification law and imposes no affirmative notification requirement. FERPA does, however, require that the institution maintain a record of each unauthorized disclosure, and this record must be available to students exercising their right, granted by FERPA, to examine their files. And if information that is
breached is covered by both FERPA and a state breach-notification law, the fact that there is no notification obligation under FERPA does not exempt the institution from complying with the state breach-notification law.
Regardless of whether an unauthorized release of information requires notification, the institution should conduct a review to determine why the incident occurred and to address any technical or procedural deficiencies that emerge.
In addition to FERPA and state breach-notification laws, unauthorized release of information may implicate other federal and state laws and regulations (such as Gramm-Leach-Bliley or HIPAA), especially if social security numbers are part of the release.
Legal requirements, whether based on FERPA or on state breach-notification laws (or, perhaps eventually, a federal breach-notification law), are only one consideration in determining whether to notify, who to notify, and how. Even if notification is not a legal requirement, your institution may decide for reasons of public relations, policy, or ethics that notification is an appropriate response.
Answer courtesy of Steve Worona, Independent Speaker, Consultant, and Steven J. McDonald, General Counsel, Rhode Island School of Design
Links checked and updated July 6th, 2010, FJL.