The Catholic University of America

 

Legitimate Educational Interest

Q. Can we require psychologists on contract with the University to give us information on who they are seeing and how often? We need this information in order to determine how much money to reimburse them, and currently we are just taking them on their word.

A. I don't think there's anything in FERPA that would prohibit you from imposing that requirement or them from disclosing that information to you, but you'd also need to check your state medical confidentiality laws, which would also apply and may point to a different answer. 

Q. Employment records disclosure; you mentioned if they are students first and employees second. Can you elaborate on how the Office of Human Resources should maintain student's employment records as it pertains to FERPA and proper disclosure.

A. If the employment of the student is conditioned upon the person's status as a student (e.g. work study) then the disclosure of the employment records of that student can only be to those school officials with a legitimate educational interest. The HR office needs to maintain the records (whether in paper or online) in such a way as to not disclose them to those without a legitimate educational interest. However, payroll and other departments that would have access to the student employee's record by virtue of their position and the task being performed, would fall into the category of a school official with a legitimate educational interest.

Q. May a career counselor have access to a student database that contains records on students other than the students to whom the counselor is providing guidance?

A. You may, consistent with FERPA, be able to permit access to the entire database for the counselor, provided that he/she is instructed not to access records of any student other than those who have given consent.

FERPA prohibits an institutional policy of "releasing" information, which does not necessarily include mere accessibility. Under FERPA, an official of an institution who has access to all student records (such as the Registrar) does not have the right to browse records that he/she has no job-related reason to view. It is the actual perusal of the record, not simply the ability to access it, that triggers FERPA. Obviously, there are concerns whenever any person has the potential to see records that he/she should not be looking at, but some level of trust has to exist in any system of confidential recordkeeping. The open question at this time is whether or not a computer information system must track access by those at the school with a legitimate educational interest.

Q. What is a "legitimate educational interest"?

A. A school official has a legitimate educational interest if the official is performing a task that is specified in his or her position description or contract agreement, performing a task related to a student's education or to discipline of a student, providing a service or benefit related to the student or student's family, or maintaining the safety and security of campus. An example would be an academic advisor to a student reviewing the student's record on what courses have been completed. This is related to the task of advising the student. The advisor would not be authorized to view records that are not relevant to the task at hand. 

Q If the Vice President for Student Life asks me for a copy of a student's transcript, do I need to ask her why she needs the records, or can I presume a legitimate educational interest? 

A Not everyone who asks for a record needs to be asked why they want it. The law requires that we assure that employees who access records have a legitimate educational interest in doing so. For administrators like the Provost, vice provosts, deans, assistant and associate deans, vice president for Student Life, you may presume that they can access student records within their province (e.g., all students for the Provost, all students in their schools for a dean) and that they are doing so with a legitimate educational interest. If a dean asked to see the record of a student outside of her school, you should ask why (and presumably she might say, "because the student has applied to transfer into my program"). Assume they have a legitimate educational interest until you have some information that causes you to think they might not. Even though everyone is supposed to have been trained on FERPA, it wouldn't hurt every once in awhile to ask them to assure you that they have a "legitimate educational interest," it reminds them of that requirement. Abuse, if it occurs at all, is probably most likely to occur with faculty who are not administrators, so push hardest to have departmental and deans office secretaries be asking that question of faculty.

Q. My computer grants me access to student records. Does this mean I am authorized to view all the available records and do not need to follow FERPA?

A. No. The confidentiality provisions of FERPA still apply, and a school official should only access a student's record if a legitimate educational interest exists with respect to that student, and only as to those portions necessary.

Directory Information

Q. When the phrase "dates of attendance" is used, does that mean the dates that a student has attended classes? 

A. No, dates of attendance is defined as follows in the regulations: Dates of attendance. (a) The term means the period of time during which a student attends or attended an educational agency or institution. Examples of dates of attendance include an academic year, a spring semester, or a first quarter.

(b) The term does not include specific daily records of a student's attendance at an educational agency or institution.  (34 CFR § 99.3)

Q. Many campuses now outsource small and large business systems, and an  increasing number of systems supporting instruction. Many campuses are  using the Shibboleth software (http://shibboleth.internet2.edu/) to
allow their community members to "authenticate locally" when accessing  these applications. Shibboleth also allows a campus to release  attribute information describing the browser user to the remote  Service Provider. A campus can manage what information is released as  a function of the specific SP being accessed, and a function of other  attributes associated with the user. The Service Provider sites use  this information to make access control decisions, and to personalize  the use of the site.
  Recently, a growing number of SPs have appeared to support  "collaborative work" -- a group of researchers (and students doing  research) from multiple institutions working together on a shared  problem. These sites want to know who the user is (via campus asserted  attributes); just as importantly, the researchers WANT the campuses to assert this information so that their name is attached to their  contributions. This is consistent with the culture and existing  practice within the Higher Education/Research environment.

For students at US campuses, the Family Educational Rights and Privacy Act (FERPA) defines a legal framework governing how a campus can  release information about individual students. A campus is required to  identify a set of information as "directory information" (eg a  student's name, local and home addresses, postal box, telephone  number, electronic mail address, etc). A campus can publish and  release directory information for a student unless a student elects to  "opt out" of FERPA; in that case, the campus cannot release that  student's directory information.  Releasing directory information traditionally meant releasing  information to a newspaper, or publishing this information (or a  subset) in an online directory. Can this directory information as described above be released via Shibboleth to an outsourced Service Provider?

A. It is entirely legal for  a campus to release to an outsourced Service Provider, via Shibboleth,  any of the information it has classified as directory information, for any student who has not "opt'ed out". This information is already available via multiple means; Shibboleth is just a new mechanism for publishing this information. Using Shibboleth to publish this information is not materially different than publishing it via other means. Relevant FERPA provisions would be 99.3 "disclosure," 99.31(a)(11), and 99.37.  While 99.33 generally limits the re-disclosure of student record information disclosed under various of the exceptions found in 99.31(a),99.33(c) specifically excludes those disclosures which are made under 99.31(a)(11).

(Answer courtesy of LeRoy Rooker, former director of FPCO and now Senior Fellow at AACRAO, in conjunction with and in respose to a question posed by Steven Carmody at Brown University.)

Q. We sometimes use photos of students in university publications. Can we add photographs and videos to the list of directory information, thus avoiding obtaining releases, at least for those who don't opt out of directory information?

A. This is a tricky issue. Adding still photographs and videos to the list of Directory Information, as suggested, is an approach to the FERPA privacy issue. But it does not address the other key legal issue: state laws (both statutory and common law) that make it unlawful to make use of names, portraits, and pictures of individuals "for advertising purposes or purposes of trade" without their written permission (or, in the case of minors, the permission of their parents or guardians).

What becomes centrally important here is the blurry line between "informational" and "promotional" in college and university websites and publications. If a photo is used for informational or news-reporting purposes (whether by a media outlet or by the college itself), the First Amendment trumps any state right of publicity. But if the publication is deemed to be for purposes of advertising or promotion, then a college would not necessarily be viewed differently from a box of Wheaties, and written permission may be necessary.

Every state has its own body of case law on his issue -- and the applicable law in any instance could potentially be that of the state of the student's permanent residence, rather than that of the college. The law is likely to be very fact-specific and is not entirely predictable. From a practical standpoint, therefore, any policy may involve risk-benefit tradeoffs. A general statement in the student handbook may suffice for crowd photos, even if they contain recognizable faces. But if you end up highlighting individual faces in publicity materials, the most prudent course may be to get specific written consent.

Answer courtesy of Zick Rubin, The Law Office of Zick Rubin (Zrubin@zickrubin.com).

Q.FERPA guidelines indicate that enrollment status is considered directory information. Is this true for admission status as well? · FERPA guidelines indicate that parents of college students do not have automatic access to their children's records, even if the child is still a minor. How should we respond when parents contact our office to inquire about the status of their child's application for admission? · Does a student who has been denied admission have a right to view their admission file? · We frequently receive requests from businesses outside of the university for the names and addresses of the new students who will be entering in the fall. Our response has been that this information is not public directory information until the students actually begin their class work, and they should direct their request for such lists to the Registrar's Office after fall classes have begun. Is this appropriate?

A. An applicant to a school is not yet a student under FERPA. There is no statutory right for a student to know his/her admission status until the school is ready to disclose that information. The same logic applies to a parent's request for information on admission. Even once the applicant matriculates, in the postsecondary setting, a parent does not have a right to information about the student. The school can simply follow school policy on what you wish to disclose, but FERPA does not dictate this. Admission status (as you seem to use the term) would not be directory information. It is not really part of FERPA, in this sense that prior to *attendance* FERPA does not come into play. Your response to outside businesses sounds just fine.

Q. Is directory information public information that can be released to a reporter?

A. Just because the institution has identified data as directory information does not mean it should be released to a reporter. This would be a policy decision, and there may be a wide variety of reasons not to release student information, even if directory, to a reporter. Check with your supervisor or call the University Registrar or the Office of General Counsel before responding to an inquiry from a reporter.

Q. Why do you classify date and place of birth as directory?

A. Date of birth and place of birth may be classified as directory information under FERPA. However, a school is not required to include these identifiers as directory information, nor is the school required to disclose these pieces of information to a requester. What you choose to identify as directory information is up to the school, as long as it is listed in the regulation at 34 CFR 99.3. Some schools may choose not to include date and place of birth as directory information on the theory that this type of data may be useful to someone who wishes to engage in identity theft.

Q.Under the 'broken locket requests', if identifying a student for purposes of degree verification is not permitted by use of the SSN, what other identifier can be used to confirm degrees which are not otherwise protected as well?

A. Identifiers that can be used would be any directory information, name, date of birth, date of last attendance, and student ID number if you have identified this in your policy as directory information. (note student ID number can only be directory information if it cannot be used to gain access to education records except when used with one or more other factors to authenticate the user's identity.

Q. You listed dates of attendance as directory information. Does that mean years attended or specific days/dates a student attended a class?

A. Dates of Attendance is meant to refer to years attended, and not to specific days a student is in class, or class schedule, which would not be directory information.

Q Does FERPA require the release of directory information?

A FERPA does not require the release of directory information, but allows the university to designate certain information as information that may be released without seeking written permission of the student. Note that each student is given an opportunity at registration to check a form indicating that they do not want any directory information released. Thus, before releasing directory information on a student, record custodians need to check the computer database to see if a file is flagged for non-release of directory information when responding to requests for same.

Q I have received a request to release a list of all law students to a professional organization soliciting memberships and subscriptions. The organization promises not to release the list or sell it to any for-profit agencies. Can a list be released?

A As a legal matter, a list with directory information only, can be released except for the names of those students who have requested that not even directory information be released. To whom the university releases such lists is a policy question. It certainly seems reasonable to release a list to the non-profit professional association for a graduate discipline that wishes to use the list to advertise their organization to students in that discipline.

Q We have received a request from the NAACP for a printout of all CUA 4th year students who are African-America. May we comply with this request?

A No. Race is not considered directory information, and release of this information, even for a benign purpose, would violate the law (Brown v. City of Oneonta, 106 F. 3d 1125 (2nd Cir. (1997)).

Q What are the rights of alumni with respect to holds on directory information?

A The key here is when the request is made. If a student, within the specified time period during his or her last opportunity as a student in attendance, requests under section 99.37 that directory information not be disclosed (i.e., the request is made while the person is still enrolled as a student), the institution must honor that request until otherwise notified. Thus, the student's request for non-disclosure must be honored even once the student graduates. For example, if the alumni office wants to disclose some of the former student's "directory information," it may not do so. However, an institution is not required by FERPA to honor a request by a former student that directory information not be disclosed when that request is made after the person is no longer an enrolled student and is made in the person's status as an alumnus. Further, the directory information provision does not apply to former students who attended institutions prior to the passage of FERPA in 1974, because they could not have such a hold in place on their records (i.e., the right to have non-disclosure didn't exist at the time they were a student) (information in answering this question was obtained from a 1991 presentation by LeRoy S. Rooker and re-published in "The Family Educational Rights and Privacy Act: A Legal Compendium" edited by Steven J. McDonald and published by the National Association of College and University Attorneys). NOTE FOR CATHOLIC UNIVERSITY: by policy, we do allow former students to ask the registrar, in writing, to request non-disclosure of directory information.

Pursuant to Judicial Order

Q. Has anyone else worked with the new version of Rule 45 that was amended on Dec. 1, 2013 as related to subpoena's for student records for federal cases in other jurisdictions?  Is service by mail now permitted even if not permitted locally?  If objections are filed, must we obtain a case number in our local jurisdiction to do so or is this something the requesting party will need to do if they seek to enforce?  Any other changes to be aware of from a FERPA perspective? (posted March 2014)

A. As I understand the new rule, subpoenas may now be served nationwide, which should eliminate almost all FERPA-based objections to federal subpoenas at this point -- they'll all be "lawfully issued" regardless of what court they come from.  If you have some other basis for objecting, such as burdensomeness or privilege, however, I believe that compliance will have to be sought in the court where you're located.

Answer courtesy of Steven J. McDonald, General Counsel, Rhode Island School of Design

Q. What happens if we receive a subpoena for a student's education records?

A. Please forward the subpoena to the Office of General Counsel. The OGC will review the subpoena for validity, and unless prohibited by the terms of the subpoena, will give the student an opportunity to quash the subpoena prior to disclosing the records. Do not furnish the information without involvement of the Office of General Counsel.

Q The University was presented yesterday with a search warrant for college records of a

former student. We explained FERPA and the carve out of advanced notification under CFR 99.31 (a) (9)(I & ii)(A) & (B). We thought we would get an amended warrant with the magic language. Instead the County Attorney is calling and insisting that the search warrant trumps and is not a "court order" nor a subpoena and we must comply without prior notification to the student (who is in jail on serious charges). He points out that you can't quash a search warrant prior to the search. He says that he does not have in his arsenal any power to issue a subpoena for investigation and the search warrant is his only tool. How do we proceed?

A. Mr. Rooker contacted our office and agreed that in this situation with the search warrant, the suggested solution of giving the former student shortened notice (we notified the student in jail by fax on Wednesday that he has until this Friday at 8:30 am) would meet the requirements of notification. The justification for such a short (or shorter) time span is that the legal system does not provide for pre-search warrant relief (such as a motion to quash) - instead relief is found after the warrant has issued and been carried out.

 

Q Once the institution has complied with a subpoena for law enforcement purposes, where does the institution store the subpoena itself? Should the subpoena be kept in the student file (where the student could eventually see it) or should the subpoena be forever kept separate? Should the subpoena be kept separate for a period of time with eventual placement in the student file?

 

A All subpoenas at CUA are handled by the Office of the General Counsel and stored there, along with related documents (e.g., correspondence related to the subpoena). The subpoena should not be placed in the student's file.

Release to Parents Without a Student's Consent

Q How can an institution capture dependent status of a student without asking for copies of a parent's income tax returns?

A The school can simply ask the student at the time of registration or even application for an incoming freshman or for transfer students. A Family Policy Compliance Office opinion letter dated October 29, 1993 and addressed to Mr. Robert Bienstock, Associate General Counsel at the University of New Mexico states the following:

Additionally, nothing in FERPA would preclude a university from requiring students to identify their status at the time of registration or even application for incoming freshman and transfer students. If an institution elects to adopt such a requirement, we believe that students should be advised of the reason why they are asked about their tax status as dependents and suggest the following or a similar statement to students.

Under FERPA, the University may disclose to parents information from the education records of a student who is "dependent" under the Federal tax laws without the student's consent. Have you been claimed by your parents as a dependent for Federal tax purposes?

Q Does FERPA prevent the release of information that is not gleaned from the student's education record? For example, a resident assistant advises the Vice President for Student Life that a student has attempted suicide. Can the VP relay this information to the student's parents?