Click for Text-Only version
Back to CUA Home
The Catholic University of America - Campus Legal Clearinghouse
 
 
Collage of Pictures

Affirmative Action

ADA Compliance

Copyright

Employment

Environment

FERPA
Quick Clicks
FedLaw
Publications, Video, & Web Tutorials
Q & A
Resources, Forms, & Checklists 		 

GLB/Security

Harassment

HIPAA

Immigration

Religious Issues

Research & Patents

Student Life Issues

IDEA Scholarships

Campus Security

Tax
CLIC Home        CUA Policies        Text-Only        FedLaw        DC Law        Compliance Calendar       Compliance Partners        Links

Presented at the NACUA Institute for Law & Higher Education

The Digital University Comes of Age:
E-Education, Communication, and Commerce
Washington, D.C. Nov. 1-2, 2001

 

FERPA in the Digital Age

Click Here for Talking Points

  Margaret O'Donnell, Consulting Attorney and Craig Parker, General Counsel

  The Catholic University of America
Washington, DC

"Perhaps the biggest problem faced by all concerned is the fact that we live today in a world of technologically recorded, maintained and communicated information." [1]

I. Introduction

In 2001 most colleges and universities store student record information on computers as part of a Student Information System. Questions about access to student information may be directed to a Systems Administrator rather than the Registrar, and it may be the Systems Administrator who decides whether a particular individual can have access, and if so, what level of access to grant. This outline addresses the issue of how an institution can utilize technologically recorded, maintained and communicated information in a manner consistent with the dictates of the Family Educational Rights and Privacy Act (FERPA).

 

FERPA has been amended on a number of occasions, but the amendments have not dealt with the unique electronic issues that have arisen in the last decade.  The basic questions remain the same. Is the document under discussion an "education record" and if so, can the record be shared or disclosed?

 

20 U.S.C. § 1232g (a) (4) defines education records as "those records, files, documents, and other materials which (i) contain information directly related to a student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.

 

It sounds simple, but as anyone who participates on NACUANET (the National Association of College and University Attorneys listserv) knows, questions about actual implementation abound. In addition, what is or is not an education record, and what the word "maintain" means with respect to an educational record is currently being briefed to the U.S. Supreme Court in the case of Owasso Independent School District v. Falvo[2]  The briefs filed in the case, including one by ACE and other educational organizations, offer a wide variety of potential interpretations of the statutory language. If the Court decides to address this topic (it may be that the Section 1983 issue will be the focus of the Court), then questions about the digital records issue may be clarified by guidance from on high.

 

The ubiquitous presence of computers will in some instances make compliance with FERPA easier, and in other instances computers will greatly complicate the question of whether or not the university is in a preventive stance where FERPA compliance is concerned. This outline will attempt to do four things:

 

·        Highlight what student record privacy issues (Section II) might confront college or university Systems Administrators  through scenarios that can be used for training of Systems Administrators and others who must decide whether or not to grant access to a certain record.

 

·        Provide answers on what is or is not a student record in the digital age (Section III)  to the extent answers exist.

 

·        If no answers are currently available, review a set of principles developed by AACRAO[3] and Educause [4] (Section IV) that can be used for working out an answer.

 

·        Provide an audit checklist (Section V) for digital FERPA compliance.

 

While this outline does not cover the FERPA basics, a brief summary is attached, including key definitions and a chart summarizing issues regarding release of student records.

 

II. Scenarios

 

II- 1. The head of the Commuter Student Association wants a list of all students who are commuters (including addresses and phone numbers, as well as e-mail address) so that a directory can be put together for use by Commuter Students. The information will be sent out to a vendor who will print a directory that can be sold for a nominal fee by the Commuter Student Association. This request is made to the Systems Administrator. How do you handle this request?

 

II-2. Students' grades are now accessible by the web when a student enters a password. A parent calls and wants to know the password so they can access the student's grades. The parent claims the student is a financial dependent, and in fact the financial aid records in the database indicate the student is indeed a dependent. Do you give the parent the student's password? Do you send them a print copy of the grades?

 

II-3.  The internal auditor asks the Systems Administrator for full access to all systems, including the students' grades. The Administrator queries why she needs access to the students' grades. The auditor responds that by Board Policy she is to have full access to all documents, and that if there are any questions, the General Counsel should be consulted. Must she be granted access at all levels, including student grades? The administrator is inclined to give her access to student financials, but not to grades.  What advice should the General Counsel give?

 

II-4. The Administrative Assistant at the Law School will be handling block enrollment at the law school, and has asked the Systems Administrator to give her computer access as part of the “Registrar Class” which is necessary for her to perform this task. If she is given access to the “Registrar Class”, the Administrative Assistant will have access to more  information than she needs to perform the specified task.  What should the Systems Administrator do?

 

II-5. A student is missing from the residence hall. The parents are worried and want the university to look at the student's electronic records to help them figure out where he/she is. Records of interest include: telnet logs (is the student checking mail from a remote location?), stored email messages that were not received/read by the student, the names and contact information of individuals with whom the student was communicating with electronically prior to disappearing (students, faculty, staff, and non affiliates). Questions include:

 

·        Does it matter how long the student is missing?

·        Is a missing person report necessary?

·        What if the campus police request this information, or local police?

·        What if the records are all on the student's personally owned computer in the residence hall room?

 

II-6. What if the student is also an employee? Can the student information system records be linked to avoid duplication of certain information? How much technical protection is necessary to make sure the employer does not see the student's academic records?  Or any record not necessary for the job?  Does it have to be on a different screen? What if the employee is a regular employee but was once (ten years earlier) a student? Can those records be linked? If so, how closely? Does it matter that a supervisor would be technically able to see grades earned ten years earlier? Is a policy against this enough? What records can't be linked and if they can't, how far apart must they be? If they can't be on the same screen can they be on different screens but technically accessible?

 

II-7. Can an IP address be considered directory information? If the Systems Administrator saves a list of students' IP addresses and names, is this personally identifiable information maintained by the institution and fully protected by FERPA? Is it directory information? Should the university have a policy that only generic names should be given to students' computers?  Would current law allow universities to identify IP addresses as directory information? (This is a separate question from whether or not this would be wise policy.) Directory information is information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. (34 CFR § 99.3)

 

II-8.  How much can the Systems Administrator do in the name of system maintenance? Is it OK for the Systems Administrator to routinely scan ports[5] for "problem activities"? This could be activities that use too much bandwidth (the next generation of NAPSTERS, etc., running a game server) or something illegal such as trafficking in obscene materials or gambling.  Would the answer change if the activity was simply something that was against university policy? Does the answer change if the Systems Administrator stores the information on his/her computer? What if the administrator actually shares the data with another party?  Does this logging and archiving of the logs represent a legitimate educational interest by the institution?

 

 

 

Educational institutions that provide Internet services for students, faculty, and staff qualify for certain protections under the DMCA (Digital Millennium Copyright Act) as ISPs (Internet Service Providers).  This is in relation to instances in which faculty or students make infringing material available on their networks. If the ISP complies with the takedown provisions on notification, then immunity is afforded to the institution with respect to liability for infringement.  Institutional ISPs lose their immunity for offenses committed by individual students and faculty who have been the subject of two previous complaints.  ISPs are also required to have policies of cutting off subscribers who repeatedly infringe copyrights. Does this legal requirement change the answer to the question as to whether logging and archiving of the logs represents a legitimate educational interest by the institution?

 

II-9. What implications does ESIGN have for written permission for FERPA?

 

II-10. A course is jointly taught at two universities.  Students register for the course at their home institution.  Electronic reserves for the course may only be accessed by students registered in the course.  Each institution's digital library has its own portion of reserve material.  Technicians plan to issue each student an electronic "credential", analogous to a university ID card, installed in the student's Web browser.  The credential identifies the student and the student's university but contains no other information about the student.  Whenever the reserve material is accessed, the electronic library receives the student's credential.  The electronic library then makes an electronic inquiry asking the student's home registration system whether the student is registered in the course.  Technicians responsible for the registration systems are concerned that FERPA prohibits the release of course-registration information outside the institution without explicit student permission.  Is it necessary to get all students to sign waivers before they sign up for the course?  Alternatively, is it enough for the institutions to inform students that registering in a joint course implies consent to release course-registration information to the second institution? Or perhaps the two universities can be considered as a single institution for the purpose of this course and thus be permitted to share course-related information on a "need to know" basis with no explicit or implicit permission required?

 

II-11. Suppose the university has a contract with a commercial website that determines whether student papers are plagiarized. Participating professors would require that student papers be submitted electronically and run through this website to see if they are plagiarized. The paper being checked will also be stored in the web site's electronic data bank, and future papers will be checked against it. Even though the contents won't be released, is there a FERPA issue here?

II-12. What level of access, if any, should be given to the campus police on the Student Information System?

 

II-13.  Here is a proposed contract with an entity that will provide electronic payment processing
services:

Merchant [the university] acknowledges and agrees that in the course of providing the Services, VeriSign will capture transaction and customer information ("Data") and that VeriSign shall be granted by Merchant the rights necessary for VeriSign's use of all such Data necessary to perform the Services requested by Merchant.  Furthermore, VeriSign shall be permitted to (i) maintain aggregated Data, and (ii) sublicense and distribute the Data to a third party under contract with VeriSign that provides credit card fraud prevention and scoring services, solely for such third party's internal use in developing its credit card fraud prevention modeling and fraud scoring.  All Data provided to such third party shall be subject to written agreement between VeriSign and such third party restricting disclosure of any Data to other third parties.

 

What language, if any, should be changed to make sure the arrangement is in compliance with FERPA?


II-14.  The university has recently begun to allow for credit card payments of tuition and other student fees over the web. The  Student Records Office is contemplating allowing students/alumni to order and pay for transcripts over the web so long as the name on the credit card is the same as the name on the transcript (or there is a change of name form completed in the file for individuals who have gotten married or divorced or otherwise changed their name since attending the university). Currently, transcripts can be ordered in person or by mail, but a signature is required. Does FERPA allow ordering of transcripts in the above described manner?"

 III. Digital Age questions and answers

 

III-1. The systems administrator gets a call from a parent who wants to place a FERPA hold on any online information on her daughter, an applicant to the university. What are the FERPA issues and how do you resolve this?

 

A. This is a trick question on several counts. First, a parent does not have the right to place a hold on directory information with respect to a postsecondary student. Second, an applicant to the university is not covered under the definition of student under FERPA. Thus a student cannot place a hold on or access the records maintained in his/her education file by the institution until he or she matriculates. The parent can be advised that once the student matriculates, a hold can be placed on the release of directory information by the student.  If the parent is concerned about a non-custodial parent having access to confidential financial information, the parent can be reassured that university policy does not require the release of confidential financial information about one parent to an ex-spouse. 

 

III-2.  Information about disciplinary action taken against a student was formerly stored on the back of the file copy of the transcript, and only those in the office who had access to the paper copy of the transcript could view the data. When requests for transcripts were filled, the back of the transcript was not copied.   Now the disciplinary data is entered into the system, and a number of users can see this information. Is this OK under FERPA?

 

A. As long as the parties who have access to the information have a legitimate need to know, keeping a copy of the information in the system is not a problem under FERPA. If the system is set up so that more parties than necessary (for example, a number of faculty and other administrators) have access to the information than would have traditionally been the case (student life administrators and judicial code personnel) then the university may need to consider creating a separate “information panel”  that is accessible only to personnel from the Dean of Student’s Office.

 

III-3. Campus Programs has a message they want to send out to all students, and they ask the Systems Administrator to provide e-mail addresses for all students. What precautions should be taken in this instance to make sure there is FERPA compliance?

 

A. If the list message is to reach all students, the person sending out the list should be reminded about the provisions in FERPA and university policy for placing a hold on directory information, which may include e-mail addresses if e-mail addresses are identified as directory information under the university student records policy. If e-mail is directory information, it does not matter if the e-mail addresses of the student recipients appear on the list along with the message as long as no student on the list requested a hold on such directory information. If the e-mails are not identified in the policy as directory information, the e-mail address may be considered personally identifiable information that is not subject to release without written permission from the student. 

 

III-4. Can a student provide consent via e-mail for a school to release records to a third party?

 

A. At this time it is the position of the Family Policy Compliance Office, U.S. Dept. of Education, (FPCO) that there must be a written consent. Faxed consents may also be honored.  At the April 2001 AACRAO meeting in Seattle, LeRoy Rooker advised that FPCO has not yet issued guidance on what form of electronic signature would meet FERPA requirements for a "signed and dated written consent" for disclosures to a third party, in part because they were evaluating whether the Federal "E-Sign" legislation applied to written consents under FERPA.

 

III-5. Is it permissible to allow a student or the student's parent to access their records online with a PIN number?

 

A. FPCO has taken the position that institutions may allow students to use their ID numbers and a secure PIN known only by the student to access their own records. As to giving a PIN to the parent, the analysis would be the same as in the paper world.  Ordinarily[6]  records should not be released to a parent absent consent. The first step would be to ask "Has the student provided consent for the parents to receive this record?"  If consent is not present, then the record should not be released unless 1) the university confirms the student is a dependent student as defined in section 152 of the Internal Revenue Code  and 2) the university decides as a matter of policy it wishes to make such information available. Note that 34 CFR§ 99.31 uses the word may rather than shall with respect to release of records, giving discretion about release to the institution.

 

As long as the university is careful to ascertain that the student is actually a dependent (this information is often on file with the financial aid office) then there should be no problem under FERPA with giving parents a PIN number to access that student’s grades or whatever other information the university decides as a matter of policy it wishes to make available to the parent. For security purposes, the university may need to give the parents a different PIN than the PIN given to the student. What needs to be stressed is the security of the system.  Security must be in place so that PIN requests do not result in release of records to parties other than the student or his or her parent. 

 

III-6. If high school students enroll in distance education courses through the university to obtain high school credit, are those students considered "eligible students" under FERPA such that their consent is required to release their grades and other records held by the university to parents and other requestors?  Is the fact that they are receiving high school credit (as opposed to college credit) relevant?

 

A. Regardless of the age of the student, the fact of enrollment in higher education is what determines what rules apply.  Parents of the minor aged students who enroll with a college (either for college or high school credit) do not have automatic access to the student records as they do in the Elementary and Secondary years. The higher education institution needs to have students sign release forms allowing the parent to be advised of grades or show proof of dependency (tax). 

 

III-7. The Assistant Dean of the Law School wants to post live streaming video of the Atrium of the Law School on the Law School’s web site. Students routinely spend time hanging out in the Atrium. Is there a  FERPA privacy issue here?

 

A. As long as the School is not maintaining a record of this video, it would not be an education record under FERPA. Common law privacy principles or state privacy law might apply, and the best approach would be to give all Law School students (or other students who might utilize the Atrium) notice of the practice of posting this video on the web.

 

IV. Answering questions where the answer is not codified or otherwise captured in current guidance

 

As can be seen from the questions/scenarios above, there are a thousand possible permutations when considering what is or is not an educational record in the digital age, and whether or not it can be disclosed under FERPA.  In 1997 Cause (now Educause) published a white paper in conjunction with AACRAO, that was entitled Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities. This paper can be accessed online and should be required reading for all university or college Systems Administrators. Section IV (p. 18) of the article sets out “Principles of Fair Information Practice and Policy”. The list includes notification; minimization; secondary use; nondisclosure and consent; need to know; data accuracy, inspection and review; information security, integrity and accountability; and education. A consideration of the above principles when addressing a question of disclosure probably goes beyond what is required by the law under FERPA, and may be more suited to a discussion of what type of privacy policy the university wants to have in place in addition to FERPA requirements. That distinction having been made, the principles set forth in the white paper may also be helpful in answering a FERPA question. 

 

Consider the scenario of the system administrator scanning ports. The following questions might be asked: Are the students notified that the systems administrator will be scanning ports? Are the students notified not to use their own name or room number when setting up an IP address? What information is the Systems Administrator collecting, and why is it being collected? What steps are taken to protect the confidentiality and integrity of the information?  Similarly, on the minimization issue, when the systems administrator is scanning ports, is the information stored on a university computer? What is the need to collect and maintain this information? What is the minimal amount of information that must be collected to ensure the integrity of the system? On the principle of need to know, how many persons within the computer center have access to information that might be obtained about students from the scanning of ports? Do they have a need to know this information? Is the student given a chance to inspect and review any data collected about him or her, and to challenge inaccuracies?

 

The answers to the above questions, once ascertained, can be put into policies maintained by the university (or the computer center) on student record privacy. 

 

V.  Audit checklist for digital FERPA compliance

 

q       Are all staff provided with FERPA training before being given access to student records online?

 

q       Are Systems Administrators provided with FERPA training tailored to questions such as who should be given access to online databases?

 

q       Does the university’s policy on FERPA state that FERPA applies to online data as well as paper data?

 

q       If there is a special admissions review process for students with disabilities, is information about disability status stored online? If so, who has access to this information, and who makes sure the information is removed once the admissions office is done with the admissions process for that group of applicants? For example, PeopleSoft has a box that allows staff in the admissions office to store data on applicants identifying whether or not a student has a disability. Failure to limit access to this data would be a violation of the Americans with Disabilities Act (ADA) [7], and failure to remove the information once it has served the admissions purpose and a student has matriculated would also be a violation of the ADA.  Allowing access to this data for anyone other than the disabilities coordinator or another party with a need to know would be a violation of FERPA once the student has been in attendance at the institution. [8]

 

q       Does the computer system used for storing student record information contain a process for collecting and sorting requests for holds on directory information? Do those who access directory information know how to tell who has placed a hold on release of such information, or how to run a query that will sort out holds from non-holds when necessary?

 

q       Are students assigned unique identifiers rather than social security numbers for purposes of student id numbers?

 

q       Is access to the system controlled by secure passwords?

 

q       Do students IP addresses contain personally identifiable information? If so, what systems are in place to protect that data?

 

q       Is the system capable of storing information about whether or not the student is a dependent for tax purposes? If so, is this information made available to faculty and other staff who may need to field questions from parents on a regular basis?

 

q       When purchasing (or designing) an online information system, are the requirements of FERPA taken into consideration?

 

q       What process exists at the university for complaints about online record violations?

 

q       Are students given notice about scanning of ports and other data collection activities at the university?

 

q       Has there been an informed decision addressing what level of access should be granted to staff/faculty when they are given access to an online student record system?

 

q       Does the system contain any reminder (an opening screen or some other device) that makes custodians of records mindful of FERPA responsibilities when accessing the system?

 

q       Does the Registrar stay in contact with the Systems Administrator on FERPA issues?

 

q       Are students given a chance to review and challenge the accuracy of electronic data collected about them to the extent it is personally identifiable, or used to make decisions about the student?

 

   

Resources

Sample inquiry in PeopleSoft that someone might write to find all females from New York (there would usually be joins to other tables to narrow the population, such as enrolled juniors); this query is just on PERSONAL_DATA, which is the "people" table).  The last line, FERPA = 'N', is needed to select only those who did not request FERPA privacy.

 

SELECT A.NAME, A.EMPLID

FROM PS_PERSONAL_DATA A

WHERE A.STATE = 'NY'

AND A.SEX = 'F'

AND A.FERPA = 'N'

 

 

The Office of Student Financial Assistance issued voluntary Standards for Electronic Signatures in Electronic Student Loan Transactions, which provide a safe harbor for lenders using various forms of electronic signatures on promissory notes and other transactions in the Federal student loan programs. See May 2001 GEN-01-06, Dear Partner Letter: Use of Electronic Signatures in the Federal Student Loan Programs (accessed Aug. 8, 2001).

 

Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities  (joint paper published in 1997 by Cause (now Educause) and AACRAO) (accessed Aug. 8, 2001).  This is a fabulous paper. At this point in time it remains the best help there is for universities trying to implement new student administration systems that are in compliance with FERPA.

 

Thanks to the following who provided scenarios/suggestions/questions for this outline:

 

Chuck Mann, Director of Business Services and Project Director for Administrative Systems, CUA

 

Noreen Duszynski, Senior Analyst and Systems Manager, Center for Planning and Information Technology, CUA

 

Art Cavanagh, Registrar at CUA

 

Dr. William Lantry, Director of Academic Services for the Center for Planning and Information Technology, CUA

 

Marjorie S. Hodges, Former Information Technology Counsel, Cornell University and past Program Director of The Cornell Computer Policy and Law Center

 

Steven Worona, ­­­­Director of Policy and Networking Programs, Educause, and Program Director of The Cornell Computer Policy and Law Center

 

Virginia E. Rezmierski, Ph.D., Adjunct Associate Professor, Gerald Ford School of Public Policy and the School of Information, University of Michigan, and one of the Co-Chairs involved in developing the white paper Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities

 

NACUANET participants who posted questions on FERPA

 

© The Catholic University of America (2001) CUA grants a non-exclusive right to reprint for all non-profit educational purposes.  

  OGC:/web/ferpa/ferpa in the digital age  9/14/01

[1]Quote from 120 Cong. Rec. 14,579 (May 14, 1974) from the introduction and debate on the Buckley Amendment, otherwise known as the Family Educational Rights and Privacy Act or FERPA, 20 U.S.C. § 1232g.

[2] 233 F. 3d 1203 (10th Cir. Oct. 4, 2000), cert. granted, Owasso Independent School District v. Falvo, ---S.Ct.---, 2001 WL 15965, 69 USLW 3481 (U.S. June 25, 2001) (NO. 00-1073). See the WestLaw Supreme Court briefs file for the amici briefs.

[3] The American Association of Collegiate Registrars and Admissions Officers

[4] The mission of EDUCAUSE is to advance higher education by promoting the intelligent use of information technology. 

[5] Ports are openings in the operating system that allow conductivity on a network. If you can identify a student by an IP address, you can then tell what systems they are running, and if they have set up a web server.

[6] This is not a situation that involves student health and safety.

[7] Any information collected by the university during admissions through the Special Admissions process must be kept confidential as a matter of federal non-discrimination law, and must be used only in connection with the university's special admissions process. 34 CFR § 104.42 Admissions and Recruitment

[8] 20 U.S.C. § 1232g (a) (6) states: For the purposes of this section, the term ''student'' includes any person with respect to whom an educational agency or institution maintains education records or personally identifiable information, but does not include a person who has not been in attendance at such agency or institution.

 

Talking Points For FERPA  Scenarios

1.  While the information requested is directory information, the fact that these students are commuters is not. If the commuter student association is run by students who might be considered as "school officials" under the university student record policy, then it might be OK to give directory information after checking to make sure no holds have been placed. Best approach would be an e-mail to the group to see if anyone objects to release of this information or does not want to be included in the directory.

2.      If the student is a dependent, a parent can be provided any information about his or her child, including a password the school might have.  Check to see what the university policy is on this issue. Release of the student’s PIN , while not prohibited under FERPA when the release is to a parent of a dependent student,  might not be a wise policy choice. Release of the PIN to someone other than the student will limit use of the student’s PIN. For example, FPCO has stated that institutions may allow students to use their ID numbers and a secure PIN known only by the student to access their own records. This use may not be permissible if the PIN is known to parties other than the student.

3.      Answer to this will require looking at what is a legitimate education interest, and who is a school official, under the University student record policy. If the policy is broad enough, and legitimate educational interest can be identified, access may be granted. Note that permitted access under the policy does not mean access is required. University administrators or counsel may choose to restrict access on a case by case basis without violating FERPA. Even if the auditor meets definition of a school official, General Counsel should advise that access be limited to that portion of the records in which the auditor has a legitimate educational interest.

4.      This is basically a cost-benefit analysis that needs to be performed. Access should be granted to the level needed to perform the task. If access above and beyond what is  necessary for performance of the employee’s task is provided, as necessitated by the system,  the employee should be reminded about the restraints imposed by FERPA.

5.      In this instance the health and safety emergency (34 CFR § 99.31(a) (10) and § 99.36) would justifiy accessing the records. This information may be shared with appropriate parties (those needed to provide immediate protection for student or others in community).  Usually this is law enforcement, medical personnel, and public health officials. Remember that this access should be recorded in the student’s file.

6.      A supervisor who looks up grades or attendance information about an employee who also happens to be a student would violate FERPA. Ideally such information would not be technically accessible. If that is not possible, supervisors should be reminded about the FERPA prohibition.

7.      Query whether an IP address is always tied to a particular student.  As the IP address typically identifies the computer, and the user may not always be the student, is the address personally identifiable information? Some would argue that it is as identifiable as a phone number, i.e. while there is no guarantee that the phone number equates with a certain person, but there is a strong likelihood that it does.

Directory Information is defined in 34 CFR § 99.3 in part as information contained in an education record of a student that would not be considered harmful or an invasion of privacy if disclosed. Computer savvy types would argue that an IP address should not be listed as directory information as harm could be caused by disclosure of this information. In the same vein, students should be advised to choose an anonymous IP address.

8.      To a certain extent what the systems administrator is doing is performing a legitimate educational interest. However, the school is relying on the administrator to use his/her good judgment on this issue. It may be useful to have policies that address the questions raised in Scenario 8.

9.      The Department of Education is considering this issue. In the future there may be regulations addressing what type of electronic signature might suffice under FERPA.

10.  Two schools can share this information when students are registered for a jointly taught course. See 34 CFR § 99.34(b)(1) (2), which states:

(b) An educational agency or institution may disclose an education record of a student in attendance to    another educational agency or institution if:

(1) The student is enrolled in or receives services from the other agency or institution; and

(2) The disclosure meets the requirements of paragraph (a) of this section.  In this instance the requirements of paragraph  (a) would be met by giving notice to the students that registering in a joint course implies consent to release course-registration information to the second institution.

11.  Commercial vendor is acting as an agent of the university in performing this service. Most likely allowable under FERPA. Consider having students sign consent to have their papers turned over to the service. May serve as a notice and deterrent.

12.  Check policy to make sure campus police are designated as school officials with legitimate educational interest. As long as they are, they should be able to access whatever information they need from the system to keep the campus safe.

13.  Disclosure to a third party of personally identifiable information would not be allowable under FERPA without a waiver or consent from the student. Until clarification obtained on this issue, if the  information is actually personally identifiable, get consent.

14.  This use of technology is compliant with FERPA if the transcript is being sent to the student and not to a third party. Current FPCO interpretation of FERPA is that in order to send information to a third party, a student signature is required.  The university should have system in place to make sure person ordering the transcript is actually the student.








links updated 6/26/08 rab



Last Revised 26-Jun-08 03:27 PM.