FERPA Snapshot

1
FERPA Snapshot

• Bradley R. Barnes, CISSP
• Chief Information Officer
• Oklahoma State University Center for Veterinary
  Health Sciences
• Bradley.r.barnes_at_okstate.edu

2
FERPA Snapshot

• Bradley R. Barnes, CISSP
• Chief Information Officer
• Oklahoma State University Center for Veterinary
  Health Sciences
• Bradley.r.barnes_at_okstate.edu

3
Privacy Puzzle
4
What is FERPA?

• Family Educational Rights and Privacy Act of 1974
  (20 U.S.C. 1232g 34 CFR Part 99)
• AKA Buckley Amendment
• Provides for privacy of educational records

5
Why Should I Care?

• Uh, its Federal Law?

6
Why Should I Care?

• Personal Safety?
• FERPA drew widespread attention after the 2007
  Virginia Tech massacre. Two government reports
  found that the law likely played a role in the
  school's decision not to share the shooter's
  mental-health history with anyone before the
  incident, findings that led Congress to revise
  the statute.

7
Why Should I Care?

• Student Safety?
• In another high-profile case, the University of
  Kansas cited FERPA to explain why it didn't
  disclose the previous drinking citations of Jason
  Wren, a 19-year-old student who died in March
  after a night of binge drinking. The university
  says it has since revised its parental
  notification policy.

8
Why Should I Care?

• Institutional Reputation?
• Roger Williams University in Rhode Island was
  criticized for hiring the university president's
  26-year-old son for a fund-raising job, which
  required a bachelor's degree. Citing the federal
  act, the university declined to say whether the
  son, Chris Nirschel, finished his undergraduate
  education at Roger Williams -- or anywhere else.

9
Why Should I Care?

• Litigation?
• Recent lawsuit by Chicago Tribune publisher
  Tribune Co. against the University of Illinois
  highlighted the dilemma surrounding FERPA. The
  newspaper reported that Illinois lawmakers
  pressured university officials into admitting
  politically connected yet sometimes unqualified
  applicants, a claim the university has
  acknowledged.

10
Why Should I Care?

• The Tribune's suit seeks information, including
  high school grade point averages, for about 800
  applicants. But the publisher says in the suit it
  isn't asking for applicants' names or any
  identifying information, claiming that FERPA is
  valid only if it pinpoints specific students.

11
Why Should I Care?

• University officials say the school isn't trying
  to save face, but to follow the law. "At this
  point, we've given more than 5,000 pages of
  documents," says university spokesman Tom Hardy.
  "The only thing we haven't given is student
  information, because doing that would potentially
  violate FERPA."

12
Why Should I Care?

• Public/Lawmaker Focus?
• Inconsistencies in the application of the
  35-year-old law were detailed in a recent series
  of stories in The Columbus (Ohio) Dispatch that
  said schools often hide behind FERPA in
  improperly censoring a wide range of athletics
  records beyond the academic and other personal
  information it was designed to protect.

13
Why Should I Care?

• Records related to coaches and boosters, details
  of rules infractions and crimes and other
  information that should be publicly accessible
  have been withheld, the newspaper said. James L.
  Buckley, the former U.S. senator who drafted
  FERPA in 1974, told the newspaper the statute was
  being misapplied.

14
What is Attendance?

• In Person
• By Correspondence
• Videoconference
• Satellite
• Internet
• Other electronic information and
  telecommunications technologies

15
Who is a Student?

• An individual who is or has been in attendance
  at an educational agency or institution and
  regarding whom the agency or institution
  maintains education records

16
Who is an Eligible Student?

• A student who has reached 18 years of age or
  attends a postsecondary institution and thereby
  becomes an eligible student.

17
What is a Record?

• Any information recorded in any way, including,
  but not limited to, handwriting, print, computer
  media, video or audio tape, film, microfilm, and
  microfiche.

18
What is an Education Record?

• Directly related to a student and maintained by
  an educational agency or institution or by a
  party acting for the agency or institution
• Records relating to an individual in attendance
  at the agency or institution who is employed as a
  result of his or her status as a student are
  education records
• Records that pertain to a individuals previous
  attendance as a student regardless of when they
  were created or received by the institution

19
Annual Notification

• A school must annually notify students in
  attendance that they may
• Inspect and review their education records
• Seek amendment of inaccurate or misleading
  information in their education records
• Consent to most disclosures of personally
  identifiable information from education records.

20
Annual Notification

• The annual notice must also include
• Information for a student to file a complaint of
  an alleged violation with the FPCO
• A description of who is considered to be a school
  official and what is considered to be a
  legitimate educational interest so that
  information may be shared with that individual
  and
• Information about who to contact to seek access
  or amendment of education records.

21
Means of Notification

• May include student newspaper calendar student
  programs guide rules handbook, or other means
  reasonable likely to inform students
• Notification does not have to be made
  individually to students.

22
What is Personally Identifiable Information?

• "Personally identifiable information" includes,
  but is not limited to
• Direct Personal Identifiers
• The student's name
• Student ID
• Social Security Number
• Indirect Personal Identifiers
• Date and place of birth
• Mothers maiden name

23
What is Personally Identifiable Information?

• The name of the student's parent or other family
  member
• The address of the student or student's family
• A personal identifier, such as the student's
  student ID number or userid which would allow
  access to additional student records without
  further validation
• A list of personal characteristics or other
  information that would make the student's
  identity easily traceable

24
What is Personally Identifiable Information?

• Biometric Records
• A record of one or more measurable biological or
  behavioral characteristics that can be used for
  automated recognition of an individual, including
  fingerprints, retina and iris patterns,
  voiceprints, DNA sequence, facial
  characteristics, and handwriting.

25
What is Personally Identifiable Information?

• Information requested by a person who the
  educational agency or institution reasonably
  believes knows the identity of the student to
  whom the education record relates
• Other information that, alone or in combination,
  is linked or linkable to a specific student that
  would allow a reasonable person in the school
  community, who does not have personal knowledge
  of the relevant circumstances, to identify the
  student with reasonable certainty

26
What is Directory Information?

• FERPA defines "directory information" as
  information contained in the education records of
  a student that would not generally be considered
  harmful or an invasion of privacy if disclosed.

27
What is Directory Information?

• Directory Information Includes, but is not
  limited to
• Student's name
• Address
• Telephone listing
• Electronic mail address
• Photograph
• Date and place of birth
• Major Field of Study
• Grade Level

28
What is Directory Information?

• Enrollment status (e.g., undergraduate or
  graduate full-time or part-time)
• Dates of Attendance
• Participation in officially recognized activities
  and sports,
• Weight and height of members of athletic teams
• Degrees, honors and awards received
• Most recent educational agency or institution
  attended

29
What Cannot Be Directory Information?

• Directory information cannot include
• Student identification numbers or user IDs which
  by themselves grant additional access to student
  records
• Social Security Numbers
• Ethnicity/race/nationality
• Gender

30
Who is a School Official?

• School official must be defined by the
  institution as a matter of published policy
• Contractors, consultants, volunteers, and other
  outside service providers used by a school
  district or postsecondary Institution to perform
  institutional services and functions. A
  contractor (or other outside service provider)
  that is given access to education records under
  this provision must be under the direct control
  of the disclosing institution

31
Who is a School Official?

• Disclosure is permitted under this exception only
  if the district or institution is outsourcing a
  service it would otherwise provide using
  employees

32
Who is a School Official?

• A district or institution may not disclose
  education records to an outside service provider
  under this exception unless it has specified in
  its annual FERPA notification that it uses
  contractors, consultants, volunteers, etc. as
  school officials to provide certain institutional
  services and functions

33
What is a Legitimate Educational Interest?

• Legitimate educational interests is defined as
  an interest which results from duties officially
  assigned to a school official and which are
  related to such a school officials
  responsibility for facilitating the students
  development.

34
What are Excluded Records?

• Records that are kept in the sole possession of
  the maker, are used only as a personal memory
  aid, and are not accessible or revealed to any
  other person except a temporary substitute for
  the maker of the record.
• Records of the law enforcement unit of an
  educational agency or institution, subject to the
  provisions of 99.8.

35
What are Excluded Records?

• Records relating to an individual who is employed
  by an educational agency or institution, that
• Are made and maintained in the normal course of
  business
• Relate exclusively to the individual in that
  individual's capacity as an employee and
• Are not available for use for any other purpose.

36
What are Excluded Records?

• Records on a student who is 18 years of age or
  older, or is attending an institution of
  postsecondary education, that are
• Made or maintained by a physician, psychiatrist,
  psychologist, or other recognized professional or
  paraprofessional acting in his or her
  professional capacity or assisting in a
  paraprofessional capacity

37
What are Excluded Records?

• Made, maintained, or used only in connection with
  treatment of the student and
• Disclosed only to individuals providing the
  treatment. For the purpose of this definition,
  "treatment" does not include remedial educational
  activities or activities that are part of the
  program of instruction at the agency or
  institution and
• Records that only contain information about an
  individual after he or she is no longer a student
  at that agency or institution and which do not
  pertain to previous attendance.
• Grades on peer-graded papers before they are
  collected and recorded by a teacher.

38
Access Records

• A school must
• provide a student with an opportunity to inspect
  and review his or her education records within 45
  days of the receipt of a request
• provide a student with copies of education
  records or otherwise make the records available
  to the student if the student, for instance,
  lives outside of commuting distance of the school
  
• redact the names and other personally
  identifiable information about other students
  that may be included in the student's education
  records.

39
Amend Records

• Consider a request from a student to amend
  inaccurate or misleading information in the
  student's education records
• Offer the student a hearing on the matter if it
  decides not to amend the records in accordance
  with the request
• Offer the student a right to place a statement to
  be kept and disclosed with the record if as a
  result of the hearing the school still decides
  not to amend the record.

40
Disclosure of Records

• A school must
• Have a student's consent prior to the disclosure
  of education records
• Ensure that the consent is signed and dated and
  states the purpose of the disclosure.
• Honor a former students opt-out request made
  while in attendance unless it has been
  specifically rescinded by the former student.

41
Disclosure of Records

• Use reasonable methods to identify and
  authenticate the identity of parents, students,
  school officials, and any other parties to whom
  they disclose education records.
• Prohibit the use of an SSN as an identification
  element when disclosing or confirming directory
  information unless the student has provided
  written consent for the disclosure.

42
Disclosure of Records

• A school MAY disclose education records without
  consent when
• The disclosure is to school officials who have
  been determined to have legitimate educational
  interests as set forth in the institution's
  annual notification of rights to students
• The student is seeking or intending to enroll in
  another school and after the student has enrolled
  at another school

43
Disclosure of Records

• The disclosure is to state or local educational
  authorities auditing or enforcing Federal or
  State supported education programs or enforcing
  Federal laws which relate to those programs
• The disclosure is to the parents of a student who
  is a dependent for income tax purposes
• The disclosure is in compliance with the Clery
  Act

44
Disclosure of Records

• The disclosure is in connection with determining
  eligibility, amounts, and terms for financial aid
  or enforcing the terms and conditions of
  financial aid
• The disclosure is pursuant to a lawfully issued
  court order or subpoena or
• The information disclosed has been appropriately
  designated as directory information by the
  school.

45
Disclosure of Records

• The records are redacted or provide only
  statistical information (been de-identified
  through the removal of all personally
  identifiable information taking into account
  unique patterns of information about the student,
  whether through single or multiple releases, and
  other reasonably available information

46
Disclosure of Records

• A school should also consider other information
  that is linked or linkable to a student, such as
  law enforcement records, published directories,
  and other publicly available records that could
  be used to identify a student, and the cumulative
  effect of disclosure of student data.

47
Disclosure of Records

• The disclosing party must look to local news,
  events, and media coverage in the school
  community in determining whether other
  information (i.e., information other than direct
  and indirect identifiers listed in the definition
  of PII), would make a particular record
  personally identifiable even after all direct
  identifiers have been removed

48
Disclosure of Records

• In all cases, the disclosing party must determine
  whether the other information that is linked or
  linkable to an education record would allow a
  reasonable person in the school community to
  identify the student with reasonable certainty.
• May not disclose information requested by a
  person who the educational institution reasonably
  believes knows the identity of the student to
  whom the education record relates.

49
Data Disclosure
Veterans by zipcode
Female Students by zipcode
All Students by major
50
Not Data Disclosure

• Returning an education record, or information
  from an education record, to the party identified
  as the provider or creator of the record. (This
  will help schools deal with falsified
  transcripts, letters of recommendation, and other
  documents they receive by allowing an institution
  that has received a questionable document to
  return it to the ostensible sender for
  verification.)

51
Not Data Disclosure

• A school may disclose education records to a
  parent of a dependent student under any
  circumstance this exception to the consent
  requirement is likely to cover the vast majority
  of traditional college students.
• Even if a student is not a dependent, a
  postsecondary institution may disclose education
  records to a students parent under the alcohol
  or controlled substance exception if the student
  is under the age of 21.

52
Not Data Disclosure

• If the school determines that there is an
  articulable and significant threat to the health
  or safety of a student or other individuals, it
  may disclose information from education records
  to appropriate parties whose knowledge of the
  information is necessary to protect the health
  and safety of the student or other individuals.
  This may include the parents of an eligible
  student.

53
No Hiding in Class!

• An opt out of directory information disclosures
  does not prevent a school from identifying a
  student by name or from disclosing a students
  electronic identifier or institutional email
  address in class. This change clarifies that a
  right to opt out of directory information
  disclosures does not include a right to remain
  anonymous in class, and may not be used to impede
  routine classroom communications and interactions.

54
Records Redisclosure

• An educational agency or institution may disclose
  personally identifiable information from an
  education record only on the condition that the
  party to whom the information is disclosed will
  not disclose the information to any other party
  without the prior consent of the parent or
  eligible student.
• The officers, employees, and agents of a party
  that receives information may use the
  information, but only for the purposes for which
  the disclosure was made.

55
Solomon Amendment (10 USC Sec. 983)

• Schools must provide access by military
  recruiters for purposes of military recruiting to
  the following information pertaining to students
  (who are 17 years of age or older) enrolled at
  that institution (or any subelement of that
  institution)
• Names, addresses, and telephone listings.
• Date and place of birth, levels of education,
  academic majors, degrees received, and the most
  recent educational institution enrolled in by the
  student.

56
More Information

• http//www.ed.gov/policy/gen/guid/fpco/index.html