FERPA Overview

1
FERPA Overview UpdatesA Private Conversation

• An overview of the Family Educational Rights and
  Privacy Act and why it is the right thing to do.
• CACCRAO 2008
• John Snodgrass, Registrar, Chapman University

2
Some Resources

• AACRAO FERPA Guide 2006
• www.aacrao.org/publications/
• The FERPA Doctors Case Book
• LRP Publications, www.shoplrp.com
• FPCO website http//www.ed.gov/policy/gen/guid/fp
  co/index.html
• AACRAO website http//www.aacrao.org/compliance/f
  erpa/index.htm

3
What is FERPA All About?

• Providing students guarantees regarding the
  access and confidentiality of their educational
  records
• Right to access
• Right to challenge contents
• Right to control over disclosure highest impact
  on how we deal with educational records

4
99.3 Key Definitions

• Attendance
• Directory Information
• Disclosure
• Disciplinary Action
• Educational Record
• Personally identifiable information
• Student
• (Note School Official is not described in 99.3)

5
Key Definition Student (post-secondary)

• In Attendance institutionally defined
• applicants, admits, or matriculants (actually
  attending as of the first day of class). Should
  be justified by some reasonable basis of fact and
  applied consistently
• Credit and non-credit, degree or non-degree
  seeking, all residencies all ages
• Regarding whom records are maintained
• Acquire all FERPA rights at the time they become
  a Student (note parents lose all right of access
  to educational records of students at post
  secondary institutions) retain FERPA rights
  until deceased.

6
Proposed Regulation Attendance

• Adds to current regulation attendance by
  videoconference, satellite, Internet, or other
  electronic information and telecommunications
  technologies for students who are not typically
  in the classroom.

7
Key Definition Educational Record

• With certain exceptions, all records identifying
  students maintained by the university in any
  medium
• Exceptions
• Law Enforcement records
• Treatment records
• Alumni records
• Employment records
• Sole Possession

8
Key Point To Remember, , ,

• Nothing in FERPA prohibits a school official from
  sharing information that is based on that
  officials personal knowledge or observation and
  that is not based on information contained in an
  educational record.

9
Proposed Regulations Personally Identifiable
Information

• Adds biometric record to the current list of
  personal identifiers e.g. name, SSN, ID, and adds
  other indirect identifiers such as date and place
  of birth, mothers maiden name, etc.
• Removes non-defined term easily traceable and
  provide instead that personally identifiable
  information that would allow a reasonable person
  in the school or its community, who does not have
  personal knowledge of the relevant circumstances,
  to identify the student with reasonable
  certainty.
• Additionally, personally identifiable information
  includes information that is requested by a
  person who the institution reasonably believes
  has direct personal knowledge of the identity of
  the student to whom the education record directly
  relatestargeted request

10
Update Treatment Records

• Education records do not include records on an
  eligible student that are
• Made or maintained by a physician, psychiatrist,
  psychologist, or other recognized professional or
  paraprofessional acting in his or her
  professional capacity or assisting in a
  paraprofessional capacity
• Made, maintained, or used only in connection with
  treatment of the student and
• Disclosed only to individuals providing the
  treatment. For the purpose of this definition,
  treatment does not include remedial educational
  activities or activities that are part of the
  program of instruction at the agency or
  institution.

11
Update Treatment Records, continued

• Once treatment records are disclosed outside of
  the requirements described above, the records
  become education records under FERPA
• Records maintained by an office of disability
  services are education records because they
  contain information that is directly related to a
  student.
• Treatment does not include determining
  appropriate accommodations for a disability.
• There is no exclusion from the definition of
  education records for health or medical
  records, except for treatment records that meet
  the requirements described above.

12
Proposed Regulations Education Record

• Alumni Records
• Clarify that with respect to former students,
  education records exclude records that are
  created or received by the institution after an
  individual is no longer a student in attendance
  and are not directly related to the individuals
  attendance as a student.

13
Proposed Regulations Education Record

• Peer Grading
• Clarify that peer-graded papers that have not
  been collected and recorded by a teacher are not
  considered maintained by an educational
  institution and, therefore, are not education
  records under FERPA (implementation of Supreme
  Court Case Owasso)

14
Key Definition School Officials

• Individual or group providing a necessary service
  for or on behalf of the institution
• No inherent rights re accessing educational
  records May access based upon need to know
• Are equally responsible for following FERPA
  regulations, re-disclosure requirements

15
Proposed Regulation School Officials

• Other School Officials
• Expand the school official exception to include
  contractors, consultants, volunteers, and other
  outside parties to whom an educational
  institution has outsourced institutional services
  or functions so long as
• --In order to be considered a school official
  an agency or institution must be able to show
  that a non-employee or other outside party is
  providing an institutional service or function
  that the agency or institution would otherwise
  use employees to perform.
• --The school must also show that the outside
  party would have legitimate educational
  interest in the information disclosed if the
  service were performed by employees.

16
Proposed Regulation School Official

• Other School Officials, continued
• --an agency or institution must be able to show
  that the outside party, in providing these
  services, is doing so under the direct control of
  the agency,
• --outside party is subject to the same
  redisclosure conditions applicable to other
  school officials
• --records directly related to a student that are
  maintained by such parties are education records,
  including any new student records created under
  an outsourcing agreement that are maintained by
  the outside service provider
• --the institution must comply with annual FERPA
  notification requirements in 99.7 by specifying
  their contractors, consultants, and volunteers as
  school officials retained to provide various
  institutional services and functions

17
Proposed Regulations School Officials

• Legitimate Educational Interest--Access
• Proposed regulations would require an
  institution to use reasonable methods to ensure
  that teachers and other school officials obtain
  access to only those education records in which
  they have legitimate educational interest.
  Such methods/controls may include
• Physical locked filing cabinets
• Technological software which implements role
  or field based security features
• administrative an institutional policy that
  prohibits access except for legitimate
  educational interest must be effective in
  ensuring compliance

18
99.4/99.5 Rights of Parents and Students

• 99.4Parents. Full rights to both parents.
• 99.5Student. all rights move from the parent to
  the student in post secondary environment.
• Exception if applicant to another component of
  institution, no right of access to records
  maintained by that component until the student is
  accepted and attends that other component

19
Proposed Regulations Release to
Parents--Clarification

• Proposed regulations in 99.5 clarify that even
  after a student has become an eligible student,
  an educational agency or institution may disclose
  education records to the students parents,
  without the consent of the eligible students if ,
  ,

20
Proposed Regulations Release to Parents,
continued

• --If the student is a dependent for Federal
  income tax purposes (99.31(a)(8)
• Note 99.31(a)(8) permits an educational agency
  or institution to disclose education records,
  without consent, to either parent if at least one
  of the parents has claimed the student as a
  dependent on the parents most recent tax return.
  Neither the age of the student nor the parents
  status as custodial parent is relevant.
• To make such a dependency determination, a
  school may
• -ask the parent to provide a copy of the most
  recent Federal income tax form (financial
  information may be redacted) showing dependency
  or
• -ask students to indicate if they are claimed
  as a dependent for income tax purposes by either
  parent (at registration, etc)

21
Proposed Regulations Release to Parents,
continued

• --In connection with a health or safety emergency
  (99.31(a)(10)
• --If the student is under the age of 21 and has
  violated a law or an institutional rule or policy
  governing the use or possession of alcohol or a
  controlled substance (99.31(a)(15)
• --If the disclosure falls within any other
  exception to the consent requirement in 99.31 (a)
  of the regulations, such as the disclosure of
  directory information or in compliance with a
  court order or lawfully issued subpoena.
• Ensures that institutions understand that FERPA
  does not block information sharing with parents
  if the above exceptions apply.

22
Proposed Regulations Health or Safety Emergency

• Removes language requiring strict construction
  of this exception
• Disclosure of education records is permitted when
  an institution, taking into account the totality
  of the circumstances, determines there is an
  articulable and significant threat to the health
  and safety of the student or other individuals.
• Disclosure may be made to any person whose
  knowledge of information is necessary to protect
  health and safety of student or others includes
  release to students parents.
• Department of Ed will not substitute its
  judgment for that of the institution in
  evaluating the circumstances and making its
  determination.

23
Remember, , ,

• While institutions may choose to follow a policy
  of not disclosing education records to parents of
  eligible students in these circumstances, FERPA
  does not mandate such a policy.

24
Institutional Requirements

• Annual Notification (99.7)
• Access and Review (Subpart B)
• Amendment (Subpart C)
• Disclosure (Subpart D)

25
99.7 Annual Notification

• Must include--
• Right method to inspect review
• Right method to seek amendment
• Right to consent other than 99.31 exceptions
• Right to file a complaint with Dept of ED
• Definition of school official
• Definition of legitimate educational interest
• DistributionAny means reasonably likely to
  inform
• Typically includes Directory information per
  99.37 requirements

26
SubPart B Student Rights to Review Records

• 99.10 Right to inspect review --Must
• Student must be allowed access within 45 days
• may charge a fee for copies (not retrieval)
  unless
• Cant destroy record once requested
• 99.12 Limitations on right to review
• parent financial information
• confidential letters
• Education records of the student that contain
  information on more than one student

27
More on Inspect Review, AKA Access

• 99.10(d) If circumstances effectively prevent the
  eligible student from exercising the right to
  inspect and review the students education
  records, the educational institution shall
• Provide a copy, or
• Make other arrangements to inspect review

28
So does that mean we dont have to give a copy of

• Grades? Nope
• Transcript? Nope
• Diploma? Nope
• But can we if we choose? Yep
• Should we? Hmmmm

29
Subpart C Amendment

• Request, Review, Hearing, decision
• Yes amend and notify
• No Notify, right to include statement
• Statement maintained life of related record
• Disclosed with related

30
Subpart D Disclosure

• 99.30 Prior Consent Required
• 99.31 Prior Consent Not Required
• 99.32 Recordkeeping, redisclosure, conditions on
  99.31

31
99.30 Consent Required

• Signature required (everything except 99.31)
• Provided directly to the institution
• Provided to a third party
• Electronic
• Consent includes
• What
• Purpose of disclosure
• To whom

32
Proposed Regulations Identification
Authentication

• Electronic/Telephonic Environments
• Proposed regulations would require an educational
  agency or institution to use reasonable methods
  to identify and authenticate the identity of
  students, parents, school officials, and any
  other parties to whom the institution discloses
  education records.
• Unique challenges exist re identification and
  authentication in electronic/telephonic
  environments. Students parents complaints re
  unauthorized access via use of widely available
  information, e.g the name and date of birth, name
  and SSN or other student ID number when providing
  .access
• This is a failure to properly authenticate
  identity.

33
Proposed Regulations Identification
Authentication

• Electronic/Telephonic Environments, continued
• --Authentication of identity generally involves
• -requiring a user to provide something that
  only the user knows, such as a PIN, password, or
  answer to a personal question
• -requiring something that only the user has,
  such as a smart card or token
• -or a biometric factor associated with no one
  other than the user, such as a finger, iris, or
  voiceprint.
• --The institution must insure it does not
  deliver a password, PIN, smart card, or other
  factor used to authenticate identity in a manner
  that would allow access to unauthorized
  recipients. This includes use of a common form
  user name (e.g. last name and first name initial)
  along with date of birth, SSN, or a portion of
  the SSN, as an initial password to be changed
  upon first use of the system.
• -

34
99.31 Key Exceptions

• Institution may disclose without consent if
  disclosure meets one or more of the following
  conditions (there or more these are most common)
• School Officials
• Parents of dependent students
• To institutions of post secondary education where
  the student seeks to enroll
• Financial Aid
• Judicial order/Subpoenas/Patriot Act
• Health Safety
• Disciplinary
• Sex Offender
• Directory

35
Proposed Regulations Disclosure to institution
in which student has enrolled

• Would allow institution to disclose education
  records, without consent, to another institution
  even after a student has already enrolled (and
  not just if student seeks to enroll) if the
  disclosure is for purposes related to the
  students enrollment or transfer.
• Intent is to allow institution to update,
  correct, or explain information originally
  disclosed. (Note current regulations allow
  institutions to send any and all education
  records, including disciplinary records to
  institutions to which a student seeks to enroll)

36
Proposed Regulations Disclosure definition re
institutions previously attended

• Excludes from definition of disclosure the
  release/return of an education record to the
  institution/party that created the record.
• Allows institutions to return transcripts,
  recommendations, etc that appear to have been
  falsified back to the institution or school
  official identified as the creator/sender in
  order to confirm authenticity. Allows sending
  school to confirm or deny accuracy of record, and
  send correct version. Consent from the student is
  not required.

37
Proposed Regulations Updating FERPA

• Updates or amends FERPA regulations to
  specifically include language related to
  releasing or re-releasing of information in
  accordance with the following Acts
• Patriot Act allows response to Ex Parte Order
  without notice to the student
• Campus Sex Crimes Prevention Act-- allows
  disclosure of information received under
  community notification program concerning
  registered sex offenders who are students
  (although institutions are not required under
  FERPA to collect or maintain information about
  registered sex offenders)
• Clery Act clarifies responsibility of
  institution to disclose information to accuser
  and accused allows re-disclosure by accuser

38
Directory Information

• Directory Information records which are neutral
  or not necessarily harmful if released to third
  parties
• institutions must specify what their Directory
  Information includes
• Cannot include SSN, Student ID, Gender,
  Nationality, Ethnicity, religion, grades, gpa
• Release not required may do so arbitrarily or
  capriciously.
• Students may withhold release--opt out
• Directory holds do not pertain to school
  officials having access to student educational
  records

39
Proposed Regulations Directory Information

• Would provide that
• --an educational agency may not designate as
  directory information a students SSN or other
  student ID number however
• --directory information may include a students
  user ID or other unique identifier used by the
  student to access or communicate in electronic
  systems, only if identifier is used in
  conjunction with one or more factors that
  authenticate the students identity, e.g. PIN,
  password, or other factor known only by the
  student.

40
Proposed Regulations Opting Out of Directory
Information

• Clarification of the regulations, affirming that
  an institution must continue to honor any valid
  request to opt out of directory information
  disclosures made while the individual was a
  student unless the student rescinds the decision
  to opt out of directory information disclosures.

41
Proposed Regulations Opting Out of Directory
Information

• Opt out of directory information does not prevent
  an educational institution from disclosing or
  requiring a student to disclose the students
  name, electronic identifier, or institutional
  email address in the classroom.
• Opt-out does not allow a student to remain
  anonymous in a class, and cannot be used to
  impede routine classroom communications, whether
  in person or on-line.
• Note proposal provides no authority to disclose
  any directory information outside of the
  students class nor does it allow for release of
  directory information not used for class
  communications if a student has opted out.

42
Proposed Regulations Use of SSN As An Aide in
Directory Confirmation

• Would prohibit an institution from using an SSN
  to identify or help identify a student or the
  students records when disclosing or confirming
  directory information unless the student has
  provided written consent in accordance with FERPA.

43
Disclosure requirements

• Conditions
• Record keeping
• Redisclosure

44
Proposed Regulations De-identification

• De-identification of information. Current
  regulations permit release of information without
  consent if all personally identifiable
  information has been removed.
• Proposed regulations will
• provide objective standards re when information
  releases may be considered de-identified
• apply to records at both student and aggregate
  form
• clarify permitted use of de-identified data
  releases for research purposes

45
Proposed Regulations Redisclosure

• Redisclosure under court order or subpoena
• Clarifies that redisclosing part has same
  responsibility as original disclosing party re
  notifying students prior to compliance.
• Redisclosure by federal and state officials
  (currently not permitted)
• Permits federal and state officials to
  redisclose under the same conditions as other
  recipients of education records allowed in 99.31
  (forward to another school, health/safety,
  accrediting agency, etc)

46
Proposed Regulations State Auditor

• Auditordefine State auditor as a party under
  any branch of government with authority to
  conduct audits (note that the audit must be a
  federal or state supported education program)

47
Proposed Regulations Organizations Conducting
Studies

• Current language for or on behalf of
• Proposed
• school does not have to initiate research
• school does not have to agree with or endorse
  conclusions
• school must agree with purposes of study
• school must maintain control over information
  disclosed

48
Proposed Regulations Organizations Conducting
Studies

• Institution must have written agreement with
  receiving organization that specifies
• -purpose of study
• -information can only be used to meet purposes
  of study
• -restriction on redisclosure
• -destruction of information when no longer
  required

49
Proposed Regulations Enforcement

• Clarify the Departments responsibilities related
  to authority and enforcement
• Affirms FPCOs authority to investigate a school
  when a student files a complaint
• Clarifies information FPCO may require to
  investigate and resolve complaints
• Clarifies that violation may be determined
  without being based upon a policy or practice of
  the school
• Clarifies that Secretary may take action to
  terminate assistance only when a school has been
  found to have a policy or practice in violation
  of FERPA, AND the school fails to voluntarily
  come into compliance.
• FPCO affirms that there is no intention or plan
  to initiate FERPA institutional compliance
  reviews or expand investigations beyond current
  practice.

50
Closing , , ,

• Remember It is the right thing to do
• Web Site http//www.chapman.edu/registrar/Privacy
  index.html
• snodgras_at_chapman.edu