Transcript FERPA for Registrars Something Old, Something New, You Can

FERPA for Admissions/Registrar Staff
Something Old, Something New, You Can Borrow,
Don’t Be Blue
Kris Kaplan, Deputy General Counsel
Minnesota State Colleges and
Universities
March 25, 2009
FERPA Regulations Amended
December 2008
Full text and detailed analysis available at:
• http://www.ed.gov/policy/gen/guid/fpco/hotto
pics/ht12-17-08.html
Few substantive changes, but added flexibility
(and corresponding recordkeeping) in some
areas and emphasis on good security practices.
Some Basic Principles
• Privacy laws apply (only) to documents and
information derived from documents.
• Education records include information about
students documented in any media, in any
location, but only
▫ “personally identifiable” to an individual student
(i.e., not aggregate or summary information).
FERPA – Recapping Some Basics
• Most education records are private
▫ Accessible to the student (with exceptions) within
10 days of request and
 To others with the student’s written (signed, dated)
consent
 To others as permitted by law
 Including school officials who have a legitimate
educational interest (defined by school)
• Parents of c/u students not automatically
entitled to access.
FERPA – Recapping Some Basics
• Some Education Records are public – directory
data
▫ Each college/university defines but will never
include SSN or certain personal “demographic”
information like gender or race (though DOB may
be included)
• Under MGDPA, public data must be provided
upon request, but
▫ Credit card marketers cannot have undergraduate
data
▫ May charge for copies per law/policy
NEW FERPA Clarification
• Student electronic personal identifiers may be
directory data if:
▫ The number cannot be used alone to access
private data (and is not part of the student’s SSN).
School should consider whether convenience
outweighs potential privacy concerns.
Student Rights under FERPA
• Access to own records (under MGDPA, includes copies
and 10 day response);
• May suppress directory data
▫ NEW clarification: must continue to honor even after
enrollment unless rescinded;
• May seek amendment of inaccurate, incomplete records
(clerical corrections);
• May file complaint with Department of Education
▫ Under MGDPA, may file similar administrative request for
opinion and bring claim for damages
All college/university students have the same rights to
control access to their records regardless of age.
Subpoenas and Other Legal Process
Requests
• Immediately forward any request for education
records pertaining to legal matter – whether by
letter or subpoena, court order or other - to
appropriate campus administrator for
consultation with OGC or AGO.
▫ Legal assistance needed to determine validity;
▫ Possible need to notify student in advance of
subpoena compliance.
Comply with search warrant immediately and
notify OGC or AGO as soon as practicable.
State Laws Also Apply
For example . . .
• Minnesota Government Data Practices Act
▫ Data from applicants included as educational
data – all may be treated as private despite
definition of directory data – until matriculation.
▫ Requires Data Privacy Notice (“Tennessen
Warning”) when collecting private data from
individual about him/herself.
• Other state law restrictions on SSN use, posting,
and security.
FERPA - What’s New?
Expanded Disclosures to Other Schools
• Education records may be released to another
school at any time so long as related to student’s
concurrent or subsequent enrollment – not just
at the time of transfer.
▫ May include any record – including discipline, but
 Suggest holding health-related records until after
admission decision.
• May return records to original provider
▫ Generally useful to verify authenticity.
To Implement
• Ensure campus FERPA Policy includes
statement that school discloses records to other
schools without consent if related to enrollment;
• Revise procedures to permit disclosures to other
schools (or other originators) as needed for
updates, corrections or verification of
authenticity.
FERPA - What’s New?
Reasonable Methods of Protection Required
• FERPA now specifies that schools use:
▫ Reasonable Methods to limit school officials’
access to records in which they have a legitimate
educational interest;
▫ Reasonable methods to identify and authenticate
who is receiving education records from school –
NEVER SSN.
To Implement
• Use appropriate policies, technological and physical
measures to control school officials’ access
▫ Consider potential harm, likelihood of compromise
• Establish appropriate methods to establish
identify/authenticity of requests that do not use
commonly available information like name, DOB,
student ID number (especially if public) and never
SSN (even indirectly).
▫ How to handle phone requests?
What is a Valid Authorization for
Release? See, www.ogc.mnscu.edu
• If written consent is required, look for these
elements:
▫ Name of student authorizing release (and other
optional identifier; SSN not recommended);
▫ Identity of who gets the information (could be
category, but more specificity is better);
▫ Description of records to be released and authorized
use of the information;
▫ Signature (may be copy or fax but not e-mail only);
▫ Date; under MGDPA expires after one year – or earlier
if purpose fulfilled.
Third Parties as School Officials
Outsourcing
• Schools may use third parties to do work using
education records that employees would
ordinarily do (outsourcing), but the school
remains responsible for its students’ records.
▫ Use contract terms that require appropriate
privacy and security;
▫ Use only for authorized purposes;
▫ No unauthorized re-disclosure.
Seek legal assistance on contract terms.
FERPA - What’s New?
Revised Health and Safety Emergency Standards
• School may release information from any
education record to any appropriate party if it
determines there is an articulable and
significant threat to the health or safety of the
student or any other person.
Previous strict construction language removed.
To Implement
• Identify campus team to deal with h/s safety
situations, using the articulable and significant
threat standard. Campus community should
know how to report situations.
• NEW: If information from education records is
disclosed under standard must record:
▫ The threat; the records disclosed; and to whom
disclosed. Keep with disclosed records pursuant
to retention schedule.
FERPA - What’s New?
Organizations Conducting Studies
Schools may provide education records to
organizations conducting studies “for or on
behalf of” the school;
• Now clarified: studies do not need to be initiated
by or endorsed by school but must be at least in
part “for or on behalf of” the school and
▫ NEW: written agreement required.
School always responsible for its education
records!
Handling Requests for Records for a
“Study”
• Refer to appropriate campus administrator
▫ Need to determine whether (really) mandated by
law or “for or on behalf” of school;
 May need review by IRB if “human subjects” study;
Consider potential benefits vs. administrative
burden;
 Employees do not have automatic access b/c of
status as employees
• Seek legal assistance when drafting agreement.
FERPA - What’s New?
Clarified definition of Alumni Records
• Alumni Records are not subject to FERPA and
school may therefore determine classification,
but some past confusion about definition.
• Now clarified: only includes information about
former student unrelated to activities as enrolled
student, and no need to permit former students
right to “suppress” directory data.
Final Tips
• Know your campus resources:
▫
▫
▫
▫
▫
Data Practices Compliance Official
FERPA Policy
Copy charge policy
Public records request policy
Other requests – e.g., employers, prospective
employers, other schools, law enforcement . . .
• Use good security practices when creating, using
storing private records; and
▫ Appropriate disposal procedures.