FERPA Overview & Updates

“A Private Conversation”

An overview of the Family Educational Rights and Privacy Act and why it is the right thing to do.

CACCRAO 2008 John Snodgrass, Registrar, Chapman University 1

Some Resources

AACRAO FERPA Guide 2006 – www.aacrao.org/publications/ The FERPA Doctor’s Case Book – LRP Publications, www.shoplrp.com

FPCO website: http://www.ed.gov/policy/gen/guid/fpco/index.html

AACRAO website: http://www.aacrao.org/compliance/ferpa/index.htm

2

What is FERPA All About?

Providing students guarantees regarding the access and confidentiality of their educational records – Right to access – Right to challenge contents –

Right to control over disclosure

–highest impact on how we deal with educational records 3

99.3 Key Definitions

Attendance Directory Information Disclosure Disciplinary Action Educational Record Personally identifiable information Student (Note: School Official is not described in 99.3) 4

Key Definition: Student (post secondary)

“In Attendance”: institutionally defined – applicants, admits, or matriculants (actually attending as of the first day of class). “Should be justified by some

reasonable basis of fact and applied consistently”

Credit and non-credit, degree or non-degree seeking, all residencies; all ages Regarding whom records are maintained Acquire all FERPA rights at the time they become a Student (note: parents lose all right of access to educational records of students at post secondary institutions); retain FERPA rights until deceased.

5

Proposed Regulation: Attendance

Adds to current regulation attendance by videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not typically in the classroom.

6

Key Definition: Educational Record

With certain exceptions, all records identifying students maintained by the university in any medium Exceptions: Law Enforcement records Treatment records Alumni records Employment records Sole Possession 7

Key Point To Remember, , ,

Nothing in FERPA prohibits a school official from sharing information that is based on that official’s personal knowledge or observation and that is not based on information contained in an educational record.

8

Proposed Regulations: Personally Identifiable Information

Adds “biometric record” to the current list of personal identifiers e.g. name, SSN, ID, and adds other indirect identifiers such as date and place of birth, mother’s maiden name, etc. Removes non-defined term “easily traceable” and provide instead that personally identifiable information that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.” Additionally, personally identifiable information includes information that is requested by a person who the institution reasonably believes has direct personal knowledge of the identity of the student to whom the education record directly relates—”targeted request” 9

Update: Treatment Records

“Education records” do not include records on an eligible student that are: – Made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his or her professional capacity or assisting in a paraprofessional capacity; – Made, maintained, or used only in connection with treatment of the student; and – Disclosed only to individuals providing the treatment. For the purpose of this definition, “treatment” does not include remedial educational activities or activities that are part of the program of instruction at the agency or institution.

10

Update: Treatment Records, continued

Once “treatment records” are disclosed outside of the requirements described above, the records become “education records” under FERPA Records maintained by an office of disability services are “education records” because they contain information that is directly related to a student.

“Treatment” does not include determining appropriate accommodations for a disability.

There is no exclusion from the definition of “education records” for “health” or “medical” records, except for “treatment” records that meet the requirements described above.

11

Proposed Regulations: Education Record

Alumni Records Clarify that with respect to former students, education records exclude records that are created or received by the institution after an individual is no longer a student in attendance

and are not directly related to the individual’s attendance as a student.

12

Proposed Regulations: Education Record

Peer Grading Clarify that peer-graded papers that have not been collected and recorded by a teacher are not considered maintained by an educational institution and, therefore, are not education records under FERPA (implementation of Supreme Court Case Owasso) 13

Key Definition: School Officials

Individual or group providing a necessary service for or on behalf of the institution No inherent rights re: accessing educational records; May access based upon need to know Are equally responsible for following FERPA regulations, re disclosure requirements 14

Proposed Regulation: School Officials

Other School Officials Expand the school official exception to include contractors, consultants, volunteers, and other outside parties to whom an educational institution has outsourced institutional services or functions so long as --In order to be considered a “school official” an agency or institution must be able to show that a non-employee or other outside party is providing an institutional service or function that the agency or institution would otherwise use employees to perform.

--The school must also show that the outside party would have “legitimate educational interest” in the information disclosed if the service were performed by employees.

15

Proposed Regulation: School Official

Other School Officials, continued --an agency or institution must be able to show that the outside party, in providing these services, is doing so under the direct control of the agency, --outside party is subject to the same redisclosure conditions applicable to other school officials --records directly related to a student that are maintained by such parties are education records, including any new student records created

under an outsourcing agreement that are maintained by the outside service provider

--the institution must comply with annual FERPA notification requirements in 99.7 by specifying their contractors, consultants, and volunteers as school officials retained to provide various institutional services and functions 16

Proposed Regulations: School Officials

Legitimate Educational Interest--Access Proposed regulations would require an institution to use reasonable methods to ensure that teachers and other school officials obtain access to only those education records in which they have legitimate educational interest. Such methods/controls may include Physical: locked filing cabinets Technological: software which implements role or field based security features administrative: an institutional policy that prohibits access except for legitimate educational interest; must be effective in ensuring compliance 17

99.4/99.5: Rights of Parents and Students

99.4—Parents. Full rights to both parents.

99.5—Student. all rights move from the parent to the student in post secondary environment.

– Exception: if applicant to another component of institution, no right of access to records maintained by that component until the student is accepted and attends that other component 18

Proposed Regulations: Release to Parents--Clarification

Proposed regulations in 99.5 clarify that even after a student has become an eligible student, an educational agency or institution may disclose education records to the student’s parents, without the consent of the eligible students if , , 19

Proposed Regulations: Release to Parents, continued

--If the student is a dependent for Federal income tax purposes (99.31(a)(8) Note: 99.31(a)(8) permits an educational agency or institution to disclose education records, without consent, to either parent if at least one of the parents has claimed the student as a dependent on the parent’s most recent tax return. Neither the age of the student nor the parent’s status as custodial parent is relevant.

To make such a dependency determination, a school may— -ask the parent to provide a copy of the most recent Federal income tax form (financial information may be redacted) showing dependency; or -ask students to indicate if they are claimed as a dependent for income tax purposes by either parent (at registration, etc) 20

Proposed Regulations: Release to Parents, continued

--In connection with a health or safety emergency (99.31(a)(10) --If the student is under the age of 21 and has violated a law or an institutional rule or policy governing the use or possession of alcohol or a controlled substance (99.31(a)(15); --If the disclosure falls within any other exception to the consent requirement in 99.31 (a) of the regulations, such as the disclosure of directory information or in compliance with a court order or lawfully issued subpoena.

Ensures that institutions understand that FERPA does not block information sharing with parents if the above exceptions apply.

21

Proposed Regulations: Health or Safety Emergency

Removes language requiring “strict construction” of this exception; Disclosure of education records is permitted when an institution, taking into account the totality of the circumstances, determines there is an articulable and significant threat to the health and safety of the student or other individuals. Disclosure may be made to any person whose knowledge of information is necessary to protect health and safety of student or others; includes release to student’s parents.

Department of Ed will not substitute its judgment for that of the institution in evaluating the circumstances and making its determination.

22

Remember, , ,

While institutions may choose to follow a policy of not disclosing education records to parents of eligible students in these circumstances, FERPA does not mandate such a policy.

23

Institutional Requirements

Annual Notification (99.7) Access and Review (Subpart B) Amendment (Subpart C) Disclosure (Subpart D) 24

99.7: Annual Notification

Must include- – Right & method to inspect & review – Right & method to seek amendment – Right to consent other than 99.31 exceptions – Right to file a complaint with Dept of ED – Definition of school official – Definition of legitimate educational interest Distribution:“Any means reasonably likely to inform” Typically includes Directory information per 99.37 requirements 25

SubPart B: Student Rights to Review Records

99.10: Right to inspect & review --“Must” – Student must be allowed access within 45 days – may charge a fee for copies (not retrieval) unless – Can’t destroy record once requested 99.12: Limitations on right to review – parent financial information – confidential letters – Education records of the student that contain information on more than one student 26

More on Inspect & Review, AKA Access

99.10(d) If circumstances effectively prevent the eligible student from exercising the right to inspect and review the student’s education records, the educational institution shall— – Provide a copy, or – Make other arrangements to inspect & review 27

So does that mean we don’t have to give a copy of

Grades? Nope Transcript? Nope Diploma? Nope But can we if we choose? Yep Should we? Hmmmm 28

Subpart C: Amendment

Request, Review, Hearing, decision: – Yes: amend and notify – No: Notify, right to include statement •Statement maintained life of related record •Disclosed with related 29

Subpart D: Disclosure

99.30 Prior Consent Required 99.31 Prior Consent Not Required 99.32+ Recordkeeping, redisclosure, conditions on 99.31

30

99.30: Consent Required

Signature required (everything except 99.31) – Provided directly to the institution – Provided to a third party – Electronic Consent includes – What – Purpose of disclosure – To whom 31

Proposed Regulations: Identification & Authentication

Electronic/Telephonic Environments: Proposed regulations would require an educational agency or institution to use reasonable methods to identify and authenticate the identity of students, parents, school officials, and any other parties to whom the institution discloses education records.

Unique challenges exist re: identification and authentication in electronic/telephonic environments. Students &parents complaints re: unauthorized access via use of widely available information, e.g the name and date of birth, name and SSN or other student ID number when providing .access “This is a failure to properly authenticate identity.” 32

Proposed Regulations: Identification & Authentication

Electronic/Telephonic Environments, continued: --Authentication of identity generally involves -requiring a user to provide something that only the user knows, such as a PIN, password, or answer to a personal question; -requiring something that only the user has, such as a smart card or token; -or a biometric factor associated with no one other than the user, such as a finger, iris, or voiceprint. --The institution must insure it does not deliver a password, PIN, smart card, or other factor used to authenticate identity in a manner that would allow access to unauthorized recipients. This includes use of a common form user name (e.g. last name and first name initial) along with date of birth, SSN, or a portion of the SSN, as an initial password to be changed upon first use of the system.

33

99.31: Key Exceptions

Institution may disclose without consent if disclosure meets one or more of the following conditions (there or more; these are most common) School Officials Parents of dependent students To institutions of post secondary education where the student seeks to enroll Financial Aid Judicial order/Subpoenas/Patriot Act Health & Safety Disciplinary Sex Offender Directory 34

Proposed Regulations: Disclosure to institution in which student has enrolled

Would allow institution to disclose education records, without consent, to another institution even after a student has already enrolled (and not just if student seeks to enroll) if the disclosure is for purposes related to the student’s enrollment or transfer. Intent is to allow institution to update, correct, or explain information originally disclosed. (Note: current regulations allow institutions to send any and all education records, including disciplinary records to institutions to which a student seeks to enroll) 35

Proposed Regulations: Disclosure definition re: institutions previously attended

Excludes from definition of disclosure the release/return of an education record to the institution/party that created the record.

Allows institutions to return transcripts, recommendations, etc that appear to have been falsified back to the institution or school official identified as the creator/sender in order to confirm authenticity. Allows sending school to confirm or deny accuracy of record, and send correct version. Consent from the student is not required.

36

Proposed Regulations: Updating FERPA

Updates or amends FERPA regulations to specifically include language related to releasing or re-releasing of information in accordance with the following Acts: Patriot Act— allows response to Ex Parte Order without notice to the student; Campus Sex Crimes Prevention Act-- allows disclosure of information received under community notification program concerning registered sex offenders who are students (although institutions are not required under FERPA to collect or maintain information about registered sex offenders) Clery Act– clarifies responsibility of institution to disclose information to accuser and accused; allows re-disclosure by accuser 37

Directory Information

Directory Information: records which are neutral or not necessarily harmful if released to third parties – institutions must specify what their Directory Information includes – Cannot include SSN, Student ID, Gender, Nationality, Ethnicity, religion, grades, gpa – Release not required; may do so arbitrarily or capriciously.

– Students may withhold release--opt out – Directory holds do not pertain to school officials having access to student educational records 38

Proposed Regulations: Directory Information

Would provide that --an educational agency may not designate as directory information a student’s SSN or other student ID number; however --directory information may include a student’s user ID or other unique identifier used by the student to access or communicate in electronic systems, only if identifier is used in conjunction with one or more factors that authenticate the student’s identity, e.g. PIN, password, or other factor known only by the student. 39

Proposed Regulations: Opting Out of Directory Information

Clarification of the regulations, affirming that an institution must continue to honor any valid request to opt out of directory information disclosures made while the individual was a student unless the student rescinds the decision to opt out of directory information disclosures.

40

Proposed Regulations: Opting Out of Directory Information

Opt out of directory information does not prevent an educational institution from disclosing or requiring a student to disclose the student’s name, electronic identifier, or institutional email address in the classroom. Opt-out does not allow a student to remain anonymous in a class, and cannot be used to impede routine classroom communications, whether in person or on-line.

Note: proposal provides no authority to disclose any directory information outside of the student’s class; nor does it allow for release of directory information not used for class communications if a student has opted out.

41

Proposed Regulations: Use of SSN As An Aide in Directory Confirmation

Would prohibit an institution from using an SSN to identify or help identify a student or the student’s records when disclosing or confirming directory information unless the student has provided written consent in accordance with FERPA.

42

Disclosure requirements

Conditions Record keeping Redisclosure 43

Proposed Regulations: De-identification

De-identification of information. Current regulations permit release of information without consent if all personally identifiable information has been removed.

Proposed regulations will provide objective standards re: when information releases may be considered de-identified apply to records at both student and aggregate form; clarify permitted use of de-identified data releases for research purposes 44

Proposed Regulations: Redisclosure

Redisclosure under court order or subpoena Clarifies that redisclosing part has same responsibility as original disclosing party re: notifying students prior to compliance.

Redisclosure by federal and state officials (currently not permitted) Permits federal and state officials to redisclose under the same conditions as other recipients of education records allowed in 99.31 (forward to another school, health/safety, accrediting agency, etc) 45

Proposed Regulations: State Auditor

“Auditor”—define State auditor as a party under any branch of government with authority to conduct audits (note that the audit must be a federal or state supported education program) 46

Proposed Regulations: Organizations Conducting Studies

Current language: “for or on behalf of” Proposed: school does not have to initiate research; school does not have to agree with or endorse conclusions; school must agree with purposes of study; school must maintain control over information disclosed 47

Proposed Regulations: Organizations Conducting Studies

Institution must have written agreement with receiving organization that specifies: -purpose of study -information can only be used to meet purposes of study -restriction on redisclosure -destruction of information when no longer required 48

Proposed Regulations: Enforcement

Clarify the Department’s responsibilities related to authority and enforcement: Affirms FPCO’s authority to investigate a school when a student files a complaint; Clarifies information FPCO may require to investigate and resolve complaints; Clarifies that violation may be determined without being based upon a policy or practice of the school; Clarifies that Secretary may take action to terminate assistance only when a school has been found to have a policy or practice in violation of FERPA, AND the school fails to voluntarily come into compliance.

FPCO affirms that there is no intention or plan to initiate FERPA institutional compliance reviews or expand investigations beyond current practice.

49

Closing , , ,

Remember: “It is the right thing to do” Web Site: http://www.chapman.edu/registrar/Privacyindex.

html [email protected]

50