welcome! ferpa student consent to disclosure austin college access network (acan) austin opportunity...
TRANSCRIPT
Welcome! FERPA Student Consent to Disclosure Austin College Access Network (ACAN)
Austin Opportunity Youth Collaborative (AOYC)
Presented by Glynis Kaye Miller, M. Ed. Office of the Registrar Austin Community College District September 2015
FERPA OverviewThis presentation is designed to give ACAN & AOYC members “Best Practices”
regarding their role in FERPA compliance. Topics of discussion:
Definitions & Student Rights
Look Out for the “MAYs” & “MUSTs” of FERPA
Education Records
Types of Information Under FERPA
Directory & (PII) Personally Identifiable Information
Student Rights Vs. Parental Rights
FERPA, ACAN & AOYC Working Together
Disclosure of PII & Nondisclosure of Directory Information
AOYC Responsibilities: Written Authorization of Student & It’s Contents
Violations, Sanctions & Enforcement
Legitimate Educational Interest
Best Practices
Q & A
The Family Educational Rights & Privacy Act
FERPA, also known as the Buckley Amendment, was enacted by Congress in 1974 and can be defined as:
“A federal law designed to protect the privacy of education records, to establish the right of students to inspect and review their education records, to provide students with the means to control the disclosure and the release of their records, and to provide guidelines for the correction of inaccurate and misleading data through informal and formal hearings.”
Student RightsFERPA gives the student the right to…
inspect and review education records
seek the amendment of education records
consent/control to the disclosure of education records
waive their rights in writing
file a complaint with the Family Policy Compliance Office in Washington, D.C.
Student Rights
With respect to a student’s right to inspect and
review records, it’s the institution’s responsibility
to:
comply with the request within 45 days
make a copy of records available when failure to do so would effectively deny access (i.e., for students or former students who do not live within commuting distance)
not destroy records if request for access is pending
Educational Records
As an ACAN or AOYC member, how would you define educational records?
Also, give some types and or examples of what is considered educational records.
What are Educational Records?
Educational records are those records, files, documents or other materials which contain information directly related to a student and that are maintained by any employee or an agent of the college. The information may be recorded in any way, including, but not limitedto, handwriting, print, computer media, videotape, audiotape, film, microfilm, microfiche, and e-mail.
Types of Educational Records
Written permission MUST be obtained from a student before releasing an education record unless the request fits certain narrow exceptions.
Academic Records
Directory & PII Information
Financial or Financial Aid Records
Disciplinary Records
Various Educational Records You May Work With:
Student/Class Roster Residency Form Grade Change Request Enrollment Verification Transcript Student Course Schedule Graduation Application Student Financial Aid Documents End-of-Semester Reports Health Record (at the K – 12 level) Meningitis Record (post-secondary until age 22)
WHAT is NOT an Education Record
Records made by college personnel that are the sole possession of the maker and not revealed to any other person (personal notes). However, once you share them with anyone else, they become “educational records.”
Records of the College Police Department for law enforcement purposes.
Employment records relating to an individual where employment is NOT connected to their status as a student. (full or part-time employment)
Medical or psychological treatment records that are only used for the treatment of a student. Once medical records are used for the determination related to educational purposes,
they become a part of the student’s education
record.
Two Types of Information defined in FERPA
Personally Identifiable Information:PII is information contained in a student’s record that is an unique identifier and/or if released, could be considered an invasion of privacy and/or harmful to the student.
Directory Information: Directory information is information contained in a student's education record that would not generally be considered harmful or an invasion of privacy if disclosed.
FERPA permits each institution to define a class of information as "directory information." FERPA permits public disclosure of directory information without the student's express written consent. In other words, director information MAY be disclosed to a third party.
FERPA Regulations Applies To:
FERPA applies to each educational agency or educational institution which receives funds, including Title IV Federal Aid, under any program administered by the Secretary of Education.
Parental Rights Vs. Student Rights
WHO is a Parent or Legal Guardian?
The term "parent" is defined as including natural parents, a legal guardian, or an individual acting as a parent (referred to as a proxy) in the absence of a parent or a guardian.
WHO is a Eligible
Student?
An “eligible student” means a student who has reached the age of 18 or who is attending a postsecondary institution at any age.
The Act applies to students enrolled in higher education institutions as well as K–12 students. Under FERPA, these two groups are treated the same with one fundamental difference:
WHO the rights are given to under the Act:
If a student is a minor (e.g., under the age of eighteen) or a dependent, the parents or legal guardians are afforded the rights.
On the other hand, the rights primarily reside with the “eligible student,” regardless of age, once he or she is admitted or enrolls at an institution of higher education.
Parental Rights to Access RecordsWhen a student reaches the age of 18 or begins attending a postsecondary
institution, regardless of age, FERPA rights transfer from the parent to the student. (See 34 C.F.R. secs. 99.3 and 99.5). In other words, at the postsecondary level, parents have no inherent rights to inspect their son's or daughter's education records.
The institution MAY grant parents the right to obtain non-directory information — such as grades and GPA — but is certainly not required under FERPA to do so.
If the institution chooses to allow parents to see such items as grades and GPA, there are two avenues for doing so:
1). Signed, written consent from the student involved
2). Submission by the parents of proof that they declared the student as a
dependent on their most recent Federal Income Tax form.
Theoretical Framework
Legal Considerations of Disclosure
Gramm-Leach Bliley Act (GLB Act): Privacy – Security – Pre-texting
Patriot Act: Domestic or International Terrorism
Campus Sex Crimes Prevention Act: Community Notification Program of Registered Sex Offender
Clery Act: School Disciplinary Proceedings and Outcome (accuser and
accused sex offense)
When you think about your own principles and values as it relates to handling either type of student information, what comes to mind?
Loss of Funding/Money Data Integrity Security Breach Foreseeable ThreatsGuarded/Alert Consumer ControlOpt-Out Clause
FERPA, ACAN, & AOYC Working Together:The Gramm-Leach Bliley Act (GLB Act) also known as
the Financial Services Modernization Act of 1999:
States that whether a financial institution discloses nonpublic information or not, there must be a policy to protect the information from foreseeable threats in security and data integrity. The three requirements are…
FERPA, ACAN, & AOYC Working Together:
GLB Act has 3 major requirements:
1.MUST securely store personal financial information
2.MUST advise you of their policies on sharing of personal financial information
3.MUST give consumers the option of opt-out of some sharing personal financial information
FERPA, ACAN, & AOYC Working Together:GLB Act major components put into place to govern the collection, disclosure, and protection of consumers’ nonpublic personal information (or as FERPA refers to personally identifiable information)
include:
Financial Privacy RuleSafeguards RulePre-texting Protection
FERPA, ACAN, & AOYC Working Together:
Financial Privacy Rule: Requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter.
Question: ACAN or AOYC how is this being done?
The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected.
FERPA, ACAN, & AOYC Working Together:
Safeguards Rule: Requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information.
What “Best Practices” does your office have to protect the student’s information? Are they written into the procedures?
FERPA, ACAN, & AOYC Working Together:
Pre-texting Protection: (sometimes referred to as “social engineering”) occurs when someone tries to gain access to personal nonpublic information without the proper authority to do so. This may entail requesting private information while impersonating the client by phone, mail or email).
Best Practices: What is your office policy regarding emails? What is your office policy regarding disclosure over the telephone?
ACC Shares Best Practice: Communicating via E-mail & Telephone
ACCemail (contracted through Google/Gmail) is the official required form of electronic communication for ACC students.
(Administrative Rule 3.05.006) All College e-mail communication to students will be sent solely to ACCmail accounts, from official ACC employee email accounts.
Confidential information MAY be disclosed over the telephone ONLY IF you have ensured that you are speaking with the student or agent of the college.
Best Practices: ALWAYS err on the side of caution Question: ACAN and AOYC do you communicate via email or
telephone? What is the written policy of communication via e-mail and telephone?
DisclosureAs previously stated, there are (2) two types of
information distinguished under FERPA. Let’s
discuss (PII) in more detail:
Personally Identifiable Information
Personally Identifiable Information
How do you handle Personally
Identifiable Information within
the scope
of your job
duties?
Personally Identifiable Information
Prior consent, in the form of a signed and dated document, must be provided by the student to authorize an institution or agency to disclose personally identifiable information. The consent:
Must specify exact record(s) to be released/disclosed Must state purpose of disclosure Must identify party or class of parties to whom
disclosure may be madeMust state period of time for which the release is
effectiveMust be signed and dated by the student and/or parent
or legal guardian
ACC Shares Best PracticesThis form MUST be presented to the school official. Staff are responsible for
properly identifying the student and/or proxy submitting the release form:
Student Proxy Authorization Form
NOTE: e-mailed releasescannot be accepted.
Question: ACAN or AOYC doyour foresee a need for a studentproxy form?
Primary ExceptionsPRIOR CONSENT is NOT Required to Disclose
Personally Identifiable Information (PII) to school
officials:
to a school official who has a legitimate educational interest
to schools in which a student seeks or intends to enroll (the institution must make an attempt to notify the student that records are being provided)
to federal, state and local authorities involving an audit or evaluation of compliance with education programs
in connection with financial aid (such as the
administration or continuation of aid)
Primary Exceptions…ContinuedPRIOR CONSENT is NOT Required to Disclose Personally Identifiable Information (PII):
to individuals/organizations conducting studies for or on behalf of an educational institution
to regional or professional accreditation organizations
to parents of a dependent student
in the event of a health or safety emergency where the information is required to resolve the emergency
to comply with a judicial order or subpoena (a reasonable effort must be made to notify the student beforehand—unless ordered by the subpoena not to do so)
to military recruiters (Applies HEI’s Only)
Primary Exceptions…ContinuedPRIOR CONSENT is NOT Required to Disclose Personally Identifiable Information (PII):
“typically” or (MAY) be what is considered directory information, so long as the student has not requested nondisclosure of this information
to the student (victim) of a crime. The student (victim) has access to the results of a disciplinary hearing where the student (offender) is the perpetrator of a crime of violence or a non-forceable sex offense. Under this exception, information on the student (offender) MAY be released to anyone, including the media. NO information on the victim or witnesses may be released.
of a student under the age of 21 who has committed a drug or alcohol related offense (e.g., MAY report the offense to the parents of the student).
Best Practices & Protocol: Report these incidents to your supervisor. Both the media and parents are typically notified at the executive level [President, VP, Provost, Dean level(s)].
Directory Information Directory Information is generally defined in
the Education Code as “information contained in an education record of a student which would not generally be considered harmful or an invasion of privacy if disclosed."
Directory Information *MAY be disclosed to a third party without the student’s express written permission. *(“Best Practice”)
HOW ACC Defines Directory Information (Note: When in doubt, request should be fielded through the Registrar’s Office)
NameAddressTelephone NumberDates of AttendanceMajor Field of StudyDate and Place of BirthDegrees, Certificates and Awards ReceivedParticipation in Officially Recognized Activities Educational Institution Most Recently AttendedStudent Classification (freshman, sophomore, etc.)Enrollment Status (full, half, quarter, less than half-time)
HOW does the other (HEI’s) higher education institutions partnered with ACAN define Directory Information?
Directory Information An institution MAY disclose directory information if it has given
students in attendance public notice of:
what the institution has designated or defined as directory information
the timeframe within which a student must notify the school, in writing, that he or she does not want any or all of the information designated as directory information….
a student’s right to refuse designation of some OR all of their information as directory information (Opt-Out Option)
ACC Shares Best Practices: Non-Disclosure
Restricting the Release of Directory Information
Students have a right under the law to request that their directory information not be released.
Students must submit a signed Request to Withhold Directory Information form to Admissions and Records.
A privacy block is put on the student’s Ellucian /Datatel record, and a warning message, “this person has requested privacy on their records” appears to anyone accessing the record.
NO information may be disclosed to anyone other than the student, in person, showing valid identification.
Restriction remains until revoked in writing.
Note: What can we say to an inquiry about a restricted record: “I have no information to provide about that individual.”
Changes to FERPAReleased in December 2008
No changes to basic rights of students or responsibilities of institutions
Clarifications and interpretationshttp://www2.ed.gov/policy/gen/guid/fpco/hottopics/ht12-17-08.html
Health or Safety DisclosuresReleased in December 2008
Health or Safety Emergencies:
More Flexibility to Administrators: Information from student record can be disclosed without student consent if a student is judged to present an “articulable and significant threat to the health or safety” of himself or others
Permits disclosure to those who can assist the student in an emergency (including parents)
Does NOT permit disclosure on a routine, non-emergency basis to law enforcement
MUST record the “articulable and significant threat” and parties to whom the information was disclosed
Changes to FERPA Released in December 2008
Safeguarding Privacy and Educational Records:
Added “biometric record” to personally identifiable information
Created a new exception to the definition of “education records” that excludes grades on peer-graded papers before they are collected and recorded by a teacher. This change clarifies that peer-grading does not violate FERPA. Note: Once the grade is recorded by the instructor, it becomes part of the educational record.
Confidentiality does not permit student to be anonymous in classroom nor to impede classroom communication
Confidentiality requests are in effect permanently until rescinded by the student, even after student is no longer enrolled
Question: ACAN (members with access to Ellucian/Datatel) how to you handle confidentiality requests?
Changes to FERPA Released in December 2008
Safeguarding Privacy and Educational Records:
SSN may NOT be defined as directory information (1998)
“In attendance” includes students in online courses
Requires school to use “reasonable methods” to ensure school officials have access to only those records they need (MUST have Legitimate Educational Interest)
School Officials MAY include third parties under contract who provide services or functions the institution would normally provide Example: Higher One; Magnus Health, etc.)
MUST use “reasonable methods” to authenticate parents, students, faculty, staff, AOYC prior to release of records including access to electronic records (e.g. PIN, password, token, Official IDs)
Question: Is there a need to authenticate your AOYC partner? If so, how do you authenticate the AOYC staff?
Changes to FERPA Released in December 2008
Better Access to Education Data for Research and Accountability:
Allows release without consent to organizations conducting research studies: a). School must agree with purpose of study b). Requires written agreement with organization conducting study
Transfer of Education Records: Schools are permitted (MAY) to disclose a student's education records to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll.
Release of Data: (MAY) Educational agencies and institutions are permitted to release, without consent, education records, or information from education records that have been de-identified through the removal of all personally identifiable information. ****Not a Best Practice
Most Recent Changes to FERPA Released in December 2011
http://www2.ed.gov/policy/gen/guid/fpco/pdf/sealea_overview.pdf
Primarily focused on enabling sharing/disclosure of student education records (without consent) to evaluate the effectiveness of publicly-funded education programs and to facilitate the creation of longitudinal data systems:
Gives institutions more latitude to release education records without student consent to state agencies for purposes of evaluating and tracking student progress and success
Institutions must keep record of disclosure
Permits state agencies to re-disclose education records for purposes of research studies designed to improve instruction:
Re-disclosure may be made over the objection of the institution Requires written agreement Results may only be published at aggregated level
Most Recent Changes to FERPA Released in December 2011
Permits state agencies to re-disclose education records to “authorized representatives” for purposes of audit, evaluation or compliance
Requires written agreement
Researchers and contractors must now destroy data after agreement ends – can no longer simply return it to the institution
Question: If the relationship ends between ACAN and AOYC, how will you destroy student data?
Broader definition of “Education Programs” covered by FERPA
Students may not use a directory block to refuse to wear or present a student ID card or badge (Admissions front counter; library, campus activities, College Connection events, etc.)
Permits institutions to create policies limiting release of directory information
Must be covered in annual notice to students
Other Important Legal Changes Regarding Student Rights
Exception to consent allowed in the case of ex parte court order to collect education records relevant to an investigation or prosecution of an act of domestic or international terrorism (Patriot Act)
Exception to consent allowed under a community notification program concerning a student who is required to register as a sex offender in the state (Campus Sex Crimes Prevention Act)
Requires a school to inform the accuser and the accused of the outcome of a school’s disciplinary proceeding of an alleged sex offense (Clery Act)
Schools MAY not require the accuser to execute a non-disclosure agreement or otherwise interfere with the re-disclosure or other use of information disclosed under the (Clery Act)
Judicial Orders and Subpoenas
The institution should comply with judicial orders or lawfully issued subpoenas, provided that the institution makes a reasonable attempt to notify the student in advance of compliance, so that the student may seek protective action (unless the subpoena explicitly orders the institution not to disclose the existence of the subpoena to the person who would normally be notified of its existence).
Penalties for FERPA Violations
It’s The Law: Institutions which violate the Act can be faced with a withdrawal of federal funding to the college, including student financial aid.
It’s The Law: Federal educational funding is conditional upon compliance .
It’s The Law: Multiple violations without any corrective action taken can cause lawsuits and complete loss of federal funds.
Oversight and Enforcement
FERPA is enforced by the Family Policy Compliance Office, U.S. Department of Education, Washington, DC.
The Family Policy Compliance Office is the office within the Department of Education that administers FERPA and is responsible for providing technical assistance regarding FERPA to educational institutions.
Oversight and Enforcement
There are two basic requirements for a complaint to
be properly filed against an institution in relation to
FERPA infractions:
The complaint must be made within 180 days of when the infraction was discovered (not necessarily when the infraction occurred).
There must be sufficient facts (evidence) to prove the violation.
If these criteria are met, the Family Policy
Compliance Office will:
contact the president of the institution and notify him or her of the violation
allow the institution to voluntarily correct their actions/ comply with the FERPA regulations
offer guidelines on how to better comply with FERPA in the future
To Avoid FERPA Violations
DO NOT:Leave Personally Identifiable Information unsecured.
Discuss the progress of any student with anyone other than that student (including parents) without the student's consent.
Provide anyone with a list of students enrolled in your program (s) for any commercial purpose.
Provide anyone with student schedules or assist anyone
other than college officials in finding a student on campus.
Keep student’s academic performance confidential!Student written consent is required to release academic
performance information
Identification numbers such as Social Security should not be used in subject line of emails
Test Scores/Grades should not be sent via email
Take a look around your work area…
What information do you have which may need to be handled in a secure way? Student registration forms? Grades? Test Scores?Advising information? Student information displayed on your
computer screen? End-of-semester Reports?
Remember: Legitimate Educational Interest
AOYC Staff: Access to the student’s academic information should ONLY be used in the context of official business and in conjunction with the educational success of students.
HEI’s Staff: Access to Ellucian/Datatel or other Student Information Systems does NOT authorize unrestricted use of student data!
ACC Contacts for Disclosure of Information
Glynis Kaye Miller, Registrar, for compliance with law enforcement officials and subpoenas for student records. For questions about FERPA and student records.
Linda Kluck, Executive Director of Admissions and Records for questions about student records.
Brette Lea, Public Information Officer for Public Information or Open Records Request.
Gerry Tucker, Vice-President, Human Resources, for questions about Employment Records.
Family Policy Compliance Office
U. S. Department of Education
400 Maryland Avenue, SW
Washington DC 20202-4605
Phone: (202) 260-3887
Fax: (202) 260-9001
Web site: http://www.ed.gov/offices/OM/fpco
E-mail: [email protected]
FERPA Resources
http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
U. S. Department of Education (202) 260-3887http://www.ed.gov/policy/gen/fpco/index.html E-mail: [email protected]
http://www.aacrao.org (American Association of Collegiate Registrars & Admissions Officers)