What IT Staff Need to Know About Educational

Records Privacy Regulations

Or . . .

FERPA for CIOs

Jeff von Munkwitz-Smith

University Registrar

University of Connecticut

What are the regulations?

• A federal law, the Family Educational Rights and Privacy Act of 1974, as amended.

• It is also known as “FERPA” and as the “Buckley Amendment”.

• The law applies to both K-12 and Postsecondary education.

What are a student’s rights?• The right to know about the purposes,

content, and location of information kept as part of their educational records.

• The right to gain access to and challenge the content of their educational records.

• The right to expect that information kept as part of their educational records will be kept confidential, disclosed only with their permission or under provisions of the law.

A few important definitions . . .

“Education Record”

• “Records, files, documents, and other materials that contain information directly related to a student and maintained by the institution or someone acting for the institution according to policy.”

Some examples

• Data on the student information system(s), including course management systems.

• Paper files maintained by the institution• E-mail messages relating to the student• Employment records for student

employees• Disciplinary records

What’s not?• Employment records of people not employed

as a result of their status as a student.• “Sole-possession” records• Records of police services• Application records of people not admitted• Alumni records• Medical records• Parents’ financial information (e.g., tax

returns)

“Directory Information”

“Information contained in an education record of a student which would not generally be considered harmful or an invasion of privacy if disclosed.”

“School Official”“A person employed by the University in an

administrative, supervisory, academic or research, or support staff position (including law enforcement unit personnel and health staff); a person or company with whom the University has contracted (such as an attorney, auditor, collection agent, or official of the National Student Clearinghouse, or the University Foundation); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks.”

Some key issues for IT . . .

• Expansion of access to data systems, including reporting data bases

• Software packages

• New types of systems and technologies

• On-line education

• Outsourcing

Expanded access

• Key questions:• Is the system secure?• Do the users fall under the definition of

“school official” and do they need access to do their job?

• Do they know their responsibilities regarding education records privacy?

Software packages

• Key questions:• How does the software handle FERPA

issues?• Is the software FERPA compliant?

Don’t assume they know what they’re doing!

New types of systems

• Key questions:• Does the system contain student

information?• If so, are security and access controls

appropriate? Is the software FERPA compliant?

On-line education

• Key point:

FERPA does cover students enrolled in on-line courses

Outsourcing

• Key questions:• Does the agreement specify appropriate

usage and security of the data?• Does your institution’s annual notification

to students of their rights include these vendors in the definition of “School officials”?

Some common questions . . .

If a student doesn’t have a “Privacy Bar”, we can release any

information. Right?

Wrong!

• If a student has a “privacy bar”, “no release code”, etc., you can’t release any information to the public.

• If a student doesn’t have one, you may ONLY release Directory Information.

What about releasing information to parents?

• Remember: the rights belong to the student, regardless of age or who’s paying the bills!

• Institutions MAY release non-directory information to parents of dependent students. (Know your institution’s policy.)

Do we have to release information such as email

address outside the institution?

• FERPA does not require release of directory information outside the institution, it allows it.

• If your institution is public, it pays to know your state’s freedom of information regulations.

Your questions . . .

Where can I go for help?

• Ask your Registrar

• Your institution’s attorney

• AACRAO FERPA Guide

• The Family Policy Compliance Office web site:

http://www.ed.gov/offices/OM/fpco

• Send e-mail to FERPA@ed.gov

My best advice:

When in Doubt . . .

Ask!

Contact information

Jeff von Munkwitz-Smithjvon@uconnvm.uconn.edu

www.registrar.uconn.edu/ferpa.html