FERPA presented by: Traci Gulick Associate Registrar Michigan State University
Dec 19, 2015
FERPA
presented by:
Traci GulickAssociate Registrar
Michigan State University
Laws governing data and data privacy
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley (GLBA)Payment Card Industry Data Security
Standard (PCIDSS)State Law
What is FERPA and to whom does it apply?
Federal law enacted in 1974 called “Family Educational Rights and Privacy Act” with amendments… most recent in 2012 and 2009
Purpose is to protect the privacy rights of student educational records and to ensure the accuracy of those records
Applies to currently enrolled or formerly enrolled students (regardless of age or parental dependency status)
Applies to all institutions that receive Department of Education funds
What rights does FERPA afford students?
Right to inspect and review the education record
Right to request an amendment to the record that the student believes is inaccurate or misleading or violation of his/her privacy rights and to request a hearing if request to amend is not granted
Right to consent to disclosure of personally identifiable information
What rights does FERPA afford students?
Right to know what institution has designated as public/directory information and the right to request suppression of public/directory information
Right to know that school officials may access records and the criteria for determining that a school official has a legitimate need to know the information
Right to file a complaint with the Family Policy Compliance Office in the U.S. Department of Education
What cannot be directory information?
GradesSocial Security NumberGPAStudent ID Number (w/ exception)RaceCountry of CitizenshipGenderReligion
Who may have access to education records?
The student (always has access, except to parents financial and waived letters of recommendations)
Any outside party that has the student’s written consent (keep a copy of the consent)
School officials (as defined by the institution) with a legitimate educational interest
Parents of a dependent student as defined by the IRS code, who have claimed the student as a dependent on their most recent tax forms
A person in response to a lawfully issued subpoena or court order
Using private student information
In most instances need written permission from the student to release the information
MSU: Letters of recommendation or being a reference require written permission from the student
What is legitimate educational interest?
Often referred to as “need to know”Interest in reviewing student education
records for the purpose of performing assigned institutional research, educational or administrative function
Guiding principle – If you need the data to perform your job duties you should have access to it
When don’t you need prior written consent from the student to release private information? (not
exhaustive)
Lawfully issued subpoena or court orderSchool officials who need information to
fulfill their professional duties Health or safety emergencyFor audit/evaluation of educational
programs (to Comptroller General of the U.S.; The U.S. Attorney General; The Secretary of the Dept. Of Education; State and local educational authorities)
What about parents?
Parents are considered a “third party,” and do not have a right to student information
May release non-suppressed public information to them
Can talk about general public information, but not specifics of particular student
Power of Attorney – does have its limitations
What if a student seems in crisis?
The health or safety emergency exception allows the release of private student data to any party determined to be able to assist the student
Must document in the student’s record what was released, to whom, and for what reason
Consult with your supervisor before determining to release information
Guiding principles regarding private student information?
School officials shall not disclose personally identifiable information about a student nor permit inspection of those records without the student’s written permission unless it is allowed in one of the exceptions mentioned
You have a legal responsibility to protect confidentiality of student records
Only access what you need to know to do your job
Curiosity ≠ Legitimate need to know
Organizations Conducting Studies
Final 2009 regulations clarify that a school does not have to-initiate the research request or - or agree with or endorse the conclusions or results of the study
The school must agree with the purposes of the study and retain control over the information from the education records it discloses
Must have a written agreement with receiving organization
Written Agreement must specify
The purpose, scope and duration of the study and the information to be disclosed;
The information may only be used to meet the purpose or purposes of the study stated in the agreement;
The organization must conduct the study in a manner that does not permit personal identification of parents and students by anyone other than representatives of the organization with legitimate interests;
The requirement for return or destruction of the information when no longer needed for purposes of the study;
The time period in which the information must be returned or destroyed.
Redisclosure of Education Records
Regulations (§ 99.31(b)(1)) permit Federal and State officials to redisclose education records under §99.31(a)(3) and 99.25 for audit, evaluation, and compliance and enforcement purposes to redisclose education records the same conditions as other recipients of education records.
Redisclosure of Education Records
A State higher education authority that obtained education records for audit, evaluation, or compliance and enforcement purposes are permitted to redisclose records for other qualifying purposes under §99.31 so long as it is on behalf of the institution. This includes but is not limited to:
– forwarding records to a student’s new school district
– to another listed official, including the Secretary, or a Postsecondary Authority
– to an accrediting agency– in connection with a health or safety emergency– in compliance with a court order or subpoena
Recordkeeping Requirements
Final regulations requires a school to maintain a record of redisclosures it has authorized under § 99.33(b), including the names of the additional parties to which the receiving party may further disclose the information on behalf of the school and their legitimate interests in receiving the information.
Recordkeeping Requirements
Final regulations require a State or Federal official that rediscloses education records on behalf of the school to comply with these recordation requirements if the school does not do so, and to make the record available to the school upon request within a reasonable period of time not exceeding 30 days.
A school is required to obtain a copy of the State or Federal official’s record of further disclosures and make it available in response to a parent’s or eligible student’s request to review the student’s record of disclosures.
Recordkeeping Requirements, cont.
Recordkeeping requirement of disclosures of education record information without the students written consent includes, but is not limited to:To the parentIn response to court order or subpoenaExternal research & students have been identifiedIn response to health or safety emergency
Security
Physical security Desktop Laptop/portable devices OfficeElectronic security Wireless Using a network Working from home WebEmployee-Owned communications tools
Your role
Part of what you do every day is records management
You are our strongest and weakest link in securing data
It is all our jobs to protect data and ensure we are using, storing and disposing of it properly
What if you inadvertently release private data?
Notify your supervisor
If possible, remove the material from public view
Should have a plan in place on when to notify the students who had data released
MI School Data(created by Center for Educational Performance and
Information (CEPI)
• Online data portal
• College Data• Collect student data at the K-12 and
postsecondary levels• Connect student records between levels and
institution• Report data for program evaluation and
public inquiry and policy
• All Michigan funded colleges, and a limited number of independent colleges, annually submit complete academic records with Unique Identification Codes (UICs)
FERPA & MI School Data
Following are the guidelines they use for all data….•Kept secure at all times•Stored, and in transit, adhering to 128-bit encryption•Stored where only authorized representatives may access the data and be protected from unauthorized access or disclosure•Carefully tracked including the locations of all copies of the data
FERPA & MI School Data, cont.
Following are the guidelines they use for all data….•Used in a way that respects privacy, anonymity and confidentiality of all concerned parties•Clearly marked “Confidential-internal use only” for any documents containing identifying information•Used only in products that are FERPA-compliant and are subject to all applicable statutes and regulations•Used only by authorized representatives who have completed formal FERPA training
FERPA & MI School Data, cont.
Following are the ways the data CANNOT be used….•Used for research studies•Used commercially for things such as marketing, outreach, surveys, or anything other than education program evaluation•Sold or rented
A breach will result in sanctions including a prohibition on access for up to five years.
Questions?
RESOURCES
AACRAO website: http://www.aacrao.org/compliance/ferpa/index.htm
AACRAO FERPA Guide 2012
FERPA Quick Guide 2012: www.aacrao.org/publications
FPCO website: http://www.ed.gov/policy/gen/quid/fpco.index.html
Kathryn Stafford, Student Services Information OfficerWashtenaw Community College [email protected] 734-477-8581
Traci Gulick, Associate RegistrarMichigan State [email protected] 517-353-3881
Give Credit Where It’s Due
AACRAO 2012 FERPA Guideedited by LeRoy Rooker and Tina Falkner
Exploring MI School Data’s College Transfer & Student Pathways ReportsCenter for Educational Performance and Information