FERPA for Admissions/Registrar Staff
Something Old, Something New, You Can Borrow, Don’t Be Blue

Kris Kaplan, Deputy General Counsel
Minnesota State Colleges and Universities
March 25, 2009


FERPA Regulations Amended December 2008

Full text and detailed analysis available at:
•http://www.ed.gov/policy/gen/guid/fpco/hottopics/ht12-17-08.html

Few substantive changes, but added flexibility (and corresponding recordkeeping) in some areas and emphasis on good security practices.

Some Basic Principles

•Privacy laws apply (only) to documents and information derived from documents.

•Education records include information about students documented in any media, in any location, but only
  ▫“personally identifiable” to an individual student (i.e., not aggregate or summary information).

FERPA – Recapping Some Basics

•Most education records are private
  ▫Accessible to the student (with exceptions) within 10 days of request and
      To others with the student’s written (signed, dated) consent
      To others as permitted by law
          Including school officials who have a legitimate educational interest (defined by school)

•Parents of c/u students not automatically entitled to access.

FERPA – Recapping Some Basics

•Some Education Records are public – directory data
  ▫Each college/university defines but will never include SSN or certain personal “demographic” information like gender or race (though DOB may be included)

•Under MGDPA, public data must be provided upon request, but
  ▫Credit card marketers cannot have undergraduate data
  ▫May charge for copies per law/policy

NEW FERPA Clarification

•Student electronic personal identifiers may be directory data if:
  ▫The number cannot be used alone to access private data (and is not part of the student’s SSN).

School should consider whether convenience outweighs potential privacy concerns.

Student Rights under FERPA

•Access to own records (under MGDPA, includes copies and 10 day response);
•May suppress directory data
  ▫NEW clarification: must continue to honor even after enrollment unless rescinded;
•May seek amendment of inaccurate, incomplete records (clerical corrections);
•May file complaint with Department of Education
  ▫Under MGDPA, may file similar administrative request for opinion and bring claim for damages

All college/university students have the same rights to control access to their records regardless of age.

Subpoenas and Other Legal Process Requests

•Immediately forward any request for education records pertaining to legal matter – whether by letter or subpoena, court order or other – to appropriate campus administrator for consultation with OGC or AGO.
  ▫Legal assistance needed to determine validity;
  ▫Possible need to notify student in advance of subpoena compliance.

Comply with search warrant immediately and notify OGC or AGO as soon as practicable.

State Laws Also Apply

For example . . .

•Minnesota Government Data Practices Act
  ▫Data from applicants included as educational data – all may be treated as private despite definition of directory data – until matriculation.

  ▫Requires Data Privacy Notice (“Tennessen Warning”) when collecting private data from individual about him/herself.

•Other state law restrictions on SSN use, posting, and security.

FERPA - What’s New?
Expanded Disclosures to Other Schools

•Education records may be released to another school at any time so long as related to student’s concurrent or subsequent enrollment – not just at the time of transfer.
  ▫May include any record – including discipline, but
      Suggest holding health-related records until after admission decision.
•May return records to original provider
  ▫Generally useful to verify authenticity.

To Implement

•Ensure campus FERPA Policy includes statement that school discloses records to other schools without consent if related to enrollment;

•Revise procedures to permit disclosures to other schools (or other originators) as needed for updates, corrections or verification of authenticity.

FERPA - What’s New?
Reasonable Methods of Protection Required

•FERPA now specifies that schools use:
  ▫Reasonable methods to limit school officials’ access to records in which they have a legitimate educational interest;
  ▫Reasonable methods to identify and authenticate who is receiving education records from school – NEVER SSN.

To Implement

•Use appropriate policies, technological and physical measures to control school officials’ access
  ▫Consider potential harm, likelihood of compromise
•Establish appropriate methods to establish identity/authenticity of requests that do not use commonly available information like name, DOB, student ID number (especially if public) and never SSN (even indirectly).
  ▫How to handle phone requests?

What is a Valid Authorization for Release?
See www.ogc.mnscu.edu

•If written consent is required, look for these elements:
  ▫Name of student authorizing release (and other optional identifier; SSN not recommended);
  ▫Identity of who gets the information (could be category, but more specificity is better);
  ▫Description of records to be released and authorized use of the information;
  ▫Signature (may be copy or fax but not e-mail only);
  ▫Date; under MGDPA expires after one year – or earlier if purpose fulfilled.

Third Parties as School Officials
Outsourcing

•Schools may use third parties to do work using education records that employees would ordinarily do (outsourcing), but the school remains responsible for its students’ records.
  ▫Use contract terms that require appropriate privacy and security;
  ▫Use only for authorized purposes;
  ▫No unauthorized re-disclosure.

Seek legal assistance on contract terms.

FERPA - What’s New?
Revised Health and Safety Emergency Standards

•School may release information from any education record to any appropriate party if it determines there is an articulable and significant threat to the health or safety of the student or any other person.

Previous strict construction language removed.

To Implement

•Identify campus team to deal with h/s safety situations, using the articulable and significant threat standard. Campus community should know how to report situations.

•NEW: If information from education records is disclosed under standard must record:
  ▫The threat; the records disclosed; and to whom disclosed. Keep with disclosed records pursuant to retention schedule.

FERPA - What’s New?
Organizations Conducting Studies

Schools may provide education records to organizations conducting studies “for or on behalf of” the school;

•Now clarified: studies do not need to be initiated by or endorsed by school but must be at least in part “for or on behalf of” the school and
  ▫NEW: written agreement required.

School always responsible for its education records!

Handling Requests for Records for a “Study”

•Refer to appropriate campus administrator
  ▫Need to determine whether (really) mandated by law or “for or on behalf” of school;
      May need review by IRB if “human subjects” study;
      Consider potential benefits vs. administrative burden;
      Employees do not have automatic access b/c of status as employees

•Seek legal assistance when drafting agreement.

FERPA - What’s New?
Clarified definition of Alumni Records

•Alumni Records are not subject to FERPA and school may therefore determine classification, but some past confusion about definition.

•Now clarified: only includes information about former student unrelated to activities as enrolled student, and no need to permit former students right to “suppress” directory data.

Final Tips

•Know your campus resources:
  ▫Data Practices Compliance Official
  ▫FERPA Policy
  ▫Copy charge policy
  ▫Public records request policy
  ▫Other requests – e.g., employers, prospective employers, other schools, law enforcement . . .

•Use good security practices when creating, using, storing private records; and
  ▫Appropriate disposal procedures.