FERPA presented by: Traci Gulick Associate Registrar Michigan State University Laws governing data and data privacy Family Educational Rights and Privacy Act (FERPA) Health Insurance Portability and Accountability Act (HIPAA) Gramm-Leach-Bliley (GLBA) Payment Card Industry Data Security Standard (PCIDSS) State Law What is FERPA and to whom does it apply? Federal law enacted in 1974 called “Family Educational Rights and Privacy Act” with amendments… most recent in 2012 and 2009 Purpose is to protect the privacy rights of student educational records and to ensure the accuracy of those records Applies to currently enrolled or formerly enrolled students (regardless of age or parental dependency status) Applies to all institutions that receive Department of Education funds What rights does FERPA afford students? Right to inspect and review the education record Right to request an amendment to the record that the student believes is inaccurate or misleading or violation of his/her privacy rights and to request a hearing if request to amend is not granted Right to consent to disclosure of personally identifiable information What rights does FERPA afford students? Right to know what institution has designated as public/directory information and the right to request suppression of public/directory information Right to know that school officials may access records and the criteria for determining that a school official has a legitimate need to know the information Right to file a complaint with the Family Policy Compliance Office in the U.S. Department of Education What cannot be directory information? Grades Social Security Number GPA Student ID Number (w/ exception) Race Country of Citizenship Gender Religion Who may have access to education records? The student (always has access, except to parents financial and waived letters of recommendations) Any outside party that has the student’s written consent (keep a copy of the consent) School officials (as defined by the institution) with a legitimate educational interest Parents of a dependent student as defined by the IRS code, who have claimed the student as a dependent on their most recent tax forms A person in response to a lawfully issued subpoena or court order Using private student information In most instances need written permission from the student to release the information MSU: Letters of recommendation or being a reference require written permission from the student What is legitimate educational interest? Often referred to as “need to know” Interest in reviewing student education records for the purpose of performing assigned institutional research, educational or administrative function Guiding principle – If you need the data to perform your job duties you should have access to it When don’t you need prior written consent from the student to release private information? (not exhaustive) Lawfully issued subpoena or court order School officials who need information to fulfill their professional duties Health or safety emergency For audit/evaluation of educational programs (to Comptroller General of the U.S.; The U.S. Attorney General; The Secretary of the Dept. Of Education; State and local educational authorities) What about parents? Parents are considered a “third party,” and do not have a right to student information May release non-suppressed public information to them Can talk about general public information, but not specifics of particular student Power of Attorney – does have its limitations What if a student seems in crisis? The health or safety emergency exception allows the release of private student data to any party determined to be able to assist the student Must document in the student’s record what was released, to whom, and for what reason Consult with your supervisor before determining to release information Guiding principles regarding private student information? School officials shall not disclose personally identifiable information about a student nor permit inspection of those records without the student’s written permission unless it is allowed in one of the exceptions mentioned You have a legal responsibility to protect confidentiality of student records Only access what you need to know to do your job Curiosity ≠ Legitimate need to know Organizations Conducting Studies Final 2009 regulations clarify that a school does not have to -initiate the research request or - or agree with or endorse the conclusions or results of the study The school must agree with the purposes of the study and retain control over the information from the education records it discloses Must have a written agreement with receiving organization Written Agreement must specify The purpose, scope and duration of the study and the information to be disclosed; The information may only be used to meet the purpose or purposes of the study stated in the agreement; The organization must conduct the study in a manner that does not permit personal identification of parents and students by anyone other than representatives of the organization with legitimate interests; The requirement for return or destruction of the information when no longer needed for purposes of the study; The time period in which the information must be returned or destroyed. Redisclosure of Education Records Regulations (§ 99.31(b)(1)) permit Federal and State officials to redisclose education records under §99.31(a)(3) and 99.25 for audit, evaluation, and compliance and enforcement purposes to redisclose education records the same conditions as other recipients of education records. Redisclosure of Education Records A State higher education authority that obtained education records for audit, evaluation, or compliance and enforcement purposes are permitted to redisclose records for other qualifying purposes under §99.31 so long as it is on behalf of the institution. This includes but is not limited to: – forwarding records to a student’s new school district – to another listed official, including the Secretary, or a Postsecondary Authority – to an accrediting agency – in connection with a health or safety emergency – in compliance with a court order or subpoena Recordkeeping Requirements Final regulations requires a school to maintain a record of redisclosures it has authorized under § 99.33(b), including the names of the additional parties to which the receiving party may further disclose the information on behalf of the school and their legitimate interests in receiving the information. Recordkeeping Requirements Final regulations require a State or Federal official that rediscloses education records on behalf of the school to comply with these recordation requirements if the school does not do so, and to make the record available to the school upon request within a reasonable period of time not exceeding 30 days. A school is required to obtain a copy of the State or Federal official’s record of further disclosures and make it available in response to a parent’s or eligible student’s request to review the student’s record of disclosures. Recordkeeping Requirements, cont. Recordkeeping requirement of disclosures of education record information without the students written consent includes, but is not limited to: To the parent In response to court order or subpoena External research & students have been identified In response to health or safety emergency Security Physical security Desktop Laptop/portable devices Office Electronic security Wireless Using a network Working from home Web Employee-Owned communications tools Your role Part of what you do every day is records management You are our strongest and weakest link in securing data It is all our jobs to protect data and ensure we are using, storing and disposing of it properly What if you inadvertently release private data? Notify your supervisor If possible, remove the material from public view Should have a plan in place on when to notify the students who had data released MI School Data (created by Center for Educational Performance and Information (CEPI) • Online data portal • College Data • • • • Collect student data at the K-12 and postsecondary levels Connect student records between levels and institution Report data for program evaluation and public inquiry and policy All Michigan funded colleges, and a limited number of independent colleges, annually submit complete academic records with Unique Identification Codes (UICs) FERPA & MI School Data Following are the guidelines they use for all data…. • Kept secure at all times • Stored, and in transit, adhering to 128-bit encryption • Stored where only authorized representatives may access the data and be protected from unauthorized access or disclosure • Carefully tracked including the locations of all copies of the data FERPA & MI School Data, cont. Following are the guidelines they use for all data…. • Used in a way that respects privacy, anonymity and confidentiality of all concerned parties • Clearly marked “Confidential-internal use only” for any documents containing identifying information • Used only in products that are FERPA-compliant and are subject to all applicable statutes and regulations • Used only by authorized representatives who have completed formal FERPA training FERPA & MI School Data, cont. Following are the ways the data CANNOT be used…. • Used for research studies • Used commercially for things such as marketing, outreach, surveys, or anything other than education program evaluation • Sold or rented A breach will result in sanctions including a prohibition on access for up to five years. Questions? RESOURCES AACRAO website: http://www.aacrao.org/compliance/ferpa/index.htm AACRAO FERPA Guide 2012 FERPA Quick Guide 2012: www.aacrao.org/publications FPCO website: http://www.ed.gov/policy/gen/quid/fpco.index.html Kathryn Stafford, Student Services Information Officer Washtenaw Community College Stafford@wccnet.edu 734-477-8581 Traci Gulick, Associate Registrar Michigan State University gulickt2@msu.edu 517-353-3881 Give Credit Where It’s Due AACRAO 2012 FERPA Guide edited by LeRoy Rooker and Tina Falkner Exploring MI School Data’s College Transfer & Student Pathways Reports Center for Educational Performance and Information