FERPA
presented by:
Traci Gulick
Associate Registrar
Michigan State University
Laws governing data and data privacy
 Family Educational Rights and Privacy Act




(FERPA)
Health Insurance Portability and
Accountability Act (HIPAA)
Gramm-Leach-Bliley (GLBA)
Payment Card Industry Data Security Standard
(PCIDSS)
State Law
What is FERPA and to whom does it apply?
 Federal law enacted in 1974 called “Family
Educational Rights and Privacy Act” with
amendments… most recent in 2012 and 2009
 Purpose is to protect the privacy rights of student
educational records and to ensure the accuracy of
those records
 Applies to currently enrolled or formerly enrolled
students (regardless of age or parental dependency
status)
 Applies to all institutions that receive Department
of Education funds
What rights does FERPA afford students?
 Right to inspect and review the education
record
 Right to request an amendment to the record
that the student believes is inaccurate or
misleading or violation of his/her privacy rights
and to request a hearing if request to amend is
not granted
 Right to consent to disclosure of personally
identifiable information
What rights does FERPA afford students?
 Right to know what institution has designated
as public/directory information and the right to
request suppression of public/directory
information
 Right to know that school officials may access
records and the criteria for determining that a
school official has a legitimate need to know the
information
 Right to file a complaint with the Family Policy
Compliance Office in the U.S. Department of
Education
What cannot be directory information?
Grades
Social Security Number
GPA
Student ID Number (w/ exception)
Race
Country of Citizenship
Gender
Religion
Who may have access to education records?
 The student (always has access, except to parents




financial and waived letters of recommendations)
Any outside party that has the student’s written
consent (keep a copy of the consent)
School officials (as defined by the institution) with
a legitimate educational interest
Parents of a dependent student as defined by the
IRS code, who have claimed the student as a
dependent on their most recent tax forms
A person in response to a lawfully issued subpoena
or court order
Using private student information
 In most instances need written permission
from the student to release the information
 MSU: Letters of recommendation or being a
reference require written permission from the
student
What is legitimate educational interest?
 Often referred to as “need to know”
 Interest in reviewing student education records
for the purpose of performing assigned
institutional research, educational or
administrative function
 Guiding principle – If you need the data to
perform your job duties you should have access
to it
When don’t you need prior written consent from the
student to release private information? (not exhaustive)
 Lawfully issued subpoena or court order
 School officials who need information to fulfill
their professional duties
 Health or safety emergency
 For audit/evaluation of educational programs
(to Comptroller General of the U.S.; The U.S.
Attorney General; The Secretary of the Dept. Of
Education; State and local educational
authorities)
What about parents?
 Parents are considered a “third party,” and do
not have a right to student information
 May release non-suppressed public information
to them
 Can talk about general public information, but
not specifics of particular student
 Power of Attorney – does have its limitations
What if a student seems in crisis?
 The health or safety emergency exception
allows the release of private student data to
any party determined to be able to assist the
student
 Must document in the student’s record what
was released, to whom, and for what reason
 Consult with your supervisor before
determining to release information
Guiding principles regarding private
student information?
 School officials shall not disclose personally
identifiable information about a student nor
permit inspection of those records without the
student’s written permission unless it is
allowed in one of the exceptions mentioned
 You have a legal responsibility to protect
confidentiality of student records
 Only access what you need to know to do your
job
 Curiosity ≠ Legitimate need to know
Organizations Conducting Studies
 Final 2009 regulations clarify that a school
does not have to
-initiate the research request or
- or agree with or endorse the conclusions
or results of the study
 The school must agree with the purposes of the
study and retain control over the information
from the education records it discloses
 Must have a written agreement with receiving
organization
Written Agreement must specify
 The purpose, scope and duration of the study and the




information to be disclosed;
The information may only be used to meet the purpose or
purposes of the study stated in the agreement;
The organization must conduct the study in a manner that
does not permit personal identification of parents and
students by anyone other than representatives of the
organization with legitimate interests;
The requirement for return or destruction of the information
when no longer needed for purposes of the study;
The time period in which the information must be returned or
destroyed.
Redisclosure of Education Records
 Regulations (§ 99.31(b)(1)) permit Federal
and State officials to redisclose education
records under §99.31(a)(3) and 99.25 for
audit, evaluation, and compliance and
enforcement purposes to redisclose education
records the same conditions as other
recipients of education records.
Redisclosure of Education Records
 A State higher education authority that obtained education
records for audit, evaluation, or compliance and enforcement
purposes are permitted to redisclose records for other qualifying
purposes under §99.31 so long as it is on behalf of the institution.
This includes but is not limited to:
– forwarding records to a student’s new school district
– to another listed official, including the Secretary, or
a Postsecondary Authority
– to an accrediting agency
– in connection with a health or safety emergency
– in compliance with a court order or subpoena
Recordkeeping Requirements
 Final regulations requires a school to
maintain a record of redisclosures it has
authorized under § 99.33(b), including the
names of the additional parties to which the
receiving party may further disclose the
information on behalf of the school and their
legitimate interests in receiving the
information.
Recordkeeping Requirements
 Final regulations require a State or Federal official that
rediscloses education records on behalf of the school to comply
with these recordation requirements if the school does not do so,
and to make the record available to the school upon request
within a reasonable period of time not exceeding 30 days.
 A school is required to obtain a copy of the State or Federal
official’s record of further disclosures and make it available in
response to a parent’s or eligible student’s request to review the
student’s record of disclosures.
Recordkeeping Requirements, cont.
Recordkeeping requirement of disclosures of
education record information without the students
written consent includes, but is not limited to:
 To the parent
 In response to court order or subpoena
 External research & students have been identified
 In response to health or safety emergency
Security
 Physical security
 Desktop
 Laptop/portable devices
 Office
 Electronic security
 Wireless
 Using a network
 Working from home
 Web
 Employee-Owned communications tools
Your role
 Part of what you do every day is records
management
 You are our strongest and weakest link in
securing data
 It is all our jobs to protect data and ensure we
are using, storing and disposing of it properly
What if you inadvertently release
private data?
 Notify your supervisor
 If possible, remove the material from public
view
 Should have a plan in place on when to notify
the students who had data released
MI School Data
(created by Center for Educational Performance and Information
(CEPI)
•
Online data portal
•
College Data
•
•
•
•
Collect student data at the K-12 and postsecondary
levels
Connect student records between levels and
institution
Report data for program evaluation and public
inquiry and policy
All Michigan funded colleges, and a limited number of
independent colleges, annually submit complete academic
records with Unique Identification Codes (UICs)
FERPA & MI School Data
Following are the guidelines they use for all
data….
• Kept secure at all times
• Stored, and in transit, adhering to 128-bit
encryption
• Stored where only authorized representatives
may access the data and be protected from
unauthorized access or disclosure
• Carefully tracked including the locations of all
copies of the data
FERPA & MI School Data, cont.
Following are the guidelines they use for all data….
• Used in a way that respects privacy, anonymity and
confidentiality of all concerned parties
• Clearly marked “Confidential-internal use only” for any
documents containing identifying information
• Used only in products that are FERPA-compliant and are
subject to all applicable statutes and regulations
• Used only by authorized representatives who have
completed formal FERPA training
FERPA & MI School Data, cont.
Following are the ways the data CANNOT be used….
• Used for research studies
• Used commercially for things such as marketing, outreach,
surveys, or anything other than education program evaluation
• Sold or rented
A breach will result in sanctions including a prohibition on access
for up to five years.
Questions?
RESOURCES
AACRAO website: http://www.aacrao.org/compliance/ferpa/index.htm
AACRAO FERPA Guide 2012
FERPA Quick Guide 2012: www.aacrao.org/publications
FPCO website: http://www.ed.gov/policy/gen/quid/fpco.index.html
Kathryn Stafford, Student Services Information Officer
Washtenaw Community College
Stafford@wccnet.edu 734-477-8581
Traci Gulick, Associate Registrar
Michigan State University
gulickt2@msu.edu 517-353-3881
Give Credit Where It’s Due
 AACRAO 2012 FERPA Guide
edited by LeRoy Rooker and Tina Falkner
 Exploring MI School Data’s College Transfer &
Student Pathways Reports
Center for Educational Performance and
Information