FERPA Implications

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools and institutions of higher education that receive funds under an applicable program of the U.S. Department of Education.

FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. College students are considered responsible adults and are allowed to determine who will receive information about them.

  • College students have the right to inspect and review their own student’s education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for students to review the records. Schools may charge a fee for copies.
  • College students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the student has the right to place a statement with the record setting forth his or her view about the contested information.
  • Generally, schools must have written permission from the college student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
    • School officials with legitimate educational interest;
    • Other schools to which a student is transferring;
    • Specified officials for audit or evaluation purposes;
    • Appropriate parties in connection with financial aid to a student;
    • Organizations conducting certain studies for or on behalf of the school;
    • Accrediting organizations;
    • To comply with a judicial order or lawfully issued subpoena;
    • Appropriate officials in cases of health and safety emergencies; and
    • State and local authorities, pursuant to specific State law.

Schools may disclose, without consent, “directory” information.  Directory information is usually defined as:

» student name
» date admitted
» birthdate
» mailing address and telephone number
» local address and telephone number
» university e-mail address
» semesters of attendance
» major(s)
» minor
» specialization
» school
» full- or part-time status
» classification (freshman, sophomore, etc)
» degree sought
» honors and awards
» degrees and dates received
» participation in officially recognized intercollegiate sports, weight, height, hometown, parents’ names and previous school(s) attended (for members of athletic teams)
» ID photograph
» Emergency Contact Information

FERPA directs that schools must tell students about directory information and allow students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a bulletin, student handbook, or newspaper article) is left to the discretion of each school.

Those students who request a FERPA block should be aware that this request does not restrict administrative access to their information where there is a legitimate educational interest, but does restrict other sharing of this information. For example, a FERPA block will not keep advisors or tutors from seeing the student’s information, or prevent the student from being listed on a class list where access to the list is limited to members of the class, or from being shown in online class tools as long as use of such tools is restricted to members of the class.

Online classes are covered by FERPA in the same way that face-to-face classes are covered.  By the above rules, it is acceptable for students to see each other’s name and email addresses in LMS class rosters but it would be unacceptable for you to scan in your official school roster which contains student ID numbers.  It is acceptable to use the LMS gradebook and let students check their own grades, but unacceptable to post a list of grades, even if you used last 4 digits of a SSN as an identifier.  It is acceptable to allow outside guest speakers to talk to your class in Zoom, but not acceptable to send your guest speaker an advance copy of the class roster (unless you had the permission of all students).

Southern Methodist University had good advice for its faculty members:

If in doubt, don’t give out!

With many institutions shifting fully online due to COVID-19, faculty should consider whether all the software they use for their class meets FERPA guidelines.  As Madeline St. Amour noted in a recent Inside Higher Ed article on Privacy and the Online Pivot,

“…FERPA is technology neutral, according to Leroy Rooker, a senior fellow at the American Association of Collegiate Registrars and Admissions Officers. Colleges are allowed to use contractors and consultants for services — including for online instruction — but the contracts need to include stipulations to protect student privacy under the law.

Most importantly, if the vendor collects any data on its users, the college has to be the owner of that information. This means that the data can only be used or redisclosed at the college’s direction…”

She goes on to note that Zoom has provided assurances that it does not sell its data to anyone and is compliant with FERPA.

Western Washington University provided a good overview of FERPA for online faculty, including these best practices:

FERPA Best Practices for Professors

  • When writing a syllabus, it is advantageous to add a blanket statement like “In this class, our use of technology will sometimes make students’ names and Internet IDs visible within the course website, but only to other students in the same class. Since we are using a secure, password-protected course website, this will not increase the risk of identity theft or spamming for anyone in the class. If you have concerns about the visibility of your Internet ID, please contact me for further information.”
  • Due to inherent security risk, professors should never carry their grade books on a memory stick, or other unprotected, losable format.
    • When possible, passwords offer decent protection. They are especially useful when a grade book is held on a shared computer, or in a common area.
  • Use caution when saving anything on a laptop or shared computer.
    • Keep your anti-virus software updated (and use it), and keep your OS updated and patched.
    • Always keep hardware (especially laptops or memory sticks) in a physically secure place.
  • A FERPA confidential block/non-disclosure does not apply to information within the classroom (physical or digital), but rather to only releasing any information to a entity outside the institution. Students with a confidential block are still required to do the work that the faculty member defines as the requirement of the course, including things like posting to a message board on Canvas.
  • Educators should be able to answer ‘no’ to three questions related to if something is a potential FERPA violation:
    • Are we dealing with releasing student records or information out to the public?
    • Are we preventing a student from asking about their own record?
    • Are we violating another federal law?
  • If students are asked to use a specific program or application (such as on an iPhone), the terms and conditions may be against FERPA. While you are protected, a student may choose to opt out of using the application due to those terms, and you’ll need to provide an alternate method that the student can still learn or have access to the information.