February 5, 2013

FERPA: The law you think you know, until you don’t

By Matt Saavedra

I know what FERPA means, but please remind me again

mazeThe Family Educational Rights and Privacy Act is a topic most of us are familiar with as staff. FERPA was established in 1974 and protects the privacy of student education records. FERPA guarantees several rights to students in regards to their education records including:

  1. The right to inspect and review the student’s education records within 45 days of the day the University receives a request for access.
  2. The right to request the amendment of the student’s education records that the student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.
  3. The right to provide written consent before the University discloses personally identifiable information from the student’s education records, except to the extent that FERPA authorizes.
  4. The right to file a complaint with the U.S. Department of Education concerning alleged failures by the University to comply with the requirements of FERPA.

FERPA also governs how we handle grade information and prohibits the public posting of student grade information or the sharing of educational records to third parties (including parents) without the consent of the student.

Though the rights for students and the basic tenants of the law seem straightforward, it is not always easy to interpret the impact of the law on the many unique and complicated situations presented to us on a daily basis. In addition to the federal law, there are also UW policies and state legislation governing the privacy of student data.  With that in mind, let’s explore several topics related to the complexities of student privacy.

Email is safe right? RIGHT?

guard dog

Email communications are considered to be inherently insecure. Email is often sent over unencrypted networks, and the potential for messages to be intercepted “in transit” is a very real and potential danger. Email is also prone to human error (you didn’t really mean to send that recipe for tuna casserole to your tax accountant did you?).  But email is also an everyday communication tool we use at home and work. If you can’t email, then what?

There are simple steps you can take to minimize the risk of unintentional breaches of confidential information when using email.

  • Avoid putting personal identifiers such as student names and numbers in the subject line of an email. Hackers have been known to scan the subject lines of email communications looking for user names, passwords, and other personally identifiable information.  Information in the subject line could also be easily viewed by the person sitting next you on your bus ride home, or the barista who might glance at your iPhone while you are waiting for your latte. Maximize privacy by including this information in the main body of the email.
  • When emailing student information for educational purposes to a student or to another university recipient, consider breaking the information up. For example, send a message to a department documenting the nature of the email topic, and then send a second email to include the name of the student discussed in the first email. This way, if one email is intercepted, not all data is disclosed at once.
  • Finally, remember that some conversations are best accomplished in person. With as many benefits as email has, the security and confidentiality of information can sometimes best be handled through old-fashioned means such as a conversation in a private space, or a confidential phone call between staff members.

Email conversations aren’t part of the student record right?

Because email by its nature is a shared communication to one or more recipients, any information about a student that is shared through email can be considered to be part of a student’s education record, and can (must) be provided to the student if requested. When communicating through email or other electronic means regarding students, remember to use professional language and appropriate content.

So I can post grade information as long as I am using the last 4 digits of the student ID number, right?


Historically, both FERPA and UW have permitted the use of the last 4 digits of the student ID for instructors to post grades. FERPA allows such use if the student ID number being used is random, and if the ID cannot be used to access student information systems. UW student IDs meet these criteria, however the UW recommendation on this method has recently changed as better alternatives to the physical posting of grades have increased. It is now recommended you use UW applications, or other secure methods when communicating grade information to students.

Catalyst GradeBook and GradePage allow you to share grade information securely and electronically with students. Grade information can also be shared in-person with a student, or through a phone conversation if needed. Students can access their own grade information through unofficial transcripts via MyUW, and through learning management systems like UW Canvas. With all these alternatives available, the physical posting of grades becomes a less necessary option, and we encourage you to explore the many available tools UW provides.

This is all so overwhelming — I wish I had someone to help me!

graffittiRemember, you don’t have to know it all. None of us want to unintentionally violate FERPA or breach confidential student data. But the rules about what can and cannot be done are often grey and the answers unclear. With that in mind, we encourage you to seek out our resources to assist you with FERPA and student privacy issues. The Office of the Registrar has established a contact line at ferpa@uw.edu for you to use to ask us any FERPA questions you might have. Breaches of confidential information should also be reported immediately to the Office of the CISO.

Leave a Reply