FERPA: The law you think you know, until you don’t

I know what FERPA means, but please remind me again

mazeThe Family Educational Rights and Privacy Act is a topic most of us are familiar with as staff. FERPA was established in 1974 and protects the privacy of student education records. FERPA guarantees several rights to students in regards to their education records including:

  1. The right to inspect and review the student’s education records within 45 days of the day the University receives a request for access.
  2. The right to request the amendment of the student’s education records that the student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.
  3. The right to provide written consent before the University discloses personally identifiable information from the student’s education records, except to the extent that FERPA authorizes.
  4. The right to file a complaint with the U.S. Department of Education concerning alleged failures by the University to comply with the requirements of FERPA.

FERPA also governs how we handle grade information and prohibits the public posting of student grade information or the sharing of educational records to third parties (including parents) without the consent of the student.

Though the rights for students and the basic tenants of the law seem straightforward, it is not always easy to interpret the impact of the law on the many unique and complicated situations presented to us on a daily basis. In addition to the federal law, there are also UW policies and state legislation governing the privacy of student data.  With that in mind, let’s explore several topics related to the complexities of student privacy.

Email is safe right? RIGHT?

guard dog

Email communications are considered to be inherently insecure. Email is often sent over unencrypted networks, and the potential for messages to be intercepted “in transit” is a very real and potential danger. Email is also prone to human error (you didn’t really mean to send that recipe for tuna casserole to your tax accountant did you?).  But email is also an everyday communication tool we use at home and work. If you can’t email, then what?

There are simple steps you can take to minimize the risk of unintentional breaches of confidential information when using email.

  • Avoid putting personal identifiers such as student names and numbers in the subject line of an email. Hackers have been known to scan the subject lines of email communications looking for user names, passwords, and other personally identifiable information.  Information in the subject line could also be easily viewed by the person sitting next you on your bus ride home, or the barista who might glance at your iPhone while you are waiting for your latte. Maximize privacy by including this information in the main body of the email.
  • When emailing student information for educational purposes to a student or to another university recipient, consider breaking the information up. For example, send a message to a department documenting the nature of the email topic, and then send a second email to include the name of the student discussed in the first email. This way, if one email is intercepted, not all data is disclosed at once.
  • Finally, remember that some conversations are best accomplished in person. With as many benefits as email has, the security and confidentiality of information can sometimes best be handled through old-fashioned means such as a conversation in a private space, or a confidential phone call between staff members.

Email conversations aren’t part of the student record right?

Because email by its nature is a shared communication to one or more recipients, any information about a student that is shared through email can be considered to be part of a student’s education record, and can (must) be provided to the student if requested. When communicating through email or other electronic means regarding students, remember to use professional language and appropriate content.

So I can post grade information as long as I am using the last 4 digits of the student ID number, right?

folder

Historically, both FERPA and UW have permitted the use of the last 4 digits of the student ID for instructors to post grades. FERPA allows such use if the student ID number being used is random, and if the ID cannot be used to access student information systems. UW student IDs meet these criteria, however the UW recommendation on this method has recently changed as better alternatives to the physical posting of grades have increased. It is now recommended you use UW applications, or other secure methods when communicating grade information to students.

Catalyst GradeBook and GradePage allow you to share grade information securely and electronically with students. Grade information can also be shared in-person with a student, or through a phone conversation if needed. Students can access their own grade information through unofficial transcripts via MyUW, and through learning management systems like UW Canvas. With all these alternatives available, the physical posting of grades becomes a less necessary option, and we encourage you to explore the many available tools UW provides.

This is all so overwhelming — I wish I had someone to help me!

graffittiRemember, you don’t have to know it all. None of us want to unintentionally violate FERPA or breach confidential student data. But the rules about what can and cannot be done are often grey and the answers unclear. With that in mind, we encourage you to seek out our resources to assist you with FERPA and student privacy issues. The Office of the Registrar has established a contact line at ferpa@uw.edu for you to use to ask us any FERPA questions you might have. Breaches of confidential information should also be reported immediately to the Office of the CISO.

Confused about directory release information?

A recent segment on KOMO news has created some confusion regarding the release of directory information via the UW’s iPhone app.

As always, the UW is in compliance with federal regulations regarding what student information it does and does not release. Students are allowed to designate whether they want to allow a specific set of their information to be made public or not. The iPhone app uses a small subset of that information and releases it only for those students who have designated that they are willing to let the UW release that information.

More information on the Federal Education Right to Privacy Act (FERPA) is available at uw.edu/students/reg/ferpa.html, which also contains links to MyUW, where students can change their FERPA release flag.

Administrative staff can now be all EARS

Campus administrators who need to view student academic records have a new tool at their fingertips. The Electronic Academic Records System (EARS) is a web-based system initially developed for UW academic advisers. After years of waiting, this resource has been enhanced by the Office of Information Management to allow campus administrative staff access as well.

Available now, the new version of EARS offers several improvements over current terminal-based views of student data. It’s much easier to use, providing on-screen cues and information unavailable in a terminal display. Users can also generate and print unofficial transcripts in PDF format, a long-requested feature. And allowing non-advisers access to student records (with a legitimate purpose) will benefit students by expediting their requests.

Because the system displays student information subject to FERPA regulation, access to EARS must be granted through the OUR’s Data Management Office (including the use of a SecurID or Entrust token). Once access is granted, users can log into EARS here. Information on what functionality is available to administrative users is available here.

Web Services applications highlighted in University Week

University Week header

Two applications built upon the UW’s Student Web Services (SWS) infrastructure were highlighted in an article in University Week on April 30. This publicity will introduce the services to a wider University audience and help the tools gain more faculty users.

The article, titled “Two new tools for UW teachers: An online grade book and photos of their students,” discusses the positive impact Web GradeBook and Photo Class Lists have had on academics since their recent launch. It includes some positive feedback from teachers (which was shared in an earlier post on this blog) and impressive use statistics for Web GradeBook.

More importantly, though, the article acknowledges the efforts the Registrar’s office took in keeping sensitive student data secure while enabling it to be “set free,” and highlighting the cross-department nature of the projects. Designing, implementing, sharing, and maintining projects of this scope and importance to the University’s mission takes a coordinated effort, and the Registrar’s office is pleased to be part of the team making it happen. Other critical members of the team include the Office of Information Management, UW Technology, Learning & Scholarly Technologies — as well as several academic units.