How FERPA applies to the connected, 21st century classroom
General Information| Best Practices for Professors | Exceptions to FERPA
FERPA and Social Media | Tips for Using Social Media in Compliance with FERPA
FERPA, Permissions and Signatures | FERPA and the Cloud | Email, Texting, and IM
FERPA and Posting Student Work
- FERPA is technology neutral - everything is about the contents of the student records, not where they are physically or digitally found.
- While student education records are confidential, things can be shared if given written consent.
- Rare exceptions exist, such as concern about a student safety issue, but they're few and far between.
- The following are not considered education records under FERPA: law enforcement records, employment records, medical (treatment) records, alumni records, sole possession notes, and student work prior to evaluation.
- Exceptions do apply - for example, once a sole possession note is shared, it is considered an education record. As well, student employee records are considered education records if they go through financial aid office.
- FERPA allows the university to release certain "directory information," which may include the student's name, local address and phone number, whether the student is enrolled, dates of attendance, degrees earned, and most recent previous institutions attended. However, Western Washington University is more restrictive, releasing to third parties only if:
- the student is currently enrolled
- dates of attendance
- degrees awarded
- For students who have requested a confidential block through the Registrar's Office, no information is disclosed, whether or not the student is enrolled.
- The following are never considered directory information:
- a student's race,
- country of citizenship,
- social security number, or
- A school official only has a need-to-know specific information on any student's records - access should be only given if it is necessary or appropriate to the operation of the institution or the proper performance of the educational mission of the institution.
- The only way to guarantee identity over the phone is through a set of security questions, such as "What was the name of your first pet?" and "What was the name of the high school you attended?"
- For student employees, while they are on the clock they are considered school officials and can view other students education records if they have a legitimate educational interest.
- Student employees should be given FERPA training, and required to sign a form stating that they understand it.
- Under FERPA, educational institutions are required annually to notify students in attendance of their rights to inspect/review education records, request amendment of education records, to consent to disclosures, and to file a complaint with the U.S. Department of Education.
- FERPA does not allow students to see the records of other students (even if a record has information on more than one student), the financial records of a student's parents, or confidential letters and statements (if a student previous waived the right to review those documents).
- The authoritative source for FERPA is the Family Policy Compliance Office in the U.S Department of Education.
- When writing a syllabus, it is advantageous to add a blanket statement like "In this class, our use of technology will sometimes make students' names and Internet IDs visible within the course website, but only to other students in the same class. Since we are using a secure, password-protected course website, this will not increase the risk of identity theft or spamming for anyone in the class. If you have concerns about the visibility of your Internet ID, please contact me for further information."
- Due to inherent security risk, professors should never carry their grade books on a memory stick, or other unprotected, losable format.
- When possible, passwords offer decent protection. They are especially useful when a grade book is held on a shared computer, or in a common area.
- Use caution when saving anything on a laptop or shared computer.
- Keep your anti-virus software updated (and use it), and keep your OS updated and patched.
- Always keep hardware (especially laptops or memory sticks) in a physically secure place.
- A FERPA confidential block/non-disclosure does not apply to information within the classroom (physical or digital), but rather to only releasing any information to a entity outside the institution. Students with a confidential block are still required to do the work that the faculty member defines as the requirement of the course, including things like posting to a message board on Canvas.
- Educators should be able to answer 'no' to three questions related to if something is a potential FERPA violation:
- Are we dealing with releasing student records or information out to the public?
- Are we preventing a student from asking about their own record?
- Are we violating another federal law?
- If students are asked to use a specific program or application (such as on an iPhone), the terms and conditions may be against FERPA. While you are protected, a student may choose to opt out of using the application due to those terms, and you'll need to provide an alternate method that the student can still learn or have access to the information.
- If it is determined that there is an significant threat to the health and/or safety of a student, an institution may disclose information from education records to anyone whose knowledge of that information is necessary to help with the protection of a student's health/safety.
- If released, the institution must keep record of who was notified of the information, and why they were told.
- If a student is a dependent for tax purposes, an institution may disclose any education records to the parents or guardians without the consent of the student.
- When a student passes away, they are no longer protected under FERPA and their parents can request information from their education record.
- Once law enforcement has gotten a subpoena, an institution can share protected information from a student's education record.
- If a student is concurrently enrolled in a high school and a university, while a parent does not have a right to inspect an education record at the postsecondary, they can request the information and inspect it through the high school.
- If a student is under 21, an institution can notify the parents of any violation of a law (federal, state, or local) or any rule/policy of the institution related to the use or possession of alcohol or another controlled substance.
- Any "law enforcement unit records," such as those from campus security, can be disclosed to parents or federal, state, or local law enforcement agencies without consent of the student. These records are not considered to be a part of FERPA.
- Sharing is considered an important part of learning, and FERPA does not isolate learning from the general community, allowing things like a class Facebook page.
- FERPA does not prevent an instructor from assigning their students to create public content as a part of the course requirements, such as creating a Google Site or posting a video onto YouTube or Vimeo.
- Social media submissions are not FERPA protected because they are not considered received, and consequently not in the custody of the college. As well, they are typically not yet graded or reviewed by the faculty (and thus not under FERPA).
- Include a statement in your syllabus that material posted on the open web may be viewed by others both in and out of the class. For example:
- During this course you might have the opportunity to use public online services and/or software applications sometimes called third-party software such as a blog or wiki. While some of these are required assignments, you need not make any personally identifying information available on a public site. Do not post or provide any private information about yourself or your classmates. Where appropriate you may use a pseudonym or nickname (ensuring the facilitators know how to identify you). Some written assignments posted publicly may require personal reflection/comments, but the assignments will not require you to disclose any personally identifiable/sensitive information. If you have any concerns about this, please contact your instructor.*
- Do not require that students post any personally identifiable information.
- Allow students to post under an alias if they choose to do so.
- Never post instructor comments or grades on a public site, or anywhere they may be publically viewable.
- Take special precautions with students under the age of 18. It is strongly encouraged to get parental consent when using social media in a class.
- If students are uncomfortable with the social media aspect and it is not integral to an assignment, try to offer a possible alternative.
- Although wiki's are inherently open, they can be separated into different areas that can be designated either public or restricted to a specific group (such as a class).
- Due to the public nature of wiki's, it is strongly recommended that students are informed of the inherent potential of it being seen and given a consent form to sign.
- There are two different types of signatures used to give consent:
- Electronic signature - a written signature that is transmitted electronically, usually written on a digital pad (like in a department store), and
- Digital signature - a "signature" electronically encrypted by a computer system consisting of a combination of letter, numbers and symbols.
- FERPA allows higher learning institutions to disclose education records to third parties when given consent through an electronic signature, but not a digital one.
- With electronic signatures, institutions have to follow three principles before disclosing the information:
- The signature must be authenticated by comparing the name, date of birth, and social security number against a third-party database,
- The transmission of the information (especially the social security number) must be 100% secure, and
- The applicant must be fully aware of the rights related to electronic signatures, including the right to opt out.
- With cloud service providers, educational institutions may disclose personally identifiable information from an education record only on the condition that the entity that the information is disclosed with will not disclose that information to any other party without prior written consent of the student.
- Schools must maintain "direct control" over the personal data, even if it is outsourced - if FERPA is broken, the institution is ultimately at fault.
- In agreements, the cloud computing provider must be considered a "school official" to facilitate the sharing of FERPA-protected information.
- Under FERPA, these third-parties are seen as "a person or company with whom the university has contracted as its agent to provide a service instead of using university employees or officials."
- When emailing students, it should always be from an institution email to a student's institution account.
- By doing so, there will always be a copy on the institutions server.
- Professors can communicate about FERPA-protected information (like grades) through a student's institutional account, but not a private one.
- When mass-emailing a group of students, utilize the BCC feature (by emailing yourself, and blind copying all of the students) or create a distribution list in order to keep the email addresses private.
- Public instant messaging (such as Google, Facebook, or Skype) are not considered secure for any protected information.
- You can place a statement like "Under FERPA, this email is intended only for _______" to notify any unauthorized individuals about the privacy of the email.
- In online classes, never post grades or evaluative comments in spaces outside of the course system (Canvas), nor in a place on the site where they may be visible to their peers.
- With online classes, use the in-system communication system as often as possible for added security. Many (including Canvas) will notify students through an email when a message is sent.
- Teachers can give feedback and/or evaluative comments via a video-chatting program like Skype as long as they can identify the students.
- If you post work created by a student and credit them by name, you are required to obtain written student consent before it is published.
- Students ultimately own whatever work they create.
- This is regardless of the medium (at conference, journal articles, school-sponsored web sites, or any printed materials).
- If you post student work without their name or consent, it is considered a copyright violation.
- Once a piece of work is graded, consent is required prior to any publishing or sharing.
* This information has been compiled by the CIIA and adapted from the following sources:
Anderson, Geri J. (2014). FERPA Regulations for the Online Environment: A Toolkit for Faculty & Staff, Innovative Educators, accessed through webinar.
Campbell, E., Cieplak, B., & Rodriguez, B. (2012). Family Educational Rights and Privacy Act: FERPA for Colleges and Universities (PowerPoint Slides in PDF). Retrieved from http://www2.ed.gov/policy/gen/guid/fpco/pdf/postsecondary-webinar-presentation.pdf
U.S. Department of Education. (2007). Disclosure of Information from Education Records to Parents of Postsecondary Students. Retrieved from http://www2.ed.gov/policy/gen/guid/fpco/hottopics/ht-parents-postsecstudents.html
U.S. Department of Education. (2005). General: Frequently Asked Questions. Retrieved from http://www2.ed.gov/policy/gen/guid/fpco/faq.html
* Third-Party Software and FERPA language obtained from the syllabus template, released with Creative Commons licensing (CC BY-NC-SA 3.0), provided at the University of Georgia, Athens.