Legal Issues and FERPA

LIS 5916 – Info Security
Daniel Lanza
January 1, 2012

Legal Issues and FERPA

I chose to write about the Family Educational Rights and Privacy Act (FERPA) because it is closely related to my current work environment. I work full time at the Florida State University (FSU) Office of Admissions as webmaster and primary technical support contact. The admissions office deals with a large amount of student records and sensitive data protected under FERPA. As the primary technical support contact I encounter a wide variety of problems and I have to be very careful not to violate the FERPA rules.

First, let’s start with a definition of FERPA provided by the FSU Registrar’s Office. “FERPA is a federal law that protects the privacy of students’ educational records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Students have specific, protected rights regarding the release of such records, and FERPA requires that institutions adhere strictly to these guidelines” (FSU Registrar).

FERPA affects me two-fold since I am both a student and an FSU staff member. As a student, the law is good to have and I feel safer because I know that my information is protected. However, as a student I never really have to think about the law or enforce it like I do as a staff member. Some of the rights that FERPA grants to students are: the ability to view the information the institution holds; right to seek amendment of those records and, in certain cases, append a statement to the record; the ability to consent to disclosure of his/her records; and a right to file a complaint with the FERPA office in Washington, D.C.

I exercise my right to view my information all the time by checking my grades or my online unofficial transcript. I don’t think I’ve ever had to change any of my records or give consent to disclose my records. Thankfully, I’ve never had to exercise my right to complain about FSU and I haven’t heard of anyone else complaining about FERPA violations at FSU.

As a staff member at FSU I am granted certain rights under FERPA. For example, “a school official is a person employed by the University in an administrative, supervisory, academic, research, or support staff position. If a school official requires information located in a student’s educational record to fulfill University-related responsibilities, that official has legitimate educational interest” (FSU Registrar). Because I have legitimate educational interest, I have to be even more careful not to violate any FERPA rules.

At work I have complete access to view an applicant’s entire application data and that type of access comes with great responsibility. Some very sensitive information on the application includes: Social Security Number (SSN), test scores, and transcripts (grades). It would be a FERPA violation if I disclosed any of that information to the wrong person. As the primary technical support contact I receive emails and phone calls from applicants and applicants parents on a daily basis.

Usually if I’m speaking to a parent then the applicant is under 18 years old and they are applying as a senior in high school. In that case, I can share the students information with the parent. If the student is over 18 years old or if they’ve been enrolled in a college or institution I cannot disclose any information to the parent. The second case doesn’t happen very often because the student is usually responsible enough to call themselves.

To prevent FERPA violations, we have security procedures in place to validate a person’s identity before disclosing any sensitive information. I almost always verify an applicant’s name, date of birth, and the last four digits of their SSN before assisting them. There are additional procedures for changing sensitive information such as name or SSN which includes faxing a photocopy of official documentation relating to the change. For example, to change your SSN you must send us a copy of your SSN card or to change your name you must send a copy of your driver’s license, passport, or birth certificate.

Recently, I’ve started receiving a different type of communication from users trying to submit online letters of recommendation. Surprisingly there are a number of security concerns and FERPA rules related to recommendation letters. The integrity and validity of the recommendation letter is very important. There cannot be improperly submitted or falsified recommendation letters because that defeats the entire purpose. FERPA also grants students permission to view a recommendation letter submitted by others as part of an application. However, applications usually give the student the option to waive the right to view a recommendation letter.

Let me try to explain one common recommendation letter scenario that I deal with quite often. An applicant calls me seeking assistance with a letter of recommendation on behalf of the recommender, but I can’t help the applicant because I have to speak with the actual recommender for security purposes. If I had given the student access to the letter of recommendation upload website they could have easily uploaded a letter they had written instead of the actual recommender.

One difference in my communication approach is dependent on whether its an email or a phone call. Emails inherently contain some identifying information such as email address and name (if configured). If the email address matches the application I will generally assume that the email is legitimate. However, I still require verification of date of birth and SSN if the email requests any serious changes to the application. Phone conversations on the other hand are generally more complicated for me. Since the users have to dictate their name and email address over the phone I often have trouble understanding them or I misspell their name.

While researching FERPA I noticed that there are proposed regulations and additions to the law. The proposed changes intend to clarify and strengthen FERPA where it is needed. Due to an increase in digital student records and the Internet there are more and more threats to account for in FERPA and student privacy. The department of education is accepting feedback and comments on the proposed changes until May 23. Hopefully these changes help protect student privacy.

References

Family Educational Rights and Privacy Act (FERPA). 2011. U.S. Department of Education. Accessed on 1/27/2012. http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

FERPA Information Home. 2011. FSU Office of the Registrar. Accessed on 1/27/2012. http://registrar.fsu.edu/ferpa/