240 likes | 327 Views
What IT Staff Need to Know About Educational Records Privacy Regulations. Or. FERPA for CIOs. Jeff von Munkwitz-Smith University Registrar University of Connecticut. What are the regulations?. A federal law, the Family Educational Rights and Privacy Act of 1974, as amended.
E N D
What IT Staff Need to Know About Educational Records Privacy Regulations Or . . .
FERPA for CIOs Jeff von Munkwitz-Smith University Registrar University of Connecticut
What are the regulations? • A federal law, the Family Educational Rights and Privacy Act of 1974, as amended. • It is also known as “FERPA” and as the “Buckley Amendment”. • The law applies to both K-12 and Postsecondary education.
What are a student’s rights? • The right to know about the purposes, content, and location of information kept as part of their educational records. • The right to gain access to and challenge the content of their educational records. • The right to expect that information kept as part of their educational records will be kept confidential, disclosed only with their permission or under provisions of the law.
“Education Record” • “Records, files, documents, and other materials that contain information directly related to a student and maintained by the institution or someone acting for the institution according to policy.”
Some examples • Data on the student information system(s), including course management systems. • Paper files maintained by the institution • E-mail messages relating to the student • Employment records for student employees • Disciplinary records
What’s not? • Employment records of people not employed as a result of their status as a student. • “Sole-possession” records • Records of police services • Application records of people not admitted • Alumni records • Medical records • Parents’ financial information (e.g., tax returns)
“Directory Information” “Information contained in an education record of a student which would not generally be considered harmful or an invasion of privacy if disclosed.”
“School Official” “A person employed by the University in an administrative, supervisory, academic or research, or support staff position (including law enforcement unit personnel and health staff); a person or company with whom the University has contracted (such as an attorney, auditor, collection agent, or official of the National Student Clearinghouse, or the University Foundation); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks.”
Some key issues for IT . . . • Expansion of access to data systems, including reporting data bases • Software packages • New types of systems and technologies • On-line education • Outsourcing
Expanded access • Key questions: • Is the system secure? • Do the users fall under the definition of “school official” and do they need access to do their job? • Do they know their responsibilities regarding education records privacy?
Software packages • Key questions: • How does the software handle FERPA issues? • Is the software FERPA compliant? Don’t assume they know what they’re doing!
New types of systems • Key questions: • Does the system contain student information? • If so, are security and access controls appropriate? Is the software FERPA compliant?
On-line education • Key point: FERPA does cover students enrolled in on-line courses
Outsourcing • Key questions: • Does the agreement specify appropriate usage and security of the data? • Does your institution’s annual notification to students of their rights include these vendors in the definition of “School officials”?
If a student doesn’t have a “Privacy Bar”, we can release any information. Right? Wrong! • If a student has a “privacy bar”, “no release code”, etc., you can’t release any information to the public. • If a student doesn’t have one, you may ONLY release Directory Information.
What about releasing information to parents? • Remember: the rights belong to the student, regardless of age or who’s paying the bills! • Institutions MAY release non-directory information to parents of dependent students. (Know your institution’s policy.)
Do we have to release information such as email address outside the institution? • FERPA does not require release of directory information outside the institution, it allows it. • If your institution is public, it pays to know your state’s freedom of information regulations.
Where can I go for help? • Ask your Registrar • Your institution’s attorney • AACRAO FERPA Guide • The Family Policy Compliance Office web site: http://www.ed.gov/offices/OM/fpco • Send e-mail to FERPA@ed.gov
My best advice: When in Doubt . . . Ask!
Contact information Jeff von Munkwitz-Smith jvon@uconnvm.uconn.edu www.registrar.uconn.edu/ferpa.html