FERPA - Student Privacy Issues
The Family Educational Rights and Privacy Act of 1974 (FERPA), is a federal law which establishes rules and regulations regarding access to and disclosure of student records. The Act applies to all educational institutions that are recipients of federal funding.
The rights afforded to students and former students under FERPA are:
- To inspect and review their education records maintained by the school.
- To request that a school correct records which they believe to be inaccurate or misleading.
- To control the disclosure of their “education records” to others.
Under specifically defined conditions, parents of a student deemed “dependent” for income tax purposes may have access to the student’s educational records.
With specific exceptions, FERPA defines “an educational record” quite broadly and it is not limited to “academic” records. “Education records” include virtually all records maintained by an educational institution, in any format, that are “directly related” to one or more of its past or present students. A record is “directly related” to a student if it is “personally identifiable” to the student. A record is “personally identifiable” to a student if it expressly identifies the student on its face by name, address, ID number, or other such common identifier.
A record is also personally identifiable if it includes “other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty” – in other words, if it contains enough demographic or other information that it points to a single student.
The definition of “education records” does not give institutions any discretion to determine for themselves what is or isn’t an “education record” or to "treat" certain records as non-education records even though they meet the statutory definition.
“Education records” include not only Registrar’s Office records, transcripts, papers, exams and the like, but also non-academic student information database systems, class schedules, financial aid records, financial account records, disability accommodation records, disciplinary records, and even “unofficial” files, photographs, and e-mail messages.
An "education record" is "maintained" by the institution whenever it is in the possession, custody, or control of any employee or agent of the institution.
Records not considered "education records maintained" by the institution are:
- Sole possession records are records kept in the sole possession of the maker, are used only as a personal memory aid, and are not accessible or revealed to any other person except a temporary substitute for the maker of the records. e.g. private notes of a professor about class participation, etc.
- Law enforcement records are those are records (i) created by the law enforcement unit; (ii) created for a law enforcement purpose; and (iii) maintained by the law enforcement unit. Records created by others and sent to the WSU Police Department are not law enforcement records and remain covered by FERPA.
- Employment records are records related solely to the employment of a student by the institution, provided the student is not “employed as a result of his or her status as a student". Records on a work study or GTA/GRA student are covered by FERPA.
- Treatment records are medical records. Only if not shared, such records are covered by HIPAA.
- Alumni records are records that only contain information obtained about an individual after he or she is no longer a student at the university, but not if they “relate back” to when the person was a student.
Generally, a college or university that receives federal funding cannot disclose student records to anyone other than the student unless (1) it is "directory information" and the student has not opted-out; (2) the student has consented to the disclosure; or (3) the law provides an exception that permits disclosure without the student's consent.
Disclosure means “to permit access to or the release, transfer, or other communication of personally identifiable information by any means, including oral, written or electronic.
FERPA allows institutions to designate certain classes of information as “directory information” that may be released to anyone without a student’s consent. Directory information may be disclosed (the institution has discretion). WSU has designated the following information as "directory information":
Name, address, e-mail address, age or date of birth, level of education, major, degrees received, educational institution the student was most recently enrolled in, honors, awards, participation in sports or other activities, and the height and weight of members of athletic teams.
An institution that wishes to make directory information available must first give its students an opportunity to “opt out” and block the release of their own directory information, usually by making a formal request to the institution’s Registrar’s Office. This must be done on a yearly basis. Our Registrar’s Office has a Request to Restrict Release of Directory Information form which the student must file with the Registrar’s Office if they wish to opt out.
Even if a student has chosen to block the release of directory information, the institution may nevertheless continue to disclose that student’s directory information under any other exception that may be applicable or with the student’s case-by-case consent.
FERPA does establish several exceptions that allow the institution to disclose student records without the student’s prior written consent. Some of those exceptions are:
- To other school officials who have "legitimate educational interests" as defined by the institution, such as “advising”.
- To officials of other schools in which the student seeks to enroll.
- In connection with a student’s application for, or receipt of financial aid.
- If disclosure is necessary to protect the health or safety of the student or other persons (This health or safety exception is discussed below).
- In response to a lawfully issued subpoena. (Note: If you receive a subpoena requesting student records, you should notify the OGC and the Registrar’s Office immediately.)
These exceptions, like the other FERPA exceptions, are independent of each other.
Health Or Safety Exception
FERPA has always had an exception for non-consensual disclosure of education records in health or safety emergencies. New regulations issued by the Department of Education (DOE) in December, 2008, created three new provisions concerning this exception.
First, a student’s parents may always be notified in an emergency involving a student where disclosure of otherwise protected information is necessary to protect the student or others. Even if parents are not immediately able to act on the information, the regulations make clear that they may, nevertheless, be informed.
Second, the rules clarify that in the event of a health or safety emergency, a university may release information to any person whose knowledge of the information, in the institution’s reasonable judgment, is necessary to protect the health or safety of the student or other individuals. This new standard was implemented to clarify the scope of discretion allowed to schools after Virginia Tech cited FERPA as a reason for its failure to share and act on information about the student who committed the shootings on its campus in 2007. The persons typically given this information are law enforcement officials, public health officials and trained medical personnel. This exception is limited to the period of the emergency and generally does not allow for a blanket release of personally identifiable information from a student's education records.
Third, a university is explicitly required, when it utilizes this exception, to create a record of what it considered the health or safety emergency to consist of and to whom information was disclosed in response to the emergency. This change imposes new record-creating and record-keeping requirements on those who communicate about student crises or emergency situations.
While student disciplinary records are protected as education records under FERPA, there are certain circumstances in which disciplinary records may be disclosed without the student's consent. An institution of higher education may disclose to an alleged victim of any crime of violence or non-forcible sex offense the final results of a disciplinary proceeding conducted by the institution against the alleged perpetrator of that crime, regardless of whether the institution concluded a violation was committed. An institution may disclose to anyone--not just the victim--the final results of a disciplinary proceeding, if it determines that the student is an alleged perpetrator of a crime of violence or non-forcible sex offense, and with respect to the allegation made against him or her, the student has committed a violation of the institution's rules or policies.
Other Significant Changes to FERPA
Other significant changes in the regulations of the Department of Education implemented in December, 2008 include:
Preventing Disclosures to Unauthorized Persons
Universities must take affirmative steps to guard against unauthorized disclosures. The Department’s new rules require all schools to implement “reasonable methods” to authenticate the identity of students, parents, school officials, or any person to whom education records are disclosed.
Disclosures for Educational Studies or Research
Certain contract terms must be enacted when identifiable student information is disclosed to outside organizations who conduct studies with the information. A long-standing FERPA exception has allowed the sharing of student information without consent for the purpose of educational research designed to develop or validate predictive tests or improve instruction. The recent regulatory change requires that such disclosures not take place unless written agreements contain provisions for how the identifiable information will be protected. Specifically, the agreement must specify the purpose, scope, and duration of the study, limit the use of the personally identifiable information to the purpose of the study, require that identifiable information be protected against disclosure, and require that the information will be returned or destroyed upon completion of the study.
Those who receive student data for research, or assist with research involving such information, should contact the OGC for assistance in preparing written agreements that cover these new requirements.
The December, 2008 regulations also clarify the DOE's interpretation of the law that universities may disclose student information to third parties who perform services or functions that would otherwise be performed by the institution’s employees. This provision allows disclosure of student records to a variety of contractors who perform services on behalf of a university. A condition of such disclosures is that the service providers must be subject to Wayne State University’s control concerning their use of student records through, for instance, contract restrictions. Third parties must be made subject to the restriction that they, in turn, may not disclose the protected information without the student’s consent.
It is always important when dealing with contractors who offer to provide services to WSU to ensure that restrictions on their use of student information are included in written agreements. Please contact the OGC if you require assistance in this regard.
The foregoing is for informational and educational purposes only. It states general propositions and is not intended to and should not be viewed as legal advice from the Office of the General Counsel. Anyone having a specific issue or situation involving these or other student privacy issues should contact Linda Galante in the OGC at 577-2268.
-- updated June, 2013