Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT

["Basgen, Brian" <bbasgen () PIMA EDU>]

> to proceed.  If we eliminate in house Identifiers (Student 
> IDs) as Directory information and then we go with a PIN or 
> secret word for faculty who post grades (and many do - at 
> least here at UC) how do we secure the identity of the PINs

 The proposal is that *every* teacher assigns unique authenticators
(pins, words, colors codes -- anything) to each student that is relevant
for only that class, for that semester. It is certainly a secure method,
and puts the onus on the faculty member. 

> if)  stopping faculty from posting grades than FERPA 
> regulation should simply mandate that this process stop or 
> they will be out of compliance with
> FERPA.

 That would be interesting, but probably untenable. I tend to think they
are okay with posting, so long as it is reasonably secure. 

> point.  One of the main reasons we (and I would assume 
> others) went to a Student ID vs SSN was so that we had a way 
> to identify students without giving up PII safeguards

 Right, but they do have a fair point. Since the SID follows the
student, as they point out, so long as you have the same class with the
same student, you've figured out their SID. One-time authenticators, by
contrast, don't have this problem.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College