Educause Security Discussion mailing list archives
Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT
From: David Lassner <david () HAWAII EDU>
Date: Tue, 1 Apr 2008 20:57:26 -1000
I'm with Michael. I haven't read this as carefully as I need to, but I think they got it pretty right. A few observations:

The designation as "directory information" means that a data element is PUBLIC unless the student explicitly opts out (according to FERPA rules). It has nothing to do with directory technology. Think "directory" = "printed phone book" and you'll get FERPA-speak.

In this case, PUBLIC means that it can be given out to salespeople, newspapers and vexatious requesters under FOIA. But it is not 100% public since all students must be given the option to opt out of having their directory information publicly disclosed.

To the extent university employees need access to information to do their jobs, they can be provided with such access independent of whether a data element is "directory information" or whether a student has opted out. Nothing in FERPA is intended (lack of emphasis mine) to frustrate the ability of institutions to do their jobs. This applies to lookups via a student ID, the sending of institutional email and tax reporting with SSNs.

I agree that the proposed language is not helpful to those who think that institutions need to provide and manage standard identifiers that can be used for the posting of grades on pieces of paper outside office doors. Even if one believes this practice is worth fighting over, designation of any proposed identifier as "directory information" is not the solution to this problem since no directory information can be posted for students who have opted out. So every faculty member would have to consult the opt-out list and manually refrain from posting grades for any students who had opted out of public disclosure of their directory information.

What did I like most? If we think beyond grades posted on pieces of paper to issues associated with learning, this proposal nails a major exposure. The current guidelines have been interpreted to prohibit disclosing to students any information about other students in classes if they have opted out of disclosure of their directory information. E.g., if email address is directory information (as is standard), then disclosure of this information to other students in the class was considered to be a PUBLIC disclosure and inappropriate for students who might have opted out of inclusion in phone books and other really public media. This would apply to other "handles" as well. Addressing this issue is a big step forward for those who believe that online collaboration might be important in current and future learning environments.

david

On Apr 1, 2008, at 1:09 PM, Basgen, Brian wrote:
Chuck,

For example, I'd suggest that the proposed regulation say that if the student identifier is used in any manner to authenticate access without some additional companion authentication mechanism known only to the student like a PIN or password, it cannot be included as directory information.

Keep in mind that they do address "student identifiers" in exactly this manner. Kevin has found that the issue is their particular exclusion of "student IDs". It is one of those semantic things that, as you've pointed out, has quite a bit of meaning. My guess is that this regulation is picking up on a practice within institutions, like us, which have made student IDs non-directory as a method for dissuading faculty from posting student IDs with grades. I also think they are using this "5%" grade posting practice with student IDs as a "proof" that student IDs are, as a matter of practice, PII.

What troubles me the most about this part of the regulation is where they talk about "no data" on more than one occasion, and yet make assumptions anyway. While I like their overall direction and don't want that to get lost in a critique, I also think these regs would serve us far better if they were based on concrete data. If it is true that there is a widespread *practice* of using Student IDs as a form of PII, then I think a reg makes sense. If it is the exception and not the rule, then I think they are using the wrong method to address the problem of identifiers and authenticators.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College