Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT

[Brad Judy <Brad.Judy () COLORADO EDU>]

A quick clarification to my post.  The Freedom of Information Act is a
federal item that affects information held by the federal government.
Check with your state to see what your state equivalent looks like and
how it relates to FERPA.  In your state, there may or may not be a
relationship between the two.  

 

Brad Judy

 

IT Security Office

University of Colorado at Boulder

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Wednesday, April 02, 2008 9:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses
Changes in IT

 

There seems to be a lot of misinformation about "directory" information
as defined by FERPA.  Let's go to the source:

Section 99.3 of FERPA says (to see the full text, visit
http://www.ed.gov/policy/gen/reg/ferpa/index.html):

""Directory information" means information contained in an education
record of a student that would not generally be considered harmful or an
invasion of privacy if disclosed. It includes, but is not limited to,
the student's name, address, telephone listing, electronic mail address,
photograph, date and place of birth,

major field of study, dates of attendance, grade level, enrollment
status (e.g., undergraduate or graduate; full-time or part-time),
participation in officially recognized activities and sports, weight and
height of members of athletic teams, degrees, honors and awards
received, and the most recent educational agency or institution
attended."

Institutions are allowed to define "directory information" for their
campuses within these boundaries (and it appears there are proposed
changes to these boundaries).

As mentioned, "directory" information in FERPA is unrelated to LDAP
directories, white pages, etc.  It is a data classification definition
that is then used later in the document to define the conditions for
disclosure of student related information.  It's an unfortunate choice
of wording, but we're stuck with it.

FERPA directory information is not related to Freedom of Information Act
requests.  FOIA requests are requests for "public records", another data
classification that applies to government entities.  In the case of
state schools or information handed to the department of education, an
FOIA request could be made for records related to higher education, but
it is not part of FERPA.

Classifying information as "directory information" does NOT make it
public, it changes the rules under which it can be given to third
parties.  An institution can classify a piece of information as
"directory information" and then choose to never publicly disclose it.  

Section 99.37 of FERPA "What conditions apply to disclosing directory
information?"

"(a) An educational agency or institution may disclose directory
information if it has given public notice to parents of students in
attendance and eligible students in attendance at the agency or
institution of:

(1) The types of personally identifiable information that the agency or
institution has designated as directory information;

(2) A parent's or eligible student's right to refuse to let the agency
or institution designate any or all of those types of information about
the student designated as directory information; and

(3) The period of time within which a parent or eligible student has to
notify the agency or institution in writing that he or she does not want
any or all of those types of information about the student designated as
directory information.

(b) An educational agency or institution may disclose directory
information about former students without meeting the conditions in
paragraph (a) of this section"

In short, FERPA is just about data classification and data disclosure.
It just defines two broad categories of information, then defines the
circumstances where consent is, or is not, required to disclose those
two different classes of data to different groups.  This includes rules
on specific situations like safety issues, justice system requests,
government requests, etc.  (It also covers things like hearings,
complaints and amending records)

If you have any questions about FERPA on your campus, ask the person
responsible for FERPA on your campus.  This is likely the group/person
generally responsible for student records, maybe your registrar.  

Brad Judy

IT Security Office

University of Colorado at Boulder

_____________________________________________
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Lassner
Sent: Wednesday, April 02, 2008 12:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses
Changes in IT

* PGP Signed by an unverified key: 04/02/08 at 00:57:26

I'm with Michael.  I haven't read this as carefully as I need to, but  

I think they got it pretty right.  A few observations:

The designation as "directory information" means that a data element  

is PUBLIC unless the student explicitly opts out (according to FERPA  

rules).  It has nothing to do with directory technology.   Think  

"directory" = "printed phone book" and you'll get FERPA-speak.  In  

this case, PUBLIC means that it can be given out to salespeople,  

newspapers and vexatious requesters under FOIA.  But it is not 100%  

public since all students must be given the option to opt out of  

having their directory information publicly disclosed.

To the extent university employees need access to information to do  

their jobs, they can be provided with such access independent of  

whether a data element is "directory information" or whether a student  

has opted out.  Nothing in FERPA is intended (lack of emphasis mine)  

to frustrate the ability of institutions to do their jobs.  This  

applies to lookups via a student ID, the sending of institutional  

email and tax reporting with SSNs.

I agree that the proposed language is not helpful to those who think  

that institutions need to provide and manage standard identifiers that  

can be used for the posting of grades on pieces of paper outside  

office doors.  Even if one believes this practice is worth fighting  

over, designation of any proposed identifier as "directory  

information" is not the solution to this problem since no directory  

information can be posted for students who have opted out.  So every  

faculty member would have to consult the opt-out list and manually  

refrain from posting grades for any students who had opted out of  

public disclosure of their directory information.

What did I like most?

If we think beyond grades posted on pieces of paper to issues  

associated with learning, this proposal nails a major exposure.  The  

current guidelines have been interpreted to prohibit disclosing to  

students any information about other students in classes if they have  

opted out of disclosure of their directory information.  E.g., if  

email address is directory information (as is standard), then  

disclosure of this information to other students in the class was  

considered to be a PUBLIC disclosure and inappropriate for students  

who might have opted out of inclusion in phone books and other really  

public media.  This would apply to other "handles" as well.   

Addressing this issue is a big step forward for those who believe that  

online collaboration might be important in current and future learning  

environments.

david

 

On Apr 1, 2008, at 1:09 PM, Basgen, Brian wrote:

> Chuck,

>

> > For example, I'd suggest that the proposed regulation say

> > that if the student identifier is used in any manner to

> > authenticate access without some additional companion

> > authentication mechanism known only to the student like a PIN

> > or password, it cannot be included as directory information.

>

> Keep in mind that they do address "student identifiers" in exactly  

> this

> manner. Kevin has found that the issue is their particular exclusion  

> of

> "student IDs". It is one of those semantic things that, as you've

> pointed out, has quite a bit of meaning.

>

> My guess is that this regulation is picking up on a practice within

> institutions, like us, which have made student IDs non-directory as a

> method for dissuading faculty from posting student IDs with grades. I

> also think they are using this "5%" grade posting practice with  

> student

> IDs as a "proof" that student IDs are, as a matter of practice, PII.

>

> What troubles me the most about this part of the regulation is where

> they talk about "no data" on more than one occasion, and yet make

> assumptions anyway. While I like their overall direction and don't  

> want

> that to get lost in a critique, I also think these regs would serve us

> far better if they were based on concrete data. If it is true that  

> there

> is a widespread *practice* of using Student IDs as a form of PII,  

> then I

> think a reg makes sense. If it is the exception and not the rule,  

> then I

> think they are using the wrong method to address the problem of

> identifiers and authenticators.

>

> ~~~~~~~~~~~~~~~~~~

> Brian Basgen

> Information Security

> Pima Community College

>

>

 

* david () hawaii edu <david () hawaii edu>

* Issuer: UH - Unverified