Re: FERPA question

[Allison Dolan <adolan () MIT EDU>]

A recent item from the state of Maryland may be of interest re: what
is public information (e.g. email)

Bill aims to shield student privacy
By: Megan Eckstein
Posted: 2/28/08
State lawmakers took up a bill yesterday that would give public
schools the power to deny companies access to students' information -
a step that could cut down on the flow of spam into university e-mail
accounts.

A students' directory information - e-mail address, phone number and
home address - is considered public. That means the university has to
give it out if it receives a written request.

The bill's advocates say public universities around the state often
give information out to predatory lenders and even groups that
participate in phishing, scams in which e-mail recipients are asked
to give out private information such as Social Security numbers.

"Sometimes it actually breaks our hearts to see where this
information is going," said David Robb, the university registrar, who
handles requests for students' information.

The bill would give the university the right to deny requests "if the
information is requested for commercial purposes."

Some senators questioned whether the registrar ought to be the only
one to determine whether a company is allowed access to directory
information.

Laura Anderson Wright, a university lawyer, responded by pointing out
that there is an appeal process for all public information requests.

"We're not asking for a bar," Wright said. "We're asking for a choice.

"This amendment to existing law will allow students of public
institutions to enjoy the same protection to their contact
information as students of private institutions enjoy," she said.

Even high school seniors who apply to a public university but choose
not to attend could have their information sent out, Wright said.

Del. Ben Barnes (D-Anne Arundel and Prince George's), the bill's
sponsor, said the bill has strong support because it "puts no extra
obligation on schools. They can keep doing what they're doing, but
they would also have a tool to protect students.

"I think this stands a good chance of passing," Barnes added. "I
think the committee sees the need in having this kind of law."

Student Government Association President Andrew Friedson testified
about some of the spam mail he has received, mentioning a phishing e-
mail sent to many students' university e-mail addresses that appears
to be from Chevy Chase Bank.

The e-mail asks for the recipient to update his or her account
information, and if a student does, the information the student
provides can be used for fraudulent charges and identity theft.
Friedson pointed out that many students have accounts with Chevy
Chase, which has an on-campus branch.

ecksteindbk () gmail com


Allison F. Dolan
Program Director, Protecting Personally Identifying Information
MIT
(617) 252-1461




On Feb 25, 2008, at 2:37 PM, Kathy Bergsma wrote:

> Thanks to Mike Lococo at NYU, I discovered that the 2000 FERPA
> amendment explicitly lists email as directory.
>
> http://www.ed.gov/legislation/FedRegister/finrule/2000-3/070600a.html
>
> Kathy Bergsma wrote:
> > I'm surveying edus that classify email address as non-directory
> > under FERPA. Please respond only if you do.  To minimize list
> > traffic, I'll summarize for the list if you respond privately.
>
> --
> Kathy Bergsma
> UF Information Security Manager
> 352-392-2061