Educause Security Discussion mailing list archives
Re: FERPA question
From: Allison Dolan <adolan () MIT EDU>
Date: Fri, 29 Feb 2008 12:30:04 -0500
A recent item from the state of Maryland may be of interest re: what is public information (e.g. email) Bill aims to shield student privacy By: Megan Eckstein Posted: 2/28/08 State lawmakers took up a bill yesterday that would give public schools the power to deny companies access to students' information - a step that could cut down on the flow of spam into university e-mail accounts. A students' directory information - e-mail address, phone number and home address - is considered public. That means the university has to give it out if it receives a written request. The bill's advocates say public universities around the state often give information out to predatory lenders and even groups that participate in phishing, scams in which e-mail recipients are asked to give out private information such as Social Security numbers. "Sometimes it actually breaks our hearts to see where this information is going," said David Robb, the university registrar, who handles requests for students' information. The bill would give the university the right to deny requests "if the information is requested for commercial purposes." Some senators questioned whether the registrar ought to be the only one to determine whether a company is allowed access to directory information. Laura Anderson Wright, a university lawyer, responded by pointing out that there is an appeal process for all public information requests. "We're not asking for a bar," Wright said. "We're asking for a choice. "This amendment to existing law will allow students of public institutions to enjoy the same protection to their contact information as students of private institutions enjoy," she said. Even high school seniors who apply to a public university but choose not to attend could have their information sent out, Wright said. Del. Ben Barnes (D-Anne Arundel and Prince George's), the bill's sponsor, said the bill has strong support because it "puts no extra obligation on schools. They can keep doing what they're doing, but they would also have a tool to protect students. "I think this stands a good chance of passing," Barnes added. "I think the committee sees the need in having this kind of law." Student Government Association President Andrew Friedson testified about some of the spam mail he has received, mentioning a phishing e- mail sent to many students' university e-mail addresses that appears to be from Chevy Chase Bank. The e-mail asks for the recipient to update his or her account information, and if a student does, the information the student provides can be used for fraudulent charges and identity theft. Friedson pointed out that many students have accounts with Chevy Chase, which has an on-campus branch. ecksteindbk () gmail com Allison F. Dolan Program Director, Protecting Personally Identifying Information MIT (617) 252-1461 On Feb 25, 2008, at 2:37 PM, Kathy Bergsma wrote:
Thanks to Mike Lococo at NYU, I discovered that the 2000 FERPA amendment explicitly lists email as directory. http://www.ed.gov/legislation/FedRegister/finrule/2000-3/070600a.html Kathy Bergsma wrote:I'm surveying edus that classify email address as non-directory under FERPA. Please respond only if you do. To minimize list traffic, I'll summarize for the list if you respond privately.-- Kathy Bergsma UF Information Security Manager 352-392-2061
Current thread:
- FERPA question Kathy Bergsma (Feb 25)
- <Possible follow-ups>
- Re: FERPA question Kathy Bergsma (Feb 25)
- Re: FERPA question Mike Lococo (Feb 25)
- Re: FERPA question Allison Dolan (Feb 29)
- Re: FERPA question Wes Hubert (Feb 29)
- Re: FERPA question Kathy Bergsma (Mar 07)
- Re: FERPA question Ced Bennett (Mar 11)