Educause Security Discussion mailing list archives

Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT


From: David Lassner <david () HAWAII EDU>
Date: Tue, 1 Apr 2008 20:57:26 -1000

I'm with Michael.  I haven't read this as carefully as I need to, but
I think they got it pretty right.  A few observations:

The designation as "directory information" means that a data element
is PUBLIC unless the student explicitly opts out (according to FERPA
rules).  It has nothing to do with directory technology.   Think
"directory" = "printed phone book" and you'll get FERPA-speak.  In
this case, PUBLIC means that it can be given out to salespeople,
newspapers and vexatious requesters under FOIA.  But it is not 100%
public since all students must be given the option to opt out of
having their directory information publicly disclosed.

To the extent university employees need access to information to do
their jobs, they can be provided with such access independent of
whether a data element is "directory information" or whether a student
has opted out.  Nothing in FERPA is intended (lack of emphasis mine)
to frustrate the ability of institutions to do their jobs.  This
applies to lookups via a student ID, the sending of institutional
email and tax reporting with SSNs.

I agree that the proposed language is not helpful to those who think
that institutions need to provide and manage standard identifiers that
can be used for the posting of grades on pieces of paper outside
office doors.  Even if one believes this practice is worth fighting
over, designation of any proposed identifier as "directory
information" is not the solution to this problem since no directory
information can be posted for students who have opted out.  So every
faculty member would have to consult the opt-out list and manually
refrain from posting grades for any students who had opted out of
public disclosure of their directory information.

What did I like most?

If we think beyond grades posted on pieces of paper to issues
associated with learning, this proposal nails a major exposure.  The
current guidelines have been interpreted to prohibit disclosing to
students any information about other students in classes if they have
opted out of disclosure of their directory information.  E.g., if
email address is directory information (as is standard), then
disclosure of this information to other students in the class was
considered to be a PUBLIC disclosure and inappropriate for students
who might have opted out of inclusion in phone books and other really
public media.  This would apply to other "handles" as well.
Addressing this issue is a big step forward for those who believe that
online collaboration might be important in current and future learning
environments.

david


On Apr 1, 2008, at 1:09 PM, Basgen, Brian wrote:
Chuck,

For example, I'd suggest that the proposed regulation say
that if the student identifier is used in any manner to
authenticate access without some additional companion
authentication mechanism known only to the student like a PIN
or password, it cannot be included as directory information.

Keep in mind that they do address "student identifiers" in exactly this
manner. Kevin has found that the issue is their particular exclusion of
"student IDs". It is one of those semantic things that, as you've
pointed out, has quite a bit of meaning.

My guess is that this regulation is picking up on a practice within
institutions, like us, which have made student IDs non-directory as a
method for dissuading faculty from posting student IDs with grades. I
also think they are using this "5%" grade posting practice with student
IDs as a "proof" that student IDs are, as a matter of practice, PII.

What troubles me the most about this part of the regulation is where
they talk about "no data" on more than one occasion, and yet make
assumptions anyway. While I like their overall direction and don't want
that to get lost in a critique, I also think these regs would serve us
far better if they were based on concrete data. If it is true that there
is a widespread *practice* of using Student IDs as a form of PII, then I
think a reg makes sense. If it is the exception and not the rule, then I
think they are using the wrong method to address the problem of
identifiers and authenticators.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College


