Re: FERPA and E-mailing grades--back to basics

[Robert Meyers <remeyers () MAIL WVU EDU>]

Excellent comments, Jane. Thanks!
My experience has been that the "teaching moment" is for faculty and not students ;-)  The situations have been driven 
by staff sending grades via e-mail because it is convenient and not driven by students requesting it that way. We do 
have 2 secure servers (one using Blackboard) for faculty to post grades, with one reserved for final grade posts. Most 
of the situations of transmission have been grades of assignments, projects, exams, etc., during the class and not the 
final posting.  We are trying to stop the habit, but the saddest issue of most of our society, and not an indictment of 
hard working faculty and staff, is we humans much prefer convenience over security.  Or at least that's my only 
explanation of unsecured mobile devices that auto-sync personal data to cloud systems. But that's another rant ;-)
 
Thanks again for your insightful additions to the discussion.
 
Bob
 


 
 
Robert E. Meyers,  Ms.Ed.
Educational Program Manager
  Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers () mail wvu edu


> > > On Monday, January 09, 2012 at 10:52 AM, "Rosenthal, Jane E." <jer () KU EDU> wrote:

All,
This is certainly a good discussion and from a privacy perspective perhaps I have another vantage point.  Let's back up 
on this discussion--the inquirer asked if email was okay/option to use in order to send grades to an individual student.

Remember, whatever we recommend as a good/bad practice (and certainly email that is unencrypted or not otherwise 
through a secure system verifying the inquirer if not optimal.)  However, lest we forget that the student is the holder 
of the "consent" or privilege of the privacy of their information and can approve any action regarding their private 
information.  So, if for example the student provided a written, verified release to send info to them or anyone in the 
world via email, then they have the right to do so.

That said, under FERPA, we cannot willy nilly send email to students and it is a poor choice to send info through email 
as anyone can grab it, see it, etc.  The important part of this may be to have the professors understand that this can 
be a teaching moment regarding the student's privacy.  The professor can set the tone from the first day by stating in 
the syllabus what will be acceptable and what will not.    They can set the parameter of using Blackboard or another 
LMS for communication with the students and (drum roll) they can explain why they do this and the benefits of it.  

This is my $.02 but as this is Data Privacy Month, it would be a worthwhile discussion to have with faculty and staff 
regarding best options for private communication of private information.

Jane


Jane Rosenthal
Director I KU Privacy Office
Custodian of Public Records
Office of the Provost
The University of Kansas

Tel +1.785.864.9528 I Fax 1.785.864.4463
jer () ku edu I www.privacy.ku.edu

This message may be confidential and is only for the intended recipient. If you receive it in error, please delete it 
and attachments from all systems/memory and notify the sender ASAP.  Thank you.

Rock Chalk!


-----Original Message-----
From: Mclaughlin, Kevin (mclaugkl) [mailto:mclaugkl () UCMAIL UC EDU] 
Sent: Friday, January 06, 2012 12:38 PM
Subject: Re: FERPA and E-mailing grades

I think that the cornerstone of Dean's argument was that a contractual relationship existed between the entities (in 
particular he referenced Google - not Yahoo, hotmail, ACME mail, etc. )   without that contractual relationship (just 
my opinion here) I believe that it is prohibited under FERPA.  



- Kevin





Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, CRISC, PMP, ITIL Master Certified

Assistant Vice President, Information Security & Special Projects

University of Cincinnati

513-556-9177



The University of Cincinnati is one of America's top public research institutions and the region's largest employer, 
with a student population of more than 41,000.



cid:image002.gif@01C879E9.E20A0EF0



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Nathan 
Zierfuss
Sent: Friday, January 06, 2012 1:22 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA and E-mailing grades



I have to agree with Dean. I'm not convinced FERPA prohibits providing students grades via email. In fact some CMSs can 
be configured to automatically email or text students their grades when the grade-book is updated. I use this feature 
and suspect most students do. 



My experience has been our institution is struggling with not being the source of a digital identity for students that 
we used to be and coming to trust the one students have established for themselves prior to entering university. I 
believe FERPA requires us to validate who we are communicating with but not to secure the communications methods they 
elect. 



Has anyone explored identity validation via credit report questions similar to what banks do when you open an account 
online and accepting gmail, yahoo, ect. as a students email address rather then issuing them a new one?

Nathan



On Fri, Jan 6, 2012 at 6:44 AM, Dean Halter <Dean.Halter () notes udayton edu> wrote:

I agree that course management systems and ERPs are better ways of accessing/providing this information.  That said, 
I'm not sure that FERPA prohibits use of email to provide grade information.  Whether internal or contracted w/ a 
provider (Google, for example, is a "school official" per contract within Google Apps for Edu), I believe you should be 
able to use email as long as the solution is "secure."  Making sure faculty and staff address the information from and 
to university provided accounts is as important as the technical transport and storage.  Students, on the other hand, 
should be able to forward or share their mail if they choose.  Very interesting conversation and I appreciate 
everyone's insight. 

Dean
___________
Dean Halter, CISA, CISSP
IT Risk Management Officer, UDit
University of Dayton

"Security is a process, not a product."  Bruce Schneier 







-- 
Nathan Zierfuss, CISSP, Information Security Officer
-
Technology Oversight Services, University of Alaska
910 Yukon Dr. Suite 105, PO Box 755320
Fairbanks, Alaska 99775-5320
-
Phone: 907-450-8112  Fax: 907-450-8381