Ask the FERPA Professor

Dear FERPA Professor,

I work in the records department at a fully online institution. Thus, our communication with students is largely via e-mail and phone (from a staff perspective such as financial aid counselors, advising, registrars, etc.). I am trying to move the institution away from using the last 4 digits of the students’ social security numbers (SSN) as a way to verify caller identity. Rather, I am pushing the institution to adopt the use of a learner identification number and/or other pieces of data such as the course they are in and such.

However, I am getting some pushback from a colleague who believes that our current practice is fine and permitted, and since we don’t use the whole SSN in our systems now as an identifier we are compliant. I contend that because we almost never see the student in front of us and do the vast majority of our interactions over the telephone or through e-mail, it is best not to use the social security numbers as a means of identification. Am I fighting for something that isn’t really a concern?

On this subject, as a matter of fact, we have also been wrestling with dual caller issues, where one of our students calls and has someone else on the line (friend, spouse, etc.) and gives verbal ‘okay’ or recognition that this other individual is on the phone during the discussion of their personal educational record, history, academic plan, financial aid info, and so on. I’ve advised that we need a written 3rd party release and should not be continuing such calls with people on the line other than the student. What can you tell me about this kind of situation? Is verbal release by the student on the phone enough?




Dear Outnumbered,

You are correct to have concerns about any practice that permits the disclosure of student education records without meeting the authentication requirements of FERPA. This specific requirement was added in the 2009 regulations and can be found in §99.31(c). The preamble to these regulations explains that the use of commonly known identifiers such as SSN, student ID, date of birth, and so on, is not considered “reasonable” under the regulations.

As for the dual caller issue, there is no such thing under FERPA as a “verbal consent.” There is signed consent, as required in §99.30, and there are exceptions to signed consent found in §99.31.


The FERPA Professor