FERPA is technology neutral.
A CRM, a file cabinet, or a pile of papers, the application of FERPA remains the same. The thought struck me while attending LeRoy Rooker and Dr. Helen B. Garrett’s annual standing-room-only session at the 108th AACRAO Annual Meeting, FERPA interpretation and application can often bear a striking resemblance to two “rules lawyers” arguing errata on a Saturday night playing their favorite board/card/tabletop game.
Words Matter
When it comes to FERPA, specificity matters. Terms and phrases like “may,” “must,” “known,” and “should have known” are key to understanding, interpreting, and applying FERPA. For a certain group of AACRAOANs (call them fans, wonks, geeks, or maybe just Registrars) there is never enough time to talk about FERPA, and if you are here you probably fall into one of those categories. Below you’ll find a recap of this year’s Ask the FERPA Professor Q&A session. If you still have questions, don’t forget you can always send your questions to communications@aacrao.org and we’ll be sure they make it to the FERPA Professor’s desk.
Once More Dear Friends
Q:We had a breach for 40 seniors who graduated and they were able, for a limited amount of time, to see one another’s student ID numbers.
Answer:
It would be a FERPA violation, student IDs would not be directory information, so there would be a violation in there, but in FERPA if the complaint is filed with the department there are two things they ask for. One that they’re going to want from the complainant. One we are going to look at is when did the violation occur and when did the student know about it?
Once they (the student) know about it, they have 180 days to file a timely complaint. So in the case you’ve described, all of those students would’ve seen that on a particular date when the email was sent out. The (education) department would look at that date and back it up 180 days.
I had a hunch from the way you were asking, that it had been more than 180 days. So you’ve done what you should do in terms of addressing the data breach there, even if one of those students would file a complaint at this point because it’s been over 180 days, and that’s the limitation on them.
180 days from when the student knew or should have known. Oftentimes they may not know about it till later on, but because this was sent on a particular date, that’s documented, there’s no question that’s when their clock would’ve started on filing a complaint.
A Record by Any Other Name
Q: Recently we acquired a new CRM. At the heart of the CRM is the ability to query data, and it was designed as an admissions CRM, but we are using it across campus. So I kind of know the answer to this question, but I feel like it needs to be revisited because of the way technology changes and FERPA doesn’t.
So we reduce some of the ability of the CRM if we don’t allow employees to query the data. However, there’s definitely data in there, or going to be in there, that employees wouldn’t necessarily have direct access to.
Answer:
FERPA is technology neutral. You cannot have a policy, or practice of allowing inappropriate disclosures of education records with whatever technology you’re using. So in the question asked in their CRM regarding having access, what we back up to is the requirement in FERPA, the exception in FERPA to signed consent (99.31.a.1.).
So when you have a system (CRM) as described, it’s imperative that the institution be able to really bifurcate the two.
It just depends on what kind of information they would have access to and whether they have a legitimate educational interest. If you have a system at your institution that lets everybody access every record, then the way you are going to protect yourself is to be able to track who’s had access, that way if a complaint comes in that someone who didn’t have any involvement with this student has disclosed information from the record then you’re able to go back and say they either accessed the information or didn’t.
More Welcome are You
Q: If I have an MOU written contract with a college and they want me to send back information about students in the admissions phase am I covered as long as I specify in the contract that we are going to share that information?
Answer:
(From the audience) Say that again, the whole part about an MOU being an agreement among equals…
MOUs are an agreement among equals. FERPA says if you’re sharing information from your institution with another institution, then you must have either signed consent or meet one of the exceptions to signed consent.
There’s not an MOU exception in there. There is the school official exception, but again, it specifically says within the institution.
share