Dear FERPA Professor,
I appeal to your expertise to help untangle this sticky situation. My Administrative Assistant was recently reported to HR as having committed a FERPA violation for emailing a copy of a student's transcript to our school's financial aid office upon their request to view transfer credits awarded. Our office policy states that we will not fax or email transcripts to a third party; however, in this situation, the document went by internal email directly to the school official who had "need to know" access. I don't believe that FERPA prohibits email or fax transmission (even though not recommended due to risk factors involved) or that this act was a violation of FERPA, but I do need an expert opinion before challenging this charge.
Thanks so much for your help!
Dear Ms. Mary,
FERPA is technology neutral, which is to say that a school can use the technology of its choice. However, what the school cannot do under FERPA is allow improper disclosures, including through the use of the chosen technology. Thus, while FERPA does not prohibit email or fax transmissions, you are correct that the risk factors should be a top consideration, but a FERPA violation would only occur if it resulted in an unauthorized disclosure. Both the use of encryption and internal email systems are two of the more reliable ways of mitigating the risk of improper disclosures.
I hope this is helpful in answering your question.
The FERPA Professor