FERPA is technology neutral.
A CRM, a file cabinet, or a pile of papers, the application of FERPA remains the same. The thought struck me while attending LeRoy Rooker and Dr. Helen B. Garrett's annual standing-room-only session at the 108th AACRAO Annual Meeting, FERPA interpretation and application can often bear a striking resemblance to two "rules lawyers" arguing errata
on a Saturday night playing their favorite board/card/tabletop game.
When it comes to FERPA, specificity matters. Terms and phrases like "may," "must," "known," and "should have known" are key to understanding, interpreting, and applying FERPA. For a certain
group of AACRAOANs (call them fans, wonks, geeks, or maybe just Registrars) there is never enough time to talk about FERPA, and if you are here you probably fall into one of those categories. Below you'll find a recap of this year's Ask the FERPA
Professor Q&A session. If you still have questions, don't forget you can always send your questions to firstname.lastname@example.org and we'll be sure they make it to the
FERPA Professor's desk.
Once More Dear Friends
Q: We had a breach for 40 seniors who graduated and they were able, for a limited amount of time, to see one another's student ID numbers.
We made a good-faith effort to notify them. I know that we do have some discretion on when we notify students. So my question is, is there a good rule of thumb for, a statute of limitations?
It would be a FERPA violation, student IDs would not be directory information, so there would be a violation in there, but in FERPA if the complaint is filed with the department there are two things they ask for. One that they're going to want from the complainant. One we are going to look at is when did the violation occur and when did the student know about it?
Once they (the student) know about it, they have 180 days to file a timely complaint. So in the case you've described, all of those students would've seen that on a particular date when the email was sent out. The (education) department would look at that date and back it up 180 days.
I had a hunch from the way you were asking, that it had been more than 180 days. So you've done what you should do in terms of addressing the data breach there, even if one of those students would file a complaint at this point because it's been over 180 days, and that's the limitation on them.
180 days from when the student knew or should have known. Oftentimes they may not know about it till later on, but because this was sent on a particular date, that's documented, there's no question that's when their clock would've started on filing a complaint.
A Record by Any Other Name
Q: Recently we acquired a new CRM. At the heart of the CRM is the ability to query data, and it was designed as an admissions CRM, but we are using it across campus. So I kind of know the answer to this question, but I feel like it needs to be revisited because of the way technology changes and FERPA doesn't.
So we reduce some of the ability of the CRM if we don't allow employees to query the data. However, there's definitely data in there, or going to be in there, that employees wouldn't necessarily have direct access to.
FERPA is technology neutral. You cannot have a policy,
or practice of allowing inappropriate disclosures of education records with whatever technology you're using. So in the question asked in their CRM regarding having access, what we back up to is the requirement in FERPA, the exception in FERPA
to signed consent (99.31.a.1.).
That's the key that says school officials with a legitimate educational interest at the institution, which is important because sometimes I'll come across institutions that want to have somebody at another institution
be an official exception. It says at the institution who have a legitimate educational interest
in accessing those records, your legitimate educational interest is going to come from a need to be able to access this information in order to do their job. So if you're in the registrar's office, you know, that's everybody. Or if
you're head of the math department that's who's taking math classes but it's not who's taking English classes.
So when you have a system (CRM) as described, it's imperative that the institution be able to really bifurcate the two.
It just depends on what kind of information they would have access to and whether they have a legitimate educational interest. If you have a system at your institution that lets everybody access every record, then the way you are going to protect yourself is to be able to track who's had access, that way if a complaint comes in that someone who didn't have any involvement with this student has disclosed information from the record then you're able to go back and say
they either accessed the information or didn't.
More Welcome are You
Q: If I have an MOU written contract with a college and they want me to send back information about students in the admissions phase am I covered as long as I specify in the contract that we are going to share that information?
So in that instance, if you're sending it back in the process of admissions, then you're free to have any kind of communication you want during the admissions process. Once they're a student then FERPA is going to kick in, but you don't have a
FERPA issue if it's in the admissions process. That's the whole idea of having admissions records not be subject to FERPA until the student becomes a student at your institution.
What you can't have though, even with an MOU, an MOU doesn't work. That's an agreement among equals. If you are going to share something after they're a student it's either going to take consent or meeting one of the exceptions to signed consent.
(From the audience) Say that again, the whole part about an MOU being an agreement among equals...
MOUs are an agreement among equals. FERPA says if you're sharing information from your institution with another institution, then you must have either signed consent or meet one of the exceptions to signed consent.
There's not an MOU exception in there. There is the school official exception, but again, it specifically says
within the institution.
The FERPA Professor