Education Records (FERPA and MGDPA)Page address: http://www.mnsu.edu/requestsforinfo/private/educationrecords.html
Minnesota State University, Mankato
October 6, 2004
Kris Kaplan, Assistant General Counsel
Minnesota State Colleges and Universities Office of the Chancellor
Email: Kristine Kaplan Phone: 651-296-3905
What is FERPA anyway?
- Family Educational Rights and Privacy Act (FERPA)
- A Federal law that regulates how all schools that accept federal funds handle "education records".
- Minnesota Government Data Practices Act (MGDPA)
- A federal law that adds requirements in handling all government data, including education records (a.k.a. "educational data").
Why do I need to know about FERPA?
It is the law – and has been since 1974. State employees who create and handle education records every day must understand their roles in maintaining education records in accordance with federal and state data privacy laws.
- Violations of data privacy laws expose the school and individuals to liability.
- Illegal FERPA policies could result in withdrawal of federal funds to the university.
- Under the MGDPA, institutions can be liable for money damages, or civil penalties, and individuals are subject to disciplinary action for willful violations, and potentially even criminal penalties.
Moreover, it is important for the integrity of the MnSCU system that we honor students´ rights to access and maintain privacy in the education records that are entrusted to us.
What are "education records"?
Education records are data maintained by the school (or an agent or employee acting in his/her official capacity) that directly relate to an individually identifiable student.
- Very broad – not just the "official file."
- May be in any tangible (including electronic) media or form.
- Includes admissions materials, Student Financial Services records, transcripts, class lists, class schedules, graded exams or papers, records of disciplinary proceedings, photographs, work study records and much more.
Certain information is exempted from the definition of "education record"
- "Sole possession" notes of instructors;
- Law enforcement unit records – not shared with school officials and maintained for law enforcement purpose;
- Alumni records – information about individuals when no longer students;
- Medical treatment records – only accessible by treatment providers.
- The privacy rules applicable to such records will vary.
How do privacy laws classify education records?
Most education records are "private" as to the subject student, which means:
- Accessible to the student.
- Accessible to others at institution who have a legitimate educational interest.
- Accessible to third parties only with written consent of student or as otherwise authorized by law.
"Directory Data" is public and available to anyone.
Directory Data is defined differently at each school. Some information is NEVER public: SSN, Student ID Number, race, ethnicity, gender and similar information.
Directory data at MSUM is defined as:
- Name; local and permanent address(es) and phone number(s)
- E-mail address
- Date and place of birth
- Program or major field of study
- Class status (freshman, sophomore, etc.)
- Degree, honors and awards received
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams
- Dates of attendance
- Most recent previous educational agency or institution attended
Do not automatically assume you can release directory data.
Students have the right to refuse the disclosure of their data. This must be honored in all contexts – not limited to omission from student directory. Consult the Registrar for information on whether students have "opted out."
Be careful about releasing directory data that indirectly reveals private information.
e.g., school officials could not respond to a request for a list of names of "all African American computer science majors" even though names and majors are "directory".
What rights do students have in their education records?
The primary rights include:
- To inspect and copy their education records.
- To request to amend an education record if inaccurate or incomplete.
- To have some control over disclosure of education records.
- To file a complaint with the FERPA Office in Washington D.C.
In Minnesota, students´ rights in their education records begin upon application and generally continue post-attendance (private data remains private after student leaves).
All students in higher education have the same rights regardless of their age.
International students have the same privacy rights except that the CIS (f.k.a. INS) gets access to certain information without specific consent.
Who has access to education records other than the sudent?
- Anyone with prior, written consent of student.
- Anyone asking for directory data unless the student has "opted out" (see above).
- "School officials" who have a "legitimate educational interest" in those records. Each school defines, at MSUM means:
- A school official is a person employed by the university in an administrative, supervisory, academic or research or support staff (including a school’s law enforcement unit personnel and health staff); a person or company with whom the university has contracted (such as an attorney, auditor, or collection agent); a person serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks.
- A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility; i.e., “need-to-know.”
- Third parties as authorized by law include:
- To comply with a valid subpoena or judicial order (after notice to student)
- To assist in health or safety emergency (narrow definition – imminent risk of physical harm).
What are the rights and responsibilities of Faculty and Staff regarding education records?
- Respect appropriate limits on access by school officials
- Know your resources
State employees have a legal responsibility to protect the privacy of student educational records under their control, including access within the institution. Need-to-know is the basic principle.
Limit your access to what is necessary for your work – your technical ability to access data may be broader than your legal authority.
If you are not clear about another employee´s right to access student information, ask them to explain. Curiosity is not a "legitimate educational interest". Limit the disclosure to what is really necessary to perform the job.
Be careful about inappropriate re-disclosure – including inadvertent viewing on desktops or computer screens or oral disclosures to colleagues who don´t have legitimate educational interest.
Keep copies of applicable policies/procedures handy, including
- Annual notice to students of rights
- Public access policy
- Policy on charging for copies
Know who to call for assistance. Every campus has a Data Practices Compliance Official who can help answer questions. For example, DeeAnn Snaza can answer questions at MSU.
Collect private data only as necessary. Restrict use of SSN or other personal identifiers.
When collecting private data from students, must give Data Practices Notice ("Tennessen Warning"):
- Why the data is being collected
- How the data is being used
- Whether legally required to provide
- Consequences of refusing or supplying
- Who may have access
- For SSNs - legal authority to request
Notice may be oral, but written is better record.
Keep private data secure – the laws apply to your handling of data wherever located.
- If you need to take private data home, do not allow improper disclosure to family or others
- Follow IT security standards for encryption, etc.
In the workplace
- Guard views of private data on your computer screen
- Do not "over-expose" private data by leaving it out unnecessarily
Social security numbers and medical data especially sensitive.
No portion of student´s SSN may be used for public identification, including, for example, posting of grades.
Before releasing data on one student always check to be sure it doesn’t improperly contain data on others.
To students who are subjects of data (under MGDPA within ten working days). Laws do not require written request – MSUM FERPA Notice suggests that students submit written request to appropriate school official who maintains records.
- With prior, written consent of student; or
- In health or safety emergency (a narrow exception – consult Data Privacy Official if possible).
To third parties – e.g., press, unions, law enforcement, other students, potential employers:
prior, written consent of student generally required that meets the following standards:
- Specifies records to be released
- States purpose of disclosure
- Identifies person(s) or class of persons to have access
- Is signed and dated
A release that does not include all the above requirements is not valid and cannot be honored. If that happens, provide a substitute, valid form.
A faxed release is okay if signed and dated. An e-mail "authorization" is not okay is needs a signature. Electronic signatures were recently approved for giving written consent where required under FERPA, but stringent standards must be met.
To third parties without consent as authorized by law. e.g., to organizations auditing school programs or Student Financial Services; for health or safety emergency (imminent danger required); in response to valid subpoena or court order, and other exceptions:
- Disclose only what the law authorizes;
- Maintain appropriate records of disclosure including who, what, when – keep with student´s records.
If in doubt, consult – in almost every case immediate response is not required.
Always refer legal process or law enforcement requests to DPCO. Responding to court orders or subpoenas requires special procedures, including notice to student, in most cases. Child support enforcement officials must obtain subpoena for private student data.
What are the procedures for responding to requests from third parties for private information on students.
Consult school policy/procedures for whether written request required and whether/how to charge for copies of information, if requested.
If served with a search warrant, obtain ID of official and a copy of the warrant; cooperate with search and notify the OGC or AGO as soon as practical.
In other cases: Ask for student´s written release – check to make sure it complies with requirements described above; ask for ID of requesting party.
If no release, may provide only directory information (so long as student has not "opted out") unless there is specific legal authority to release.
If legal authority is claimed, ask what it is and for a copy of the law, if possible. Limit disclosure to what the law requires &ndash government officials who need more can obtain subpoenas.
If a health or safety emergency is claimed, establish reasonable basis that there is imminent danger of physical harm to the student or others – if not, do not give out private data (including class schedules or locations) but may agree to appropriate assistance.
- Call from student – may provide private data to student so long as you make reasonable attempt to verify identity.
- Call from third party – may only provide public “directory data” unless have written release from student. Remember to verify that student has not restricted release of directory data. If you have release, may provide only private information that is authorized. Verify the caller´s identity.
By fax or e-mail
Sending private data by these means is arguably more risky than U.S. Mail as you have less assurance of who has access at the receiving end, especially to third parties. Take reasonable security precautions, including following any IT standards regarding electronic transmissions. May call to verify fax receipt.
Using a Web site to disseminate private student data is acceptable for students to access their own data by use of a confidential PIN number on a secure Web application.