Six Ways to Know You’re Following FERPA
FERPA is a privacy law that protects student information and stipulates that education institutions must protect the confidentiality of student records. It also governs the release of and access to students’ education records. Students may access their records at any time, but institutions cannot release student information without explicit permission. FERPA is crucial legislation because it keeps non-education information private, provides student choice and ownership over who sees their records and when, keeps students safe by including key exceptions to the privacy rule, provides value for the improvement of education by allowing educational institutions to conduct research using student data, and protects the integrity of student records and data by keeping them controlled and accurate.
All education institution employees who have access to student records or information must follow the guidelines of FERPA and keep that information private. Whether someone is a teacher, a professor, an aide, a student service employee, or the college president, FERPA applies in every interaction with a student and to every student information request. Below are six ways to know you’re following FERPA, which prevents the unlawful release of student information and protects personal data.
Confirm Student Identities
When a student comes into a student service office such as financial aid or the registrar, they typically must show their student or government ID to fulfill their request. That alone is following FERPA by preventing the release of information to the wrong student, but this is a little harder when you’re connecting with the student by phone. In a phone call, you can confirm the students’ identity by asking for their full name and an additional piece of information, such as their student ID number, birth month and day, school email address, mailing address, or phone number. If a student sends an email, you can confirm their school email address and only send your response to their school email rather than their personal email, even if their original request came from a personal address. These steps verify students’ identities, so their information stays safe.
Share Personal Identifiable Information Only After Requester Identity is Confirmed
If you receive a call or email from a student or parent requesting private information such as grades or discipline records, you should only release that information if you can confirm the person’s identity. For example, a parent in a secondary school calls a teacher and wants an update on their students’ progress. The teacher should confirm the parent’s identity before responding by asking for verification data. Mailing address, phone number, the student’s birth month and day-any of these can confirm that student information is being released to the correct person. At the postsecondary level, the steps become a little more complicated (see next bullet point!).
Release Information Only When Authorized or Release Only Directory Information
Educationalist institutions may release information about a student if it constitutes “directory” information. Directory information includes, but is not limited to, the student’s name, city and state of residence, enrollment status (full-time or part-time), current status (withdrawn, enrolled, etc.), program of study, degrees and/or certificates earned, and dates of attendance. This information is public unless otherwise blocked by the student (see next bullet point!). If a third party requests this information, the school employee may share it, but it’s a good practice to record details of the request for future reference, such as who requested the information and why, their organization, their relationship to the student, and what information was given. For non-directory information, students must submit written consent before information can be released. Students can give permission to additional people to access their records, from parents to spouses to employers to scholarship organizations, and those authorized will be named in their student record. Student information, including non-directory information, may be released to any of these authorized persons without written consent. You know you’re following FERPA if you know what directory information can be shared and, for that specific student, who is allowed to see non-directory information before you fulfill a request.
Honor Student FERPA Blocks
Students have the option to place a FERPA block on their records, which means that even directory information, which is typically public, may not be shared without written consent. Education employees should always check the student’s record for a FERPA block before fulfilling any information request. This guideline applies more readily to postsecondary institutions; I would venture that elementary and secondary schools should consider every student record as FERPA-blocked since their students are minors.
Keep Accurate and Neutral Records
Students who request their records are afforded access to any or their records, and records constitute anything “directly related to a student and that are maintained by an educational agency or institution or a party acting for or on behalf of the agency or institution” (U.S. Department of Education). In addition, data may be recorded in any way, “including, but not limited to, handwriting, print, computer media, videotape, audiotape, film, microfilm, microfiche, and e-mail” (U.S. Department of Education). School employees should keep notes and records about a student that are accurate and neutral, meaning anything they record should be done so as if directly to the student. Employees should always maintain professionalism and exclude personal opinions since the student can request and see those records. A self-check could be, “Have I included all the facts and only the facts? What would the student think and feel reading this?”
Make Sure Personal Information Stored Online Stays Private
Education platforms have permission to use student data for research purposes as one of the exceptions to FERPA, but they follow specific data practices. They cannot sell student data to outside parties and must delete all student data when their account is closed, among other requirements. Ideally, any online work would be housed in a legitimate education platform so that these privacy requirements are met. Students who must submit assignments or coursework in a public online space should never have to submit identifying information. In learning platforms where students share space, such as Google Classroom or Canvas, settings should be private and grades, individual feedback, and student records should never be shared there.
Keep in mind that FERPA has exceptions to best protect students’ safety. Schools may release information in an emergency, so if a student has an accident or other emergency, parents can be notified without violating FERPA rules. Because student information is so sensitive, checking before sharing any information is a best practice. An employee can always ask their office manager or records office for guidance, and whoever is legitimately requesting the information will want that information provided legitimately on behalf on the student as well, so they shouldn’t mind waiting. When it comes to FERPA, it’s always okay to use the phrase, “Let me find out appropriate next steps and get back to you.” Student privacy is simply too important to rush the answer.