FERPAand the MGDPA

What is FERPA and to whom does it apply?

• Federal law enacted in 1974 called “Family Educational Rights and Privacy Act”

• Purpose is to protect the privacy rights of student records and to ensure the accuracy of those records

• Applies to currently enrolled or formerly enrolled students (regardless of age or parental dependency status)

• Applies to all institutions that receive federal funds

What rights does FERPA afford students?

• Right to inspect and review the record (all parts with two exceptions)

• Right to request an amendment to the record that the student believes is inaccurate or misleading or violation of his/her privacy rights (recordation error not substantive decision) and to request a hearing if request to amend is not granted

• Right to consent to disclosure of personally identifiable information

What rights does FERPA afford students?

• Right to know what institution has designated as public/directory information and the right to request suppression of their public/directory information

• Right to know that school officials may access their records and the criteria for determining that a school official has a legitimate need to know the information

• Right to file a complaint with the Family Policy Compliance Office in the U.S. Department of Education

What are education records?

• Any record from which a student can be personally identified AND which is maintained by the institution regardless of its form (e.g., handwritten, print, database, disk, email, files, graded materials, class lists, individual student class schedules, financial aid records)

What is directory/public information?

• Information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed – if not suppressed, this may be given to third parties

• FERPA allows each school to choose what information is public/directory – can choose nothing

• If your school has directory/public information about students you must allow them to limit the release of that information to third parties

What can be directory information?

• Name• Address• Telephone• Email address/login name

for systems• Photograph• Date and place of birth• Major• Dates of attendance• Grade level

• Enrollment status• Participation in officially

recognized activities and sports

• Weight and height of members of athletic teams

• Degrees• Honors and awards received• Most recent educational

agency or institution attended

What can never be directory information?

• Grades• GPA• Race• Gender

• Social Security Number

• Country of citizenship

• Religion

Social Security Numbers on requests for directory information• A student’s SSN may not be used as an

“identification element” when disclosing or confirming directory information unless the student has provided written consent

• Institutions should not implicitly confirm any SSN in a request for public directory information

• Institutions should disclaim any confirmation of SSN on the request (e.g., “This information does not constitute a confirmation of the student’s SSN”)

Who may have access to education records?

• The student• Any outside party that has the student’s written

consent (get a copy of the consent)• School officials (as defined by the institution) with a

legitimate educational interest• Parents of a dependent student as defined by the

IRS code, who have claimed the students has a dependent on their most recent tax forms

• A person in response to a lawfully issued subpoena or court order

What about parents, spouses, same-sex domestic partners and others?

• Parents, spouses, same-sex domestic partners, attorneys, ombudsmen, etc. are all considered third parties under FERPA, HIPAA and the MGDPA

• You need specific written permission from the student to release information to them

What is a school official?

• Defined by the institution• Members of the institutional community who act in

the student’s educational interest within the constraint of their need to know

• Generally, someone the institution has employed, contracted with, or has other official relationship with who would need to access pertinent student data to perform their designated job functions– Contracts with outside entities must specify the access,

protection, and re-disclosure requirements. Your general counsel can assist with contracts.

What is Legitimate Educational Interest?

• Often referred to as “need to know”• Interest in reviewing student education records for

the purpose of performing assigned institutional research, educational or administrative function

• Not often a “blanket” access to all data• Guiding principle – If you need the data to perform

your job duties you should have access to it

What are the exceptions to prior consent? (not exhaustive)

• Lawfully issued subpoena or court order• School officials who need information to fulfill their

professional duties • Health or safety emergency (not used often)• School where former student seeks, intends to, or

has enrolled• For audit/evaluation of educational programs (to

Comptroller General of the U.S.; The U.S. Attorney General; The Secretary of the Dept. Of Education; State and local educational authorities)

Guiding principles• School officials shall not disclose personally identifiable

information about a student nor permit inspection of those records without the student’s written permission unless it is allowed in one of the exceptions mentioned

• Use reasonable methods to identify and authenticate students and authorized third parties when releasing student data (e.g., PINs, passwords, personal security questions)– Use the institution issued email address to communicate with a

student/former student when possible. If private email address is used, student should provide you, in writing, permission to use that address

• You have a legal responsibility to protect confidentiality of student records

• Only access what you need to know to do your job• Curiosity ≠ Legitimate need to know

Commenting Student Records

• Comments added to student information systems, databases, or tracking systems are part of the student’s educational record

• Student has the right to request to see this information

• Include the facts of an interaction and avoid personal judgments or opinions about that interaction

What is MGDPA and to whom does it apply?

• MN Open records law – most other states have one• Minnesota Government Data Practices Act (MGDPA)

prescribes specific requirements for handling government data, which includes “educational data”

• Applies to all public institutions• Regulates the collection, creation, storage,

maintenance, dissemination, and access to government data in state agencies, statewide systems, and political subdivisions.

• Establishes presumption that government data is public unless there is a federal law, state statute or temporary classification that provides it is not

What impact does the MGDPA have on your jobs?

• Certain educational data is covered under the law• If information about students is not defined as public

on your campus it is protected (private) under the MGDPA

• Must protect private information from unauthorized access or release

• Most of the data you work with is private

A few words about how HIPAA may impact your jobs

• May be given medical information by student to assist decision making on appeals, exceptions, etc.

• May be asked by student to re-release medical information you have in your files to other offices/agencies

• Medical information should be shredded when no longer needed to be retained

Safeguarding Student Data• Physical

– Lock rooms and file cabinets; rooms protected from hazard or natural disaster

– Limit access to secure areas with customer information– Use password activated screen savers– Use strong passwords– Change passwords periodically and don’t share them– Encrypt sensitive customer information transmitted

electronically– Being alert to fraudulent attempts to obtain customer

information– Dispose of customer information appropriately – shred or

confidentially recycle paper, erase all information on hard drives or other electronic media, follow your campus retention policy for disposing of outdated data

Safeguarding Student Data

• Technical (often central IT responsibility)– Store customer data on secure servers with security

protections– Don’t store customer information on machines with

internet connection– Maintain secure backup/archive media– Use antivirus software that updates automatically– Obtain and install vulnerability patches– Follow written contingency plans to address breaches

of safeguards– Maintain up-to-date firewalls

Providing Secure Data Transmission

• Use Secure Socket Layer (SSL) or other secure connection to collect credit card information

• Caution consumers about sending sensitive information (credit card, SSN, or account numbers) via email since it is not secure

• If you send sensitive consumer information via email you must use encryption

• When transmitting credit card information, must comply with PCIDSS

Security breaches

• Unauthorized acquisition of data by unauthorized person that compromises the security and classification of the data or intent to use data for nongovernmental purposes (e.g., stolen laptops or other devices that contain private student data, sending emails or attachments containing private student data to the wrong person)

• Does your campus have a protocol for dealing with a security breach?

Security breaches• U of M protocol

– Faculty or staff send email to specific email address when a breach is suspected

– Committee reviews breaches and advises departments or staff on next steps (e.g., contacting students who had data released, offering credit monitoring if SSN was part of the data released, etc.)

– Committee membership includes General Counsel staff, HIPAA officer, FERPA officer, data security staff, Chief Information Officer

What if you “leak” student educational data?

• FERPA has no private right of action • Family Policy Compliance Office will investigate and

may issue sanctions against the school• MGDPA allows that compensation for damages

caused by violating the law may be pursued from the agency and the individual

• Willful violation of the MGDPA is a misdemeanor and employees may be subject to suspension or dismissal

Contact information

Dan DelaneyOffice of the Registrar

University of Minnesota612-625-7864

delan021@umn.edu