Legal Requirements
Note to the Reader: This
draft document on the Family Educational Rights and Privacy Act (FERPA)
is the first installment of a survey of specific pieces of legislation
and how these apply to authentication and identity management. The
final document will be included in the Spring 2005 version of this
Framework and reside on the Campus
Legal Clearing House website. Future topics include DMCA, TEACH
Act, USA/Patriot Act, SEVIS, HIPAA, and ESIGN/GPEA. The authors
are Peg O'Donnell from the Catholic University and Steve Worona
from EDUCAUSE. Please send comments and suggestions to authnframework-comments@internet2.edu.
The FERPA-related topics discussed below include:
Introduction to FERPA
A federal law known as the Family Educational
Rights and Privacy Act (FERPA) sets forth the rules for student
record privacy. The law is codified at 20 U.S.C. § 1232g. Regulations
used to interpret the law are contained at 34 C.F.R. § 99.1
et seq.
Most student records maintained by an institution
are considered “education records” that are protected
by FERPA, including computer records. The student has a right to
access and review his/her education records. All education records
are confidential and cannot be disclosed unless the student provides
a signed and dated written consent or the disclosure fits one of
the exceptions (34 CFR 99.31). Faculty and staff may view student
education records only if the institution has determined that they
have a legitimate educational interest in viewing the records, or
one of the other statutory exceptions (e.g. health and safety emergency)
applies.
Directory Information - Directory information
is one of the many exceptions to the rule of non-disclosure. The
FERPA regulations allow schools to disclose directory information
to third parties without consent from a student, so long as the
school has given public notice of the types of information which
it has designated as directory information. The law also requires
notice to the student of his/her right to restrict the disclosure
of such information.
Directory information means information contained
in an education record of a student that would not generally be
considered harmful or an invasion of privacy if disclosed. It includes,
but is not limited to, the student's name, address, telephone listing,
electronic mail address, photograph, date and place of birth, major
field of study, dates of attendance, grade level, enrollment status
(e.g., undergraduate or graduate; full-time or part-time), participation
in officially recognized activities and sports, weight and height
of members of athletic teams, degrees, honors and awards received,
and the most recent educational agency or institution attended.
(34 CFR § 99.3) Social Security Numbers (SSN) are not considered
directory information and therefore cannot be released unless
another exception to the written consent requirement applies.
Regarding the release of student ID numbers,
on November 5, 2004, the Family Policy
Compliance Office released a letter clarifying that although the
regulations describe a student ID number as "personally identifiable
information", a school may designate a student ID number (as
long as it is not the SSN) as directory information. This is derived
from 34 CFR § 99.30: "The
parent or eligible student shall provide a signed and dated written
consent before an educational agency or institution discloses personally
identifiable information from the student's education records, except
as provided in §99.31."
If a student has placed a hold on the release
of directory information, it can only be accessed/released if a
legitimate educational interest exists or one of the other enumerated
exceptions in FERPA applies. In other words, this data must now
be treated like a confidential education record. Even though the
law allows disclosure of directory information by the university
when no hold has been placed by a student, there is no requirement
under FERPA that it must be disclosed.
Question: Using a PIN Number and Unique
Identifier for Authentication
We converted to a new ERP which, while it does have an SSN field
in the database and a name field in the database that can be used
to bring up the student's record if you also know the PIN, also
provides a unique "peopleID" number to each student. We
call it a "G number." Now students enter the G number
and a PIN number to access their records. We don't consider the
G number to be secret and we even stamp it on the student's ID card
so that they can get their meals. We think of it as a substitute
for the name. We'd use the name, but there are too many people with
the same name, and some folks have more than one name. We do, however,
treat the PIN as secret and private. We are implementing a middleware
authentication and authorization system. We want to move to single
sign-on, consisting of the G number followed by the PIN number.
However, some folks believe that the FERPA esignature requirements
specify that the G number can't be part of the sign-on.
FERPA Considerations
FERPA does not prohibit the use of a unique student identifier in
combination with a PIN for the student to access/retrieve his or
her own education records, or for use as a sign on to the system.
This unique number and password would also suffice to allow a student
to place an order to release his/her transcript to a school to which
the student seeks to apply, as there is a provision in the law that
does not require consent for disclosure to another institution of
postsecondary education where the student seeks or intends to enroll.
In addition, the Family Policy Compliance Office
(FPCO) recently issued an opinion (Nov. 5, 2004 to University of
Wisconsin-River Falls) that allows a university to designate a unique
personal identifier as directory information.
“We believe that FERPA allows an institution
to designate and disclose as "directory information" a
unique personal identifier, such as a student's user or account
logon ID (or an email address used as a logon ID), as long as the
identifier cannot be used, standing alone, by unauthorized individuals
to gain access to non-directory information from education records.
Conversely, if an institution allows a student to use a personal
identifier to obtain access to education records without the use
of a password or other factor to authenticate the student's identity
(or if the identifier itself is also used to authenticate the student's
identity), then that identifier may not be designated and disclosed
as directory information under FERPA because it could result in
the disclosure of protected information without meeting the written
consent requirement.”
However, if the institution of higher education
(IHE) is considering using this PIN number and unique student ID
number as a digital signature by the student for release of records
to a third party (other than the transcript scenario above) then
there are issues that need to be addressed before these two pieces
of data can substitute for “written consent”. In this
instance there must be a policy in place that describes how use
of a digital signature will identify and authenticate a particular
person as the source of the electronic consent and indicate such
person's approval of the information contained in the electronic
consent. The IHE will also run into problems if the unique ID is
used as the student’s email address. Because email addresses are
generally not kept private, the unique identifier would lose
its viability as part of a digital signature process.
Question: Collecting and Using Logging
Information
A computer science researcher who is drafting a proposal to NSF
wants access to some of the computer data that is protected by Shibboleth.
The logs provided may on occasion have a student's name associated
with them, and from that the researcher would know what IP addresses
the student was accessing. Also, on some occasions a collection
of attributes might appear that if researched could yield up the
identity of the student, but this would be very unlikely as the
information that would be needed to get to the identity would not
be held by the researcher. The question is as follows: Is this type
of data an education record protected by FERPA? It is understood
that if there are any social security numbers in the computer data
that they would need to be filtered out.
FERPA Considerations
The term education record is defined as follows in the
law (20 USC 1232g(a)(4)):
(4) (A) For the purposes of this section, the
term "education records" means, except as may be provided
otherwise in subparagraph (B), those records, files, documents,
and other materials which--
i. contain information directly related to a student; and
ii. are maintained by an educational agency or institution or by
a person acting for such agency or institution.
Just where to draw the line on what is and is
not an education record was complicated by a Supreme Court case,
Owasso Independent School District v. Falvo.
While there are exceptions to the statutory definition
and confusion resulting from the above referenced case, in general
the education community understands “education record”
to be a very broad and all encompassing term. The Owasso decision
did not address computer records, but non-binding language in the
case indicated that perhaps only records kept in a central location
by a single record custodian would be considered education records.
In recognition of the potential university liability for relying
on a perhaps too narrow definition of education record, schools
continue to advise faculty and staff that education records are
protected by FERPA, regardless of where they are physically kept.
However, it is also important to understand that the lack of clarity
about what is or is not an education record may offer some
flexibility when deciding how the law should be applied in any given
fact setting.
Question: Printing of ID Numbers on Campus
ID Cards
The University is moving away from using social security number
as a university ID and will be creating generated 8-digit ID numbers
for all faculty/staff/students. The University is concerned that
some individuals will have difficulty remembering their new ID number,
and have discussed the possibility of printing the generated ID
number on everyone's university ID card (OneCard) as a convenient
reference.
Some individuals on our campus believe that printing
the generated ID number on the ID card will be a violation of FERPA.
Others argue that by using their ID card the student is giving their
consent (whether implicitly or explicitly) for a vendor or other
individual to use or view their ID number. For some applications
students will be able to use either their new ID number or their
SSN as part of the authentication process.
May a university print generated ID numbers on
campus ID cards?
FERPA Considerations
A recent FPCO opinion letter (see above) has indicated
that schools may designate student ID numbers (but not SSNs) as
directory information, and thus there would not be a FERPA violation
in placing the number on the students’ ID cards. This having
been said, there are two possible issues with printing these numbers
on the student’s ID card. First, a student has the option
of placing a hold on release of directory information. Query how
placing a hold on release of all directory information by a particular
student affects putting an ID number on that student’s card
that needs to be presented to access certain services. There are
two possible ways to get around this issue. First, if the card must
be presented to food services to pay for a meal, make sure that
the subcontractor is included in the university’s definition
of a school official with a legitimate educational interest, thus
allowing disclosure to the subcontractor. Second, there is an argument
that the student is disclosing the information whenever they use
the card, and not the school.
Note that if the school intends to use that ID
number as part of a digital signature process, security might be
compromised. While not definitive, these would be considerations.
Question: Releasing Individuals' Course
Information Off Campus
A course is jointly taught at two universities. Students register
for the course at their home institution. Electronic reserves for
the course may only be accessed by students registered in the course.
Each institution's digital library has its own portion of reserve
material. Technicians plan to issue each student an electronic "credential",
analogous to a university ID card, installed in the student's Web
browser. The credential identifies the student and the student's
university but contains no other information about the student.
Whenever the reserve material is accessed, the electronic library
receives the student's credential. The electronic library then makes
an electronic inquiry asking the student's home registration system
whether the student is registered in the course.
Technicians responsible for the registration systems
are concerned that FERPA prohibits the release of course-registration
information outside the institution without explicit student permission.
Is it necessary to get all students to sign waivers before they
sign up for the course? Alternatively, is it enough for the institutions
to inform students that registering in a joint course implies consent
to release course-registration information to the second institution?
Or perhaps can the two universities be considered as a single institution
for the purpose of this course and thus be permitted to share course-related
information on a "need to know" basis with no explicit
or implicit permission required?
FERPA Considerations
The FERPA regulation at 34 CFR §99.34(b) states as follows:
(b) An educational agency or institution may disclose an education
record of a student in attendance to another educational agency
or institution if:
(1) The student is enrolled in or receives services
from the other agency or institution; and
(2) The disclosure meets
the requirements of paragraph (a) of this section.
One of the options under paragraph (a) is for
the school to include in its annual notification a notice that the
school will forward education records to a school that has
requested the record and in which the student seeks or intends to
enroll. Thus a simple notice that, for the purpose of accessing e-reserves
at the affiliated institution, the home institution will confirm
course registration information would suffice. Waivers would thus not be needed.
Question: Having Students Review Each
Others' Work
What is permissible in the area of "peer review" of class
assignments, posting student assignments to a shared web site, or
publishing student papers as part of a course journal at the conclusion
of the course?
FERPA Considerations
Based upon the decision in Owasso v. Falvo,
supra, there should not be a problem with having students post
assignments to a shared web site for review by other students as
part of the course assignment. This is a standard pedagogical technique
not prohibited by FERPA.
Revision .5, December 12, 2004