Student Privacy Online
From E-Learning Faculty Modules
With universities storing a wealth of student information online these days, protecting student privacy has become absolutely crucial. Major precautions have had to be taken to protect students' personal information from being given to or taken by an unauthorized party. The federal government considered this area so important that it created legislation concerning it. This module will focus on FERPA rules and the measure Kansas State University has taken to protect student privacy online.
- Basic FERPA rules and resources
- Student rights
- K-State password protection
- Grievance procedures
FERPA Rules and Resources
- Faculty and staff guidelines
- Requests for information from the educational record of a student should be referred to the proper educational record custodian.
- Private notes of a faculty/staff member concerning a student and intended for the faculty/staff member's own use are not part of the student's educational record, provided they are kept separate from the student’s educational records. Only those individual student records that are necessary to fulfill professional responsibilities should be kept. Private records of faculty/staff and ancillary educational personnel are to be kept in the sole possession of the maker and are not to be accessible or revealed to any other person, except a substitute.
- Requests for information from the educational record custodian must not be made without a legitimate educational interest and the appropriate authority to do so.
- Student scores or grades may not be displayed publicly in association with names, social security numbers or other personal identifiers. Some other code known only to the instructor and the individual student may be used to post grades/scores.
- All papers or lab reports containing student names and grades should be secured. Students should not have access to the scores and grades of others in the class.
- Factual information regarding grades and performance in an educational record may be amended when the student is able to provide valid documentation that information is inaccurate or misleading. See Review and Challenge of Records.
- Student educational record information is not to be shared, including grades or grade point averages, with other faculty or staff members of the University unless their official responsibilities identify their "legitimate educational interest" in that information for that student.
- Information from student educational records, including grades, grade point averages, and letters of recommendation should not be shared by phone or correspondence with parents or other parties outside the institution, without written permission from the student.
- Information from medical, psychiatric, or psychological reports; records from law enforcement officials on or off the campus; or notes of a professional or staff person which are intended for that individual alone are not to be included in a student's educational records or made available to him/her, or to a third party.
- FERPA enforcement may include sanctions as severe as the withholding of federal funding. Civil litigation against individuals for alleged FERPA violations is also possible.
- Kansas State University Registrar’s Office - http://www.k-state.edu/registrar/ferpa/ferpa.html
- U.S. Department of Education - http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
- Confidentiality Statement
- Kansas State University maintains various student records to document academic progress as well as to record interactions with University officials and staff. To protect the students’ rights to privacy, and to conform with the Family Educational Rights and Privacy Act of 1974 (FERPA), the University has an established the Student Records Policy. Interpretation of this policy is based on experience with educational records, and the policy itself may subsequently be modified in light of this experience. Notice of this policy and of students’ rights under FERPA is given annually. Copies of this policy are available at the Registrar’s Office, 118 Anderson Hall, and it is published in the Undergraduate and Graduate Catalog and in the Course Schedules.
- Student Rights according to FERPA
- Right of inspection of records
- Right to challenge records believed to be inaccurate
- Right to consent to disclosure of personally identifiable records (with exceptions).
- Right to file complaints of alleged violations of the aforementioned rights.
- Directory Information
- Certain information concerning students is considered to be open to the public upon inquiry. This public information is called directory information and includes: name, local address and telephone number, permanent address, e-mail address, date and place of birth, photograph or likeness, college, curriculum, enrollment status (full/part-time), classification, dates of attendance at Kansas State University, awards and academic honors, degrees and dates awarded, most recent previous educational institution attended, participation in officially recognized activities and athletic teams, and height and weight of student athletes.
- Directory information as defined above will be released upon inquiry, unless the student has requested that this information not be released. The student’s request to have directory information withheld must be submitted to the Registrar’s Office, 118 Anderson Hall (208 College Center, Salina). The Registrar’s Office will notify other appropriate University offices by placing a notation within the student information system. See the FERPA Non-Disclosure page for further information and for a copy of the form.
- Student Records Policy
- Kansas State has also developed the Student Records Policy to protect students’ right to privacy and conform to FERPA.
- The full policy can be found at: http://www.k-state.edu/registrar/a_r/index.html#STUREC
K-State Password Protection
- One of the main ways that student privacy online is compromised is through poor password protection. In light of this, K-State has developed the following policies to help protect eID passwords.
- Passwords must have a minimum of 7 characters.
- Passwords must contain characters from 3 of the 4 following categories:
- Uppercase letters
- Lowercase letters
- Special Characters (for example: !,@,#,$,%,^,&,*, etc. But be aware if traveling outside the U.S. that some symbols, like the U.S. dollar sign, may not be available on international keyboards)
- Passwords cannot be the same as the K-State eID and not easily guessed (for example: no variants of the K-State eID, dictionary words, family names, pet names, birthdates, etc.).
- Passwords must be changed at least twice a year (eID password changes are during a designated time at the beginning of the fall and spring semesters).
- Passwords must be changed significantly and cannot repeat more frequently than every two years.
- Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.
- The same password used to access Kansas State University Systems (for example, your eID password) must not be used for accounts or other forms of access to non-K-State systems or applications such as online shopping, banking, etc.
- Passwords must not be shared unless explicitly permitted by the issuing authority. eID passwords must not be shared under any circumstances.
- Anyone who believes their password has been compromised must immediately notify their departmental or college IT support, or the IT Help Desk to evaluate possible risks.
- Default passwords in vendor-supplied hardware or software must be changed during initial installation or setup.
- The eID password must never be transmitted over the network in clear text (i.e., it must always be encrypted in transit). It is also strongly recommended that other types of passwords be encrypted in transit.
- K-State also makes it clear through university policy, frequent emails, and reminders on K-State websites that the university will never ask for a student’s password via email. Any email that asks for a student’s password is a scam and should be deleted.
- Review & Challenge of Records
- Upon request to the University official listed above, a record covered by the FERPA will be made available within a reasonable time to the student and in no event later than 45 days after the request. Copies are available at the student’s expense and explanations and interpretations of the records may be requested from the University official in charge. If the student believes that a particular record or file contains inaccurate or misleading information, the University will afford an opportunity for a hearing to challenge the content of the record. Prior to any formal hearing, the University official in charge of the record is authorized to attempt, through informal meetings and discussions with the student, to settle the dispute. If this is unsuccessful, the matter will be referred to the appropriate vice-president. If the student is still dissatisfied, a hearing may be requested. The hearing, conducted by a hearing officer appointed by the President, will be held within two weeks. The student will have the opportunity at the hearing to present any relevant evidence, and a decision will be rendered within two weeks after the hearing. If the result does not satisfy the student, he or she may place a statement in his/her educational record.
- A student who believes the University has not complied with the FERPA or regulations may send a written complaint to the Family Educational Rights and Privacy Act Office, Dept. of Education, 400 Maryland, SW, Washington, DC 20202.
Despite the University’s best efforts, it is nearly impossible to plan for or eliminate all situations that could compromise student privacy. However, possessing a clear policy and working to ensure its constant implementation does much to protect student privacy. Making sure that faculty, staff, and especially student workers are aware of University policy and FERPA is critical in this area.