FERPA (Family Educational Rights and Privacy Act)

From E-Learning Faculty Modules


Contents

Module Summary

The Family Educational Rights and Privacy Act (aka “Buckley Amendment” or “FERPA”) was signed into law in 1974 by President Gerald Ford (after passing the U.S. House and Senate). This federal law was designed to define how personal (as in related to a person) educational data should be handled by school administrators and what should be held close and what may be publicly released. This module touches on some of the basics about FERPA and how this (and other privacy-based laws and practices) may affect online teaching and learning.

Takeaways

Learners will...

  • review what the Family Educational Rights and Privacy Act is, when it originated, why it was created, and how it has evolved over the years…and also consider the role of the U.S. Department of Education in the enforcement of FERPA in the U.S.
  • consider the values and principles behind FERPA and the rights being protected with FERPA
  • think of what FERPA means for student information release in education and how it affects online teaching and learning
  • list exceptions to FERPA and consider when these exceptions might apply
  • consider whether FERPA applies only to formal credit courses and formalized learning sequences or to some degree to non-credit / short courses.


Module Pretest

1. What is “FERPA” (Family Education Rights and Privacy Act)? When did it originate? Why was it created? How has it evolved over the years? What is the U.S. Department of Education’s role in enforcing FERPA?

2. What are the values and principles behind FERPA? What rights are being protected with FERPA? Who are the main stakeholders?

3. What does FERPA mean for student information release in education? How does FERPA affect online teaching and learning?

4. Are there exceptions to FERPA? If so, what are these exceptions, and when? What other laws are there that also affect learner privacy?

5. Does FERPA apply to only formal credit courses and formalized learning sequences, and not non-credit (short) courses?

Main Contents

1. What is “FERPA” (Family Educational Rights and Privacy Act)? When did it originate? Why was it created? How has it evolved over the years? What is the U.S. Department of Education’s role in enforcing FERPA?

The Family Educational Rights and Privacy Act (FERPA) [aka the “Buckley Amendment”] was created to protect student privacy rights from release to others or the public, independent from the particular student…and to define the standards for the release of private student information (defined as educational information and records). This federal privacy law was signed into law in 1974. In the intervening years, there have been various addendums (https://www2.ed.gov/policy/gen/guid/fpco/ferpa/leg-history.html Legislative History of Major FERPA Provisions).

FERPA was created to address the issue of how to handle student-based educational data.

The U.S. Department of Education has a primary role in enforcing FERPA. The schools that receive U.S. Department of Education funding have to abide by FERPA guidelines. In most contexts, it is the registrars offices that deal with FERPA at institutions of higher education.

Learners have additional privacy rights beyond FERPA, but those will be addressed in another section (in this module).


2. What are the values and principles behind FERPA? What rights are being protected with FERPA? Who are the main stakeholders?

There seem to be two main stakeholders in terms of FERPA. For students under 18, their parents and guardians are important stakeholders. One of the sources by the U.S. Department of Education highlights this by their form of address:

To protect your child's privacy, schools are generally prohibited from disclosing personally identifiable information about your child without your written consent. Exceptions to this rule include:
disclosures made to school officials with legitimate educational interests;
disclosures made to another school at which the student intends to enroll;
disclosures made to state or local education authorities for auditing or evaluating federal- or state-supported education programs, or enforcing federal laws that relate to those programs; and
disclosures including information the school has designated as "directory information."

[“Parents’ Guide to the Family Educational Rights and Privacy Act: Rights regarding Children’s Education Records,” 2007]

The other stakeholder group for FERPA are students. Once students turn 18, the ownership of their data reverts from their parents to them.

“Once a student reaches 18 years of age or attends a postsecondary institution, he or she becomes an "eligible student," and all rights formerly given to parents under FERPA transfer to the student” [“FERPA General Guidance for Students,” 2015]

At this point, parents do not have rights to see student records. (FERPA protects student records even from spousal access.) Another source describes this:

“This U.S. federal law also gave students 18 years of age or older, or students of any age if enrolled in any post-secondary educational institution, the right of privacy regarding grades, enrollment, and even billing information unless the school has specific permission from the student to share that specific type of information.” (Family Education Rights and Privacy Act, Nov. 27, 2017)

In terms of the cases that have arisen around the application of FERPA, some patterns have emerged. While students have access to their own records for inspection and review and may request to amend (change) and may decide to hold or disclose, their rights to not extend to automatic amending, for example. They cannot just change grades. They cannot just change disciplinary records. And so on. One source writes:

Under FERPA, an eligible student has the right to request that inaccurate or misleading information in his or her education records be amended. While a school is not required to amend education records in accordance with an eligible student's request, the school is required to consider the request. If the school decides not to amend a record in accordance with an eligible student's request, the school must inform the student of his or her right to a hearing on the matter. If, as a result of the hearing, the school still decides not to amend the record, the eligible student has the right to insert a statement in the record setting forth his or her views. That statement must remain with the contested part of the eligible student's record for as long as the record is maintained.
However, while the FERPA amendment procedure may be used to challenge facts that are inaccurately recorded, it may not be used to challenge a grade, an opinion, or a substantive decision made by a school about an eligible student. FERPA was intended to require only that schools conform to fair recordkeeping practices and not to override the accepted standards and procedures for making academic assessments, disciplinary rulings, or placement determinations. Thus, while FERPA affords eligible students the right to seek to amend education records which contain inaccurate information, this right cannot be used to challenge a grade or an individual's opinion, or a substantive decision made by a school about a student. Additionally, if FERPA's amendment procedures are not applicable to an eligible student's request for amendment of education records, the school is not required under FERPA to hold a hearing on the matter. [“FERPA General Guidance for Students,” 2015]


3. What does FERPA mean for student information release in education? How does FERPA affect online teaching and learning?

The Family Educational Rights and Privacy Act affects “educational records.” Educational records may include admission records, academic ones, financial information, disciplinary information, health information, and other data. Educational records include a wide range of information in various modalities: photographs, publications, written documents, transcripts, application forms, test data, emails, videos, and security tapes. Anything that contains personally identifiable information (PII) is especially sensitive and more closely held (Family Education Rights and Privacy Act, Nov. 27, 2017). Sole possession notes (those written by school employees about a student) are education records (“FERPA and Student Notes,” n.d.) that are sensitive.

Essentially, FERPA means that educational institutions need to be law-abiding and thoughtful in how they share private student information. This law separates out data into two general categories: “non-directory information” and “directory information.” The first is considered private and will require specific circumstances to reveal, and the second is considered generally able to be revealed without special dispensation. “Directory information” is thought to be generally public information that may be released without causing invasion of privacy or enabling harm (if mis-used).

“Directory information” is generally thought to include a student’s name, address, telephone, e-mail address, date and place of birth, dates of attendance, and grade level. A student’s participation in sports and school activities is considered directory information. A student who competes on athletic teams may have his or her weight and height listed. A student’s degrees, honors, and awards is considered directory information and by default able to be publicized. Finally, the most recent school attended is also included in this group. In higher education, directory information may include job titles, dates of attendance, degrees awarded, grade level, and enrollment status.

In K12, these protections apply to children’s education records “such as report cards, transcripts, disciplinary records, contact and family information, and class schedules” [“Parents’ Guide to the Family Educational Rights and Privacy Act: Rights regarding Children’s Education Records,” 2007].

That said, a student may choose to withhold what is traditionally considered directory information. There are higher levels of privacy protections beyond holding directory information private. For example, students who may be at risk if they reveal their true identities and other information may have all of their information closely held in an educational institution.

All other non-“directory information” student data is considered by default private. These include demographic data like race, ethnicity, nationality, and gender. A student’s schedule and specific class location is protected because these have been used in the past to achieve physical attacks.

Just because privacy is the default setting does not mean that the student cannot release the data if he or she so chose, with signed consent. (As mentioned earlier, this is usually handled through the registrar’s office.)

FERPA affects the release of student information to staff who have a “legitimate educational interest” to access that information.

Non-students are not given FERPA protections. Such non-students may be those denied applicants to an educational institution.

If cases where there are public safety considerations, school administrators are bound by law to work with law enforcement to address threats. In such cases, the FERPA protections of educational records will not be sacrosanct. The need for public safety trumps students’ privacy rights.

What does FERPA mean for online learning?

  • For faculty who use public wikis and blogs, they should not require students to use personally identifiable information like their names that can be traced back to them. They should also not use public venues to provide evaluative information to learners (FERPA training video 4, Feb. 19, 2015), such as by posting evaluations of student work on public wikis and blogs. It is important to note that “public” also means the “internal public” of a class and classmates. A student’s personal information should not be released to other classmates either. (This means that evaluations and grades for students should not be viewable by other online learners in that course.)
  • Faculty who use social media and social networking sites with their students have to beware of the requirements of FERPA.
  • Those instructors who would go broadly public and “publish” their student work should follow all media rules—including those related to intellectual property, defamation, privacy, and others. If videos are taken of learners, instructors need students to have signed media releases in order to use their likeness. Also, instructors do not have rights to use student work in future classes, without having a legitimately signed release by the student (who owns copyright to their own creations).
  • Advisers who bring together students to advise on a shared course shell of an LMS would do well to protect learner information and keep private information private. They have to understand the technologies sufficiently to not accidentally or inadvertently leak information.
  • If an instructor receives an email from an unverified and non-university email account requesting access to private information, he or she cannot release private information of students through those channels—because he or she cannot truly verified the email sender’s identity. This is also true for phone calls.
  • FERPA applies to faculty who are asked to write letters of recommendation for students. They need permission by the respective students to share their grade data, for example. Releases have to be legally signed. (Any release of student information has to be legally defensible.)


4. Are there exceptions to FERPA? If so, what are these exceptions, and when? What other laws are there that also affect learner privacy?

There are law enforcement exceptions to FERPA. There are health emergency exceptions to FERPA.

While FERPA is the primary federal law related to student data privacy, there are some other laws at play.

For example, the Children’s Online Privacy Protection Act (COPPA) protects the types of data that may be collected and held about children under 13 on online sites. More information may be found in Complying with COPPA: Frequently Asked Questions and Children’s Online Privacy Protection Act.

There are laws protecting people’s privacy related to health information. More may be learned about the Health Insurance Portability and Accountability Act of 1996 or HIPPA here.

In general, it is wise to avoid liability when engaging with student records. Liability and Student Records


5. Does FERPA apply to only formal credit courses and formalized learning sequences, and not non-credit (short) courses?

Technically, FERPA applies to “educational agencies and institutions that receive funding under a program administered by the U.S. Department of Education” Family Educational Rights and Privacy Act.

As noted earlier, FERPA is one law in a small thicket of laws, and there are a number of privacy protections. It is important to go with legal counsel when releasing learner information.

Examples

Per the cited resources, there are some authoritative online sites with more in-depth information about FERPA.

How To

This module is for informational purposes only and is not advisement and not counsel. Any sort of decision-making should be made with the input of university experts on the issue and legal counsel. The default setting should be to not release student information until the legality of such an action is clear.

Note that FERPA is no reason to restrict constructive learning approaches such as peer review (if done legally and without unintentional/intentional sharing of private learner data).

Possible Pitfalls

Risks related to the Family Educational Rights and Privacy Act (FERPA) stem from being unaware of this federal law and its implications. There are various nuances to this, and it would be safest to consult with the school’s legal counsel and the registrar’s office to know how to proceed if there are requests for student data of any sort.

There is an important caution in the Social Age for teachers who use wikis and blogs (web logs). No personally identifiable information should be released on such platforms, and no instructor evaluation of learner performance (such as commentary, feedback) should be shared on public platforms. The “public” is still an issue even if the wikis and blogs are closed to general public access but include learners in the class. Student grades and assessments should not be knowable or seeable by their fellow peers. (This is why it is inadvisable to allow students to sort through a stack of exams to find their own because they can see others’ grades as they’re looking for their own.)

Module Post-Test

1. What is “FERPA” (Family Educational Rights and Privacy Act)? When did it originate? Why was it created? How has it evolved over the years? What is the U.S. Department of Education’s role in enforcing FERPA?

2. What are the values and principles behind FERPA? What rights are being protected with FERPA? Who are the main stakeholders?

3. What does FERPA mean for student information release in education? How does FERPA affect online teaching and learning?

4. Are there exceptions to FERPA? If so, what are these exceptions, and when? What other laws are there that also affect learner privacy?

5. Does FERPA apply to only formal credit courses and formalized learning sequences, and not non-credit (short) courses?

References

Family Educational Rights and Privacy Act. (2017, Nov. 27). Wikipedia. https://en.wikipedia.org/wiki/Family_Educational_Rights_and_Privacy_Act.

Family Educational Rights and Privacy Act (FERPA). (n.d.) U.S. Department of Education. https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

FERPA General Guidance for Students. (2015). U.S. Department of Education. https://www2.ed.gov/policy/gen/guid/fpco/ferpa/students.html.

FERPA Training Video 4. (2015, Feb. 19). CatchCreative on YouTube. https://youtu.be/ZvAWBxmMt6U.

Parents’ Guide to the Family Educational Rights and Privacy Act: Rights regarding Children’s Education Records. (2007). U.S. Department of Education. https://www2.ed.gov/policy/gen/guid/fpco/brochures/parents.html.

Extra Resources