FERPA Regulations For The Online Environment: A Toolkit For Faculty & Staff Dr. Geri Anderson...
-
Upload
rafe-bates -
Category
Documents
-
view
216 -
download
0
Transcript of FERPA Regulations For The Online Environment: A Toolkit For Faculty & Staff Dr. Geri Anderson...
FERPA Regulations For The Online Environment: A Toolkit For Faculty
& Staff
Dr. Geri [email protected]
Quick FERPA OverviewJust the Basics
Guidelines for Online EnvironmentsSpecific Online Examples
AGENDA
Check for UnderstandingScenarios Designed for Online Environments
Questions/Comments/Ideas
FERPA
FERPA of 1974 is a federal law designed to:• protect the privacy of education records.• establish the right of students to inspect and
review their education records.• provide guidelines for the correction of
inaccurate and misleading data through informal and formal hearings.
FERPA is enforced by the Family Policy Compliance Office.
It’s All About The “Record” Not Where The Record Hangs
Out
FERPA is Technology Neutral!
FERPA is one of the most misunderstood regulations in education when it comes to electronic classrooms.
Inspire “Common Sense” Mentality
The Basics of The Law
College students must be permitted to inspect their own education records.
•School officials may not disclose personally identifiable information about students nor permit inspection of their records without written permission unless such action is covered by certain exceptions permitted by the Act.
Basic Rules
• Student educational records are considered confidential and may NOT be released without the WRITTEN consent of the student
• There are exceptions to written permission of student
WHEN IN DOUBT- DON’T GIVE OUTASK! ASK! ASK!
• Education Record• Personally Identifiable• Directory Information• School Official• Legitimate Educational Interest
Key FERPA Terms
• Any record, with certain exceptions, maintained by an institution that is directly related to a student or students
• Education records include both personally identifiable information such as a student’s name(s) or information from which an individual student’s identity can be deduced
• Education records include: files, documents and materials in whatever medium (handwriting, print, tapes, disks, film, microfilm, or microfiche)
What is an Education Record?
• Law Enforcement Records• Employment Records • Medical Records • Alumni Records • Sole Possession Notes• Student Work Prior To Evaluation
What is NOT an Education Record?
Educational Record?
Just about any information provided by a student for use in the educational process is considered a student educational record:
A. Personal Information – Personally Identified
B. Enrollment RecordsC. GradesD. Schedules
• Sole Possession: notes made by one person as an individual observation or recollection, and kept in the possession of the makero Once hared with anyone, becomes educational recordo Best practice: If you don’t want it to be subject to
review, don’t write it down.
• Student Employee employment records are educational records
• Alumni Records
What is NOT an education record?
Directory information is the information available about a student that is not considered harmful or an invasion of privacy if disclosed. While FERPA protects the privacy of educational records, directory information is not treated as confidential and may be disclosed by the institution without student consent unless the student requests a privacy hold.
Directory Information
Sample Directory Information
Student’s name Student’s local/permanent addresses and email address Student’s listed telephone number(s) Major field of study
Dates of attendance Enrollment status (undergraduate or graduate, full time or part
time) Degrees and awards Most recent previous educational institution attended
Publication titles (dissertations) Weight and height of university athletes Participation in officially recognized activities and sports
---Check With Your Registrar for Your Institution’s Directory Information---
Race or Country of CitizenReligionGender
Social Security NumberGrades or GPA
NEVER DIRECTORY INFORMATION
School Officials
As a college employee you have a responsibility to protect educational records
in your possession regardless of the medium.
• Legitimate educational interest means a school official has a need-to-know specific information in a student's record. Legitimate educational interest refers to any authorized interest or activity undertaken in the name of the institution.
• Access to an educational record must be necessary or appropriate to the operation of the institution or to the proper performance of the educational mission of the institution.
Legitimate Educational Interest:
Need To Know Basis
CONFIDENTIAL BLOCK/NON-DISCLOSURE
Students can block the release of all information, including directory information. This must be done in writing by the student but faculty must be certain to check for blocks before providing any student information.
If In Doubt…Don’t Give Out!
FERPA & Social MediaFERPA Guidelines
Sharing is an important part of learning
FERPA doesn’t isolate learning from the community.
FERPA requires schools to maintain control over certain student records. These records include medical information, social security numbers, and grades.
FERPA requires all student coursework to be kept private at all times, and thus prevents the use of social media in the classroom – NOT!
FERPA does not prevent instructors from assigning students to create public content as part of their course requirements.
Social Media submissions not FERPA-protected •Not yet received •Not in the custody of the college•Not reviewed/evaluated by the faculty
Social MediaPolicy Suggestions
Check Your Institution’s Policy When students are assigned to post information to
public social media platforms outside of the institution LMS, include a statement that their material may be viewed by others in the course syllabus.
Do not require students to release personal information on a public site.
Allow “posting” under an alias. Instructor comments or grades on student material
should not be made public. Peer review and grading can be public.
While not required by law, students under the age of 18 should get their parents’ consent to post public work.
Enact, “common sense” rule allow alternative assignment Reminder NOT to post personal information
FERPA & Wiki’sA Wiki is an open collaboration tool. This means that access should be restricted only in cases which really require it. That said, here is how to modify access.
• A wiki is a collaborative website where readers can also contribute content.
• Institutions may create one wiki separated into different areas called webs. Webs can be public or restricted to a group. Once you register your wiki username, you can eithercontribute to an existing wiki web (space), or get your own
and use it for group or class collaboration.
FERPA Consent Form for Course Wiki Participation
Under the Federal Family Education Rights and Privacy Act of 1974 (FERPA) and NC State’s FERPA regulation, a student’s education records are protected from disclosure to third parties. Because of the public nature of wikis, students must provide written consent for wiki participation in a course setting. I understand that participation in a wiki is required for (Name and number of course) I give permission to (Instructor) to include me in the wiki for this course. I understand that the wiki will be open and accessible to the public. (Student’s signature and date)
Syllabus Statement"In this class, our use of technology will sometimes make students' names and Internet IDs visible within the course website, but only to other students in the same class. Since we are using a secure, password-protected course website, this will not increase the risk of identity theft or spamming for anyone in the class. If you have concerns about the visibility of your Internet ID, please contact me for further information."
FERPA & Electronic and Digital Signatures
Electronic or “noncryptographic” signature: A written signature that is transmitted electronically. Such a signature “looks like” a signature.
Examples: A. Faxed signatureB. Retail store electronic pads are used on which a signature is written with a
stylus when making a credit card purchase.
Digital signature: Electronically encrypted by computer system consisting of a combination of letters, numbers and signs; it looks nothing like a written signature. Many state laws use the phrase “electronic signature” interchangeably with “digital signature,” as shorthand for any signature not in traditional form. In terms of taking practical steps to ensure message integrity, however, it is useful to keep in mind the differences.
Electronic Signatures
FERPA allows institutions of higher education to disclose education records to third parties when the request is made via electronic signature. “Signed and dated written consent” under this part may include a record and signature in electronic form provided the educational agency or institution follows a process to:
--Identify the individual and authenticate the identity of the individual requesting disclosure of education records;
--Attribute the signature to the consent;
--Secure and verify the integrity of the consent in transmission and upon
receipt; --Document and record the signed
message.
Authentication. Name, Date of Birth and Social Security number associated with an electronic signature must be authenticated by a third party against an approved database;Security. Transmission of social security numbers from a school to the third-party authenticator must be 100 percent secure, to prevent unauthorized access to applicants' personal data; andDisclosure. Applicants must be fully informed of their rights regarding the use of electronic signatures, including their right to opt out of the e-sign system.
Authentication: Name, date of birth and social security number associated with an
electronic signature must be authenticated by a third party against an approved database
Authentication Options:•National Commercial Credit Bureaus•Commercial Data Sources or Services•State Motor Vehicle and Other Government
databasesNot An Option: School Databases
Electronic Signature Policy Considerations (Required)
Security: Transmission of social security numbers from a school to the third-party authenticator must be 100
percent secure, to prevent unauthorized access to
applicants' personal data.
Disclosure: Applicants must be fully informed of their rights regarding the use of
electronic signatures, including their right to opt out of the e-sign system.
Electronic Signature Policy Considerations (Required)
FERPA AND 3RD PARTY VENDORSLIVING IN THE CLOUD
Responsibilities of a Cloud Provider
The FERPA Regulations, 34 C.F.R. § 99.33(a)(1):
An educational agency or institution may disclose personally identifiable information from an education record only on the condition that the party to whom the information is disclosed will not disclose the information to any other party without the prior consent of the student.
FERPA AND 3RD PARTY VENDORS– LIVING IN THE CLOUDResponsibilities of the School
Schools must maintain “direct control” over student personal data even when outsourced to cloud computing services. According to Department of Education guidance in the 2008 regulations:Schools outsourcing information technology services, such as web-based and email services, should make clear in their service agreements or contracts that the outside party may not use or allow access to personally identifiable information from education records, except in accordance with the requirements established by the educational agency or institution that discloses the information.
FERPA AND 3RD PARTY VENDORS– LIVING IN THE CLOUD
Components Needed In Agreements
•Designate the cloud computing provider as a “school official” in order to facilitate the sharing.
•FERPA Language: A school official is a person employed by the University in an administrative, supervisory, academic or research, or support staff position (including law enforcement unit personnel and health staff); a person or company with whom the University has contracted as its agent to provide a service instead of using University employees or officials (such as an attorney, auditor, or collection agent); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. Department of Education,
AGREEMENT FOR PROTECTION OF College INFORMATION This Agreement is made by and between _________________________ [ outside party receiving student information ], and [Your Institution] _________________ desires to provide a service called ______________ to [Your Institution] and its students. This service will [ describe the service. Then describe how it’s paid for, if applicable. ] The service will benefit ______________ as a source of revenue [ or however it will benefit ], and will benefit [Your Institution] as an enhancement of electronic course management [ or whatever ]. The parties hereby agree to the following terms and conditions with respect to the ____________________ service. 1. _______________________ acknowledges that [Your Institution] has a duty to maintain the privacy of education records under federal privacy law ("FERPA" at 20 USC 1232g and 34 CFR part 99), and further acknowledges that as an independent contractor providing a service for [Your Institution], _________________ accepts responsibility to preserve the privacy of all education records (including student passwords and identification codes, student submissions of assignments and other information, and student grades) to the full extent required of [Your Institution]under FERPA. 2. ___________________ will not use any personally identifiable information acquired from [Your Institution]or from [Your Institution]students for marketing, sales, or anything else beyond the _________________ service provided to [Your Institution]. 3. _____________ will employ security measures that are at least as good as industry standard and that pose extremely little risk of breach of confidentiality of data. 4. ____________________ will indemnify and hold [Your Institution]harmless against any FERPA or other privacy violations, security breaches, or loss of data with respect to __________________'s transmission, storage, use, and disclosure of student assignments, grades, and any other data that is part of the _______________________ service provided to [Your Institution]. 5. ______________ will provide the ______________________ service with sufficient reliability to allow students to receive and complete assignments, and the instructor to receive grades, on a schedule that allows timely completion of the course. 6. This Agreement shall be governed by and construed under the laws of the State of [Your State], which shall also be the forum for any lawsuit arising from or incident to this Agreement. Agreed to this the _________ day of _____________ 200_ by the duly authorized representatives of the parties, as witnessed by their signatures below: [Your Institution] Signature: _____________________________________________[ printed name and title of University official authorized to sign contracts ][ other party’s legal name ]
Signature: _____________________________________________
[ printed name and title ]
FERPA & Communicating
Online
Email, Texting & IM•You should always use the institution email address to communicate with students from your official institution email account (require part-time faculty to use institutional email)•It is permissible to communicate about educational records, including grades, through the student’s institutional email account•If you email a group of students, put the students’ email addresses in the BCC column or develop a distribution list for each class•Public instant messaging is not a secure option for communicating any sensitive information; this includes your students’ grades, IDs and passwords
Communicating With Students Electronically
• When communicating about a student's non-directory information (e.g., sending change-of-gradepaperwork), use your college email only.
• Always use a student’s college email account. Students can forward this email to another account, but in so doing, they remove the information from the school protected server and assume liability for the content of the email at that point.
• Conduct ALL grade and performance discussions with students in the course by using the internal Mail tool only.
• Place a statement in the Subject line or body of external email communications that states: "Under FERPA, this email is intended only for (Student's Name)."
• Keep a record of all communications during a term as a record of compliance.• Protect all records kept on a computer, printed, or otherwise stored during a
term. Ensure these and any non-directory information about a student (e.g., grade book backups, graded coursework) is protected. If you share a computer with anyone, consider password-protecting student information or keeping it on a password-protected external storage medium.
• Never post grades or comment in an evaluative manner about course performance in spaces external to the password-protected course system.
FERPA & CopyrightPublishing/PostingStudent Work
•If you post work that students developed in your classes, and you are crediting these students by name, FERPA requires that you obtain the students’ consent before publicizing their work. •This principle applies to any medium in which student work is showcased (e.g., at conferences, in journal articles, on departmental web sites, in brochures and other print materials, etc.) “Student work” is any material developed as part of a class for which students were evaluated (e.g., reports, drawings, discussion posts, etc.)
It is a FERPA violation to publicly link students’ names with class work for which they were graded without their consent.
It is a copyright violation to use students’ class work without crediting them by name.
FERPA & Storing Student Information
Do not save any student information unless absolutely necessary
• Use caution when saving confidential documents on laptops, portable storage devices (e.g., CDs, USB drives), or shared computers.
• Make sure that you routinely use anti-virus software and that your operating system is updated with the latest security patches and updates.
• Always keep your hardware in a secure physical location.
Secure Your Computer
Security breaches occur most often on computers that are not up-to- date and that do not use the most recent anti-virus software.
• Use anti- virus software• Keep your operating system
updated.• Use spyware detection
programs• Download software only from
reputable sources • Lock away your CDs, USB
drives and any other storage media
• Use a laptop security cable to lock your laptop to your desk.
• If your office has a door, lock it at the end of the day!
Check for Understanding
Scenario 1
A student in your online class has a confidentiality hold. The student indicates that because of her confidentiality request, she is unable to participate in the required online chats among her classmates. Do you have to excuse her from this portion of the course based upon FERPA guidelines?
YES
NO
FEPRA confidentiality guidelines do not permit the student to impede or be excluded from classroom communication. The student may not be anonymous in class and must participate in all required components of the course.
Scenario 2
At a recent conference, you were introduced to an interesting new online tool that you'd like to use as part of your class. Is it OK to upload your class list to the vendor's web site so that students can log in to the site?
YES
NOSince class enrollment is not directory information, uploading a class list constitutes a release of non-directory information and either requires the prior consent of every student or a contract with the vendor containing four FERPA-specific clauses. If an instructor is considering using any hosted vendor product that requires student information, then the instructor should check with purchasing to see if an appropriate contract is in place with the vendor. If not, a contract will need to be completed prior to using the product.
Scenario 3 A newspaper reporter calls to interview you about MOOCs and other online learning programs. During the conversation he asks for a list of students with contact information to include their comments in the story. Is it OK to give it out as long as the student has not requested directory information confidentiality?
YES
NO Even though FERPA allows for release of directory information without prior written consent, the reporter has asked for information that is not part of directory information.
You should ask for the reporter’s information to share with interested students.
Scenario 4
Part-time faculty share work spaces. You walk through the shared office and see an electronic grade book displayed on an unattended screen. Does FERPA apply to information stored on a computer database?
YES
NOInformation on a computer screen should be treated the same as printed records. FERPA applies to information stored on any media, including, but not limited to, print, audio, digital, video, electronic, or photographic.
General Rule: The medium in which the information is held is unimportant. No information should be left accessible or unattended, including computer displays.
Scenario 5
A student emails you from her Gmail account to ask you about a grade she received on her midterm. She believes your calculation is wrong and would like you to check her grade.
Can you email her back with the information requested?
YES
NOYou should reply to this student from your institution email account to her institution email account. If you respond to her Gmail address, it should only be to tell her that you have emailed the information to her official institution account.
Scenario 6
Students are developing historical essays as part of your online course requirements. You think it’s beneficial for students to post their work on a blog to receive feedback from interested historians. One student shares a concern with posting work because of a “personal issue”. What alternatives can you propose to the students which are allowable under FERPA?
Allow student to post using an alias
Provide an alternative assignment
Allow student to share work with a “trusted” source, such as another enrolled student
SANCTIONS OR LIABILITY RISKS FOR A FERPA VIOLATION
FERPA provides for a complaint procedure to the United States Department of Education with an ultimate sanction of withholding of federal funding. While there is generally no private cause of action directly under FERPA, students may seek to hold the Institution or individuals liable under common law tort theories such as invasion of privacy. Faculty, staff, administration or students who violate the Institution’s FERPA policy may be subject to corrective or disciplinary action, depending on the individual institution.
The Authoritative Source
Family Policy Compliance OfficeU.S. Department of Education
400 Maryland Ave., SWWashington, D.C. 20202-5920
[email protected]/policy/gen/guid/fpco/
202-260-3887 (phone)
Great Sources
2013 FERPA Quick GuideT. Falkner and L. Rooker (2013).
Washington, D.C.AACRAO
FERPA Clear and SimpleRamierez, C.A. (2009)
Jossey-Bass
QUESTIONS/COMMENTS/DISCUSSION
Dr. Geri [email protected]
www.innovativeeducators.org