Student Data Privacy
FERPA Authorization to Access Educational Record Form (PDF)
Tutorial for Faculty and Staff on Accessing a student's FERPA Form.
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student educational records. These same rights are reinforced in Minnesota by several state laws, including the Minnesota Government Data Practices Act. FERPA prohibits the funding of an educational institution that has a practice of disclosing educational records , or the personally identifiable information contained in those records, to unauthorized individuals without consent of the student’s parent. When a student turns 18 years old or attends a postsecondary institution at any age, the rights under FERPA transfer from the parent to the student.
The words "educational record" refer to "those records that are (1) directly related to a student, and (2) maintained by an educational agency or institution or by a party acting for the agency or institution."
The words "personally identifiable information" include, but are not limited to:
- The student’s name;
- The name of the student’s parent or other family member;
- The address of the student or student’s family;
- A personal identifier, such as the student’s social security number or student number;
- A list of personal characteristics that would make the student’s identity easily traceable; or
- Other information that would make the student’s identity easily traceable.
"Disclosure," in this context, includes "access to or the release, transfer, or other communication to any party, by any means, including oral, written, or electronic means."
Basically, then, FERPA says that the university and its agents (faculty, staff, administrators) are not allowed to share educational information about any student without the student’s prior consent.
There are two primary exemptions to this blanket statement:
1. FERPA defines certain information as "directory information" and gives institutions latitude to define additional categories of directory information that can be shared with anybody who asks. At Winona State University (per University Regulation 3-9), there are two categories. Directory information includes:
- Preferred Name
- Local Address
- Permanent City and State
- Local WSU Email Address
- Dates of Attendance
- Classification (FR, SO, JR, SR, GR, SP, etc.)
- Current Major and Minor Fields of Study and Licensure Programs
- Degrees and Awards Received
- Participation in NCAA or Club Sports
Limited Directory Data includes:
- Tech ID
- Legal Name
- Permanent Address
- Residence Status (in or out of state)
- Permanent Telephone Number
- Date of Birth
- Place of Birth
- Weight and Height
- Educational Institutions Previously Attended
- Date of WSU Graduation
- Advisor's Name
- Cell Phone Number
The university may disclose any of these items without prior written consent. A student who does not want directory information made available must notify the Registrar in writing.
In order to release non-directory information, FERPA requires that we have a signed and dated written statement from the student telling us (a) what specific kinds of information we can share, and (b) whom we can share it with. For example, a student who wants a potential employer or another school to have a transcript of his/her academic record must make a specific written statement allowing us to send it. The Registrar has the designated responsibility for handling FERPA disclosure statements on behalf of the university.
2. FERPA allows the university to disclose non-directory information without prior consent to (a) certain school officials, including advisors, who have legitimate educational interests; (b) certain representatives of state and federal educational agencies; (c) individuals or agencies in response to a court order or a subpoena; (d) individuals or agencies in response to a health or safety emergency.
Each of these exceptions involves some judgment to determine who has a legitimate educational interest, for example, or what constitutes an emergency. Except for those people mentioned in 2(a) above, the university is required to keep a record of requests for access to non-directory information and each person/agency to which that information was disclosed. The student may request to see that record at any time. The only major exception to this rule is that the university may be required to keep a student from knowing that a law enforcement agency has received educational records in the course of a criminal investigation or in some situations governed by the Patriot Act.
Significant Implications of FERPA
Without a student’s written consent, we cannot respond to many requests from parents, reporters, researchers, employers, clubs, or social organizations. Often these parties ask for information about a disciplinary action, attendance in class, grades or cumulative GPA, eligibility for participation in sports, or financial aid status. Each of these requests involves non-directory information and thus cannot be fulfilled. Faculty or staff who receive these requests should deny them and refer the petitioner to the Registrar for any further explanation.
Faculty are not allowed to post grades in such a way that any student's individual performance can be easily identified by a third party. In practice, this prohibits posting exams scores by name, Social Security number, or Warrior ID. Under some circumstances, it may be permissible to post by using a PIN or code known only to the student and the instructor. However, even this may be problematic in a small class or under other circumstances when a third party might easily match a student to a particular grade.
[Note: Faculty may have students evaluate each others’ work in class because the courts have determined that the work has not been "maintained," as required under the definition of educational records, until the faculty have received the finished work.]
[Note: Universal access to electronic systems at WSU offers faculty secure options for posting student grades. The D2L portal system's grade book option also allows faculty to post class grades in such a way that each student only has access to his/her own data in the grade book.]
It is also a FERPA violation to leave graded student work where others can view it or to return a student’s graded work by having another student pick it up. This means, for example, that faculty cannot have students search through a stack of other students’ papers to find their own, and that they cannot have students claim papers from a box in a hallway or departmental office. [It is ok, however, to have a secretary or another faculty member return papers, provided that they do it individually, because they have a legitimate educational interest.]
lt is not permissible to disclose a student's non-directory information during a class or group meeting, or in another public setting where it may be overheard by someone other than the student. For example, a staff member may not use one student’s financial aid information as an example in showing other students how to fill out a form. Also, a faculty member cannot use a student’s work as an example in class if doing so would reveal the student’s grade on the work.
A student has the right to view his/her own academic records and to petition to have factual errors corrected. This right does not extend to portions of the file to which the student has waived the right to access, as is often the case with letters of recommendation, for example.
Penalties For Violating FERPA&
Individuals cannot be penalized for FERPA violations, and the U.S. Supreme Court has held that individual students cannot sue for damages under FERPA. However, as noted at the top of this memo, the federal government has the right to deny funding to any educational institution that has a practice of violating FERPA. The government would base its decision in such a case upon evidence that faculty, staff, or administration had an ongoing pattern of making improper disclosures and that the university had made no effective efforts to prevent them. University Regulation 3-9 establishes the university’s own policy for applying FERPA and, therefore, demonstrates a commitment to complying with the law. Following through on that commitment becomes an obligation on the part of all faculty, staff, and administrators.
Also note that the Minnesota Government Data Practices Act (MN Statutes 13.01 et seq.) does allow for sanctions against government agencies (like WSU) and individuals who violate data privacy expectations. To quote the statute, "In the case of a willful violation, the political subdivision, statewide system or state agency shall be liable to exemplary damages of not less than $100, nor more than $10,000 for each violation. .... Willful violation of this chapter by any public employee constitutes just cause for suspension without pay or dismissal of the public employee." Unlike FERPA, therefore, the state law provides for --- in fact, requires --- a substantial penalty.
Despite FERPA's clear regulatory tone and its legalistic recitation of rights and sanctions, it is student-friendly and fully consistent with good practice in higher education. FERPA provides a clearly-articulated statement against which to benchmark our campus policy and our actual practice. Even if FERPA did not exist, the standards of community behavior at Winona State University would suggest that we voluntarily commit to the spirit of its guidelines, out of respect for our students' privacy and our individual and collective sense of integrity.