FERPA and Electronic ID's

Created by Steven Worona (EDUCAUSE) on December 2, 2004

FERPA is the Family Educational Rights and Privacy Act, the law that limits the release of student information. It's also known as "the Buckley Amendment". Every college administrator who ever deals with student records has heard of FERPA. So have all the faculty.

FERPA is administered by the Family Policy Compliance Office of the U.S. Department of Education, affectionately known as FPCO or just "the FERPA Office". Since 1988, the chief administrator of the FERPA Office has been LeRoy Rooker.

FERPA defines and then specifies the handling of "student education records", which include any information "maintained by" the college that is "directly related to a student". Therefore, of course, grades are student education records. And so are transcripts, course enrollment data, exam papers, etc. Most "personally identifiable information" from student education records can't be released outside the college without the student's permission, and can't even be accessed within the college except by those with "a legitimate educational interest" in the information.

FERPA also creates a category called "Directory Information", data that can be made public without student permission. Each college must decide, within certain limits, what it considers Directory Information, and must publish the list. Typically this includes things like name, phone number, address, graduation year, and major. According to FERPA Regulations, Directory Information is "information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed".

When you realize that FERPA became law in August of 1974 (don't trust anyone over 30), it's not surprising that some of its provisions are a bit difficult to apply in the context of modern computer and network technology.

In particular, administrators on several campuses interpret FERPA as requiring electronic student ID's to be private. They are, after all, personally identifiable information maintained by the college in a student education record. They also "uniquely identify" one particular student, and therefore (according to these administrators) cannot be considered Directory Information.

Now, wait just a minute (you might be thinking). What about e-mail addresses? They surely uniquely identify a particular student, but they're one of the most obvious examples of what ought to be treated as Directory Information. Well, yes, and in 2000 FPCO explicitly amended the FERPA regulations to allow e-mail addresses as Directory Information. But this still left all the other unique electronic identifiers in limbo.

This leads to some dilemmas. For example, the public keys in PKI certificates aren't useful unless they're both unique to the certificate holder and public. Even more fundamentally, there's no point in saying that Directory Information itself is public if the unique student ID needed to find that directory entry is private.

Well, I bring you good news. In response to a series of letters from the University of Wisconsin, River Falls, the FERPA Office has determined that it's OK to release unique electronic student ID's as long as

  • they are not derived from Social Security Numbers (see Rodney Petersen's blog entry for more on SSN's), and
  • they can't be used without additional authentication (such as a PIN or password) to acquire non-Directory Information about the student.

If you're one of the many who work with FERPA, go take a moment and read the letter. I think you'll agree with me that FPCO did an excellent job on a tricky question.

And now go distribute those PKI certificates.

Steve


This message reflects the opinions of the author, and not necessarily those of EDUCAUSE or its members.


 