Main Nav

EDUCAUSE and Security Task Force Comment on Proposed FERPA Rules

EDUCAUSE joined the American Council on Education (ACE) in comments to respond to a Notice of Proposed Rulemaking regarding the Family Educational Rights and Privacy Act (FERPA). The EDUCAUSE contribution addressed the proposed rules treatment of Social Security Numbers (SSN's), Student ID Numbers, and Student User ID's in the context of "directory information." The comments state:

According to the discussion [in the proposed rules], "student ID numbers (SID) can be used to impersonate the owner of the number and obtain information or services by fraud." We understand that this is widespread practice with respect to how the private sector uses the SSN for obtaining a variety of products and services. We do not believe, however, that unique student ID numbers created for internal educational uses typically are used in the same way or are subject to the same abuses. More often than not, such numbers are treated as identifiers only; they normally cannot be used to obtain access to education records by themselves, without a further act of authentication, nor can they normally be used in combination with other commonly available information to establish accounts or impersonate people. Moreover, on many campuses, the general "student ID number" and the "user ID" used to log in to electronic systems are in fact one and the same. As a result, many campuses may believe that they cannot designate these various kinds of identifiers as directory information even when doing so would yield clear benefits and could cause no harm.

The comments support the U.S. Department of Education's position that SSN's should never be considered "directory information". However, the comments provide alternative language for the treatment of SID and User ID's, essentially suggesting that they could be treated as "directory information" if there is an additional act of authentication and that the identifier itself does not provide an individual with access to student education records. The entire comments related to "directory information" are available on pages 1-2 of the ACE letter. There is also a discussion of "outsourcing" on pages 4-5.

The EDUCAUSE/Internet2 Computer and Network Security Task Force also commented on the department's "Recommendations for Safeguarding Education Records". FERPA has never contained regulations related to the security of student education records, although it is implied as a necessary safeguard to help keep student education records private. The department chose to include in this Notice some recommendations that included references to guidance issued by the National Institute of Standards in Technology (NIST) and the Office of Management and Budget (OMB). While the Security Task Force shared the department's concerns about cybersecurity, it was concerned that focus on government approaches may be misinformed and encouraged the department to consider resources developed by the task force (e.g., see Effective IT Security Practice Guide). The task force further cautioned the department that "the inclusion of recommended safeguards causes considerable confusion about the department's intentions and future plans."



Connect: San Antonio
April 22–24
Register Now

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.


Digital Badges
Member recognition effort
Earn yours >

Career Center

Leadership and Management Programs

EDUCAUSE Institute
Project Management



Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.


EDUCAUSE organizes its efforts around three IT Focus Areas



Join These Programs If Your Focus Is


Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.



2015 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations

Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.