Main Nav

EDUCAUSE and Security Task Force Comment on Proposed FERPA Rules

EDUCAUSE joined the American Council on Education (ACE) in comments to respond to a Notice of Proposed Rulemaking regarding the Family Educational Rights and Privacy Act (FERPA). The EDUCAUSE contribution addressed the proposed rules treatment of Social Security Numbers (SSN's), Student ID Numbers, and Student User ID's in the context of "directory information." The comments state:

According to the discussion [in the proposed rules], "student ID numbers (SID) can be used to impersonate the owner of the number and obtain information or services by fraud." We understand that this is widespread practice with respect to how the private sector uses the SSN for obtaining a variety of products and services. We do not believe, however, that unique student ID numbers created for internal educational uses typically are used in the same way or are subject to the same abuses. More often than not, such numbers are treated as identifiers only; they normally cannot be used to obtain access to education records by themselves, without a further act of authentication, nor can they normally be used in combination with other commonly available information to establish accounts or impersonate people. Moreover, on many campuses, the general "student ID number" and the "user ID" used to log in to electronic systems are in fact one and the same. As a result, many campuses may believe that they cannot designate these various kinds of identifiers as directory information even when doing so would yield clear benefits and could cause no harm.

The comments support the U.S. Department of Education's position that SSN's should never be considered "directory information". However, the comments provide alternative language for the treatment of SID and User ID's, essentially suggesting that they could be treated as "directory information" if there is an additional act of authentication and that the identifier itself does not provide an individual with access to student education records. The entire comments related to "directory information" are available on pages 1-2 of the ACE letter. There is also a discussion of "outsourcing" on pages 4-5.

The EDUCAUSE/Internet2 Computer and Network Security Task Force also commented on the department's "Recommendations for Safeguarding Education Records". FERPA has never contained regulations related to the security of student education records, although it is implied as a necessary safeguard to help keep student education records private. The department chose to include in this Notice some recommendations that included references to guidance issued by the National Institute of Standards in Technology (NIST) and the Office of Management and Budget (OMB). While the Security Task Force shared the department's concerns about cybersecurity, it was concerned that focus on government approaches may be misinformed and encouraged the department to consider resources developed by the task force (e.g., see Effective IT Security Practice Guide). The task force further cautioned the department that "the inclusion of recommended safeguards causes considerable confusion about the department's intentions and future plans."