
This message posted on behalf of the EDUCAUSE Campus Policy Working Group [*]

Several weeks ago, a couple of threads on the POLICY-DISCUSSION list raised the question of how FERPA regulations interact with breach-notification requirements. There is no single, simple, comprehensive answer to this question, but we thought it might be helpful to mention a few relevant parameters and facts that can serve to guide future discussions.

- FERPA and state breach-notification laws address different sets of information that may or may not overlap. FERPA protects "education records," a term that is quite broad (though nuanced) and includes almost all records colleges and universities maintain about their students, whether related to academics or not. State breach-notification laws typically cover a narrower scope of information (often name in conjunction with social security, credit card, and/or driver license number) for a broader range of individuals (usually all state residents), but these vary by state. To our knowledge, no state breach-notification law explicitly cross-references FERPA or incorporates the concept of "education records," but some "education records" nevertheless may be covered by state breach-notification laws (for example, a list containing student names and social security numbers). Moreover, both FERPA and state breach-notification laws have exceptions (in the case of FERPA, the category called "directory information," which may be released publicly without consent) and sometimes exceptions to the exceptions (in the case of FERPA, the "opt out" provision for directory information). Whether a particular breach implicates FERPA, state law, or both will thus depend on exactly what data was released and how.

- FERPA is not a breach-notification law and imposes no affirmative notification requirement. FERPA does, however, require that the institution maintain a record of each unauthorized disclosure, and this record must be available to students exercising their right, granted by FERPA, to examine their files. And if information that is breached is covered by both FERPA and a state breach-notification law, the fact that there is no notification obligation under FERPA does not exempt the institution from complying with the state breach-notification law.

- Regardless of whether an unauthorized release of information requires notification, the institution should conduct a review to determine why the incident occurred and to address any technical or procedural deficiencies that emerge.

- In addition to FERPA and state breach-notification laws, unauthorized release of information may implicate other federal and state laws and regulations (such as Gramm-Leach-Bliley or HIPAA), especially if social security numbers are part of the release.

- Legal requirements, whether based on FERPA or on state breach-notification laws (or, perhaps eventually, a federal breach-notification law), are only one consideration in determining whether to notify, who to notify, and how. Even if notification is not a legal requirement, your institution may decide for reasons of public relations, policy, or ethics that notification is an appropriate response.

[*] The EDUCAUSE Campus Policy Working Group (http://www.educause.edu/policy/campus/community/wg) is a small group of experts and practitioners active in campus IT policy. This group identifies policy and compliance issues that benefit from focused attention, and provides support to the higher education community on these topics through the development of FAQs, best practices, webinars, and other means.

**********

Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.

Comments

Thanks for the clear follow-up.

I still had a couple of questions:

First, take the case of a breach that is relevant to BOTH state breach notification AND FERPA. Does specific, individual notification required by the state law do dual duty? Or, even with specific notification, must one still insert a disclosure notice available to a student inspecting his or her records?

Second, in today's world of access to one's own records online, I'm a bit baffled as to what constitutes a record of the disclosure in the student's file, or available to a student. Are we assuming that "inspection" means only those students who take themselves to a specific office (e.g., registrar)?
Here, belatedly, are some thoughts on your questions:

1.  The recordation requirement is different from notification (which, as discussed, is not required by FERPA), so an individual notification required by state law would not satisfy it.

2. In general (subject to a number of exceptions), an institution is required to make "a record of each request for access to and each disclosure of personally identifiable information from the education records of each student" and to "maintain the record with the education records of the student as long as the records are maintained."

3. This requirement isn't particularly easy to comply with in the decentralized systems of records we all have, and it's probably honored as much in the breach as otherwise. However (and fortunately), the "with" part of the requirement does not appear to be literal; rather, it appears to be sufficient to make and maintain the record of disclosure in such a way that the "student will become aware of the disclosure during an inspection of the student's education record." How to implement that as a practical matter is beyond my skills as a lawyer, but I suspect that the technology that has multiplied the number and locations of records may also offer some solutions . . . .

Steven J. McDonald
General Counsel | Rhode Island School of Design
2 College Street | Providence, RI 02903 | 401-277-4955
On 12/2/11 2:09 PM, Susan Brooker-Gross wrote: