Main Nav

Hi,
I hope to get advice and counsel from this group.

We had student email address listed as directory information for many years, with a publicly posted directory showing the student's name and email address.  Around 2002, there was a business that targeted higher ed, submitting FOIA requests to obtain student email addresses and then sending massive email spam.  Our student congress requested that email address be removed as directory information, and we complied.  Gradually, over time, every data element in the directory was removed except name.  Fast forward to today:  We have a web directory that simply lists student names ( you can see it here http://www2.oakland.edu/webdirectory/index.cfm).

The Dean of Students and I went to our student congress yesterday and asked them what they wanted done with this directory.  What they want is a student directory behind a login in our portal. 

As I look at this, it seems to me that we then need to put student email address on the FERPA "directory information list."  I don't see anything in FERPA that states that something identified as directory information has to be posted on a public web site.  We could then put the directory in the student portal, behind the login.

What do you think?

--
Theresa Rowe
Chief Information Officer
Oakland University
 
********** Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.

Comments

From what I know about FERPA, it only controls what can be released, it never compels disclosure - FOIA does that. I think you're correct that e-mail would need to be added back as directory information, however doesn't that get you back to allowing spammers to send fruitful FOIA requests? Or perhaps you're hoping that the spammers learned their lesson years ago, and stopped submitting FOIA requests, and won't notice that you've added e-mail back as directory information. On 2/14/2012 8:48 AM, Theresa Rowe wrote: > Hi, > I hope to get advice and counsel from this group. > > We had student email address listed as directory information for many > years, with a publicly posted directory showing the student's name and > email address. Around 2002, there was a business that targeted higher > ed, submitting FOIA requests to obtain student email addresses and > then sending massive email spam. Our student congress requested that > email address be removed as directory information, and we complied. > Gradually, over time, every data element in the directory was removed > except name. Fast forward to today: We have a web directory that > simply lists student names ( you can see it here > http://www2.oakland.edu/webdirectory/index.cfm). > > The Dean of Students and I went to our student congress yesterday and > asked them what they wanted done with this directory. What they want > is a student directory behind a login in our portal. > > As I look at this, it seems to me that we then need to put student > email address on the FERPA "directory information list." I don't see > anything in FERPA that states that something identified as directory > information has to be posted on a public web site. We could then put > the directory in the student portal, behind the login. > > What do you think? > > -- > Theresa Rowe > Chief Information Officer > Oakland University > > ********** Visit the EDUCAUSE Policy website at > http://www.educause.edu/policy. > ********** Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.

My first thought on the matter (without doing a whole lot of thinking) is that your directory information is data that MAY be shared with people outside of the institution.  It is not data that MUST be shared.  I think you could probably specify in your policy that email addresses are directory data but that you’re only going to share it with some defined groups or that you will not honor requests for bulk export of email addresses. 

 

You are correct that in order to disclose student e-mail addresses to a broader audience (i.e., anyone other than the individual students themselves or someone eligible under one of the various narrow exceptions), you must include student e-mail addresses on your list of directory information. Doing so, however, does not mean that you *must* disclose e-mail addresses more broadly. It simply gives you the discretion, not the obligation, to disclose them, and, at least as far as FERPA is concerned, you are free to pick and choose to whom you disclose them, and even to be arbitrary and capricious if you wish. It would be fine under FERPA to "publish" that information only behind a portal. That said, you must also look at your state public records statute, which in some cases may compel you to disclose (when requested under that statute) what FERPA does not forbid you to disclose. But, for the very reason you have indicated, some state public records statutes have been amended to specifically exclude requests for e-mail addresses from commercial entities. And, regardless of what FERPA and your state public records statute may say about obtaining the information, you also have some discretion and ability (subject, as a public institution, to First Amendment limitations) to set parameters for your spam filter to solve this problem from another angle. Steven J. McDonald General Counsel | Rhode Island School of Design 2 College Street | Providence, RI 02903 | 401-277-4955 On 2/14/2012 9:48 AM, Theresa Rowe wrote: > Hi, > I hope to get advice and counsel from this group. > > We had student email address listed as directory information for many > years, with a publicly posted directory showing the student's name and > email address. Around 2002, there was a business that targeted higher > ed, submitting FOIA requests to obtain student email addresses and > then sending massive email spam. Our student congress requested that > email address be removed as directory information, and we complied. > Gradually, over time, every data element in the directory was removed > except name. Fast forward to today: We have a web directory that > simply lists student names ( you can see it here > http://www2.oakland.edu/webdirectory/index.cfm). > > The Dean of Students and I went to our student congress yesterday and > asked them what they wanted done with this directory. What they want > is a student directory behind a login in our portal. > > As I look at this, it seems to me that we then need to put student > email address on the FERPA "directory information list." I don't see > anything in FERPA that states that something identified as directory > information has to be posted on a public web site. We could then put > the directory in the student portal, behind the login. > > What do you think? > > -- > Theresa Rowe > Chief Information Officer > Oakland University > > ********** Visit the EDUCAUSE Policy website at > http://www.educause.edu/policy. > ********** Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.
Wouldn't it also depend if the email address is a personal email or institution supplied address.
No. Essentially, whatever personally identifiable information you maintain about a student is covered by FERPA. Steven J. McDonald General Counsel | Rhode Island School of Design 2 College Street | Providence, RI 02903 | 401-277-4955 On 2/14/2012 10:18 AM, Kirk Bay wrote: > Wouldn't it also depend if the email address is a personal email or institution supplied address. > >
Aren't Directory Information (FERPA) and FOIA separate issues ? Does this imply that FOIA request need to be honored for only Directory Information ?
That is the understanding we've had from our general counsel.  We removed email address from directory information so that it could not be requested under FOIA.  If we put it back, it can be requested under FOIA.  But the Steven McDonald is saying is confirming another understanding:  Just because it is directory information, we are not obligated to do an open and public publishing of the directory.

As we go through this, what are you doing with social media identities and your FERPA directory information?  Are you putting social media identities on the list of directory information?

Theresa
We've learned that it's institutional policy if student e-mail addresses are available to anyone via a web directory or to only campus clientele via authentication. For staff and faculty, being state employees, we can put e-mail addresses behind a portal, but if someone requests the e-mail address(es) we have to provide them. However, you can include with the information how these addresses cannot be used. Any unsolicited e-mail, for example, is spam and it violates policy. These entities can be blacklisted for spamming and even legitimate mail will be blacklisted. Additionally, we can say that this is for individual use and cannot be sold or given to another person. They would have to ask for the information from us individually. Finally, we can charge a fee for staff time in providing the information.
Sort of.  Because federal law "trumps" state law, FOIA requests cannot reach that which FERPA prohibits you from releasing.  However, because FERPA does not prohibit you from releasing directory information, it is possible your state law will require you (if you're a public) to release it upon request.  The interesting -- and unfortunately unresolved -- question is whether state law can require you to disclose information that *could* be on your directory information list (i.e., you technically aren't prohibited from releasing it), but that you have chosen not to include for some policy reason.

In the most recent set of amendments to the regulations, FPCO, the office that oversees FERPA, attempted to address this, but what it is saying is not entirely clear.  FWIW, here's a lengthy excerpt from the preamble to the relevant part of those amendments:

Under FERPA, educational agencies and institutions are only required to provide access to education records to parents and eligible students. All other disclosures listed in § 99.31 are optional. This includes the disclosure of directory information under § 99.31(a)(11), under the conditions specified in § 99.37. However, some educational agencies and institutions have advised, and administrative experience has shown, that State open records laws have required disclosure of student directory information because, in most cases, FERPA does not specifically prohibit the disclosure of this information. It is our understanding that many, if not most, State open records or sunshine laws require that public entities, such as public schools, LEAs, and State colleges and universities, disclose information to the public unless the disclosure is specifically prohibited by another State law or by a Federal law such as FERPA. Thus, in practice, while FERPA only requires schools to disclose PII from education records to parents or eligible students, State sunshine laws may require the public release of properly designated directory information from which parents and eligible students have not opted out. With regard to the commenter who asked whether a school that chooses not to adopt a limited directory information policy could still limit the disclosure of directory information if its State law required the disclosure, FERPA permits the disclosure of directory information but it does not require it. Some States have State open records laws that may require the disclosure of directory information if a school has a directory information policy and the parent or eligible student has not opted out. We believe that the FERPA regulations will better assist educational agencies and institutions in protecting directory information if an educational agency or institution that adopts a limited directory information policy limits its directory information disclosures only to those parties and purposes that were specified in the policy. To clarify, this regulatory scheme gives each school the option of limiting its directory information disclosures and does not subject a school to enforcement proceedings by FPCO if the school elects not to limit disclosure to specific parties or for specific purposes, or both. With regard to the recommendations by commenters that the regulations explicitly state that directory information not be disclosed except to specific parties or for specific purposes, we do not believe this change is necessary. As noted, neither the disclosure of directory information nor the adoption of a limited directory information policy is required by the regulations. The regulations make clear that if a school chooses to adopt a limited directory information policy, then it must limit its directory information disclosures to those specified in its public notice. With regard to concerns expressed by commenters about directory information being released to entities for marketing purposes, a school has the flexibility to allow or restrict disclosure to any potential recipient. For example, a limited directory information policy may be expressed in a negative fashion, indicating that the school does not disclose directory information for marketing purposes. While Congress has not amended FERPA to specifically address disclosure of directory information to companies for marketing purposes, Congress amended section 445 of GEPA, commonly referred to as the Protection of Pupil Rights Amendment (PPRA) in 2001 to address this issue. Public Law 107–110, § 1061. Under PPRA, LEAs are required to work in consultation with parents to develop and adopt a policy governing the collection, disclosure, or use of personal information collected from students for the purpose of marketing or for selling that information (or otherwise providing that information to others for those purposes). The policy must include arrangements to protect student privacy in the event of such collection, disclosure, or use. LEAs are also required to notify parents of students of any activities that involve the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information (or otherwise providing that information to others for those purposes) so that parents may opt their child out of participation in those activities. 20 U.S.C. 1232h(c)(1)(E) and (c)(2). While PPRA does not generally apply to postsecondary institutions, understanding and complying with its requirements for LEAs should address some of the commenters’ concerns about this matter. With regard to the fact that we did not propose to amend the FERPA regulations to prevent third parties that receive directory information from further disclosing it, we do not believe that it is realistic to make such a change. By its nature, directory information is intended to be publicly shared. Congress included the disclosure of properly designated directory information as an exception to the general consent requirement in FERPA so that schools may make disclosures of the type of information generally not considered harmful or an invasion of privacy, such as information on students that would normally be found in a school yearbook or directory. It is not administratively practicable to take action against a third party that rediscloses directory information. For example, it would be virtually impossible to control how student information contained in a yearbook is distributed to others. Therefore, we believe that schools are in the best position to determine who should receive directory information and, should they choose, implement a limited directory information policy. With regard to the commenter who stated that adopting the limited directory information provision in the regulations would add confusion and possibly raise unnecessary allegations of improper disclosure from parents and eligible students, we do not believe this is the case. On the contrary, the option to have a limited directory information policy should better protect against improper disclosures of PII from education records and reduce the number of complaints in this regard. With regard to our recommendation that schools adopting a limited directory information policy consider entering into non-disclosure agreements to restrict the information from being further disclosed, we agree that this will not always be feasible. Clearly there are situations in which a school could not have a non-disclosure agreement, such as when it publishes directory information in a school yearbook, a sports event program, or a program for a school play. Schools will have to exercise judgment with respect to whether to utilize non-disclosure agreements to prevent further disclosure of directory information by assessing the circumstances surrounding the disclosure of the directory information. Finally, we note that the regulatory change to allow educational agencies and institutions to implement a limited directory information policy was not specifically intended to address how schools interact with or disclose directory information to members of the media. Rather, we were addressing concerns raised by school officials who, alarmed about the increase in identity theft, expressed a need to protect the privacy of students’ directory information. We encourage school officials to act responsibly in developing a limited directory information policy and to keep in mind routine disclosures that schools need to make in the normal course of business, including providing properly designated directory information to the media about various student activities and extracurricular pursuits of students.

An example from Virginia:
 

Required sunshine:  Virginia FOIA requires disclosure in response to requests unless there is an exception.

Voluntary sunshine:  Virginia FOIA permits disclosure even if there is a FOIA exception, unless the disclosure is otherwise prohibited by law (like FERPA).

 

Since disclosure of an institution’s listed directory information is, by definition, not prohibited by law, it “could” be released in response to FOIA (and generally is, so we, too, do not list student email as directory info)

 

However, I’ve wondered why my institution doesn’t take refuge (from spammers, e.g.) in the fact that state law makes no mention of directory information, and that all student records are still an “exception” to Virginia FOIA where disclosure is NOT required.

 

Virginia FOIA is very FERPA-esque, excepting “Scholastic records containing information concerning identifiable individuals”  [Scholastic = records containing information directly related to a student]

 
Sent: Tuesday, February 14, 2012 10:56 AM
Subject: Re: [POLICY-DISCUSSION] Reality check request: FERPA
 
Sort of.  Because federal law "trumps" state law, FOIA requests cannot reach that which FERPA prohibits you from releasing.  However, because FERPA does not prohibit you from releasing directory information, it is possible your state law will require you (if you're a public) to release it upon request.  The interesting -- and unfortunately unresolved -- question is whether state law can require you to disclose information that *could* be on your directory information list (i.e., you technically aren't prohibited from releasing it), but that you have chosen not to include for some policy reason.

In the most recent set of amendments to the regulations, FPCO, the office that oversees FERPA, attempted to address this, but what it is saying is not entirely clear.  FWIW, here's a lengthy excerpt from the preamble to the relevant part of those amendments:

Under FERPA, educational agencies and institutions are only required to provide access to education records to parents and eligible students. All other disclosures listed in § 99.31 are optional. This includes the disclosure of directory information under § 99.31(a)(11), under the conditions specified in § 99.37. However, some educational agencies and institutions have advised, and administrative experience has shown, that State open records laws have required disclosure of student directory information because, in most cases, FERPA does not specifically prohibit the disclosure of this information. It is our understanding that many, if not most, State open records or sunshine laws require that public entities, such as public schools, LEAs, and State colleges and universities, disclose information to the public unless the disclosure is specifically prohibited by another State law or by a Federal law such as FERPA. Thus, in practice, while FERPA only requires schools to disclose PII from education records to parents or eligible students, State sunshine laws may require the public release of properly designated directory information from which parents and eligible students have not opted out. With regard to the commenter who asked whether a school that chooses not to adopt a limited directory information policy could still limit the disclosure of directory information if its State law required the disclosure, FERPA permits the disclosure of directory information but it does not require it. Some States have State open records laws that may require the disclosure of directory information if a school has a directory information policy and the parent or eligible student has not opted out. We believe that the FERPA regulations will better assist educational agencies and institutions in protecting directory information if an educational agency or institution that adopts a limited directory information policy limits its directory information disclosures only to those parties and purposes that were specified in the policy. To clarify, this regulatory scheme gives each school the option of limiting its directory information disclosures and does not subject a school to enforcement proceedings by FPCO if the school elects not to limit disclosure to specific parties or for specific purposes, or both. With regard to the recommendations by commenters that the regulations explicitly state that directory information not be disclosed except to specific parties or for specific purposes, we do not believe this change is necessary. As noted, neither the disclosure of directory information nor the adoption of a limited directory information policy is required by the regulations. The regulations make clear that if a school chooses to adopt a limited directory information policy, then it must limit its directory information disclosures to those specified in its public notice. With regard to concerns expressed by commenters about directory information being released to entities for marketing purposes, a school has the flexibility to allow or restrict disclosure to any potential recipient. For example, a limited directory information policy may be expressed in a negative fashion, indicating that the school does not disclose directory information for marketing purposes. While Congress has not amended FERPA to specifically address disclosure of directory information to companies for marketing purposes, Congress amended section 445 of GEPA, commonly referred to as the Protection of Pupil Rights Amendment (PPRA) in 2001 to address this issue. Public Law 107–110, § 1061. Under PPRA, LEAs are required to work in consultation with parents to develop and adopt a policy governing the collection, disclosure, or use of personal information collected from students for the purpose of marketing or for selling that information (or otherwise providing that information to others for those purposes). The policy must include arrangements to protect student privacy in the event of such collection, disclosure, or use. LEAs are also required to notify parents of students of any activities that involve the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information (or otherwise providing that information to others for those purposes) so that parents may opt their child out of participation in those activities. 20 U.S.C. 1232h(c)(1)(E) and (c)(2). While PPRA does not generally apply to postsecondary institutions, understanding and complying with its requirements for LEAs should address some of the commenters’ concerns about this matter. With regard to the fact that we did not propose to amend the FERPA regulations to prevent third parties that receive directory information from further disclosing it, we do not believe that it is realistic to make such a change. By its nature, directory information is intended to be publicly shared. Congress included the disclosure of properly designated directory information as an exception to the general consent requirement in FERPA so that schools may make disclosures of the type of information generally not considered harmful or an invasion of privacy, such as information on students that would normally be found in a school yearbook or directory. It is not administratively practicable to take action against a third party that rediscloses directory information. For example, it would be virtually impossible to control how student information contained in a yearbook is distributed to others. Therefore, we believe that schools are in the best position to determine who should receive directory information and, should they choose, implement a limited directory information policy. With regard to the commenter who stated that adopting the limited directory information provision in the regulations would add confusion and possibly raise unnecessary allegations of improper disclosure from parents and eligible students, we do not believe this is the case. On the contrary, the option to have a limited directory information policy should better protect against improper disclosures of PII from education records and reduce the number of complaints in this regard. With regard to our recommendation that schools adopting a limited directory information policy consider entering into non-disclosure agreements to restrict the information from being further disclosed, we agree that this will not always be feasible. Clearly there are situations in which a school could not have a non-disclosure agreement, such as when it publishes directory information in a school yearbook, a sports event program, or a program for a school play. Schools will have to exercise judgment with respect to whether to utilize non-disclosure agreements to prevent further disclosure of directory information by assessing the circumstances surrounding the disclosure of the directory information. Finally, we note that the regulatory change to allow educational agencies and institutions to implement a limited directory information policy was not specifically intended to address how schools interact with or disclose directory information to members of the media. Rather, we were addressing concerns raised by school officials who, alarmed about the increase in identity theft, expressed a need to protect the privacy of students’ directory information. We encourage school officials to act responsibly in developing a limited directory information policy and to keep in mind routine disclosures that schools need to make in the normal course of business, including providing properly designated directory information to the media about various student activities and extracurricular pursuits of students.

Terry,

We have always had a login requirement to view student information on the directory lookup.  That is not a big deal.

We also block being able to see anyone's email address from off-campus.  (You can send the person an email via a web form.)
See:  https://apps.svsu.edu/lookup/

I would advise not putting the email address on your FERPA form ( personal opinion, not based on law or policy ).

Ken Schindler/SVSU


From: "Theresa Rowe" <rowe@OAKLAND.EDU>
To: POLICY-DISCUSSION@LISTSERV.EDUCAUSE.EDU
Sent: Tuesday, February 14, 2012 9:48:57 AM
Subject: [POLICY-DISCUSSION] Reality check request: FERPA

Hi,
I hope to get advice and counsel from this group.

We had student email address listed as directory information for many years, with a publicly posted directory showing the student's name and email address.  Around 2002, there was a business that targeted higher ed, submitting FOIA requests to obtain student email addresses and then sending massive email spam.  Our student congress requested that email address be removed as directory information, and we complied.  Gradually, over time, every data element in the directory was removed except name.  Fast forward to today:  We have a web directory that simply lists student names ( you can see it here http://www2.oakland.edu/webdirectory/index.cfm).

The Dean of Students and I went to our student congress yesterday and asked them what they wanted done with this directory.  What they want is a student directory behind a login in our portal. 

As I look at this, it seems to me that we then need to put student email address on the FERPA "directory information list."  I don't see anything in FERPA that states that something identified as directory information has to be posted on a public web site.  We could then put the directory in the student portal, behind the login.

What do you think?

--
Theresa Rowe
Chief Information Officer
Oakland University
 
********** Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.

********** Visit the EDUCAUSE Policy website at http://www.educause.edu/policy.

Close
Close


Annual Conference
September 29–October 2
View Proceedings

Events for all Levels and Interests

Whether you're looking for a conference to attend face-to-face to connect with peers, or for an online event for team professional development, see what's upcoming.

Close

Digital Badges
Member recognition effort
Earn yours >

Career Center


Leadership and Management Programs

EDUCAUSE Institute
Project Management

 

 

Jump Start Your Career Growth

Explore EDUCAUSE professional development opportunities that match your career aspirations and desired level of time investment through our interactive online guide.

 

Close
EDUCAUSE organizes its efforts around three IT Focus Areas

 

 

Join These Programs If Your Focus Is

Close

Get on the Higher Ed IT Map

Employees of EDUCAUSE member institutions and organizations are invited to create individual profiles.
 

 

Close

2014 Strategic Priorities

  • Building the Profession
  • IT as a Game Changer
  • Foundations


Learn More >

Uncommon Thinking for the Common Good™

EDUCAUSE is the foremost community of higher education IT leaders and professionals.