Probably no statute affects higher education more, but is understood less, than the Family Educational Rights and Privacy Act, or “FERPA,” the primary federal law that regulates how we handle our records about our students. And that is no doubt especially true when it comes to electronic records (which for some reason seem to baffle us in almost every context). Data Privacy Month seems a good time to clear up some of the most common misunderstandings:
1. FERPA makes no distinction between electronic and other records. FERPA governs all records that we maintain about our students, be they written on paper; captured in film, photographs, or audiotape; made up solely of electrons; or, for that matter, carved into stone tablets, and it governs them in exactly the same way. At least for purposes of FERPA, the medium is not the message.
2. FERPA does not prohibit the use of electronic means to record, maintain, or disseminate student records. It is perfectly legal, and completely consistent with FERPA, to operate, and make full use of, an electronic student information system, not to mention an e-mail system and a web presence. (Of course, the same disclosure restrictions that apply to paper records also apply to electronic records. Those restrictions are too complex to summarize here, but further information about them can be found in the 2008 Chronicle article, "The Family Educational Rights and Privacy Act: 7 Myths—and the Truth," the 2009 NACUA Notes article, "FERPA and Campus Safety," and the Higher Education Compliance Alliance website.)
3. That said, electronic records do raise unique security concerns, and FERPA does require us to address them. Even then, however, the standard is the same as for paper records: we must use “reasonable methods” to protect all student records. Just as it is appropriate to lock the file cabinet in which we maintain paper student records, it is appropriate to take steps to prevent unauthorized access to and disclosure of our electronic student records. How we do that, however, is largely up to us. In the words of the Family Policy Compliance Office:
[T]he standard of “reasonable methods” is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs.
And better yet:
The Department recognizes that no system for maintaining and transmitting education records, whether in paper or electronic form, can be guaranteed safe from every hacker and thief, technological failure, violation of administrative rules, and other causes of unauthorized access and disclosure. Although FERPA does not dictate requirements for safeguarding education records, the Department encourages the holders of personally identifiable information to consider actions that mitigate the risk and are reasonably calculated to protect such information. Of course, an educational agency or institution may use any method, combination of methods, or technologies it determines to be reasonable, taking into consideration the size, complexity, and resources available to the institution; the context of the information; the type of information to be protected (such as social security numbers or directory information); and methods used by other institutions in similar circumstances. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable.
And best of all:
“Effectiveness” is certainly one measure, but not necessarily a dispositive measure, of whether the methods used by an agency or institution are “reasonable”. . . . [A]n agency or institution is not required to eliminate all risk of unauthorized disclosure of education records but to reduce that risk to a level commensurate with the likely threat and potential harm.
4. FERPA is not a data breach notification statute. When student records (again, whether paper or electronic) are improperly accessed or disclosed, it will in many cases be advisable to alert the affected students, and, depending on the nature of the records breached, we may be required to do so by other statutes, such as applicable state statutes requiring notice of breaches of SSNs, credit card numbers, and the like. FERPA, however, imposes no such requirements itself. (Still, the Department of Education does have some “suggestions” for handling such breaches – and for preventing them in the first place – none of which will be terribly surprising to those who deal with data security regularly.)
Dealing with electronic student records is thus really not terribly difficult, nor terribly different from dealing with other electronic records. The key is simply to think about these issues, rather than to just assume that the system will take care of them. If you have a good general data security program in place already, you’re probably in good shape when it comes to student records.
Steven J. McDonald is General Counsel at Rhode Island School of Design and previously served as Associate Legal Counsel at The Ohio State University.