FERPA: The law you think you know, until you don’t

I know what FERPA means, but please remind me again

mazeThe Fam­ily Edu­ca­tional Rights and Pri­vacy Act is a topic most of us are famil­iar with as staff. FERPA was estab­lished in 1974 and pro­tects the pri­vacy of stu­dent edu­ca­tion records. FERPA guar­an­tees sev­eral rights to stu­dents in regards to their edu­ca­tion records including:

  1. The right to inspect and review the student’s edu­ca­tion records within 45 days of the day the Uni­ver­sity receives a request for access.
  2. The right to request the amend­ment of the student’s edu­ca­tion records that the stu­dent believes are inac­cu­rate, mis­lead­ing, or oth­er­wise in vio­la­tion of the student’s pri­vacy rights under FERPA.
  3. The right to pro­vide writ­ten con­sent before the Uni­ver­sity dis­closes per­son­ally iden­ti­fi­able infor­ma­tion from the student’s edu­ca­tion records, except to the extent that FERPA authorizes.
  4. The right to file a com­plaint with the U.S. Depart­ment of Edu­ca­tion con­cern­ing alleged fail­ures by the Uni­ver­sity to com­ply with the require­ments of FERPA.

FERPA also gov­erns how we han­dle grade infor­ma­tion and pro­hibits the pub­lic post­ing of stu­dent grade infor­ma­tion or the shar­ing of edu­ca­tional records to third par­ties (includ­ing par­ents) with­out the con­sent of the student.

Though the rights for stu­dents and the basic ten­ants of the law seem straight­for­ward, it is not always easy to inter­pret the impact of the law on the many unique and com­pli­cated sit­u­a­tions pre­sented to us on a daily basis. In addi­tion to the fed­eral law, there are also UW poli­cies and state leg­is­la­tion gov­ern­ing the pri­vacy of stu­dent data.  With that in mind, let’s explore sev­eral top­ics related to the com­plex­i­ties of stu­dent privacy.

Email is safe right? RIGHT?

guard dog

Email com­mu­ni­ca­tions are con­sid­ered to be inher­ently inse­cure. Email is often sent over unen­crypted net­works, and the poten­tial for mes­sages to be inter­cepted “in tran­sit” is a very real and poten­tial dan­ger. Email is also prone to human error (you didn’t really mean to send that recipe for tuna casse­role to your tax accoun­tant did you?).  But email is also an every­day com­mu­ni­ca­tion tool we use at home and work. If you can’t email, then what?

There are sim­ple steps you can take to min­i­mize the risk of unin­ten­tional breaches of con­fi­den­tial infor­ma­tion when using email.

  • Avoid putting per­sonal iden­ti­fiers such as stu­dent names and num­bers in the sub­ject line of an email. Hack­ers have been known to scan the sub­ject lines of email com­mu­ni­ca­tions look­ing for user names, pass­words, and other per­son­ally iden­ti­fi­able infor­ma­tion.  Infor­ma­tion in the sub­ject line could also be eas­ily viewed by the per­son sit­ting next you on your bus ride home, or the barista who might glance at your iPhone while you are wait­ing for your latte. Max­i­mize pri­vacy by includ­ing this infor­ma­tion in the main body of the email.
  • When email­ing stu­dent infor­ma­tion for edu­ca­tional pur­poses to a stu­dent or to another uni­ver­sity recip­i­ent, con­sider break­ing the infor­ma­tion up. For exam­ple, send a mes­sage to a depart­ment doc­u­ment­ing the nature of the email topic, and then send a sec­ond email to include the name of the stu­dent dis­cussed in the first email. This way, if one email is inter­cepted, not all data is dis­closed at once.
  • Finally, remem­ber that some con­ver­sa­tions are best accom­plished in per­son. With as many ben­e­fits as email has, the secu­rity and con­fi­den­tial­ity of infor­ma­tion can some­times best be han­dled through old-fashioned means such as a con­ver­sa­tion in a pri­vate space, or a con­fi­den­tial phone call between staff members.

Email con­ver­sa­tions aren’t part of the stu­dent record right?

Because email by its nature is a shared com­mu­ni­ca­tion to one or more recip­i­ents, any infor­ma­tion about a stu­dent that is shared through email can be con­sid­ered to be part of a student’s edu­ca­tion record, and can (must) be pro­vided to the stu­dent if requested. When com­mu­ni­cat­ing through email or other elec­tronic means regard­ing stu­dents, remem­ber to use pro­fes­sional lan­guage and appro­pri­ate content.

So I can post grade infor­ma­tion as long as I am using the last 4 dig­its of the stu­dent ID num­ber, right?


His­tor­i­cally, both FERPA and UW have per­mit­ted the use of the last 4 dig­its of the stu­dent ID for instruc­tors to post grades. FERPA allows such use if the stu­dent ID num­ber being used is ran­dom, and if the ID can­not be used to access stu­dent infor­ma­tion sys­tems. UW stu­dent IDs meet these cri­te­ria, how­ever the UW rec­om­men­da­tion on this method has recently changed as bet­ter alter­na­tives to the phys­i­cal post­ing of grades have increased. It is now rec­om­mended you use UW appli­ca­tions, or other secure meth­ods when com­mu­ni­cat­ing grade infor­ma­tion to students.

Cat­a­lyst Grade­Book and Grade­Page allow you to share grade infor­ma­tion securely and elec­tron­i­cally with stu­dents. Grade infor­ma­tion can also be shared in-person with a stu­dent, or through a phone con­ver­sa­tion if needed. Stu­dents can access their own grade infor­ma­tion through unof­fi­cial tran­scripts via MyUW, and through learn­ing man­age­ment sys­tems like UW Can­vas. With all these alter­na­tives avail­able, the phys­i­cal post­ing of grades becomes a less nec­es­sary option, and we encour­age you to explore the many avail­able tools UW provides.

This is all so over­whelm­ing — I wish I had some­one to help me!

graffittiRemem­ber, you don’t have to know it all. None of us want to unin­ten­tion­ally vio­late FERPA or breach con­fi­den­tial stu­dent data. But the rules about what can and can­not be done are often grey and the answers unclear. With that in mind, we encour­age you to seek out our resources to assist you with FERPA and stu­dent pri­vacy issues. The Office of the Reg­is­trar has estab­lished a con­tact line at ferpa@uw.edu for you to use to ask us any FERPA ques­tions you might have. Breaches of con­fi­den­tial infor­ma­tion should also be reported imme­di­ately to the Office of the CISO.

Leave a Reply

Your email address will not be published. Required fields are marked *