FERPA and its Implications for Academic Advising Practice
Authored By: Matthew M. Rust, MS, JD
Note: NACADA does not provide legal advice
Individuals with questions regarding FERPA interpretation at a specific college/university should contact that institution's Registrar or general counsel office. Questions regarding K-12 FERPA issues should be directed to the building principal or the school district's legal counsel.
Among the U.S. laws that impact academic advising in higher education, the Family Educational Rights and Privacy Act (FERPA) is likely the most often cited and yet also the most poorly understood. This article will present a general overview clarifying the advising-related components of FERPA, including:
- Distinctions from state privacy laws and institutional policy
- What student information is protected by FERPA
- Common disclosure scenarios and procedures, and
- Rights of the advisee under FERPA
No part of this article should be construed as legal advice for a specific situation. Advisors with specific questions about their advising practice should consult their institution’s legal counsel.
FERPA represents the floor, not the ceiling of privacy laws impacting academic advising. FERPA generally imposes less onerous requirements regarding maintenance and disclosure of education records than what state privacy laws and institutional policies require. Additionally, the penalties for non-compliance with FERPA are generally not as intimidating as those associated with state privacy laws.
FERPA, a federal funding statute enacted in the 1970s, conditions continued receipt of federal dollars upon compliance with the confidentiality requirements FERPA establishes (US Department of Education, 2004). Because of this, FERPA applies to any institution of higher education—public or private—that receives federal money (financial aid, research grants, etc.). FERPA does not, however, require the maintenance of education records regarding students. FERPA simply sets guidelines for keeping those records confidential, so long as the institution of higher education chooses to maintain them.
Nevertheless, state–level laws and regulations often do establish expectations for advisors to create and maintain education records. For example, a records retention schedule from the Idaho State Board of Education (2008) requires that student advising records be maintained by institutions under that board’s purview for a set period of time and then destroyed. Additionally, a records retention schedule from The Ohio State University (2013) shows how institutional policy might dictate the maintenance of records. In this case, the institutional policy specifies correspondence with students as part of the advising files to be maintained. No such records retention schedule exists within FERPA or its implementing regulations from the U.S. Department of Education’s Family Policy Compliance Office (FPCO).
Another important distinction between FERPA, state law, and institutional policy lies in the requirements of non-disclosure. For example, FERPA regulations that went into effect in 2012 generally allow for the disclosure of student identification numbers, so long as use of those numbers alone (without a password) would not grant access to education records (34 C.F.R. § 99, 2011). This relaxed standard—which was unsuccessfully challenged in a federal district court (Electronic Privacy Information Center v. U.S. Department of Education, 2013)—stands in sharp contrast to state privacy laws which sometimes require specific encryption in the maintenance or transmission of identification numbers (Nicholson & O’Reardon, 2009). The relaxed FERPA standard also should be distinguished from institutional policies which often prohibit the disclosure of student identification numbers. For example, a data classification chart from Stanford University (2014) lists university ID numbers as confidential information, and states that access to these numbers should be “limited to those with a need to know” (Table 1, row 2). This university policy also strongly recommends encryption for storage or transmission of university ID numbers. FERPA contains no expectation of encryption for the digital transmission of student information.
A final distinction lies in enforcement options under FERPA compared to state laws. The Supreme Court has clarified that students have no individual right of action under FERPA (Gonzaga v. Doe, 2002). This means that when students believe an institution has violated their privacy rights under FERPA, they do not have the option to bring a lawsuit. Rather, the student must file a complaint with the FPCO, at which point the FPCO would notify the institution of the alleged violation and give the institution an opportunity to change any deficient practices. Only if the institution refused to comply—after being warned and having an opportunity to change practices—would the institution lose federal funding (34 C.F.R. § 99). This ultimate punishment has never been handed out, and even if it were, the aggrieved students would still have no options to sue under FERPA for personal damages.
Under many state privacy laws, however, a student who believes his or her university has violated state law could sue the institution for damages. Indeed, at least seven states, the District of Columbia, Puerto Rico, and the Virgin Islands permit individuals to bring a cause of action when the privacy of their personally identifiable data has been breached (BakerHostetler, 2014).
The distinctions discussed above highlight that FERPA is merely the minimum when it comes to privacy laws with which advisors should familiarize themselves. Advisors should also consult websites or trainings at their institutions (typically available from the Registrar’s office) for guidance on the state privacy laws and institutional policies that likely impose more stringent requirements than FERPA.
What is Protected Under FERPA?
FERPA generally requires that advisors not disclose to third parties the personally identifiable information contained in students’ education records. FERPA defines education records broadly to include most any record maintained by the institution (or by a third party acting for the institution) regarding a student (34 C.F.R. § 99). Advisors are wise to assume that any email or record system—paper or electronic—where they maintain correspondence with or notes on advisees would qualify as education records under FERPA.
Tangible Education Records
A frequently overlooked aspect of the notion of education records under FERPA is that the law applies only to information from tangible records (Family Policy Compliance Office, 2006). Information that advisors learn from students through conversation is not protected by FERPA. That is, FERPA does not create an advisor-advisee privilege around advising conversations such that advisors are prohibited from disclosing the substance of those conversations to third parties. That being said, state privacy laws, institutional policy, or a common sense desire to maintain rapport with students would likely compel an advisor to keep advising conversations confidential.
The main exception to the general rule of non-disclosure is in the case of directory information. Directory information includes information such as email addresses, dates of attendance, academic major, awards and class standing, but it also includes student identification numbers as discussed above (34 C.F.R. § 99). Generally, directory information may be disclosed to third parties, unless the student has requested that directory information not be disclosed. When students ask to protect their directory information, many institutions will show a FERPA privacy block—sometimes a window shade icon—in their student information systems as a notice to advisors.
Education records become subject to FERPA protection as soon as a student—regardless of age—is “in attendance” at the institution. This means that admissions records of students who apply to but ultimately never attend an institution are not subject to FERPA. Institutions are free to define through institutional policy what the date of “in attendance” will be so long as it is after the student has been admitted but no later than the first day of classes (Rooker & Falkner, 2013). See, for example, how Penn State University (2014) has established that university’s effective date:
According to Penn State policy, FERPA becomes effective on the first day of classes for those newly admitted students who have scheduled at least one course. A student who accepted an admission offer but did not schedule at least one course, or a newly admitted student who canceled his/her registration either before or after the semester begins, is not covered by FERPA (FAQ 16).
Advisors should consult their own institution’s guidance on when education records will begin to be protected by FERPA. Advisors should also look to whether there is institutional policy on where advisors should maintain notes from advising conversations and what information the institution deems to be directory information that is generally able to be disclosed. In particular, advisors should verify whether their institutions adopted the relaxed view of student ID numbers that FERPA promulgated in the 2012 regulatory update.
When to Disclose
The general rule with education records protected under FERPA is that advisors should not disclose information from those records to third parties. There are, however, four scenarios that typically arise in advising where advisors are permitted to disclose and remain in compliance with FERPA.
The first scenario is where consent is present. In this typical scenario, students consent to release of personally identifiable information from their education records through a signed, written consent form specifying the person (or group of people) to whom disclosures may be made (34 C.F.R. § 99). Changes to the FERPA regulations from 2008 add an expectation that advisors will take reasonable steps to authenticate the identity of any third party requesting access to a student’s education records. For this reason, many institutions add a password to FERPA disclosure consent forms; students then share this password with the persons to whom they are consenting to have their records released; that third party must then provide the password to the advisor before disclosure may occur.
Legitimate Educational Interest
The second common scenario includes disclosures to school officials with a legitimate educational interest (34 C.F.R. § 99). FERPA does not specify who will be considered to have a legitimate educational interest, but rather views this broadly. It is likely that any employee of the institution with some articulable connection to the educational mission of the institution will qualify. Advisors should inquire, however, into whether their institutions specifically define who will have a legitimate educational interest. For example, the online bulletin from Indiana University Bloomington (2014) gives a broad overview of the types of individuals who may qualify under this exception.
A school official is a person employed by the University in an administrative, supervisory, academic or research, or support staff position (including law enforcement unit personnel and health staff); a person or entity with whom the University has contracted (such as an attorney, auditor, or collection agent; the Indiana University Foundation and Indiana University Alumni Association; and vendors of services such as e-mail or other electronic applications, enrollment verification, and so on); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibilities for the University (para. 3).
A third common disclosure scenario in advising is the tax dependent exception. FERPA allows—but never mandates—institutions to disclose information from a student’s education record to a parent who claims that student as a tax dependent (34 C.F.R. § 99). Typically, if an institution opts to release education records in this manner, the institution will have staff in the registrar’s office trained on receiving and interpreting tax forms. If advisors share education record information under the tax dependent exception, that disclosure must be recorded in a log (no such requirement exists for the consent-based or legitimate educational interest scenarios discussed above).
Health and Safety Exception
In 2008, regulatory updates to FERPA clarified the health and safety exception. This was done in part to encourage sharing of information that might prevent tragedies like the 2007 shootings at Virginia Tech (Nicholson & O’Reardon, 2009). Under the health and safety exception, advisors may share information from an education record (e.g., a troubling email) if doing so is necessary to protect the health and safety of that student or others. As with the tax-dependent status exception, disclosures under the health and safety exception must be recorded in a log.
There are two issues related to the health and safety exception that advisors should consider. First, if the troubling information comes not from an education record but from a conversation with a student in distress, FERPA does not apply, so there would be no need to look for a disclosure exception. Second, most campuses consider their advisors to be mandatory reporters of sexual assault occurrences, meaning disclosures of such information would not merely be permissible; they would be expected.
Advisors should consult their institutional policies to determine whether their institution chooses to disclose under all of the exceptions discussed above. Some institutions might choose to only disclose in cases where consent and legitimate educational interest are present. Indeed, institutions could even decide to not disclose protected information under any circumstances. FERPA never mandates releasing protected information.
Rights of Students Under FERPA
In addition to understanding the obligations imposed by FERPA, it is important that advisors understand the following rights granted to students under FERPA:
- Students have the right to access their education records. This means advisors should assume that anything they put in writing regarding a student could eventually be accessed by the student. This is true whether that writing be in paper or electronic file or in an email.
- Students have the right to opt out of having their directory information published. Advisors should therefore take care when publishing lists of their advisees’ contact information or awards lists such as Dean’s Lists. Such information is directory information and therefore publishable but only if the student has not opted out of directory information publication.
- Students have a right to annual notification of their institution’s FERPA compliance policies and procedures. If changes are made to those practices, students need to be updated.
Finally, it is important to note that these rights associated with FERPA belong to the student as soon as the student is in attendance at the institution of higher education. This is true regardless of whether the student is still a minor.
For Further Guidance
The above general guidance on the U.S. federal law known as FERPA serves to reduce misconceptions and encourage compliance with this important advising-related law. Advisors will need to consult their institution’s policies and offices such as the Registrar and General Counsel for specific guidance on how to appropriately observe state privacy laws applicable to their institution. Advisors will also want to work with their legal counsel to ensure that the policies and procedures in their offices are up-to-date regarding any recent developments in the FERPA statute, its implementing regulations or in state law. To help guide these discussions, a checklist is provided below.
For Advisors in Canada
Unlike the U.S., Canada does not have a singular federal privacy law related to student records which sets a consistent minimum standard. There is, however, a fairly consistent naming convention for the privacy laws that exist in the territories and provinces. Advisors in Canada should consult their institutional legal counsel for guidance on compliance with their applicable Information and Privacy Act (Office of the Information Commissioner of Canada, 2014).
Matthew M. Rust, MS, JD
Director of Campus Career and Advising Services
Indiana University-Purdue University Indianapolis
34 C.F.R. § 99 (2011). Family Educational Rights and Privacy Act (FERPA). Retrieved from http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
BakerHostetler. (2014). Data breach charts. Retrieved from http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf
Electronic Privacy Information Center v. U.S. Department of Education, District of Columbia – Document Filing System (United States District Court for the District of Columbia, 2013). Retrieved from https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2012cv0327-28
Family Policy Compliance Office. (2006, February 15). Letter to Montgomery County Public Schools (MD) re: law enforcement unit records. Retrieved from http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/montcounty0215.html
Gonzaga v. Doe 536 U.S. 273 (2002). Gonzaga University v. Doe. Retrieved from http://www.oyez.org/cases/2000-2009/2001/2001_01_679
Idaho State Board of Education. (April, 2008). Students—Advising records. Records Management Guide Appendix 9. Retrieved from http://history.idaho.gov/sites/default/files/uploads/Education_Higher_Ed_Records_Book_0.pdf
Indiana University Bloomington. (2014). Indiana University’s annual notification of student rights under FERPA. Enrollment and Student Academic Information Bulletin. Retrieved from http://enrollmentbulletin.indiana.edu/pages/ferpa.php?Term=3
Nicholson, J. L., & O'Reardon, M. E. (2009). Data protection basics: a primer for college and university counsel. The Journal of College and University Law 36(1), 101-144.
Office of the Information Commissioner of Canada. (2014, April 7). Links. Retrieved from http://www.oic-ci.gc.ca/eng/links-liens.aspx
Pennsylvania State University. (September, 2014). FERPA frequently asked questions (FAQ). Office of the University Registrar. Retrieved from http://www.registrar.psu.edu/confidentiality/FERPA_faq.cfm
Rooker, L. R. & Falkner, T. M. (2013). 2013 FERPA quick guide. Washington, D.C.: American Association of Collegiate Registrars and Admissions Officers.
Stanford University. (May, 2014). Data classification, access, transmittal, and storage. Retrieved from http://web.stanford.edu/group/security/securecomputing/dataclass_chart.html
The Ohio State University. (March, 2013). Student & course records—Advising files. General Records Retention Schedule. Retrieved from http://library.osu.edu/documents/records-management/general-schedule.pdf
US Department of Education. (February, 2004). Legislative history of major FERPA provisions. Retrieved from http://www2.ed.gov/policy/gen/guid/fpco/ferpa/leg-history.html
Checklist for working with legal counsel to develop FERPA policies and procedures for advising offices
FERPA Resources from AACRAO: American Association of Collegiate Registrars and Admissions Officers
Chart comparing privacy laws in U.S. States
Canadian Privacy Law Resources
Cite this using APA style as:
Rust, M. M. (2014). FERPA and its implications for academic advising practice. Retrieved from the NACADA Clearinghouse of Academic Advising Resources website:
This article should not be considered legal advice from NACADA nor from the author. Individuals contemplating any action regarding a FERPA claim should seek legal counsel before going forward.
Individuals with questions regarding FERPA interpretation at a specific college or university should contact the institution's Registrar or Student Legal Services office. Questions regarding K-12 FERPA issues should be directed to the building principal or the school district's legal counsel.