For All Gallaudet University Employees

FERPA Guide & Tutorial

PLEASE MAKE TIME TO READ & UNDERSTAND

ALL THE FERPA INFORMATION PRESENTED

You Will Be Required To Pass A Quiz

On FERPA Information

FAMILY EDUCATIONAL RIGHTS & PRIVACY ACT

WEB LINKhttp://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

FERPA

1974 – Buckley Amendment (Sen. Buckley, NY)Federal Statute governing privacy of student education records & student informationGoverned under the Department of Education’s; Family Policy Compliance Office (FPCO)

Responsibilities of the FPCO:o Advises institutions about FERPAo Investigates complaints of non-compliance with FERPAo Resolves complaints of non-compliance with FERPA

violation does not need to represent a “policy or practice” no provision under FERPA for student to sue because of a

violation institution allowed to voluntarily correct could lose federal funding

o Reference & Contacto www.ed.gov/offices/OM/fpco.htlmo FERPA@ed.gov for Education Officials only

More about FERPA…

Institutions Receiving Federal Funds Have A Legal As Well As A Moral Responsibility To

Protect Education & Any Private Or Confidential Records Retained In Possession *

*Office OR Department Holding & Securing The Record

As Required By Privacy Laws

FERPA & FPCO

FERPA’s regulations are governed under the Department of Education

Family Policy Compliance Office (FPCO)

o FERPA applies to each education agency & institution that receives funds under any program administered by the Secretary of Education

o Educational institutions are schools or other entities that provide education services & are attended by students

o Educational agencies are entities that are authorized to direct & control public elementary, secondary or post secondary institutions

FERPA REACH

‘Sole Possession’ Records

Typically Sole Possession Records Are:o Records created & maintained by a law enforcement unit for a law

enforcement purposeo Employment recordso Medical * records that are made & maintained in the course of

treatment & disclosed only to those individual providing treatmento Records that contain information about an individual after he or

she is no longer a student at that institution

* Restricted Access - Confidential Records – Refer to HIPAA

CLARIFICATION OF PERSONAL NOTES

Faculty, advisors, program coordinators & deans that have records they make to be used as a personal memory aid in connection with a student & kept in their possession without revealing to others or becoming part of an official student record are also considered ‘sole possession’ records - - Once that information is shared with any other institutional office in any manner or recorded in database, BB or university email – then the information becomes an educational record protected by FERPA

OFFICES & UNITS RETAINING STUDENT RECORDS

Admissions Records* Cumulative Academic Records Financial Aid Records***

Student Employment Records*** College/Academic Advising Records Financial Records*** Disciplinary Records Medical Records** Mental Health\Personal/Career Counseling

Records** Cooperative Education & Placement Records*

*Department proprietary until applicant achieves ‘enrolled/registered status’ - then the record is protected under FERPA** Student records retained by SHS and MH records are subject to HIPAA*** Student records retained by Financial Aid/Accounting/Human Resources – Also Under Gramm Leach Bliley Act (GLB)

Legal Record Determiners

WITH FEW EXCEPTIONS - ALMOST ANY RECORD IN ANY FORMAT@ DIRECTLY RELATED TO A STUDENT (EXCEPT THOSE MAINTAINED AS ‘SOLE POSSESSION’ RECORDS) MADE ON THIS CAMPUS WHICH ARE RELATED TO A STUDENT’S EDUCATION -MUST BE HANDLED IN COMPLIANCE WITH FERPA OR OTHER RELEVANT PRIVACY LAWS

@Record Formats Include: Written, Graded Documents, Forms, Printed, Copies, Digital, Internet, Institution Database, Scanned, Emailed Taped, Photographed, Video Graphed (Celluloid Film Or Digital)

MEDICAL RECORDS WHICH ARE MAINTAINED ACCORDING TO * HIPAA REQUIRE THAT THEY BE HANDLED WITH PRIVACY IN MIND & IN ACCORDANCE WITH SPECIFIC RULES ABOUT WHO CAN READ THEM, HOW LONG THEY MUST BE KEPT & WHEN THEY MUST BE DESTROYED* Restricted Access – HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules

The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

GALLAUDET UNIVERSITY Classifies Student Information Into 3 BASIC Categories

ACADEMIC Information• Student ID Number• Dates of Attendance• Career/Program• Academic Standing

with University• Major & Class (Fr., Soph., Jr.,

Sr.)• Advisor• A.D.G. (Anticipated Date of

Graduation)• Transcript Records• Degree Awards &

Honors (honors that appear on a transcript only)

• Veteran Status• Athletic Status• Application Information &

Previous Education Records

CONTACT Information• Campus Address• Telephone/VP/TTY

Numbers• Addresses• GU E-mail Address• Non-GU E-mail

Address• Other Personal -

Social Media Addresses

• Emergency Contacts

CONFIDENTIAL & PERSONAL Information Personal Proprietary Information

Student’s Full Name/Former Names DOB & Related Information SSN - Passport - CC ## – Driver’s License

Info & # Financial & Financial Aid + FAFSA/Student

Loans Health Information (HIPPA) Employment Information/Records Family PPI Information, Photographs

/Social Relationships Gender, Race, Marital Status, Religion &

Organizations Citizen - Country/VISA I-20 – SEVIS Information Judicial Status

WHAT IS THE DIFFERENCE BETWEEN A HISTORIC RECORD …AN ARCHIVAL RECORD & A PERMANENT RECORD

HISTORIC records are those that institutions have determined have significance due to their ability to document the history of the organization An ARCHIVAL RECORD is material determined to have permanent value, due either to standards of practice (ex: transcripts), their significance curriculum and/or educational plans, or legal requirements (regulations and lawsuits)

A PERMANENT RECORD is one with a life span in excess of 50 or more years, due to the preservation and management requirements associated with maintaining them. In some states, records with retention of over 25 years are considered permanent, although they have an eventual destruction

TRANSFER OF ACADEMIC RECORD RIGHTS

Rights are transferred from parents to students

at 18 years of age OR when the student is enrolled

in a postsecondary institution…at ANY AGE even if

under age 18

Parents may retain rights if student is still their dependent under the federal tax code*

*Official Proof Required By Registrar’s Office

FERPA Gives Students The Right To Inspect Their Education Records Amend Their Education Records Have Control Over The Disclosure Of Their

Education Records File A Complaint For An Alleged Violation Of

Their FERPA Rights

FERPA Was Written Specifically To Guarantee Students 4 Primary Rights

How Students are advised on FERPA rights at GU

All students are responsible for knowing the contents of the Student Handbook they receive during NSO - which covers information on ‘student records’ & FERPA

FERPA and student confidentiality information is included in each academic catalog

Annual notification of their basic FERPA rights with the ‘Request to Prevent Directory Disclosure Form’ required each year & maintained on file at the Registrar’s Office

The Registrar’s Office WEB provides a full FERPA Guide

Institutions MUST Advise Students Of Their FERPA Rights Annually

Institutions must identify ‘Directory Information’ & allow students the right to restrict the disclosure of their Directory Information FERPA also leaves it to the discretion of an institution to release directory information or not to release directory information* Conflict with State Law It should be noted that FERPA may be more permissive than the privacy & public information laws of some states - FERPA should not be interpreted to reduce the stringency of such State laws - They counsel common sense, good judgment, perspective & integrity for compliance by postsecondary institutions in the implementation of the Act GU Policy - “Do not disclose ‘Directory Information’ unless required to do so legally” - The Registrar’s Office generally handles all student information releases – Check with the Registrar or campus legal counsel* Information may be released with the student’s written consent (i.e. a 3rd party signed release) current or previously given for applicable purposes – Under the circumstances specified in the section “Statement of Confidentiality” or as judiciously ordered & In the event of a health or safety emergency

FERPA DICTATES THAT STUDENTS BE ALLOWED TO OPT OUT OF DISCLOSURE OF DIRECTORY INFORMATION ANNUALLY

DIRECTORY INFORMATION *MAY INCLUDE

NameAddressTelephone numberEmail addressMajor field of studyDates of attendanceEnrollment statusDegrees and awards received

Date and place of birthMost recent previous school attended

Photographs

DIRECTORY INFORMATION MUST NOT INCLUDE

Student ID NumberSocial Security NumberRaceEthnicityNationalityGender

*Point of Release OR Review Regarding Information Requests Should Almost Always Occur At The Registrar’s Office To Remain FERPA Compliant - - FERPA Blocks & Student Releases Can Be Appropriately Determined As Well As Student’s Privacy Rights Protected

DO NOT REVIEW any student personal information that is out in the open to view - IF it is not related to any part of your work responsibility - Be responsible & FERPA compliant when working with the following types of information

o Student ID numberso Other confidential personal identifiers (i.e. DOB, SSN,

Driver’s License ID, CC Account etc.). o This includes payment sheets & receipts o Academic program student

files/lists/directories/mailing labelso Career Center recordso Student employment (including work study)

DO NOT DISPLAY OR CREATE LISTS of student personal information publically in association with the student’s name, student ID numbers, or other confidential personal identifiers (i.e. DOB, SSN, Driver’s License ID, Passport, CC or Other Accounts etc.)

This includes o Payment sheets & receipts o Athletic NCAA participation forms, rosters & sign in

sheetso Academic program student

files/lists/directories/mailing labelso Career Center recordso Student employment (including work study)

Student Status at GUOnce a student is formally admitted, matriculated - has scheduled a course or courses & then completes business registration – they are officially considered ‘an enrolled student’ & can be verified ‘registered’ at Gallaudet University

Continuing student status involves the ability for a student to course register, maintain a schedule & complete business registration in the next upcoming enrollment period

BEST PRACTICES

Managing Protection Of Student Records

& Confidential Information

YOUR Work & Student Information o Be mindful of the use of student information & do not show a

lack of consideration for how or where that information may be used or re-released (refer to next slide)

o Be mindful of the environment in which you may print any document or make copies

o There are increased concerns for identity theft, financial fraud & other serious & harmful uses/practices as well as uploading information onto the internet

o Only use or access records involved with your work & do not seek other information that does not apply to that work with a student

o It is always best for the student to give out their own personal information (i.e. SSN, DOB, address/contact information) or provide official proof of identity when needed (students may also require a notary public in some situations) – authentication is a best practice & generally handled at the Registrar’s Office

YOU MAY BE PROTECTING THE STUDENT FROM HARM

MISCELLANEOUS NOTES…

•Student records may have documents that did not originate at Gallaudet - The nature of these documents held in a student file past the applicant admission process cannot be copied or transferred in any way to the student or other agencies/institutions without professional & legal author/ownership rights being properly addressed *

•Records – including transcripts, SAT, ACT, GRE scores, evaluations, audiograms & letters of recommendations from other institutions/services cannot be copied or re-released without ownership/author rights being violated - Proper official signed releases from the document author/owner must be received with date & recipient release information included

*Businesses with the proprietary rights of such records must provide specific copy & re-release permissions to a designated recipient institution or business by postal mail or certified courier directly to Gallaudet Registrar’s Office – all releases must be authentic – thus no facsimile copies or statements provided by student, phone/VP call or email will be accepted

FERPA Risks & ViolationsFACULTY - These Are FERPA Violations• Posting a list of student grades by name,

SSN or Student ID# anywhere that is accessible to others

• Leave graded tests/papers in a stack for students to sort through & pick up

• Discuss a student’s education records with others (education officials or not) where you might be overheard or viewed (i.e. signed conversations, VP, SKYPE or other visual communication methods)

• Release student information by phone or e-mail – refer the inquiry to the Registrar’s Office

• Dispose of old student records in the normal trash

• DO NOT post student personal academic information in a class group BB post (evaluations, grades, critiques & non-general program/course information)

ADMINISTRATION & ACADEMIC STAFF These Are Serious FERPA Violation Risks• Not keeping student files locked & secured

out of public view• Keeping “Unofficial Files” to circumvent

FERPA• Not having a process for addressing &

resolving student grievances/complaints• Failing to list accrediting agency’s contact

information for students in case of grievances/complaints

• Not providing a copy of all such grievances or complaints to the President’s office & university legal counsel

• Taking student files or information from a record home or any other location not designated or authorized by university policy

Non- Edu Staff & Employees - These Are FERPA Violations & PPI Risks• Using an open computer in an office you are working in or around to view student

database records• Using technical devices to copy/record student information of an academic or personal

confidential nature• Opening an office to an intruder or others that are not assigned to that office in order to

acquire access to record files etc• Removing any documents, folders or files within your work area that belong to the

university in official business related to students• Remove official mail to be sent or received by an office with student records • Removing any folders, documents, USB devices, to access & use information

RECORD MAKING CAUTION

•Record & information collection – especially personal information requires too much security to maintain digital or hard copy files of any type & leaves the university responsible for any infractions of shared – misused information

DIGITAL RECORDSEducational institutions & agencies are required to conform to fair information practices - This means that persons who are ‘subjects’ of data systems (i.e., students at an institution) MUST• Be informed of the existence of such systems • Have identified for them what data about them are on record • Be given assurances that such data are used only for intended purposes • Be given the opportunity to request an amendment or correction to their record*

• Be certain that those responsible for data systems take reasonable precautions to prevent misuse of the data

Miscellaneous Data•Although the fair information act does not require it, those responsible for data systems are obliged to consider properly disposing of, or destroying information when the conditions under which that information was collected no longer exists & there are no legal restrictions preventing such disposal

Permanent Records •Grades, grade changes, withdrawals, official transcripts & curriculum plans are all permanent academic records

*Corrections to personal BIO/Demographic information programs, majors, etc. following proper policies, protocols & approvals with the Registrar’s Office

If it is found that passwords are being loaned or shared, employees who are assigned access to records are subject to disciplinary action

As such, a log-on ID belongs to a single individual

It is the responsibility of the accountable officer in each department/division to notify GTS when the individual leaves the employment of the university or changes positions within the university

Upon such notification, the log-on ID should be discontinued to prevent inappropriate access & data changes

The password is entered with the log-on ID to initiate a computer session

DATABASE

Login &

Password Requiremen

ts

Educational Databases Track All Access & Educational Related Database ‘db’ USE AS WELL AS DATA ENTRY WORKEach Employee Will Be Required to Agree to University Policies*

YOUR ACCESS to education information & university record databases must be for a legitimate educational purpose & your

access must be limited to a use that is within your responsibility & required duties in your designated position

* Please check with the Registrar’s Office when you have questions AGREEMENTS FOR db ACCESS & USE MUST MEET ALL LEGAL

REQUIREMENTS• ONLY USE areas of database involved with your work & do not seek other information that does not apply to that work with a student• DO NOT USE unsecured Wi-Fi to access database from home• It is important to BE AWARE OF THE ENVIRONMENT you share information with a student about their records/grades/concerns/progress etc • It is also IMPORTANT not to allow anyone to view student information on a computer screen, leave a computer monitor or record open unattended or not properly secure/log out of a campus PC or db• REMEMBER it is important to never give anyone your login access or password• DO NOT use or allow students to use USB devices that may compromise db or other records/documents e-mails saved onto the computers

E-mails & FERPA Remember FERPA Draws No Distinction Between Paper & Electronic Records

Thus.. e-mails that (a) you "maintain" & (b) are ‘directly related’ to a student will constitute "education records" unless they fall within one of the six ‘exceptions’ (sole possession records, treatment records, law enforcement records, employment records, alumni records & peer grading records) - Faculty & staff e-mail to or from a student or about a student generally will constitute education records & none of the exceptions generally applyo DO NOT use your personal e-mail for academic issues, grading,

evaluations, advisement etc - USE UNIVERSITY ISSUED E-MAIL ONLYo E-mails should be exclusive NOT inclusive – do not forward without

specified permission by a student o Send e-mails to individual students when discussing their progress,

program, other academic or confidential informationo NEVER enter a student’s full name, SSN, student ID in the subject line of

an e-mailo DO NOT forward a student listing via e-mail without permission from the

Registrar’s Office due to FERPA release parameters & proper departmental requests

o It is important to clear your computer cache daily and delete all downloaded documents (Google will store these downloads in both PS/BISON as well as GU e-mail)

o Please do not ask students to send personal proprietary information via e-mail that is not encrypted

o DO NOT encourage students to scan student information via unencrypted non-GU e-mail accounts

…PCs – Laptops - Wi-Fi – USBs Clear cache PC/laptop upon login/logout of

database Do not leave PCs or laptops unattended Do not allow personal USB device use with

Gallaudet networked computers ALWAYS clear downloads of academic record or

personal information documents on computers used/accessed by students & others

All GU computers, scanners need to have hard drives erased/wiped digitally clean of all login password records, system files related to GU & networking before disposing or re-selling

DO NOT allow personal USB device use with Gallaudet networked computers

ALWAYS clear downloads of academic record or personal information documents on computers used/accessed by students & others

Office Machines & FERPALeased Office Machines Copiers – Scanners – Facsimiles Always use a ‘FERPA LENS’ when

dealing with contractors/vendors of any digital platform or archival function

Seek approval of all vendor relationships/contracts through campus legal counsel

Always have clearly defined contracts with such vendors for university ownership & handling of the information according to laws & university policies for safe secure confidential/academic records management

Leased copiers, fax, scanner, imaging digital office equipment – ALWAYS clear cache or retain hard drive drum for proper complete technical

complete eraser/removal of information

DO NOT allow any PC, laptop, university USB devices, copiers, fax/scanners to leave offices or the Gallaudet University campus with retrievable confidential or academic

record information

PRIOR WRITTEN CONSENT“When in doubt, think prior written

consent.”Leroy Rooker, former director of the Family Policy

Compliance Office

FPCO strongly advises all universities to only release information on a single request basis with a written dated consent via the Registrar’s Office to insure that any proprietary information as well as academic

information that is released is in full compliance with the laws

THIS IS THE END OF THE GU FERPA TUTORIAL

PLEASE PROCEED TO THE FERPA QUIZ