ferpa tutorial
TRANSCRIPT
For All Gallaudet University Employees
FERPA Guide & Tutorial
PLEASE MAKE TIME TO READ & UNDERSTAND
ALL THE FERPA INFORMATION PRESENTED
You Will Be Required To Pass A Quiz
On FERPA Information
FAMILY EDUCATIONAL RIGHTS & PRIVACY ACT
WEB LINKhttp://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
FERPA
1974 – Buckley Amendment (Sen. Buckley, NY)Federal Statute governing privacy of student education records & student informationGoverned under the Department of Education’s; Family Policy Compliance Office (FPCO)
Responsibilities of the FPCO:o Advises institutions about FERPAo Investigates complaints of non-compliance with FERPAo Resolves complaints of non-compliance with FERPA
violation does not need to represent a “policy or practice” no provision under FERPA for student to sue because of a
violation institution allowed to voluntarily correct could lose federal funding
o Reference & Contacto www.ed.gov/offices/OM/fpco.htlmo [email protected] for Education Officials only
More about FERPA…
Institutions Receiving Federal Funds Have A Legal As Well As A Moral Responsibility To
Protect Education & Any Private Or Confidential Records Retained In Possession *
*Office OR Department Holding & Securing The Record
As Required By Privacy Laws
FERPA & FPCO
FERPA’s regulations are governed under the Department of Education
Family Policy Compliance Office (FPCO)
o FERPA applies to each education agency & institution that receives funds under any program administered by the Secretary of Education
o Educational institutions are schools or other entities that provide education services & are attended by students
o Educational agencies are entities that are authorized to direct & control public elementary, secondary or post secondary institutions
FERPA REACH
‘Sole Possession’ Records
Typically Sole Possession Records Are:o Records created & maintained by a law enforcement unit for a law
enforcement purposeo Employment recordso Medical * records that are made & maintained in the course of
treatment & disclosed only to those individual providing treatmento Records that contain information about an individual after he or
she is no longer a student at that institution
* Restricted Access - Confidential Records – Refer to HIPAA
CLARIFICATION OF PERSONAL NOTES
Faculty, advisors, program coordinators & deans that have records they make to be used as a personal memory aid in connection with a student & kept in their possession without revealing to others or becoming part of an official student record are also considered ‘sole possession’ records - - Once that information is shared with any other institutional office in any manner or recorded in database, BB or university email – then the information becomes an educational record protected by FERPA
OFFICES & UNITS RETAINING STUDENT RECORDS
Admissions Records* Cumulative Academic Records Financial Aid Records***
Student Employment Records*** College/Academic Advising Records Financial Records*** Disciplinary Records Medical Records** Mental Health\Personal/Career Counseling
Records** Cooperative Education & Placement Records*
*Department proprietary until applicant achieves ‘enrolled/registered status’ - then the record is protected under FERPA** Student records retained by SHS and MH records are subject to HIPAA*** Student records retained by Financial Aid/Accounting/Human Resources – Also Under Gramm Leach Bliley Act (GLB)
Legal Record Determiners
WITH FEW EXCEPTIONS - ALMOST ANY RECORD IN ANY FORMAT@ DIRECTLY RELATED TO A STUDENT (EXCEPT THOSE MAINTAINED AS ‘SOLE POSSESSION’ RECORDS) MADE ON THIS CAMPUS WHICH ARE RELATED TO A STUDENT’S EDUCATION -MUST BE HANDLED IN COMPLIANCE WITH FERPA OR OTHER RELEVANT PRIVACY LAWS
@Record Formats Include: Written, Graded Documents, Forms, Printed, Copies, Digital, Internet, Institution Database, Scanned, Emailed Taped, Photographed, Video Graphed (Celluloid Film Or Digital)
MEDICAL RECORDS WHICH ARE MAINTAINED ACCORDING TO * HIPAA REQUIRE THAT THEY BE HANDLED WITH PRIVACY IN MIND & IN ACCORDANCE WITH SPECIFIC RULES ABOUT WHO CAN READ THEM, HOW LONG THEY MUST BE KEPT & WHEN THEY MUST BE DESTROYED* Restricted Access – HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security and Breach Notification Rules
The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.
GALLAUDET UNIVERSITY Classifies Student Information Into 3 BASIC Categories
ACADEMIC Information• Student ID Number• Dates of Attendance• Career/Program• Academic Standing
with University• Major & Class (Fr., Soph., Jr.,
Sr.)• Advisor• A.D.G. (Anticipated Date of
Graduation)• Transcript Records• Degree Awards &
Honors (honors that appear on a transcript only)
• Veteran Status• Athletic Status• Application Information &
Previous Education Records
CONTACT Information• Campus Address• Telephone/VP/TTY
Numbers• Addresses• GU E-mail Address• Non-GU E-mail
Address• Other Personal -
Social Media Addresses
• Emergency Contacts
CONFIDENTIAL & PERSONAL Information Personal Proprietary Information
Student’s Full Name/Former Names DOB & Related Information SSN - Passport - CC ## – Driver’s License
Info & # Financial & Financial Aid + FAFSA/Student
Loans Health Information (HIPPA) Employment Information/Records Family PPI Information, Photographs
/Social Relationships Gender, Race, Marital Status, Religion &
Organizations Citizen - Country/VISA I-20 – SEVIS Information Judicial Status
WHAT IS THE DIFFERENCE BETWEEN A HISTORIC RECORD …AN ARCHIVAL RECORD & A PERMANENT RECORD
HISTORIC records are those that institutions have determined have significance due to their ability to document the history of the organization An ARCHIVAL RECORD is material determined to have permanent value, due either to standards of practice (ex: transcripts), their significance curriculum and/or educational plans, or legal requirements (regulations and lawsuits)
A PERMANENT RECORD is one with a life span in excess of 50 or more years, due to the preservation and management requirements associated with maintaining them. In some states, records with retention of over 25 years are considered permanent, although they have an eventual destruction
TRANSFER OF ACADEMIC RECORD RIGHTS
Rights are transferred from parents to students
at 18 years of age OR when the student is enrolled
in a postsecondary institution…at ANY AGE even if
under age 18
Parents may retain rights if student is still their dependent under the federal tax code*
*Official Proof Required By Registrar’s Office
FERPA Gives Students The Right To Inspect Their Education Records Amend Their Education Records Have Control Over The Disclosure Of Their
Education Records File A Complaint For An Alleged Violation Of
Their FERPA Rights
FERPA Was Written Specifically To Guarantee Students 4 Primary Rights
How Students are advised on FERPA rights at GU
All students are responsible for knowing the contents of the Student Handbook they receive during NSO - which covers information on ‘student records’ & FERPA
FERPA and student confidentiality information is included in each academic catalog
Annual notification of their basic FERPA rights with the ‘Request to Prevent Directory Disclosure Form’ required each year & maintained on file at the Registrar’s Office
The Registrar’s Office WEB provides a full FERPA Guide
Institutions MUST Advise Students Of Their FERPA Rights Annually
Institutions must identify ‘Directory Information’ & allow students the right to restrict the disclosure of their Directory Information FERPA also leaves it to the discretion of an institution to release directory information or not to release directory information* Conflict with State Law It should be noted that FERPA may be more permissive than the privacy & public information laws of some states - FERPA should not be interpreted to reduce the stringency of such State laws - They counsel common sense, good judgment, perspective & integrity for compliance by postsecondary institutions in the implementation of the Act GU Policy - “Do not disclose ‘Directory Information’ unless required to do so legally” - The Registrar’s Office generally handles all student information releases – Check with the Registrar or campus legal counsel* Information may be released with the student’s written consent (i.e. a 3rd party signed release) current or previously given for applicable purposes – Under the circumstances specified in the section “Statement of Confidentiality” or as judiciously ordered & In the event of a health or safety emergency
FERPA DICTATES THAT STUDENTS BE ALLOWED TO OPT OUT OF DISCLOSURE OF DIRECTORY INFORMATION ANNUALLY
DIRECTORY INFORMATION *MAY INCLUDE
NameAddressTelephone numberEmail addressMajor field of studyDates of attendanceEnrollment statusDegrees and awards received
Date and place of birthMost recent previous school attended
Photographs
DIRECTORY INFORMATION MUST NOT INCLUDE
Student ID NumberSocial Security NumberRaceEthnicityNationalityGender
*Point of Release OR Review Regarding Information Requests Should Almost Always Occur At The Registrar’s Office To Remain FERPA Compliant - - FERPA Blocks & Student Releases Can Be Appropriately Determined As Well As Student’s Privacy Rights Protected
DO NOT REVIEW any student personal information that is out in the open to view - IF it is not related to any part of your work responsibility - Be responsible & FERPA compliant when working with the following types of information
o Student ID numberso Other confidential personal identifiers (i.e. DOB, SSN,
Driver’s License ID, CC Account etc.). o This includes payment sheets & receipts o Academic program student
files/lists/directories/mailing labelso Career Center recordso Student employment (including work study)
DO NOT DISPLAY OR CREATE LISTS of student personal information publically in association with the student’s name, student ID numbers, or other confidential personal identifiers (i.e. DOB, SSN, Driver’s License ID, Passport, CC or Other Accounts etc.)
This includes o Payment sheets & receipts o Athletic NCAA participation forms, rosters & sign in
sheetso Academic program student
files/lists/directories/mailing labelso Career Center recordso Student employment (including work study)
Student Status at GUOnce a student is formally admitted, matriculated - has scheduled a course or courses & then completes business registration – they are officially considered ‘an enrolled student’ & can be verified ‘registered’ at Gallaudet University
Continuing student status involves the ability for a student to course register, maintain a schedule & complete business registration in the next upcoming enrollment period
BEST PRACTICES
Managing Protection Of Student Records
& Confidential Information
YOUR Work & Student Information o Be mindful of the use of student information & do not show a
lack of consideration for how or where that information may be used or re-released (refer to next slide)
o Be mindful of the environment in which you may print any document or make copies
o There are increased concerns for identity theft, financial fraud & other serious & harmful uses/practices as well as uploading information onto the internet
o Only use or access records involved with your work & do not seek other information that does not apply to that work with a student
o It is always best for the student to give out their own personal information (i.e. SSN, DOB, address/contact information) or provide official proof of identity when needed (students may also require a notary public in some situations) – authentication is a best practice & generally handled at the Registrar’s Office
YOU MAY BE PROTECTING THE STUDENT FROM HARM
MISCELLANEOUS NOTES…
•Student records may have documents that did not originate at Gallaudet - The nature of these documents held in a student file past the applicant admission process cannot be copied or transferred in any way to the student or other agencies/institutions without professional & legal author/ownership rights being properly addressed *
•Records – including transcripts, SAT, ACT, GRE scores, evaluations, audiograms & letters of recommendations from other institutions/services cannot be copied or re-released without ownership/author rights being violated - Proper official signed releases from the document author/owner must be received with date & recipient release information included
*Businesses with the proprietary rights of such records must provide specific copy & re-release permissions to a designated recipient institution or business by postal mail or certified courier directly to Gallaudet Registrar’s Office – all releases must be authentic – thus no facsimile copies or statements provided by student, phone/VP call or email will be accepted
FERPA Risks & ViolationsFACULTY - These Are FERPA Violations• Posting a list of student grades by name,
SSN or Student ID# anywhere that is accessible to others
• Leave graded tests/papers in a stack for students to sort through & pick up
• Discuss a student’s education records with others (education officials or not) where you might be overheard or viewed (i.e. signed conversations, VP, SKYPE or other visual communication methods)
• Release student information by phone or e-mail – refer the inquiry to the Registrar’s Office
• Dispose of old student records in the normal trash
• DO NOT post student personal academic information in a class group BB post (evaluations, grades, critiques & non-general program/course information)
ADMINISTRATION & ACADEMIC STAFF These Are Serious FERPA Violation Risks• Not keeping student files locked & secured
out of public view• Keeping “Unofficial Files” to circumvent
FERPA• Not having a process for addressing &
resolving student grievances/complaints• Failing to list accrediting agency’s contact
information for students in case of grievances/complaints
• Not providing a copy of all such grievances or complaints to the President’s office & university legal counsel
• Taking student files or information from a record home or any other location not designated or authorized by university policy
Non- Edu Staff & Employees - These Are FERPA Violations & PPI Risks• Using an open computer in an office you are working in or around to view student
database records• Using technical devices to copy/record student information of an academic or personal
confidential nature• Opening an office to an intruder or others that are not assigned to that office in order to
acquire access to record files etc• Removing any documents, folders or files within your work area that belong to the
university in official business related to students• Remove official mail to be sent or received by an office with student records • Removing any folders, documents, USB devices, to access & use information
RECORD MAKING CAUTION
•Record & information collection – especially personal information requires too much security to maintain digital or hard copy files of any type & leaves the university responsible for any infractions of shared – misused information
DIGITAL RECORDSEducational institutions & agencies are required to conform to fair information practices - This means that persons who are ‘subjects’ of data systems (i.e., students at an institution) MUST• Be informed of the existence of such systems • Have identified for them what data about them are on record • Be given assurances that such data are used only for intended purposes • Be given the opportunity to request an amendment or correction to their record*
• Be certain that those responsible for data systems take reasonable precautions to prevent misuse of the data
Miscellaneous Data•Although the fair information act does not require it, those responsible for data systems are obliged to consider properly disposing of, or destroying information when the conditions under which that information was collected no longer exists & there are no legal restrictions preventing such disposal
Permanent Records •Grades, grade changes, withdrawals, official transcripts & curriculum plans are all permanent academic records
*Corrections to personal BIO/Demographic information programs, majors, etc. following proper policies, protocols & approvals with the Registrar’s Office
If it is found that passwords are being loaned or shared, employees who are assigned access to records are subject to disciplinary action
As such, a log-on ID belongs to a single individual
It is the responsibility of the accountable officer in each department/division to notify GTS when the individual leaves the employment of the university or changes positions within the university
Upon such notification, the log-on ID should be discontinued to prevent inappropriate access & data changes
The password is entered with the log-on ID to initiate a computer session
DATABASE
Login &
Password Requiremen
ts
Educational Databases Track All Access & Educational Related Database ‘db’ USE AS WELL AS DATA ENTRY WORKEach Employee Will Be Required to Agree to University Policies*
YOUR ACCESS to education information & university record databases must be for a legitimate educational purpose & your
access must be limited to a use that is within your responsibility & required duties in your designated position
* Please check with the Registrar’s Office when you have questions AGREEMENTS FOR db ACCESS & USE MUST MEET ALL LEGAL
REQUIREMENTS• ONLY USE areas of database involved with your work & do not seek other information that does not apply to that work with a student• DO NOT USE unsecured Wi-Fi to access database from home• It is important to BE AWARE OF THE ENVIRONMENT you share information with a student about their records/grades/concerns/progress etc • It is also IMPORTANT not to allow anyone to view student information on a computer screen, leave a computer monitor or record open unattended or not properly secure/log out of a campus PC or db• REMEMBER it is important to never give anyone your login access or password• DO NOT use or allow students to use USB devices that may compromise db or other records/documents e-mails saved onto the computers
E-mails & FERPA Remember FERPA Draws No Distinction Between Paper & Electronic Records
Thus.. e-mails that (a) you "maintain" & (b) are ‘directly related’ to a student will constitute "education records" unless they fall within one of the six ‘exceptions’ (sole possession records, treatment records, law enforcement records, employment records, alumni records & peer grading records) - Faculty & staff e-mail to or from a student or about a student generally will constitute education records & none of the exceptions generally applyo DO NOT use your personal e-mail for academic issues, grading,
evaluations, advisement etc - USE UNIVERSITY ISSUED E-MAIL ONLYo E-mails should be exclusive NOT inclusive – do not forward without
specified permission by a student o Send e-mails to individual students when discussing their progress,
program, other academic or confidential informationo NEVER enter a student’s full name, SSN, student ID in the subject line of
an e-mailo DO NOT forward a student listing via e-mail without permission from the
Registrar’s Office due to FERPA release parameters & proper departmental requests
o It is important to clear your computer cache daily and delete all downloaded documents (Google will store these downloads in both PS/BISON as well as GU e-mail)
o Please do not ask students to send personal proprietary information via e-mail that is not encrypted
o DO NOT encourage students to scan student information via unencrypted non-GU e-mail accounts
…PCs – Laptops - Wi-Fi – USBs Clear cache PC/laptop upon login/logout of
database Do not leave PCs or laptops unattended Do not allow personal USB device use with
Gallaudet networked computers ALWAYS clear downloads of academic record or
personal information documents on computers used/accessed by students & others
All GU computers, scanners need to have hard drives erased/wiped digitally clean of all login password records, system files related to GU & networking before disposing or re-selling
DO NOT allow personal USB device use with Gallaudet networked computers
ALWAYS clear downloads of academic record or personal information documents on computers used/accessed by students & others
Office Machines & FERPALeased Office Machines Copiers – Scanners – Facsimiles Always use a ‘FERPA LENS’ when
dealing with contractors/vendors of any digital platform or archival function
Seek approval of all vendor relationships/contracts through campus legal counsel
Always have clearly defined contracts with such vendors for university ownership & handling of the information according to laws & university policies for safe secure confidential/academic records management
Leased copiers, fax, scanner, imaging digital office equipment – ALWAYS clear cache or retain hard drive drum for proper complete technical
complete eraser/removal of information
DO NOT allow any PC, laptop, university USB devices, copiers, fax/scanners to leave offices or the Gallaudet University campus with retrievable confidential or academic
record information
PRIOR WRITTEN CONSENT“When in doubt, think prior written
consent.”Leroy Rooker, former director of the Family Policy
Compliance Office
FPCO strongly advises all universities to only release information on a single request basis with a written dated consent via the Registrar’s Office to insure that any proprietary information as well as academic
information that is released is in full compliance with the laws
THIS IS THE END OF THE GU FERPA TUTORIAL
PLEASE PROCEED TO THE FERPA QUIZ