Educause Security Discussion mailing list archives
Re: FERPA Notice of Proposed Rulemaking Addresses Changes in IT
From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Wed, 2 Apr 2008 10:52:32 -0600
A quick clarification to my post. The Freedom of Information Act is a federal item that affects information held by the federal government. Check with your state to see what your state equivalent looks like and how it relates to FERPA. In your state, there may or may not be a relationship between the two.

Brad Judy
IT Security Office
University of Colorado at Boulder

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brad Judy
Sent: Wednesday, April 02, 2008 9:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses Changes in IT

There seems to be a lot of misinformation about "directory" information as defined by FERPA. Let's go to the source:

Section 99.3 of FERPA says (to see the full text, visit http://www.ed.gov/policy/gen/reg/ferpa/index.html):

""Directory information" means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. It includes, but is not limited to, the student's name, address, telephone listing, electronic mail address, photograph, date and place of birth, major field of study, dates of attendance, grade level, enrollment status (e.g., undergraduate or graduate; full-time or part-time), participation in officially recognized activities and sports, weight and height of members of athletic teams, degrees, honors and awards received, and the most recent educational agency or institution attended."

Institutions are allowed to define "directory information" for their campuses within these boundaries (and it appears there are proposed changes to these boundaries).

As mentioned, "directory" information in FERPA is unrelated to LDAP directories, white pages, etc. It is a data classification definition that is then used later in the document to define the conditions for disclosure of student related information. It's an unfortunate choice of wording, but we're stuck with it.

FERPA directory information is not related to Freedom of Information Act requests. FOIA requests are requests for "public records", another data classification that applies to government entities. In the case of state schools or information handed to the department of education, an FOIA request could be made for records related to higher education, but it is not part of FERPA.

Classifying information as "directory information" does NOT make it public, it changes the rules under which it can be given to third parties. An institution can classify a piece of information as "directory information" and then choose to never publicly disclose it.

Section 99.37 of FERPA "What conditions apply to disclosing directory information?"

"(a) An educational agency or institution may disclose directory information if it has given public notice to parents of students in attendance and eligible students in attendance at the agency or institution of:
(1) The types of personally identifiable information that the agency or institution has designated as directory information;
(2) A parent's or eligible student's right to refuse to let the agency or institution designate any or all of those types of information about the student designated as directory information; and
(3) The period of time within which a parent or eligible student has to notify the agency or institution in writing that he or she does not want any or all of those types of information about the student designated as directory information.
(b) An educational agency or institution may disclose directory information about former students without meeting the conditions in paragraph (a) of this section"

In short, FERPA is just about data classification and data disclosure. It just defines two broad categories of information, then defines the circumstances where consent is, or is not, required to disclose those two different classes of data to different groups. This includes rules on specific situations like safety issues, justice system requests, government requests, etc. (It also covers things like hearings, complaints and amending records)

If you have any questions about FERPA on your campus, ask the person responsible for FERPA on your campus. This is likely the group/person generally responsible for student records, maybe your registrar.

Brad Judy
IT Security Office
University of Colorado at Boulder

_____________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Lassner
Sent: Wednesday, April 02, 2008 12:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] FERPA Notice of Proposed Rulemaking Addresses Changes in IT

* PGP Signed by an unverified key: 04/02/08 at 00:57:26

I'm with Michael. I haven't read this as carefully as I need to, but I think they got it pretty right.

A few observations:

The designation as "directory information" means that a data element is PUBLIC unless the student explicitly opts out (according to FERPA rules). It has nothing to do with directory technology. Think "directory" = "printed phone book" and you'll get FERPA-speak. In this case, PUBLIC means that it can be given out to salespeople, newspapers and vexatious requesters under FOIA. But it is not 100% public since all students must be given the option to opt out of having their directory information publicly disclosed.

To the extent university employees need access to information to do their jobs, they can be provided with such access independent of whether a data element is "directory information" or whether a student has opted out. Nothing in FERPA is intended (lack of emphasis mine) to frustrate the ability of institutions to do their jobs. This applies to lookups via a student ID, the sending of institutional email and tax reporting with SSNs.

I agree that the proposed language is not helpful to those who think that institutions need to provide and manage standard identifiers that can be used for the posting of grades on pieces of paper outside office doors. Even if one believes this practice is worth fighting over, designation of any proposed identifier as "directory information" is not the solution to this problem since no directory information can be posted for students who have opted out. So every faculty member would have to consult the opt-out list and manually refrain from posting grades for any students who had opted out of public disclosure of their directory information.

What did I like most? If we think beyond grades posted on pieces of paper to issues associated with learning, this proposal nails a major exposure. The current guidelines have been interpreted to prohibit disclosing to students any information about other students in classes if they have opted out of disclosure of their directory information. E.g., if email address is directory information (as is standard), then disclosure of this information to other students in the class was considered to be a PUBLIC disclosure and inappropriate for students who might have opted out of inclusion in phone books and other really public media. This would apply to other "handles" as well. Addressing this issue is a big step forward for those who believe that online collaboration might be important in current and future learning environments.

david

On Apr 1, 2008, at 1:09 PM, Basgen, Brian wrote:
Chuck,

For example, I'd suggest that the proposed regulation say that if the student identifier is used in any manner to authenticate access without some additional companion authentication mechanism known only to the student like a PIN or password, it cannot be included as directory information.

Keep in mind that they do address "student identifiers" in exactly this manner. Kevin has found that the issue is their particular exclusion of "student IDs". It is one of those semantic things that, as you've pointed out, has quite a bit of meaning.

My guess is that this regulation is picking up on a practice within institutions, like us, which have made student IDs non-directory as a method for dissuading faculty from posting student IDs with grades. I also think they are using this "5%" grade posting practice with student IDs as a "proof" that student IDs are, as a matter of practice, PII.

What troubles me the most about this part of the regulation is where they talk about "no data" on more than one occasion, and yet make assumptions anyway. While I like their overall direction and don't want that to get lost in a critique, I also think these regs would serve us far better if they were based on concrete data. If it is true that there is a widespread *practice* of using Student IDs as a form of PII, then I think a reg makes sense. If it is the exception and not the rule, then I think they are using the wrong method to address the problem of identifiers and authenticators.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College
* david () hawaii edu <david () hawaii edu> * Issuer: UH - Unverified