4 FERPA Pitfalls to Avoid
When it comes to protecting student records against FERPA (Family Educational Rights and Privacy Act) breaches, security and staff training both play essential roles. Here are four tricky aspects of the law that can lead to problems:
1. Improper Understanding of FERPA Hampers Emergency Responses
According to the 2018 Final Report of the Federal Commission on School Safety, misunderstandings surrounding FERPA and emergencies persist and present a real danger to students and staff:
“…confusion remains in some localities about whether and when student records can legally be shared during a health or safety emergency. Reducing this confusion can lead to greater compliance and appropriate reporting of threats to the safety of students and schools.” (The Federal Commission on School Safety, 2018)
It’s important that organizations become familiar with how FERPA allows information sharing in “worst case scenarios” so that the law designed to protect students doesn’t end up causing harm.
Permissible Disclosures to Threat Assessment Teams
Problems often start small, but grow big if neglected. Schools are encouraged to set up “Threat Assessment Teams” of school officials, healthcare providers, and police in order to review potential problem situations. Providing a pipeline for staff to present concerns can help ensure students get the help and protection they need before a serious threat or concern emerges.
“Threat assessments are best performed by multi-disciplinary teams that include highly trained professionals from a variety of different disciplines (e.g., teachers, administrators, school resource officers, school psychologists, guidance counselors). The team will conduct the threat assessments, implement crisis prevention when needed, assess the student’s potential for violence, and develop intervention and management strategies to mitigate that risk.” (The Federal Commission on School Safety, 2018)
Beyond members of the team that are school staff, FERPA also allows non-employees to be given access to protected records without prior approval by the rights holders, as long as they “perform an institutional service or function” for which the school or district would otherwise use employees, are under the “direct control” of the institution with regard to student records, are subject to FERPA’s use and re-disclosure requirements, and qualify as “school officials” with “legitimate educational interests” under the law (U.S. Department of Education, 2019).
Staff Observations Aren’t Protected Unless They’re in Records
Staff observations of student behavior aren’t considered protected information under FERPA until (and if) they become part of official education records (for example, after being recorded in disciplinary records). As a result, if staff see something concerning, FERPA shouldn’t hold them back from reporting it. As long as these observations aren’t in the official records, FERPA doesn’t prevent them being passed along to authorities, healthcare professionals, and others, even if the situation doesn’t represent an imminent threat.
The FERPA Emergency Exception
FERPA allows for extraordinary disclosures, meaning releases of information far beyond what is normally allowed without consent, in order to respond to emergencies or prevent extraordinary impending events.
The intent behind the law is to ensure emergency services and parents have the information they need to protect (or care for) students, without essential details being withheld due to privacy concerns. However, the Department of Education is clear that such disclosures can only occur with specific information and in a specific time frame to handle imminent or current emergencies.
“This exception to FERPA’s general consent requirement is limited to the period of the emergency and does not allow for a blanket release of PII from a student’s education records. Rather, these disclosures must be related to a significant and articulable emergency, such as an impending natural disaster, a terrorist attack, a campus threat, or the outbreak of an epidemic disease.” (U.S. Department of Education, 2019)
These limitations have proved to be a significant source of frustration to the press and community at large when a student or former student is involved in a crime. However, the law doesn’t make exceptions for releasing student records to the general public after the fact.
For additional insight from the US DoE on this subject, check out their recent guidance document: School Resource Officers, School Law Enforcement Units, and the Family Educational Rights and Privacy Act (FERPA).
2. FERPA Protects Without Expiration Dates
Even if a student has long since graduated, your organization is still obligated to protect their records. FERPA protections apply to any student record and information collected during their time with your institution, whether they’re still in attendance or not. Furthermore, the law also protects any additional educational information that may come into your hands that is generated after the student leaves (for example, due to transfer requests, applications, inquiries, etc.).
FERPA After Death
Unlike with HIPAA, FERPA protections end in the event of a student or former student’s death if the student is an “eligible student” (over 18 and/or attending postsecondary education) and thus the primary rights holder. If the student hasn’t met these criteria yet, protections continue as their parents hold the rights. However, even if standard FERPA protections have ended, it’s important to be aware of any applicable state laws or district guidelines that may extend or replace them.
3. The Telephone is an Easily Overlooked Breach Vector
FERPA privacy protections focus on students’ information, regardless of what form it’s conveyed in, which means phone calls and voicemails can be vectors for breaches.
Given the immediate “on the spot” nature of telephone conversations, it can be easy for details to slip out. It’s essential that staff be aware of their obligations in voice communications and that systems are protected against breaches.
The caller says they’re a student’s parent. They may even know some private details. But can you be sure that they’re really who they say they are? Your organization needs to have a system for verifying identities prior to releasing private information, and anyone who could answer the phone must be trained to use it.
The Line Between Directory Information and Private Information
While teachers are probably more aware of what they are and aren’t allowed to share about students, office staff more removed from these records could accidentally cross the line between what they’re allowed to share (defined as “Directory Information” under the law) and what they can’t (everything else). Everyone who could answer the phone at your organization needs to know where this line is, or that they aren’t allowed to share anything at all (instead referring questions to someone else).
Examples of directory information can include:
- Phone Number
- Birth Information (Date & Place)
- Names of Honors & Awards
- Dates of student attendance at an institution – i.e. “was a student from ____ to ____”
Parents may be surprised to find out that some of these details (like a student’s birth information) are not protected under FERPA, which is why educational institutions are required to provide advance notice of what information they will be making available under this clause.
Information That is Shareable…Unless It Isn’t
Further complicating things is the fact that while FERPA allows Directory Information to be shared without prior consent, students and parents can request that information be withheld, making it private in their case. It’s likely that most won’t have taken this step, so it can be harder for staff to remember which students have, especially mid-conversation. Record systems should be set up to explicitly signal when a student has requested privacy, and staff should be trained to check before responding to requests, even if 99% of the student body allows disclosure.
Phone Theft Can Lead to Breaches
Beyond controlling what information staff give out, there’s another phone breach risk your organization should be aware of. If staff have access to work voicemails via mobile devices (either organization-provided or used under Bring Your Own Device (BYOD) initiatives), there is always a risk of them being lost or stolen. Using a Secure Messaging solution (such as CX-E) protects against this risk by making messages accessible to, but not storable on, such devices. In the event one is exposed, messaging access can be cut off at the server level, preventing a breach without requiring the device’s recovery.
4. Letters of Recommendation Are Student-Viewable Records Under FERPA
Providing student records to other institutions for the purposes of student applications or transfers is a permissible disclosure under FERPA. As a result, letters of recommendation can be sent freely to the appropriate schools without prior disclosure. However, it’s important to remember that FERPA isn’t just about preserving student privacy; it also guarantees student (or parent, depending on the student’s age & secondary education status) access to education records.
This means that students and parents have the legal right to demand access to these documents where teachers & staff are providing their candid assessments. The risk of oversight can have a chilling effect on how upfront they’re willing to be. For this reason, asking the FERPA rights holder to sign a waiver of their rights regarding such letters can facilitate a smoother process that allows educators to deliver more detailed assessments.
Learn More About FERPA’s Intricacies
Explore the FERPA Information Hub for answers to a huge range of frequently asked questions, including:
- Does FERPA apply to international students?
- Can a student use FERPA to shield their records from their parents?
- Does FERPA protect immigration status?
Secure Your Document Communications
It’s essential to remember that student records aren’t only vulnerable to attack when they’re sitting on your servers. Outside communications are a point of significant vulnerability that shouldn’t be discounted. Email was never designed to be secure and without added protections cannot rebuff efforts to intercept it. Couriers and other physical shipping methods get expensive quickly and can also cause unexpected delays. You need a solution that is fast, affordable, reliable and secure.
XMedius data solutions are the answer. XM Fax is the industry-leading Fax over IP (FoIP) solution that allows your organization to replace expensive, unreliable fax machines with modern computer and MFP integrations. Take advantage of fax’s ubiquitous adoption amongst institutions without the hassle of outdated hardware.
XM SendSecure is the future of secure file exchange. While FoIP solutions are perfect for sending black and white documents, being able to send data is increasingly becoming essential to schools. With this solution, your organization can send any type of file in sizes of up to 5 terabytes. Beyond transferring small items like grading spreadsheets, database entries, and other records, it also excels at delivering large files like security camera footage and photographs. Not only that, but the solution is intuitively designed to make communications with parents and outside institutions (schools, police departments, government agencies, etc.) easy. They aren’t even required to have their own account; you can provide links that allow them to send you files using yours.
Reach out to us to learn more about how these and other XMedius solutions can improve the way you work on a daily basis.
The Federal Commission on School Safety. (2018). Final Report of the Federal Commission on School Safety. Retrieved July 8, 2019, from https://www2.ed.gov/documents/school-safety/school-safety-report.pdf
U.S. Department of Education. (2019, February). School Resource Officers, School Law Enforcement Units, and the Family Educational Rights and Privacy Act (FERPA). Retrieved from StudentPrivacy.ed.gov: https://studentprivacy.ed.gov/resources/school-resource-officers-school-law-enforcement-units-and-ferpa