FERPA Toolkit

Introduction

The following information was developed in coordination with the Registrar’s Office and the Center for Instructional Innovation and Assessment. Last updated 3/20/23.

For more information on procedures and interpretation at WWU, see:

  1. Annual Notification of Student Rights under FERPA - WWU Registrar’s Office
  2. FERPA - WWU Registrar’s Office
  3. FERPA: Brand and Communication Guide - Office of University Communications
  4. FAQ for Faculty: Online Class Recordings - ATUS
  5. Consent Form: Online Class Recordings - Canvas Commons - ATUS/Registrar

FERPA General Information

  • FERPA protects the privacy of education records for current and former students of the university. In general, FERPA allows disclosure of education records or personally identifiable information to third parties (individuals other than the student) in the following circumstances:
    • with the written consent of the student
    • if the disclosure meets a statutory exemption
    • if the disclosure is of institutionally defined directory information and the student has not opted out of the sharing of directory information
  • The following are not considered education records under FERPA: law enforcement records, employment records, medical (treatment) records, alumni records, sole possession notes, and student work prior to evaluation.
    • Exceptions do apply - for example, once a sole possession note is shared, it is considered an education record. As well, student employee records are considered education records if they go through the Financial Aid office.
  • FERPA allows universities to define "directory information" as educational record information that may be disclosed to third parties without requiring prior consent from the student. However, students can choose to make their records confidential, restricting release of all information, including directory information. This restriction does not apply to university officials engaged in legitimate educational purposes.
  • Western Washington University defines directory information as the following:
    • student's name
    • institutionally-provided email address
    • major field of study
    • date and term of graduation
    • mailing address
    • local telephone number
    • dates of attendance
    • degrees and awards received
    • participation in officially-recognized sports or activities
    • weight and height if a member of an athletic team
    • most recent previous educational institution attended
  • The following are never considered directory information:
    • a student's race,
    • country of citizenship,
    • religion,
    • gender,
    • social security number, or
    • grades/GPA
  • FERPA is technology neutral - everything is about the contents of the student records, not where they are physically or digitally found.
  • A school official should be given access to student records only if it is necessary or appropriate to the operation of the institution or the proper performance of the educational mission of the institution.
  • Student employees are considered school officials while working and can view other students' education records if they have a legitimate educational interest.
    • Student employees should be given FERPA training and required to sign a form stating that they understand it.
  • Under FERPA, educational institutions are required annually to notify students in attendance of their rights to inspect/review education records, to request amendment of education records, to consent to disclosures, and to file a complaint with the U.S. Department of Education.
  • FERPA does not allow students to see the records of other students (even if a record has information on more than one student), the financial records of a student's parents, or confidential letters and statements (if a student previously waived the right to review those documents).
  • The authoritative source for FERPA is the Family Policy Compliance Office in the U.S. Department of Education.

FERPA Best Practices for Professors

  • When writing a syllabus, it is advantageous to add a blanket statement like "In this class, our use of technology will sometimes make students' names and Internet IDs visible within the course website, but only to other students in the same class. Since we are using a secure, password-protected course website, this will not increase the risk of identity theft or spamming for anyone in the class. If you have concerns about the visibility of your Internet ID, please contact me for further information."
  • Due to inherent security risk, professors should never carry their grade books on a memory stick, or other unprotected, losable format.
    • When possible, passwords offer decent protection. They are especially useful when a grade book is held on a shared computer, or in a common area.
  • Use caution when saving anything on a laptop or shared computer.
    • Keep your anti-virus software updated (and use it), and keep your OS updated and patched.
    • Always keep hardware (especially laptops or memory sticks) in a physically secure place.
  • A FERPA confidential block/non-disclosure does not apply to information within the classroom (physical or digital), but rather only to releasing information to an entity outside the institution. Students with a confidential block are still required to do the work that the faculty member defines as the requirement of the course, including things like posting to a message board on Canvas.
  • Educators should be able to answer 'no' to three questions related to whether something is a potential FERPA violation:
    • Are we dealing with releasing student records or information out to the public?
    • Are we preventing a student from asking about their own record?
    • Are we violating another federal law?
  • If students are asked to use a specific program or application (such as on an iPhone), the terms and conditions may be against FERPA. While you are protected, a student may choose to opt out of using the application due to those terms, and you'll need to provide an alternate method by which the student can still learn or have access to the information.

Exceptions to FERPA

  • Note that any of the following situations should be referred to the Registrar’s Office for handling.
  • If it is determined that there is a significant threat to the health and/or safety of a student, an institution may disclose information from education records to anyone whose knowledge of that information is necessary to help with the protection of a student's health/safety.
    • If released, the institution must keep record of who was notified of the information, and why they were told.
  • If a student is a dependent for tax purposes, an institution may disclose education records to the parents or guardians without the consent of the student.
  • When a student passes away, they are no longer protected under FERPA and their parents can request information from their education record.
  • Once law enforcement has gotten a subpoena, an institution can share protected information from a student's education record.
  • If a student is concurrently enrolled in a high school and a university, while a parent does not have a right to inspect an education record at the postsecondary, they can request the information and inspect it through the high school.
  • If a student is under 21, an institution can notify the parents of any violation of a law (federal, state, or local) or any rule/policy of the institution related to the use or possession of alcohol or another controlled substance.
  • Any "law enforcement unit records," such as those from campus security, can be disclosed to parents or federal, state, or local law enforcement agencies without consent of the student. These records are not considered to be a part of FERPA.

FERPA and Social Media

  • Sharing is considered an important part of learning, and FERPA does not isolate learning from the general community, allowing things like a class Facebook page.
  • FERPA does not prevent an instructor from assigning their students to create public content as a part of the course requirements, such as creating a Google Site or posting a video onto YouTube or Vimeo.
  • Social media submissions are not FERPA protected because they are not considered received, and consequently not in the custody of the college. As well, they are typically not yet graded or reviewed by the faculty (and thus not under FERPA).

Tips for Using Social Media in Compliance with FERPA

  • Include a statement in your syllabus that material posted on the open web may be viewed by others both in and out of the class. For example:
    • During this course you might have the opportunity to use public online services and/or software applications sometimes called third-party software such as a blog or wiki. While some of these are required assignments, you need not make any personally identifying information available on a public site. Do not post or provide any private information about yourself or your classmates. Where appropriate you may use a pseudonym or nickname (ensuring the facilitators know how to identify you). Some written assignments posted publicly may require personal reflection/comments, but the assignments will not require you to disclose any personally identifiable/sensitive information. If you have any concerns about this, please contact your instructor.
  • Do not require that students post any personally identifiable information.
  • Allow students to post under an alias if they choose to do so.
  • Never post instructor comments or grades on a public site, or anywhere they may be publicly viewable.
  • Take special precautions with students under the age of 18. It is strongly encouraged to get parental consent when using social media in a class.
  • If students are uncomfortable with the social media aspect and it is not integral to an assignment, try to offer a possible alternative.
  • Although wikis are inherently open, they can be separated into different areas that can be designated either public or restricted to a specific group (such as a class).
  • Due to the public nature of wikis and other third-party tools used with a course, it is strongly recommended that students be informed of the inherent potential for their work to be seen, and be given a consent form to sign.

FERPA, Permissions and Signatures

  • There are two different types of signatures used to give consent:
    • Electronic signature - a written signature that is transmitted electronically, usually written on a digital pad (like in a department store), and
    • Digital signature - a "signature" electronically encrypted by a computer system consisting of a combination of letters, numbers and symbols.
  • FERPA allows higher learning institutions to disclose education records to third parties when given consent through a verified electronic signature, but not a digital one.
  • With electronic signatures, institutions have to follow three principles before disclosing the information:
    • The signature must be authenticated by comparing the name, date of birth, and social security number against a third-party database,
    • The transmission of the information (especially the social security number) must be 100% secure, and
    • The applicant must be fully aware of the rights related to electronic signatures, including the right to opt out.

FERPA and the Cloud

  • With cloud service providers, educational institutions may disclose personally identifiable information from an education record only on the condition that the entity to which the information is disclosed will not disclose that information to any other party without prior written consent of the student.
  • Schools must maintain "direct control" over the personal data, even if it is outsourced - if FERPA is broken, the institution is ultimately at fault.
  • In agreements, the cloud computing provider must be considered a "school official" to facilitate the sharing of FERPA-protected information.
    • Under FERPA, these third parties are seen as "a person or company with whom the university has contracted as its agent to provide a service instead of using university employees or officials."

Email, Texting, and IM & Personally Identifiable Information

  • When emailing students, it should always be from an institutional email to a student's institutional account.
  • Professors may communicate about FERPA-protected information (like grades) through a student's institutional account, but never a private one.
  • When mass-emailing a group of students, utilize the BCC feature and student institutional email accounts only (by emailing yourself, and blind copying all of the students) or create a distribution list in order to keep the email addresses unviewable to others and secure within the official university email account system.
  • Public instant messaging or social media platforms (such as Google, Facebook, or Skype) are not considered secure for any FERPA protected information.
  • In online classes, never post grades or evaluative comments in spaces outside of the course system (Canvas), nor in a place on the site where they may be visible to their peers.
  • With online classes, use the in-system communication system for added security. Many (including Canvas) will notify students through an email when a message is sent.
  • Teachers can give feedback and/or evaluative comments via a video-chatting program like Teams or Zoom as long as they can clearly identify the student.
  • Written student consent is required from all students enrolled in a course or present if capturing still or moving images and voice recordings of students in classroom settings or affiliated academic exercises if those images/recordings will be posted in any venue that may be, even once, publicly accessible. It is highly recommended that, before considering the capture of student images/voice recordings, teachers consult with their faculty leadership and/or Registrar.

FERPA and Posting Student Work

  • If you post work created by a student and credit them by name, you are required to obtain written student consent before it is published.
    • Students ultimately own whatever work they create.
    • This is regardless of the medium (at conferences, in journal articles, on school-sponsored websites, or in any printed materials).
  • If you post student work without their name or consent, it is considered a copyright violation.
  • Once a piece of work is graded, consent is required prior to any publishing or sharing.

Key Terms To Know

  • Confidential Block/Non-Disclosure - when a student formally restricts the release of all information, including directory information, except to school officials for legitimate educational interests.
  • Directory Information - educational record information defined by the institution that may be released to third parties without prior consent, unless a student has opted to restrict such release.
  • Education Program - any program principally engaged in the provision of education, including postsecondary education, job training, adult education, and career/technical training.
  • Education Record - virtually any record maintained by an institution that is directly related to a student or students, such as files, documents, or materials regardless of medium.
  • FERPA - Family Educational Rights and Privacy Act, a federal law in place to:
    • protect the privacy of education records of students,
    • allow students to view their own educational records, and
    • detail how students can get inaccurate records fixed.
  • Legitimate Educational Interest - any authorized interest or activity undertaken in the name of an institution in relation to education records.
  • Personally Identifiable Information (PII) - information that could be used to identify a student, including things like:
    • student names (or family member names),
    • date of birth
    • student identification number (W#)
    • personal characteristics, or
    • anything else that could make it possible to identify a student with relative certainty.
  • School Official - a person employed by the university in an administrative, supervisory, academic/research, or support staff position.
  • Sole Possession - notes made by one person as an individual observation or recollection, and kept in the possession of the maker (not considered an education record).
  • Wiki - a collaborative website where readers can also contribute content.

Communication

  1. Always use your university-supplied email for corresponding with students.
  2. While you may email students through their personal email addresses relating to general course questions, anything related to grades or personal information can only be sent to a student's institution-provided email.
  3. When sending mass emails to a class, there are two main ways to keep email addresses hidden from other students: the BCC feature (blind copy) or by creating a distribution list for a class.
  4. Instant messaging sites are not considered secure under FERPA for communicating with a student about their education record.
  5. Unlike IM'ing, video-chatting services, where the student can be visually identified, are considered secure for discussing things like graded assignments with students.
  6. With online or blended courses, use the communication built into the LMS (Canvas) whenever possible.
  7. You can place a statement like "Under FERPA, this email is intended only for _______" to notify the recipient and any unauthorized individuals about the privacy of the email.

Online-specific

  1. Make sure that any third-party programs (e.g., wiki, social media, etc.) you choose to use in a course are FERPA-compliant.
  2. While you can require a student to use a specific program or application, if a student chooses to opt out due to the Terms of Service, you'll need to provide an alternative method for that student to access the information.
  3. If your class has an online component, include a statement in your syllabus that material posted on the open web may be viewed by others both in and out of the class.
  4. Never require that students post any personally identifiable information on the internet - allow them to use an alias if they so choose.
  5. Never post instructor comments or grades on a public site, or anywhere they may be publicly viewable.
  6. If your course requirements include editing a wiki, it is recommended to explain the inherently open nature of wikis, and provide a consent form for students to sign.

General Tips

  1. When writing a syllabus, it is advantageous to add a blanket statement like "In this class, our use of technology will sometimes make students' names and Internet IDs visible within the course website, but only to other students in the same class. Since we are using a secure, password-protected course website, this will not increase the risk of identity theft or spamming for anyone in the class. If you have concerns about the visibility of your Internet ID, please contact me for further information."
  2. Grade books should be secured both physically and digitally - password-protect them whenever possible, and try to keep the device they're on (like a laptop or PC) in a safe place like a locked office.
  3. Memory sticks are risky to save grade books on - avoid doing so whenever possible.
  4. When in doubt about whether or not you should share a piece of information about a student, err on the side of caution and do not share it.
  5. When posting student work, even if the name and any identifying information are removed, you must receive written consent before sharing (due to copyright).
  6. FERPA does not prevent an instructor from requiring assignments that have public content, such as creating a Google Site or posting a video onto YouTube or Vimeo. Feel free to do so if it adds to the course.
  7. A non-disclosure/confidential block does not include information within the course. Students with a confidential block are still required to do the work that the faculty member defines as the requirement of the course, including things like posting to a message board on Canvas.

Source Information

This information has been compiled by the CIIA and adapted from the following sources:

Anderson, Geri J. (2014). FERPA Regulations for the Online Environment: A Toolkit for Faculty & Staff, Innovative Educators, accessed through webinar.

Campbell, E., Cieplak, B., & Rodriguez, B. (2012). Family Educational Rights and Privacy Act: FERPA for Colleges and Universities (PowerPoint Slides in PDF).

U.S. Department of Education. (2007). Disclosure of Information from Education Records to Parents of Postsecondary Students.

U.S. Department of Education. (2005). General: Frequently Asked Questions.