What is FERPA?
FERPA stands for the Family Educational Rights and Privacy Act. This is a federal law enacted in 1974 to protect the privacy of student education records as well as to provide access to records for the eligible student.All educational agencies or institutions that receive funds under any program administered by the Secretary of Education must abide by FERPA and the regulations that go with it, or risk losing federal funding.
What FERPA Does
FERPA addresses the following:Types of information protected as part of an educational recordWhen that information may or may not be disclosed by an institutionStudent rights regarding their personal education recordsParental rights regarding the education records of their child
FERPA only applies to Education RecordsWhat is an Education Record?It is a record that is:Directly related to the student’s education, and;Maintained by an institution or agency acting on an institution’s behalf
Education records may be in any format, including computer records, printed or hand-written records, audio, photographs, film, and email.What isNOTan Educational Record?Personal Observations (more information on this later)Sole Possession Records (records maintained only by an individual staff member as a personal memory aid and that are not revealed to other individuals except as substitutes to the record keeper)Alumni RecordsEmployment RecordsPolice Reports (maintained by KUMC Office of Public Safety)Medical treatment records (kept by physicians & psychologists)
Personal observations about a student are generally not a part of an educational record. For example:Faculty member overhears a student discussing plans to harm himself or othersStaff member witnesses a student harassing another student
Personal ObservationsAREstudent records if the observation is something you have determined. For example:Student gradesDetermination of student misconductIF YOU DECIDE IT, DON’T DISCLOSE IT.
NameMonth & Day of Birth (not year)Current and permanent student addressCurrent and permanent student phone numberIndividual student email addressLevel and schoolMajor field of studyEnrollment status
Participation in officially recognized activities and sportsHeight and weight of members of athletic teamsDates of attendanceDegree(s) receivedHonors and awards receivedMost recent previous educational institution attendedName, positions, length of service and/or courses taught for student employees
Directory information may be disclosed without written consent from the student, unless the student has opted out of disclosure. Directory information is personally identifiable information contained in a student record that would generally not be considered harmful or an invasion of privacy if disclosed. The University of Kansas Medical Center defines directory information as:
Additionally, for official news releases, business, and/or advancement purposes, student photographs, and parent/guardian name, address, telephone, and individual email addresses are considered directory information.
Non-directory information generally may not be disclosed without prior written permission from the student. Non-directory information is defined as any information contained in a student record that is not directory information. This includes, but is not limited to:Social Security numbersStudent identification numbers (KU ID#)Transcripts or grade reportsStudent grades (including graded assignments or exams that have been recorded)Student birth yearDisciplinary records
Student grades on assignments and exams
Posting student grades by the student’s name, student ID, or social security number without the student’s written permission is a violation of FERPA. Even without names, these student identifiers are considered personally identifiable information protected by FERPA.FERPA Violations Include:Posting grades by social security number or student ID numberReturning papers/exams by stacking them on a table at the front of the class and allowing students to dig through and find their ownLeaving a student assignment on your door for a student to pick up
Accessing a record
School officials with a legitimate educational interest may generally access student information without written consent. Access to student information for personal use is inappropriate, illegal, and subject to disciplinary action. Curiosity is not an appropriate reason to access a student record, nor is accessing a record for someone who does not have appropriate access rights and/or job duties.University personnel have legitimate educational interest when the need to view a student record is necessary to carry out their professional responsibilities in support of the educational, scholarly, or administrative functions of the University of Kansas Medical Center.*It is permissible for student clerkship schedules to be placed on the School of Medicine’s SharePoint site to facilitate accurate scheduling for clerkships and full participation of students.(per University Registrar, 9.2017)
Disclosing information in an education record
Disclosure of information is handled under theStudent Records Policyas administered by the Campus Registrar and General Counsel. Just remember,WHEN IN DOUBT, DON'T GIVE IT OUT!You cannot go wrong if you do not provide access to information. At any time you may refer the requestor to the Campus Registrar or General Counsel.
Students may consent to the disclosure of their education records. However, that consent must always be in writing, dated, signed by the student, and it should make clear:What records may be disclosedThe purpose of the disclosureTo whom the records may be disclosedIf you have any questions regarding consent procedures, contact the Campus Registrar or General Counsel.
Handling information within the university
Extreme caution should be taken when handling digital and paper education records. Care should be taken whenever storing/retaining information, transmitting it physically or electronically, or disposing of data.EmailIdentifiable information concerning a student may be sent via email as long as:The email communication is exclusively between KU/KUMC email accounts hosted on the KU/KUMC systemThe recipient has a legitimate educational interest to receive the identifiable information; content of the email does not contain identifiable information subject to specific restrictions under law and/or policy (e.g. SSN, grades, HIPAA, GLBA, disciplinary records); andThere is no reason to suspect a security concern. If there is a concern, please contact the Campus Registrar, General Counsel or the Information Security OfficeEmail sent to non-KUMC addresses is not encrypted and is not secure. Before sending email off campus, review the “Email Use Policy”
Handling information within the university
While email is generally considered secure, you must be cautious about sending any email – make sure you are sending it to the proper recipient. Some best practices include:Confirm the email address: Is it the right address? Does that person have a legitimate educational interest? Do you have signed, written consent from the student?Do Not use “Reply All”Use EncryptionUse Password Protection – on your smartphone tooRemove unnecessary information from the email
Handling information within the university
StorageKeep data within the KU/KUMC system – behind the firewallsLimit Access – both physical access and with electronic permissionsUse encryption on laptopsUse passwords on everythingDo not use unsecure devices for storage or transport (e.g. jump drives)Dispose of records properly (e.g. shred them)
Who at KUMC has rights under FERPA?Students have rights under FERPA, even if the student is under 18.Full rights under FERPA begin on the first day of the first active term* of enrollment of the student. Prior to initial enrollment, the University begins treating applicants and admitted students as if FERPA applies to assist in the transition.Parents do not have rights under FERPA and non-directory information should not be shared with parents, unless: (1) the student has consented to release information to the parent, (2) the parent can prove dependency, as evidenced by documentation that the student is a dependent on federal tax forms, or (3) in the case of a new student, the student has not yet been enrolled for an active term* at the University of Kansas Medical Center.Former students/alumni retain FERPA rights, but only with respect to records created while the individual was a student, not post-graduation records.* Definition of "Active Term" - Any term (Fall, Spring, Summer) that is presently in progress
Student and Parent Rights Under FERPAA student has the right to know what information is in their education record, to seek amendment to their record, and file complaints if an institution has disclosed a record in violation of FERPAParents/Guardians of students who have attended or were enrolled for an active term at KUMC may access a student’s education record only with the student’s written consentStudents or parents who wish to inquire about their FERPA rights should contact the Campus Registrar for more information
Delegate Access is the system that KU/KUMC uses to authorize third party access to an individual student record. Students can choose to designate a delegate to view information on their account in Enroll & Pay. This access can be granted or revoked at any time.Delegate Access can be granted for the following areas:Schedule only:view enrollment and course schedules for the current termGrades & Course History:view past semester course enrollment and officially posted grades for those coursesStudent Financials:includes access to the account balance, summary of current charges/payments, review of past activity, view/print current and prior bills, make paymentsStudent Financials 1098-T:grants access to current and prior year 1098-Ts. Students must grant consent to receive the 1098-T online before delegates are able to access this information in their delegate accountFinancial Aid:includes financial aid awards summary, satisfactory academic progress, scheduled disbursement dates, expected family contribution, cost of attendance, shopping sheet, and to-do lists
Health and safety exception
FERPA does not prevent the University or its faculty and staff from appropriately disclosing issues concerning the health and safety of students if there is an articulable and significant threat to the health and safety of a student or other individuals. Unless thereis a criticalemergency, you should consult with the Campus Registrar or the General Counsel’s Office before you disclose any non-directory student record information under this exception.Note: Personal observations of a student’s statements or behaviors indicating self-harm or harm-to-others or reports of discrimination or harassment are not student records. You need no FERPA exception or permission to disclose these observations to appropriate University and public safety officials.
Getting help withferpa
The security and privacy of student records is extremely important to the University of Kansas Medical Center. Make sure you are familiar with your responsibilities under FERPA as you access, view, handle, and disclose education records within your position.Contact the following offices for more information and additional training:Campus RegistrarGeneral Counsel