Campus card professionals, like most modern administrators, are in the data business. They collect data, process data, determine eligibility for services based on data parameters, disseminate data, and warehouse data. On first glance, most people would not consider the data used by card programs to be education records, but under the law, much of it is just that. And when it comes to governing an educational institution’s handling of educational records, one name comes to mind–Buckley.

The Buckley Amendment is the common name for the Family Educational Rights and Privacy Act (FERPA). Enacted by the U.S. Congress in 1974, the act has undergone multiple revisions in its nearly thirty-year lifespan. Its thrust—granting certain rights to an individual with respect to his or her educational records—has remained unchanged. In summary, these rights fall into 3 categories:

1. the individual’s right to inspect and review his or her own
   education records,
2. the right to request that his or her own records be amended, and
3. the right to have some control over the disclosure of personally identifiable data from such records.

FERPA defines education records as, “those records, files, documents, and other materials which contain information directly related to a student; and are maintained by an educational agency or institution or by a person acting for such agency or institution.” Following this definition, the ID numbers, financial transaction information, access control system data, event participation records, and other such elements collected via campus card programs and related systems are covered under FERPA.

Any institution receiving funds from programs administered by the U.S. Secretary of Education is subject to FERPA guidelines. This includes nearly every K-12 and higher education institution–public and private.

In a nutshell …

FERPA states that personally identifiable information under the control of an educational institution can only be provided to that student or, in certain cases, the parents or legal guardians without prior consent. Once a student reaches the age of 18 or enters a post-secondary institution, a school is prohibited from disclosing to the parent without the student’s consent. However, if the parent can demonstrate that the student is a financial dependent (via Internal Revenue Service records) the institution may opt to disclose the information. FERPA does not mandate that they do so, but it leaves policy decision to the individual institution. With few exceptions–such as certain law enforcement bodies and other educational institutions to which a student has applied–an institution may not disclose personal information on a student.

Directory information

There are elements of data that areexcluded from these restrictions. Information that has been deemed to be not harmful if disclosed is termed directory information. This information can be shared with any party–student, parent, or other–without prior consent.

FERPA has traditionally defined directory information as that “contained in an education record of a student which would not generally be considered harmful or an invasion of privacy if disclosed. It includes, but is not limited to the student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weights and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended.” In 2000, this definition was expanded to include email addresses, enrollment status (e.g. undergraduate, graduate), and photographs.

It is important to recognize that the section does not limit directory information to only that mentioned above. An institution is free to modify that which is considered directory information, so long as it follows the intents and limitations set forth in the act.

Insight into the Department of Education’s thought process regarding directory information can be gleaned from statements made regarding the decision to include photographs in the revised language. In the Federal Register on July 6, 2000, they stated “a student’s photograph is a type of identifying information, like a name and address, that would generally not be harmful or an invasion of privacy if disclosed. Unlike social security numbers (SSNs), we do not believe that disclosure of photographs will allow access to other types of sensitive information such as disciplinary files or grades.”

The institution must give annual public notice of that data elements that it has designated as directory information. The students must be given the opportunity to decline his or her data from directory information. The method of annual notification is left to the decision of the institution, though most use directories, catalogs, or student newspapers.

What does FERPA have to say about the use of social security numbers?

A social security number is obviously a personally identifiable data element, thus it is not directory information and may not be disclosed without consent. The question then becomes the interpretation of the term disclosed. Is using the number as an identifier in internal systems? Probably not. Is printing the number on the face of an ID card disclosing the number? This gets tricky as one could argue that the student shows that card for various services and thus is himself ‘forced’ to disclose the number.

Public Affairs Officer, Jim Bradshaw, in the Family Policy Compliance Office within the Department of Education said, “the Family Policy Compliance Office feels that the use of the SSN as the ID number would not violate FERPA because the student has the option of whether or not to use the card for nonessential university business.” In essence, they could opt to not disclose theinformation.

FERPA is clear on one use of the SSN. In several rulings, it has been made clear that the use of all or part of the SSN by professors as a means to post grades is a clear violation.

In the following section, a series of possible scenarios are presented to help put the issues relating to FERPA into real-world situations faced by card offices.

Via the ID production and other systems, the card office has access to all kinds of student information from class schedules to addresses. If a parent call or stops by requesting some information on their child, can card office staff help the requestor?

There are two issues addressed in this scenario, one of purely institutional policy and one of FERPA policy. From an institutional standpoint, determination must be made as to who will be the provider of student data in a legitimate request. It seems unlikely that an institution, unless clearly granting permission to do so, would approve of an office other than the registrar or its equivalent serving this function. In other words, regardless of FERPA implications it would be unwise to overlap in this service area without the permission of appropriate university policymakers.

From the FERPA perspective, a student who has attained the age of 18 has the sole right to his or her personal records. Parents have no legislatively mandated right to an adult child’s records. Exceptions exist only when the student has provided written authorization, a subpoena has been issued, or the parent has proven that the student is a financial dependent (via most recent year’s IRS returns). And even with the proof of financial dependency, the university has no obligation to provide the records—it is left to individual institutional policy. However, if the data requested is classified as directory information by FERPA and the institution, it may be distributed freely to any requesting party—parent or otherwise.

A potential vendor partner for the card program wants to conduct a market research effort before signing contracts. They have asked for the names and addresses of every student. Can the institution share it with them?

FERPA does not restrict the distribution of the entire database of directory information to a requestor. Such a decision would be left to the discretion of the institution. It is important to note that often the provision of the entire directory may be preferable under FERPA. It is not acceptable to distribute directory information based on a criterion that is not directory information. For example, a request for the names and addresses of all Native American students could not be provided because the individual’s status as Native American is not considered directory information. Nor could a list based on gender be provided as gender is also not considered directory information.

An outside vendor helping in theimplementation of the card program needs a copy of the student database to prepare for the installation. Legally, to whom can this data be provided?

If the information you are providing is directory information, then FERPA does not restrict parties to whom the data can be provided. If the database contains other non-directory information (which it likely would as the ID number would be needed for most applications), it is okay to do so—so long as a contract is in place and the outside party has been informed of proper use of the data. FERPA would not restrict this process.

Despite FERPA’s allowance of this practice, it is still not wise to provide an outside contractor with any data elements that are not expressly required for their task at hand. In the late 1990s, the University of Arizona came under considerable negative attention when the student database containing SSNs was provided to the campus card program’s telecommunications partner, MCI. In this case, while perfectly legal under FERPA it was still viewed by many as a violation of student privacy and, at very least, poor judgement.

What changes are pending to FERPA?

Currently there are no pending changes to FERPA that would impact card programs in any significant manner. There is a proposed amendment that would provide for the acceptance of electronic signatures to fulfill the requirements for “written and signed consent” in cases where non-directory information is to be disclosed. This, however, is merely an effort to bring the legislation up-to-date with electronic signature acceptance as set forth in the E-Sign Act and the Paperwork Reduction Act.

So what should card office staff know about FERPA?

The most important thing to know is that there are others on campus who know a lot more about it. Rely on your campus compliance officials, registrar, and legal departments to interpret the regulation and determine specific policies in those areas that are left to institutional decision. From the card office perspective–though this may be contrary to principles of good customer service–when it comes to information disclosure the customer is not always right. Ensure that your staff understands that no information on any student or student account should be disclosed over the phone or in person without the office manager’s approval. And ensure that your manager understands the basics of FERPA.

Err on the side of caution by protecting the information until you are certain it can legally be shared. It can always be provided at a later point but it can never be retrieved once released.