Office of Faculty and Staff Development

FERPA

Home

FERPA
- Overview

- Regulations

- Model Notification of Rights

- Solomon Amendment Compliance

- Records NOT Covered by FERPA

- Releasing Student Reports without Consent

- Parental Access to Student Records

- Subpoena Compliance

- FERPA & Anti-Terrorism Activities

- Use of SSN as Identifier

- E-FERPA

- Training Program Description

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT

E- FERPA

Are electronic records “education records”?

Yes, as long as they are “directly related to a student,” are “maintained by an educational agency or institution or by a party acting for the agency or institution,” and do not fall within any of the listed exceptions to that term; the medium in which information is recorded is irrelevant to the analysis. In 1996, the Department of Education amended the regulatory definition of the threshold term “record” to include “any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.” 34 C.F.R. § 99.3 (emphasis added). The Department stated that the amendment was intended “to reflect changing technology and changing modes of maintaining information.” 61 Fed. Reg. 10663, 10664 (Mar. 14, 1996).

Are student e-mail messages “education records”?

Maybe – it depends on the context in which the question is asked. Most student e-mail messages will be “personally identifiable” to (at least) the authoring student, and thus “directly related to” that student, by virtue of the student’s e-mail address and/or the content of the message. The answer thus seems to hinge on whether the message is “maintained” by the institution. A message that a student sends to a professor or staff member, and that is in the possession of that professor or staff member, seems without question to be so “maintained” and thus an “education record” in the absence of an applicable exception. See, e.g., President and Trustees of Bates College v. Congregation Beth Abraham, 2001 Me. Super. Lexis 22 (2001) (“The e-mail messages here were generated by students and directed to the[ir] faculty advisor . . . . The records directly related to the named students and sought the advice and assistance of a person acting for the college. Although the e-mail correspondence may be of a different character than most records, files and documents maintained by an educational institution, [FERPA] does not limit the definition of [education records]. As such that term ought to be liberally construed to be inclusive rather than exclusive to carry out the Act’s purpose and intent for the protection of the students.”) The same should hold true for a professor’s or staff member’s copy of a message sent to a student.

But what about a copy of that same message, or of a student-to-student message, that is resting in the student’s account on an institutional server?

In some sense, that copy is “maintained” jointly by both the student and the institution. Nevertheless, it seems clear that FERPA would not prevent the student from doing with it as he or she wishes – even if it also is “directly related to” another student – because the student is not “maintaining” the copy on behalf of the institution. Cf. Owasso Independent School District v. Falvo, 122 S. Ct. 934 (2002) (discussed below). But if a system administrator has access to the message, or an institutional official wishes to retrieve the message as part of an investigation, or the institution has received a public records request for the message, the restrictions of FERPA should apply.
The status of e-mail messages that a student may post to a class listserv or web page is less clear. When the institution’s role is only the passive, technical one of making the medium available for student use (similar to the institution’s role in permitting students to post messages to physical bulletin boards), the messages arguably are not “maintained” in the sense required for FERPA to be applicable. Cf. id. (Alternatively, the student might be deemed to have waived FERPA in those circumstances.) If, however, a professor actively manages the listserv or web page, and/or if students are required to post messages, the answer potentially could be different.

Are e-mail addresses “directory information”?

Yes, if the institution has included e-mail addresses in its designation of directory information. See 34 C.F.R. §§ 99.3, 99.31(a)(11), and 99.37. See also 65 Fed. Reg. 41852, 41855 (July 6, 2000) (“[A]s methods of communication and record management continue to evolve, it is useful to list additional categories of information that we believe are directory information, such as a student’s e-mail address . . . . We do not believe that the disclosure of student e mail addresses will generally be considered harmful or an invasion of privacy. We think that a student’s e mail address is analogous to a student’s mailing address, an item already included as directory information.”)

May a student’s consent to disclosure of education records be given electronically?

Yes, but. FERPA regulations require a “signed and dated written consent” for those disclosures that require consent. 34 C.F.R. § 99.30(a). Earlier this year, however, the Family Policy Compliance Office of the Department of Education amended the regulations to provide that such consent “may include a record and signature in electronic form” if it sufficiently identifies and authenticates the person giving the consent and indicates that person’s approval of the information contained in the consent. 34 C.F.R. § 99.30(d). FPCO did not specify any particular means, noting that it wanted to “permit schools to take advantage of changing technology as it may become available”, but did state that the FSA standards for electronic signatures in student loan transactions could be considered a “safe harbor”. 69 Fed. Reg. 21670 (Apr. 21, 2004) (attached).

May an institution deliver education records by e-mail or make them available through the web?

Yes, but. Nothing in FERPA or the implementing regulations specifies or limits the particular means by which an institution may transmit education records; it focuses on whether they may be disclosed, not how. The fact that electronic delivery is not perfectly secure also does not prevent its use. FERPA does not mandate perfection – if it did, paper delivery would not be an option, either. And in fact, with appropriate precautions such as PINs or passwords, encryption, and the like, electronic delivery can be much more secure than paper delivery.

Exactly what type and level of precautions are necessary is unclear – and probably a moving target. For an excellent resource on the technical aspects of the issue, see Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities, <http://www.educause.edu/ir/library/pdf/PUB3102.pdf>, a white paper developed jointly by CAUSE (the predecessor of EDUCAUSE) and AACRAO in 1996.
______________________

The above materials pertaining to “E-FERPA” were prepared by Steven J. McDonald, General Counsel, Rhode Island School of Design, Providence, Rhode Island.

Home - Calendar of Events - Collegial Conversations - Committee Members - iTEACH - Learning Communities - NCBI - NISOD Awards - Professional Development Funds - Publications/Subscriptions/Memberships -
Special Events - Mission Statements - NECC Home Page