ECURE
8:30-10:00, October 11, 2002
Richard Rainsberger
Consultant, Education Records Law and Privacy
1
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT OF 1974
“A FEDERAL LAW DESIGNED TO PROTECT THE PRIVACY OF EDUCATION RECORDS,
TO ESTABLISH THE RIGHT OF STUDENTS TO INSPECT AND REVIEW THEIR EDUCATION RECORDS,
AND TO PROVIDE GUIDELINES FOR THE CORRECTION OF INACCURATE AND MISLEADING DATA THROUGH INFORMAL AND
FORMAL HEARINGS.”
2
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT OF 1974
THIS ACT IS ENFORCED BY THE FAMILY POLICY COMPLIANCE
OFFICE, U.S. DEPARTMENT OF EDUCATION, WASHINGTON,
D.C.
3
The Authoritative Source
Family Policy Compliance Office
Leroy Rooker, Director U.S. Deptartment of Education
400 Maryland Ave., SW
Washington, D.C. 20202-4605
COLLEGE STUDENTS MUST BE PERMITTED TO INSPECT THEIR OWN EDUCATION RECORDS.
SCHOOL OFFICIALS MAY NOT DISCLOSE PERSONALLY
IDENTIFIABLE INFORMATION ABOUT STUDENTS NOR PERMIT INSPECTION OF THEIR RECORDS WITHOUT
WRITTEN PERMISSION UNLESS SUCH ACTION IS COVERED BY CERTAIN EXCEPTIONS PERMITTED BY THE ACT.
5
An Additional Corollary for the High Tech Age
Whether we are dealing with high-tech or low-tech education, we only have one education records law:
6
An Additional Corollary for the High Tech Age
And...
we do not change our policies simply because our educational delivery methods have changed.
7
KEY CONCEPTS
Required annual notification
Written permission of student required to disclose
The exceptions to written permission
Student’s right to access their records
The “musts” and “mays” in
FERPA
Parents/parental disclosure
Legitimate Educational Interest
8
KEY TERMS
Education Record
Directory Information
School Official
Personally Identifiable
Eligible Student
9
WHAT IS AN EDUCATION RECORD?
ANY RECORD, WITH CERTAIN EXCEPTIONS, MAINTAINED BY AN INSTITUTION THAT IS DIRECTLY RELATED TO A STUDENT
OR STUDENTS. THIS RECORD CAN CONTAIN A STUDENT’S NAME, OR STUDENTS’ NAMES OR INFORMATION FROM
WHICH AN INDIVIDUAL STUDENT, OR STUDENTS, CAN BE PERSONALLY (INDIVIDUALLY)
IDENTIFIED
THESE RECORDS INCLUDE: FILES, DOCUMENTS, AND MATERIALS IN WHATEVER MEDIUM (HANDWRITING, PRINT, TAPES,
DISKS, FILM, MICROFILM, MICROFICHE) WHICH CONTAIN INFORMATION DIRECTLY RELATED TO STUDENTS AND FROM WHICH
STUDENTS CAN BE PERSONALLY (INDIVIDUALLY) IDENTIFIED.
10
“PERSONALLY IDENTIFIABLE”
“PERSONALLY IDENTIFIABLE” MEANS DATA OR INFORMATION WHICH INCLUDES:
THE NAME OF THE STUDENT, THE STUDENTS PARENTS, OR OTHER FAMILY MEMBERS
THE STUDENTS CAMPUS OR HOME ADDRESS;
A PERSONAL IDENTIFIER (SUCH AS A SOCIAL SECURITY NUMBER OR STUDENT NUMBER)
ALIST OF PERSONAL CHARACTERISTICS OR OTHER INFORMATION WHICH WOULD MAKE THE STUDENTS IDENTITY EASILY
TRACEABLE
11
Grades Posted on Bulletin Board outside of Instructor’s Office
12
13
WHAT AN EDUCATION RECORD IS NOT!!
“SOLE POSSESSION” NOTES
LAW ENFORCEMENT UNIT RECORDS
RECORDS MAINTAINED EXCLUSIVELY FOR INDIVIDUALS IN THEIR CAPACITY AS EMPLOEES
RECORDS OF INDIVIDUALS WHO ARE EMPLOYED AS A RESULT OF THEIR STATUS AS STUDENTS (WORK
STUDY) ARE EDUCATION RECORDS.
DOCTOR-PATIENT PRIVILEGE RECORDS
ALUMNI RECORDS
14
WHAT IS AN EDUCATION RECORD? (SUMMARY)
IF YOU HAVE A RECORD THAT IS:
MAINTAINED BY YOUR INSTITUTION
PERSONALLY IDENTIFIABLE TO A STUDENT (DIRECTLY RELATED TO A STUENT AND FROM WHICH A STUDENT
CAN BE IDENTIFIED)
NOT ONE OF THE EXCLUDED CATEGORIES OF RECORDS...
IT IS SUBJECT TO FERPA
15
REQUIREMENTS FOR COMPLIANCE
DIECTORY INFORMATION
INFORMATION NOT NORMALLY CONSIDERED A VIOLATION OF A PERSON’S PRIVACY
STUDENTS MUST BE NOTIFIED OF THE ITEMS OF DIRECTORY INFORMATION.
STUDENTS MUST BE GIVEN THE OPPORTUNITY TO REQUEST THAT DIRECTORY INFORMATION NOT BE RELEASED.
THIS RIGHT OF NON-DISCLOSURE APPLIES TO DIRECTORY INFORMATION ONLY.
16
WHAT CAN DIRECTORY INFORMATION INCLUDE?
DIRECTORY INFORMATION MAY
INCLUDE THE FOLLOWING STUDENT INFORMATION:
STUDENT’S NAME
ADDRESS
TELEPHONE NUMBER
DATE/PLACE OF BIRTH
MAJOR
FIELDS OF STUDY
PARTICIPATION IN OFFICIALLY RECOGNIZED ACTIVITIES AND SPORTS
HEIGHT/WEIGHT OF ATHLETIC TEAM MEMBERS
DATES OF ATTENDANCE
DEGREES AND AWARDS RECEIVED
MOST RECENT EDUCATIONAL INSTITUTION ATTENDED
OTHER SIMILAR INFORMATION AS DEFINED BY THE INSTITUTION THAT WOULD NOT NORMALLY BE
CONSIDERED AN INVASION OF A STUDENT’S PRIVACY
17
WHAT CAN DIRECTORY INFORMATION INCLUDE?
DIRECTORY INFORMATION MAY
INCLUDE THE FOLLOWING RECENT ADDITIONS TO STUDENT INFORMATION:
CLASS SCHEDULE
E-MAIL ADDRESS
CLASS ROSTERS
PHOTOGRAPHS
CLASS SCHEDULE AND CLASS ROSTERS ARE
CURRENTLY (2001) UNDER REVIEW AS TO WHETHER THEY WILL REMAIN DIRECTORY INFORMATION
18
WHAT CAN DIRECTORY INFORMATION INCLUDE?
DIRECTORY INFORMATION MAY
INCLUDE THE FOLLOWING STUDENT INFORMATION:
RACE
GENDER
SOCIAL SECURITY NUMBER
GRADES
GPA
COUNTRY OF CITIZENSHIP
RELIGION
19
DIRECTORY INFORMATION COLLEGE XXX STYLE
XXX COLLEGE HAS DESIGNATED DIRECTORY INFORMATION ACCORDING TO THE FAMILY
EDUCATIONAL RIGHTS AND PRIVACY ACT OF 1974 TO BE THE STUDENTS:
NAME
LOCAL AND PERMANENT ADDRESS/TELEPHONE NUMBER
MAJOR FIELD OF STUDY
PARTICIPATION IN OFFICIALLY RECOGNIZED ACTIVITIES/SPORTS
WEIGHT AND HEIGHT OF MEMBERS OF ATHLETIC TEAMS
DATES OF ATTENDANCE
DEGREES AND AWARDS RECEIVED AND DATES
MOST RECENT PREVIOUS EDUCATIONAL INSTITUTION ATTENDED
ACADEMIC LEVEL
ENROLLMENT STATUS (FT/PT)
20
DIRECTORY INFORMATION
It is important to remember that “directory information” must be defined as such by each
institution.
If a data element isn’t defined as “directory information” it isn’t
directory information and can only be released if the student’s written
permission is obtained or the release can be justified under one of the exceptions to students’
written permission found in FERPA.
21
“School Officials”
A “SCHOOL OFFICIAL” CAN BE A PERSON:
EMPLOYED BY THE COLLEGE IN AN ADMINISTRATIVE, SUPERVISORY, ACADEMIC, RESEARCH, OR SUPPORT STAFF POSITION
(INCLUDING LAW ENFORCEMENT AND HEALTH STAFF PERSONNEL),
ELECTED TO THE BOARD OF TRUSTEES,
OR COMPANY EMPLOYED BY OR UNDER CONTRACT TO THE COLLEGE TO PERFORM A SPECIAL TASK SUCH AS THE ATTORNEY,
AUDITOR, OR COLLECTION AGENCY,
OR STUDENT SERVING ON AN OFFICIAL COMMITTEE, SUCH AS A DISCIPLINARY OR GRIEVANCE COMMITTEE, OR ASSISTING
ANOTHER SCHOOL OFFICIAL IN PERFORMING HIS OR HER TASKS.
22
“LEGITIMATE EDUCATIONAL INTEREST”
THE DEMONSTRATED NEED TO KNOW BY THOSE OFFICIALS OF AN INSTITUTION WHO ACT IN THE STUDENT’S
EDUCATIONAL INTEREST, INCLUDING FACULTY, ADMINISTRATION, CLERICAL AND PROFESSIONAL EMPLOYEES,
AND OTHER PERSONS WHO MANAGE STUDENT RECORD INFORMATION.
ALTHOUGH FERPA DOES NOT DEFINE “LEGITIMATE EDUCATIONAL INTEREST,” IT STATES THAT
INSTITUTIONS MUST SPECIFY THE CRITERIA FOR DETERMINING IT.
23
REQUIREMENTS FOR COMPLIANCE
WHAT WE MUST DO...
PROVIDE ANNUAL NOTIFICATION TO STUDENTS OF THEIR
FERPA RIGHTS.
PROVIDE STUDENTS’ ACCESS TO THEIR EDUCATION RECORDS
24
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
1. INSTITUTIONS SHALL OBTAIN WRITTEN CONSENT FROM STUDENTS BEFORE DISCLOSING ANY PERSONALLY
IDENTIFIABLE INFORMATION FROM THEIR EDUCATION RECORDS (WITH THE EXCEPTIONS
AS NOTED IN SECTIONS 2 AND 3 BELOW). THE WRITTEN CONSENT MUST:
a. SPECIFY THE RECORDS TO BE RELEASED
b. STATE THE PURPOSE OF THE DISCLOSURE
c. IDENTIFY THE PARTY OR PARTIES TO WHOM DISCLOSURE MAY BE MADE
d. BE SIGNED AND DATED BY THE STUDENT.
25
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
2. INSTITUTIONS MUST DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
a. STUDENTS WHO REQUEST THE INFORMATION FROM THEIR OWN RECORDS
26
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
a. AUTHORIZED REPRESENTATIVES OF THE FOLLOWING FOR AUDIT. EVALUATION, OR ENFORCEMENT OF FEDERAL AND STATE
SUPPORTED PROGRAMS:
COMPTROLLER GENERAL OF THE UNITED STATES
THE SECRETARY OF THE UNITED STATES DEPARTMENT OF EDUCATION
U.S. ATTORNEY GENERAL (LAW ENFORCEMENT ONLY)
STATE EDUCATIONAL AUTHORITIES
27
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
b. PERSONNEL WITHIN THE INSTITUTION DETERMINED BY THE INSTITUTION TO HAVE A LEGITIMATE EDUCATIONAL INTEREST
c. OFFICIALS OF OTHER INSTITUTIONS IN WHICH THE STUDENT SEEKS TO ENROLL, ON CONDITION THAT THE ISSUING
INSTITUTION MAKES A REASONALBE ATTEMPT TO INFORM THE STUDENT OF THE DISCLOSURE
28
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
d. PERSONS OR ORGANIZATIONS PROVIDING TO THE STUDENT FINANCIAL AID, OR DETERMINING FINANCIAL AID DECISIONS
e. ORGANIZATIONS CONDUCTING STUDIES TO DEVELOP, VALIDATE, AND ADMINISTER PREDICTIVE TESTS, TO ADMINISTER
STUDENT AID PROGRAMS, OR TO IMPROVE INSTRUCTION
29
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
f. ACCREDITING ORGANIZATIONS CARRYING OUT THEIR ACCREDITING FUNCTIONS
g. PARENTS OF A STUDENT WHO HAVE ESTABLISHED THAT STUDENTS STATUS AS A DEPENDENT--IRS CODE OF 1986, SECTION 152
30
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
h. PERSONS IN COMPLIANCE WITH A JUDICIAL ORDER OR A LAWFULLY ISSUED SUBPOENA, PROVIDED THAT THE INSTITUTION
FIRST MAKE A REASONABLE ATTEMPT TO NOTIFY THE STUDENT. EXCEPTION: IF THE SUBPOENA
IS ISSUED FROM A FEDERAL GRAND JURY, ORDERS THE INSTITUTION NOT TO NOTIFY THE STUDENT.
31
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
i. A COURT IF THE STUDENT HAS INITIATED LEGAL ACTION AGAINST THE INSTITUTION OR THE INSTITUTION HAS INITIATED
LEGAL ACTION AGAINST THE STUDENT
32
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
j. PERSONS IN AN EMERGENCY, IF THE KNOWLEDGE OF INFORMATION, INFACT, IS NECESSARY TO PROTECT THE
HEALTH OR SAFETY OF THE STUDENT OR OTHER PERSONS
33
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
k. AN ALLEGED VICTIM OF ANY CRIME OF VIOLENCE OF THE RESULTS OF ANY INSTITUTIONAL DISCIPLINARY PROCEEDING
AGAINST THE ALLEGED PERPETRATOR OF THAT CRIME WITH RESPECT TO THAT CRIME
34
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
m. VETERANS ADMINISTRATION OFFICIALS IN RESPONSE TO REQUESTS RELATED TO VA PROGRAMS
n. REPRESENTATIVES OF THE IMMIGRATION AND NATURALIZATION SERVICE FOR PURPOSES OF THE COORDINATED INTERAGENCY
PARTNERSHIP REGULATING INTERNATIONAL (CIPRIS)
35
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
o. PARENTS OF A STUDENT UNDER THE AGE OF 21 REGARDING A VIOLATION OF ANY LAW, AT ANY LEVEL, OR INSTITUTIONAL
POLICY OR RULE GOVERNING THE USE OF ALCOHOL OR A CONTROLLED SUBSTANCE
DOES NOT SUPERSEDE ANY STATE LAW THAT PROHIBITS DISCLOSURE OF THIS INFORMATION.
36
PROCEDURES AND STRATEGIES FOR COMPLIANCE
A. DISCLOSURE OF EDUCATION RECORD INFORMATION
3. INSTITUTIONS MAY DISCLOSE EDUCATION RECORDS WITHOUT WRITTEN CONSENT
OF STUDENTS TO THE FOLLOWING:
p. THE PUBLIC REGARDING THE FINAL RESULTS OF AN INSTITUTIONAL DISCIPLINARY PROCEEDING AS LONG AS THE
STUDENT HAS BEEN DETERMINED TO BE THE ALLEGED PERPETRATOR OF A CRIME OF VIOLENCE OR NON-FORCIBLE SEX OFFENSE
37
What do the “finalresults” include?
Must include only: the name of the student, violation committed, and any sanction imposed by the
institution against the student.
The institution may not disclose the name of any other student, including a victim or witness, without
prior written consent of the other student.
38
What about Parents?
When a student reaches the age of 18 or begins attending a postsecondary institution regardless of age,
FERPA rights transfer to the student.
Parents may obtain directory information only at the discretion of the institution.
Parents may obtain non-directory information (grades, gpa,
etc.) only at the discretion of the institution AND after it has been determined that their child is
legally their dependent.
Parents may also obtain non-directory information by obtaining a signed consent from their child.
39
PROCEDURES AND STRATEGIES FOR COMPLIANCE
B. RECORDS OF REQUESTS AND DISCLOSURES
ALL INSTITUTIONS ARE REQUIRED TO MAINTAIN RECORDS OF REQUESTS AND DISCLOSURES OF PERSONALLY
IDENTIFIABLE INFORMATION
a. THESE RECORDS WILL INCLUDE THE NAMES AND ADDRESSES OF THE REQUESTOR AND HIS/HER INDICATED INTEREST IN THE
RECORDS.
40
PROCEDURES AND STRATEGIES FOR COMPLIANCE
2. RECORDS OF REQUESTS AND DISCLOSURES DO NOT HAVE TO BE
KEPT FOR:
REQUESTS FROM STUDENTS FOR THEIR OWN USE
DISCLOSURES IN RESPONSE TO WRITTEN REQUESTS FROM STUDENTS
REQUESTS MADE BY SCHOOL OFFICIALS
THOSE SPECIFIED AS DIRECTORY INFORMATION
WHAT’S LEFT?
41
PROCEDURES AND STRATEGIES FOR COMPLIANCE
B. RECORDS OF REQUESTS AND DISCLOSURES
3. THESE RECORDS OF REQUESTS AND DISCLOSURES ARE PART OF THE STUDENT’S EDUCATION
RECORDS AND MUST BE RETAINED AS LONG AS THE EDUCATION RECORDS TO WHICH THEY REFER ARE MAINTAINED BY THE
INSTITUTION.
We do not change our policies simply because our educational delivery methods have
changed.
49
Current Issues and FERPA
E-signatures/digital signatures
Electronic signature--“An electronic sound, symbol, or
process, attached to or logically associated with a contract or other record and executed or adopted by a person
with the intent to sign the record.” $106 E-sign Act, 2000.
In lieu of written permission, a PIN can only be used by a student within a secure
web-based system to authorize release of non-directory information to him/herself.
52
Current Issues and FERPA
E-mail transcript requests
Written permission is required. Therefore, faxed signatures are OK. A “typed”
name is not.
53
Current Issues and FERPA
01001100001100110011110001010010010101011011001
Tracking/logging
When do those bits and bytes become personally identifiable to a student and become
subject to FERPA?
54
Current Issues and FERPA
Tracking/logging
Rezmierski, Virginia and Nathaniel St. Clair, “Identifying Where Technology
Logging and Monitoring for Increased Security End and Violations of Personal Privacy and Student Records Begin:
A Report to the Digital Government Program of the National Science Foundation,” 2001.
55
Current Issues and FERPA
Annual notification via the web
Only if all students are required to have PCs and they have unrestricted access to the
institution’s web page.
$ 99.31 Under what conditions is prior consent (of a student) not required to disclose information?
63
$ 99.31 Under what conditions is prior consent (of a student) not required to disclose
information?
(a)An ... institution may disclose personally identifiable information from an education record of a
student...if the disclosure meets one or more of the following conditions:
(1)The disclosure is to other school officials whome the ...institution has determined to have
legitimate educational interests.
64
$ 99.33 What limitations apply to the redisclosure of information?
(a)(1) An ... institution may disclose personally identifiable information from an education record
only on the condition that the party to whom the information is disclosed will not disclose the
information to any other party without the prior consent of the student....
(e) If this Office (FPCO) determines that a third party improperly rediscloses personally identifiable
information from education records ..., the ... institution may not allow that third party access to
personally identifiable information from education records for at least five years.
65
$ 99.7 What must an educational ... institution include in its
annual notification?
(a)(3)(iii) If the ... institution has a policy of disclosing education records under $99.31(a)(1),
a specification of criteria for determining who constitutes a school official
and what constitutes a legitimate educational interest (must be included in the
annual notification).
66
Model Annual Notification of Rights under
FERPA for Post Secondary Institutions
The Family Educational Rights and Privacy Act
(FERPA) affords students certain
rights with respect to their education records. They are....
(3)The right to consent to disclosures of personally identifiable information contained in the student’s
education records, except to the extent that
FERPA authorizes disclosure without
consent.
One exception which permits disclosure without consent is disclosure to school officials with legitimate
educational interests. A school official is a person employed by the University in an administrative,
supervisory, academic or research, or support staff position (including law enforcement unit personnel
and health staff); a person or company with whom the University has contracted
(such as an attorney, auditor, or collection agent); a person serving on the Board of Trustees; or
a student serving on an official committee, such as a disciplinary or grievance committee, or assisting
another school official in performing his or her tasks.
67
And what does LeRoy say?
“...nothing in FERPA prevents an
educational institution from contracting with a person or entity outside the institution to perform
services that the institution would otherwise provide for itself.”
(Letter from LeRoy Rooker to Daniel Boehmer, April 19,1993 found in McDonald, Steven J., The Family
Educational Rights and Privacy Act: A Legal Compendium, NACUA, 1999, pp. 221-223.)
68
Key FERPA Terms for
Outsourcing
School Officials
Legitimate Educational Interest
Annual FERPA Notification to
Students
69
To Contact Me...
Richard A. Rainsberger, Ph.D.
Consultant
Education Records Law and Privacy
Develop a goal statement/identify a desired outcome
Why do you think outsourcing will benefit your institution?
What are your expectations for outsourcing?
What is the state of your current service?
Who is affected by this service? How do they currently evaluate the service?
11
Where to Start?
1. Develop a goal statement/identify a desired outcome
To establish an on-line, integrated, real time information system that provides
customer access 24/7 and permits customers to process any administrative transactions via web based
processing.
12
Where to Start?
Outsourcing will benefit the institution by providing a customer-friendly environment
for accessing accounts, processing administrative transactions, and providing state-of-the-art technology
at a lower cost.
13
Where to Start?
3. What are your expectations for outsourcing?
More favorable satisfation ratings from our customers after the
system has been implemented for one year
Improved security for administrative transactions
Decrease in number of errors to research
An “audit trail” of all transactions made to the
system
Automatic scheduled backups with ease of information
retrieval
14
Where to Start?
4. What is the state of your current service?
Is the service delivered in a timely mannor?
Is service of the desired quality?
Are service expectations being met?
Are new features desired?
Is staffing a problem?
15
Where to Start?
5. Who is affected by this service? How do they currently evaluate the service?
Student
Faculty
Staff and administrators
Boards, Legislators, and Regulating Bodies
Alumni
16
Basic for Evaluating the Outsourcing Vendor
Reference Checks
Request list of current users
Request list of cancelled/former users
Contact references and verify vendor performance in
critical areas
17
Basis for Evaluating the Outsourcing Vendor
Quality of Service
Speed and convenience of delivery
Accuracy and completeness
Standards of professional practice
Error rate/need of repeat service
Service downtime
Response to user-identified problems
Quality of vendor communication
18
Basis for Evaluating Outsourcing Vendor
Cost of Service
“...the cost of providing the service through
a vendor should be complared to the cost of performing the function internally.”
______________________________
AACRAO 2001 Outsourcing Survey
19
Basis for Evaluating Outsourcing Vendor
Cost of Service
Include all institutional cost
Determine whether cost shifts occur
Identify hidden costs
Vendor support costs
Image/reputational cost
Termination cost
20
Privacy Issues
FERPA
regulates what, who and how
Vendor must act as agent to handle confidential records
Current and future data disposal
Confidentiality and intergrity of data
Ultimate accountability remains with the institution
21
So What Does FERPA
Say
22
34 CFR 99 FERPA
Regulations
*Appendix 2 of AACRA0 FERPA
Guide
$99.31 Under what conditions is prior consent (of a student) not required to disclose
information?
23
$99.31 Under what conditions is prior consent (of a student) not required to disclose
information?
(a)An ... institution may disclose personally identifiable information from an
education record of a student...if the disclosure meets one or more of hte following conditions:
(1)The disclosure is to other school officials whom the ...
institution has determined to have legitimate educational interest.
24
$99.33 What limitations apply to the redisclosure of information?
(a)(1) An ... institution may disclose personally identifiable information from an education record
only on the condition that the party to whom the information is disclosed will not disclose the
information to any other party without the prior consent of the student....
(e) If this Office (FPCO) determines that a third party improperly rediscloses personally identifiable
information from education records ..., the ... institution may not allow that third party access to
personally identifiable information from education records for at least five years.
25
$99.7 What must an educational ... institution include in its
annual notification?
(a)(3)(iii) If the ... institution has a policy of disclosing education records under $99.31(a)(1),
a specification of criteria for determining who constitutes a school official
and what constitutes a legitimate educational interest (must be included
in the annual notification).
26
Model Annual Notification of Rights under
FERPA for Post Secondary Institutions
The Family Educational Rights and Privacy Act (FERPA) affords students certain rights with respect to
their education records. They are....
(3) The right to consent to disclosures of personally identifiable information contained in the student’s
education records, except to the extent that
FERPA authorizes disclosure without
consent.
One exception which permits disclosure without consent is disclosure to school officials with legitimate
educational interests. A school official is a person employed by the University in an administrative,
supervisory, academic or research, or support staff position (including law enforcement unit personnel
and health staff); a person or company with whom the University has contracted
(such as an attorney, auditor, or collection agent); a person serving on the Board of Trustees;
or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting
another school official in performing his or her tasks.
A school official has a legitimate educational interest if the official needs to review an education
record in order to fulfill his or her professional responsibility....
“...nothing in FERPA
prevents an educational institution from contracting with a person or entity outside the
institution to perform services that the institution would otherwise provide for itself.”
(Letter from LeRoy Rooker to Daniel Boehmer, April 19,1993 found in McDonald, Steven J., The Family
Educational Rights and Privacy Act: A Legal Compendium, NACUA, 1999, pp. 221-223.)
28
Key FERPA Terms
for Outsourcing
School Officials
Legitimate Educational Interest
Annual FERPA Notification
to Students
29
Balancing Risks
Identify data and level of confidentiality
Assess impact if confidentiality compromised
Release no unessential data
Assess vendor training
Assess vendor data security
Assess vendor attitude toward exclusivity of data or service---does it
impact other operations?
30
Balancing Risks
Assess long term impact of decision on institution
Does institution have the resources to manage the contract?
If “yes,” who is assigned that responsibility?
31
Outsourcing Agreement
State responsibility of both parties
Specify ownership and control of data rests with the institution
Include non-disclosure agreement
Specify compliance with FERPA
Prohibit unauthorized data usage
Consider indemnity clause; “hold harmless”
Explicitly name vendor as agent of the institution
32
Outsourcing Agreement (cont'd)
Establish dispute resolution procedure
Specify any usage of school name and logo
Establish performance measures
Limit length of initial agreement
Specify termination notice requirements
Limit exclusivity
Provide for periodic review and upgrades
33
Sample Terms
Non-directory information is to be stored in an encoded format.
Non-directory information is not to be viewed by, displayed to or available
to employees at any time.
The vendor may not sell, distribute, release or disclose personally identifiable
or directory information without the express written consent of the institution.
34
Sample Terms (cont'd)
The vendor has the right to use the name of the institution only in
connection with rendering the service.
The institution appoints the vendor as its agent for the purpose of
rendering the service. The agent is subject to and must comply with all state education codes and
with the Family Educational Rights and Privacy Act of 1974 (as amended) (FERPA)
35
Sample Terms (cont'd)
Nothing in the contract shall be construed as limiting the activities of the
institution for which it has been traditionally and ultimately responsible.
All fees are as specified in the contract and are for the period of the
contract. Fees may only be changed with the consent of the institution.
36
Sample Terms (cont'd)
Upon termination of the contract for any reason, the vendor will return all
information provided by the institution and will provide a certificate attesting that all information
on the vendor systems and storage files provided by the institution has been destroyed.
37
Managing the Agreement
Successful agreement will benefit both school and vendor
Regular communication between vendor and school
Institution in client complaint loop
Regular reports on volume, turnaround time, service downtime, and
service errors
38
What happens if things go awry?
Develop a plan for continuing service if vendor relationship is
severed
Fleming, M. Emerging Business Affiliation Models for E-COMMERCE.
In Continuing Legal Education (eds.) E Commerce (Section III). St. Paul: Minnesota State Bar Association,
2000.
Kaganoff, Tessa. Collaboration, Technology, and Outsourcing Initiatives in
Higher Education: A Literature Review. Washington DC: Rand Corp., 1998
40
To Contact Me...
Richard A. Rainsberger, Ph.D.
Consultant
Education Records Law and Privacy
![[graphic text of the letters F-E-R-P-A]](img/ferpa.gif)
![[table of an example grade posting]](img/grades.gif)
![[a screen shot of an example IST 133-02 Grade Book layout]](img/book.gif)