University Times

Last year’s student shooting at Virginia Tech has focused renewed attention at college campuses on a federal law that protects students’ privacy rights, two Pitt officials said.

“And that’s a good thing. We’re glad to be able to talk about student privacy to avoid any trouble beforehand” and to clear up ambiguity, said Ted Fritz, associate general counsel.

There can be consequences for violating the Family Educational Rights and Privacy Act, or FERPA, including federal censure, loss of federal funding and legal actions against employees, said Sam Conte, although he added that Pitt has not had a serious violation in his 20-plus years as Pitt’s registrar.

Problems here over time have been rare, small and correctable, he said. “We might hear that a faculty member has posted grades using social security numbers, which is not permitted under FERPA, even using just the last four digits, because these are personal identifiers of students and come under a student’s education record,” he said.

Fritz and Conte led a Human Resources workshop April 22 on “Student Privacy and FERPA.” While primarily directed at employees who handle, review, store or disclose student records, the workshop also offered some tips for faculty faced with disclosure decisions.

The 1974 federal law, also known as the Buckley Amendment, applies to all higher education institutions that receive funding from the U.S. Department of Education.

Students, including international students, who currently are or formerly were enrolled at an institution, regardless of age or dependent status, are covered by FERPA regulations; students not enrolled, including those who have been accepted into a school, are not covered until they enroll. FERPA coverage continues until the death of an individual, although students and former students can waive certain privacy rights.

Conte and Fritz acknowledged that FERPA can cause confusion because there are numerous exceptions and caveats to the law, as well as some wiggle-room for an institution’s discretion.

“For example,” Conte said, “the law says the University may give out directory information, not must do it. We reserve the right to ask why a person needs information on a student and to refuse to give it out.”

Directory information under FERPA is defined as the student’s name, place of birth, address, telephone number, email address, major field of study, dates of attendance, degrees and awards received, previous educational institutions attended, participation in officially recognized sports and activities, weight and height for athletes and the student’s photograph.

Students may prohibit the University from releasing directory information by written request to the Registrar’s office. The refusal release restricts all the directory information, Conte noted, adding that it is binding until the individual rescinds it in writing.

Students’ rights

Under FERPA, students have the right to:

• Inspect and review their education records;

• Seek to correct their education records;

• Report violations of FERPA to the Department of Education;

• Be informed annually of their FERPA rights by the institution, and

• Exercise limited control over disclosure of education records information.

Education records

For the purposes of FERPA, education records include any records created or possessed by the University that contain personally identifiable information related to a student. The records may be in printed form, handwritten, computer-stored, on magnetic tape, in email, on film or in some other medium.

“So, you need to be careful, for example, when you’re writing an email to a colleague about a student, because you are creating a record,” Fritz said. “You need the information you’re sharing to be accurate and factual, and not include opinions on a certain student, because the student does have a right to access that. Even if you delete the email, we would be required to search the network server if a student requested to see his or her records.”

Under a voluntary written consent waiver clause, students may designate specific institutions or parties who can view their education records. That consent remains valid until the student revokes it in writing.

Student consent and waiver information is recorded on PeopleSoft, the University’s student record system, Conte said. A link to a student’s record, called a positive service indicator, flags for the user that a release of some sort has been activated.

“For those of you who handle student records on PeopleSoft, you should click on the positive service indicator to find out what forms have been filed before you give out any information,” he said.

What’s not covered

Personal records, such as a faculty member’s private notes on a student that remain unshared, are not considered part of a student’s education record under FERPA, although those would have to be disclosed under certain circumstances involving litigation, Fritz said.

Other information not protected as FERPA education records includes: law enforcement or campus security records, such as Pitt police records; records relating to an individual’s employment by the University (although a student’s work study records are considered education records under FERPA because it is a requirement of the job to be a student); medical treatment records made or maintained by a physician, psychiatrist, psychologist or paraprofessional, and alumni records.

Medical records constitute a gray area, Fritz acknowledged. The Health Insurance Portability and Accountability Act (HIPAA) prohibits the disclosure of medical records to anyone, but excludes in its privacy provisions any records that are subject to FERPA, he said.

FERPA allows the sharing of medical records among professionals involved in treatment; otherwise, they are subject to the same restrictions as other student records. “So FERPA trumps HIPAA,” Fritz said.

The records review process

Students may review their records by submitting a written request to the appropriate record custodian. Under the law, the University must comply with the request within 45 days.

There are certain limitations under FERPA as to what a student may review. The student is not permitted to review financial records of his or her parents or confidential letters and recommendations in the education record file.

Students are permitted to take notes while reviewing their file, but the University is under no obligation to make copies of students’ records, Fritz said. “In some cases we will provide copies, for a fee, if the person is not able to come to campus,” he said.

Conte said that his biggest concern is that a student will want to tamper with the education record file. “You should not let students review their records alone. Stay in the room with them,” Conte urged.

While students have the right to correct any errors in their file, under FERPA they cannot challenge a grade or other evaluation that has been recorded accurately, he added. “That’s handled under the University’s academic integrity guidelines,” Conte said.

Institutions’ rights

FERPA permits institutions to release student education records information to parents of dependent children, as demonstrated by the most recent federal tax returns.

Also, schools may advise parents of any violations of federal, state or local laws, or of university policies governing the use or possession of alcohol or controlled substances, if the student is under 21, regardless of dependent status. Pitt routinely informs parents of all such violations, Conte said.

However, faculty who get a call from a parent requesting information that may be contained in a student’s education record should decline, until the faculty member has confirmed the student’s dependent status, Fritz said. “They should say to the parent, ‘I can’t discuss that right now. I can ask the student for permission or you can ask the student to file a consent form.’ Where there is any doubt, it’s best to contact either the Registrar’s office or the Office of the General Counsel,” he said.

Disclosure exceptions

There are numerous disclosure exceptions to FERPA regulations, including for:

• University faculty, staff and administrators with a “legitimate educational interest,” which is defined as a reasonable need for access to the information to fulfill their job functions or responsibilities;

• Federal, state and local education authorities involving an audit or evaluation of compliance;

• Judicial orders or subpoenas;

• Alleged victims of crimes of violence, who are entitled to results of disciplinary hearings;

• Educational institutions where a student seeks or intends to enroll;

• Financial aid processing, and

• A health or safety emergency.

The health and safety emergency disclosure exception led to some of the confusion in the Virginia Tech incident, where in April 2007 an enrolled student went on a shooting rampage and killed 32 people before committing suicide.

School officials apparently became confused over which behaviors legally could be made public under FERPA regulations in advance of the violence, Fritz noted. A state-appointed review panel criticized Virginia Tech administrators for failing to respond to “red flags” in the student assailant’s behavior or to take action that might have reduced the number of casualties.

“The Department of Education is now developing new guidelines that [relax the regulation’s statement] that health and safety emergencies have to be ‘strictly construed,’” he said. The Family Policy Compliance Office, which enforces FERPA for the Department of Education, previously defined the standard for invoking the exception as a situation that is dangerous, serious and imminent. New guidelines give an institution much more flexibility and discretion, Fritz said.

“That means if a faculty member has some grounds for concern about health and safety they can and should alert the appropriate parties,” such as parents, the campus police, Student Affairs officials or the counseling center, Fritz said. “Err on the side of people’s health and safety over FERPA concerns,” he said.

More information on FERPA is available at www.ed.gov/policy/gen/reg/ferpa/index.html. Pitt’s policy and procedure 09-08-01 covers FERPA regulations and can be viewed at www.bc.pitt.edu/policies/procedure/09/09-08-01.html.

Information also can be obtained from the Registrar’s office, 4-7600, and from the Office of General Counsel, 4-5674.

—Peter Hart