University Times

The fatal Virginia Tech shootings in 2007 focused new attention on the federal law that protects student privacy rights. Now the U.S. Department of Education has issued a new guide that seeks to elucidate — rather than alter significantly — the Family Educational Rights and Privacy Act, or FERPA. The new regulations, issued by the government in December, went into effect Jan. 8.

According to University Registrar Samuel Conte, the new guidelines clarify existing rules under FERPA, the 1974 federal law, also known as the Buckley Amendment, that governs disclosure of student records and applies to all higher education institutions that receive funding from the U.S. Department of Education.

“There are no significant changes. If you follow the University policy as written, you’ll be okay,” Conte said.

The most important change, Conte said, affects interpretation of the emergency exception to FERPA regulations. Conte said that some confusion resulted over FERPA following the Virginia Tech incident, where in April 2007 an enrolled student went on a shooting rampage and killed 32 people before committing suicide. According to investigations of the shooting, Virginia Tech officials apparently were confused over which student behaviors could be made public under FERPA regulations in advance of the violence.

The Department of Education previously defined the standard for invoking the emergency exception to FERPA regulations as a dire situation that is “dangerous, serious and imminent.” The new rules relax that strict construction standard in favor of disclosing information about a student “if there is an articulable and significant threat to the health or safety of the student or other individuals.”

“There has always been a health or safety emergency exception in FERPA,” Conte said. But now the government is ceding authority to higher education institutions to determine what constitutes an emergency as well as what information may be disclosed and to whom. Institutions can make the judgment as long as they can articulate that an emergency merits an exception to the privacy rules, he said.

“The phrase they use is provide ‘a rational basis,’” Conte pointed out. “In most cases, an institution certainly would want to err on the side of safety and worry less about the other concerns until later. What the Department of Education decided basically validates that point of view. In the event of an emergency, the institution has to make a decision at the time and would be under time pressure and that decision won’t be second-guessed by the government.”

As the introduction to the new guidelines states: “The Department [of Education] will not substitute its judgment for that of the agency or institution if, based on the information available at the time … there is a rational basis for the agency’s or institution’s determination that a health or safety emergency exists.”

As a practical matter, what that means is if a faculty member has some grounds for concern about health and safety of a student or students, the faculty member can and should alert the appropriate parties, such as parents, the campus police, Student Affairs officials or the counseling center, Conte said.

He said there also are small modifications in the guidelines. Citing a report by the American Association of Collegiate Registrars and Admissions Officers, of which he is a board member, Conte said alterations include that student ID numbers generated by an institution now may be included in directory information released by the institution provided that the number cannot be used to gain access to education records without additional authentication. If those numbers require a password, for example, their inclusion in directories is not problematic, the new rules state.

In addition, the new guidelines establish that online (distance education) students are protected under FERPA, and specify that contracts with third parties who handle student information must reflect that the information is owned by the institution and governed by FERPA regulations, he pointed out.

All students, including international students, who currently are or formerly were enrolled at an institution, regardless of age or dependent status, are covered by FERPA regulations. FERPA coverage continues until the death of an individual, although students and former students can waive certain privacy rights.

FERPA also gives parents certain rights with respect to their children’s education records.

These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. However, the new FERPA rules continue to permit institutions to release student education records information to parents of dependent children, as demonstrated by the most recent federal tax returns. Faculty who get a call from a parent requesting information that may be contained in a student’s education record should decline, until the faculty member has confirmed the student’s dependent status. Where there is doubt, call the Registrar’s office, Conte said.

Also, schools may still advise parents of any violations of federal, state or local laws, or of university policies governing the use or possession of alcohol or controlled substances, if the student is under 21, regardless of dependent status. Pitt routinely informs parents of all such violations, Conte said.

While the national hubbub over FERPA interpretations focused mainly on the emergency exception issue, the law also governs which student identification numbers may be used and in which contexts. The new guidelines reiterated that Social Security numbers may be used provided access is strictly limited.

“Years ago, you might have a FERPA issue, for example, when a faculty member posted grades using the Social Security numbers,” Conte said. “But ever since we’ve gone to online grade submission, it’s a non-issue for us. Faculty submit the grades and they’re processed overnight and students can view them the next day online in a secure environment. There’s no need to post grades.”

Employees who handle student records continue to be covered under disclosure exceptions to FERPA regulations based on a “need to know.” That would include Pitt faculty, staff and administrators with a “legitimate educational interest,” which is defined as a reasonable need for access to the information to fulfill their job functions or responsibilities.

“This is nothing new,” Conte reiterated, adding that no new training would be required for employees.
(For more on FERPA, see the May 1, 2007, University Times.)

The complete text of the FERPA final regulations is posted online at: www.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.html.

—Peter Hart