By SHANNON O. WELLS
At their most recent meetings, Senate Council and Faculty Assembly approved updated and streamlined Pitt policies and procedures covering access to and disclosure of student education records.
Introducing the “Access to and Disclosure of Education Records” policy, which was last updated in 2008, John Stoner, co-chair of the Senate’s Educational Policies committee, said while few may be familiar with the Federal Educational Rights and Privacy Act (FERPA), he argued that it “may be the single-most important government regulation in terms of how student information and educational information is handled at the University. “
Noting how common scam “phishing” alerts and other threats to personal information have become in the intervening 15 years, Stoner said the draft policy, which Educational Policies recently passed, is now more relevant than ever. The need for protection, he said, is “at an all-time premium for both protecting from (Pitt’s) perspective, as well as the more nefarious interests of others at taking it away from us.”
Stoner and representatives from Pitt’s Office of Policy Development and Management outlined the draft policy during a Feb. 7 Faculty Assembly meeting held virtually to accommodate a Board of Trustees committee meeting in the Assembly’s usual Posvar Hall meeting room. Senate Council subsequently approved the draft following a discussion, including additional information on training and compliance, at its Feb. 18 meeting in Posvar.
The committee to revise academic policy ACO4 was convened in February 2023 by Pitt Registrar Jonathan Helm and Laurel Gift, assistant vice chancellor for compliance, investigation and ethics, and included Brittany Connor from the policy office and what Stoner called a “wide mix” of other stakeholders.
Ericha Geppert, program manager in the Office of Compliance, Investigation and Ethics, engaged in comprehensive benchmarking on how other universities have handled recent FERPA policy updates and components. The team spent time “fine-tuning language and discussing issues and implications” starting from when a student becomes active and therefore is covered under FERPA, Stoner explained.
“We also spent a lot of time thinking about the items that had historically been considered part of (student) directory information and whether or not there were certain items … we wanted to either exclude or limit,” such as dates of birth and hometowns, based on identity security concerns.
Educational Policies also focused on aspects of procedure and training, coming up with a two-tiered regimen where anyone at Pitt who is “remotely considered” to have access to student information “should be at least trained in basic terms on FERPA,” Stoner said. For example, if a member of the custodial staff discovers, while cleaning, a pile of academic records that shouldn’t be out in public, that employee should be trained to report and sequester the documents in a safe location.
“We also talked about the need for possibly more intensive training for those who regularly work with these records and possibly needing to know some of the greater nuances of this,” he said.
Discussions concluded late last year, with Helm, Gift and Connor presenting policy and procedure drafts to Educational Policies, which the committee unanimously approved.
Privacy vs. access
Responding to a question about how widely available student directory information — including names, birth dates, contact information, enrollment status, fields of study and credentials — will be, Helm explained, “They wouldn’t necessarily be widely available on an ongoing basis.”
“By placing them on this list, we could make them available, but that gives us the latitude to do so,” he said, with University-specific record custodians and others authorized to decide “based on a specific request or … specific situation” whether it’s reasonable to make the requested information available. “So basically those things that appear on the list could … but won’t necessarily be made available.”
Specific language was added to procedures regarding dates of birth, which Helm said was “probably the element that got the most attention” in the policy update conversations. While physical addresses don’t necessarily need to be made available, Helm said “there are practical reasons to have it on the list so that we could provide it as directory information if we deemed it was appropriate and useful.”
That said, FERPA gives students the right to restrict release of their information. Students with concerns “could easily request from our office that we restrict release of that information,” Helm said, noting such requests are “not particularly common. I mean, there are students that definitely exercise that right as they deem necessary.”
While a federally required annual alert of students’ information privacy rights is a “baseline for the communication that we’re required to do in order to be compliant,” Helm noted, “it is information that we would see being available throughout the year, posted publicly so that students would be hopefully well aware of it.”
The policy team, he added, will explore opportunities to communicate to students who enroll during spring semester or otherwise might miss the annual notification.
Increasing communication
To clarify misconceptions of what constitutes directory information, Laurel Gift said it’s not like “the old-school student directory, where it was all your friends listed. That’s not what this is.”
Rather, the directory is a category of information FERPA has defined and permits academic institutions to release without consent, provided there’s an official request. “It’s not a public-facing document.”
“It’s not like any student can go into the directory and get an address for another student, but it would permit us to share an address of a student for a legitimate educational purpose as a school official,” Gift said. “In every one of these requests, there’s still the analysis that we go through: Is this a legitimate educational purpose? Should I be sharing this information? And it just permits for that category of information that we don’t have to get individual consent from the student every single time.”
Working with Student Affairs to improve how FERPA information is shared, Gift said the information is in the Student Code of Conduct, “which is part of your onboarding when you come in as a student.” Notifications also will increase with the new compliance program, including the semesterly notice distribution. “We’ve already increased communication about that,” she said.
Items like hometowns and dates of birth were discussed extensively. “We had a fairly lengthy conversation about whether a hometown is really at all useful” in a student’s educational record, Stoner said, “because that’s sometimes the kind of thing that they ask you for security passwords and other things … having that information really didn’t seem to be necessary.”
Birth dates, Stoner said, “should be even more carefully circumscribed in terms of access.”
Noting that Pitt is not subject to state Freedom of Information Act (FOIA) regulations the way “some of its peers would be,” Helm noted that the University has discretion on “whether to provide that directory information upon some request being received. Whereas if we were subject to state (FOIA) regulations, we could potentially be compelled to provide that information,” he said. “So that was definitely a factor as well in our analysis of what we should include on the list and what we should not.”
Katherine Wood, research assistant professor in the Department of Medicine, asked about a differentiation in the policy draft between “forcible and non-forcible” sex offenses in terms of information disclosure. Helm said that is the “exact regulatory language put forward and accepted” from the Department of Education.
Which, Gift noted, “we have to abide by. It’s not discretionary to us to change that definition,” she said, adding that it “is setting the floor for us” to determine how to handle future responses.
Robust training
While the draft policy and procedures don’t cover compliance training for FERPA-covered records, Gift said if the drafts are approved, she and Helm will develop an appropriate training program. Gift added that her office seeks to create consistency and track the training, likely using the Health Insurance Portability and Accountability Act (HIPAA) policy as a model.
“I anticipate that it’ll look a lot like that,” she told Faculty Assembly. “We will identify areas of the University … that will require FERPA training, likely on an annual basis, to include new employees as they come on.
“It will be more robust than what we’re all used to, to create some consistency and then to be able to track that training,” Gift said, adding that it’s an educational tool, “so when someone slips up or there’s a mistake in the area, I’m usually notified and log that, and my follow up is often, ‘OK, let’s get some additional training and education about this.’ ”
At the Senate Council meeting, Gift said the training system will likely be similar to existing security awareness training done via email to accommodate tracking. This includes a communications plan covering policy requirements and changes, along with “what all of you can expect in the coming year about those changes.”
Current FERPA training, Gift explained, is “ad hoc and kind of as needed.” A goal of the new policy is to make it “much more available to more of our community — easy to deploy, easy to track — and so we're hoping to see some efficiencies and ease here.”
Faculty Assembly passed the FERPA “Access to and Disclosure of Education Records” policy and procedures, on Feb. 7, with 39 voting yes, one voting no, and four abstentions. Senate Council OK’d the draft policy on Feb. 15, with 39 voting in favor, one opposing and one abstention.
The draft policy will now proceed to Chancellor Joan Gabel for her consideration.
Shannon O. Wells is a writer for the University Times. Reach him at shannonw@pitt.edu.
Have a story idea or news to share? Share it with the University Times.