Publication Date: 2003
Author: Holub, Tamara
Source: ERIC Clearinghouse on Higher Education
College Student Records: Legal Issues, Privacy, and Security Concerns. ERIC Digest.
As the practice of entering student records online has become more widespread, many colleges are struggling with the technical and legal complexities of protecting the privacy of student data. There have been a number of reports in the news of hackers breaking into college websites to steal student identifies, tamper with grades or other information, and illegally view student records. Many colleges have established policies to comply with the Family Educational Rights and Privacy Act (FERPA) of 1974, also known as the Buckley Amendment, which enumerates legal guidelines regarding the privacy of student records. However, changing technologies and the new law, the US Patriot Act, which amends some provisions of FERPA, forces colleges to reexamine how they can protect student records. This digest will briefly discuss the provisions of FERPA and the US Patriot Act, and the measures some colleges are implementing to comply with these laws and improve the security of electronic student records.
FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)
FERPA established specific rights to parents regarding their children's
1.) Parents or eligible students have the right to inspect and review
2.) Parents or eligible students have the right to request that a school
3.) Generally, schools must have written permission from the parent or eligible student to release information from a student's educational record. However, FERPA allows school to disclose educational records without consent to particular parties such as school officials with a legitimate educational interest.
4.) Schools may disclose, without consent, directory information such
Finally, schools must notify parents and students annually of their rights under FERPA. The Family Policy Compliance Office, with the U.S. Department of Education, responds to all complaints or alleged violations under FERPA, and gives advise to colleges and schools on how to comply with the law (Walsh, 2002a). For the first time, the U.S. Supreme Court, in 2002, heard two cases based on FERPA. In February 2002, the court unanimously decided in Owasso Independent School District v. Falvo (No. 00-1073), that the practice of peer grading and students calling out each other's grades to the teacher, did not violate the provisions of FERPA (McCarthy, 2002). In Gonzaga University v. Doe (No. 01-679), the U.S. Supreme Court rules 7-2, that individuals do not have a right to sue over alleged violations under FERPA, and that individuals cannot seek compensation under that law (Walsh, 2002b). The Gonzaga ruling reaffirms the process by which the U.S. Department of Education enforces FERPA.
THE US PATRIOT ACT
As a result of the US Patriot Act, educational institutions must comply with aspects of the law that require the monitoring of foreign students and the disclosure of student records to track suspected terrorists. The US Patriot Act allows the U.S. Attorney General to access student records and collect information on foreign students, such as name, address, and visa classification which is maintained by educational institutions through the Student Exchange and Visitor Information System (SEVIS). The law also permits the U.S. Attorney General to apply for a court order to access student records maintained by educational institutions for the purpose of an investigation or prosecution relating to terrorism (American Council on Education, 2001). The law exempts both SEVIS and information obtained from student records by a court order from the disclosure clause required by FERPA. Many colleges and universities are grappling with the complexities of the law, in particular their obligations and role. A number of colleges are worried that responses to an invalid request will prompt lawsuits under the Fourth Amendment (Carlson & Foster, 2002). In response to the requirements of the law, some colleges are drafting compliance checklists for staff use to more effectively respond to law enforcement requests to search confidential university records. Librarians are concerned about privacy rights of readers since patrons' book loan records could be investigated under the U.S. Patriot Act.
ELECTRONIC SECURITY ISSUES AND COLLEGE POLICIES
Electronic information is protected not only by technology such as firewalls, password protection, and other measures, but also by the college employees who safeguard and manage the information. Some colleges have created electronic communications procedures to educate staff on how to protect student information. The University of California, Los Angeles has a policy that restricts the level of access to student information based upon what the particular staff member needs to know. For instance, academic counselors have a different level of access compared to financial aid officials.
Also, before any faculty or staff member can access information, they
must fill out a
Another complex issue is under what circumstances college officials
have the right to
The widespread use of Social Security numbers to tract student records
In 2002, a Swedish hacker broke into an Indiana University database and downloaded the names and Social Security numbers of 3,100 students (Foster, 2001). In 2002, a University of Delaware student allegedly changed her grades online after successfully impersonating a professor by finding his Social Security number online and guessing the password to the professor's computer account (Read, 2002). Incidences like these often occur because software glitches or errors by university staff leave the electronic system vulnerable to attack, the lack of safeguards in protecting student information, and even organized crime rings (Foster, 2002a). Occurrences of security breaches have prompted students and some lawmakers to pressure college officials to curtail the use of Social Security numbers. Although some colleges have limited the use of students' Social Security numbers to identification purposes, many college administrators are reluctant to alter their practices, arguing that changing their procedures is too costly and time consuming and ultimately ineffective (Foster, 2002a). Laws have been passed in Arizona, California, Maryland, New York, and Wisconsin which restrict a college's use of student Social Security numbers.
The complexities of the digital age, combined with new laws designed
American Council on Education (2001, November 5). .S. Patriot Act includes
provisions on student records. Retrieved on June 24, 2003 from
Carlson, S., and Foster, A.L. (2002, March 1). Colleges Fear Anti-terrorism Law Could Turn Them into Big Brother. The Chronicle of Higher Education A31.
Foster, A.L. (2001, May 11). The Struggle to Preserve Privacy. The Chronicle of Higher Education, A37.
Foster, A.L. (2002a, August 2(. ID Theft Turns Students into Privacy Advocates. The Chronicle of Higher Education, A27, A29.
Foster, A.L. (2002b, August 2). U. of Illinois may be a model in protecting privacy. The Chronicle of Higher Education, A28.
Hackers Breach Student Database at the University of Texas (2003, March
McCarthy, M.M. (2002). The Supreme Court Addresses Student Records: Peer Grading Passes the Test. Educational Horizons, Vol. 81, Number 1, 13-15.
Read, B. (2003, august 2). Delaware Student allegedly Changed Her Grades Online. The Chronicle of Higher Education, A29.
U.S. Department of Education (2002). Family Educational Rights and Privacy
Walsh, M. (2002a, April 17). Court To Decide If Pupil Privacy a Federal Case. Education Week, 25,27.
Walsh, M. (2002b, July 10). Privacy Law Not a Courtroom Matter. Justices
Decide. Education Week, 35,43.
Library Reference Search Web Directory
This site is (c) 2003-2005. All rights reserved.
Please note that this site is privately owned and is in no way related to any Federal agency or ERIC unit. Further, this site is using a privately owned and located server. This is NOT a government sponsored or government sanctioned site. ERIC is a Service Mark of the U.S. Government. This site exists to provide the text of the public domain ERIC Documents previously produced by ERIC. No new content will ever appear here that would in any way challenge the ERIC Service Mark of the U.S. Government.