Privacy Invasion
Mark calls home early in his first semester at
college and tells his mother he doesn’t like his Statistics class and he wishes
he could drop it. Knowing her son is busy, Helen asks Mark for his username and
password so that she can take care of it for him. She logs onto the college’s
add/drop page and removes him from the course. Later, Mark discovers that his
mother has inadvertently dropped him from his Principles of Accounting course
and the deadline for adding the class back into his schedule has passed.
Whether it is a situation such as this fictitious
example, a parent’s request to have access to a student’s schedule or grades,
or transferring student data from one computer to another, university officials
continue to find creative ways to protect student information during a time
when outsiders can infiltrate data using a computer more easily than getting
access to paper files.
Jean Lang, the campus registrar for Washington State
University (WSU) in Vancouver
and the local FERPA officer, and her colleagues within the student-affairs
department, regularly field phone calls from parents or spouses regarding the
Family Educational Rights and Privacy Act (FERPA), a 1974 federal law that
protects the privacy of student-education records.
Getting the 2,555 students and their parents up to
speed about FERPA is mostly a matter of training. WSU’s new-student orientation
includes a section on student data privacy taught by Lang and other university
officials. “The orientation presentation plants a seed. But parents don’t
understand the full effect of the law until they call me about their child’s
academic standing, only to discover I can’t release the information to them
without their child’s permission,” said Lang.
View-Only Software
In an effort to keep family members engaged in the
student’s education without compromising privacy, WSU’s technology staff at the
Pullman campus are developing a software program that will allow students to
give others view-only access to a portion of their records. “The student
controls what information a spouse or parent can see. As a result, the students
can keep their own passwords safe and secure,” said Lang. WSU consists of four
campuses and a distance-learning program with a total student population of
more than 24,000.
In order to access records, each parent fills out a
guest account on the WSU Website that includes his or her name, address, and
e-mail. A “friend identification” is created. Next, the parent gives the
student the identification information and the student checks off which items
the parent can view, according to Richard Backes, senior associate registrar and FERPA advisor at WSU’s Pullman campus. The new software is tentatively being
called “Friend IDs” and will be launched next fall.
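The flow described above, sketched as an added example (not WSU's or Minnesota's software): a guest registers and receives a friend ID, the student ticks the record categories that ID may see, and every write path still requires the student's own login. The class name, method names, category names and sample data are assumptions made for illustration.

```python
import copy
import secrets

# Category names are assumed, modeled on the items the article lists.
CATEGORIES = {"grades", "enrollment_summary", "financial_aid_holds", "student_account"}

class AccessDenied(Exception):
    pass

class RecordsPortal:  # hypothetical name
    def __init__(self, records):
        self.records = records   # student -> {category: data}
        self.guests = {}         # friend_id -> guest profile
        self.grants = {}         # (student, friend_id) -> categories the student ticked

    def register_guest(self, name, address, email):
        """The parent fills out a guest account and receives a friend ID."""
        friend_id = "F-" + secrets.token_hex(4)
        self.guests[friend_id] = {"name": name, "address": address, "email": email}
        return friend_id

    def grant(self, acting_user, student, friend_id, categories):
        """Only the student decides which items a guest can view."""
        if acting_user != student:
            raise AccessDenied("only the student can change grants")
        if friend_id not in self.guests:
            raise AccessDenied("unknown friend ID")
        self.grants[(student, friend_id)] = set(categories) & CATEGORIES

    def view(self, friend_id, student, category):
        """Guests read a copy of granted categories and nothing else."""
        if category not in self.grants.get((student, friend_id), set()):
            raise AccessDenied(f"{category} is not shared with {friend_id}")
        return copy.deepcopy(self.records[student][category])

    def drop_course(self, acting_user, student, course):
        """Writes require the student's own login; a friend ID never qualifies."""
        if acting_user != student:
            raise AccessDenied("guest access is view-only")
        self.records[student]["enrollment_summary"].remove(course)

def demo():
    # Constructed sample data for the article's fictitious Mark and Helen.
    portal = RecordsPortal({"mark": {"grades": {"Statistics": "B"},
        "enrollment_summary": ["Statistics", "Principles of Accounting"]}})
    helen = portal.register_guest("Helen", "1 Example St", "helen@example.com")
    portal.grant("mark", "mark", helen, ["enrollment_summary"])
    return portal, helen
```

With this model, calling `drop_course` with Helen's friend ID raises `AccessDenied`, so the mistaken drop in the opening anecdote cannot happen without Mark's password.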
The view-only concept initially caught Backes’
attention during a conference demonstration he attended given by the University of Minnesota. The University of Minnesota
system, called Parent/Guest Access, was introduced in 2005. Users have access
to grades, enrollment summaries, financial aid holds, and student accounts.
A view-only system is only one of the methods WSU
uses to comply with FERPA, also commonly referred to as the Buckley Amendment,
after its principal sponsor, Sen. James Buckley of New York. Pushing data from one point to the
next has become more secretive. WSU employees have switched from sending
word-processing attachments via e-mail that contain student data to
transmitting encrypted attachments: “Today the climate is that confidential
e-mails need to be encrypted,” said Backes.
Most Secure Method
The best choice for safeguarding student data,
according to Backes, is using secure file transfer protocol (FTP), a way to
pass files over the Internet or through a network. He regularly uses this
method to forward graduate information to off-campus sources. “Secure FTP is
secure because it sends data point-to-point, whereas e-mail goes from
point-to-point-to-point.” Removing all social security numbers from computer
databases, files, and servers is another way WSU safeguards student
information.
The University also requires all employees who work
with student data to take part in online training every three years. “The
refresher course reminds people of the fact that there is a FERPA law. People
tend to forget the rules, such as what information can be released and to whom,
especially if they have worked here 10 or more years,” said Backes. The WSU
system flags employees who need training; if they do not participate in the
training, then they are denied access to student data.
Overall, Backes is confident that most WSU employees
have a firm grasp on what student information can be shared and what cannot,
or they know who to call if they have a question: “The more you train people in
the institution, the more likely they are to call me or the attorney general’s
office before they release student information.”
Washington State
University has five assistant attorneys
general on the Pullman campus who can field
calls about FERPA and other legal matters. “We provide advice on FERPA
questions from faculty and administration about three times a month,” said Toni
Ursich, senior assistant attorney
general. Her office also assists the registrar during annual FERPA training for
new faculty.
Parent/Guest Access
The largest group of culprits at the University of Minnesota (U of M) who share data is the
students themselves. All combined, the university has four campuses with more
than 65,000 students, 18,000 employees, and mountains of student data to
protect. Students often give parents or friends their private passwords and
usernames, giving others the ability to manipulate students’ records.
The Parent/Guest Access system that was introduced
to the campus more than two years ago has allowed students a way to share data
with any third party they choose, while encouraging students to protect their
usernames and passwords by not sharing them, said Tina Falkner, Ph.D., associate
registrar at the Twin Cities campus. “We like to think of it as giving
students a way to share the information that they want to, but not giving
someone the keys to the kingdom.”
Before the system was created, parents sometimes
logged on and changed student information. “The impetus for creating the system
was a clamoring from students and their parents to have a way to share
information and not have students share usernames and passwords with parents
who would then sometimes do things that were detrimental to the student’s
educational progress,” said Falkner.
Another way to educate parents on privacy issues is
to keep faculty and staff up-to-date on FERPA rules. Regular training at the U
of M helps members of the faculty and staff answer parents’ questions as well as
inquiries from students. A session called “Public Jobs: Private Data University
Security Training” covers a host of security measures required for dealing with
private data that is protected under federal and state laws, as well as
University policies. Employees learn to identify security issues, how to
protect data and hardware, and the protocol for responding to security
problems, according to a FERPA tutorial available through the U of M Website.
The Public Jobs course is mandatory training for all
university employees and is available by WebCT. New employees get the training
delivered directly to their online portal.
For quick information on FERPA, employees can take a
10-minute tutorial online. The PowerPoint
presentation provides tips such as:
- Remove social security numbers or
student identification numbers from posted grades.
- Examinations, term papers, blue
books, or other graded materials with identifiable student information should
be distributed directly to students or held in offices.
- Do not share student class schedules
with others.
- Protect student data as if it were
your own.
Protecting educational records such
as grades, financial aid information, transcripts, and advising information is
more successful when institutions combine employee training programs, introduce
view-only software for third-party users, and transfer data using secure
computer-to-computer methods. Family members will continue to want some access
to students’ information, such as grades and bills, and universities can
empower students to make the choice of who to give view-only access to.
Likewise, keeping employees current on the FERPA law helps them make accurate
decisions when accessing student data or releasing information. University
employees are more aware of how to work with data today, according to
officials, but sometimes the key is to know who or where to go to when a
question arises.
Rhonda Morin is an Oregon-based writer and editor. She’s the former editor of the Thomas Magazine, a New England
college publication, and an associate editor for a computer trade publication
and an academic journal. She can be contacted at 503/206-4298 or
[email protected].