Privacy Invasion

Mark calls home early in his first semester at college and tells his mother he doesn’t like his Statistics class and he wishes he could drop it. Knowing her son is busy, Helen asks Mark for his username and password so that she can take care of it for him. She logs onto the college’s add/drop page and removes him from the course. Later, Mark discovers that his mother has inadvertently dropped him from his Principles of Accounting course and the deadline for adding the class back into his schedule has passed.

Whether it is a situation such as this fictitious example, a parent’s request to have access to a student’s schedule or grades, or transferring student data from one computer to another, university officials continue to find creative ways to protect student information at a time when outsiders can reach data through a computer more easily than they can get access to paper files.

Jean Lang, the campus registrar for Washington State University (WSU) in Vancouver and the local FERPA officer, and her colleagues within the student-affairs department, regularly field phone calls from parents or spouses regarding the Family Educational Rights and Privacy Act (FERPA), a 1974 federal law that protects the privacy of student-education records.

Getting the 2,555 students and their parents up to speed about FERPA is mostly a matter of training. WSU’s new-student orientation includes a section on student data privacy taught by Lang and other university officials. “The orientation presentation plants a seed. But parents don’t understand the full effect of the law until they call me about their child’s academic standing, only to discover I can’t release the information to them without their child’s permission,” said Lang.

View-Only Software

In an effort to keep family members engaged in the student’s education without compromising privacy, WSU’s technology staff at the Pullman campus are developing a software program that will allow students to give others view-only access to a portion of their records. “The student controls what information a spouse or parent can see. As a result, the students can keep their own passwords safe and secure,” said Lang. WSU consists of four campuses and a distance-learning program with a total student population of more than 24,000.

In order to access records, each parent fills out a guest account on the WSU Website that includes his or her name, address, and e-mail. A “friend identification” is created. Next, the parent gives the student the identification information and the student checks off which items the parent can view, according to Richard Backes, senior associate registrar and FERPA advisor at WSU’s Pullman campus. The new software is tentatively being called “Friend IDs” and will be launched next fall.

The view-only concept initially caught Backes’ attention during a conference demonstration he attended given by the University of Minnesota. The University of Minnesota system, called Parent/Guest Access, was introduced in 2005. Users have access to grades, enrollment summaries, financial aid holds, and student accounts.
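The delegation flow described above, sketched as an added example (not WSU's or the University of Minnesota's code). The class and method names, the friend-ID format, and the sample records are assumptions, and `actor` stands for an identity that has already been authenticated.

```python
import copy
import secrets
from dataclasses import dataclass, field

# Categories the article lists for Minnesota's Parent/Guest Access.
CATEGORIES = {"grades", "enrollment_summary", "financial_aid_holds", "student_account"}

class AccessDenied(Exception):
    """Raised when a caller lacks a grant or attempts a change."""

@dataclass
class Student:
    username: str
    records: dict                                # category -> data (constructed)
    grants: dict = field(default_factory=dict)   # friend_id -> set of categories

class Portal:  # hypothetical name
    def __init__(self):
        self.students, self.guests = {}, {}

    def register_guest(self, name, address, email):
        """Guest fills out an account; a friend ID is created for them."""
        friend_id = "F-" + secrets.token_hex(4)  # assumed ID format
        self.guests[friend_id] = (name, address, email)
        return friend_id

    def set_grants(self, actor, username, friend_id, categories):
        """Only the student decides which items a friend ID may view."""
        if actor != username or friend_id not in self.guests:
            raise AccessDenied("only the student can grant to a known friend ID")
        if not set(categories) <= CATEGORIES:
            raise ValueError("unknown record category")
        self.students[username].grants[friend_id] = set(categories)

    def view(self, friend_id, username, category):
        """Deny by default: unchecked items and unknown IDs see nothing."""
        if category not in self.students[username].grants.get(friend_id, set()):
            raise AccessDenied(f"{friend_id} may not view {category}")
        # Return a copy so a viewer can never alter the stored record.
        return copy.deepcopy(self.students[username].records[category])

    def drop_course(self, actor, username, course):
        """Write path: open to the student's own login only, never a friend ID."""
        if actor != username:
            raise AccessDenied("guests have view-only access")
        self.students[username].records["enrollment_summary"].remove(course)
```

With this shape, the parent in the opening anecdote could read the grades her son checked off but could not drop a course, because no friend ID ever reaches the write path.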

A view-only system is only one of the methods WSU uses to comply with FERPA, also commonly referred to as the Buckley Amendment, after its principal sponsor, Sen. James Buckley of New York. Pushing data from one point to the next has become more secretive. WSU employees have switched from sending word-processing attachments via e-mail that contain student data to transmitting encrypted attachments: “Today the climate is that confidential e-mails need to be encrypted,” said Backes.

Most Secure Method

The best choice for safeguarding student data, according to Backes, is secure file transfer protocol (FTP), a way to pass files over the Internet or through a network. He regularly uses this method to forward graduate information to off-campus sources. “Secure FTP is secure because it sends data point-to-point, whereas e-mail goes from point-to-point-to-point.” Removing all social security numbers from computer databases, files, and servers is another way WSU safeguards student information.

The University also requires all employees who work with student data to take part in online training every three years. “The refresher course reminds people of the fact that there is a FERPA law. People tend to forget the rules, such as what information can be released and to whom, especially if they have worked here 10 or more years,” said Backes. The WSU system flags employees who need training; if they do not participate in the training, then they are denied access to student data.

Overall, Backes is confident that most WSU employees have a firm grasp on what student information can be shared and what cannot, or they know who to call if they have a question: “The more you train people in the institution, the more likely they are to call me or the attorney general’s office before they release student information.”

Washington State University has five assistant attorneys general on the Pullman campus who can field calls about FERPA and other legal matters. “We provide advice on FERPA questions from faculty and administration about three times a month,” said Toni Ursich, senior assistant attorney general. Her office also assists the registrar during annual FERPA training for new faculty.

Parent/Guest Access

The largest group of culprits at the University of Minnesota (U of M) who share data is the students themselves. All combined, the university has four campuses with more than 65,000 students, 18,000 employees, and mountains of student data to protect. Students often give parents or friends their private passwords and usernames, giving others the ability to manipulate students’ records.

The Parent/Guest Access system that was introduced to the campus more than two years ago has allowed students a way to share data with any third party they choose, while encouraging students to protect their usernames and passwords by not sharing them, said Tina Falkner, Ph.D., associate registrar at the Twin Cities campus. “We like to think of it as giving students a way to share the information that they want to, but not giving someone the keys to the kingdom.”

Before the system was created, parents sometimes logged on and changed student information. “The impetus for creating the system was a clamoring from students and their parents to have a way to share information and not have students share usernames and passwords with parents who would then sometimes do things that were detrimental to the student’s educational progress,” said Falkner.

Another way to educate parents on privacy issues is to keep faculty and staff up-to-date on FERPA rules. Regular training at the U of M helps members of the faculty and staff answer parents’ questions as well as inquiries from students. A session called “Public Jobs: Private Data University Security Training” covers a host of security measures required for dealing with private data that is protected under federal and state laws, as well as University policies. Employees learn to identify security issues, how to protect data and hardware, and the protocol for responding to security problems, according to a FERPA tutorial available through the U of M Website.

The Public Jobs course is mandatory training for all university employees and is available by WebCT. New employees get the training delivered directly to their online portal.

For quick information on FERPA, employees can take a 10-minute tutorial online. The PowerPoint presentation provides tips such as:

  • Remove social security numbers or student identification numbers from posted grades.
  • Examinations, term papers, blue books, or other graded materials with identifiable student information should be distributed directly to students or held in offices.
  • Do not share student class schedules with others.
  • Protect student data as if it were your own.

Protecting educational records such as grades, financial aid information, transcripts, and advising information is more successful when institutions combine employee training programs, introduce view-only software for third-party users, and transfer data using secure computer-to-computer methods. Family members will continue to want some access to students’ information, such as grades and bills, and universities can empower students to make the choice of who to give view-only access to. Likewise, keeping employees current on the FERPA law helps them make accurate decisions when accessing student data or releasing information. University employees are more aware of how to work with data today, according to officials, but sometimes the key is to know who or where to go to when a question arises.

Rhonda Morin is an Oregon-based writer and editor. She’s the former editor of the Thomas Magazine, a New England college publication, and an associate editor for a computer trade publication and an academic journal.