FERPA Considerations in an Online Environment
When working with academic technologies that involve capturing student data online, FERPA compliance can be somewhat complicated. Cloud technologies (technologies that are Internet-based rather than local computer-based) can introduce more complexity.
The bottom line:
- Use University of Minnesota Systems of Record to avoid exposing student records
- When making student work public, be explicit about what you’re requiring students to do in your course
Systems of Record
Systems of record are intended to store and protect data. Anything that OIT considers part of the “common good,” that is supported in our central infrastructure and x.500 integrated, is a system of record.
- The Registrar’s gradebook system is an appropriate place to store grades
- Moodle’s built-in grade book is an appropriate place to store grades
- Netfiles is an appropriate place to store documents
- Active Directory is another way you could store a file
- The U’s installation of Google is now considered a system of record. You can use Google spreadsheet to store grades — it may not the best practice, but it’s acceptable. Be aware of settings and who has access to the system — Google is easy to share openly, so you should make sure you lock down the spreadsheet so only you and your TAs have access to it.
Do not keep student records on your desktop computer, laptop, or in an unlocked drawer.
What about using a 3rd party application?
If you use a 3rd party application, there may be issues (e.g. faculty using a publishing house supplied website — students had to enter private data, then, worse, system was assigning and storing grades, and faculty were adding even more info to it — not a good idea!).
What about state’s e-portfolios? Is that system of record?
No – it’s not x.500 integrated, it’s not under OIT’s security team (but in that context, students are the ones manufacturing the data – they’re sharing it by their own choice, they own their own educational records).
Making Student Work Public
When making student work public, be explicit about what you’re requiring students to do in your course.
Complications can arise when you require students to make themselves and their work public (e.g., recording one another and posting to a public website). Their visibility may be a risk for them. The likelihood of this is remote, but it’s important to think about how you might accommodate students who don’t want their info on the web.
As an instructor you are entitled to design learning environments to best meet the learning outcomes. The learning environment can compel students to be public, share their content, develop media-rich learning objects with their name on it, receive feedback from peers and instructors, etc. But you have to be explicit and clearly specify the conditions of participation in the course.
There is a right to student privacy, but instructors also have a right to establish a learning environment. The Office of General Counsel (OGC) at the University of Minnesota has said that instructors can’t publish grades, but they can have peer review, rich commentary, all in a public space, and can require that learners contribute content to Wikipedia, and open themselves up to criticism in a very public way.
It’s important to put a statement in your syllabus explaining their exposure to others beyond the class. It’s good practice to provide accommodations to students who have a need to protect their identity, but according to OGC, you are not obligated to provide an accommodation.
Can students use aliases?
Yes, this is a good accommodation, if they’re comfortable with that option.
What about filming students?
Filming students is a separate issue from FERPA. You will need to get permission from participants and explain how the footage will be used. Be explicit about the consequences of granting permission. See the standard University release forms »
If we develop software and another institution is using it, does FERPA apply?
If you’re hosting the software, then you have responsibility that should be clarified in a contract. If you’re selling the software to another institution, then FERPA compliance is the responsibility of that institution.
When creating software, it is important to think about data privacy and vet it through IT professionals at the University.
Complete the FERPA tutorial to learn more about protecting educational records.