FERPA Policy And Procedure Audit - WaACRAO
FERPA Policy and Procedure Audit Presented by: Helen B. Garrett, Ed.D., University of Washington WaACRAO 2018
Learning Outcomes of this session: You will have the tools to perform a FERPA audit and know how to update your policies and procedures to comply with FERPA regulations. By performing the audit you will reaffirm your role as FERPA educator and compliance officer
OVERVIEW Important to keep your policies and procedures updated in case there is a potential violation of FERPA. FERPA law requires annual notice of institutional FERPA policy. Policies and procedures provide documents for continued training and reference, especially in light of faculty and staff turnover. While FERPA law does not mandate training, it’s obviously a good idea.
We will cover Why this matters and why an audit? Notification and updating best practices Steps for Conducting a Policy and Procedure review: Annual FERPA notice/campus FERPA policy Directory information Student/staff/faculty system access notices Information Technology system access documents Human Resources FERPA training documents Data Sharing Agreements and 3rd Party Contracts Special release forms used by departments Visual departmental FERPA audit
WHY AN AUDIT? It is the Registrar’s responsibility It assists in ensuring campus-wide compliance It keeps campus and FERPA documents current with Federal updates The Annual Notice is the first item the FPCO reviews if there is a complaint
Why this matters
Notification and updating best practices
HOW TO BEGIN Identify a chair / audit lead (typically the Registrar) Determine if there is already an established FERPA policy / procedure review process Set an audit timeline
WHO SHOULD BE INVOLVED? CREATE A DISAPPEARING TASK FORCE: Staff from the Registrar’s office Human Resources Public safety / campus security University / college counsel President / Vice President’s Office Academic department administrators Information Technology
STEPS FOR CONDUCTING A POLICY AND PROCEDURE REVIEW
WHAT TO REVIEW YOUR AUDIT SHOULD COVER EIGHT AREAS: Annual FERPA notice / campus FERPA policy 2. Directory information 3. Student / staff / faculty system access notices 4. IT system access documents 1.
WHAT TO REVIEW YOUR AUDIT SHOULD COVER EIGHT AREAS: 5. HR FERPA training documents 6. Data Sharing Agreements and Third Party Contracts 7. Special release forms used by department 8. Visual departmental FERPA audit
Areas to Audit 1. Annual FERPA notice / campus FERPA policy
WHEN TO UPDATE: When updating your class schedule or catalog Edit when changes are made to the federal law. When you have a potential FERPA violation or question about the institutional interpretation, review and update your policy. If you switch college legal counsel, review this carefully with that person.
QUESTIONS TO ASK: ANNUAL FERPA NOTICE How are students learning of this annually at your school? How are new employees with access and ability to disclose FERPAprotected information trained on where this is? When is the last time it was updated, and does it reflect the 2009 and 2012 FERPA updates?
ANNUAL FERPA NOTICE Institutions must notify students annually who are currently enrolled of their FERPA rights by a means most likely to be seen by students. This includes students taking distance education and non-credit classes. Institutions are not required to notify former students.
THE REGULATIONS DO NOT SPECIFY HOW STUDENTS ARE NOTIFIED. Most common examples are: ANNUAL Institutionally-issued email FERPA Printed catalog NOTICE Before using the SIS to register Mailed class schedule Student handbook School newspaper School website* *Only if students are required to have personal computers or are provided with free and easy to access campus computers
ANNUAL FERPA NOTICE May not disclose educational records without student’s written consent, unless specified by the law. An institution is not bound to disclose student record information to a parent of a dependent student, but may choose to do so. Every school official must ensure that FERPAprotected information is not disclosed improperly to parents or other individuals outside of the student.
HELPFUL RESOURCES The AACRAO 2012 FERPA Guide: FERPA12, Family Educational Rights and Privacy Act by LeRoy Rooker and Tina Falkner Appendix D: Model Notification of Rights Under FERPA for Postsecondary Institutions, pages 187-189.
HELPFUL RESOURCES Department of Education Model Notification of Rights Under FERPA https://www2.ed.gov/policy/gen/guid /fpco/ferpa/ps-officials.html
ANNUAL FERPA NOTICE COMPARE YOUR ANNUAL NOTICE TO THE DEPT OF ED MODEL AND LOOK FOR: FERPA rights for eligible students 18 years of age or who attend a postsecondary institution Right to inspect and review educational records Right to request an amendment to an educational record Right to prevent disclosure, except under FERPA exceptions
ANNUAL FERPA NOTICE RIGHT TO INSPECT AND REVIEW EDUCATIONAL RECORDS: Institution must respond within 45 days to a written request from the student School will notify time and place for records to be inspected; doesn’t require copies unless the distance precludes visual inspection
ANNUAL FERPA NOTICE RIGHT TO REQUEST AN AMENDMENT TO AN EDUCATIONAL RECORD: Written request from student identifying what part of record should be changed and why. If not amended as requested, student notified in writing and appeal hearing provided.
ANNUAL FERPA NOTICE FERPA EXCEPTIONS (99.31): School officials defined Third parties defined Officials at a school where student seeks or intends to enroll Some judicial orders / lawfully issued subpoenas Authorized federal, state and local educational authorities Parents of dependent under IRS tax law
FERPA ANNUAL NOTICE ADDENDUM (PAGE 189): ANNUAL FERPA NOTICE Specifically addresses changes from 2012 FERPA Updates Personally identifiable information such as SSN, grades, and other private information may be released without student consent. Statewide longitudinal data systems allow state authorities to collect and share previously protected FERPA information without written consent.
Areas to Audit 2. DIRECTORY INFORMATION
QUESTIONS TO ASK: DIRECTORY INFORMATION How do staff know what can be released as directory information? How would staff know if they couldn’t release directory information? What is said to someone when it cannot be released?
DIRECTORY INFORMATION INSTITUTIONS MUST NOTIFY STUDENTS IN ATTENDANCE WHAT IS DESIGNATED AS DIRECTORY INFORMATION. This notification should instruct students on how to withhold directory information, and it’s typically included with the Annual Notice.
DIRECTORY INFORMATION Job aid used at Lane Community College
STUDENT INFORMATION RELEASE SAMPLE LANE COMMUNITY COLLEGE http://www.lanecc.edu/e sfs/release-records Information for students on how to provide access to student records by using the Student Information Release tool in Ellucian / Banner Student Portal
POLICY SAMPLE #1 UNIVERSITY OF MINNESOTA https://policy.umn.edu/edu cation/studentrecords WHY THIS IS STRONG: Easy to find with information on grades Lists directory information Lists FERPA rights
POLICY SAMPLE #2 THE OHIO STATE UNIVERSITY http://registrar.osu.edu/p olicies/privacy release st udent records.pdf WHY THIS IS STRONG: Provides clear information for students, faculty, and staff Explains basics of the law in an accessible manner
POLICY SAMPLE #3 INDIANA UNIVERSITY EAST http://www.iue.edu/reg istrar/policies/FERPA po licy.php WHY THIS IS STRONG: Excellent explanation of exceptions from 99.31
Areas to Audit 3. Student / staff / faculty system access notices
ACCESS NOTICES: STUDENT / STAFF/ FACULTY QUESTIONS TO ASK: What is the initial login password, and is it FERPA-compliant? What does your system terms of usage tell a student, staff member, or faculty person when they first access your campus computer system? Do the terms reference FERPA, and are students reminded of their FERPA rights?
ACCESS NOTICES: STUDENT / STAFF/ FACULTY PASSWORDS CANNOT CONTAIN: Any or all of student’s SSN Any or all of date of birth Any or all of institutionally issued student identification number Mother’s maiden name
ACCESS NOTICES: STUDENT / STAFF/ FACULTY ALL SYSTEM USERS SHOULD REVIEW / ACCEPT A TERMS OF USAGE WHEN LOGGING INTO SYSTEM FOR THE FIRST TIME. Information for user only PINS/PASSWORDS/PASSPHRASES to be kept confidential and known only to user Reference to FERPA policy on campus website
Areas to Audit 4. Information Technology System Access Documents
ACCESS NOTICES: IT QUESTIONS TO ASK: Do new users of campus systems have to complete a FERPA training? Do new users of campus systems have to complete an access form explaining IT policies? Is FERPA mentioned when granting access to campus computer systems? Does your school list IT policies on the website?
ACCESS NOTICES: IT 2009 FERPA REGULATION UPDATE TO 99.31 (a) (I) (ii) Institutions must use reasonable methods to ensure that school officials obtain access to only those educational records in which they have legitimate educational interests. Physical or technology access controls must ensure this or have an administrative policy for controlling access that is effective.
ACCESS NOTICES: IT POLICIES AND PROCEDURES MUST BE IN PLACE TO: Instruct prospective users in FERPA confidentiality requirements Review and update approved users of all confidentiality protocols Use institution’s software security assignments Offer periodic monitoring and system tracking of user access Remove access when user leaves or changes positions
Areas to Audit 5. Human Resources FERPA Training Documents
HR FERPA TRAINING DOCUMENTS QUESTIONS TO ASK: How often is the HR team trained on FERPA and by whom? How are new employees trained on FERPA? How are these training mechanisms and forms being updated with FERPA changes? Is there a form to sign acknowledging FERPA training? What if an employee violates FERPA?
HR FERPA TRAINING DOCUMENTS Special reminder: Records related to employees are not protected under FERPA, unless the position can only be filled by a student, such as a graduate assistant or workstudy position. In this case, all records related to the student’s employment are considered educational records and are subject to FERPA.
Areas to Audit 6. Data Sharing Agreements and Third Party Contract
DATA SHARING DOCUMENTS AND 3rd PARTY AGREEMENTS QUESTIONS TO ASK: How are you monitoring data sharing agreements throughout your institution? Have they been reviewed by your legal resources? How are you insuring that you are seeing all renewals? Where are these being stored for reference?
Navigating a Data Breach https://studentprivacy.ed.gov/resources/dat a-breach-response-training-kit
Areas to Audit 7. SPECIAL RELEASE FORMS
SPECIAL RELEASE FORMS QUESTIONS TO ASK: What departments are having students and/or parents or guardians complete a FERPA release form? How do you know if this is happening? Where are these forms being archived? How does a person releasing information know that a form has been signed? Who is maintaining these forms and keeping them updated with FERPA changes?
SPECIAL RELEASE FORMS POTENTIAL DEPARTMENTS TO AUDIT: Athletics – releases for athletes to participate in competitions, plus medical releases Health professions – release of medical/other information to medical facilities providing clinical rotations Dual enrollment – release of information to secondary schools and potentially parents / guardians with student permission English as second language release of information to individuals assisting with translation
SPECIAL RELEASE FORMS GUIDANCE FOR AUDITING DEPARTMENTAL RELEASES: Partner with manager and gain trust that FERPA must be adhered to with releases Ask to review releases and provide FERPA language to strengthen release Ask how staff can access releases and know what the releases provide Determine process by which Registrar’s Office has notice of release
Areas to Audit 8. Visual departmental FERPA audit
VISUAL DEPARTMENTAL FERPA AUDIT QUESTIONS TO ASK: How often does the Registrar conduct visual/procedural FERPA audits internally? How are staff members trained to prevent accidental release of information at their workstations? What barriers are in place that may put a student’s information at risk for release? How can the Registrar’s Office assist with overcoming these barriers?
VISUAL DEPARTMENTAL FERPA AUDIT What is the easiest way for an individual to access FERPAprotected information without a staff person knowing? Don’t forget to check staff desk setup!
VISUAL DEPARTMENTAL FERPA AUDIT ADDITIONAL AUDIT STEPS: Do all computers screen have a barrier to prevent access for others to see information? When do screens time out on shared computers? What documents are in plain sight of a student at a staff member station? What documents are left out after hours? What is the process for protecting documents waiting to be shredded?
7 POSTAUDIT QUESTIONS AFTER AUDITING, DO YOU KNOW ? 1. whether staff and students know how to find your institutions’ FERPA policy online? 2. your institution’s definition of directory information? 3. how your school defines “attendance” in the annual notice? 4. whether your school allows parents of dependent students to present Section 152 tax records to have access to student records?
AFTER AUDITING, DO YOU KNOW ? 7 POSTAUDIT QUESTIONS 5. whether your institution has defined in writing who your “school officials” are, including 3rd party partners? 6. how your students are being notified annually of their FERPA rights? 7. that all staff that release directory information can see if a student has opted out with a confidentiality indicator?
Tips Keep the audit process simple and stress free by reviewing your policy annually and keeping the language as basic and easy to read as possible When reviewing release forms: more text is better - you are having the student agree to terms of information that may be released and to whom If you are the campus FERPA custodian, make yourself accessible to faculty, students and staff with FERPA questions
Summary Have fun with this! Remember the by-product of the audit is to establish your role as a trusted ally in adhering to FERPA
Why did the chicken cross the road? Sorry, I can’t tell you without a release! Your Questions?
Thank You! Helen B. Garrett, Ed.D. University of Washington helenbg@uw.edu
potential violation of FERPA. FERPA law requires annual notice of institutional FERPA policy. Policies and procedures provide documents for continued training and reference, especially in light of faculty and staff turnover. While FERPA law does not mandate training, it's obviously a good idea. OVERVIEW
FERPA violation is confirmed and ensure privacy related communications sent to students impacted by a FERPA violation include links to the FERPA website, Regulation FIU-108, Access to Student Education Records, and/or other applicable contact information. A log of FERPA requests and potential violations was created during the audit. The
FERPA transfer from the parents to the student, and he or she is known as an "eligible student" under FERPA. We will talk specifically about these rights as we get into this presentation. This means that the parents no longer have "rights" under FERPA, but there are provisions in FERPA that will permit a
Research & Evaluation under FERPA FERPA does not have a "research" exception to the parental consent requirement. Instead, research and evaluation using PII from education records is typically performed using either FERPA's: Studies Exception, or the Audit and Evaluation Exception to the requirement for parental consent. 12
They will be happy to answer your questions or provide additional training. 1. As federal law, FERPA trumps Florida's open records lawsand as the University and many of our students rely on federal grants and financial aid, it is vital FSU comply with FERPA . Microsoft PowerPoint - FERPA Template - White 06-27-2017 Author: sehubbard
Dec 17, 2018 · medical/counseling records at the college or university the student attends; FERPA does. Treatment Records under FERPA are handled in most ways like Protected Health Information under HIPAA, but not in all ways. A student does not have a FERPA right to “inspect and review” unshared treatment r
1) An overview of federal HIPAA and FERPA laws and an easy-to-use guide that describes state-level laws. 2) Resources for school mental health leadership to use for developing policy that is impacted by HIPAA and FERPA,2 including: behavioral health referral pathways on campus and to the community; crisis
has completed annual FERPA training on _ (Print Date) I confirm that I have received a copy of Snead State's policy and procedures regarding confidentiality of student records. _ (Signature) Title: Microsoft PowerPoint - FERPA Training [Read-Only] Author: vcarr Created Date: 9/5/2012 7:57:30 AM .
Astrology takes us into the very heart of life – it is at once intuitive and intellectual, down-to-earth and deeply magical, a system of thought and a very pragmatic tool: a philosophy of an interconnected earth and sky which over the centuries has inspired both scientists and artists, and is capable of describing and illuminating every stratum of life on earth, from the workings of the .
