I was reading emails on a listserv for colleagues in my field recently when one particular email caught my eye. A professor had shared an email he'd received from a student by forwarding the student's entire email to the listserv. The forwarded email included not only the student's message to the faculty member, but also the student's email address, full name and the school the student attended.
I know that folks who work with students do stuff like this all the time: we share the goofy or wonderful things students say. “Students say the darnedest things” is basically a favorite pastime of anyone who teaches.
But what this professor did, in forwarding the student's entire email to a listserv, rather than, say, paraphrasing a student's words, was a clear violation of the Family Educational Rights and Privacy Act (FERPA). And seeing the professor's forward made me feel very bad for the student and for my field as a whole.
This article is about why we should all care about violations of FERPA, a set of regulations that many folks in higher education do their best to both abide by and ignore. This column is not meant to substitute for the FERPA training I hope you've already taken. Instead, I hope to help you understand why FERPA is important for both you and your students.
FERPA exists to protect both institutions and students (and their families). FERPA is a series of regulations promulgated by the Department of Education that helps clarify how student information should be treated.
Under FERPA, school officials (that means you) must keep certain student information confidential. That information, for the most part, includes “education records,” which are “records that are directly related to a student and that are maintained by an educational agency or institution or a party acting for or on behalf of the agency or institution.”
What counts as an education record? Things like “grades, transcripts, class lists, student course schedules … student financial information (at the postsecondary level), and student discipline files.” Furthermore, “The information may be recorded in any way, including, but not limited to, handwriting, print, computer media, videotape, audiotape, film, microfilm, microfiche, and e-mail.” (See 34 CFR § 99.2.)
Students have a right to request and view their education records, and they have a right to expect you to keep their education records private. One big exception to that “education record” rule are records that you've created just for your own note-taking and that you shared with no one else. These records are called “sole possession records.” Students don't have the right to request and view those.
Not Even Parents
No matter how old a student is, once she enrolls in any postsecondary institution, all rights under FERPA belong to the student, not the parents. That means that even if a student is 17 years old, and even if the parents are paying the tuition, the parents do not have a right to that student's education records.
If a parent calls you up and asks how his kid is doing in your class, you cannot share that information, not without prior written permission from the student to do so.
What's more, you can't even confirm to a parent that a student is in your class. Class rolls and a student's course of study are, after all, education records.
Sometimes, you can't even confirm that a student is enrolled at your institution.
Under FERPA, institutions have the right to share what's called “directory information”—such as a student's name, major, and year—with the public without violating a student's privacy. However, a student can opt out of having her directory information made public. If you have a student whose directory information is set to private, you cannot even acknowledge that she is enrolled at your school.
I've heard some faculty and administrators complain that this “no-acknowledgment” rule is too rigid.
Let's think about why a student might wish to keep her directory information private and from whom. Students on the run from abusers or stalkers, for example, might need that level of privacy. And if you are a young person, and you have been abused, it is likely that your abuser was a parent.
At the beginning of each semester, if you are teaching, do you check your class rolls to see who has opted to have their directory information kept private? If you don't, then you are not taking care with your students' privacy or safety.
If a parent calls you to “check in on his daughter in your class,” and you confirm she is your student, you might have given away a student's location to a person she's in hiding from.
The great thing about FERPA is that it protects you, too. I've developed some kind but firm ways of redirecting questions. For example, you're not allowed to disclose anything to parents. I've run into parents of students at the grocery store—“My daughter is really enjoying your class!” And I simply say, “That's interesting,” and smile. Or “Is she now?” I don't confirm that there is a daughter in my class at all. To do so would violate FERPA and the trust my students have put in me.
If a parent asks me directly, “Is my daughter in your class?” I reply, “I'm not sure,” and then I recommend that the parent ask the student directly or contact the school registrar. Your school registrar is accustomed to fielding these requests.
Later, I tell the student about the parents' questions, and I leave the door open for further discussion in case the student wants to talk with me about problems with her family.
We have a duty
Here's the takeaway: If a student hasn't told her parents that she is enrolled in my class, I do my utmost to protect her privacy, even if she hasn't opted to keep her directory information secret. She might have a reason for the secrecy. And if she has a reason, she might also have a problem, a serious one, and I'm in a position to refer her to people who can help.
We owe it to our students to take care of their privacy. We might never know whose health and well-being our discretion will protect.
Not every student is facing a dire abuse situation. But our students still deserve to have their records protected. Let's return to the listserv email-forward situation that I described at the beginning of this column. The professor who forwarded that email violated FERPA because he shared a student's education record with a listserv of over a thousand people.
The email counted as an education record because it was correspondence between a professor and a student about that student's education—the professor and the student were emailing about school. And then the professor mocked the student's school work on a listserv, providing all kinds of identifying information in the process.
Don't do that. Have more respect for your students, and for your profession.
Want more detailed information about FERPA? Read the FAQ put together by the Department of Education.