Watercolor World Map

Retired and Former AACRAO Members

Connect to the world of higher education

With AACRAO membership you'll be connected to more than 11,000 members from institutions around the world. Facilitate your professional development by attending discounted meetings, gaining complimentary subscriptions to our College & University journal and more.

Why should you join? Development never ends, retired or not. Keep current on trends in the field by collaborating with our members and lending your voice to discussions about practices in the field. 

Annual Membership Price: $151

Requirements: YOU BE A RETIRED MEMBER OR A MEMBER WHO LOST EMPLOYMENT AND IS NO LONGER ELIGIBLE FOR INSTITUTIONAL MEMBERSHIP.  

Develop Professionally

Retired Members - Professional Development


Professional Competencies

Keep up to date on skills areas like technical knowledge and professional development and contributions to the field. We have the tools for you.

Online Learning

From free webinars to self-paced on-demand learning, AACRAO's online learning covers a variety of subjects—technology, strategic enrollment management, admissions, FERPA, transfer, credential evaluation, and international education—and allow you to engage with the presenters and instructors.

Take the next step in your career

Maybe you want to reenter the workforce or change the trajectory of your career--AACRAO's Career Navigator is a wealth of job postings and resources for you. 

Gain Recognition

Retired Members - Gain Recognition


Get Published

AACRAO's professional journals College & University and SEM Quarterly are always accepting articles and have a wide circulation base.

Research Opportunities

Leverage the expertise of our over 11,000 members and contribute to one of the premier sources of practice related research within the global higher education community. 

Join a committee

Do work you're passionate about, with support and mentoring from fellow members. From Caucuses to specialized topics, it's all one community. 


AACRAO_Connect_logo_final_transparentbkg

AACRAO's bi-weekly professional development e-newsletter

Live from #AACRAO2023: Ask the FERPA Professor

Mar 28, 2023, 12:43 PM
legacy id :
Summary : A series of in-depth FERPA questions answered by LeRoy Rooker "The FERPA Professor" and Dr. Helen B. Garrett.
Url :

FERPA is technology neutral.

A CRM, a file cabinet, or a pile of papers, the application of FERPA remains the same. The thought struck me while attending LeRoy Rooker and Dr. Helen B. Garrett's annual standing-room-only session at the 108th AACRAO Annual Meeting, FERPA interpretation and application can often bear a striking resemblance to two "rules lawyers" arguing errata on a Saturday night playing their favorite board/card/tabletop game. 

Words Matter

When it comes to FERPA, specificity matters. Terms and phrases like "may," "must," "known," and "should have known" are key to understanding, interpreting, and applying FERPA. For a certain group of AACRAOANs (call them fans, wonks, geeks, or maybe just Registrars) there is never enough time to talk about FERPA, and if you are here you probably fall into one of those categories. Below you'll find a recap of this year's Ask the FERPA Professor Q&A session.  If you still have questions, don't forget you can always send your questions to communications@aacrao.org and we'll be sure they make it to the FERPA Professor's desk.

Once More Dear Friends

Q: We had a breach for 40 seniors who graduated and they were able, for a limited amount of time, to see one another's student ID numbers. 

We made a good-faith effort to notify them. I know that we do have some discretion on when we notify students. So my question is, is there a good rule of thumb for, a statute of limitations?

Answer: 

It would be a FERPA violation, student IDs would not be directory information, so there would be a violation in there, but in FERPA if the complaint is filed with the department there are two things they ask for. One that they're going to want from the complainant. One we are going to look at is when did the violation occur and when did the student know about it?

Once they (the student) know about it, they have 180 days to file a timely complaint. So in the case you've described, all of those students would've seen that on a particular date when the email was sent out. The (education) department would look at that date and back it up 180 days.

I had a hunch from the way you were asking, that it had been more than 180 days. So you've done what you should do in terms of addressing the data breach there, even if one of those students would file a complaint at this point because it's been over 180 days, and that's the limitation on them.

180 days from when the student knew or should have known. Oftentimes they may not know about it till later on, but because this was sent on a particular date, that's documented, there's no question that's when their clock would've started on filing a complaint.

A Record by Any Other Name

Q: Recently we acquired a new CRM. At the heart of the CRM is the ability to query data, and it was designed as an admissions CRM, but we are using it across campus. So I kind of know the answer to this question, but I feel like it needs to be revisited because of the way technology changes and FERPA doesn't.

So we reduce some of the ability of the CRM if we don't allow employees to query the data. However, there's definitely data in there, or going to be in there, that employees wouldn't necessarily have direct access to.

Answer:

FERPA is technology neutral. You cannot have a policy, or practice of allowing inappropriate disclosures of education records with whatever technology you're using. So in the question asked in their CRM regarding having access, what we back up to is the requirement in FERPA, the exception in FERPA to signed consent (99.31.a.1.). 

That's the key that says school officials with a legitimate educational interest at the institution, which is important because sometimes I'll come across institutions that want to have somebody at another institution be an official exception. It says at the institution who have a legitimate educational interest in accessing those records, your legitimate educational interest is going to come from a need to be able to access this information in order to do their job. So if you're in the registrar's office, you know, that's everybody. Or if you're head of the math department that's who's taking math classes but it's not who's taking English classes.

So when you have a system (CRM) as described, it's imperative that the institution be able to really bifurcate the two.

It just depends on what kind of information they would have access to and whether they have a legitimate educational interest. If you have a system at your institution that lets everybody access every record, then the way you are going to protect yourself is to be able to track who's had access, that way if a complaint comes in that someone who didn't have any involvement with this student has disclosed information from the record then you're able to go back and say  they either accessed the information or didn't.

More Welcome are You

Q: If I have an MOU written contract with a college and they want me to send back information about students in the admissions phase am I covered as long as I specify in the contract that we are going to share that information?

Answer:

So in that instance, if you're sending it back in the process of admissions, then you're free to have any kind of communication you want during the admissions process. Once they're a student then FERPA is going to kick in, but you don't have a FERPA issue if it's in the admissions process. That's the whole idea of having admissions records not be subject to FERPA until the student becomes a student at your institution.

What you can't have though, even with an MOU, an MOU doesn't work. That's an agreement among equals. If you are going to share something after they're a student it's either going to take consent or meeting one of the exceptions to signed consent.

(From the audience) Say that again, the whole part about an MOU being an agreement among equals...

MOUs are an agreement among equals. FERPA says if you're sharing information from your institution with another institution, then you must have either signed consent or meet one of the exceptions to signed consent.

There's not an MOU exception in there. There is the school official exception, but again, it specifically says within the institution.


The FERPA Professor
Want the Professor to come to your campus? Visit our FERPA compliance training page.

AACRAO members, send your questions to the FERPA Professor at communications@aacrao.org.
Categories :
  • AACRAO Annual Meeting
  • FERPA
  • FERPA Training & Review
Tags :
  • Annual Meeting
  • FERPA Professor
cartoon figure reminiscent of Einstein stands in front of a chalkboard with the board "FERPA" written on it
Related people

Build Connections

Retired Members - Build Connections


Attend a event

Our meetings, workshops, and international institutes are designed instruct, educate and foster collaboration between professionals and institutions. Connect with old friends and register for one today.

Learn More

Member Only Benefits

AACCRAO_Transcript-purple

AACRAO's weekly e-newsletter delivering policy and industry news

Member Login Required

Questions? Contact us at membership@aacrao.org or (202) 355-1040