Below is the text of LeRoy Rooker's letter to the editor in response to a recent article published in Inside Higher Ed.
Dear Inside Higher Ed Editor,
In an article published in Inside Higher Ed earlier this month, a roundtable panel of privacy experts from the private sector and from numerous colleges and universities expressed “their frustrations with the aging Family Educational Rights and Privacy Act and the concerns posed by technologies such as cloud storage solutions.”
In particular, they noted the expanded use of private commercial software for email and productivity suites has increased the risk for education records to be compromised, since the information is not housed and controlled explicitly by the institution that outsourced those services. In addition, the roundtable was unclear about how to navigate current policies on privacy, or how to create guidelines to protect the privacy of education records – and thus desires to lead the way on the creation of these policies.
Members of the American Association of Collegiate Registrars and Admissions Officers (AACRAO) have been successfully navigating and complying with the Family Educational Rights and Privacy Act (FERPA) since its inception. That is not to say it is always easy, but there are quite a few experts that contribute to our FERPA expertise through publications, webinars, articles, and presentations to aid the membership in this endeavor. Most recently, I presented a session at the TACRAO annual conference in El Paso which dealt specifically with this subject.
Preliminarily, it is important to remember that FERPA is technology-neutral, so long as any resulting disclosures or use of education records does not violate FERPA. The key to protecting those records is in the contract terms and conditions, which need to address the use of the records maintained, the security of the records maintained, and finally the student access to those records maintained by the vendor.
For example, cloud storage of education records is not a problem under FERPA so long as the records stored are protected from unauthorized disclosure and are accessible by the student. On the other hand, data mining of the record by the vendor is never acceptable – this point should be clearly addressed in any contract. A vendor cannot be paid in education records.
Many vendors claim to be FERPA compliant when in fact they are not. The problem for postsecondary institutions is that they are responsible for their vendors. Thus the institution could be responsible for any improper use or disclosure of education records created and maintained by the vendor.
AACRAO recognizes that vendor contracting is an emerging issue for postsecondary institutions, so it now provides an independent third party review of vendor products through its Vendor Product FERPA Review. That is not to say AACRAO is the final word on a vendor’s products and services, but such a thorough third party review of vendor offerings to postsecondary institutions should be carried out before and, periodically, during the agreed-upon contract period.
To reiterate, technology is irrelevant as it pertains to FERPA, so long as whatever technology is used is FERPA compliant. As such, institutions need to do their due diligence in knowing that the particular technology is going to keep them FERPA compliant.
Sincerely,
LeRoy Rooker,
Senior Fellow
American Association of Collegiate Registrars and Admissions Officers