Dear FERPA Professor,
The adviors’ web portal at my institution restricts advisor access to student information. When logged into the web portal, advisors can only access information on their advisees. I just learned, however, that some advisors have a database query on their PCs which allows them to access information on all students in the student information system. The query bypasses the security measures set up in the advisors’ web portal.
I want to eliminate this “backdoor” but need to justify taking this action. So, my questions are: Is this wide-open access to directory and non-directory information permissible under FERPA? And, if so, what is the institution’s responsibility for preventing inappropriate access? An advisor honor system does not seem sufficient in my estimation.
Thanks,
Jess T. Fucation
____________________________
Dear Jess,
You are right to be concerned for you institution whenever there is a process which permits someone to access student educational records outside the control of the institution.
Concerning your specific example, §99.31(a)(1) in the FERPA regulations permits an institution to give student education record access to a school official at your institution, but only if that official has a “legitimate educational interest” in accessing those records. Both “school official” and “legitimate educational interest” must be defined in your institution’s annual notice of FERPA rights, notification of which the institution is required to provide to your students.
§99.31(a)(1) also makes clear that it is the responsibility of the institution to ensure that this limitation on access is enforced (see §99.31(a)(1)(ii) for specific details). If you have the 2012 AACRAO FERPA Guide, you can find all the necessary information to make your justification on page 159.
Sincerely,
The FERPA Professor
Please visit our Ask the FERPA Professor archives for more insight from the professor.
Please send your questions for the FERPA Professor to connect@aacrao.org.