Ask the FERPA Professors

Dear FERPA Professor,

We are trying to determine the best practice for IT when it comes to resetting passwords for students. 

Dear Ms. Tustehp,

The process you describe for resetting passwords for students to access their SSI would not be in compliance with FERPA. Institutions are required to ensure the privacy of student education records, and any disclosure of those records must meet the signed consent requirements at § 99.30 in the FERPA regulations or the conditions of one of the exceptions to signed consent found at § 99.31. One of those exceptions is § 99.31(a)(12), which permits disclosure to the student without consent. However, § 99.31(c) requires that the institution use "reasonable methods" to identify and authenticate the identity of the student prior to any disclosure of those records.

This would involve such methods as a secret PIN or password. When resetting a password, it is important to have a robust identity authentication process in place. This could include an authentication process such as a verified photograph of the student, having the student email the request through an institutional assigned email account, or mailing the new password to the home address on file. What is not considered reasonable for identity authentication, however, are items such as D.O.B., SSN. An institution would not be prohibited from requesting such items, but they do not authenticate a student's identity. In addition, if the SSI contains financial information, then the institution would be subject to the requirements of the Gramm-Leach-Bliley Act, which has its own standards concerning the protection and disclosure of financial information.