Dear FERPA Professor,
I am seeking guidance on the use of a digital non-directory release form.
From what I’ve read, FERPA allows for electronic signatures (99.30(d)), but only if they meet certain criteria and there is more criteria somewhere in the details I think. Every time I go down that rabbit-hole I feel more lost than when I started.
Can we officially consider a student email statement (that specifies what can be releases, the purpose, and to whom it can be disclosed) or an online form submitted via a digital forms system (both are behind a multi-factor authenticated login) an acceptable signature? Is a pdf with digital signature acceptable if submitted by student email that is behind MFA login?
Regards,
Ms. Hare
Dear Ms. Hare,
The Department of Education issued FERPA regulations in 2004 to allow institutions to accept electronic signatures that meet the conditions of § 99.30(d). In the preamble to the Notice of Proposed Rule Making (NPRM), the Department included that the FSA Standards would serve as a "safe harbor" provision for institutions creating an electronic signature.
The process you describe would appear to meet the "safe harbor"criteria for an electronic signature established by the institution. This is because a secret pin or password is necessary in order for the student to access the institutional assigned email or SIS. As such, this would serve as the student's signed consent. The PDF process, as you describe below, would also meet the criteria.
You can find the 2004 FERPA final regulations on electronic signature requirements in Appendix J, starting on page 353, of the 2012 AACRAO FERPA Guide. The Appendix also contains the electronic signatures "safe harbor" FSA Standards on page 360 of the Guide.
I hope this is helpful in answering your questions