EDUCAUSE and Security Task Force Comment on Proposed FERPA Rules

Rodney — Mon, 12 May 2008 20:38:32 -0500

EDUCAUSE joined the American Council on Education (ACE) in comments to respond to a Notice of Proposed Rulemaking regarding the Family Educational Rights and Privacy Act (FERPA). The EDUCAUSE contribution addressed the proposed rules treatment of Social Security Numbers (SSN's), Student ID Numbers, and Student User ID's in the context of "directory information." The comments state:

According to the discussion [in the proposed rules], "student ID numbers (SID) can be used to impersonate the owner of the number and obtain information or services by fraud." We understand that this is widespread practice with respect to how the private sector uses the SSN for obtaining a variety of products and services. We do not believe, however, that unique student ID numbers created for internal educational uses typically are used in the same way or are subject to the same abuses. More often than not, such numbers are treated as identifiers only; they normally cannot be used to obtain access to education records by themselves, without a further act of authentication, nor can they normally be used in combination with other commonly available information to establish accounts or impersonate people. Moreover, on many campuses, the general "student ID number" and the "user ID" used to log in to electronic systems are in fact one and the same. As a result, many campuses may believe that they cannot designate these various kinds of identifiers as directory information even when doing so would yield clear benefits and could cause no harm.

The comments support the U.S. Department of Education's position that SSN's should never be considered "directory information". However, the comments provide alternative language for the treatment of SID and User ID's, essentially suggesting that they could be treated as "directory information" if there is an additional act of authentication and that the identifier itself does not provide an individual with access to student education records. The entire comments related to "directory information" are available on pages 1-2 of the ACE letter. There is also a discussion of "outsourcing" on pages 4-5.

The EDUCAUSE/Internet2 Computer and Network Security Task Force also commented on the department's "Recommendations for Safeguarding Education Records". FERPA has never contained regulations related to the security of student education records, although it is implied as a necessary safeguard to help keep student education records private. The department chose to include in this Notice some recommendations that included references to guidance issued by the National Institute of Standards in Technology (NIST) and the Office of Management and Budget (OMB). While the Security Task Force shared the department's concerns about cybersecurity, it was concerned that focus on government approaches may be misinformed and encouraged the department to consider resources developed by the task force (e.g., see Effective IT Security Practice Guide). The task force further cautioned the department that "the inclusion of recommended safeguards causes considerable confusion about the department's intentions and future plans."

FERPA Notice of Proposed Rulemaking Addresses Changes in IT

Rodney — Mon, 31 Mar 2008 12:52:09 -0500

The U.S. Department of Education has issued a Notice of Proposed Rulemaking with proposed regulations pertaining to the Family Education Rights and Privacy (FERPA). Among other things, "the proposed regulations respond to changes in information technology and address other issues identified through the Department's experience administering FERPA," according to the Notice. Additionally, the regulations are needed to implement amendments to FERPA contained in the USA Patriot Act and the Campus Sex Crimes Prevention Act, to implement two U.S. Supreme Court decisions interpreting FERPA, and to make other necessary changes.

Among the IT-related changes are:

Clarification of what can be included as directory information, addressing Social Security Number (SSN), other student ID numbers, and email addresses
Requiring the use of reasonable methods to identify and authenticate the identity of students, parents, school officials, and any other parties to whom personally identifiable information is disclosed
Recommendations to assist institutions in safeguarding educational records

The deadline for comments is May 8, 2008.

The EDUCAUSE Washington Office is reviewing the proposed changes and welcome your comments or questions. We will provide a more detailed analysis of the proposed rules and any further updates at a later date.

EDUCAUSE | Elimination of Social Security Numbers as Primary Identifiers and FERPA

EDUCAUSE and Security Task Force Comment on Proposed FERPA Rules

FERPA Notice of Proposed Rulemaking Addresses Changes in IT