How to navigate FERPA and instructional technology
When the University of Utah shifted to remote instruction in March, faculty and students leaned on online learning platforms and collaborative tools for coursework and communication, sparking some discussions about the use of technology and student data.
In many cases, faculty members began the conversation about Family Educational Rights and Privacy Act (FERPA) guidelines, said Trevor Long, associate director for Governance, Regulation & Compliance in the U’s Information Security Office. FERPA, which applies to all schools that receive government funding, protects the privacy of student education records.
“Kudos to all the U employees who are involved in teaching,” Long said. “They've been really aware, and they want to make sure that they do things right, so we've been getting lots of questions. ‘Hey, can I use this? Hey, can I use that? Is it OK? Is it safe?’ They haven't said, ‘Does it align with security policy?’, but in so many words, that's what they're asking.”
University Rule 4-004C: Data Classification and Encryption outlines the requirements of managing student information, which the U has designated as sensitive data. According to Rule 4-004C, the “protection of [sensitive] data is required by the Data Steward or other confidentiality agreement.”
“Anything that has academic information associated with a student, we’re in the FERPA realm,” Long said. “And according to university policy, that means it's a sensitive data type and we need to treat it accordingly.”
University Registrar Tim Ebner said his office received similar questions. Although the U has offered instructional technology for a number of years, he said the transition to online learning brought to the forefront concerns about using multiple platforms that may or may not be supported by the university.
“We appreciate everyone’s diligence on thinking twice about what they're doing with student data, how they're communicating with students, and whether it is secure and safe,” said Ebner, who also is the data steward for enrolled students, and academic courses, majors, and degrees.
The U has approved a handful of platforms for sensitive data, including university instances of Box, Canvas, UMail, and Zoom.
Zoom is a recent addition. In fact, when the U first moved to remote teaching and learning, Zoom didn’t meet security requirements and would not have been appropriate for student data even though the university had a business agreement with the company. It could, however, be used for other purposes. That’s the case for most digital tools, Long said.
For example, Long said students who interact with each other (for example, collaborating on a class project) on platforms not approved for student data by the university would not be in violation of FERPA regulations. The same goes for instructors using the technology to interact with students, as long as they don’t share any academic information, such as GPA or class lists.
If employees need to share or store student data, Long said they must use the approved tools.
“If they are, for some reason, sending grades back and forth across Facebook, that would be a violation of university policy and FERPA. Just keep it in Canvas,” he said. “If you keep that information in Canvas or DARS (the Degree Audit Recording System), you're following the appropriate guidelines.”
Ebner and Long know that FERPA can be confusing and difficult to navigate at times. Long noted that the legislation was enacted in 1974, when most academic records were kept on paper. And Ebner said he sometimes needs help answering more difficult questions, even after all his years of working with student data. In those instances, he relies on resources provided by professional organizations and the university.
In fact, the Office of the Registrar and ISO have developed resources to make FERPA easier to understand, including a review for faculty and staff, a quick facts web page, a flowchart to help you quickly decide whether your platform is compliant, and a UIT Knowledge Base article.
Ebner encouraged instructors to use those materials, as well as the university’s data regulations, to reacquaint themselves with FERPA protocols, especially when they’re unsure about a new technology.
“I don't think [FERPA is] overly complicated, as much as we just need to be aware and informed,” he said.
Long agreed with Ebner’s recommendations, particularly reviewing the U’s data rules. Ultimately, they said, the goal is to protect students.
“We want people to come to the University of Utah and know that we are doing everything we can to keep their data safe,” Long said.
Ebner, likewise, said the university takes the stewardship of student data very seriously.
“They can be assured that we are not sharing their student data with anyone who does not have a legitimate need to know, and that we're all committed to following the best practices,” he said.
The Office of the Registrar and U’s Information Security Office compiled the following resources for those interested in learning more about FERPA.
- Flowchart: Securely storing student data
- Office of the Registrar: FERPA resources for faculty and staff
- Office of the Registrar: FERPA/privacy rights/student directory information
- Rule 4-004C: Data Classification and Encryption
- UIT Knowledge Base article: FERPA: Sharing and storing student data securely
- S. Department of Education: Family Educational Rights and Privacy Act (FERPA)
Our monthly newsletter includes news from UIT and other campus/ University of Utah Health IT organizations, features about UIT employees, IT governance news, and various announcements and updates.