One Step Ahead: Focus on FERPA and Student Data Privacy
Another in a series of tips provided by the Offices of Information Security, Information Systems and Computing and Audit, Compliance and Privacy
National Data Protection Day, which took place on January 28, is always a welcome opportunity to raise awareness about the privacy of individuals, securing information systems and protecting data from unauthorized access.
Because Penn is an educational institution, its faculty and staff must always consider FERPA, the Family Educational Rights and Privacy Act, when receiving, processing, or transmitting information on students.
FERPA and Penn protect personally identifiable information contained in “academic records,” generally including records directly related to a student and maintained by the University or a party acting for the University.
Several other Penn policies reflect FERPA requirements and ensure the protection of Penn student information, prohibiting the disclosure of student records except with the student’s written consent or to the extent FERPA permits disclosure without consent.
Protected student information includes, but is not limited to, biographical information, enrollment records (including class rosters), grades, and schedules. (Education records generally do not include law enforcement records, employment records, and directory information.)
The most significant exception to the student consent requirement allows sharing with school officials with a “legitimate educational interest.” School officials include, but are not limited to, Penn employees or anyone else performing work for Penn under proper authorization, including third party service providers.
Penn may also disclose “directory information” to third parties without the student’s consent, unless the student has specifically instructed Penn not to do so, or “opted out.” Penn defines FERPA directory information to include name, address, telephone number, date and place of birth, major, participation in officially recognized activities (including social and honorary fraternities) and sports, weight and height if the student is a member of a sports team, dates attended, degrees and awards earned, and previous educational institutions attended.
If a student wishes to opt out of sharing FERPA directory information, the student must complete and submit an opt-out form to the Office of the Registrar.
For more information on FERPA: https://oacp.upenn.edu/privacy/penndata/appropriate-use-of-penn-data/ferpa/.
For additional guidance, see the One Step Ahead link on the Information Security website: https://www.isc.upenn.edu/security/news-alerts#One-Step-Ahead.