2. How Will That Record Be Used?
In years past, classroom interactions between a professor and student primarily happened in real time. Class would end, and that fleeting interaction between instructor and student disappeared into memory. But now, with recorded lectures and online learning, not only is that moment often documented, it has the potential to be saved and shared with dozens, hundreds or even thousands of future viewers.
Or take, for instance, contact tracing. The very nature of it requires the creation and maintenance of records. Temperatures, diagnoses, absences and location monitoring — all of these immediately become protected information once they’re linked to a specific student, recorded and filed away.
While FERPA does allow for certain disclosures to be made in cases of health or safety emergencies (contact tracing among them), it also requires that a notice of the disclosure be kept in the student’s education record. Similarly, if an instructor records a lecture and realizes it includes imagery, audio or other information that could identify a student, the instructor must generally ask that student’s permission before sharing it outside of that specific classroom setting.
3. What About Your Vendors?
FERPA compliance doesn’t only require that your institution and its faculty obey regulations; it also requires that your technology vendors do. The quick pivot to online, remote and hybrid learning has necessitated that many colleges implement new technologies and services, many of which could potentially expose protected student data.
For example, many universities are using proctoring services to ensure students do not cheat when taking exams online. What are those providers doing with the records they’re creating when monitoring tests? What about their videoconferencing, collaboration and learning management systems? Are these platforms creating student records? If so, how will the information be protected from unauthorized disclosures, and how will students be provided access to them?
This is a particularly critical undertaking for universities trying to balance FERPA compliance with virtual instruction — and a particularly complicated one as well.
Throughout my career, I’ve yet to encounter vendors who didn’t say their products were FERPA compliant. Some of them actually are — but not all. Many, if not most, have not had an independent party review their product. When selecting vendors, it’s crucial that they be properly vetted to determine whether they truly understand and comply with FERPA regulations. Otherwise, you might find your institution facing the consequences of violating student privacy without ever having realized what you were doing.
4. When In Doubt About FERPA, Ask
In general, the average professor is fairly aware of FERPA — but without necessarily being an expert in all of its nuances, of which there are many. Fortunately, there are offices at your institution that are specifically tasked with understanding FERPA and with helping faculty and staff (IT included) to remain compliant.
Whether through the registrar’s office or your university’s general counsel, stay aware of who at your institution is the go-to resource when it comes to ensuring FERPA adherence in any vendor contracting. Then, when the time comes and you find yourself facing a risk or uncertainty, don’t hesitate: Ask them.