FERPA Considerations for the Social Media

Under FERPA, Educational Records have obligations to maintain respect for the law and for the privacy of their students. As a Facebook application and social media provider, we get questions about FERPA and these obligations by the Higher Education community as it relates to our products.  We’ve worked extensively with lawyers and academic profesionals to prepare a FERPA overview in the form of “Frequently Asked Questions” for reference.

Check out Inigral’s online FERPA Backgrounder here.

Here are the highlights as they relate to Schools on Facebook and other social software:

So long as an institution is in pursuit of their educational mission, colleges and universities may, within reason, use and release certain types of information that identifies students both publicly and to third parties.  Releasing certain types of information can be perceived as more risky or offensive, depending on the party obtaining the information, their intention, and their efforts to maintain obligations related to that information.  FERPA makes broad definitions with the intention of directing institutions to establish and maintain responsible practices, and provide a framework for legal accountability.

Directory Information: Scope and Best Practices

Releasing “Directory Information,” which is broadly defined under FERPA, does not require express consent of the student, unless the student proactively exercises his or her right to block such release.  This is traditionally useful for creating traditional publications like a Facebook, phone book, or yearbook and also protects the population of data systems and learning management systems.

Directory information may include:

  • name, mailing address(es), telephone listing(s), and email address(es),
  • participation in officially recognized activities and sports,
  • weight and height (for members of athletic teams),
  • photograph,
  • degrees, honors, and awards received,
  • date and place of birth,
  • major field of study,
  • dates of attendance,
  • grade level,
  • class roster,
  • class schedule, or
  • the most recent educational agency or institution attended.

Other types of information might also be categorized as directory information.

Legal teams and technology teams may be risk averse and want to get express consent for release of less generic forms of Directory Information.  In such a situation, sound information practices encourage both getting a student signature prior to enrollment or during orientation that expressly acknowledges broad terms and/or specific inclusion of information defined as “Directory Information.”  In addition, technology teams may create or provide tools to enable direct student management of their information.

Personally Identifiable Information: Scope and Best Practices

FERPA discusses “Educational Records” and “Personally Identifiable Information” (PII) broadly.  FERPA requires that students provide prior written consent to the release of PII, except where FERPA authorizes the release of “Directory Information” without prior written consent.   PII that may be sensitive includes, for example, unique IDs, social security numbers, mobile phone numbers, billing information, family addresses attached to billing, health or financial records, grades, performance, or behavioral records.

Information provided to third parties should not be transmitted via telephone, however it may be transmitted to a third party that provides identification and appears in person, and via Internet including via electronic mail, websites, and similar technologies.  Universities should require third parties to take precautions to limit disclosure to fourth parties unless:

  • The student has provided consent
  • There is statutory permission (or)
  • Disclosure to the fourth party is deemed by the University to be in the interests of the student and the University

There may be some question over what constitutes sensitive PII vs Directory Information, and ultimately these definitions are up to the institution.  Though unnecessary unless generic Directory Information is published in potentially offensive formats, publicly publishing what an institution considers to be PII and Directory Information, educating staff, and getting student signatures consenting to these definitions is encouraged.