FERPA

Information for Faculty & Staff

It is important that faculty and staff are familiar with the provisions of FERPA so that they can maintain strict confidentiality of sensitive student information.

The U.S. Department of Education closely monitors universities to determine whether an institution is providing Family Educational Rights and Privacy Act (FERPA) training for its employees with access to student records. Accrediting agencies also want reassured that institutions are fulfilling this expectation.  Northeast Ohio Medical University (NEOMED) requires that all faculty (including M3 and P4 clinical experiential directors) and staff who have or who will have access to student records, either electronic or hardcopy, are required to complete a brief (30 minute) on-line FERPA Compliance Training program and certification test (10 minutes) at the time of hire and every two-years.  The need for other clinical/experiential faculty and/or support staff to engage in FERPA training will be assessed on an individual basis dependent on student data need.

Access to student records in Banner, ARGOS and/or other software systems (e.g., Vovici, OASIS, AIMS, etc.) utilized by the university is contingent upon completing this brief training and test. The information on this website is intended to compliment that required training.

For further information regarding FERPA Compliance Training, please contact the Registrar via email at registrar@neomed.edu.

What is an Educational Record?

Just about any information provided by a student to the university for use in the educational process is considered a student education record. Examples include, but are not limited to:

• personal information
• enrollment records
• grades and other academic assessment data
• schedules

Student educational records may be:

• a document in the Registrar’s Office
• a computer printout in your office
• a class list on your desktop
• a computer display screen
• notes you have taken during an advisement session

What are my responsibilities regarding student records?

All university employees are considered school officials and are required by law to maintain the confidentiality of student records. Any employee who maintains specific records is considered a record custodian.  All staff or faculty who has access to, or is in receipt of, student information may not share it with others, even internal constituents, unless that individual is a university official and has a legitimate educational interest – which means they need the information to do their job as defined by the University.  The release of any non-directory information about a student to any person outside the university community, with specific exceptions, or to any university personnel without a legitimate educational interest is illegal.  At Northeast Ohio Medical University (NEOMED), the Office of the Registrar is considered the official custodian for student academic records, and Student Services is responsible for student health records (immunizations, drug tests, health insurance, etc.).

What can be disclosed without a student’s consent?

In certain instances, the law does not require the university to obtain student consent before disclosing information from an academic record. The most common examples of disclosure that do not require your consent include:

• Disclosures to school officials with a legitimate educational interest
• Disclosures to other institutions where student is enrolled or is seeking to enroll
• Disclosures regarding the receipt of financial aid (validating eligibility)
• Disclosures to state/local officials in conjunction with legislative requirements
• Disclosures to organizations conducting studies to improve instruction, or to accrediting organizations
• Disclosures in compliance with a judicial order or lawfully issued subpoena. (NEOMED will make a reasonable attempt to notify the student of disclosures to their parents or disclosures in response to a subpoena.)
• Disclosures for a health/safety emergency
• Disclosures of information from disciplinary proceedings to the alleged victims of violent crimes or sexual offenses
• Disclosures of name, sanction, and outcome of disciplinary proceedings (public information), when a student has been found in violation of a crime of violence
• Disclosures of student “directory information” (unless the student has requested a confidentiality hold). NEOMED has defined  several categories of “directory information” which includes:

Category I

Name, address, telephone number, e-mail address, photograph, dates of attendance, class, enrollment status and electronic personal identifier (ex., user name).

Category II

Previous institution(s) attended, major field of study, awards, honors and degree(s)/diploma(s) conferred (including dates), and residency match results (COM students only).

Category III

Past and present participation in officially recognized activities, date and place of birth, and hometown.

Category IV

Names of parent(s), spouse and children.

What student data do we need to be particularly careful about?

While all non-directory information about a student needs to be treated carefully and kept confidential within the parameters of the law, there is student data that faculty and staff frequently have access to that everyone should be particularly diligent about.  These include, but are not limited to:

• SSN
• Banner id (e.g., @0001234)
• Grades and academic assessments
• Students individual course schedules
• CAPP details/sanctions
• Gender

How would I know that a student has a confidentiality hold on their record?

Staff and faculty who have access to Banner screen SPAIDEN will see a data field entitled “confidential” that has a checkmark indicator.  Additionally, all ARGOS reports that include student information should include a confidentiality flag indicator designed to either exclude those students from the output or at least bring the confidentiality flag to the users attention so they are informed that the student has requested their directory information be restricted and can employ the appropriate action.

What should I do if I receive a call about a student with a confidentiality hold?

If a caller requests information about a student who has a confidentiality hold, you cannot provide any information about that student; in fact, you cannot even acknowledge that the individual is a NEOMED student. Any student who has placed a privacy hold on their record must conduct all business in person after presenting photo identification. A staff member may communicate with a student via a NEOMED email account if non-disclosure has been requested, but confidential disclosures should be kept to a minimum as part of general email protocol. If there is any question regarding whether specific information can or should be provided, always err on the side of caution and consult your supervisor, the University Registrar.

How can I get student data for a report I need to do or assessment purposes?

Faculty and staff can submit a request to the University Registrar by either utilizing the Internal Data Request Form* or submitting an email from their NEOMED account that outlines what they need, why, when and whether this will be a reoccurring request.  The Office of the Registrar will attempt to respond within 3-5 business days, depending on the complexity of the request.

Can parents access their son or daughter’s academic record?

When a student reaches the age of 18 or begins attending a post-secondary institution, regardless of age, FERPA rights transfer from the parent to the student. Parents may obtain non-directory information at the discretion of the institution and only after it has been determined that their child is legally their dependent. Should a parent contact you regarding their child, you must not discuss the student with their parent. You should advise the parent that their child must give you written authorization that specifically identifies what information may be released to the parent before you can do so.

While you cannot discuss the student’s circumstances, you can listen to the parent’s concerns and you are free to describe University policies and procedures, such as your attendance policy, billing procedures, the disciplinary process, etc.  This information can be helpful to the parent while maintaining the student’s privacy under FERPA.

What are the consequences for violating FERPA?

Under federal law, FERPA violations may result in the loss of federal funding for NEOMED. Any breach of confidentiality could lead to disciplinary action by NEOMED, including the possibility of termination of employment.

Must I formally acknowledge that I understand FERPA?

All faculty and staff that have access to student records are required to participate in an initial FERPA training experience, with mandatory refreshers every other year.  This training includes an assessment activity that requires a 70% pass rate for continued access to student data.  However, any staff interested in learning more about FERPA may contact the University Registrar for training services.

Do student and/or temporary employees have to maintain the confidentiality of student records?

Yes; Student and temporary employees have the same obligations to maintain the confidentiality of student records as any other employee, and are required to participate in FERPA training as part of the Orientation process.

What standard security practices must I follow?

All faculty and staff must utilize reasonable measures to preserve the confidentiality, security and integrity of NEOMED information systems and the information contained therein. All NEOMED staff should practice appropriate security measures:

• Never disclose, share or loan your username(s) and password(s) to anyone (e.g., another employee, faculty member, supervisor, student assistant, etc.)
• Never use generic/group IDs when accessing confidential academic record information.
• Ensure that remote access to, retrieval and transmission of confidential academic record information is accomplished through a secure and encrypted connection.

In addition, faculty and staff should take reasonable measures to restrict unauthorized persons from viewing confidential academic record information. For example, you should:

• Never leave your computer workstation unattended while signed on without appropriate screen locking (e.g., a password-protected screen saver).
• Never leave personal logon information (e.g., username, password, network mapping, etc.) in view of unauthorized persons.
• Never program (or ‘hot-key’) automatic access to confidential academic record systems.
• Never post grades in a public or non-secure electronic fashion.
  • The public posting of grades either by the student’s name, social security number or student identification number without the student’s written permission is a violation of FERPA. This includes the posting of grades to a class website and applies to any public posting of grades for students taking distance learning courses.
  • Instructors and others who wish to publicly post students grades or use a shared class/group list must use a protocol that ensures that FERPA requirements are met. This can be accomplished either by obtaining the student’s written permission or by using code words or randomly assigned numbers that only the instructor and individual student should know.
  • Notification of grades via e-mail is not recommended. There is minimal guarantee of confidentiality on e-mail. The institution would be held responsible if an unauthorized third party gained access, in any manner, to a student’s educational record through any electronic transmission method. NEOMED provides a secure web application for students (Banner Self-Service) to view their academic records, and faculty are strongly encouraged to post grades using this same application.

Are electronic records and data protected by FERPA?

FERPA protects the privacy of all education records, regardless of the medium in which those records are maintained.

How should I handle a subpoena?

Please contact the Office of the General Counsel for advice on how to proceed with handling a subpoena.

How should I handle a power of attorney?

If all legal requirements are met, the individual (often a parent or spouse) listed on the power of attorney will be treated in the same manner as would the student. For access to academic records, the Office of the Registrar requires a notarized power of attorney that specifically authorizes access to academic records or is a general power of attorney that covers all documents. If you have any questions about evaluating a Power of Attorney, please contact the Office of the General Counsel.

How should I handle a “public records” request?

As a publicly funded state university, NEOMED is subject to the Ohio Public Records Act (or the “Sunshine Laws”) and has an obligation to make its records available upon request, unless a statutory exemption applies.  You should forward all such requests to the Office of General Counsel for response.

How should I handle a media request?

If you are contacted by or are working with the news media, you should seek the assistance of the Office of Marketing and Communications at marcom@neomed.edu or 330.325.6618.

How should I handle student information requests for research studies and surveys?

NEOMED often receives requests for student information to include in studies. If you receive such a request, refer the requestor to the Office of Institutional Research.

How should I handle a concern about a potential FERPA violation?

All concerns about a potential FERPA violation should be shared with the University Registrar who will confidentially explore the issue, determine legitimacy, assist with resolution and involve General Counsel as appropriate.

 What information can I provide to military recruiters?

The Solomon Amendment is a federal law that governs the type of student data (defined as recruitment information) that may be released to military recruiters without student consent. Under this law, the following has been designated as recruitment information: student name, addresses, telephone numbers, date and place of birth, level of education, academic major, degrees received, and the most recent previous educational institution attended.

No other information should be released to a military recruiter without the student’s written permission. In addition, no information, including recruitment information, should be released about a student who has a privacy hold on his or her record.

The Solomon Amendment provides a significant exception to FERPA, which typically would prohibit non-consensual release of student data not previously designated as directory information.  Under the Solomon Amendment, the university must comply with requests from military recruiters for student recruitment information, even if that information has not been designated by the university as directory information under FERPA. Please note, however, that the university is required to respond to requests to each branch of the armed services once a term only. For questions regarding requests for release of student information to military recruiters, please contact the Registrar’s Office.

Should I add anything to my email signature about student confidentiality?

It is recommended for faculty and staff to add the following confidentiality statement to their email signature:

CONFIDENTIALITY NOTICE: This electronic mail transmission and any documents accompanying it may contain confidential information, protected by the Family Educational Rights and Privacy Act. Please protect the privacy of this information and do not forward this email. If you have received this transmission in error, please immediately notify the sender to arrange for the return of the message and any attached documents.

What are the guidelines regarding communicating with faculty, staff, and students via their personal email addresses rather than NEOMED email addresses?

Communicating with faculty, staff, and students via personal email addresses is strongly discouraged although not prohibited. For security and accountability purposes, it is recommended that someone communicate via email with others using their NEOMED email addresses only. Staff may communicate with students who have requested non-disclosure only if the NEOMED email address is used. The staff member should always err on the side of caution and may opt to not provide information via email if he/she believes the information should not be released in that method and the student should come into the office.