RE: FERPA and Protection of Student Privacy
September 27, 2019
In light of the fact that much of today’s business communication is conducted digitally, we must be extremely mindful of other people’s rights to privacy, especially student privacy.
As many of you are aware, FERPA is a federal law that protects the privacy of student education records, and applies to all schools receiving funds from the U.S. Department of Education. FERPA stipulates that a student’s PIN and/ or password can be “known or possessed only by the authorized user”. Simply put, institutions failing to comply with this mandate are in violation of federal law.
In support of FERPA and other applicable federal and state laws, Administrative Regulation 6006 also prohibits the sharing of passwords. AR 6006 applies to all students and District personnel (staff, faculty, and any other individual operating on behalf of the District).
With that in mind, it is important to consider the following.
When students request assistance, one of the more unwitting mistakes they make, in both email and in person, is to offer/ give their password to District personnel. Since accepting that password would be in clear violation of federal law, preventative steps must be taken.
For example, if you receive an email from a student containing their password, you need to remove or redact that password and reply to the email with something to the following effect:
Long Beach Community College is committed to protecting your right to privacy. The Family Educational Rights and Privacy Act (FERPA) is a federal law that defines those rights and specifically prohibits institutions like LBCC from accepting or soliciting student passwords. In the future, please do not offer District staff, faculty, or other personnel your passwords.
For general information on how to protect yourself from cyber-crime, please see the National Cyber Security Alliances’ Stay Safe Online.
When you have a moment, the Office of Information Security encourages you to review the following subjects relevant to this topic.
- Advisory: Sharing of User IDs and Passwords, June 4, 2019
- Advisory: Account & Password Security, March 28, 2018
- Information Security Best Practice: FERPA-Protected Data
- Information Security Procedure: Dealing with PII in Outlook
The protection of privacy is a shared responsibility: Being mindful of student privacy rights helps prevent unnecessary risk to students, yourself, and the District.