Using university email is a FERPA violation?

[Aster]

One of my senior colleagues told many of the faculty that it was a FERPA violation for anyone to use university email (which is secured) to communicate with students on their secure, university email, about anything protected by FERPA.

If this is correct, I don't understand how a university can function. The registrar can't contact a students about his/her transcript or registration information. The disabilities office can't contact a student about his accommodations. A professor can't contact a student about his/her grade. A department head can't contact a professor about a particular student's grades.

What are we supposed to do then, hold a closeted oral conversation for everything?

[traductio]

When I taught in the States, we received the opposite message -- that the only way to talk about FERPA-protected things via email was through the university's email system, precisely because it was secured and we could be confident of a student's identity (at least compared to non-university accounts).

I did use FERPA as a justification for not discussing grades by email, which is a policy I've maintained even now where FERPA doesn't apply (because I'm not in the States).

Edited to add: we could use Blackboard, too, because it was secure and because students' identities were verifiable (assuming they didn't share their passwords).

[Parasaurolophus]

Like traductio, I've only ever heard the opposite.

I think your colleague was confused.

[polly_mer]

Ask for clarification on this issue and get a written response from an authoritative source at your institution.

I agree with the others that all parties being on institutional email is usually the recommendation.

[Caracal]

One of my senior colleagues told many of the faculty that it was a FERPA violation for anyone to use university email (which is secured) to communicate with students on their secure, university email, about anything protected by FERPA.

If this is correct, I don't understand how a university can function. The registrar can't contact a students about his/her transcript or registration information. The disabilities office can't contact a student about his accommodations. A professor can't contact a student about his/her grade. A department head can't contact a professor about a particular student's grades.

What are we supposed to do then, hold a closeted oral conversation for everything?

FERPA doesn't  say this. Universities are in charge of putting policies in place that will ensure that they are complying with FERPA. At various points, some schools decided that grades weren't secure over email and that sending grade information to students could put the school at risk of running afoul of FERPA. I don't think this ever made much sense, but my impression is that it is less common now.

[Chemystery]

Different universities seem to interpret this differently.  My previous institution took the stance that email was not secure so discussing grades was not allowed.  My current institution says it is fine.
Like traductio, I still give it as the reason that I won't discuss grades through email.  I've never had anyone call me out on it.

[Caracal]

Different universities seem to interpret this differently.  My previous institution took the stance that email was not secure so discussing grades was not allowed.  My current institution says it is fine.
Like traductio, I still give it as the reason that I won't discuss grades through email.  I've never had anyone call me out on it.
[/quote

I've always thought it was an odd stance to take. Email certainly should be pretty secure. To prohibit discussing grades via email because it would be possible for someone to hack into an email account seems like an odd double standard. Someone could break into my house or my office and steal my bluebooks, but I'm not required to keep them in a safe.

[quasihumanist]

I've always thought it was an odd stance to take. Email certainly should be pretty secure. To prohibit discussing grades via email because it would be possible for someone to hack into an email account seems like an odd double standard. Someone could break into my house or my office and steal my bluebooks, but I'm not required to keep them in a safe.

There is one fundamental insecurity with e-mail, which is that it is (unless you take special effort) not encrypted and therefore readable by men-in-the-middle.  If I send an e-mail to you, it goes from my mail server to your mail server over the Internet, and anyone who is scanning Internet messages (like the NSA(*)) can read it.  It's quite common for faculty and student e-mails to actually use different mail servers, so that this still happens when I send e-mail to my students.

On the other hand, web pages are a newer and more easily updatable technology, and most of that is encrypted.  When I use web e-mail, the message is encrypted when it's going from my computer to the mail server or vice versa, and the same is true for things on Blackboard or Moodle (assuming they are set up correctly).

(*) Actually, more likely, GHCQ, in that it is widely believed that NSA and GHCQ have an agreement to spy on each others' citizens to circumvent laws on spying on their own citizens.

[Caracal]

There is one fundamental insecurity with e-mail, which is that it is (unless you take special effort) not encrypted and therefore readable by men-in-the-middle.  If I send an e-mail to you, it goes from my mail server to your mail server over the Internet, and anyone who is scanning Internet messages (like the NSA(*)) can read it. 

That's not really right in the sense that "anyone" can read it. Emails are unencrypted, and they go through various servers as well as routing points. But none of these places are open, someone has to bypass the security and get in. I really think the parallel with physical records is relevant. If I go for a walk and leave my office door wide open with a bunch of graded student exams sitting on the desk, I'm not safeguarding the records since anybody can just walk by, see that the grades are there and take a look. If I lock the door and somebody breaks in, I don't think anybody is going to say I should have bought a safe.

The value of the records to other parties also seems relevant here. When you're considering security, you're allowed to consider whether anybody would want to steal something. And really, FERPA isn't a security act. It allows institutions to decide what is and isn't secure.  If, for some reason, I had the social security numbers of all of my students, linked to their addresses and just left those sitting in a marked folder on the passenger seat of my car, or even in my locked office, it would be reasonable to say that I was careless with those records, even if doing the same thing with exams wasn't.

Seems like you can use the same principle with email. Grades are private information and I need to make sure I'm not just disclosing them publicly, but they aren't valuable to anyone else, so the basic precautions of making sure I'm sending grade information to only university addresses should suffice. It would be a bad idea to send social security information or protected directory information though email.

[Aster]

Ask for clarification on this issue and get a written response from an authoritative source at your institution.

I agree with the others that all parties being on institutional email is usually the recommendation.

Our university is pretty clear on all employees using university email to contact students about anything, so long as we also send those communications to students' university email.

The question came up last week when the faculty were routinely submitting our end-of-term grade records. We routinely do this via university email, following our university's specific directions for doing so. But there was this one professor who told many of us that this was illegal because it violated FERPA. I don't know how he's been completing his mandatory end-of-term submissions all this time though. The only way to do it is through university email.

[Hibush]

But there was this one professor who told many of us that this was illegal because it violated FERPA. I don't know how he's been completing his mandatory end-of-term submissions all this time though. The only way to do it is through university email.

There is always this one professor who will claim that the official procedure is illegal or inappropriate because of some nuance of interpretation that is specific to their field of expertise. Nevertheless, the procedure is actually fine because bureaucrats have figured out how to make things work despite ambiguity and mutually exclusive requirements.

[polly_mer]

But there was this one professor who told many of us that this was illegal because it violated FERPA. I don't know how he's been completing his mandatory end-of-term submissions all this time though. The only way to do it is through university email.

There is always this one professor who will claim that the official procedure is illegal or inappropriate because of some nuance of interpretation that is specific to their field of expertise. Nevertheless, the procedure is actually fine because bureaucrats have figured out how to make things work despite ambiguity and mutually exclusive requirements.

Yes, an "authoritative source" is the registrar, not Professor Nitpicker-Who-Thinks-He-Heard-Once-That.

Caracal clearly hasn't worked where I've worked in which even a locked door is not considered sufficient and the rules on safes are way beyond "I lock the safe and then lock my office door".

The rules became such recently that I had a checklist to leave my office even for the five minute trip to the break room because of what had to be locked (safe, filing cabinets, screens) and recorded as being locked.

[Caracal]

But there was this one professor who told many of us that this was illegal because it violated FERPA. I don't know how he's been completing his mandatory end-of-term submissions all this time though. The only way to do it is through university email.

There is always this one professor who will claim that the official procedure is illegal or inappropriate because of some nuance of interpretation that is specific to their field of expertise. Nevertheless, the procedure is actually fine because bureaucrats have figured out how to make things work despite ambiguity and mutually exclusive requirements.

Yes, an "authoritative source" is the registrar, not Professor Nitpicker-Who-Thinks-He-Heard-Once-That.

Caracal clearly hasn't worked where I've worked in which even a locked door is not considered sufficient and the rules on safes are way beyond "I lock the safe and then lock my office door".

The rules became such recently that I had a checklist to leave my office even for the five minute trip to the break room because of what had to be locked (safe, filing cabinets, screens) and recorded as being locked.

Your posts in response to mine often remind me of things students write on in class essays. I can recognize the echoes of something I said in lecture, but it has lost all the context which gave it any meaning or sense.

I'm sure extensive procedures are required for some kinds of information. It obviously is not for a blue book or a spreadsheet of grades in the possession of a professor. 

[dr_codex]

Ask for clarification on this issue and get a written response from an authoritative source at your institution.

I agree with the others that all parties being on institutional email is usually the recommendation.

Our university is pretty clear on all employees using university email to contact students about anything, so long as we also send those communications to students' university email.

The question came up last week when the faculty were routinely submitting our end-of-term grade records. We routinely do this via university email, following our university's specific directions for doing so. But there was this one professor who told many of us that this was illegal because it violated FERPA. I don't know how he's been completing his mandatory end-of-term submissions all this time though. The only way to do it is through university email.

I have to say, that's probably not the most secure way to handle grades. There are records management systems that might be worth an investment. But your email system might be more secure than ours, which is decidedly not.

Still, not a FERPA violation, as long as the messages are being directed to the right people.

Unlike the message sent by a member of my department, with full names, student numbers, and everything you'd need to get into their financial aid applications. Slow clap.

[arcturus]

I'm sure extensive procedures are required for some kinds of information. It obviously is not for a blue book or a spreadsheet of grades in the possession of a professor. 

Your institution may not yet be worried about these things, but mine certainly is. We are not allowed to have student records (including the excel spreadsheets of grades generated by our LMS) on our computers.  We have been instructed that if we want to work from such a spreadsheet, it must be in the secure area allocated to us in Box.  Our computer drives must also be encrypted.  Similarly, if we have paper versions of things, they absolutely must not be left in unsecure areas - they should be either locked in the filing cabinet in the locked office or in the locked desk drawer in the locked office. Your scenario regarding blue books being stolen out of a car would land the instructor in hot water for not properly securing student information. Proper protection of student information is not just about social security numbers.