Using university email is a FERPA violation?

[Caracal]

I'm sure extensive procedures are required for some kinds of information. It obviously is not for a blue book or a spreadsheet of grades in the possession of a professor. 

Your institution may not yet be worried about these things, but mine certainly is. We are not allowed to have student records (including the excel spreadsheets of grades generated by our LMS) on our computers.  We have been instructed that if we want to work from such a spreadsheet, it must be in the secure area allocated to us in Box.  Our computer drives must also be encrypted.  Similarly, if we have paper versions of things, they absolutely must not be left in unsecure areas - they should be either locked in the filing cabinet in the locked office or in the locked desk drawer in the locked office. Your scenario regarding blue books being stolen out of a car would land the instructor in hot water for not properly securing student information. Proper protection of student information is not just about social security numbers.

Well, again, institutions are allowed to decide how to interpret FERPA. That interpretation seems a bit extreme. I actually can't find anything at the large institution I teach at specifying how faculty are supposed to safeguard educational records. I take that to mean I should use reasonable precautions relative to the value of student grades and the risk of them falling into the wrong hands. I'm not going to leave them out on my desk for all to see, or throw grade sheets away on campus without shredding them, but I also don't need to act like I've got a briefcase full of  diamonds because I'm bringing home some blue books.

[pepsi_alum]

At new faculty orientation back in August, our registrar admitted that there's some legal ambiguity about how to interpret FERPA with regard to email. She stated that communicating with students about grades through LMS messages s the legally least risky option, but didn't go so far as to say that email was off-limits. This I can live with. LMS messages here get forwarded to the student's university email account, so the distinction is somewhat murky to me. But I can live with it.

There was an episode at my last university in which an associate dean publicly accused several unnamed faculty members of being "lazy" for using FERPA as an "excuse" not to discuss emailed grade complaints with students over winter break. It then led to an ugly exchange at a collegewide faculty meeting that left one faculty member in tears and the dean visibly embarrassed.

[Caracal]

There was an episode at my last university in which an associate dean publicly accused several unnamed faculty members of being "lazy" for using FERPA as an "excuse" not to discuss emailed grade complaints with students over winter break. It then led to an ugly exchange at a collegewide faculty meeting that left one faculty member in tears and the dean visibly embarrassed.

Calling someone lazy for not doing work during their break is unpleasant, but it does seem like a bad idea to invoke FERPA in refusing to discuss grades, unless that really is institutional policy. As a strategy for avoiding complaints, it is likely to backfire, as it did in this case. Most grade complaints take the form of "I don't understand why my grade is x." The students usually aren't really operating in good faith, but if you just pretend they are, it usually works fine. I go look at the grade, make sure I didn't actually make a mistake, and then explain the grade very briefly, but politely. If the student tries to argue with me, I then say I'd be happy to discuss the details of an assignment once the semester starts if they want to come by some time. If you just stonewall them from the beginning you let them turn the narrative into "my professor wouldn't tell me why I got a B."

[downer]

I've found that different schools have very widely varying interpretations of federal laws -- FERPA, ADA for example. And these varying interpretations are stable -- they do not gradually move towards a common agreed interpretation. It seems that there is no particular pressure on schools to come to a single interpretation.

It's almost as if they are just making up policies as they go along, and then justifying them with reference to federal law afterwards.

[writingprof]

A senior university administrator once told our faculty that it is a FERPA violation to tell a student, out loud, in class, that an answer he has proposed is incorrect. 

Teacher: "Does anyone remember the square root of 121?"
Student: "12."
Teacher: [grim silence]

[polly_mer]

I'm sure extensive procedures are required for some kinds of information. It obviously is not for a blue book or a spreadsheet of grades in the possession of a professor. 

Your institution may not yet be worried about these things, but mine certainly is. We are not allowed to have student records (including the excel spreadsheets of grades generated by our LMS) on our computers.  We have been instructed that if we want to work from such a spreadsheet, it must be in the secure area allocated to us in Box.  Our computer drives must also be encrypted.  Similarly, if we have paper versions of things, they absolutely must not be left in unsecure areas - they should be either locked in the filing cabinet in the locked office or in the locked desk drawer in the locked office. Your scenario regarding blue books being stolen out of a car would land the instructor in hot water for not properly securing student information. Proper protection of student information is not just about social security numbers.

Well, again, institutions are allowed to decide how to interpret FERPA. That interpretation seems a bit extreme. I actually can't find anything at the large institution I teach at specifying how faculty are supposed to safeguard educational records. I take that to mean I should use reasonable precautions relative to the value of student grades and the risk of them falling into the wrong hands. I'm not going to leave them out on my desk for all to see, or throw grade sheets away on campus without shredding them, but I also don't need to act like I've got a briefcase full of  diamonds because I'm bringing home some blue books.

All that indicates, Caracal, is it is possible that your administrators have not been attending the appropriate meetings or reading the appropriate guidance documents for years.

Or, it's possible that once again faculty members haven't paid attention during briefings and instead insisted that what they think should be the answer is the answer.

Or, it's possible that once again someone is looking for an explicit instruction along the lines of:


You must follow process A (see Attachment 1) when handling all blue books or similar handwritten documents.

You must follow process B (see Attachment 2) when handling all electronically submitted documents.
...


when the assumption is that somewhere faculty were actually taught to be professionals on a law that is more than 45 years old. Thus the majority of people teaching now would have been taught entirely under that law being in effect.

"Follow all applicable laws" is a pretty standard assumption in professional employment and what that means tends to change as technology changes and best practices with technology changes.

[Aster]

Most of the security and privacy policies at every university I've worked at come in two versions.

1. Stuff that's actually important, people understand and see a value for it's importance, the policy is publicly examined, discussed, and modified to suit specific circumstances, and most people comply with it. That's professionals in a team environment acting professionally.

2. Stuff that only gets Put Out By Weird-Niche branches of the Administration and Everyone (including Administration) ignores. These are most commonly heavy-handed misinterpretations of some state or federal rule or guideline that an office-wonk cooked up in a self-imposed bubble. That's top-down office wonkery that professionals may evaluate to be crap, and then those professionals do what they're trained to do under such circumstances. Use their own professional judgement.

The funniest ones in my experience are the security policies from IT departments. If you've ever worked for university IT, you know what I'm talking about.

Purchasing, Food Prep, HVAC, Parking, Hiring, Academic Dishonesty, and Transfer Credits are some other funny ones where stated policy and working practices are often not at all the same thing.

But one thing is constant for all university policies. There are always administrative meetings for each and every one. Heh. Or as one of my mentors once put it, "Meetings All The Time".

[Caracal]

"Follow all applicable laws" is a pretty standard assumption in professional employment and what that means tends to change as technology changes and best practices with technology changes.

Sure, but the law, and even guidance on it, is entirely silent on exactly how information should be safeguarded. Actually if you read the FERPA guidance, they say many, many times that FERPA is not a "security" act. "FERPA does not provide any specific requirements for educational agencies and institutions regarding disposition or destruction of the data they collect or maintain themselves." A school can get in trouble if they don't take reasonable steps to protect student data.

There isn't even any real guidance about things like security of grades while in faculty possession. All the guidance is about not just disclosing grades, for example by leaving graded papers for students to pick up without an envelope or posting grades publicly. Why isn't there a lot of guidance about exactly how faculty need to transport and secure graded materials? I'm pretty sure, it is because there has never been a FERPA complaint involving someone stealing exams from a faculty members possession. You would have to imagine a very weird scenario for there to be one. What would a burglar do with my graded exams? Attempt to blackmail students? Post them on facebook? If someone steals my bag which has a bunch of exams I was going to give back to students, they would take my computer and toss the exams in the trash.

[pepsi_alum]

Calling someone lazy for not doing work during their break is unpleasant, but it does seem like a bad idea to invoke FERPA in refusing to discuss grades, unless that really is institutional policy. As a strategy for avoiding complaints, it is likely to backfire, as it did in this case. Most grade complaints take the form of "I don't understand why my grade is x." The students usually aren't really operating in good faith, but if you just pretend they are, it usually works fine. I go look at the grade, make sure I didn't actually make a mistake, and then explain the grade very briefly, but politely. If the student tries to argue with me, I then say I'd be happy to discuss the details of an assignment once the semester starts if they want to come by some time. If you just stonewall them from the beginning you let them turn the narrative into "my professor wouldn't tell me why I got a B."

For the record, I agree, and that's my usual response to grade complaints. But the administration had sent several FERPA-paranoid emails in the semester beforehand that some faculty took a little to literally.