Utah State University’s College of Education and Human Services is responsible for a large percentage of USU’sresearch portfolio, and an even larger share of the Human Subjects Research conducted on USU’s campus. Recently, the IRB has noticed an uptick in the amount of research looking to use educational records, both in K-12and higher education settings – no surprise given USU’s robust research around issues of education! This document serves as a basic primer on the use of educational records in research. It is specific to federal FERPA guidelines, so please note that there are other Utah-specific requirements that are not addressed which governhow and what types of data researchers can collect from Utah students. This document is intended to provide basic information about the collection of existing educational records under federal law.
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of all personally identifiable education records maintained by an educational institution. It applies to records at both K-12 and higher education institutions, so long as that institution receives federal funds.
What is an education record?
An education record is any record maintained by an educational institution that is directly related to a student. An education record is personally identifiable (and thus, protected by FERPA) if there are personal identifiers associated with that record, including any “information that would make the student’s identity easily traceable.”
What does this mean for researchers?
When a researcher wishes to access an identifiable educational record protected by FERPA, they must obtain specific authorization from the parent (K-12) or the student (higher education) prior to doing so. This is true regardless of whether the researcher intends to keep those records in an identifiable state.
Protocol Tips:
- In general, Letters of Information or other passive consent processes will not be sufficient to access that information.
- Many schools have forms or FERPA waivers already in place – always check with the institution you want to work with to see if they have a required process for accessing student information.
- Often, schools and higher education institutions will accept a USU IRB approved Informed Consent document as a FERPA waiver. If you’d like to do this, make sure you check with the school first, and be sure to include specifically what information you’ll be obtaining in the Informed Consent document you create. If you wish to create your own form for any reason, the five elements that must be included are:
- (1) a parent signature, (2) the name of the child, (3) the date of signature, (4) the record or records that will be disclosed, and (5) the class of people to whom those records can be disclosed.
Can I access anything from the educational records without an authorization?
FERPA only protects identifiable education records. Further, FERPA excepts “directory information” from federal privacy protections. Finally, there are exceptions to the general rule of requiring authorization, and if your research fits into one of those exceptions, you might be able to access that information (with the agreement of the school charged with maintaining those records).
Directory Information
Directory Information is information which, if disclosed, would generally not be considered harmful or an invasion of privacy. Each institution determines what constitutes “directory information,” versus what constitutes a protected educational record. You must check with the education entity you are working with to see what constitutes Directory Information in that setting. Furthermore, students and parents have the right to say that they do not want their or their child’s directory information released.
- Examples of directory information: Name, whether or not the student is enrolled, email addresses, etc.
It is critically important to work with the office charged with the maintenance of educational records before you access them as researchers, because individual teachers or advisors may not be aware that a student or parent has elected not to make their directory information public. For example, stalking victims at universities are often counseled to keep their directory information private, and the institution can be liable for the unauthorized release of that information.
Identifiable Records
Often, the data researchers are interested in do not necessarily require identifiable records. If that is the case, you could ask an institution to provide you those records in a way that is deidentified. Please remember: if a member of the research team is accessing those records, they are probably identifiable. Names, student ID numbers, and social security numbers are all identifiable, and if they are being accessed by the researcher, those are identifiable education records (think pulling your students’ grade data off of Canvas – A numbers and names are available to you, even if you aren’t going to use them).
The best way to compile deidentified education records is to work with the school office that maintains those records, and ask them to provide you the data you are interested in without any identifying information. At USU, Academic Instruction Services and the Registrar’s Office, can help you to obtain student education records in a way that ensures you do not possess identifying information.
FERPA Exceptions
FERPA outlines a number of scenarios that do not require an authorization or consent in order to access identifiable education records. Institutions are permitted to release identifiable education records where:
- The disclosure is to other school officials when the institution has determined that the release is for legitimate educational interests of the students. At USU, that determination can only be made by an administrative unit, like the Registrar’s Office, Provost’s Office, College Dean, etc.
- The disclosure is to organizations conducting studies for, or on behalf of, an educational institution in order to:
- Develop, validate, or administer predictive tests;
- Administer student aid programs; or
- Improve instruction.
AND
-
-
- The study is conducted in a way that does not release any identifying information, and the information is destroyed as soon as it is no longer needed.
-
It is important to note that this second exception would require an official partnership between the researcher and the educational institution releasing the records. It also requires the quick destruction of all records, even if they have been deidentified.
There are other exceptions to the requirement to obtain an authorization before accessing educational records, but these are the ones most applicable to researchers. Feel free to peruse the text of FERPA at 34 C.F.R. 99.31 for the remaining exceptions.
Resources
The USU Registrar’s Office maintains an online, twenty-minute training for USU faculty and staff on FERPA, available at http://www.usu.edu/registrar/htm/faculty_staff/ferpa. Additionally, USU’s Director of Research Integrity can be reached for questions about research uses of FERPA records at (435) 797-4208 or at jodi.roberts@usu.edu.