General University Reference Utility
Guideline ADG06 APPROPRIATE USE OF STUDENT DATA
The 1974 Family Educational Rights and Privacy Act (FERPA) protects the privacy of student records and regulates the conditions under which institutions may release student educational records. Following passage of this legislation, Penn State implemented policy AD11 on Confidentiality of Student Records. According to this policy, nothing other than the items defined as “directory information” can be shared without the student's consent. Penn State may grant access to non-directory information to “university officials” for purposes of “legitimate educational interests,” both of which are defined in AD11.
In today's environment, with widespread decentralized access to institutional data through tools such as the data warehouse, it's imperative that we have clear guidelines on appropriate use of data. Marketing interests and private partnerships that engage Penn State in relationships with those who need specialized data are an ongoing challenge for those charged with the responsibility of safeguarding the privacy of students, employees, and others. Employees need guidance and supervision to respond appropriately when they have an otherwise legitimate use for data but are faced with a new request for the use of those data.
Guidelines concerning appropriate use of University student data:
- In general, University employees should not provide lists of student directory information to entities outside of Penn State. If an outside entity wants to mail information to Penn State students that the University feels is beneficial to those students, then the entity may provide Penn State with the materials already stuffed in stamped envelopes. Penn State may then create the mailing list, apply labels to the envelopes, and mail the materials. In this way, the students receive the information but the mailing list is not shared with the outside entity.
  If there are cases where having Penn State handle the mailing isn’t possible and it is deemed that the entity has important information for students, and if the release of the mailing list will not constitute an implicit disclosure of confidential information (e.g. all students with certain cumulative GPAs, all students who received a particular grade in a course, etc.), then permission to share the mailing list must be granted by the Vice President and Dean for Undergraduate Education or the Dean of the Graduate School, as appropriate. If the mailing list is shared with the entity, it must be made clear through a cover memo that the list may be used only to fulfill the purpose for which it was originally requested and must not be shared outside the entity.
- Employees may share directory information for individual students for purposes such as job references and enrollment/degree verification. Non-directory information may never be shared with any outside entity (including parents) without written consent of the student.
- In cases where a third party is providing a service to the University that is directly related to the University’s mission (i.e. the service is one that the University would normally provide itself but has out-sourced due to cost/resource issues) and requires student information, a contractual arrangement must exist between Penn State and the third party that requires the third party to:
  - Protect the information at the same level as required of the university by law, existing contract, or institutional policy.
  - Use the information for only the purposes for which Penn State grants access to the information.
  - Not share the information with any other entity.
  - Destroy or return the information within a specified timeframe at the conclusion of any contractual arrangement with the university and retain no copies of the information.
  - Provide adequate administrative, electronic, and physical safeguards to assure the confidentiality, integrity, and accessibility of the information at a level specified in the contract between the university and the third party.
- In cases where an external research organization is conducting research using personally identifiable student information without the written consent of the student, a written agreement must be in place between the University and the research organization. The written agreement must reflect the five bullet points outlined above, and must set forth the purpose, scope and duration of the study. In addition, the University must agree with the purpose of the study. In cases where only de-identified data is shared, a written agreement is not required.
  All research utilizing identifiable student data obtained from the University must be reviewed by a University Institutional Review Board prior to beginning the research.
- Lists of student information may be shared within the University for purposes that are beneficial to the student and/or to the University with the understanding that the units receiving those lists provide appropriate privacy and security of those lists according to institutional policy or law.
- University employees are permitted to access only those student education records in which they have a “legitimate educational interest” in order to fulfill their professional responsibilities in connection with the university’s educational mission. Student education records should be used only in the context of official business in conjunction with the educational success of the student.
Effective Date: November 4, 2009
Date Approved: October 12, 2009
Date Published: November 3, 2009
Revision History (and effective dates):
- November 4, 2009 - New Guideline.