Interview with LeRoy Rooker, Director
Family Policy Compliance Office, U.S. Dept. of Education
OGC: Lee, how many years have you been the head of the Family Policy Compliance Office(FPCO)?
LR: I have been the Director of the Family Policy Compliance Office since February 1988.
OGC: With respect to working with FERPA in higher education, what do you think is the most common mistake made by educational administrators?
LR: Generally, it is school officials thinking they can disclose information under education records without written consent. For example, there may be a state law that requires release of information or another federal law that school official believes apply to student records. Right now, we are receiving a lot of questions from school officials about the applicability of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to education records. The important piece for school officials to understand is that health records are “education records” subject to FERPA, not HIPAA. Also, in terms of tracking students, you can send personally identifiable records forward (e.g. to a school a students seeks or intends to enroll in) but not back (to a school the student formerly attended) without the student’s consent. However, information provided back to the school previously attended needs to be in non-personally identifiable form.
OGC: There have been several cases in the last few years dealing with applicant records. What position does FPCO take on whether or not records sent directly from a high school to a college are governed by FERPA, and also what about those records submitted directly from an applicant or from ETS?
LR: Anything sent directly from a high school to a university is protected under FERPA. The student will not have a right of access until he/she matriculates, but the non-release provisions of FERPA apply. Records submitted from the applicant or ETS are not education records under FERPA.
OGC: I have heard you mention that schools that have computerized student information systems such as PeopleSoft or Banner have an obligation to track which school officials might be accessing a particular student record if the access granted by the system is broader than just to those school officials with a legitimate educational interest. For example, if the school system gives a professor access to the records of all students in a particular department, rather than just records of students that are the professor's advisees, then the school, (presumably via its software) must be able to track any inappropriate access. In other words, the "honor system" as a defense would not fly with the Family Policy Compliance Office if there if an investigation. Am I understanding you accurately on this issue?
LR: Again, in responding to this question, we must begin with what FERPA says about access to education records. FERPA says generally you have to have a signed consent. However, Congress recognized that in certain instances this does not make sense so they put in exceptions that are to be narrowly read. The school official exception is dependent upon notice to the students about that provision, and contingent upon the definition of school official and legitimate educational interest being both provided to the student, and followed. For most of the history of FERPA these were paper records kept in different offices, and someone had to ask for access. In the computer age it is much easier for schools to computerize this information. So, while you can give records to a school official without consent, that official has to have a legitimate educational interest in accessing the records. Thus, FPCO does not care what system a school uses for maintaining records, but the requirements in FERPA are still there. If FPCO gets a complaint that someone accessed records inappropriately, and the school does not have a system that allows the school to know who accesses records, then the school has a policy or practice of permitting access to education records without knowing whether the school official has a legitimate educational interest in those records. The system has got to be one that permits the institution to know who are accessing records. We plan to issue further guidance on this.
OGC: Can you tell us where in the process the electronic signature regulations are in terms of being finalized?
LR: We published the proposed regulation in July of last year. The comment period closed in September. We have completed the draft response to the comments, and hope to have final regulations out in April of 2004.
OGC: There have been questions lately on various higher education listservs about printing randomly generated student ID numbers (not social security numbers) on student ID cards and whether or not this would violate FERPA. Do you have any clarification on this issue for higher education administrators?
LR: In terms of what goes on a student ID card that is up to the institution because the card is given to the student so there is no disclosure. If the student uses the card at the institution it would be a release to a school official who has a legitimate educational interest. However, randomly generated student ID numbers are education records and should be protected just as a social security number should be, so a professor should not post grades by student ID number if the student ID number follows the student. However, a professor can randomly generate numbers for a particular class and use those numbers.
OGC: There has been some commentary to the effect that FERPA, as it protects student rights, has been watered down over the years. Do you find this to be the case?
LR: I don’t think so. There have been changes to FERPA, but they have been common sense changes, for example, the law enforcement unit exception that expanded the universe of what could be done with those law enforcement records, which are separate from education records. Same thing with respect to a student who has been found in violation of a campus judicial code that would rise to the level of a crime of violence. You also have the disclosure to parents of a student under age 21 if they have been subject to a code of conduct violation about alcohol.
OGC: Can you tell us about some of your interesting cases you have had in that time?
LR: There are so many of them that are interesting. In one case a law enforcement unit at an institution revealed information from an education record (the fact that the student was barred from campus) outside the campus to a reporter. The issue there was distinguishing an education record from a law enforcement unit record. The latter is releasable, but information from the education record is not. In this case, the information from the education records was written into the police report, which was open to the public.
Another interesting case was where the school put a student’s social security number on a check and sent it outside the institution. The student had refused to put the social security number on the check. The institution should have advised they would not take the check. It was up to the student to decide whether or not they wanted the number disclosed. The solution was for the school to give notice to students that social security numbers will be required for checks, and notify students that cash and credit cards are alternatives if they do not want to write their social security numbers on their check.
OGC: What do you see as the next major issue for FERPA?
LR: Issuing guidance on electronic maintenance of records that will be posted on our web page and distributed through training and through educational associations. We hope to have this posted by April of this year.
Editor's Note: This interview took place in February 2004. LeRoy Rooker will be speaking at the Educause Policy Conference 2004 on May 19th at the Fairmont Hotel in Washington, D.C. on issues related to FERPA and technology.
| 
