[Rhonda Kitch] Good morning everyone. We are thrilled today to kick off and spend some time together in the next hour or so talking about FERPA. We're excited to get started. I'm very excited about the turnout. And so as you could probably tell we, are recording this session, it will be saved. Once you transcribe it and review the transcription, it will be saved and shared online and the OUR website. With that, we're going to jump in.

Powerpoint Slide Text: FERPA 101, Title. Office of the University Registrar. Cindy Grey, Assistant University Registrar. Rhonda Kitch, University Registrar

[Cindy Grey] Good morning everyone. I'm Cindy Grey, I'm the Assistant university registrar for academic records and operations in the office, and I am one of the main people that handles all FERPA requests and FERPA information through the office of the university registrar. 

[Rhonda Kitch] Hi, I'm Rhonda Kitch and I'm the University Registrar excited to partner today, with Cindy and I want to call out, Jen Weidner.  Jen is the the college registrar at ILR. Jen came to us with this idea and said, you know, I think this would be a really cool thing to do. Is this something we can think about? And here we are hanging out today with nearly 200 of our closest FERPA friends, chatting through lots of details and nuances today. So Jen, I'd like to just give you a shout out and thank you for your work and pulling this all together. Very grateful to have this partnership.

 [Jennifer Weidner] Thanks, Rhonda. Vicki Mikula just put in the chat that some folks are having a hard time hearing you. And it may be just because the mic is a little far away from you.

[Rhonda Kitch] We will talk louder and thank you for that feedback. Really appreciate it. Is that volume a little bit better? Great. Great. Thank you-all. Thank you.

Powerpoint Slide Text: Agenda is the title, followed by a bulleted list of the following topics; FERPA Basics, Educational Records, Directory/Non-directory Information, FERPA and Parents, Legititmate Educational Interest, FERPA Breaches, FERPA and Social Media, Scenarios, Resources.
 
[Cindy Grey] We're gonna get started reviewing our agenda, topics we're going to cover. So we're gonna go over the very basics of FERPA. Talk about the main piece of FERPA, the educational records themselves, what are considered educational records. Information around directory and non-directory information and how that information can be shared. And then one of the biggest pieces I think where FERPA comes into play for most of us is around parents and being able to share information with the parents and the information that they would like to have shared with them. Then we'll move into legitimate educational interests in how that plays into each of our roles as staff members here at the University, FERPA breaches and how that's handled through our office. And then always fun to talk about social media and how information is shared through social media in this world today. Then we are going to get into some scenarios, we're going to have you all participate with us and give us your thoughts on how you think the scenarios might be able to be handled. And then we'll review some cases on how we would handle the situation and move from there. And then we'll wrap up with the resources that are available to you and how you can go forward with your next steps on learning more about FERPA.

Powerpoint Slide Text: Let’s level set!, Title. Bullet 1: FERPA can be complicated and hard – it is murky at times, but there are also lots of clear answers to many FERPA FAQ’s. Bullet 2: Many FERPA violations stem from a lack of understanding – the good news is we are here to help!  Bullet 3: This session is being recorded and will be shared on OUR’s FERPA page. Bullet 4: Due to volume of attendees, we will not be able to respond to chat questions or a Q&A after the presentation.  Reach out to OUR for follow-up regarding specific questions; contact information available on final slide

[Cindy Grey] So FERPA it's very complicated and hard at times, can be very murky. And one of the things that I often have heard a lot is, well, it depends, when  people talk about FERPA. So there are a lot nuances and really can be dependent on the situation and the pieces of the situation that are involved. But sometimes there are really clear answers to the questions. We have developed an FAQ on our website of some very common questions we get asked and provided the answers to those questions. So I invite you all to check those out at the end of the presentation. There are some very basic answer is right there for you to review and always there for you to pull up should you face any questions. As I said in the agenda, we're going to go over FERPA breaches. Well, sometimes the violations that we encounter is because people just don't understand how FERPA works. And the good news is, we are here to help them provide the information and Rhonda comes with an extensive background of FERPA. So we're hoping we can be able to answer all those questions for you. As Rhonda said in the beginning and we are recording this presentation and we plan to share it on our website once the transcription is done and complete. So it will be in a few days or so that we'll have that up on our website to be reviewed as you need. Due to the volume of the attendees today, we won't be able to take questions and we won't be able to open it up to Q&A. But as I said, we will have resources page at the end that will give you resources that you can reach out to you and then you can also contact us with direct questions beecause, you know, as I said, the information can be very dependent on situations as you go through,and handle different areas. 

Powerpoint Slide: Picture of a little boy whispering in the ear of a little girl. The text says, “Knock, Knock, Who’s there? FERPA. FERPA who? Sorry, I can’t tell you that…”

[Cindy Grey] So here's a little meme, little fun. We get to have the FERPA, just see a couple of our fun little photos that we use to bring some fun into this. But we started right off with the word FERPA and Really never explained exactly what FERPA stands for. So it's the Family Educational Rights and Privacy Act. And lots of specifics around where it began and how it started. We have resources for that as well on our website. So we won't bore you with all those specific details and just wanted to give you the definition of it. 

[Rhonda Kitch] One thing I want to jump in, this meme is circulated around registrars for many years and some good tongue in cheek. But the story I can tell you that the reality is except for when you can. Because we know that there are circumstances that you can share information and we're gonna walk through some of those today. So there's a reality that you need to be able to have access to data to do your job and to share data appropriately when there's a legitimate educational interests. So we're going to walk through those nuances but we like to have some fun along the way with FERPA. 

Powerpoint Slide Text: Why Should I care about FERPA?, Title. Bullet 1: FERPA is your responsibility!  Bullet 2: As member of the educational community at Cornell University, you have a legal responsibility under FERPA to protect the privacy of student educational records in your possession or have access to. Bullet 3: Your position places you in a position of trust and you are an integral part of ensuring that student information is handled properly. “Need to know” is the basic principle of FERPA.

[Cindy Grey] So to start off, why should you care about FERPA? So it's your responsibility to be a data steward. To be a good data steward and keep confidential information that you'd have access to confidential. And so even though you may not be in a role where you meet with students daily or give them or be in an  advising role if you have access to any information regarding the educational record, it's your responsibility to know how to handle that educational information and the sharing of it. So anybody that has access to PeopleSoft or Salesforce already knows that they have had to complete confidentiality agreements and statements. And so that's also a part of your responsibility as a staff member to make sure that you are covering in making sure you're not sharing that information inappropriately. So a lot of what we say again about FERPA, is it's a need to know basis. A lot of times we get requests and we have to take a step back and say, does this person need to know this information? What is there driving force behind the requiring or gathering this information? So we just take a few minutes sometimes to think through what's happening. 

Powerpoint Slide Text: What are the basic student rights under FERPA?, Title. 1. Right to inspect and review their education records except: Information about other students– Financial records of parents. Confidential letters of recommendation if they waived their right of access. Have up to 45 days to inspect after request is made 2. Right to seek amendment to records they believe are incorrect 3. Right to have some control over disclosure of education records. Consent to disclosure to third parties. Restricted directory information 4. Right to file a complaint with Student Privacy Policy Office within the U.S. Department of Education   

[Cindy Grey] Okay. So there's some basic rights under FERPA for the students. And the one to start off with is that they have the right to inspect and review their educational records. So this is mainly one of the pieces that I handle in the University Registrar's Office is gathering that request from the student, working with them to understand what they are looking for in reviewing their educational record and then contacting the offices across campus to gather all that information. We work closely with University Counsel when doing this. And we review everything with them so that we can then give the student a way to review that information and review your records and then make sure that they can see what they want. We do take time to redact any information on the student from the financial record that pertain to the parents, the student does not have the right to see that. And they also don't have a right to any letters of recommendation that they waive the right to see when they were in application process. Once the request comes in, we have 45 days to produce the record for to review. And a lot of these requests come in around this time of year actually, for admissions, students think that they can get their admission file and it is going to contain information about what Cornell reviewers said about them or what made your application outstanding. That is not retained in the admission record , only what the students submitted in their common application. Letters of recommendation and transcripts are contained. So we worked with the students to help them understand that and then be able to provide that information that they're looking for. The second right that they have is to make amendments to the record. So once they view them, if they feel amendments needs to be made. We will work with them to do to address that, review that and see under guidance what can be changed.

[Rhonda Kitch] I'll just add in this area, the rights of amend records is certainly there. But the reality is there are very few instances in my nearly 20 years in academic records, I think I've worked through one, maybe two cases of an amendment to the records. So these are incredibly rare. 

[Cindy Grey] So the third is the right for them to have control over the disclosure of their records. And you'll notice this does say some. We're going to get into all these little pieces of this. How disclosures work, that consent for third parties and restricting their directory information. And then the fourth right is for them to file a complaint to the student privacy policy officers in the US Department of Education. Again, I've haven't been in the world as long as Rhonda, but, something that's very far between.

[Rhonda Kitch] Thankfully it is Cindy. Once of the pieces as Cindy noted that students have a right to inspect and review their record and in OUR, OUR works specifically with those requests so if you  have a student interested in that certainly direct them our way, One nuance is they have a right to inspect and review? It's not a right to inspect and make a copy. You're not obligated to make a photocopy or provide them copies of the record. So again, those are nuances that we worked through. But it's about creating some realistic expectations as well.
Powerpoint Slide Text: When is a student a student at Cornell?, Title. Bullet 1: When a student reaches the age of 18 or begins to attend a post-secondary institution, regardless of age, all FERPA rights belong to the student – For elementary and secondary students, if they are under 18 and not in a postsecondary setting, the FERPA rights belong to the parents/guardian. Bullet 2: FERPA begins for a Cornell student on the first day of classes/semester or attendance, whichever comes first, and the student continues to be protected by FERPA for their lifetime.

[Cindy Grey] When does a student become a student at Cornell? and this can be a very difficult area to discuss, especially when it comes to parents. Many people don't even realize FERPA is pertains to students in elementary school and secondary schools. It doesn't necessarily come out in that way very often. So it really comes up when students become a student at a university or college. Cornell defines a student as becoming a student on the first day of classes or the semester, or when the first day of attendance, whichever comes first. So students, some parents don't quite wrap their head around this very much. I may still think because the student is under 18, that they have all rights too all their academic information and that's not the case. So takes a little bit of education in some areas. And one thing that we are going to talk about is just because other institutions may handle this differently and they may have rights in one institution. This is how Cornell handles it, and this is when we determine a student has become a student. 

Powerpoint Slide Text: What are educational records?, Title. Bullet 1:  Any record directly related to the student (regardless of format or medium) maintained by the institution, or by a party acting for the agency or institution. Bullet 2: May not be released to a third party without a student’s explicit written consent. Bullet 3: Examples:Personal/biodemographic information (SSN, race/ethnicity, gender, nationality, student ID, etc.), Enrollment records,  Grades– Class list, Disciplinary records, Class Schedules, Student exams or papers, Financial aid information , Emails maintained by anyone at the institution, provided they are related to the student.

[Cindy Grey] What are educational records, we have a lot of different areas that we use educational records in at Cornell through Canvas and some other curriculum management entities. So anything that is directly related to the student and maintained by the institution. We're going to talk a little bit about maintaining. When we get into notes and things like that that are taken during meetings with students, any record maintained in any system, and they cannot be released to a third party without that student's consent. We're going to talk about consent a little bit coming up here today as well. So you'll see some various examples. Particularly I know a lot of things are grades and class list, and class schedules. Those are some of the particulars that we call out a lot of times for people. People understand not sharing that through different ways, meeting like through email, information like that over the phone. We in the time of COVID, we came up with quickly Some ways to be able to identify that we are talking to the student over the phone because we couldn't have people coming in person. So we can definitely give people more information on that. If people have concerns around that area.

Powerpoint Slide Text: What is not an educational record?, Title. Bullet 1:  Records in “sole possession of maker”  Bullet 2: Law enforcement records created for a legal purpose. Bullet 3: Employment records, unless employment is based on student status (work-study, graduate teaching assistants). Bullet 4: Medical/psychological treatment records. Bullet 5: Alumni records (created after student was enrolled).

[Rhonda Kitch] Alrighty, thanks Cindy. So in terms of, we know, a little bit about the boundaries of what is considered an educational record, but what's not considered an educational record? And these are just a few examples, certainly sole possession notes, and I'm going to talk about those on the next slide in a little bit more detail. Law enforcement records created for a legal purpose, employment records, but yet there's a caveat to that. If the employment record is tied to a student's status or study, TA that kind of thing, then it could be considered an educational record. Again, this is where things can sometimes get a little bit gray. And so reaching out and consulting and questions is a great path forward. Certainly, medical and any treatment records are not considered educational records, and alumni records, any of those that are created after the enrollment ceased, after graduation, those would not be considered educational records either. 

Powerpoint Slide Text: What is a sole possession note?, Title. Bullet 1: Made by one person as an individual observation or recollection and are kept in the possession of the maker (e.g., memory jogger). Bullet 2: Notes taken in conjunction with any other person are not sole possession notes. Bullet 3: Sharing the notes with another person or placing in an area where they can be viewed or accessed by others makes them “educational records” and they would be subject to FERPA. Bullet 4: Emails are never sole possession notes. Bullet 5: All information recorded in Salesforce and CUESR, including notes and reports, are part of the educational record. Follow guidelines from Salesforce Documentation Best Practices Committee for how to document student exchanges.  Information available at https://cornell1.force.com/cep/s/article/Advising-Portal-DocumentationBest-Practices 

[Rhonda Kitch] Alright. So what is the sole possession note? These are first and foremost, they're pretty rare. And so think about these as, as a note that an individual makes and it's really I often equate them to being a memory jogger. I'm going to just really something pretty isolated. If I'm a faculty member and Cindy's my student, and I just, it's something that helps me remember who Cindy is and What we might have talked about really briefly, but it's really like, oh yeah, that way the next time I see Cindy, I remember who she is. If I'm talking about, if I'm taking notes that are in conjunction with any other person that I'm working on with any of the person. So Cindy and I are taking notes together about Jen Weidner our student, that would not be considered a sole possession notes. Cindy and I are working through that situation together. And so now Now it's considered share. So that gets into - you're sharing, the notes with another person, if the notes are in an area where they can be viewed or accessed by anybody else, think about shared drives or anything like that, that really does transition them and they become education records and thus subject to FERPA. Email is covered on the last side, emails, as they pertain to students are never considered sole possession notes. So really when we think about how this translates, again, sole possession notes are really, really rare. So any information, though, that's recorded in Salesforce or ESR, including notes and reports, are considered part of the educational record. There are guidelines that have been developed by the Salesforce documentation best practice committee and how to best document student exchanges. And there's information available at this website. So just wanting to be mindful, that sole possession, again, pretty rare. And it's I think it's pretty hard to imagine a place where e.g. a student service office would have sole possession notes. Again, in my experience, most most notes that arise really do become part of the education records. 

Powerpoint Slide Text:  FERPA Pro Tip: Dance like no one is watching; email/take notes like it may one day be read aloud in a deposition or appear on the front page of your local newspaper.

[Rhonda Kitch] Alright, Again, little bit more fun. And in terms of a FERPA Pro Tip, And I think this is a good reminder in our daily professional lives. Yet, this comes with a caveat as well. My history is that until I came to Cornell a little over two years ago, my entire higher education career was at public institutions. So all of my email is open record. So we talked about that quite a bit in terms of the instances and times that our email could be requested by the local newspaper and will be on the front page. Of course, if there was specific student information that was always redacted, but it's something just to be mindful of. So while we want to be mindful of how we're, we're emailing, taking notes, sending information, we also shouldn't be afraid of documenting what the situation is in sufficient detail to ensure a complete and helpful record. Because that helps put the pieces together for the next person that might be working with the students. Accurate records are really critical in support of students and their academic endeavor. Endeavors. It's just the goal will be to do so professionally and very neutrally. 

Powerpoint Slide Text: What is Directory Information at Cornell?, Title. Bullet 1: Directory information is an exception under FERPA that permits for the release of information in a student’s educational record that is not considered to be harmful or an invasion of privacy if disclosed. Bullet 2: Items that may be released without student consent (unless student has a FERPA flag):  Student name, Campus E-mail address, Local and cell phone numbers, Photograph, Major field of study and college attended, Academic level, Dates of attendance, Enrollment status (withdrawn, less than half-time, half-time, three-quarter-time, full time), University assistantship status (e.g. teaching assistantship, graduate research assistantship, research assistantship, graduate assistantship), Participation in officially recognized activities and sports, Weight and height (of members of athletic teams)– Any degrees earned and awards received, Date of birth and local address (for the sole purpose of federal census data responses), Note: Address information is not considered directory information at Cornell. “Just because you can, doesn’t mean you should”.

[Rhonda Kitch] Alright, so we're going to talk a little bit about what is directory information at Cornell. Directory information is an exception under FERPA. And Cindy talked about it's the Family Educational Rights and Privacy Act. And a little fun tip is that FERPA has been around since 1974. So it's been a law for a long time. So one of the things that I also think of when I think of FERPA is, you know, when the law was written, It was not specific. That was pertaining to email or microfiche or paper. That's why we talk about this. It's regardless of the form that it's kept, it's really about what is the student record. And so it, Like I said, it's been around for a long time. And FERPA does permit for the release of information in a student's educational record that's not considered to be harmful or an invasion of privacy if the information were disclosed. So this list of data elements are items that may be released without student consent, unless the student has a FERPA flag and you may ask: What's a FERPA flag? we're going to talk about in just a few minutes. So within this list, and it's very specific in terms of student name, Canvas, email, local cell phone numbers, photograph, major, academic level. Are they a first year, second year or third year or a rising senior? That's what we mean by academic level. Dates of attendance, enrollment status. Do they have an assistantship? And if so, what's that status? Are they participating in officially recognized activities and sports? Then we get into weight and height, and this relates to athletic teams. You may wonder how can we release information so specifically about student athletes? Well, this ties in with FERPA. and it also ties in with release of information that student athletes typically would sign off on. In addition, In terms of directory information it includes any degrees earned and awards received. And then specifically for federal census data reporting, date of birth and local address, are directory information elements, but only as it relates as OUR reports for federal census needs. That's not information we would release Typically. Any sort of address information is not considered directory information at Cornell. I come back to this phrase time and time again, just because you can, doesn't mean you should. So how that applies to directory information is just because we can release directory information, doesn't mean they always should. It sometimes can be a case-by-case scenario. Really thinking about

Well, is there harm? Is there an invasion of privacy if it were to be disclosed? How does it come through in that situation? And who are we releasing  information to. So it can be a little bit nuanced. This information is also on OUR's website and again, we've referenced that a few times. And it has been Cornell's practice to be a bit more conservative and not share information unless it is directly with the students or there is a legitimate educational interest. 

Powerpoint Slide Text: FERPA Reminders, Title. Bullet 1: FERPA indicates we MAY, not MUST release directory information – if in doubt, do not release. Bullet 2:  It is ok to take time and circle back to someone requesting information. Bullet 3: Other institutions may identify directory information differently than our institutional practices and that’s ok!

[Cindy Grey] And I'll just add, you may all have been experiencing a lot of communication with parents recently to pre-enrollment times. We have been talking a lot of parents and so this has come up quite frequently in being able to talk about what level the student is at, when the pre-enrollment period is, and most times people are really good about understanding the situation. So just to be able to have the language to refer back to, can sometimes be helpful when you're talking with someone. 

[Rhonda Kitch] Yeah, thanks, Cindy. So, FERPA very specifically says we may release directory information. It doesn't say we must release directory information. So again, can be a judgment call. If you're in doubt. Don't release the information. It's really hard to circle back and redact that information later on. So if you're in doubt, just say, No, I'm not going to release that information. Or certainly if it's something you're really not sure about. It's ok to to take the time, tell somebody. I'd like to do some additional checking on this. Let me get back to you. You don't need to do an instant, instant response to it and reach out to your FERPA friends at OUR to get some additional clarification. And then you can circle back to somebody. Or it might be even appropriate for you to turn this situation over to us. So that's just something to keep in mind. We're really in this together. Also be mindful that that directory information list that was on the previous slide, that's what Cornell identifies as directory information. The FERPA law gives us latitude. There's a long list of directory elements that we could release. And we as an institution, get to decide what we consider directory information. So if you've been at a prior institution that identifies directory information differently, that's okay. That's part of our prerogative. So you may see longer lists elsewhere. Don't think that they're breaking the law by any means. It's up to an institution to define and publish and share what's considered directory information.

[Cindy Grey] Again, another point that you may hear a lot from parents. They may have one child in an institution where they're allowed to get the information in a different way and then call here and we're telling them something different. 

Powerpoint Slide: How do I navigate FERPA and parents?, Title. Bullet 1: Parents do not have a right to a student’s education record, absent a student’s express written permission. Even with student permission, this is a “may” disclose situation. We are not required to disclose student records even if the student has authorized it. Bullet 2: FERPA releases– Cornell does not accept “blanket” FERPA releases for parents to access information. 

[Rhonda Kitch] That's a great segue, Cindy How do I navigate FERPA and parents? As we talked about earlier, parents do not have a right to a student in post-secondary education. You don't have a right to access their education record. Absent a student's express written permission. But even with student permission This is still a may disclose situation. We are not required to disclose student records even if the student has authorized it. As a practice, as a campus, we do not have a blanket FERPA release for parents to access information. If you want specific information about how your college might work through that information, I recommend contacting your college registrar in terms of what the college's best practices are and process for that. 

[Cindy Grey] I would also add we get a lot of questions at the beginning of a new year where parents want to file a power of attorney with us because they have had their child sign one before they left for college We also don't record those and maintain those as a record of the student. 

Powerpoint Slide Text: How do I navigate FERPA and parents, cont.? Title. Bullet 1:  In general, the university does not make education records available to the parents of a student. However, where the university believes that it is in a dependent student’s best interest, information from the student’s education records may, at the university’s discretion, be released to the parents or legal guardians of such a dependent student. Bullet 2: Such disclosure generally will be limited to information about a student’s official status at the university, but parents or legal guardians of a dependent student may also be notified upon the authorization of the dean of the student’s college, or the vice president for student and campus life, or the dean of students, or their designees in the following cases: when a student has voluntarily withdrawn from the university or has been required by the university to withdraw; when a student has been placed on academic warning; when the student’s academic good standing or promotion is at issue; when a student engages in alcohol- or drug-related behavior that violates Cornell policies; when a student has been placed on disciplinary probation or restriction; in exceptional cases when a student otherwise engages in behavior calling into question the appropriateness of the student’s continued enrollment in the university. 

[Rhonda Kitch] Alright so additional information about FERPA and parent navigation. This information is specifically, within the privacy policy. But in general, we do not make education records available to parents of students. But where we believe it's in a dependent student's best interests, information from the student record may, at our discretion be released to parents or guardians. And again, this is specific to dependent students. So it's typically very limited information about a student's official Status at the university. But we've may notify in a couple of different cases. And you could see there's a laundry list at the bottom. Specific cases that we call out. If a student is voluntary withdrawn or they're required to withdraw, they've been placed on academic warning. Their student's good standing or promotion is at issue. If they're engaged in alcohol or drug related behavior that violates our very own policies. If they've been placed on disciplinary probation or restriction, or in exceptional cases where they otherwise engage in behavior, calling into question the appropriateness of their continued enrollment at the institution. Again, if in doubt, reach out and consult and we can work through what the nuances are and what some best steps are in working through that situation. 

Powerpoint Slide Text: The difference between “may” and “must”, Title. Bullet 1: When a child turns 18 or enters a postsecondary institution at any age the rights under FERPA transfer to the eligible student. Bullet 2: If a student is claimed as a dependent by either parent for tax purposes, then a parent is permitted to have access; the disclosure is NOT compelled. Bullet 3: This permutation of FERPA causes some parents some consternation and frustration.

[Rhonda Kitch] Alright, and again, reinforcing, there's a difference between may and must. And so as a reminder, when a child turns 18 or enters a post-secondary institution at any age, the rights under FERPA go from the parent or guardian to the students, so the student could be claimed as a dependent by either parent. For tax purposes, a parent can be permitted to have access in those situations, but yet disclosure is still not compelled. And let me tell you, this nuance of FERPA certainly causes some parents, some consternation and frustration. And as a parent of a college student myself, I lived and experienced that, I understand it. It is fascinating to me since we move from the upper Midwest watching what one institution, when our son enrolled in that situation, How they managed FERPA at that institution to how they manage it at his new institution. And guess what? They're all right. There's, there's a lot of nuances, and flavors. And so it's just part of that navigation.

Powerpoint Slide Text: What about health and safety emergencies?, Title. Bullet 1: Can disclose to appropriate officials in a health or safety emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals. Bullet 2: Typically working through a Crisis Manager/Dean of Students; contact the Office of the University Registrar with questions.

[Cindy Grey] Thanks Rhonda. We're going to move now into talking about health and safety emergencies as Rhonda mentioned, there can be situations where information is disclosed. Obviously, we disclose information to the appropriate officials in a health or safety emergency. We'll get into that in a little bit further but the legitimate need to have this information to protect the health and safety of other students or other individuals in our community. So we work closely with the Cornell police and the crisis managers, Dean of Students Office to provide information that they may need should certain situations arise and move forward with them handling that situation. There may be times where someone, again, either the police or crisis manager reaches out to the college registrar or a department to gather some more information depending on the situation and that information can be shared with those people. Again, not to keep repeating ourselves, but if there's any question or any hesitation, you can always contact our office to check to see if what you're being asked to share with that person is legitimate and make sure that that person is an entity of our community that that information can be shared with. 

Powerpoint Slide Text: What is a FERPA Flag?, Title. Bullet 1: Students have the right to suppress directory information from public release; students suppress all or none of their information. Bullet 2: Everyone at the institution must respect a student’s record suppression. Bullet 3:  This icon, found on the Peoplesoft Student Record, indicates the student has a FERPA flag/directory suppression on file– Text within this flag indicates language to use: “I have no information to release on this individual.” Bullet 4: In Salesforce this information is displayed via a checkbox. Slide includes graphic of Salesforce Service Console page showing where the Suppress Information checkbox is. 

[Cindy Grey] So now we want to talk a little bit about FERPA flag, and this is how we identify students who have chosen to suppress their directory information. So that long list of information that Rhonda shared a few slides ago. This allows the student to say, no, I don't want any of this information shared with anyone at any time. The students are able to go in and set this FERPA flag themselves in their Students Center in PeopleSoft. And students who have questions around this can easily call our office or e-mail our office and we can get them instructions at how they can do this. So when we talk about educational records and pulling up a student's record in PeopleSoft or Salesforce. We always want you to use caution about sharing whatever information you're reading and then sharing that information. This flag and the suppression checkbox are just another barrier where we really want you to take that pause and say, oh, here we go. This student has decided to suppress all of their directory. We really need to be extra cautious about this. In PeopleSoft, you will see this little blue, what looks to be like a little window shade being pulled down. It's typically found at the top of the student's record a little bit off to the right hand side. You'll see any other service indicators, such as holds, which is a circle with a line through it, or a star which indicates a positive service indicator. All of that is right up at the right-hand side of the student record in PeopleSoft. If you were to click on that shape, we provide you with the language to use to someone that you just simply say, I have no information to release on this individual. It's a very generic statement. It doesn't give information on whether the person is a student, is not a student and gives you that language. Sometimes this needs to be repeated multiple times to people. And they'll keep asking questions to try and get you to answer something. But we always just say keep using this language and it'll help you through. If you use Salesforce, we wanted to show you this as well. It's not quite as out there and bold as it is in PeopleSoft, But in Salesforce, you'll see that there's some checkboxes along The top in the student record and suppress information is checked. So you'll just want to take So you'll just want to take some time as you're looking through the student record to make sure that you're looking for these indicators. 

[Rhonda Kitch] One thing that I'll note as well, Cindy is that this information is fluid. And so a student might have suppression one day. It could be removed the next. They might not have it one day, and it could be removed the next, or could be on the next. So if you're working with a dataset, that's something to be mindful of as well. If you save something weeks ago and you're ready to send something out, you need to be mindful of when was the information collected and reviewed and to go from there.

[Cindy Grey] Great point. And one thing that I would like to say about this is once a students or process their information, all of the directory information is suppressed. You can't pick and choose what is suppressed and what is not. We've worked with students before who want their name to be in the Cornell directory, but don't want their name to be seen in other places and we can't accommodate that it has to be all or nothing. In this time of the semester one thing we're talking with students a lot about is that having their name put in publications around graduation. So the Commencement booklet, things like that, should the students have this suppression on their record, their name will not be included in Commencement booklets for graduation information. 

Powerpoint Slide Text: Is it ok to share educational records with others on campus?, Title. Bullet 1: Institutions may disclose educational records, without consent of the student, if the disclosure is to school officials (including faculty and staff), whom the institution has determined to have a legitimate educational interest. Faculty/Advisors, Campus Security/Police, Disability Services, Student Affairs/Academic Affairs, Alumni Relations, Athletics, Information Technology, College/School Offices. Bullet 2: Annual Notification of FERPA Rights includes criteria for determining who constitutes a school official and what constitutes a legitimate educational interest. Legitimate educational interest generally means a “need to know”: the school official needs access to the education records in order to fulfill their professional job responsibilities. Emailed to students annually; also included in Courses of Study.  

[Cindy Grey] Okay, So we talked a lot about this legitimate educational interest And we do define that as an institution, as generally someone who needs to know the information. that as a school official, and that needs to access the information. And so students are notified of this annually in our consumer disclosure statement that we send to them. It's also included in the courses of study, which is on our website for students to review. But you may be thinking, Oh, so-and-so from another office contacted me and wants of lists of students with their ID number to look them up for this reason or something like that. Can I just share that information with them? So in this terms, if they have a legitimate educational interests, you can share information with them. And you see here there's a list of people. Obviously faculty and advisors maybe someone that's coming to you If you're in a student services office requesting some information. The police goes back to what we talked about in the emergency situation. Disability services is often needing to collect information so that they can evaluate situations for students. Alumni affairs, we work with them frequently as they are trying to update their records and understanding of what degrees a student may have earned and  things like that. Athletics this as Rhonda mentioned height, weight, we do a lot of verifications for clubs sports. Many of you also may know that we handle NCAA reporting through our office. So my colleague handles all of that so there's a lot of information shared through that. Information technology around the net ID creation and information shared through e-mails and just various other schools and college offices. So again, if you have questions, reach out, contact your college registrar. They're also a great resource for you to understand what information can be shared. And so as we talked about what information can be shared. And we need to talk about a little bit about how it can be shared. And this, even, we do need to take this very seriously and protect rights. But it's also important for you to be able to share the information, with other people, so that they can do their job as well, right? So we do want to have some thought through that and give some leeway in that. 
Powerpoint Slide Text: What is written consent?, Title. Bullet 1: To disclose educational records, a student must provide a signed and dated written consent– The consent must: Specify record that may be disclosed; State purpose of disclosure; and Identify party or class of parties to whom disclosure may be made. Bullet 2:  Each college manages this process differently; as of now, there is not a centralized solution or form.

[Cindy Grey] So going into written consent and sharing that a little bit, the student can provide signed and dated written consent. To be able to share the information. We need to know who we can share the information with, what specific parts of the record they want to be shared. What is the purpose of sharing that? And exactly who in that Third party you can share with. We often get requests from people who are looking for employment and they've given the employer their permission to get their degree information for background checks and things like that. And this is all included in that consent. As Rhonda mentioned previously, each college manages this process differently. Each college may have a way for the students to give consent to a third party, to be able to consult with the advisor or someone else in their office. So it's best to check with them. And as of right now, we don't have a centralized form, so it is best to contact your college. 

Powerpoint Slide Text: What is written consent, continued?, Title. Bullet 1: Some examples of exceptions to written consent requirement: Directory information, School official with a legitimate educational interest, Seeks or intends to enroll at an institution, Audit (OUR notes in PeopleSoft), Health or safety emergencies (must be documented), Accrediting organization (OUR notes in PeopleSoft), Complying with a judicial order or subpoena.

[Cindy Grey] So there are some exceptions with written consent, again, little repetitive, but if the directory information, the legitimate educational interests, someone who is seeking or intends to enroll in the institution if they're not as we said, FERPA applies to people when they are here as a student, have in attendance or on the first day of the semester. It auditing purposes. So our records through OUR in PeopleSoft are often requested by auditing entities and we provide them with the information that they are requesting. Health and safety emergencies. This is also documented. We don't just give out information to them and not provide documentation. But as Rhonda said, we always want to be able to have clear, concise note-taking so that we can go back and see what was done on a record. And that also happens with the information that we provide out of OUR as well for auditing. And the next one, accrediting organizations. We keep careful documentation of what records are shared with those entities and what they were used for, and then complying with a judicial order or subpoena. Those go directly to the university council's office where they will handle the documentation that they've received and request and gather all the information they need for that order that they've received. 

Powerpoint Slide Text: How can I share educational records appropriately?, Title. Bullet 1: Review CIT’s Regulated Data Chart to determine FERPA usability for various products (permitted/restricted/prohibited)https://it.cornell.edu/regulated-data-chart-0 . Bullet 2: Utilize CIT’s Secure File Transfer– https://sft.cornell.edu/login .

[Cindy Grey] So how to share educational records, whether it be with another, office that's requested that information from you or university council. We want to draw your attention to the CIT's regulated data chart, it's very helpful in looking at what software you can use to share what information. There's a clear column that says FERPA and gives you the go-ahead or the not to share information that way. Some specific ones that I'll call-out are sharing information through Box. Or as the link we show here is your secure file transfer. We use secure file transfer all the time and we have even used secure file transfer. to share with other institutions who we have dual partnerships with, who needs students' transcripts or things like that. So it doesn't have to just be people that are in Cornell. But if you are sharing information with people outside of Cornell, please double-check with us on that and make sure that they have that legitimate educational interests. And I would say also that the regulated data chart, all of that data is overseen by CIT. So any questions related to that, should be directed to CIT. It is a very helpful resource and pretty easy to follow, but it's a great thing to take a look at it and be sure that you understand how you can share the information. 

[Rhonda Kitch] I agree, Cindy, you're able to do filters to see whether it is FERPA permitted, restricted, prohibited. It's a great interactive chart, so be sure to check that out. 

Powerpoint Slide Text: What happens when there is a FERPA breach?, Title. Bullet 1: A FERPA breach is when an educational record is shared where it should not have been – big or small. Bullet 2: Reach out to your college registrar or OUR. Bullet 3: Will need to know date, time, what occurred, etc. Photos, illustrations, graphics here. Bullet 4: OUR reports to CIT’s DPIRT for review and action. Slide includes a photo of a ferret with it’s mouth open. 

Words on the picture say, “ FERPA Ferret says: CTRL, ALT, DELETE before you leave your seat.”

[Rhonda Kitch] Alright, well, what happens when there is a FERPA breach though? It happens. It happens sometimes quite easily. And in my experience most of the time, there was certainly not intention to do any harm. But a FERPA breach is when an educational record is shared where it shouldn't have been and that can happen in big ways. And we've all seen about those in the news. Somebody's laptop was stolen or left unattended. Maybe it didn't have authentication. and people were able to access files. Thanks to what our computers are, our laptops here are at Cornell, you know we're authenticated through the CIT system And that makes a big difference. But in terms of some of the small ways, probably the most frequent way that I see FERPA breaches occur is through emails and emails that are shared with somebody that they shouldn't have been. And or perhaps emails that contain specific information, student information, and it shouldn't have been shared by email, it should have been shared instead by the secure file transfer process that Cindy talked about. So, what we do when there is a FERPA breach? Well, for starters, reach out to your college register or OUR And keep in mind, this is really not meant to be punitive in any way. We want it to be educational and we want to be transparent. But we're going to need to know some specifics we're going to need to know the date, time, what happened, some of those particulars. And then from there, OUR takes it to CIT's DPIRT: data privacy incident response team for next step review and action. And most of the time in my experience, it's really been about reminding individuals of FERPA protocols and how information should be shared and what's next. in terms of that process, OUR is required, for FERPA we're required to note any breaches on the student's record. And so that's something that we take care of recording and indicating on the student's record. One of probably the easiest ways to prevent breaches is also to be sure when you leave your desk area unattended, you need to lock your computer screen. And so, I've said this for years, if you are walking away from your space and you no longer see your computer monitor, you need to lock your screen. So that's just a basic best-practice, but it certainly can prevent unauthorized access into the systems that you have access to. So something to keep in mind and certainly some best practices pieces. One of the areas, again, I mentioned email is a common common way for reaches to occur. I think probably the vast majority of email FERPA breaches that I've seen have been due to either inadvertently e-mailing somebody that shouldn't have been on the list or through a series of forwards. Information has been shared with somebody, like later down in the email thread. Information has been subsequently shared with somebody that shouldn't have access to that information. So again, it's just really about taking the time, taking a deep breath, not being quite as rushed, and getting through the information being sure that it's going to the sender that intended sender and then that the information within that message is appropriate. 

Powerpoint Slide Text:Are there FERPA considerations with social media?, Title. Bullet 1: Be cautious about posting any course related information on social media, including information about grades, course enrollments, class schedules or asking students to “check in” with a location. Bullet 2: Avoid taking/posting photos of students in class activities where they are identifiable and named specifically by course, unless signed permission is obtained from each student.

[Rhonda Kitch] Alright. Are there FERPA considerations, with social media? Yes, there are. And I just encourage folks to be cautious about posting course-related information on any form of social media. Definitely information that can be contained and connected to grades, enrollment, class schedules. Asking students to check in with a location is really never a good idea. And really it's not a bad thing to take photos of students. What it is is it's taking  the picture isn't the issue. It's about posting it on social media if there's not permission from that individual. And so I've been in some stickier situations with FERPA where students were identified via social media where there was perhaps only one section on the course. And so easy to see the location, the dates, the times that that section was meeting, and that could result in really some safety and security kinds of concerns and issues. So again, taking photos, not a FERPA violation. It's what's done with those, I do know of practices where you take a photo, you wanted to capture some really great class activity. Maybe it's not shared until it comes out in, say, publication later on or it's shared after the semester is done to say, look at some of the great things that happened in this course and that's used for promotional materials later. Those are very different kinds of situations because then we're really getting out of some of the safety security pieces that might be there. But if students are identified easy enough, Again, it's really a great idea to get their permission about, about being able to share that information. 

Powerpoint Slide Text: Picture of the character Jan Brady with the words FERPA, FERPA, FERPA! On it. 

[Rhonda Kitch] Alright, Well thanks Jan Brady. Yes. FERPA, FERPA, FPERA! We appreciate Jan's reminder. 

Powerpoint Slide Text: Are these FERPA Dos or Don’ts?, Title. Bullet 1:  Use SSN to identify a student • Release class schedule to attempt to locate a student. Bullet 2:  Release directory information if student has FERPA suppression. Bullet 3: Leave sensitive information on desk when away from office. Bullet 4: Discard documents with sensitive information without proper destruction and disposal. Bullet 5: Leave papers/exams in a stack for students to pick up. Bullet 6: Circulate lists with student IDs, SSNs or grades. Bullet 7: Access student records for personal or reasons other than those required for job. Bullet 8:  Release lists with student information to third parties. Bullet 9: Give information to another university official without verifying they have an educational need to know. Bullet 10: Submit a student’s paper to an anti-plagiarism service without first removing the student’s name, ID number, or other personally identifiable information.

[Rhonda Kitch] So looking through that laundry list here, we're looking at are these FERPA dos? are these FERPA don'ts? And hopefully at just a quick scan, you're able to see that there's a number of things on here that would probably be a little cringe worthy and thinking about how to best approach. I often think about FERPA from a standpoint. How would I want my information to be used if I were the student? Would I want to be giving if I was calling one of my former institutions, what I want to release my social security number over the phone to identify myself? Would I want my class schedule released in an attempt to locate me? So, putting yourself in these situations. I think really helps bring to light in terms of what's the best way to approach these in terms of some bestpractices.

[Cindy Grey] Absolutely, I think as you read through these, hopefully each one of these gives you a little pause and makes you think for a moment on everything we've talked about today and understanding that it is information that we do want to keep confidential and private.

Slide changes. To add All FERPA Don’ts across the slide. 

[Rhonda Kitch] And so all of these we would consider FERPA don'ts and some of them certainly would be FERPA breaches, FERPA Violations, others, I would say probably a little bit more in line with just definitely not a best practice and something you'd want to be thinking about.

Powerpoint Slide Text: Scenario 1, Title. There are various reports/queries available within colleges and departments. A doctoral student teaching in your college needs data for their dissertation. Since you have access to these reports, you could quickly help out this graduate student. Should you release the data? Why or why not? What are potential next steps?

 [Cindy Grey] We want to move now into talking through some scenarios. We think that that's probably one of the best ways to handle some of the situations that you may encounter through your work day to day. And we are hoping that you'll participate with us in this a little bit. So I'm going to read through the scenario and then if you would like to pull up the poll everywhere links that I have at the bottom of the screen. And we will have you enter your thoughts on the question around, What's your thoughts are around this? And then we'll talk about some of it. Why and why not? Potential next steps. So scenario one, there are various reports, queries available within the colleges and departments. A doctoral student teaching in your college needs data for their dissertation. Since you have access to these reports, you could quickly help out this graduate student and provide them with this data. Should you release that data? Take a moment now to go ahead and enter the Poll Everywhere. Provide your responses. 

So we have about 80% of people saying, no, we should not release this data. And about 17% are saying, I'm sure no one is saying yes, that's great to see. That's wonderful. So thank you all for participating. So Rhonda, what do you think on this? Why or why not? 

[Rhonda Kitch] Yeah, it's a great question you're wanting to be helpful. We get that piece. It really ties back to: what's the legitimate educational interests here? And what kind of information are we going to be sharing? So what we don't know, there's, there's some ambiguity here. So I love the fact that everybody who's a bit more cautious on this or just like, I'm really not sure. So one of the questions that I would have would be is it directory information that we're releasing. Even with that, like, how do we feel about releasing that? It's like, what kind of information, what are they going to be doing with it? How do we move forward from there? And so I think probably the easiest response is why don't you reach out to OUR to do some checking. But we want to know a little bit more about what kind of information, what data elements is this doctoral student needing to complete their dissertation? Is it something that we can share? You can share information, but it would be completely anonymized. And so there would not be specific students tied with the data that might be a potential as well. But then there's also the piece of precedence. If I help, I help this situation. Am I going to get pinged for every single or many, many different doctoral students' data requests from here on out, is that a place you want to be in? So it's thinking through a lot of those nuances and going from there. But I, but I am thrilled to see that a lot of folks who are in that cautious or even just a little bit unsure it probably wanting to scope out a little bit more information. That's great. 

Powerpoint Slide Text: Scenario 2, Title. You work in your college’s student services office, which means you have access to a lot of student data. Your sister’s children attend Cornell. Recently, while working through reports and communication you discovered your nephew has been placed on academic warning. You know your sister will want to know and your nephew is unlikely to share his grades and past semesters’ academic info. Should you release the data to your sister?  Why or why not? What are potential next steps? 

[Cindy Grey] Okay. Scenario two: You work in your colleges student services office, which means you have an access to a lot of student data. Your sister's children attended Cornell recently while working through reports and communication, you discovered your nephew has been placed on academic warning. You know, your sister will want to know and your nephew is unlikely to share his grades and past semesters' academic information. Should you release this data to your sister? A little more tricky. So go ahead and enter your responses to this. Okay, so we're seeing overwhelmingly 90% of people are saying no. A small portion are unsure. Again, great to see that you're unsure thinking, through it, and that no one's saying yes to this but Rhonda, what are your thoughts? 

[Rhonda Kitch] Well, again, yeah, exactly. Cindy, happy to see the when in doubt. Don't release and maybe do some checking first. I think about this in terms of you have access to the information. I certainly hope that if this is in the scope of my role and responsibility and I saw my nephew is in trouble that I had a legitimate educational interest to see that information. Um, very significant difference if, for example my nephew was in a different college and I just happen to be checking out some stuff and ran past this information. I categorize that more in the nosey neighbor category in terms of I was snooping where I shouldn't be. That quite honestly is a FERPA violation. And so, in terms of where yes, I'm sure my sister would want to know this information it's unfortunate that my nephew isn't going to share this information to know what's going on in the past. But in terms of where I'm at in terms of protecting student information, I have an obligation to protect his information and not share that. Quite honestly, if my sister happened to say, you know, I'm really wondering how so-and-so is doing. That's a conversation to say, you know, that's really something we're gonna want to talk to about with him. And if you're my sister and you're asking me this information, I would indicate, you know, I'm in a place that I need to protect the information access that I have in order to do my job. If that's something that you want to know more then you really need to talk to your son and go from there. Again, it's really about having conversations and being that my sister and her son have more little bit more transparent situation going on. But that's not a place that I would want to be in to share that information with my sister and violate the access and the responsibility that I have for our system, right?

 [Cindy Grey] And that is something that we addressed a little bit on our website too, around parents. It can be a very difficult time and a very difficult conversation to have with each other to understand what communication channels need to be open and talking through that. And so sometimes that can be a very hard conversation for the parents to have, and it can be hard to bring up in a conversation with a parent as well. 

Powerpoint Slide Text: Scenario 3, Title. John is a teaching assistant for Dr. Herstory’s 1234 history class. After a prelim exam, Dr. Herstory is called away for a family emergency. The prelims are already graded but have yet to be entered into Canvas. Eager to get this off his plate, Dr. Herstory gives John their username and password for Canvas. Over the weekend, John logs into Canvas and enters in the grades.  Is this acceptable?  Can TA’s have access to education records?

[Cindy Grey] Scenario three. John is a teaching assistant for Dr. Herstory's 1234 History class. After a prelim exam. Dr. Herstory is called a way for a family emergency. The prelims are already graded but have yet to be entered into Canvas. Eager to get this off his plate, Dr. Herstory gives John their username and password for Canvas. Over the weekend, John logs into Canvas and enters in the grades. Is this acceptable? Okay, so our responses are a little more varied now, so this is interesting, about 15% of people say yes, 65% say no, in 20% say unsure. So this brings up a little bit more of a discussion here. So, Rhonda? 

[Rhonda Kitch] So yeah, this is great and this is where we can see the greyness of what these scenarios may bring. And sometimes there's not necessarily enough information to get into what the right path forward might be, but in this situation where we'd be in terms of if John logs into Canvas using Dr. Herstory's username and password information. That's where we have the biggest problem. John, was that provisioned to have access to Canvas. And Dr. Herstory, should really not be sharing their username and password with anyone. That's actually violating acceptable use. In terms of what we have for our credentials here at the institution, you shouldn't share your credentials with anyone: your login information for any system. And so if John needs that kind of access and John has a legitimate educational interests to the entry of grades into Canvas, then John should have that information, should have Canvas access provision himself. And so that brings up the bigger question like, well, should John have that Canvas access? And if so, then let's have a path forward to get John that Canvas access. Then John could go ahead and enter grades all his heart content to help out his faculty member. In terms of can TAs, have access to educational records? Absolutely. If it's a part of their roles and responsibilities and performing the duties related to their position. Of course, that's considered again, legitimate educational interests. There might be nuances where it's not a best practice for a TA to have access to education records. Again, it really depends if they're more in a peer situation and they're working with students that way in the setting. I know there's a variety of situations that can arise in TA settings. So is it an undergrad, is it a graduate TA, that's where it really gets into some different different details and specifics. and so, an undergrad Tas situation may not be appropriate for that individual to have access to Canvas, to enter grades for their peers. So again, there's more information that we need. But this one, the basis really comes down to, it's about sharing credential information and not being able to allow somebody to login on your behalf. Because if you were to look at, if the Canvas team were to look at the Canvas logs We know that John would be logging in, but it would appear that Dr. Herstory was the one logging in and entering those grades, not John. 

[Cindy Grey] And by also giving John the access to Canvas, he would then be asked to complete those confidentiality and security trainings or signing off on those documentation so that he can understand FERPA little better and the use of educational records. So we do that even here in our office we have student workers that are working with us and have access to certain pieces of data or certain systems here in our office. We request that they sign off on understanding FERPA and all the information that they have access to and keeping that information confidential. That would also be an important piece of that. 

Powerpoint Slide Text: Scenario 4, Title.  You receive a frantic phone call from someone stating to be a student’s mother who must get in touch with her daughter immediately due to a family emergency. Can you provide information pertaining to the student's class schedule? Why or why not?

[Cindy Grey] Scenario four: you receive a frantic phone call from someone stating to be a student's mother who must get in touch with her daughter immediately due to a family emergency. Can you provide information pertaining to the students class schedule? Join us in answering that. So 95% of people say, no, no, you cannot share that information, which is great. To hear that. We have experienced this phone call quite a few times in our office, Whether it be that the parent is trying to get in touch with the student because something is happening in their family or that the parent is concerned about the student. They haven't heard from them in a couple of days, couple of hours. And they want to be able to find out where the student is so that they can touch base with them. So certainly this is information we need to maintain. 

[Rhonda Kitch] Absolutely and Cindy, one of the pieces that I think gets really sticky and tricky here is we'd like to believe the best in people. Yet, we don't know if this truly is student's mother, or if it's the student's parents or guardian. And I've certainly had situations related to safety and security. stalking situations for students that just called into question if we were talking to the very person that they were presenting themselves as. So as a practice OUR refers these calls to CUPD and CUPD will work through the nuances and decide some next steps from there.

 [Cindy Grey] And the CUPD again will work with a crisis manager or the dean of students office. So they have an entire protocol around handling these situations. So we definitely defer to them to handle that phone call. 

[Rhonda Kitch] So its not that there won't be information sharing. It might be a matter that somebody from the institution is reaching out to connect with the daughter, to say you need to get in touch with your family. You know, there's something going on versus giving the information to the individual, identifying as a parent or guardian and just letting go of it from there. So it's about how we navigate. 

Powerpoint Slide Text: Scenario 5, Title. A parent of one of your advisees wants the ability to speak with her daughter’s instructors on a regular basis regarding her progress in classes. The daughter has signed a consent form granting her mother access to this information. Are you required to honor this request? Why or why not?

[Cindy Grey] Scenario five: A parent of one of your advisees wants the ability to speak with her daughter's instructors on a regular basis regarding her progress in classes. The daughter has signed a consent form granting her mother access to this information. Are you required to honor this request from the parent? With the consent form. Again, so we're a little varied here in our responses. By 8% of everyone said yes, 75% said no, and 18% said, unsure. And again, another great example of the gray area of FERPA. 

[Rhonda Kitch] So the trick to this one, the nuance I should say in the question is are we required to honor This request, going back to a number of slides earlier, that FERPA is full of mays and not many musts. And so we may honor this, but we're certainly not required to. And so it's great that the daughter has signed a consent form. That's really step one in terms of navigating through how what a good next step would be. But we aren't required to do this. And so I think the nuance here really comes down to how a college wants to approach this. That does a college really want to say, Yes, we're fine with a parent talking to instructors on a weekly basis on how their daughter is doing in a class. For some colleges, I would probably guess that that feels like overreach and not something that they're wanting and committed to doing. And so in terms of how to move forward on this request, great that the daughter has signed the consent form. But what is the consent form say? Is it really a matter of the mother can talk to somebody at the institution about the daughter's academic progress. That's very different from saying the daughter saying yes, it's fine that my mom checks in with my instructors every week. So again, really getting into what was the request, what are some of the reasonable expectations to move forward and the detail that we're not required to honor the request, we may choose to honor that request and then go forward from there. Okay. 

Powerpoint Slide Text: Scenario 6, Title. You receive a call from an employer asking for names and campus addresses of students with a GPA of 3.0 or better. They say they have multiple position opportunities for these students. We have a strong relationship with this employer. Can you help these students get jobs by sharing this information?

[Cindy Grey] Scenario six, you receive a call from an employer asking for names and campus addresses of students with a GPA of 3.0 or better. They say they have multiple position opportunities for these students and we have a strong relationship with this employer. Can you help these students get jobs by sharing this information? Again, a little bit varied. So 3% said yes, 95 no, and 3% unsure. It's very interesting here. I think this definitely comes into the realm of wanting to help students, right? We want to help them good job opportunities and be able to get that information. But how can we best share that and keep, maintain our student records? 

[Rhonda Kitch] So in terms of when I think about an external data requests that we're releasing to a third party and we're talking beyond the institution, Are we releasing and looking at information that is directory information? If so, are we okay with that again, just because we can release directory information doesn't mean you're required to. But if we were if the request was for names and campus email, that piece is a little different too, because campus address is never considered a directory information data element. But names of enrolled students are directory information provided They don't have a FERPA flag or FERPA suppression on file. The GPA piece is also a little tricky and nuanced Wouldn't want to be identifying students to indicate that even though we're not releasing their specific GPA, by identifying a list of students with a GPA of three point or higher, we are identifying, We're making some identification then of their academic achievement level really is. And that's something, again, we want to be thoughtful about and avoid. If this was more a matter of that employers, strong relationship with the employer and they're asking for names and IDs of all students in a particular major. Is that something that you can release? Sure. We actually could release that. That's all directory information. Again, provided the students don't have a FERPA flag on file. It's more a matter of do we want to get into that practice? Any requests for these kinds of data situations really should be something that you would have a conversation with OUR. In these situations OUR would probably be querying the data. So just reach out again if you have questions about appropriate data use and what the process is, because there are data stewardship models and processes to work through as well in terms of how we share student information and requests that would need to be reviewed and approved before this information could be shared. Again, providing it's directory information.

 [Cindy Grey] Another thing to speak about is how we can help this situation without having to share the data. And maybe there's a way that the opportunity from the employer can be shared out of your office or posted for students in another fashion, rather than giving the employer themselves the data on the students. 

[Rhonda Kitch] Absolutely. There's, there's different ways to approach. And that's certainly one of them that we can take the information and subsequently share it out. Absolutely.

Powerpoint Slide Text: Scenario 7, Title. A parent calls and is logged into Student Center for the student. They are trying to add/drop classes. Is it okay to proceed talking to them? How would you advise them?

 [Cindy Grey] Okay. scenario seven. Last one and one that is very pertinent to these days that we're going through right now with pre-enrollment. So a parent calls and is logged into Student Center for the student. They're trying to add and drop classes for the student. Is it okay to proceed talking to them since they're already logged into the student's Students Center. Okay. So everybody said, no. Great, great. This has been a very hot topic in our office the last few days going through pre-enroll and we have talked with parents in this same situation right now I'm logged into my student's Students Center. I'm trying to add XYZ class. It says this. It says that, um, and so one of the things that we hold strong on, is advising parents that they are currently in violation of the student's code of conduct. And by accessing the student's Students Center and using whether the student logged in for them and is sitting right next to them, or the students share their credentials with the parent to be able to login. As Rhonda said before, that is a violation of the use of your credentials and IT policy. We've recently reviewed some of this with IT and if by chance the student and the parent are logged in at the same time in the IT is seeing that they're being, they're logged in in different locations such as like from different IP addresses. IT does flag that as a possible invasion in the student's record and will notify the Student that there is a possible breach of their information. So we kindly notify the parent that it is a violation of the student's code of conduct and we would like them to no longer be using Student's Center and that we cannot proceed with talking with them about anything related to the student and what information they're seen on Student Center. 

[Rhonda Kitch] Absolutely. This is a perennial challenge at any institution. From, from my perspective, I've shared that I said, Well, it's Students Center. It's student information. The student is responsible for this information. The students is the one that's been having conversations from an advertising standpoint, knowing what to take and what path forward. I've worked through a variety of situations, very unfortunate situations where parents have inadvertently dropped courses and students have not been able to recapture enrollment in those courses. And it's made a pretty significant negative impact in terms of academic progress for those students. So again, ties to acceptable use and, and what students should be doing. But no, we want to stop the conversation and encouraged the students, for the parent to connect with the students and the student should be taking action and if the student has questions, they can reach out. 

Powerpoint Slide Text: FERPA Ferret, Title. Picture of a ferret with a toothbrush. Words on the picture say “Passwords are like toothbrushes. Don’t share them with your ferret.”

 [Cindy Grey] So you may see some consistencies here with our friend, the FERPA ferret and definitely have to give kudos to our colleague, Karen, who reminds us frequently on the FERPA ferret and gives us fun little pictures of him frequently. So we definitely this relates to what we just talked about when sharing passwords and credentials with other people to be able to log into a system. You definitely don't want to do that. We definitely don't want to do that with our colleagues either. 

[Rhonda Kitch] Absolutely Cindy. 

Powerpoint Slide Text: Key Resources, Title. Bullet 1: Cornell University Office of the University Registrar https://registrar.cornell.edu/service-resources/ferpa  Bullet 2:  Courses of Study details the Annual Notification Under FERPA. Bullet 3: Cornell University Policy 4.5-Access to Student Information https://policy.cornell.edu/policy-library/access-student-information. Bullet 4: American Association of Collegiate Registrars and Admissions Officers (AACRAO)  http://www.aacrao.org/. Bullet 5: U.S. Department of Education’s Student Privacy Policy Office (SPPO.  https://studentprivacy.ed.gov 

[Rhonda Kitch] Then finally to wrap up, we really wanted to share some various key resources. We have our website through OUR. In addition, within courses of study, we detail the annual notification under FERPA. So you can see exactly what students receive in that annual notification. There's Cornell policy 4.5 that details access to student information. There's our professional organization, the American Association of Collegiate Registrars and Admissions Officers. AACRAO. AACRAO provides and has published a number of publications. This is probably the tried and trued FERPA guide that we go back totime and time again. We resource that a lot. They also released so 2020 FERPA guide. And then my favorite title, FERPA clear and simple. This didn't come from AACRAO, but from another organization. 304 pages of how a FERPA is clear and simple, but a lot of practical use information within these guides and we use those as well. In addition, the Department of Ed's SPPO office also has resources on their website that can be very beneficial. So a variety of resources to help with all these perplexing FERPA questions and to help us navigate the best path forward. 

Powerpoint Slide Text: OUR Contact Information, Title. Picture of a Star Wars Stormtrooper with the words saying” The moment you realize your co-worker isn’t FERPA trained”. Cindy Grey – cmk26@cornell.edu. Rhonda Kitch – rkk68@cornell.edu.

[Rhonda Kitch] Finally, here's contact information specifically for Cindy and myself. Again, we're always happy to reach out and to connect. If we were in a face-to-face setting together, we would've shared lifesavers because we want you to remember that OUR can be your lifesaver and help you out and be there when you need to consult and ask your questions. We're in this together. So thank you so much for joining us today. And thank you to Jen Weidner who was able to monitor chat, neither Cindy nor I could watch the chat while we were doing this today. So again, thank you to Jen for being able to pull some different threads out and go from there. I am going to stop recording.