FERPA and Student Work: Considerations for Electronic Theses and Dissertations
Information privacy is an important consideration when transitioning university collections from paper to electronic access. Yet the protection of and limits to student privacy regulations have rarely been addressed in the literature for online electronic theses and dissertations (ETDs). The Family Educational Rights and Privacy Act (FERPA) and its relevance to student work should be a consideration when widely distributing scholarship like e-portfolios, ETDs, and senior capstone projects. In this article, we share several campus approaches to FERPA and electronic student work.
Protecting the privacy of students' grades, health records, and similar documentation is not just a good idea, it is the law. But do protected "education records" encompass student works such as theses, dissertations, capstone projects, and the like?
In higher education, graduate student scholarship and research is often deposited in the university library with the expectation it will be available to library patrons, including students and faculty, as well as to other academic institutions. But legislation such as the Family Educational Rights and Privacy Act (FERPA) of 1974, featuring careful but vague wording, makes it challenging to determine the scope and reach of privacy laws.
Information privacy is an important consideration when transitioning university collections from paper to electronic access. Yet the protection of and limits to student privacy regulations have rarely been addressed for online electronic theses and dissertations (ETDs).
FERPA should be a consideration when widely distributing student work, including e-portfolios, ETDs, and senior capstone projects. In this article, we share several campus approaches to FERPA and electronic student work.
Student Information and FERPA
The Family Educational Rights and Privacy Act of 1974, also known as the Buckley Amendment, is a federal law designed to protect the privacy of student educational records in response to a history of inconsistent institutional policies and improper disclosure of student information. Throughout the years, challenges to FERPA resulted in refinements to the Act, with the most recent changes occurring in December 2008.
This law applies to all public K-12 educational institutions and most postsecondary institutions that receive federal funds allocated by the US Department of Education. Among other options, FERPA gives students the right to inspect and request corrections to their educational records as well as to limit the release of "personally identifiable" information from their records.
Legally, educational institutions may disclose directory information. Directory information is defined as "information that would not generally be considered harmful or an invasion of privacy if disclosed". Students must be notified about the possible disclosure of directory information and have an opportunity to "opt out", thus limiting disclosure of their directory information. Examples of directory information include the student's name, address, phone number, email, photograph, date and place of birth, major field of study, grade level, enrollment status, dates of attendance, participation in university activities; weight and height of student athletes; degrees, honors and awards received; and the most recent educational agency or institution attended.
In practice, some educational institutions have further limited the amount of directory information they will release, including limiting disclosure of "locator" information such as address and phone number.
Many universities allow students to limit disclosure of their directory information by using a secure university portal or other electronic system accessible from on or off campus with proper verification of their identification.
Once a student turns 18, or begins attending a higher education institution, the FERPA rights transfer from the parent to the student. If the student is still claimed on the parent's income tax returns as a dependent or if there are health and safety reasons, parents can still access their child's educational records without the student's consent.
School administrators, teachers, and other school officials as well as contractors and other outside service providers with "legitimate educational interest" are able to access education records without student consent. But a process does need to be in place to ensure only the appropriate parties are privy to such information and that the information, in turn, is not wrongly disclosed to outside entities. School districts and higher education institutions are responsible for utilizing reasonable methods to ensure that teachers, school officials and outside service providers obtain access to only those educational records paper or electronic in which they have legitimate educational interests."
But what are considered "education records"? According to FERPA, education records are "directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution" and include "any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche."  This does not include private notes intended for personal use, student disciplinary, law enforcement or medical records, and certain student employee records.
The education records of current and former students are protected under FERPA. Once a student limits disclosure of their directory information, it is honored even after graduation. But "an educational agency or institution is not required to notify former students about the institution's directory information policy or allow former students to opt out of directory information disclosures." A higher education institution can legally disclose directory information about alumni if those students did not limit disclosure of their information while they were enrolled at the institution.
State laws on student privacy may place further protections on students' educational records and each higher education institution has its own interpretation of the state and federal laws governing educational records.
Selected Literature Review
FERPA and its relevance to student work has received limited attention in the literature. Perhaps that is because until the events of September 11, 2001, and the creation of the USA Patriot Act, higher education institutions did not experience outside interest or requests for student information. Much of the focus has been on the development of campus compliance strategies in response to security breaches and privacy leaks of student information.
In fact, it was not until 2002 that universities began to hire chief privacy officers (CPOs). While common in the private sector, CPOs are still relatively rare in the academic world. These individuals help manage risk on university campuses, provide valuable guidance on compliance, give recommendations for increasing security measures, heighten awareness of privacy issues and campus responsibilities, and serve as a resource to help interpret the sometimes overly complicated legal jargon.
Even with the implementation of student ePortfolios (an online compilation of a student's works) by the Connecticut Distance Learning Consortium, FERPA was just one of many decision points in implementing broad access to student work.[12,13]
In the early 1990s, there was mounting concern in some university sectors that the FERPA definition of "education records" included the work of students. Would graduate and undergraduate works, such as dissertations, theses and capstone papers, fit within FERPA and, therefore, limit the release and circulation of such student works in some libraries? Spurred by a request by the American Library Association, LeRoy S. Rooker, Director of the Department of Education's Family Policy Compliance Office, provided clarification in September 1993, recognizing that
"undergraduate and graduate "theses" often differ in nature from typical student research papers and other education records, such as written examinations, in that they are published or otherwise made available as research sources for the academic community through the institution's library. It has been and remains our understanding that in these circumstances an educational institution would ordinarily have obtained the student's permission to make his or her work available publicly before doing so, perhaps in connection with notifying the student of specific course or program requirements. Consequently, an institution need not obtain a student's signed and dated specific written consent to disclose or publish a thesis in the library or elsewhere at the institution. Neither the statute, the legislative history, nor the FERPA regulations require institutions to depart from established practices regarding the placement or disclosure of student theses so long as students have been advised in advance that a particular undergraduate or graduate thesis will be made publicly available as part of the curriculum requirements."
On Sept. 15, 1993 the Chronicle of Higher Education reported this interpretation after contacting the Association of Research Libraries. The following month it was reported to the academic library community through a brief article in College and Research Libraries News. According to the correspondence archives of the Society of American Archivists, as described in the 2004 article "Navigating Ambiguous Waters: Providing Access to Student Records in the University Archives," the SAA also supported this action following a resolution put forth by the SAA's College and University Archives Section to "protect the traditional status of unpublished dissertations and theses as research materials."
Student Information and Theses and Dissertations
From a university's point of view, its Institutional Review Board (IRB) exists, in part, to handle theses and dissertations with FERPA issues. IRBs ensure that the rights of participants are protected when research protocols involve human subjects, among other activities. These rights include maintaining the anonymity of individuals surveyed and non-disclosure of sensitive and private information.
In spite of this, theses and dissertations sometimes contain now-private information such as Social Security numbers. These works, while available to walk-in patrons and interlibrary loan, sat on library shelves and infrequently circulated. Today theses and dissertations are commonly scanned to improve access to graduate student research and it requires additional careful work to ensure that sensitive information is not reproduced and distributed. Many academic libraries make scanned works openly accessible on the Web without explicit permission from the authors. Other universities, like Virginia Tech, follow a more cautious approach, providing university community members-only access to scanned theses and dissertations.
Considerations when Implementing ETDs: The Cal Poly Experience
In Spring 2008, the Robert E. Kennedy Library at California Polytechnic State University, San Luis Obispo, collaborated with their Research and Graduate Programs Office to lay the groundwork for electronic thesis implementation. Given the campus emphasis on technology and innovation, the relatively small graduate population (comprising roughly 6% of the total student enrollment), the existing centralized paper submission process, and the recent creation of the university's institutional repository, implementation of ETDs seemed to be a natural next step.
After analyzing the paper workflow and reviewing other campus ETD implementations, the library conducted a campus pilot to collect content, determine workflow, test software, and identify, review and update campus and library policies. FERPA became a salient issue during this phase.
Students control FERPA settings through the Cal Poly portal, an online centralized place for registration and enrollment information; employee information; college, department, and club information; and many widely used campus applications and computing services.
Once logged into the portal, a student can set FERPA privacy restrictions, thus limiting the information shared with the campus and student directories, campus clubs and university alumni association. By default, the system allows access to student directory information. A student can override the default and set a restriction that, in effect, electronically removes their information from public view.
The FERPA setting is shared with other Cal Poly campus systems relevant to enrollment, registration, student academic records and other specialized activities. Only campus officials with expressed needs can access these systems, and determine the FERPA privacy settings of individual students.
During the pilot phase of the ETD submission process, questions were raised about the library need, ability, and responsibility to verify student FERPA flags and privacy settings for student publications. Few library staff had access to these tools, presenting challenges in honoring FERPA settings. The broad FERPA definition of "education records" ostensibly encompassed all student work, which contradicted the library's mission of providing open access to student research and academic output including master's theses, graduate reports and undergraduate capstone projects.
A meeting with the campus FERPA Compliance Officer expanded the understanding of the legislation, and engaged the library in a period of self-review to identify and adjust library activities subject to FERPA laws, such as circulation records, interlibrary loan requests, and student employment records.
Bolstered by the 1993 correspondence between the American Library Association and LeRoy Rooker (in effect sanctioning the public circulation of student work notwithstanding FERPA),  the library pursued an open access approach to the implementation of electronic thesis submission, circumventing the need to incorporate additional administrative or system checks to determine privacy settings.
A final consultation with the FERPA Compliance Officer resulted in added wording to the submission agreement, a required step during the electronic submission to the online repository. In particular, the officer suggested adding the following statement:
"Students making submissions to this repository agree to share their work and waive any privacy rights granted by FERPA or any other law, policy or regulation, with respect to this work, for the purpose of publication."
The statement serves to remind students that they are waiving privacy rights and notifies them that this exception overrides any FERPA privacy settings that they may have previously set.
Accommodating FERPA Retroactively: Including the Virginia Tech Experience
From the first formal requirement that graduate students submit their theses and dissertations online at Virginia Tech in 1997, universities anticipated their legal vulnerabilities. It was not due to the concerns about FERPA compliance, but rather apprehension about violating author rights and copyright infringement. Universities subsequently adopting ETD initiatives largely chose to have their graduate student authors formally agree to what had been standard library practice for over one hundred years. The typical agreement reads:
I hereby grant to [the institution] and its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation, or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report.
However, during a review of compliance guidelines, Virginia Tech legal counsel raised questions and reviewed policies and guidelines for various records management systems. In March 2009, such a re-examination of FERPA prompted officials at Virginia Tech to evaluate the accessibility of ETDs. This triggered a survey of institutions with ETD initiatives including a listserv query sent to ETD-L@listserv.vt.edu and NDLTD-BOD-L@listserv.vt.edu.
Results revealed that most universities have been largely unaware or unconcerned about the impact of FERPA on ETDs.
Only a handful of universities address FERPA within their ETD initiatives. For example, many of the Texas universities (e.g., Baylor, Houston, University of Texas at Austin), require that students specifically waive their FERPA non-disclosure rights. The "Copyright and Availability Form" from Texas A&M University's Thesis Office says, "To the extent this thesis, dissertation, or record of study is an educational record as defined in the ... FERPA ..., I consent to disclosure of it to anyone who requests a copy." The University of Kansas obviously draws on FERPA without directly mentioning it on the KU ETD Release Form: "By signing below, the student is ... authorizing disclosure of the student's work to others, and is relinquishing and waiving any claims that may arise under any statutory or common law protections..."
University of Oregon addresses student rights broadly for its Scholars' Bank digital repository. According to their policy, "Students have given permission for public posting of any work they have authored that appears in Scholars' Bank, either directly to the host department or to the Libraries."
Other institutions have elected to address FERPA information on a university-wide level. For example, North Carolina State University's Office of Legal Affairs' "Legal Topics" include the "Student Privacy Law". Written consent is not necessary if students are notified that theses could be made publicly available as part of curriculum requirements. 
Most American universities post university-wide FERPA guidelines and do not correlate privacy issues with ETDs. These policies are managed by legal affairs offices as at West Virginia  or by the registrar as at Virginia Tech.
International Perspectives on Student Privacy and ETDs
The response to a query of the Board of Directors of the Networked Digital Library of Theses and Dissertations (NDLTD-BOD-L@listserv.vt.edu) was consistent though small. International institutions identified student privacy rights as a US-centric issue, pointing out that their countries lacked laws that ensure the right to privacy. However, they also pointed out that their countries focus more on public versus private good and ensuring access to information rather than protection.
Given the importance and attention given to FERPA, it is surprising that so little has been published about FERPA and online student works such as ETDs. It is inaccurate to conclude that this is due to either limited knowledge or indifference about the topic. Rather, we speculate like Richard Rainsberger, frequent author of FERPA interpretations for the American Association of Collegiate Registrars and Admissions Officers, "We do not change our policies simply because our educational delivery methods have changed."
FERPA should be a consideration when providing wide access to e-portfolios, ETDs, and electronic senior capstone projects so that everyone in the university community is aware of the myriad of related issues.
1. 20 US Code. Sec. 1232g; 34 C.F. R. Part 99. Family Educational Rights and Privacy Act of 1974. Federal Register. 73 (2008): 74806 -74855. Retrieved 6 Aug. 2009 http://www.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf.
3. Your Privacy Rights: Questions and Answers. 18 Aug 2009. Office of the Registrar, California Polytechnic State University San Luis Obispo. Retrieved 6 Aug. 2009 http://www.ess.calpoly.edu/_records/stu_info/ferpa_q&a.htm.
4. United States. Family Policy Compliance Office. Family Educational Rights and Privacy Act (FERPA) Final Rule, 34 C.F.R. Part 99, Section-by-Section Analysis (December 2008). Washington: GPO, 2008. Retrieved 6 Aug. 2009 http://www.ed.gov/policy/gen/guid/fpco/pdf/ht12-17-08-att.pdf.
5. 20 US Code. Sec. 1232g; 34 C.F. R. Part 99.3. Family Educational Rights and Privacy Act of 1974. 2008. Retrieved 6 Aug. 2009 http://edocket.access.gpo.gov/cfr_2008/julqtr/pdf/34cfr99.3.pdf.
6. 20 US Code. Sec. 1232g; 34 C.F. R. Part 99. Family Educational Rights and Privacy Act of 1974. Federal Register. 73 (2008): 74806 -74855. Retrieved 6 Aug. 2009 http://www.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf.
7. Baker, Thomas R. "Navigating State and Federal Student Privacy Laws to Design Educationally Sound Parental Notice Policies." New Directions for Student Services, 122 (2008): 81-103.
8. Public Law 107 - 56. http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/content-detail.html.
9. Toglia, Thomas V. "How Does the Family Rights and Privacy Act Affect You?" Education Digest, October 2007: 61-65.
10. Baker, Thomas R. Ibid.
11. Guernsey, Lisa. "A Wealth of Data, and Nobody in Charge." Chronicle of Higher Education, 25 November 2008: 1.
12. Goldsmith, Diane. "Enhancing Learning Assessment Through e-Portfolios: A Collaborative Effort in Connecticut." New Directions for Student Services, 119 (2007): 31-42.
13. Jafari, Ali. "The "Sticky" ePortfolio System: Tackling Challenges and Identifying Attribute." EDUCAUSE Review, July/August 2004: 38-49. Retrieved 18 Sept. 2009 http://www.educause.edu/EDUCAUSE+Review/EDUCAUSEReviewMagazineVolume39/TheStickyePortfolioSystemTackl/157912.
14. "Department of Education Clarifies Access to Theses." ALA Washington Office Newsline, 8 Sept 1993. Retrieved 6 Aug. 2009 http://serials.infomotions.com/alawon/alawon-v2n37.txt.
15. Jaschik, Scott. "Education Department Backs Off Statement that Colleges Need Permission to Keep Student Theses in Libraries." Chronicle of Higher Education, 15 Sept. 1993: 32.
16. Henderson, Carol C. Ibid.
17. Chute, Tamar G., and Ellen D. Swain. "Navigating Ambiguous Waters: Providing Access to Student Records in the University Archives." American Archivist, Fall/Winter 2004: 212-233. Retrieved 20 Sept. 2009 http://archivists.metapress.com/content/v418724687421m15/fulltext.pdf.
18. Mundle, Todd M., Simon Fraser University. David Palmer, University of Hong Kong. Emails to Gail McMillan. 12 Dec. 2005.
19. Henderson, Carol C. "Department of Education Clarifies Access to Theses." College and Research Libraries News, 54.9: 527.
20. Fox, Edward A., John L Eaton, Gail McMillan, Neill A. Kipp, Paul Mather, Tim McGonigle, William Schweiker and Brian DeVane. "Networked Digital Library of Theses and Dissertations: An International Effort Unlocking University Resources." D-Lib Magazine. Sept 1997. Retrieved 21 Sept. 2009 doi:10.1045/september97-fox.
21. "Copyright and Availability Form." 2009. Thesis Office, Texas A&M University. Retrieved 18 Sept 2009 http://thesis.tamu.edu/files/copyright_availability_form.pdf.
22. "Electronic Theses and Dissertations (ETD) Release Form." Mar. 2008. University of Kansas. Retrieved 18 Sept 2009 http://www.graduate.ku.edu/-downloads/04-d6_KU_ETD_release.pdf.
23. FERPA and Scholars Bank. 26 Aug. 2006. University of Oregon Libraries, University of Oregon. Retrieved 20 Sept 2009 http://libweb.uoregon.edu/catdept/irg/SB_ferpaRev.html.
24. Student Privacy Law (FERPA). 01 Aug. 2008. Office of Legal Affairs, North Carolina State University. Retrieved 20 Sept 2009 http://www.ncsu.edu/legal/legal_topics/student_privacy.php.
27. The dearth of information extends to the Journal of College and University Law, 1992-2005, Library Trends, and the Journal of Academic Librarianship.
28. Rainsberger, Richard, "FERPA in the Digital Age: What You Need to Know." ECURE 2001: Preservation and Access for Electronic College and University Records. Mesa, Arizona. 12 Oct. 2001. Retrieved 20 Sept 2009 http://www.asu.edu/ecure/2001/ppt/rainsberger.ppt.
About the Authors