FERPA for matriculating student

Most FERPA questions seems to be about the application process. The school my child is matriculating out sent out a FERPA notice as part of pre-enrollment, that the following information is considered directory info that they can give out freely unless the student requests otherwise:

Student name, address (home, campus and email), home, cell and campus telephone number, picture, date and place of birth, dates of attendance, enrollment status, course schedule, field of study, participation in officially recognized activities and sports, weight and height of member of athletic teams, degrees and awards received and the most recent educational agency or institution attended.

This seems very ill-advised in terms of identity theft, of which college students are more prone to be victims than most. I know some of this information should be able to be shared under the right circumstances, and with the right parties, but this seems so broad that it’s asking for trouble.

Has anyone else seen anything like this and put any limits on it? At the very least it seems that date and place of birth shouldn’t be publicly availably, and I’m not so sure of most of the rest of it, either! Of course, I don’t want my kid not included in a student directory that goest out to the whole incoming class.

Thoughts?

Call and ask if they give this info to anyone. I doubt that is the case. Back when my kids were on college, we had the same form and it was sent to parents. The kid has to opt out of sharing information with parents. And the kid could choose to do so.

Or simply decline to have the info released! That’s easy enough to do. Right?

they can give out freely unless the student requests otherwise

Yes, we will write them, but I want to make sure we don’t make our requests so restrictive that it causes problems for normal things, like verifying someone is a student! I’ve seen on other boards students/parents having difficulty if they didn’t waive permissions.

For example, it makes sense in a student guide to say where the students hail from; it doesn’t make sense to say where they were born.

Check to see what is included on a transcript, for example…because at some point that might need to be shared.

Increasingly, the trend is for fewer things to appear on a transcript. With a date and place of birth, a “not so sophisticated hacker” can do lots of nefarious things, so most colleges are providing name (social security number blocked out) and the relevant course description and grades.

Student enrollment verification does NOT require a transcript-- there is a national clearinghouse which most (not all) colleges participate in. So a landlord or car insurance company can pay the fee to verify a student’s enrollment but won’t get access to any other information.

I was a Registrar in a former life. While we “could” release certain information because the FEDERAL FERPA law allows it, we were very careful about what we actually released and to whom we released it. Your student is well within their rights to waive the ability for the school to release information, but it’s typically an “all or nothing” thing. From the point of view of someone who was protector of information at two different colleges, my take is that information is carefully guarded by schools. You can contact the Registrar to ask under what circumstances information allowed to be released under FERPA regulations is actually released per school policies.

The last school where I worked did not participate in the national clearinghouse for enrollment information. However, a call to the Registrar was all that was necessary to verify that a student had received a degree. A student who chooses to opt out of information being shared will not easily be able to allow others to verify current enrollment, though. They would most likely have to complete a form allowing a one-time release of specified information to a particular person in order for their current enrollment to be verified.

It’s correct that current transcript policies lean toward removing certain information for students/graduates, such as SSN and DOB.

My HR team constantly has to verify enrollment (for internships) and graduation (for ANYONE who lists an institution on their resume) and it’s not a big deal for the (increasingly small) group of colleges which do not participate in the clearinghouse. BUT- everyone should be aware that NOTHING belongs on their resume which is not a verifiable fact.

You took a three day seminar on negotiation at Wharton? That’s not an MBA and it takes three clicks of the mouse to figure that out. You plan to re-take the CPA exam because you failed the first time? You do not actually HAVE a CPA. Your “planned” graduation was June 2023 but the registrar just informed you that you are missing four credits (incomplete, W’s whatever…) ANY employer who checks is going to see January 2024 (or whatever date you actually finish) as the date the degree is granted. I’ve heard every excuse in the book- “But they let me walk” and “they handed me a blank piece of paper instead of a diploma since my parents had already booked airline tickets”, etc.

Don’t be that person. It’s just so easy to put truthful and verifiable information on your resume, why bother shaving the truth?

That’s what I thought as well.

I will do that. I hope it isn’t all or nothing!

This doesn’t seem unreasonable.

I live in a state where the Department of Revenue messed up and the entire state’s information(among those who file taxes or are a dependent with a SSN) was compromised, including children. They have to keep their credit locked forever. So I’m a bit sensitive to such things.

It’s ok to be sensitive! And reminding everyone (especially your kids) how easy it is for someone to get personal data is a good discipline.

My neighborhood had a spate last summer of break-ins. All the houses were empty, so nobody’s safety was compromised, but it was a bit of a head-scratcher until a Millennial on the police force figured out that everyone who was robbed had posted on Facebook “We’re heading to Hawaii for two weeks, we’ll post photos when we get there” or “Wish me congratulations on the birth of a grandson- I’ll be in Seattle for the next ten days and can’t wait to see my cutie”.

You can have neighbors take in your mail and packages; you can pay someone to keep your lawn mowed while you are gone. But if you are LITERALLY advertising that your house is empty-- on a public forum (there is no privacy on Facebook)-- good luck to you…

You’re smart to be prudent.

There should be lots of millennials in police departments these days…

This type of thing in the old days was associated with things like funeral announcements in newspapers where thieves would know that the deceased person’s house would be unoccupied during the funeral. But anyone who has heard of such a thing should realize that social media posts about vacationing away are best done after returning.

I spoke to the Registrar’s office; they say it’s for internal use on their secure servers and actually had me read them the specific language. They assured me that the school doesn’t share information, but told me to call IT. So I’m waiting to hear back form IT, which seems strange.

IT will know who else in on the university’s system has access to student information and records- health services? Financial aid/bursar’s office (you can’t accept federal funds for a student who has not enrolled or has dropped out, right?), Housing, etc.

Not strange at all. They will be able to reassure you what kind of information (enrollment date but nothing else; student in good standing but nothing else) can be accessed by a university employee with the appropriate passcode/clearance.

Are you aware of any way to make a distinction? It occurred to me the height/weight thing is probably there to be published in programs for varsity athletes, but I don’t know that all students’ heights and weights should be considered shareable, even if the College wouldn’t share!

The registrar did mention it might be related to a military thing. Which also seems odd.

I have seen thousands of transcripts in my career and have never seen height and weight… so it certainly isn’t released to employers, even in the years before the FERPA and privacy laws became a “thing”. And I cannot fathom how a U would even find out height and weight… healthcare records are separate from academic and bursar records.

There are universities overseas which used to send TONS of irrelevant information (including marital status, frequently a photo) but given the European privacy laws, that has mostly stopped.

Colleges take this stuff seriously.

From my OP, if members of athletic teams.

I don’t doubt that colleges take it seriously. I can’t wrap my head around why I’m supposed to just trust that they take it seriously while waiving my insistence that they take it seriously. I was assured nothing is given out, which I’m sure is true, but then why do I have to opt out of it being given out? Liability?

Height and weight would be used for athletes, I assume. Neither school where I was Registrar had sports teams, so we would never have released that information (I removed it from our statement). The statement is actually taken from Congressional law, 34CFR (Code of Federal Regulations) 99.3:

“Directory information means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.

(a) Directory information includes, but is not limited to, the student’s name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.

(b) Directory information does not include a student’s—

(1) Social security number; or

(2) Student identification (ID) number, except as provided in paragraph (c) of this definition.

(c) In accordance with paragraphs (a) and (b) of this definition, directory information includes—

(1) A student ID number, user ID, or other unique personal identifier used by a student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a personal identification number (PIN), password or other factor known or possessed only by the authorized user; and

(2) A student ID number or other unique personal identifier that is displayed on a student ID badge, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user’s identity, such as a PIN, password, or other factor known or possessed only by the authorized user.“

So schools “can” release any of the information they include in their annual notification of directory information. That doesn’t mean they will just give anyone information for any reason, though.

Thank you. Now I know where the language comes from, at least.

And of course it could be harmful to disclose date and place of birth!

I hope they will let us exclude that and not have it be all or nothing.

I forgot to address the “military thing.” There is a law that says secondary schools have to provide military recruiters with directory information upon request unless the parent/student has opted out of sharing directory information - bet you didn’t know that directory information is a thing in all levels of school: What are the requirements of § 9528 of the ESEA, regarding access to student contact information by military recruiters or institutions of higher education? | Protecting Student Privacy … and they must allow access to military recruiters in the same manner they allow access to college recruiters. Military recruiters ask colleges for the same information and access. Typically, the request is granted. (I interpret the law as being for K-12, though, and my opinion is that colleges are not under the same requirement to provide information or access - but I suspect most, although not all, do it.)

Thanks.