Northern Arizona University   Information Technology Services

ITS Info Online

Spring 2009


FERPA Changes Are Here

It is the responsibility of all employees at the university who work with student data to be familiar with the Family Educational Rights and Privacy Act (FERPA). The Act has been updated, and the final ruling was released in December. Changes were made in a number of areas; this article focuses on those with potential implications for technology services at NAU.

Outside Service Providers

We use many outside service providers at NAU, yet outside service providers were never directly addressed by FERPA. Now the “school officials” exception has been expanded to include contractors, consultants, volunteers, and other outside service providers used by an institution to perform institutional services and functions. A contractor (or other outside service provider) who is given access to education records under this provision must be under the direct control of the disclosing institution and subject to the same conditions on use and redisclosure of education records that govern other school officials. In particular, the contractor must ensure that only individuals with legitimate educational interests (as determined by the district or institution, as appropriate) obtain access to personally identifiable information from education records it maintains or creates on behalf of the district or institution.

The “direct control” requirement means control of the outside service provider’s maintenance and use of information from education records and is not intended to affect the outside party’s status as an independent contractor or render that party an employee under state or federal law.

A good starting point for any entity on campus wishing to contract with outside service providers is Comptroller Policy 110.

This policy states that “The University’s Purchasing Services will be responsible for selecting which service providers will be given access to customer information in the normal course of business. All contracts with such service providers shall require that the service provider implement and maintain adequate safeguards for customer information.”

Unrestricted Access to Education Records by School Officials

Parents and students have complained to the Family Policy Compliance Office that school officials have unrestricted access to the education records of all students in an institution’s system, particularly where records are maintained electronically. The final regulations require institutions to use “reasonable methods” to ensure that teachers and other school officials (including outside service providers) obtain access to only those education records—paper or electronic—in which they have legitimate educational interests.

The discussion of the final rule states that the rule can be implemented by institutions through the use of role-based security features found in most software today. Limiting an individual’s access to electronic records based on their professional responsibilities will help the institution to be in compliance with the final regulations.

Identification and Authentication

An institution is now required to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom it discloses education records. Authentication of identity is more complex for disclosure of electronic records as new methods and technologies are developed. Under the final regulations, districts and institutions may use PINs, passwords, and personal security questions; “smart cards” and tokens; biometric indicators; or other factors known or possessed only by the user, as appropriate. However, using more traditional identifiers such as name and date of birth, or name and SSN or other student ID number, is specifically stated to be a failure to properly authenticate identity.

NAU is working on a method for students to grant or revoke access to portions of their personal information as part of the LOUIE Guardian Access project. This will help to reduce some of the existing burden related to parent authentication. See the LOUIE section of the Administrative Computing portion of this newsletter for details.

Summary

We are reviewing each of these changes and will be making recommendations to the Steering Committee for Administrative Computing. However, it is the responsibility of all employees at the university who work with student data to be familiar with FERPA. If you would like additional information, go to the FERPA site.

—Harper Johnson


ITS Info is a publication of the Information Technology Services (ITS) department of NAU. Editor: Don Olson. Entire contents copyright © 2009 Northern Arizona University. Some images © 2007 www.clipart.com. Send comments or suggestions to Ask-ITS@nau.edu.

To contact ITS:

Faculty: 928-523-1511
Students: 928-523-9294
Statewide: 888-520-7215

Web Page Contact: ITS-Editor@nau.edu