We occasionally get questions on FERPA compliance so I thought I'd share some of our thoughts from working through these questions with our 20+ school partners.
If we (Firecracker or any other service/product provider) are an institutional affiliate, schools can share Personally Identifiable Information (PII) with the service/product provider. This is usually well understood by our partners and common practice in the industry.
However, 2 questions that have been coming up more recently are are less clear:
1. Can faculty who aren't teaching students have access to student data?
2. Can peer tutors have access to their tutees/peers data?
The answer to question 1 is yes for all faculty, and yes for any administrator provided it's relevant for them to know the information. For 2 (peer tutors), it's not clear. Pages 161-164 in this article cover these FERPA issues in detail.
Complicating matters further are sections 11.1 and 11.5 of the LCME standards which are sometimes viewed as conflicting with FERPA (e.g. the implicit recommendation for "tutorial services" since tutors don't have to influence student grading/promotion, or the implication that faculty can't see students records if they aren't their professor even though FERPA may allow for this).
"11.1 Academic Advising
A medical school has an effective system of academic advising in place for medical students that integrates the efforts of faculty members, course and clerkship directors, and student affairs staff with its counseling and tutorial services and ensures that medical students can obtain academic counseling from individuals who have no role in making assessment or promotion decisions about them."
"11.5 Confidentiality of Student Educational Records
At a medical school, medical student educational records are confidential and available only to those members of the faculty and administration with a need to know, unless released by the student or as otherwise governed by laws concerning confidentiality."
Similarly, section 9.4 and other relevant COCA standards potentially conflict with FERPA. Conveniently, COCA is soliciting feedback from Osteopathic community at this very moment. This is what COCA says about the standards still in development:
"Of the now 11 standards and 64 elements (plus one standard with 6 elements for institutional accreditation), 21 elements and evidentiary submissions were to be assessed via a “tabular methodology” that could not be provided earlier in the standards development process. Those 21 items have been pulled from the posted document. They will be revised by the COCA appointed Standards Taskforce and placed back for additional public comment over the next few weeks (please watch our website for this release). A final vote on these items will be completed at a special meeting of the COCA in May or June and these elements and evidentiary submissions will then also come into effect July 1, 2017."
This may be a good time for the osteopathic community to weight in with their accrediting body.
Finally, every school has their own preferred privacy and related operations/processes that need to be considered when implementing solutions where PII is shared within and outside institutoinal walls.
A. Make sure both administrators and faculty can only access student data on a "need to know" basis. Strict reading of the above nets this out, we believe, and can satisfy both FERPA and LCME (COCA TBD). That said, we recommend schools involve all administrators and faculty in their continious quality improvement efforts at some level, not only as a way to drive organizational effectiness in general and satisfy accredidation standards, but also to help defend a broader interpretation of "need to know".
B. Peer tutor access to student data may not be ok under FERPA, but it's unclear. If you already have a peer tutoring program, we recommend tutors only be allowed to see data for students they are tutoring (and only data they really need to aid tutoring/remediation). We also recommend you make the case that tutors are "within the institution" as faculty are. Again, this is where it's ambigous and you should certainly consult legal council to make this determination for yourself. The goal of this post isn't to provide legal advice, it's to identify potential issues and potential ways of solving them.
C. Make sure your internal processes around PII are aligned with FERPA and the relevant accredidation standards (LCME, COCA, AGCME, etc.). Engage with standards makers to make sure they are aware of the potential misalignment and how you'd like to see the standards written in the interest of driving continuous curriculum improvement, student outcomes, and faculty development.
We would love to hear your thoughts! If we can every help in any way, please don't hesitate to reach out. We'd love to help however we can.
CEO & Co-founder