Privacy is the ability of an individual or group to select to withhold information about themselves from people to whom they have not chosen to give the information. In the United States, the Family Education Rights Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99), also known as the Buckley Amendment, is a law that protects the privacy of student records. FERPA provides a minimum basis for the protection of student privacy regarding their education records. This law applies to all institutions that receive federal funding under applicable programs administered by the US Department of Education.
FERPA provides a benchmark for educational privacy standards. Many institutions build on FERPA regulations when they write their own institutional privacy policies, in many cases providing even greater and more specific privacy rights than those outlined in FERPA. Some state laws do the same.
Blackboard develops products that support FERPA and provide information, tools and utilities that allow institutions to configure their systems so they can meet even stricter privacy standards. While Blackboard cannot know or anticipate all state, local, or international laws and policies that may need to be applied to the handling of personally identifiable information, FERPA regulations are used as guidelines to develop flexible privacy management within Blackboard applications.
Unless otherwise sited, all quotations in this section are taken from the FERPA Regulations.
Institutions must obtain written permission from the student (or parent if the student is under 18) to disclose any information from the student’s educational record. Educational records are defined broadly and include grades, all coursework, and personal information about the student, such as contact information and expected graduation date. In short, the institution cannot disclose any information about the student to anyone except the student’s teachers and other “school officials with legitimate educational interest.”
The FERPA statue (Authority: 20 U.S.C. 1232g(b)(1)) defines disclosure as:
To permit access to or the release, transfer, or other communication of personally identifiable information contained in education records to any party, by any means, including oral, written, or electronic means.
For Blackboard, disclosure includes not only the direct release of information, but the ability to view information through the web interface.
However, the primary exception is that the institution can publish “directory information” about the student, for example name and email address. Fields of data included in directory information vary from institution to institution. To learn more, see User Directory and Personal Information Disclosure.
Educational records are defined broadly in FERPA and are defined in the statute (Authority: 20 U.S.C. 1232g(a)(4)) as:
(1) Directly related to a student; and
(2) Maintained by an educational agency or institution or by a party acting for the agency or institution.
'Record' means any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche.
For Blackboard, records include all information about students and their participation in Courses and Organizations. This encompasses all data and materials tied to student users in the Blackboard system.
Personally identifiable information is any information or data that can identify a specific student. In FERPA the statute (Authority: 20 U.S.C 1232g) reads:
Personally identifiable information includes, but is not limited to:
(a) The student’s name;
(b) The name of the student’s parent or other family member;
(c) The address of the student or student’s family;
(d) A personal identifier, such as the student’s social security number or student number;
(e) A list of personal characteristics that would make the student’s identity easily traceable; or
(f) Other information that would make the student’s identity easily traceable.
For Blackboard, personally identifiable information is student record data that identifies the specific student. There is a difference between “personal data" meaning information that is tied to a specific person, and “aggregate data," the cumulative or summary information that does not specifically identify any particular person. For example, “John Smith logged into the Blackboard system at 3:25 on 11/2/2006” includes personally identifiable information, but “48 students logged into the Blackboard system between 3:00 and 4:00 on 11/2/2006” is aggregate data. Aggregate data is generally not as sensitive from a privacy perspective and is not protected by FERPA.