Student success and student privacy: Understanding the legal and strategic issues related to sharing student data

In today’s higher education environment, there is increasing pressure to improve student enrollment, retention, and degree-completion rates while using shrinking resources and existing staff as efficiently as possible. To accomplish these goals, each campus needs reliable data to identify and focus its efforts on strategies that have the greatest potential to improve student persistence. For maximum effectiveness, these data should enable a campus to understand its institutionwide strengths and challenges along with individual student priorities, needs, and receptivity to institutional support.

However, data do not create solutions—people do. If a campus truly wants to address student retention in a systematic and strategic way, then the data it collects must be shared with campus personnel who can best accomplish the goal of increasing student success and fulfilling the institutional mission.

But what if the data are sensitive and highly personal? When a campus starts talking about sharing student data, people can become a little uncomfortable, and rightly so. After all, how often do we encounter stories of the inadvertent disclosure of private information such as credit card numbers, social security numbers, or (most recently) medical information? Raising questions and concerns about the sharing of data within a campus or with outside organizations shows a responsible sensitivity to student privacy.

These issues can leave campuses with a dilemma. Without the sharing of data among student and academic affairs members, faculty, academic advisors, counselors, and other key staff, student retention efforts would be left to operate in the dark and lose much of their effectiveness. At the same time, all campus personnel should strive to protect the privacy of student information.

The key is to find an appropriate, responsible, and legal balance between student success initiatives and student privacy concerns.

What is allowed under federal law

The Family Educational Rights and Privacy Act (FERPA) requires that student records be kept confidential unless:

1. The student provides written permission for that information to be shared; or

2. The disclosure of information falls into one of the exceptions provided for in the act.

One of the exceptions is releasing student information to a school official with a legitimate educational interest. According to FERPA, teachers, contractors, consultants, volunteers, or other parties to whom the institution has outsourced institutional services or functions may be considered a school official. Furthermore, if these school officials need student data to do a job they have been assigned or contracted to conduct, they are also considered to have a legitimate educational interest. While FERPA does expand the range of individuals who can have access to student data, all school officials must take the same level of responsibility and care in handling student data regardless of their status as campus staff or external contractors.

Two scenarios to illustrate the appropriate sharing of data

With FERPA in mind, let’s examine two scenarios that illustrate how student information can be shared effectively and responsibly. Assume I am a director of academic support services. I am a full-time college employee and therefore a school official. I need to know which classes have high D, F, and W rates so that I can focus my departmental offerings on enhancing student success and completion as effectively as possible—a legitimate educational interest. Sharing of this aggregate information is thus acceptable. Also, on an individual level, if I know specifically which students are not attending class or are performing poorly, I can extend personal invitations to them to participate in academic support services. This would improve the chances that those students who need my services the most would receive support, thereby enhancing their chance of success and achievement of their academic goals. This is again a legitimate educational interest in student-specific information and an acceptable sharing of data. However, knowing which students are experiencing financial stress is less likely to enhance the results of academic support services and thus not data the director of academic support services should have access to, but something more appropriately shared with a financial aid director planning an optional financial literacy workshop.

In another scenario, assume I am vice president of enrollment management at my campus. In order to more proactively increase student success, I hire an outside vendor to predict future student retention behavior by analyzing past student behavior. This analysis requires providing non-public student information to the vendor. The vendor would be considered a school official with a legitimate interest in the non-public student data and could have access to it. The vendor is also required to safeguard the data as the campus would.

More responsibilities to keep in mind

The job of protecting non-public student information applies not only to the allowance of disclosure but also to the recipients’ use and protection of that data. If not in place already, you might explore an annual review of employee expectations for handling non-public information. This would include initiatives such as a clean desk policy, locking file cabinets, passwords that meet industry standards, not e-mailing sensitive data, security standards for confidential information that needs to be accessible online, requirements for storing non-public data on laptops and thumb drives, and notification requirements if a disclosure should occur.

No two campuses will interpret or apply FERPA standards exactly the same way. We encourage you to discuss these issues and your particular needs with your local data privacy point person and to work through acceptable scenarios for sharing data. Use the questions and concerns from colleagues as an opportunity to discuss and understand federal and state privacy obligations, and to clarify institutional policies and practices.

The use and sharing of non-public data in both aggregate and student-specific formats is central to the achievement of student enrollment, retention, and degree completion rates. With a full understanding of federal and state requirements this sharing can be accomplished without compromising student privacy or institutional success.