Step 2: Identify federal, state, and local regulations affecting the maintenance of student records.
Each use that you identify has its own set of regulations, and the system must be designed to comply with these laws, rules, policies, etc. Regulations may mandate or determine the response to any or all of the next ten steps.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that restricts access to individually identifiable student records and gives parents a right to view what is kept in their children's records. Because of this law, there are many restrictions and security measures you must plan to implement. There is more discussion about these restrictions and measures in Step 9. In addition, essential information for developing procedures and policies related to student records can be found in the NCES document, Protecting the Privacy of Student Records: Guidelines for Education Agencies.
Some states that have implemented student record systems have worked with their states' Attorneys General to ensure that no relevant laws are being broken. Many states have indicated that they have confidentiality laws that affirm or extend FERPA. No state may have a law more lenient than FERPA, but a state may impose greater restrictions on the release of student data. These restrictions must be addressed in developing a student record system.
To ensure that legal requirements are met and ethical responsibilities carried out appropriately and effectively, education agencies and institutions are advised to establish their own written policies and guidelines for maintaining the privacy and confidentiality of student records. Such policies and guidelines should state the principles and procedures for addressing the following issues:
- Selecting appropriate data elements for student records.
- Accurately, consistently, and carefully collecting these data elements.
- Maintaining relevant, accurate, and confidential records.
- Carefully screening anyone that will handle confidential information.
- Restricting access by school personnel.
- Safeguarding data (or restricting access) while data are in the possession of a contracting organization.
- Safeguarding individual student records being transferred to other schools, local education agencies, state education agencies, and elsewhere.
- Transferring personal information to an authorized third party only on the condition that this third party not permit access to any other party without the written consent of the student or parents, as appropriate.
- Concealing the identity of individuals or institutions desiring or entitled to confidentiality, through appropriate procedures for aggregating, encoding, and releasing sensitive data.
- Destroying records or data that are no longer needed.
Many of these areas are described more fully in the steps that follow.
Education agencies and institutions may want to establish and maintain an oversight committee to produce and review policies, procedures, and activities involving student records. The membership of this committee might include appropriate representatives of such groups as students, parents, teachers, counselors, principals, the board of education, and the general public. This committee should be assigned responsibility for ensuring that student data are collected, updated, stored, accessed, used, and discarded in such a way that:
- The rights and welfare of students are adequately protected.
- The potential benefits to students of any particular record use outweigh the potential risks.
- Informed consent is obtained from students or parents, by adequate and appropriate methods, for including certain data in student records and using (or releasing) the data for specified purposes.
Every education agency or institution should periodically reassure itself, through appropriate administrative overview, that the policies and procedures related to student records and designed to protect its students' rights and welfare are being applied effectively.