December 17, 2008, 04:36 PM ET

New Rules on Student-Privacy Law Tackle Changes in Technology

New regulations concerning student privacy that were released last week by the U.S. Department of Education take up technology in ways that the Family Educational Rights and Privacy Act never has before.

“A major reason for these new rules was to try to catch up Ferpa” — as the law is known — “with modern times,” says Rodney J. Petersen, a policy analyst for the higher-education-technology group Educause.

The Education Department’s proposed regulations sparked lively debates about privacy: One of technology officials’ main challenges was to explain the distinction between Social Security numbers and student-identification numbers.

In the proposed rules, neither could be included in colleges’ directories. And that change — treating ID numbers just like Social Security numbers — would have been tricky (and expensive), requiring many colleges to retrofit information systems.

But higher-education and technology groups described how, in most cases, student ID numbers do not open up access to additional information the way Social Security numbers do. In the final regulations, the Education Department said that ID numbers and other student identifiers could be included in directories as long as they could not “be used to gain access to education records except when used in conjunction with one or more factors” — like passwords — “that authenticate the student’s identity.”

“We’re all relieved that they took our comments into account,” Mr. Petersen says. But the department’s revision also means, he says, that campus officials have to redouble their efforts to prevent the public posting of education records — like grades — by student ID number.

On information security, the new regulations make certain recommendations about protecting student records. “The Department encourages the holders of personally identifiable information to consider actions that … are reasonably calculated to protect such information,” the rules say.

The regulations also leave colleges and universities room to figure out how best to safeguard students’ information. A given institution, the regulations say, “may use any method, combination of methods, or technologies it determines to be reasonable, taking into consideration the size, complexity, and resources available,” as well as the type of information that must be protected. “The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted,” the rules say, “the more protections an agency or institution should consider using.”

Mr. Petersen cautions colleges against strictly following the Education Department’s suggestions for which systems to use to safeguard information. He says colleges can find products better tailored to their needs than those mentioned in the rules.

Among other updates, the new regulations specify that Ferpa does not require colleges to notify students of security breaches affecting their personal information — although most state laws contain that requirement. And the new rules explicitly state — where they hadn’t before — that privacy law protects online students, too.

The regulations also discuss the tricky processes of identification and authentication, emphasizing that colleges must use passwords or personal-identification numbers to control access to transcripts, for example, and other protected records. —Sara Lipka

Categories: Security, Student-Life
