[D31.0000] Family Educational Rights and Privacy Act (FERPA) Guidance UK guidance for Researchers and IRB Members on accessing educational records.

The U.S. Department of Education’s summary of the FERPA regulations lists the following conditions under which student records can be disclosed without consent:

• Develop, validate, or administer predictive tests;
• School officials with legitimate educational interest (e.g., improve instruction), included in the University of Kentucky’s designation of University (school) official, are persons employed in administrative, supervisory, academic, or research positions;
• Other schools to which a student is transferring;
• Specified officials for audit or evaluation purposes;
• Appropriate parties in connection with financial aid to a student;
• Organizations conducting certain studies for or on behalf of the school;
• Accrediting organizations;
• To comply with a judicial order or lawfully issued subpoena;
• Appropriate officials in cases of health and safety emergencies; State and local authorities, within a juvenile justice system, pursuant to specific state law; and
• Directory information.

The University of Kentucky (UK) definition of directory information includes the maximum amount of information protected under FERPA.

• FERPA defines directory information as information contained in a student’s education record that would not generally be considered harmful or an invasion of privacy if disclosed.
• FERPA also provides guidance on what may be considered directory information; however, each institution is free to designate less information as directory information.
• FERPA permits the following to be designated as directory information:
  • Name
  • Address
  • Telephone listing
  • Email address
  • Photograph
  • Date and place of birth
  • Major field of study,
  • Dates of attendance
  • Grade level
  • Enrollment status (e.g., undergraduate or graduate; full-time or part-time)
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Degrees
  • Honors and awards received
  • Most recent educational institution attended

Researchers should note that the following are never designated as directory information: a student's social security number, and in most instances student identification number, citizenship, gender, religious preference, grades, and Grade Point Average (GPA).  Subjects must sign a consent form to release any of these items unless the request for access falls under any of the exempt conditions outlined in FERPA. 

Under FERPA, students are also given the opportunity to file a request to prevent disclosure of directory information, commonly known as “opting out."  An institution will not release any information on a student, even directory information, if a student has “opted out." UK’s process for “opting out” involves setting a privacy flag on the student’s directory information.  

• Instructions are available at FERPA | Office of the University Registrar.

FERPA allows the release of education records without consent if all personally identifiable information (PII) has been removed. Under FERPA, the term personally identifiable information (PII) includes, but is not limited to: 

• Student’s name and other direct personal identifiers, such as the student’s social security number or student identification number;
• Indirect identifiers, such as the name of the student’s parent or other family members; the student’s or family’s address, and personal characteristics or other information that would make the student’s identity easily traceable;
• Date and place of birth and mother’s maiden name;
• Biometric records, including one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual, including fingerprints, retina and iris patterns, voiceprints, DNA sequence, facial characteristics, and handwriting; and
• Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

If a researcher is collecting educational records, the written consent must:

1. Specify the records that may be disclosed,
2. State the purpose of the disclosure, AND
3. Identify the party or class of parties to whom the disclosure may be made.

A ‘‘Signed and dated written consent’’ may include a record and signature in electronic form that:

• Identifies and authenticates a particular person as the source of the electronic consent; and
• Indicates such person’s approval of the information contained in the electronic consent.

In instances where a researcher requests to waive the informed consent process, the following conditions must be met: 

1. Generally, FERPA allows a researcher to access and release information in an educational record for any of the items listed in the section “Conditions for Which Student Records Can Be Disclosed without Consent.”
   • Please note: The Office of Research Integrity (ORI) may forward any requests to access PII, without a consent form, to UK’s legal counsel. Legal counsel will make the final determination if the study meets the exception criteria to release educational information without a signed consent form and will develop appropriate agreements as required by 34 CFR 99.31.
2. Researchers must have permission from UK’s Registrar to access educational records at the University of Kentucky.  University requirements are available at FERPA | Office of the University Registrar.
   • Please note: The UK Registrar does not maintain educational records for the College of Medicine or the College of Dentistry. Researchers should contact the respective colleges and abide by their FERPA requirements.
3. In developing the IRB application, researchers should address:
   • purpose, scope, and duration of study;
   • use and disclosure of PII;
   • plans to protect PII and not release to any other party (other than representatives of the University of Kentucky with legitimate interests) without prior consent of parent or eligible student; and
   • plan to destroy information when no longer needed.       
4. If researchers propose to access student records at institutions other than UK, researchers should contact each institution and follow that institution’s FERPA policy when accessing directory information.  Each educational institution designates what information is considered directory information.
5. In accordance with FERPA, an educational institution has the authority to determine what information may be accessed from an educational record.  If an institution denies an investigator access to information in an educational record, the IRB cannot overrule the decision.
6. According to the IRB federal regulations, for non-exempt studies, an IRB cannot waive informed consent or documentation of informed consent unless specific conditions are met.  Consequently, researchers should include a rationale for waiver requests in the IRB application even in circumstances where FERPA allows access without prior consent.
7. FERPA and the Health Insurance Portability and Accountability Act (HIPAA) regulations provide conflicting requirements for medical records.  In some situations, FERPA is more restrictive for researchers than HIPAA.
   • Researchers should contact each educational institution and follow that institution’s applicable policies, whether FERPA and/or HIPAA policy, when accessing student medical records.
   • Please note: The University of Kentucky has elected to follow both FERPA and HIPAA regulations for University Health Services (UHS) medical records. Contact the ORI Research Privacy Specialist or the University Health Service (UHS) if your research proposal involves accessing student medical records.