Another tip in a series provided by the Offices of Information Security, Information Systems & Computing and Audit, Compliance & Privacy

National Data Privacy Day, which was on January 28, is always a welcome opportunity to raise awareness regarding individuals’ privacy, securing information systems, and protecting data from unauthorized access.

As an institution of learning, Penn faculty and staff must always consider FERPA, the Family Educational Rights and Privacy Act, when receiving, processing, or transmitting student information.

FERPA and Penn protect personally identifiable information contained in “education records,” generally including records that are directly related to a student and maintained by the University or a party acting for the University.

Several other Penn policies mirror FERPA requirements and ensure the protection of Penn student information, prohibiting disclosure of student records except with the student’s written consent or to the extent that FERPA authorizes disclosure without consent.

Protected student information includes, but is not limited to, biographical information, enrollment records (including class lists), grades, and schedules. (Education records generally do not include law enforcement records, employment records, and directory information).

The most significant exception to the student consent requirement allows sharing with school officials with a “legitimate educational interest.” School officials include, but are not limited to, Penn employees or any other persons performing work for Penn under proper authorization including third-party service providers.

Penn may also release “directory information” to third parties without a student’s consent, unless the student specifically asked Penn not to do so, or “opted-out.” Penn defines FERPA directory information to include a student’s name, addresses, telephone number, date and place of birth, major, participation in officially recognized activities (including social and honorary fraternities) and sports, weight, and height if a member of an athletic team, dates of attendance, degrees and awards received, and previous educational institutions attended.

If a student wishes to opt out of sharing FERPA directory information, the student must complete and submit an opt-out form to the Office of the Registrar.

For more information on FERPA: https://oacp.upenn.edu/privacy/penndata/appropriate-use-of-penn-data/ferpa/.

For additional tips, see the One Step Ahead link on the Information Security website: https://www.isc.upenn.edu/security/news-alerts#One-Step-Ahead.