Steve –
Under FERPA, student consent trumps everything. If the student
is appropriately authenticated and that authentication is sufficient to qualify
as an electronic signature, then the institution is considered to have collected
the student’s consent and is permitted to release the specified information.
Karen
Karen Schultz
University Registrar
Penn State University
114 Shields Building
University Park, PA 16802
(814) 863-3681
From:
Sent: Monday, May 11, 2009 12:32 PM
To: inc-student
Subject: [InC-Student] FERPA, and Shibboleth, and the uApprove extension
Recently I sent a query to the ICPL email list, asking for
opinions as to whether the Shibboleth uApprove mechanism is "FERPA
compliant". I've pasted my original query in at the bottom of this note.
I got two responses -- both from lawyers who are familiar
with FERPA and its interpretations (the responses came from Tracy Mitrano and
Peg O'Donnell). I've pasted their responses in at the bottom of this note. They
said that if we authenticated the user, and interpreted their clicking
"Approve" as signed and dated consent, then yes, this mechanism would
be FERPA compliant.
I know this list includes some Registrars... I would be
curious to hear your thoughts on the FERPA compliance question.
At 11:33 AM -0400 4/17/09, wrote:
From:
Subject: FERPA and Shibboleth
I work with the Shibboleth project, and I'm looking for
opinions about how FERPA relates to a Shibboleth extension developed by our
Swiss partners.
Shibboleth (http://shibboleth.internet2.edu) is a Web Single Sign-On system
(SSO). It can be used both within a campus and cross-domain -- providing SSO
capability with external services. Shibboleth also provides for the filtered
release to a Service Provider (SP) of LDAP directory attributes describing the
browser user. The filters can be specific to each SP. For the library use case,
the only released attribute may be a persistent opaque identifier, allowing
personalization at the SP site without releasing any PII. For software from
Microsoft ( https://downloads.channel8.msdn.com/ ), the attributes MUST include
Affiliation=student. For discount airline tickets, the attributes may include
affiliation, name, and email address.
In some of these cases, for students who have opted out under FERPA, this
attribute information could include attribute information that the institution
may not be allowed to release to external SPs. I'd note that many external SPs
are providing services related to instruction (e.g. WebAssign, iTunes, etc.), and
thus should qualify for the FERPA "loophole". There are,
however, SPs that are not so closely tied to instruction -- e.g. discount air
tickets. In these situations, I believe that FERPA would prohibit release
of the attribute information. In addition, an institution's privacy policy (if
there is one) might prohibit release.
SWITCH, the Swiss Higher Education and Research Network, has
developed uApprove (http://www.switch.ch/aai/support/tools/uApprove.html ), an
extension to the Shibboleth Identity Provider component. It allows a browser
user to approve or block the release of attribute information the first time
they access each SP. (The user's decision is logged.) If you'd like, go to the
uApprove site and try it yourself, using their demo accounts. (Scroll down to
"There is a demonstration site, where you can see the ArpViewer in
action."). (Note -- ArpViewer was an earlier name for uApprove.)
A campus could configure Shibboleth such that releasing attributes X, Y, and Z
to any SP in InCommon (the US Higher Ed Federation) would require user
approval (e.g. for attributes Name, eduPersonPrincipalName, email, etc.).
My question is -- if a site deploys Shibboleth in this manner, and a student
clicks "Approve" to release attributes to a specific external SP, does
that action constitute Approval under FERPA?
At 11:51 AM -0400 4/17/09, Tracy Mitrano wrote:
My first thought is that if the student approves, there is
no problem. FERPA constrains institutions that maintain education
records, but the student may release attributes (which, whether covered under
FERPA or not, as directory information, is another question entirely) or even
their entire transcript if they so choose.
The law does not prohibit a student's release of an education record related to
the student him or herself.
At 1:25 PM -0400 4/17/09, O'Donnell, Margaret wrote:
From your description it sounds like the student gives their approval
for the school to release the necessary data by clicking on the approval
button. If that is the case, I would apply the electronic signature
analysis which is as follows:
Sec. 99.30 (d) "Signed and dated written consent" under this part
may include a record and signature in electronic form that--
(1) Identifies and authenticates a particular person as the source
of the electronic consent; and
(2) Indicates such person's approval of the information contained in
the electronic consent.
So you would need to be comfortable saying there was identification and
authentication as well as approval.
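
Added illustration, not part of the original thread and not uApprove's or Shibboleth's own code: a minimal Python model of the flow the thread describes, with per-SP attribute filters, a consent gate on selected attributes, and a logged consent record that carries the elements named in Sec. 99.30 (d) (who was authenticated, what they approved, and when). The SP entity IDs, function names and record layout are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical SP entity IDs; attribute sets follow the thread's use cases.
LIBRARY_SP = "https://library.example.org/sp"
TICKETS_SP = "https://tickets.example.com/sp"
RELEASE_FILTERS = {
    LIBRARY_SP: {"persistent-id"},
    TICKETS_SP: {"affiliation", "name", "email"},
}
# Attributes the campus releases only after the user approves.
CONSENT_REQUIRED = {"name", "eduPersonPrincipalName", "email"}

@dataclass(frozen=True)
class ConsentRecord:
    principal: str         # identifies the person giving consent
    authn_method: str      # how that person was authenticated
    sp: str                # the SP the approval applies to
    attributes: frozenset  # what the person approved
    timestamp: datetime    # the "dated" element

consent_log = []  # append-only log of approval decisions

def record_consent(principal, authn_method, sp, approved):
    """Log an 'Approve' click; refuse it outside an authenticated session."""
    if not principal or not authn_method:
        raise ValueError("consent must come from an authenticated session")
    rec = ConsentRecord(principal, authn_method, sp,
                        frozenset(approved), datetime.now(timezone.utc))
    consent_log.append(rec)
    return rec

def releasable(principal, sp, user_attrs):
    """Apply the SP's filter first, then the per-user, per-SP consent gate."""
    allowed = RELEASE_FILTERS.get(sp, set())  # unknown SP: release nothing
    approved = set()
    for rec in consent_log:
        if rec.principal == principal and rec.sp == sp:
            approved |= rec.attributes
    released = {}
    for name, value in user_attrs.items():
        if name not in allowed:
            continue  # the filter for this SP never permits the attribute
        if name in CONSENT_REQUIRED and name not in approved:
            continue  # withheld until this user approves release to this SP
        released[name] = value
    return released
```

Consent is keyed on both the principal and the SP, so an approval given for one SP never unlocks release to another.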