Brendan –
Sorry for the delay in responding. Penn State’s attorneys
provided some information to me a few months ago regarding a question I posed to
them on FERPA requirements for electronic signatures:
“The 2004 FERPA Electronic Signature Amendments (“FERPA Amendments”)
authorized the acceptance of electronic signatures as part of the written
consent required prior to release of FERPA controlled information to third parties.
Under the FERPA Amendments, electronic signatures may be accepted provided the
electronic submission: (1) identifies and authenticates a particular person as
the source of the electronic consent; and (2) indicates such person’s approval
of the information contained in the electronic consent. In addition, the
request must otherwise contain any information which may be required in a valid
consent to release under FERPA guidelines. The FERPA Amendments further stated
that adherence to the FSA e-sign guidelines, covering electronic transmissions
related to federal student aid, would suffice to create a “safe-harbor” for
institutional compliance with the electronic signature requirements.”
They further went on to say:
“The “safe harbor” provision in the FERPA Amendments is not
intended to set the minimum guidelines for acceptance of electronic signature
verifications. In fact, the comments released with the FERPA Amendments clearly
state that the “safe harbor” requirements are deemed more stringent than those
necessary for minimal compliance with the new standards. The FERPA Amendments
provide no express guidance on any acceptable methods of authenticating the
electronic signature, and are expressly stated to be technology neutral.”
FSA stands for federal student aid, so you may want to check
with your financial aid folks to see what they use as a requirement for an
electronic signature. Although our interpretation is that those requirements
are more stringent than are necessary under FERPA.
Karen
Karen Schultz
University Registrar
Penn State University
114 Shields Building
University Park, PA 16802
(814) 863-3681
From: Brendan Bellina [mailto:]
Sent: Monday, May 11, 2009 6:01 PM
To: Karen Schultz
Cc: ; inc-student
Subject: Re: [InC-Student] FERPA, and Shibboleth, and the uApprove extension
What is required for an authentication event to be
sufficient to be used as an electronic signature?
Brendan
On May 11, 2009, at 2:27 PM, Karen Schultz <> wrote:
Steve –
Under FERPA, student consent trumps everything. If the student is appropriately
authenticated and that authentication is sufficient to qualify as an electronic
signature, then the institution is considered to have collected the student’s
consent and is permitted to release the specified information.
Karen
Karen Schultz
University Registrar
Penn State University
114 Shields Building
University Park, PA 16802
(814) 863-3681
From: []
Sent: Monday, May 11, 2009 12:32 PM
To: inc-student
Subject: [InC-Student] FERPA, and Shibboleth, and the uApprove extension
Recently I sent a query to the ICPL email list, asking for opinions as to whether the
Shibboleth uApprove mechanism is "FERPA compliant". I've pasted my
original query in at the bottom of this note.
I got two responses -- both from lawyers who are familiar with FERPA and its
interpretations (the responses came from Tracy Mitrano and Peg O'Donnell). I've
pasted their responses in at the bottom of this note. They said that if we
authenticated the user, and interpreted their clicking "Approve" as
signed and dated consent, then yes, this mechanism would be FERPA compliant.
I know this list includes some Registrars... I would be curious to hear your
thoughts on the FERPA compliance question.
At 11:33 AM -0400 4/17/09, wrote:
From:
Subject: FERPA and Shibboleth
I work with the Shibboleth project, and I'm looking for opinions about how FERPA
relates to a Shibboleth extension developed by our Swiss partners.
Shibboleth (http://shibboleth.internet2.edu)
is a Web Single SignON system (SSO). It can be used both within a campus and
cross-domain -- providing SSO capability with external services. Shibboleth
also provides for the filtered release to a Service provider (SP) of
ldap-directory attributes describing the browser user. The filters can be
specific to each SP. For the library use case, the only released attribute may
be a persistent opaque identifier, allowing personalization at the SP site
without releasing any PII. For software from Microsoft (https://downloads.channel8.msdn.com/),
the attributes MUST include Affiliation=student. For discount airline
tickets, the attributes may include affiliation, name, and email address.
In some of these cases, for students who have opted out under FERPA, this
attribute information could include attribute information that the institution
may not be allowed to release to external SPs. I'd note that many external SPs
are providing services related to instruction (eg WebAssign, iTunes, etc), and
thus should qualify for the FERPA "loophole". There are,
however, SPs that are not so closely tied to instruction -- eg discount air tickets.
In these situations, I believe that FERPA would prohibit release of the
attribute information. In addition, an institution's privacy policy (if there
is one) might prohibit release.
SWITCH, the Swiss Higher Education and Research Network, has developed uApprove
(http://www.switch.ch/aai/support/tools/uApprove.html), an extension to the
Shibboleth Identity Provider component. It allows a
browser user to approve or block the release of attribute information the first
time they access each SP. (The user's decision is logged.) If you'd like, go to
the uApprove site and try it yourself, using their demo accounts. (Scroll down
to "There is a demonstration site, where you can see the ArpViewer in
action."). (Note -- ArpViewer was an earlier name for uApprove.)
A campus could configure Shibboleth such that releasing attributes X, Y, and Z
to any SP in InCommon (the US Higher Ed Federation) would require user
approval (eg for attributes Name, eduPersonPrincipalName, email, etc).
My question is -- if a site deploys Shibboleth in this manner, and a student
clicks "Approve" to release attributes to a specific external SP, does
that action constitute Approval under FERPA?
At 11:51 AM -0400 4/17/09, Tracy Mitrano wrote:
My first thought is that if the student approves, there is no problem. FERPA
constrains institutions that maintain education records, but the student may
release attributes (which, whether covered under FERPA or not, as directory
information, is another question entirely) or even their entire transcript if
they so choose.
The law does not prohibit a student's release of an education record related to
the student him or herself.
At 1:25 PM -0400 4/17/09, O'Donnell, Margaret wrote:
From your description it sounds like the student gives their approval
for the school to release the necessary data by clicking on the approval
button. If that is the case, I would apply the electronic signature
analysis which is as follows:
Sec. 99.30 (d) ``Signed and dated written consent'' under this part
may include a record and signature in electronic form that--
(1) Identifies and authenticates a particular person as the source
of the electronic consent; and
(2) Indicates such person's approval of the information contained in
the electronic consent.
So you would need to be comfortable saying there was identification and
authentication as well as approval.
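Added example, not part of the thread and not uApprove or Shibboleth code: a minimal Python model of the consent-gated, per-SP attribute release described in the messages above, logging each decision with the elements of Sec. 99.30(d) that the thread names. The SP names, attribute sets, the `optout` flag and every function name are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed policy: hypothetical SP names, attribute sets and flags.
POLICY = {
    "library.example.org": {"attrs": ["persistentId"], "instructional": True},
    "airfare.example.com": {"attrs": ["affiliation", "name", "email"],
                            "instructional": False},
}
CONSENT_REQUIRED = {"name", "email", "eduPersonPrincipalName"}
CONSENT_LOG = []  # append-only record of user decisions


def record_consent(user, sp, attrs, approved, authn_instant):
    """Log a decision carrying the Sec. 99.30(d) elements plus a date."""
    entry = {
        "subject": user,                 # (1) identifies a particular person
        "authn_instant": authn_instant,  # (1) when that person authenticated
        "sp": sp,
        "attributes": sorted(attrs),     # the information being approved
        "approved": bool(approved),      # (2) indicates approval
        "dated": datetime.now(timezone.utc).isoformat(),
    }
    CONSENT_LOG.append(entry)
    return entry


def has_consent(user, sp, attrs):
    """True only if logged approvals for this SP cover every gated attribute."""
    covered = set()
    for e in CONSENT_LOG:
        if e["subject"] == user and e["sp"] == sp and e["approved"]:
            covered.update(e["attributes"])
    return set(attrs) <= covered


def release(user, sp, directory, optout=False, authn_instant=None):
    """Return attributes to send to sp; {} means withhold and ask the user."""
    policy = POLICY.get(sp)
    if policy is None or authn_instant is None:  # unknown SP or no login
        return {}
    wanted = [a for a in policy["attrs"] if a in directory]
    if optout and not policy["instructional"]:
        # Assumption: an opted-out student must approve all but the opaque id.
        gated = [a for a in wanted if a != "persistentId"]
    else:
        gated = [a for a in wanted if a in CONSENT_REQUIRED]
    if gated and not has_consent(user, sp, gated):
        return {}
    return {a: directory[a] for a in wanted}
```

Release is all-or-nothing per SP in this model: a missing approval for any gated attribute withholds the whole set, and an unauthenticated request never releases anything.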