PUBLIC SUBMISSION | As of: February 10, 2009 Tracking No. 8053857c Comments Due: May 08, 2008 |
Docket: ED-2008-OPEPD-0002
Family Educational Rights and Privacy
Comment On: ED-2008-OPEPD-0002-0001
Family Educational Rights and Privacy
Document: ED-2008-OPEPD-0002-0012
Comment on FR Doc # N/A
Newark, DE,
Organization: University of DelawareRe: Proposed Regulations for Directory Information.
The NPR states electronic identifiers "cannot be used to gain access to
education records except when used in conjunction with one or more factors that
authenticate the student’s identity,such as a personal identification number
(PIN), password, or other factor known or possessed only by the student." This
is generally TRUE.
The NPR goes on to state "... SSNs and other student ID numbers are personal
identifiers that are typically used for identification purposes in order to
establish an account, gain access to or confirm private information, obtain
services, etc." This is generally FALSE.
Student ID numbers ARE NOT generally sufficient, by themselves, to gain access
to protected student records. Student ID numbers are identifiers (like a name)
not authenticators (are you really who you say you are). Authenticators such as
PINs or passwords can be used with Student ID numbers to authenticate.
In the move away from SSNs, schools have learned the lesson that it is
inadvisable to combine identification and authentication into a single piece of
information (e.g., SSN, or Student ID number). SSNs are high-risk because they
are used as identifiers and authenticators by some sectors of the economy. In
higher education, Student ID numbers are used to absolutely identify a student,
not to authenticate. In many cases, the Student ID number is also used as the
electronic identifier (e.g., as a portion of the e-mail address) or printed on
the face of school identification cards.
In practice, Student ID numbers are used in the manner the NPR describes
electronic identifiers (i.e., cannot be used to gain access to educational
records except when used in conjunction with one or more factors that
authenticate the student's identity.), and therefore should not be protected
under FERPA.
If you protect Student ID number, by logic, you should also protect name,
because Student ID number is simply a unique name and nothing more. It is not
access currency. If all names were unique, we would not need Student ID
numbers.
Protecting Student ID numbers would create an undue burden on higher education,
just as protecting name as a student record would. All administrative systems,
processes and functions would be severely impacted. Waste and inefficiency
would be realized, and all to protect a piece of information that generally
carries no inherent risk of disclosure.
Passwords and PINs are clearly not directory information, because with their
knowlege, one can assume another's identity and access protected student
records. Perhaps the code could be modified to state that if an institution
grants authentication via Student ID number, then it is protected, like a
password or PIN. If another authenticator is required - e.g., Student ID is
only an identifier - then Student ID is directory information .