One of the more difficult things that employees face in remaining FERPA compliant is verifying that a caller is who they say they are.

FERPA §99.31(c) Identification and authentication of identity.

Regulations require institutions to use reasonable methods to identify and authenticate the identity of students, parents, school officials, and other parties before disclosing educational records.

• Identification means determining who is the intended or authorized recipient of the information.
• Authentication means ensuring that the recipient is who they claim to be.

Regulations permit the use of PINs, passwords, personal security questions and phrases, smart cards and tokens, biometric indicators, or other factors known or possessed only by the authorized recipient.

IMPORTANT! The use of widely available information to authenticate identity, such as the recipient’s name, date of birth, Social Security Number (SSN), student ID, address, and email address is not considered reasonable under the regulations and cannot be used to authenticate identity. NEVER use the SSN or any part of the SSN over the phone.

The following methods can be used to authenticate the identification of the student:

1. Authenticate with SIRA
   For student and non-student callers.
   
   NOTE: this authentication option is not yet available to faculty. Faculty should contact an advisor or the Registrar's Office for assistance.
   
   The Student Information Release and Authorization (SIRA) form allows the student to assign a Passcode to themselves as well as to others. When a caller is inquiring about student-specific, FERPA-protected information, you can utilize the SIRA passcode to authenticate identity.

   • Go to SPACMNT or the comments section of the Advising Dashboard, and look for RSI entries which will contain a name and passcode.
   • If the caller is the student, ask them to provide their own passcode. If a valid code is provided, no additional authentication is needed. (If the student does not have a passcode assigned to themself, they can provide you with a passcode they have assigned to someone else. No additional validation is needed if they can do so.)
   • If the caller is not the student, ask if they have been authorized to access student information and records. If yes, request the passcode. If a valid code is provided, no additional authentication is needed.

    

   If the passcode is not known or does not exist, request that the caller log in to add one (if the student). If not the student, have the caller contact the student to ask them to give them authorization and a passcode through the SIRA form. You might say:

   "Please log in (or have your student log in) and create a passcode. This code will allow us to discuss your/the student's information now and in the future without issue."

2. Authenticate with an Institutional Email Address
   For student callers.
   
   This method of caller identification authentication utilizes the institutional email address assigned to the student. At UVU, this can be a @my.uvu.edu or @uvu.edu address. To utilize this method:

   • Ask the caller if they can access their UVU email address while on the phone.
   • Retrieve their email address from wherever you normally find student email information (Application Navigator, Banner Services, Advisor Dashboard, etc.)
   • Inform the caller you will be sending them an email to that address which will contain a random word, phrase, or number that they will need to provide to you once they receive it.
   • Send the email. Try not to reuse the same phrase, word, or number for other callers where possible.

    

   If the student can confirm the word, phrase, or number, no additional authentication is needed.

3. Authentication Questions
   For student callers.
   
   In the event that method 1 and method 2 cannot be completed in a reasonable amount of time, staff can validate by asking authentication questions. The following items can be requested, but may not be used alone to validate the caller’s identity (this is not a comprehensive list):

   • Name (any part), Date of Birth, Physical Address, Email Address, Telephone Number

    

   Because these items are likely to be known to others or may confirm to the caller that a SSN is correct (in identity theft cases), they are not approved for the use of caller identification validation. The Social Security number (or any part of it) can never be requested over the phone.

   The following are examples of validation questions that you can ask. The student must confirm at least 2 of these:

   • What was your major in your first semester at UVU?
   • What are the names of two instructors you had in the ___ semester?
   • Name the courses on your [choose semester] schedule.
   • Look at transfer work. Ask about the previous institution's work.
4. "Selfie "
   For student callers.
   
   Another option is to request the caller email a “selfie” to the staff member. The staff member will validate using the ID as if the caller was in-person.

   • Instruct the caller to hold their photo ID next to their face while taking a picture of themselves.
   • The caller should then email the “selfie” to the staff member who will validate using the ID as if the caller was in-person.

COMING SOON! Faculty and staff will soon be able to log in to a student privacy portal in myUVU to see authorized delegates, passcodes, and other useful tools for authenticating a person's identity!

In post-secondary education, the rights of students transfer from the parent to the student, regardless of student age. This includes students participating in UVU High School Concurrent Enrollment. Unless the student has provided written consent allowing disclosure of records and information to a parent, the parent has no right to that information.

What to Do

If you are contacted by a parent (or spouse, partner, etc.):

• Inform them that in accordance with the Family Educational Rights and Privacy Act (FERPA), a federal law, you need to make sure they have been authorized by the student to conduct business with UVU on the student's behalf.
• Take their information, name, phone number, and assigned security phrase (if they have one) and tell them you will call them back after you have confirmed this information.
• Contact the Registrar's Office to confirm that the student has authorized information release to that individual. If authorized, the student will have provided the person with a security phrase which you can get from the Registrar's Office and then confirm with the individual.

If the person has not been authorized, ask them to please talk to the student and request the student add them as an authorized individual. This is done using the Student Information Release and Authorization (SIRA) form in myUVU. Once authorized, you may speak to and share information with that person.

What Not to Do

Parents and others may say things like, "but I pay the bills" or "the student is a minor." These are not legitimate reasons under FERPA. Do not let someone bully you into releasing information without student authorization. Remember, you are complying with federal law and they need to understand that. Be kind but firm in protecting the student's information.

Bottom Line

A student's parent, spouse, partner, etc. does not automatically have rights under FERPA. The student must provide written consent and this is generally done through the SIRA form in myUVU.

Exceptions

FERPA provides an exception to parents of dependent students (IRS dependents). Do not give out information simply because the parent tells you this is the case. Refer these to the Registrar's Office as certain requirements must be met. Even in this case, information release is permissible but not required.

COMING SOON! You will be able to log in to a student privacy portal in myUVU to see who has been authorized without needing to contact the Registrar's Office!

The public posting of grades, by any part of the student’s name, student UVID, date of birth, or social security number, without the student’s voluntary and express written permission is a violation of FERPA. The term "public" includes any electronic or paper-based means.

The Registrar's Office strongly discourages the high-risk practice of publicly posting grades even with student permission or when de-identified.

Legitimate Educational Interest (LEI) is the demonstrated "need to know" by those officials of an institution who act in a students' educational interest. Employees with a legitimate educational interest, known as School Officials, need and use student record information in the execution of their defined job duties. School officials may also include contractors, vendors, and volunteers who are fulfilling institutional functions the institution would otherwise fulfill itself.

NOTE: Simply being a university employee does not convey a "legitimate educational interest" on a school official.

Faculty and staff shall not share records (intentionally or otherwise) with any person who does not have a legitimate educational interest in such records.

What To Do

• Be careful in conversations with other faculty as well as with staff, guests, and others who do not have a demonstrated need to know. Just because we are all employees or even faculty in the same department, does not mean we all have the same legitimate educational interest.
• Safeguard student records. Store digital records in Box and keep paper records locked away when not in use. Lock your computer while you are away.

What Not To Do

• Do not leave records unattended on a desk or computer screen.
• Do not view student records out of curiosity. This is not an LEI and is a violation of FERPA.
• Do not share individual records or lists with any third party. Refer requests for lists and information to the Registrar's Office.
• Do not share information with other faculty unless doing so is within the person's legitimate educational need to know.

Staff and faculty may at times wish to post exciting news and information about students to social media platforms. This is not inherently against FERPA, but it must be done properly to avoid a violation.

What To Do

• Before posting anything to social media about a student, get written consent from the student(s) who will be identified. The consent must specify exactly what will be shared and the student must agree to it in writing. The following consent form may be used: One-Time Information Release Authorization.
• Post general and de-identified information. Example:
  • "Congratulations to our Underwater Basket Weaving graduates, 95% of whom have already been placed in the workforce!"

What Not To Do

• When using Twitter, Facebook, or other social platforms, never reveal information about students that might indicate their grades, course enrollments, class schedules, and so on. Doing so is a FERPA violation.

Courses supported by class websites and/or discussion groups must take extra precautions to not inadvertently release non-directory student information, whether to the general public or to other students.