As some of you know, I’ve been posting at Michael Feldstein’s blog about our limited beta release this Fall. The overwhelming sentiment is “This is exciting, but what about FERPA!”
The immediate reaction to the thought of activating a campus-wide Facebook application can make any decision-maker nervous. Information is shared all over Facebook, and a campus’ interest to keep student data private and secure is not only an obligation but is also upheld by the law.
First, a basic understanding of Facebook Platform is necessary. Facebook presents applications through a frame and never has the opportunity to cache nor store any data presented within an application. As of the new redesign pushed by Facebook in July 2008, users have direct control over the “stories” that are generated by applications. Users also have control of what Facebook users can see what kinds of data, and can even directly block individual users that may find a nuisance.
We store our data with an infrastructure company on the cutting edge of data storage and security. We can, if requested, create a local installation on a local server behind campus security systems. However, we’d like our customers to note that innovative hosting companies have extensive expertise regarding large scale, secure hosting with nearly 100% up-time. Having that kind of performance locally is nearly impossible.
At Inigral, we’ve worked with our pilot school and our lawyers to assure that all features of our application are FERPA compliant and uphold the strongest standards of security and privacy. I don’t want to go into the exact feature set that makes it such a comfortable thing for institutional adoption, but it is proof that venturing into the wide world of the Social Web is highly possible with a little care.
However, the institution is not completely hands-off in this regard. At most campuses, the administration will have already asked the student to sign an agreement to share data with third parties acting in concert with the mission of the institution. With near certainty, we will be covered under such agreement. If the institution does not have such broad language in place but has policies that treat enrollment data as “directory information,” we will be covered so long as students are notified and allowed to “opt-out.” If enrollment data is not treated as “directory information,” the students should be asked for their consent by an “opt-in” email.
FERPA is in place to make sure that institutions are careful with and respectful of a students right to privacy, but it was not intended to hold back education in the 1990s before there were things like APIs and the Social Web. No school has ever lost Federal funds because of FERPA, which is the only punishment that can occur for being in violation (besides being tied up in a lawsuit). Privacy, Security, and personal Control over information is more than a valid concern, but lets not let it be a brick wall of anxiety in the face of the march towards user-friendly, interoperable, and multitudious educational solutions!
One of my good friends suggested my joking reference to a FERPA police as a little inappropriate. Ah, the written word and humor. For the record, it was funny.
Nice post here Micheal.
I’ve found that for sure, the utmost concern is student privacy… FERPA, NDA, eDiscovery and the like. However, these are often brought up as “red flags” that allow administrators to stop innovation or prevent emerging technologies from moving forward. Unfortunately may of these red flag holders don’t really grasp or understand what Facebook and social networks are… Nor have they even taken the time to figure it out.
All of this to say that it is good that you have covered the base of FERPA. It is also helpful to have information on eDiscovery, network data security (ssl and the like), etc.
I haven’t seen “Schools – Inigral Inc.” application before, so I’ll check that out!