Office hour sign-up sheets and other FERPA issues (#1009)

Topics/tags: Academia

Sometime last semester, as I was reading excerpts from the minutes of Grinnell’s Executive Council [1], I learned that some folks consider it a FERPA violation to post sign-up sheets for office hours outside of our offices. If I recall correctly, the question raised was why it is not permissible to have sign-up sheets for office hours, but it is permissible to have people visit classes [4].

For those who don’t know, FERPA is the Family Educational Rights and Privacy Act, which specifies that institutions should limit how they release students’ educational records. IANAL/IANAFO [4] so you should take everything I say [5] about FERPA with a grain [6] of salt. As I understand it, there are at least three related issues at play in many of the situations we consider under FERPA. Certainly, there are the FERPA policies themselves. But beyond those policies, there are also more general, but equally important, questions about student privacy, along with differently important questions about student safety.

Here’s what I understand about office-hour sign-up sheets: The general sheets don’t violate FERPA since students could be signing up to meet with you for a variety of reasons. However, they do potentially put students at risk because they permit someone to know where a student will be at a certain time. The second issue suggests that while public general office-hour sign-ups do not violate FERPA, they may not be a good practice [8]. In contrast, sign-ups that are tied to specific classes or to advising may violate FERPA because they reveal that a student is in a particular class or has a particular person as their academic advisor, both of which are often considered part of students’ academic records. Compared to some other releases of information, these are relatively minor. Nonetheless, they could be considered risky, particularly as our society gets more litigious.

I will admit that I have not worried about these issues because I primarily use electronic signups for office hours [9]. I didn’t choose them for FERPA or safety reasons; rather, I find that they make it easier for me to tell what slots are available when a student emails to ask Can I meet with you at 11:00 a.m. tomorrow? or something similar.

The ways in which we approach FERPA don’t always make a lot of sense to me. I recall being told for many years that I should not list the names of my research students in my CV or on the Web, except in publications or when students choose to list themselves. Why? Because doing so reveals that they did research with me. Then the Dean’s Office started publishing a public list of all the MAP students and, after some conversations with FERPA officers at other institutions, our FERPA officer determined that the Dean’s Office’s practice was acceptable, which suggests that listing on CVs is also acceptable. I forget the reasons why.

Of course, there are many ways in which the broader FERPA policies also don’t make a lot of sense to me. For example, we have multiple contractors who can access FERPA-protected data, including convicted felons [10]. To deal with those issues, we typically designate those contractors Officers of the College with a legitimate educational interest in accessing the data, or something like that [11]. You’d think that we would, therefore, have a legal responsibility to inform students which contractors have access to data. However, my conversations with our FERPA officer suggest that we do not, and I cannot find anything in the FERPA guidelines or FAQs that contradict that claim. I’d still prefer that students know the dozen or more outside contractors that regularly have access to their data, but that’s not my decision. And I’d really prefer that it be part of the law. What do I know? IANAL/IANAFO.

These issues also remind me about the new and somewhat scary practice of recording student attendance through phone tracking. It’s not happening at Grinnell [12] but it seems to be happening at other institutions. I wonder how schools are dealing with the issue that these apps (and, more importantly, the owners of those apps) have access to FERPA-protected information. While Degree Analytics does mention FERPA on their privacy page, I couldn’t find anything on the SpotterEDU site.

Back to the main issues. In spite of my concerns about how FERPA makes faculty work more difficult, I consider FERPA a reasonable law. Students are adults and adults deserve some privacy. While many have good relationships with their families, not all do. I realize that FERPA frustrates many parents, I’d rather have policies in place that protect students who want to keep some aspects of their lives private from their parents or others in similar positions.

Plus, FERPA makes my job easier: Can I talk to you about my child’s work in your class? You can certainly talk to me, but FERPA suggests that I can’t say anything in response. Fortunately, I don’t have to have that conversation all that often.

Postscript: I’ve been told that Office Hours is a term that needs explaining to some students. Some hear that and assume it means The time my faculty member has reserved for themselves in their office rather than The time my faculty member has reserved for students. Perhaps Student Hours would be better.

[1] Those excerpts are generally available as part of the agenda for faculty meetings. I learn a lot by reading them [2]. Sometimes I misread them [3]. Sometimes they frustrate me, such as when a Council member misstates a policy. But that’s not the point. What is the point? Oh, that’s right. Excerpts are available to members of the campus community and I make it a practice to read them.

[2] Nope, I’m not going to tell you what I’ve learned. You can read them yourselves, at least if you have access. If you don’t have access, I shouldn’t be telling you.

[3] No, not intentionally.

[4] The relationship between the two is that both can reveal that students are in a particular class, which is FERPA-protected information.

[4] I am not a lawyer and I am not a FERPA officer.

[5] Or write, in the case of this musing.

[6] Or granary [7].

[7] Why is it granary not grainary?

[8] Isn’t it sad that we have to worry about such things?

[9] Formerly with youcanbook.me, now with Acuity Scheduling, someday with something I write myself.

[10] At least that’s how one of my colleagues likes to refer to Microsoft.

[11] It’s a common hack to deal with the issue of which Cloud Services have access to FERPA-protected data, such as email or student records. By making them Officers of the College, we can legally store our information on their servers. And, if they breach FERPA, they now bear the responsibility. It also means that we don’t have to record the sharing of the data with them. Or something like that. As I said, IANAL/IANAFO. One of the FERPA FAQs says

Contractors, consultants, volunteers, or other third parties to whom a school or district has outsourced certain functions may be also be considered school officials. Schools and districts may disclose education records (and the PII contained in those records), without appropriate consent to such school officials provided that they (1) perform an institutional service or function for which the school or district would otherwise use employees; (2) are under the direct control of the school or district with respect to the use and maintenance of the education records; (3) are subject to FERPA’s use and re-disclosure requirements set forth in 34 CFR § 99.33(a); and (4) satisfy the criteria specified in the school or district’s annual notification of FERPA rights for being school officials with legitimate educational interests in the education records

[12] At least I hope it’s not happening at Grinnell. I’d like to see new PCard privacy policies.

Version 1.0 released 2020-02-06.

Version 1.0.1 of 2020-02-07.