This blog is part six of a series comprising a set of primers that address ten complex legal and ethical issues encountered when providing access to born-digital archival records. The guidance is grounded in two foundational beliefs: 1. There is a potential to harm individuals, communities, and institutions if access is not thoughtfully and strategically viewed through an ethical and legal lens; and 2. It is not ethical to restrict access unnecessarily. For more information see: https://osf.io/ketr7/.
Family Educational Rights and Privacy Act of 1974. FERPA compliance requires developing policies, procedures, and training for handling student records.
Most likely to come up in
- Most academic archives that retain student records
- Institutional records
- Dean’s office records
- Registrar’s office records
- Admissions office records
- Faculty papers (grades, student papers)
- Student scholarship
Actions for the institution to take
Institutions should establish a records management policy and access policies that detail how to deal with FERPA and removal policies that work in concert with the office/s of information technology. Doing so will establish compliance with privacy laws, making it easier to create accessible collections. Building a successful organizational structure that supports a comprehensive records management program makes certain records go to the right place at the right time. This includes making records accessible as quickly as possible, by dealing with legal and privacy issues at the beginning of the life cycle.
With a records management policy and program you address the following:
- Centrally controlled document access management
- Document classification policy management
- Retention policy management
- Destruction and disposition policy management
- Legal hold management
- Metadata generation and management
- Access policies
- Removal policies
Actions for the archivist to take
Lead a records management program to ensure compliance, or work with a Records Manager wherever they are in your organizational structure. This helps ensure records are destroyed and records of historical value will move to archives when their life cycle ends. Records retention periods should be accessible and located in records retention schedules in order to restrict or provide access in accordance with legal stipulations. Once in archives, the records can undergo an evaluative process for privacy issues.
Institutions, following best practices, should use a release form or donor waiver in the process of accepting student scholarship.
Archivists who take in papers and manuscripts should work with a records manager or legal counsel if records management resources are unavailable, to create a process to review materials for FERPA. Records management staff should provide archives staff with appropriate policies and procedures as well as training. If there is no record manager, the archivist or processor should review materials themselves with the assistance of legal counsel.
For future researcher access, the records manager or archivist should make certain there is a process in place in the beginning of the life cycle, dependent on where records are to redact and remove personally identifiable information (PII) from records when necessary. Records Managers use programs like an enterprise content management (ECM) system or BulkExtractor to identify and redact PII. If no earlier redaction occurs, establish an end of life cycle process for redacting PII in the arrangement and description process.
- Software that scans for and redacts PII across records, such as an enterprise content management system. ECMs have records management capabilities, indicating records of long term value. ECMs are also capable of exporting these records of long term value for transfer to the Archives, along with the PII redactions. ECMs have the ability to confidentially dispose or record series or records in accordance to their records retention schedule’s disposition date.
- A digital access system that can provide different levels of access and functionality to both content and metadata based on the user’s role, as well as time limited access to content and/or metadata (records manager or equivalent role must have a high level of access or administrator role in the system). Institutions should have specific guidelines that meet FERPA compliance requirements. At a minimum, encryption and transfer protocol should be in place.
In an academic institution, complying with FERPA involves notifying students of FERPA rights, training staff and faculty on appropriate uses of student records, and providing tools for students to consent to online and analog access to their records. Additionally, they should be informed of their right to opt out of sharing directory information (notification is usually done by the Registrar).
Compliance audits conducted by records managers in concert with information technology teams can pinpoint violations, and uncover lapses in users’ records keeping, records management guidance, and/or archival access practices. These protect organizations from violations against the federal statutes.
A note on security: The National Institute of Standards and Technology (NIST), the federal agency responsible for developing information security guidelines, defines information security as the preservation of data confidentiality, integrity, and availability (commonly referred to as the “CIA” triad). Violating these regulations has serious consequences, including criminal and civil penalties for clinicians and provider organizations.
There are two major ethical priorities for archives who work with education records: privacy and confidentiality; and data integrity and availability.
Privacy: With the onslaught of personal data being sold and used for economic gain in databases and electronic records, it is critical to protect medical and student data, as this also protects health and wellbeing. Institutions of higher education and archives have responsibilities to use the data they collect to improve support of students. Records Managers and Archivists can advocate for data protection by working with legal counsel to make sure institutional contracts reflect this commitment.
Data Integrity: Integrity assures that the data is accurate and has not been changed. This is a broad term for an important concept in the electronic environment because data exchange between systems is becoming common in the education sector in financial aid clearing houses, library systems, and the healthcare industry. Data may be collected and used in many systems throughout a higher education organization. This data can be manipulated intentionally or unintentionally as it moves between and among systems.
American Association of Collegiate Registrars and Admissions Officers. 2019. Student records management: retention, disposal, and archive of student records.
Alamuddin, Rayane, Jessie Brown, and Martin Kurzweil. “Student Data in the Digital Era: An Overview of Current Practices.” Ithaka S+R. Last Modified 6 September 2016. Available at https://sr.ithaka. org/publications/student-data-in-the-digital-era/
American Association of Collegiate Registrars Admissions Officers.
AACRAO’s Student Records Management : Retention, Disposal, and Archive of Student Records. 2019 Update].. ed. Washington, DC: American Association of Collegiate Registrars and Admissions Officers, 2019. Print.
BakerHostetler. 2016. “State Student Privacy Law Compendium.” Center for Democracy & Technology. Available at: https://cdt.org/ insights/state-student-privacy-law-compendium/.
Guttman, Barbara, and E. Roback. 1995. “An Introduction to Com- puter Security: The NIST Handbook,” October. Available at: https:// doi.org/10.6028/NIST.SP.800-12r1.
Hutt, Ethan. 2016. “A Brief History of the Student Record.” Ithaka S+R, September. Available at: https://doi.org/10.18665/sr.283886.
Lee, Christopher A., and Kam Woods. 2012. “Automated Redaction of Private and Personal Data in Collections: Toward Responsible Stewardship of Digital Heritage.” In Proceedings of The Memory of the World in the Digital Age: Digitization and Preservation. An International Conference on Permanent Access to Digital Documentary Heritage, edited by Luciana Duranti and Elizabeth Shaffer, 298–313. Vancouver, British Columbia, Canada.
Pyatt, Timothy D., and Ben Goldman. 2014. “Security Without Obscurity: Managing Personally Identifiable Information (PII) in Born Digital Archives.” Available at: https://doi.org/10.1080/01960075.2014.913966.
“Responsible Use of Student Data in Higher Education – a Project of Stanford CAROL & Ithaka S+R.” n.d. Accessed May 20, 2022. Avail- able at: https://ru.stanford.edu/.
Slade, Sharon. 2016. “Applications of Student Data in Higher Education.” Ithaka S+R, September. https://doi.org/10.18665/sr.283891.
Warren, Samuel D., and Louis D. Brandeis. 1890. “The Right to Privacy.” Harvard Law Review 4 (5): 193–220. Available at: https://doi. org/10.2307/1321160.
Related record management standards
- ISO 15489-1:2201: Information and documentation- Records Management- Part One General (ISO 15489-1)
- DoD 5015.02.STD: Electronic Records Software Applications Design Criteria Standard (DoD 5015.2)
- MoReq2010: Modular Requirements for Records Systems (MoReq2)
Primary Author of this section: Jessika Drmacich, Records Manager & Digital Resources Archivist, Williams College Special Collections
Co-Authors: Kate Dundon, Jess Farrell, Christina Velazquez Fidler, Hannah Wang, Camille Tyndall Watson
Thank you to the many community contributors for feedback and edits to Legal and Ethical Considerations for Born-Digital Access, from which this post was derived.
DISCLAIMER: This text has been reviewed and feedback incorporated from library professionals with legal expertise, but it was not originally drafted by a lawyer and is not legal advice. Please use this as a starting point to understand the issues, but always consult your local legal counsel or other support system as you make access decisions around born-digital collections.