Q: What are the basic rules regarding the protection of student information?
A: The University’s Policy on the Confidentiality of Student Records, which incorporates the federal FERPA law, provides the most directly relevant rules. The policy states that in general, University faculty and staff may not disclose personally identifiable information from a student or applicant’s records except with the student’s written consent. One common exception allows for sharing with school officials with “legitimate educational interests,” in other words where the information would be helpful in the performance of official duties or in the pursuit of an enterprise sanctioned by Penn. The policy also establishes general student rights, such as the right to access and correct records. Penn also has other policies, procedures and guidelines that focus on specific privacy issues, such as electronic data, Social Security numbers, e-mail, and records destruction, etc. For more information, view our Policies & Guidance.
Q: Does FERPA apply to individuals taking online courses at Penn?
A: Yes, to the extent that an individual is enrolled in the course as part of a Penn degree program or receiving academic credit for the online course, FERPA applies to the individual.
Q: May I discuss a student’s personal information with his or her advisor or other department, school, or University official?
A: Personally identifiable information about students may be disclosed to school officials (e.g., Penn faculty and staff) who have “legitimate educational interests” in this information. You may discuss a student’s personal information with the student’s advisor or other University official if such information is needed in the performance of his or her duties or in the pursuit of an enterprise sanctioned by Penn.
Q: May I discuss a student’s academic performance, or other information about a student, with his or her parent or guardian?
A: In general, the University does not make records available to a student’s parents. There are, however, some exceptions to this general rule. For example, such disclosure is allowable if the student provides written consent.
You may see what student consents are on record if you have access to the Student Records System or Advisor in Touch. Check the student’s preferences regarding who may access the information and what information may be accessed.
Alternatively, you may ask a student to sign a paper consent form, which is equally valid and may better suit a specific situation that the online consent settings does not provide for (i.e., disclosure of information that is neither academic nor financial).The paper version is available at the Penn Privacy website.
Responding to a request from a parent, and initiating a call to a parent, each have significant privacy implications. A student’s consent means that we may make a disclosure, not that we must. In sensitive situations, including a student in distress, the best course is to consult with appropriate University resources, particularly the Vice Provost for University LIFE (VPUL) and the Office of General Counsel (OGC).
Q: A student has requested that I write a recommendation for him or her in support of an application for employment. May I discuss the student’s academic and personal information?
A: In general, you may do so if the student has requested in writing that you submit a recommendation. There is a place on many forms for the student to authorize release of such information. Alternatively, you may direct the student to provide consent online through Penn InTouch by clicking on "Share academic/financial info" under "Profile, privacy & emergency," or via a Penn paper student consent form, paper version.
Q: What if the FBI calls regarding a background check for a student seeking federal employment?
A: Again, you may disclose student record information to the FBI if the student has provided written consent to such disclosure. FBI agents often will show you a signed authorization from the student. It is important to determine that the consent is current and valid. If you have any questions about this issue you should seek the assistance of the Office of General Counsel. Alternatively, you may seek a student’s written consent on a paper version available at the Penn Privacy website.
Q: May I ask students for their Social Security number?
A: In general, no. Penn’s goal is that Social Security numbers not be used as identifiers except when needed to fulfill legal requirements or where there is a sufficient need, such as when certain external organizations legitimately require them. Faculty should not ask students for their SSNs, including on exams or papers. Further, documents that contain Social Security numbers (such as old grade sheets or exams) should be security destroyed, i.e., shredded, when no longer needed. And Social Security numbers that may be stored on faculty computers should be deleted when no longer needed by placing them in the desktop trash and then emptying the trash.
Q: May I post students’ grades using Social Security numbers?
A: No. Social Security numbers may not be used to “post” grades, either in hard copy or electronically. You should not publicly display a student‘s Penn ID or any portion of the Social Security number because (especially in small classes) it may be possible to identify students from this information. You should not use name, initials, or any personally identifiable information to post grades. Even when an identifier is masked or absent, be sure not to post the grades in alphabetical order.
There are other options that you may use to communicate grade information to students. First, you can communicate directly with a student about a student‘s own grade information using a secure medium. The Blackboard information system, used by some departments, offers a secure mechanism for direct communications with a student. See http://www.library.upenn.edu/courseware/bbsupport.html for more information. Further, some departments have developed their own special programs that allow students to access their own grades only. Second, you can assign each student a unique identifier and use that identifier to post the grade. The student identifier should not be used for the same student in subsequent courses.
Q: May I leave graded papers and exams outside my door or in publicly accessible areas?
A: No. Graded papers and exams may only be shared directly with the student, with others pursuant to the student’s consent, with University officials with a legitimate need, or if the circumstances fit specific legal or policy exceptions. Without student consent, graded papers and exams may not be shared with, or be made accessible to other students in the class. There are several options that you may use to communicate grade information to students as described in the answer to the prior question.
Q: May I post class lists and student photos on the web?
A: Class lists and student photos are confidential under University policy and federal law. They are given to faculty and staff who have legitimate educational interests in this information. Unless a specific legal exception exists, they may not be distributed to other parties without the students’ written consent.
Q: May I destroy copies of my old grade sheets?
A: You may once you know that the original record copy has been received and processed by the University Registrar’s Office or, for the School of Medicine, the School of Medicine’s Registrar’s Office. However, if you are aware of a pending legal matter, or an outstanding request for the grade sheets, you should retain the information until such matters are concluded. When destroying documents is appropriate, we recommend shredding.
Q: What if a student group requests a list of students’ mailing or e-mail addresses to help advertise an activity or program?
A: In some cases, this information may be shared and in others not. Specific guidelines available on the Privacy website apply. These types of requests should be forwarded to your Dean’s Office. Or, you may raise the specific question with Penn’s Office of Audit, Compliance, and Privacy by writing to firstname.lastname@example.org.