"The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
"FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students." 1
Moodle is used in many different contexts. This will affect how you may implement roles and access for your Moodle instance. Some institutions will have very strict requirements. Others may face challenges of multiple contexts for the same instance, such as some public spaces and some instructional spaces that require restricted access.
In general, directory information is considered public. Examples of common items that may be considered "directory" information include: the student's name, address, photograph, telephone number, e-mail address, date and place of birth, major field of study, academic load, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees, honors, and awards received, class year in school, and most previous educational agency or institution attended.
Directory information is defined by the institution and this definition is made public knowledge. For example, some institutions include e-mail addresses as directory information, and some do not. The student is allowed to OPT OUT by submitting a written request to the registrar's office (or other appropriate office, depending on the organization of the school). Students who file such a request should not have any of their information published in event programs (such as "meet the athletes" booklets distributed at sporting events) or directories. The student usually must renew this request every semester.
Student's educational records are protected. "Student educational records" are generally defined as any personally identifiable records about a student or former student, and made, received or maintained by someone acting on behalf of the institution. Common items falling under this category include: student test scores and grades; submissions for assignments, class discussions or recorded comments, or any other materials produced by students in which the student can be identified; and listings of courses in which the student is enrolled. Some of these things are disclosed within the class, to the instructor and course participants, under "need to know". They are not, however, disclosed to individuals outside the class (other instructors, other students, guests). In fact, inviting an on-line guest lecturer and adding them to the course, even temporarily, could cause a privacy violation.
These items clearly relate to the way Moodle is typically used to facilitate learning.
Here are a list of identified problems and possible solutions:
- OPT OUT of profile info: there is no way for us to check "hide profile" for an individual student. Could we somehow add a field (that is accessible for those folks using batch enrolling techniques, from uploadusers to LDAP) that would selectively disable profile information for an individual student? Or, wouldn't it be even better to allow the STUDENT to check this box? I am checking on what roles should not have access to this information. (Solution: Admin > Users > Permissions > User policies > hiddenuserfields will hide them for all normal users)
- OPT OUT of name display in online users block: The on-line users block, while encouraging community, allows the display of any user on the system. If you click on the users name, you may be denied access to the profile (depends on roles settings), but the name is clearly visible. If a student opted out of directory information, then the online users block should also not display the name. (Solution: Moodle 2.0 will have a pseudonym feature so that each user can pick an alias for themselves. Only people with the right capability will see the real name).
- OPT OUT of other courses being revealed in profile: While the profile is likely accessible only by the student, the instructor, and other students in the class, it seems problematic from a privacy standpoint, to have all the courses that student is enrolled in to be displayed. Even an instructor probably doesn't "need to know" what other moodle courses a student is enrolled in. If they DO need to know this, they will likely have another method to access the information! Could we have a switch in the profile that the student can control to hide this information selectively? (Solution: Moodle 2.0 will have a capability to control this. It's easy to hack in user/view.php in the meantime, or take a look at MDL-13835 to see if you can implement or vote for it.)
- Student submissions or sensitive instructor documents might be accessed by users who know the URL; some debate is in progress about whether or not preliminary test results were flawed owing to the possibility of loading subsequent attempts from the cache rather than the server. We do know that files uploaded into the course area can't be selectively marked "public" or "private". Work on the file repository code, due in Moodle 2.0, may solve this problem. At least in Moodle 1.6.3, I tested this. As a student, I could access a graded document returned to a student through a private forum if I knew the URL. I could do this if I was enrolled in the course. If I cleared the cache between different attempts, I found that I could not do this if I was not logged in at all or if I were logged in as a student but not enrolled in the class. So we need to get some more definitive data on what is actually happening, and be vigilant about taking cache into consideration. (Moodle 2.0 has a new File API which will solve this once and for all.)
- Gradebook single student view: If a student comes to your office and wants to talk about grades, the gradebook view requires some clicking to get to the single student view. It is possible to view other student's grades as the instructor struggles to get to the right screen. Would it be possible to trigger "full class view" or "single student view" earlier in the process? (Solution: use a bookmark to the User report in Moodle 1.9)
- Assignment and Quiz single student view: A similar situation exists with assignments and quizzes. If a students asks me if I have one of their assigments or quiz results, I click on the assignment or quiz and the list shows the results for every student in my class. I don't think I know of a good way to show the results for a single student, especially if that student's submission has not been graded yet. (Solution: Ask the student to look away, or swivel the monitor. Otherwise we need a ne report that makes you type in their name. Perhaps "Lookup grade for [ ]" on the main page?)
- Notes (Introduced in Moodle 1.9): A new feature in Moodle 1.9 allows notes at the site, course, and personal level. You can disable this feature by setting moodle/notes:manage to prohibit for the teacher role. This feature can be useful, but should be used within school policy with respect to need to know and student privacy expectations.
- Opt out for optional fields: Currently fields like address or phone number are almost useless to a school wishing to follow good sense guidelines for student information. If the were fields had an opt out the school could require them, have a simple path for update of student info for instructors and no double work (like creating student directories) to share info for those who wish to opt in.
What can I do to make my Moodle install compliant with FERPA?
First off, every institution interprets FERPA a little bit differently. Find out what your institution classifies as directory information, and what its disclosure policy is. It may or may not include email address. Most solutions will not be solely Moodle solutions. Usually an institution looks carefully at its practice, and decides how Moodle will fit into this practice in a FERPA-compliant way.
Moodle is designed to allow great interactivity and sharing between users, but this conflicts with strict interpretations of FERPA. If you use 1.8 or higher, you're in luck, because you can edit all user permissions by restricting what screen views each global role can access.
Here are some things you can do when configuring Moodle:
- When installing, make sure your moodledata directory is placed outside of the public_html directory.
- Disable email-based self-registration. Moodle offers several other ways of authenticating users. This way you can be sure that everyone accessing your site is a member of your institution.
- Require loginforprofiles.
- Do not use opentogoogle.
- Hide the guest login button. In 1.8+, find this option in Admin block > Users > Authentication.
- Configure the Front Page so that courses list is not visible for unauthenticated users.
- Configure the Courses block so that it will not display a link to All Courses. This way even authenticated users cannot view a list of all courses on the installation.
- If you allow guest access, edit the guest permissions to prevent view of profiles and participants lists.
- Prevent student users from viewing the profiles of others (even if the two students are in a course together, the profile shows the list of courses a student is in, and thereby discloses non-directory information).
- Decide which blocks your institution wants to use, and edit the permissions for your global roles to prevent users from accessing user profiles or enrollment information through those blocks (or disable blocks you are not comfortable allowing instructors to place in a course).
- Think carefully about the ramifications of allowing instructors to assign other instructors to courses, or about assigning non-faculty members as instructors of courses.
- Consider searching for courses with no enrollment keys and correcting this deficiency. Also consider editing the language strings to prevent a hint from being shown should a student type in an incorrect enrollment key for a course.
Most faculty will have signed a FERPA form agreeing not to disclose non-directory information. Here are some things your faculty should know:
- Files in the files directory in the admin block are accessible to any user enrolled in the course. Non-directory information should not be stored there.
- There are screens which show grades for a list of student users--students should not ever view these screens, even casually, for instance, when they come into an instructor's office to discuss something. Most instructors also use student information systems, and understand this practice.
Many institutions run into trouble when a single Moodle installation is used for instructional spaces and non-instructional spaces (such as conference work areas, presentation spaces, and social networking spaces). It is really difficult to have a Moodle installation be both FERPA-compliant and fully functional for users focused on non-instructional collaboration. Consider running a second installation of Moodle with more relaxed access for applications like this.
What do I do about students who request holds on directory information?
Talk with your registrar and administrators to determine the best way to protect students with holds on their information. This will depend on your institution's interpretation of FERPA, and the setup of your Moodle installation.
Faculty should be aware of your institution's policy regarding students with holds on their directory information, and have received instruction about how to properly manage that information in conformance with your institution's practices. The enrollment list for a course shows a list of all user accounts in the Moodle install. If your institution allows faculty to enroll their own students, faculty will see this list, which will include any students with holds on their information. If your institution interprets FERPA strictly, and you can't make other administrative adjustments for students who have FERPA holds, you may want to restrict this activity solely to those with admin accounts.
Full FERPA Hold
In the event of a full FERPA hold, a student's data may only be released to parties with a specific need-to-know. This does not include students in the class or instructors not actually teaching the student. We have identified several key places where FERPA data is currently visible:
- Participants List: Providing a list of participants to the public violates FERPA in a broad sense; technically, though, even showing students with a full FERPA hold to others enrolled in the class violates FERPA.
- Profile View: A full FERPA hold should completely disable profile viewing. This means both user/view.php and modules which display user full names such as blog/index.php and forum/user.php.
- Assign Roles: Currently the Assign Roles function provides a full list of all users in the system. Those with a FERPA hold should not appear on this list as Instructors not teaching them do not have a need to know that they exist.