FERPA Identify Verification

Policy: 

FERPA regulations (34 CFR §99.30-31) require institutions of higher education to use reasonable methods to authenticate the identity of students, parents/family members, school officials, and other requesting third parties before disclosing information from a student's education record. To ensure that only appropriate individuals have access to a student’s information, FERPA requires the College to implement various forms of authentication to verify the identity of the requester.  

Regardless of whether the information requested is considered less sensitive (directory information) or highly sensitive (educational records), it is best practice to use an identity management tool or, at a minimum, two types of Personally Identifiable Information (PII) to authenticate identity before student information is released. PII refers to any information that can be used to identify, contact, or locate an individual, either alone or combined with other easily accessible sources. When requesting PII, it is best practice to use the student’s directory information (which is less sensitive) to authenticate identity. 

Procedure: 

Account Look Up 

When a caller contacts Clarkson College for assistance, the first step is to gather basic identifying information, such as name and date of birth, and locate the student account in the SIS system. This is NOT considered verifying the individual's identity. Do not share information about the student’s record at this point.

Student and Third-Party Verification Process – The process outlined below is used to verify the identity of the student or a third party who has been given prior authorization to access the student’s record from an Information Release Form signed by the student. 

  1. Verify (Tandem Phone Verification System – identity management tool– This is a two-factor authentication system that sends a verification code to the student or third party’s registered mobile number and asks them to confirm it during the call. Individuals with access to Verify include the Enrollment & Advising Team, the Registrar’s Office, Financial Aid, Student Accounts, and the Compliance Team.  
    1. Ask the student for their phone number and verify this is a phone number listed in Anthology Student.  
    2. Enter the phone number in Verify (Tandem website).  
    3. Ask the student to verify the code that is texted to them. Enter the verification code in Verify (Tandem website) 
    4. If the phone number on file is not current, encourage the student to update their phone number in MyCC “My Records” tab, or at the Registrar’s Office, who will need to choose another form of verification from the list below.
  2. Knowledge-based Authentication (KBA) - Per FERPA guidelines, Social Security Numbers (SSN) and date of birth (DOB) are not reasonable methods to verify identity. Use at least two questions from below in which the answer would only be known to the student or third party.
    1. Previous course history of the student. 
    2. Previous addresses on file for the student. 
    3. Previous phone numbers on file for the student. 
    4. Previous schools attended by the student (college or high school). 
    5. If working with a parent/guardian, confirm email from parent email/emergency contact information if listed in the CRM (Reach), SIS (Student), or the student portal (MyCC).
  3. Callback Verification - If there is still doubt about the caller's identity, offer to call them back on their registered phone number. This ensures that the caller is contacting the College from a legitimate number associated with their account. 
  4. Teams/Zoom Video Call - Send a Teams/Zoom link to the student or third party via email. Ask the person to join the call and show their photo ID. This option is reserved for those scenarios where there is doubt about the answers provided to the KBA questions, OR when students/third parties cannot verify any other way. Notably, this may need to be used for third parties on an older version of a Release of Information form that did not include the third-party phone number to confirm identity (e.g., parent whose cell phone number is not known). 
  5. Documentation - If a third party (parent/guardian/other) is given information from a student’s record, it must be documented in our student information system what was disclosed and the legitimate interest the third party had in obtaining the information. Legitimate interest refers to an educational reason to know about the student’s record. If the third party identifies personal reasons for wanting this information, we need to consider if it is in the best interest of student privacy to share that information (e.g., parent contacts the school because the student will not call them or to secretly discuss advising or enrollment decisions without the student’s knowledge/involvement). Students are entitled to this information if requested.