Case Corner

In March 2015, a UCF student filed a complaint directly with University Compliance, Ethics, and Risk (UCER) stating that an adjunct faculty member, Employee A, without a legitimate educational interest unlawfully accessed their academic records and disclosed their records to another student without their knowledge or consent. The complainant stated that Employee A used the UCF credentials of their spouse, Employee B, to access the student’s record. Both Employee A and B were UCF faculty members specializing in a field of study that had no relationship with the complainant. The complainant stated that they briefly dated the faculty members’ child, a current UCF student, and believed the one parent, Employee A, accessed their records to break up the relationship.

UCER investigated the concerns in collaboration with the UCF Registrar’s Office. The investigators reviewed computer access records and supporting documents, conducted interviews, and verified restricted data access rights.

Findings

Based on the findings of the investigation, the following violations were confirmed:

1. 1. Violation of the Family Educational Rights and Privacy Act of 1974 (FERPA)

Employee A confirmed that they accessed the complainant’s student record using their spouse’s UCF credentials and shared the record with their child. UCER found no evidence to suggest that Employee B was aware that their spouse had unlawfully used their UCF credentials for this purpose until after Employee A had already accessed the record. FERPA allows faculty access to a student’s educational record when there is an established legitimate educational interest. Employee A did not have a legitimate educational interest but rather a personal interest; therefore, their actions were unlawful.

1. 2. Violation of UCF Policy 4-008 Data Classification and Protection

Employee A stated that they perform 99% of their spouse’s data entry using the spouse’s UCF credentials, which includes entering grades for the spouse’s students. Student information is restricted data according to the UCF Data Classification and Protection policy and requires the highest level of access control and security protection. UCF employees with access to restricted data must implement managerial, operational, physical, and technical controls for access to, use of, transmission of, and disposal of university data in compliance with this policy and must not share the information without explicit management authorization. By providing the spouse with their UCF credentials to enter student grades, Employee B violated this university policy.

1. 3. Violation of UCF Policy 4-002.1 Use of Information Technologies and Resources

Employee A stated that they frequently, at least twice a month, accessed the UCF systems using the spouse’s UCF credentials for personal reasons such as obtaining payroll and insurance information. The Use of Information Technologies and Resources policy states that credentials must not be shared with others. As per this policy, Employee B should have been required to sign a UCF Confidentiality Agreement. In reviewing Human Resources documentation, UCER did not locate a copy of this agreement. Sharing UCF credentials for personal reasons is a violation of UCF policy.

Conclusion

Employee A violated the Family Educational Rights and Privacy Act of 1974 (FERPA) by accessing and disclosing a student’s educational record without the authority to do so. Employee A stated that Employee B shared their UCF credentials with them, which is a violation of two university policies.  UCER did not locate a signed UCF Confidentiality Agreement on file for Employee B’s access to university restricted data, which is required by university policy. In response to these findings, UCER issued corrective action recommendations to the college dean.

Recommendations

UCER recommended that the dean consult with Faculty Affairs, to consider the following recommendations:

1. 1. Take appropriate disciplinary action for the FERPA violation, which may include discontinued employment of Employee A
   2. Provide appropriate disciplinary counseling and education to Employee B for sharing their UCF credentials in violation of UCF policies
   3. Obtain a signed UCF Confidentiality Agreement from Employee B and maintain a copy in the employee’s human resources file
   4. Distribute a reminder to all faculty and staff in the department regarding FERPA, including a copy of the Registrar’s FERPA Reference sheets, and UCF’s prohibition on sharing UCF credentials

This case is an example of a FERPA violation and a violation of two UCF policies in place to protect UCF data. We are grateful for the student who came forward to give us the opportunity to address this matter.

If you become aware of a situation that is not in accordance with UCF regulations, policies, procedures, or standards of conduct, please report it through the available reporting mechanisms or submit a report through the UCF IntegrityLine.