Matthew Anderson (@hewanderson) is the new media coordinator at Western Washington University.

As employees in higher education, we have the records of thousands of students at our fingertips—often without even knowing it. It’s incumbent on all of us to treat student information with care and to abide by the privacy laws and policies that are in force at our institutions. Exactly what those laws say, though, can be tricky to discern.

In this post, I’m going to look specifically at the strictures laid down by the U.S. government’s Family Educational Rights and Privacy Act. It has a lot to say about the information we as U.S. universities release about our students. At its core, the act helps ensure students’ rights to access their educational records and to challenge the release of those records to the public. The content of educational records and students’ access to them are a major part of FERPA, but in this post, I’ll address only the part of the law that governs the release of information.

One thing to keep in mind, though: Any student attending a post-secondary institution, regardless of age, is granted full rights under FERPA, but if either parent has claimed that student as a dependent on his or her most recent tax return, FERPA allows for the release of educational records to both parents. (Check with your registrar before doing so as each school has different policies.) Also, if neither parent has claimed the student as a dependent, neither parent has any more access to a student’s educational records than the general public.

What information can we release about students?

The only information universities may release about students without their explicit permission is what FERPA calls directory information—their names, addresses, phone numbers, awards, dates of attendance and the like as specifically defined by the institution of higher education. FERPA requires that the university has notified the students of the university’s definition of directory information and has given them the opportunity to forbid or opt-out of the release of directory information in advance. Your school is required to notify students annually of their rights under FERPA.

Note what isn’t generally considered directory information (and thus should not be shared): Grades, courses taken, schedules, student ID numbers, photos in which the student is identifiable, etc. However, each institution may define directory information differently. Find out what your school considers to be sharable information. Many schools also specify that directory information is released only in carrying out specific institutional functions, and social media may not be covered.

For some students, ANY info is too much:

At any university, typically there are a few students requesting that the university release no information about them.

We don’t have many students at Western with such FERPA holds, but there are a few. If you deal with student information, your university should provide you with access to information on privacy and confidential holds so you can check a student’s preferences before releasing information.

Expectation of privacy:

One thing to keep in mind when sharing photos of students is that their right to privacy can be just as important as their FERPA rights. Did the student in your photo have a reasonable expectation of privacy?

A residence hall, for example, is a fairly private place, and you should always get permission before taking photographs or video there (even of large crowds).

But campus quads are generally public, and you may not need permission to shoot photos or videos there. At minimum, students hanging out on a public lawn don’t really expect to have privacy. Most likely, they’re not thinking about it at all.

Social media provide new challenges:

Because social media is somewhat new and case law can take years to get established, there aren’t clear-cut rules for dealing with confidentiality in the context of social media.

But let’s establish some best practices that should serve you well in most circumstances.

Best practices:

You should strive to get signed permission when:

• A person is clearly identifiable in a photo or video.
• You plan to identify a person (list his or her name or other identifying information) in a photo or video. Note: This situation crops up often when people send you information to share. The fact that seven participants in a university robot competition are lined up and smiling for a photo isn’t necessarily consent to being identified in a photo online. Ask the students.
• You’re shooting in a private or somewhat private place (e.g. residence hall or classroom).
• You plan to use the photo or video for overt marketing purposes. Note: A key question to ask students is what they reasonably expect will be done with their likeness. Don’t abuse that.
• Your photo or video shows off work (e.g. art, presentations, math assignments) that a student did for class. That work is considered part of a student’s educational record, which is protected by FERPA.

Try to get signed permission, but don’t stress about it when:

• You’re shooting a large crowd of people in a non-private setting.
• You’re shooting students who are performing on stage or participating in an athletic event.
• It’s not easy to visually identify the students, such as when they’re shot from the back or obscured in some way.

Odds and ends:

• When a student shares a photo on a university’s social media site, you may consider that a basic release. That release, however, doesn’t apply to other students who may be in the photo. For example, it’s probably OK to retweet a student’s selfie showing off the new college sweatshirt she just bought. But if she’s standing with other students, realize that you don’t have their consent.
• Verbal permission is iffy; get signed releases when possible.
• It is possible for someone to revoke a release after a photo has been published. When that happens, take it down.
• If you don’t know whether a student has a FERPA hold, don’t do anything to identify him or her as a student of your school. Don’t add the student to a public Twitter list of students, for example.
• Records created while a person was a student are protected by FERPA even after the student graduates. So the fact that a former student has now graduated doesn’t give you permission to share photos of him during his time at school. Nor does it give you permission to share his classroom artwork, for example, without his explicit consent.

Penalties for non-compliance:

The U.S. Department of Education has not yet taken major action against any universities for violations of FERPA, nor have courts allowed students to sue their universities over improper release of information. Most issues to date have been handled by the department reaching out to the universities to apprise them of the violations and to seek a change in practice.

Of course, we work in higher ed because we care about students, and we operate out of motivation for what’s best for them, not out of fear of consequences. Apply the principles you use in any interaction, whether social or otherwise: Be kind, considerate and courteous. Be human.