Student records have specific implications and pose special challenges to college and university records managers.
Many records and data transactions occur between students and the academic institution before, during and after pupils’ attendance. Several university departments are normally stakeholders with respect to student records and data. From a risk perspective, these records obviously contain personally identifiable information (PII) and must be protected.
Students have access rights to their academic and related records, and institutions must be prepared to furnish this access accordingly. This piece briefly explores some of the issues involved in records management on behalf of students in higher education.
Admissions and financial aid offices are frequently the first to engage prospective student candidates. Financial aid offices, of course, need to verify that sufficient tuition payment and related funding is available prior to matriculation. After the admissions process is completed, the candidate pools are normally split between students who attend the college, or matriculate (“matrics”), and candidates who don’t attend (“non-matrics”). Retention schedules typically indicate retention of non-matric records for a few years after application year, but call for retaining matric records for several years after graduation or the expected graduation year.
International student offices may also enter into the student record space early in the record lifecycle, as records such as I-20 eligibility forms and F, H, J and O visas must be processed for attendance of visiting scholars. Institutions welcoming international scholars will want to closely monitor and prepare for GDPR developments, as well.
The student data and records lifecycle can span multiple offices of record. For example, when admissions offices are done with matriculation, student advising personnel have an interest in the admissions background records as well as academic records. Then, the registrar is normally the final office of record for academic records, like transcripts. Records managers must build relationships with all of these offices and collaborate with official, cross-departmental stakeholders of student records over time.
As mentioned, student data needs protection controls. Data duplication may result when function-specific systems and enterprise resource planning (ERP) systems enable consumption of the same data — so the whole student data process should begin with data inventory and mapping exercises. ERP and departmental system data also need to be purged of PII regularly, and some programs are better at this “out of the box” than others. When building a student record retention policy, info pros can get a baseline using published schedules from other universities.
Additionally, academic records must also be made readily available. The Family Educational Rights and Privacy Act (FERPA) is a federal law limiting external disclosure and enabling student and parental access to student records. And while there are few, if any, examples of it happening, federal research funding can be withdrawn from non-compliant institutions. In 2015, a Stanford student publication encouraged students to request their admissions records, and up to 700 student record requests were placed. While such “load testing” requests are unusual, legitimate requests can be regularly expected by academic offices and records managers.
These are but a few considerations specific to records management in higher education. They show that records managers in academia face unique challenges that are not often covered in the IG literature. Yet, they also employ the same basic principles that govern IG pros in all industries.