System data-privacy official proposes clarified FERPA policy; committee received informational briefing

The committee received an informational briefing on a proposed update to the system's Family Educational Rights and Privacy Act (FERPA) policy.

Jan Khan, the system's data privacy officer, walked regents through a multi-stage development process for the draft: it drew on the U.S. Department of Education model FERPA policy, input from the general counsel's office, EDUCAUSE guidance, and stakeholder feedback collected across security, contracting, compliance, financial aid, registrars, student conduct, registrars, and student-government representatives.

Khan said changes include moving definitions into a discrete section, adding new terms (for example, "federal tax information"), clarifying concepts such as "eligible student" and "intent to enroll," and stressing that FERPA exceptions (including directory information) are discretionary and not mandatory. The draft also consolidates institutional obligations and enforcement steps (including links to the system's electronic-communications policy) and calls out a triumvirate of policy owners: the data privacy officer, the chief compliance officer and general counsel.

Khan flagged expected operational impacts as modest because the policy largely codifies practices institutions should already be following: maintaining disclosure records in certain circumstances, publishing processes for students to review and amend records, and recommending notifications to students in the event of reportable incidents. Khan proposed implementing the policy at the start of the next academic year (faculty year begins August 24) and offered training materials and one-page resources for students, faculty and staff.

The committee treated the item as informational and did not vote to change policy at the committee level; the draft will proceed to the full board for consideration as part of the normal policy-review process.