Thousands of University Oklahoma students were possibly put at risk after their personal information was exposed through an OU file-sharing system in what officials are calling a “misinterpretation.”
First reported by OU Daily, the university's campus newspaper said the information of more than 29,000 students including grades, financial aid status and social security numbers were made available on the Microsoft Office file sharing system Delve.
“Yes, your documents are safe. Delve never changes any permissions. Only you can see your private documents in Delve,” the program’s website reads.
The system was immediately shut down, according to campus authorities. Due to the shutdown, News 9 was unable to recreate the Daily's findings but campus officials were able to confirm the issue, but could not corroborate the exact numbers.
In a statement, OU's vice president for Enrollment and Student Financial Services said, "some sensitive files were inadvertently made accessible to OU account holders due to a misunderstanding of privacy settings. No unauthorized party accessed any of the files..."
The mishap may have also put OU at risk by potentially opening the university to a violation the federal Family Educational Rights and Privacy Act or FERPA.
“It's a pretty big trust issue when information is released,” Julie Miller said.
Miller is the General Counsel for The Oklahoma State School Board Association. She said FERPA usually protects information like social security numbers, grades, financial aid status or visa status of international students.
“Every institution works really hard to maintain the privacy for their student population,” Miller said.
However, schools are allowed to disclose what’s known as “directory information.” Miller says those standards are set by the schools, districts or institutions themselves. For instance, OU considers 17 categories “directory information” including student names, email addresses, permanent addresses, participation in supported activities or sports and grades, as long as the students are unidentifiable.
Students also have the option of opting out of normally disclosed information.
As schools have entered the digital age they've had to increase reliance on outside systems, like Delve, to keep information safe.
“We rely a lot on the people that we work with to store that data and creating the software there that's going to have that barrier there for protection,” Miller said.
Miller added it’s unlikely anything would come from the potential FERPA violation. The law doesn’t include civil penalties. The only penalty is the loss of federal funding, which Miller says in the law’s 43-year history has never been levied against an institution.
Access OU's FERPA guidelines here.