On May 15, 2000, former UT football captain Spencer Riley filed a class action suit against UT, the NCAA, and UT Director of English Composition Linda Bensel-Myers, asserting that university employees illegally released his student records, including the information that he had a learning disability, to Tom Ferry, an ESPN.com journalist. Riley sought a temporary restraining order barring UT from releasing any student record beyond what is allowed by state and federal statutes. In July 2000 an agreement to dismiss the suit was reached, which required that UT President J. Wade Gilley issue a formal letter of apology to Riley and assure him that UT procedures would be implemented to ensure that only information allowed to be released under the Family Educational Rights and Privacy Act would be released.
Interim Provost Clif Woods, working with the General Counsel’s Office, developed new operational guidelines for access and disclosure of student records. Access to student records was limited to those having an educational need to know, defined as meeting one of three qualifications: (1) the need to know was part of a task specific to the job description of the employee requesting access; (2) the need to know would provide a service and/or benefit to the student; (3) the need to know would maintain safety and security on campus. All employees with access to student academic histories were required to reapply for the access and to describe why they needed the information and its legitimate educational purpose. The goal was to limit access to the departmental level, although the provost could grant college or university access. Students were able to open their own records through computer access, including use of a personal identification number.
At the beginning of each fall semester, a broad advisory notice was required to be issued to all employees telling them of the legal requirements dealing with student records and the consequences of illegally releasing them and reminding all employees that they do not have the independent authority to determine that information is not personally identifiable and thus not subject to confidentiality requirements.