FERPA Compliance

Saroj Jha

FERPA Compliance

The Family Educational Rights and Privacy Act (FERPA) of 1974 was enacted to support and promote the protection of privacy and reasonable governance of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Security is a core functional requirement of FERPA, requiring mission-critical information to be protected from accidental or deliberate theft, leakage, integrity compromise, and deletion. The FERPA statute is found at 20 U.S.C. § 1232g and the FERPA regulations are found at 34 CFR Part 99.

FERPA gives parents of students and eligible students the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”).

Schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a PTA bulletin, student handbook, or newspaper article) is left to the discretion of each school.

FERPA requires states to use reasonable methods to ensure the security of their information technology (IT) solutions. This may be achieved by hosting education records on cloud computing solutions. The law, in general, requires covered institutions and agencies to reasonably safeguard student education records from improper use or disclosure. FERPA defines “education records” as “records, files, documents, and other materials that are maintained by an educational agency or institution, or by a person acting for such agency or institution.” Education records also include any record that pertains to an individual’s previous attendance as a “student of an institution.”

Securing student record information, including students’ personally identifiable information (“PII”), is essential for educational institutions and vendors that provide them services which fall under the purview of FERPA. As an online programming platform for educational purposes, DataCabinet implements controls for services and provides robust offerings to customers to leverage in order to comply with FERPA. There are a number of safeguards to keep in mind when you are dealing with student records, and DataCabinet is well equipped to help you navigate them. Here are a few of them:

  • Student’s record managed by instructors/institutions: The student’s record in our system are controlled by the instructors themselves. Instructors can remove the grades from DataCabinet and maintain them in the LMS system (Blackboard or Canvas) at the end of the course. Our Privacy indicates we do not read student’s record and can be removed from our system anytime by instructors/institutions.

  • Explicit consent of students:

    • FERPA allows schools to make directory information available to third parties unless students want it explicitly not released. We will write an email to the class presenting DataCabinet and ask them if they have any reservations releasing their email to DataCabinet.

    • DataCabinet can write an email to the class asking them for consent to use DataCabinet with information about privacy. Students who sign up to DataCabinet, we can provide a version of the homework/exam (after vetting by the instructors) to them over DataCabinet.

  • Data Back-Up: Users can upload an unlimited number of files, and DataCabinet will protect all of them. Not having to worry about storage capacity means you can secure as many files as you need.

  • Data Encryption: DataCabinet employs robust encryption strategies that protect your data.

  • Data Integrity: Audit logs allow you to monitor which files have been altered, by whom, and when. If an unauthorized user gains access to your files, the audit logs make the intrusion easy to spot.

  • Automatic logoff: DataCabinet automatically logs users off after a predetermined period of inactivity, ensuring that unattended devices pose no threat to file security.

  • User Privileges: Users have unique IDs and must be authorized and logged in to access DataCabinet-protected files.

  • Revoked Access: Administrators can revoke access in real-time to users and devices, meaning that a hacked user account can be disabled.

Through these and other methods, DataCabinet can help you rest assured that your students’ PII remains private. After all, being confident in the safety of your students goes a long way when it comes to FERPA compliance.

http://ptac.ed.gov/sites/default/files/FAQ_Cloud_Computing.pdf https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html