The amount of student data being collected and stored is soaring. Coupled with the growing use of technology for storing and sending data, it’s more difficult than ever for schools to comply with the Family Educational Rights and Privacy Act (FERPA).
Schools that don’t meet FERPA compliance may be forced to forfeit federal funding. Depending on the specifics of the situation, the violating employee(s) may also face disciplinary action, lawsuits, fines or even prosecution.
FERPA is infamously puzzling due to its ambiguous definitions and situational exceptions. To help schools meet the high standards at which student data privacy is held, this article outlines ten steps to ensure you’re FERPA-compliant.
You might also like this FERPA Compliance Checklist that summarizes all of the ten points below. Download it, share it, print it and post it to make sure you stay compliant.
The first and most important step to comply with FERPA is to truly understand the legislation and its mission. FERPA, the Family Educational Rights and Privacy Act, is a federal law that aims to protect the privacy and sensitivity of student education records.
FERPA gives certain rights to parents or guardians over their child’s education records. In most situations, these rights transfer once the child turns 18 and they are then called an “eligible” student, but more on the exceptions later.
FERPA is sometimes also referred to as the Buckley Amendment. In a speech explaining the Act, Senator Buckley said that FERPA was adopted in response to “the growing evidence of the abuse of student records across the nation”. Schools are now collecting more data than ever and storing it digitally, making the protection and privacy of education records an important topic.
FERPA applies to any school—elementary, secondary or post-secondary—that receives federal funding from programs administered and overseen by the US Department of Education (DOE).
In other words, virtually all public and charter schools must comply with FERPA and few private or parochial schools are required to comply.
RELATED: What is the Clery Act?
A student’s record contains all educational information including report cards, grades, GPA, transcripts, immunization and medical records, disciplinary records, family contact information, course schedules, physical testing results, attendance records, special education records, psychological evaluations and more.
All information in a student’s record will fall into one of two categories: personally-identifiable information or directory information.
Personally-identifiable information (PII) is information that directly, or indirectly through linkages with other information, identifies a student. Direct examples of PII may include the student’s name, their social security number or their student ID number. Indirect examples of PII include date of birth, place of birth and mother’s maiden name.
Even aggregate data can be considered PII under FERPA if a reasonable person in the school community could identify a student based on the indirect identifiers together with other reasonably available information, including other public information.
It is a FERPA violation to disclose PII without consent. According to the National Association of Colleges and Employers, this information can only be disclosed if the school obtains the signature of the parent (or eligible student) on a document specifically identifying the information to be disclosed, the reason for the disclosure and the parties to whom it will be disclosed.
Directory information is contained in an educational record but would not generally be considered harmful or an invasion of privacy if disclosed. Examples of directory information may include the student’s name, address, phone number, age in years, academic major or grade level, participation in activities or sports, academic specialization and awards received.
This information is either not identifying or is publicly available and could be obtained in another manner, like from a phonebook or online directory.
Information Can be Both Directory and Personally-Identifiable
Some information (like student name) can be both PII and directory. This is confusing, so here’s an example:
A transcript that says the student’s name, date of birth, place of birth and their grades is PII. It’s personally-identifying and sensitive because it reveals the student’s grades, which is confidential information, and links it to the student by name. But a transcript that says only the name and age in years is probably considered directory information.
For more information, visit the US Department of Education website.
FERPA provides rights to both parents and “eligible” students. To be an “eligible” student, the individual must be either 18 years old or entering post-secondary education.
Before a student is “eligible”, their parents or guardians are awarded FERPA rights. Parents retain FERPA rights in some cases, such as when they claim the adult student as a dependent for tax purposes.
FERPA provides parents or eligible students the right to inspect, review and request changes to be made to education records maintained by the school. Parents or eligible students have the right to prohibit schools from disclosing directory information, in addition to PII which is already prohibited from disclosure.
Parents or eligible students also have the right to be notified annually by the school of their FERPA rights, as well as the right to obtain a copy of the school’s policy regarding educational records. The policy should inform them how to:
- Exercise their right to review records
- Exercise their right to correct information
- Refuse disclosure of directory information
- Consent to the disclosure of PII
- File a complaint about FERPA violations
It is the school’s responsibility to understand, train and retrain staff on all of the rights, prohibitions and exceptions outlined by FERPA.
There are certain situations under which schools are legally allowed to disclose records without consent from either the parent or eligible student.
According to the Electronic Privacy Information Center, a school may disclose PII from education records:
- to school officials who have a legitimate educational interest in the information
- to another school, district or institution where the student plans to enroll
- to authorities, such as the Attorney General, for purposes of audit or evaluation
- for purposes related to financial aid for which the student has applied
- to state or local officials or authorities within a juvenile justice system
- to organizations conducting certain types of studies for educational institutions
- to accrediting organizations for purposes of conducting accreditation procedures
- to the parents of a dependent student as defined by the IRS
- in connection with a health or safety emergency
- released in compliance with a court order, such as a subpoena
William J. Roberts, partner at Shipman & Goodwin LLP, says that many of the FERPA violations he has seen involve school-based health centers.
When a public school teams up with a healthcare provider to run a school-based health center, “schools often struggle with knowing which data can be sent by which party and for what purpose,” he says. The confusion increases “particularly when both HIPAA and FERPA may be at play in the arrangement”.
Mike Robinson, former registered civil rights lobbyist, has similar experiences. The sharing of GPA’s with outside entities is “one of the biggest and most common violations…It’s a huge infringement on the student’s privacy and often these lists [of students and their grades]…are created and sent off with little regard to the privacy act”.
Schools are responsible for ensuring that their third-party vendors comply with FERPA, so a school is held accountable if their vendor intentionally or unintentionally misuses or misplaces student information.
Tips for Information Sharing Between Vendors & Organizations
Tip 1: To make sure that vendors comply with FERPA requirements, schools are encouraged to carefully screen and select the vendors with which they do business. Ask questions about how record access is obtained and inquire about their prevention efforts.
Tip 2: Online vendors that offer free services will typically make their money through data mining. Do not use a third-party vendor that says they will store or analyze student data for free.
Tip 3: Go back and revise all third-party agreements to ensure that the vendor is aware of and comprehends FERPA requirements. Be sure to notify them that the information they’re working with may be PII and is subject to FERPA provisions.
Education institutions should conduct yearly training regarding FERPA, including the rights it provides and the requirements of the school. FERPA has many exceptions and nuances which are easy to forget, but an unintentional violation is still a violation. This is why regular training is the best approach for FERPA compliance.
For instance, an administrator who witnesses a physical fight on school grounds can discuss it openly and legally. But, if an administrator read a document summarizing the incident, FERPA would prohibit the administrator from discussing anything from the record. It’s important that school staff know to be cautious about what they discuss and with whom.
Roberts says that a lack of training is responsible for many of the FERPA violations regarding student right of access to education records. Roberts says that “a lack of training…may mean that a parent’s or student’s request for inspection or access is received by the incorrect party or a party who does not understand the significance of the request, and thus is not acted upon”.
Implementing policies and procedures that comply with FERPA makes it easier for teachers and administrators to comply. For example, write into your policy that old education records must be shredded after a certain period of time. This will make sure that archived documents never get into the wrong hands.
Well-developed policies and procedures can help mitigate the amount of damage caused by a data breach or unauthorized disclosure. A data breach response plan that outlines what to do upon breach discovery can minimize who views or has access to sensitive information.
Policies can also indirectly encourage best practices, such as not sharing sensitive information over email. While it’s not necessarily a violation to share PII, it’s not the most secure method of communication either. Accidentally attaching the wrong file or pressing “reply all” when you meant “reply” can lead to a major FERPA violation.
FERPA requires that schools maintain a list of all the individuals and organizations that have requested or obtained a student’s education records. They must also state the specific interest of the person or organization that is requesting the information. If administrators are trained with a procedure that incorporates this provision, it’s easier for schools to comply.
No matter how hard you try to routinize using the computer’s lock feature, particularly for staff members who have access to PII or other sensitive files, people make mistakes and will forget. For moments like those, encryption provides an extra layer of protection
Encryption tools help keep data secure on a physical level. If a computer is stolen, its files are hacked digitally or the computer is left unattended, encrypted files cannot be accessed without the decryption key.
Here’s an example of when encryption would come in handy. Experts advise not to share sensitive information over email but, according to data from CSID, half of higher ed institutions allow for the unprotected transmission of sensitive information over email.
Being FERPA compliant is a school-wide effort. The IT team, administrators, teachers, principals and superintendents all need to make a conscious effort to understand and comply with FERPA provisions.
In addition to encryption, there are many other prevention tools that can help keep the entire school compliant with FERPA guidelines. One good example of an internal prevention tool is to strategically structure and manage the IT department to make sure the entire team and all the projects are FERPA compliant.
For example, routine vulnerability scans can make sure schools that keep their education records in the cloud are safe from vulnerabilities and risks. If any are found, the IT team can correct the issue before the data gets leaked or breached.
Compliance-monitoring mechanisms can be installed on school computers and laptops to monitor employee behavior. The application can run silently in the background and notify the principal or an IT professional if there is suspicious behavior regarding student education records or other sensitive files.