What Is FERPA Compliance?
FERPA compliance refers to the requirements that educational institutions receiving U.S. Department of Education funds must meet when handling student education records and the personally identifiable information (PII) they contain. These requirements cover data security, administrative privacy measures, and annual disclosure of rights to parents and eligible students.
What Is the Family Educational Rights and Privacy Act (FERPA)?
In 1974, Senator James Buckley sponsored the amendment that became FERPA, responding to documented cases of student records being misused across the country. Arriving at a time of broad mistrust of government following the Watergate scandal, FERPA was seen as a bulwark against the misuse of academic and institutional information.
The premise is that education records contain personally identifiable information (PII). FERPA therefore writes specific rights and protections into law, each of which maps to a compliance requirement for the institution:
- Access and Consent: Students (or, for minors, their parents/legal guardians) may inspect their education records at any time, and institutions must fulfill such requests within 45 days. These parties may also request amendment of specific records. Students may waive the right to inspect certain records, such as confidential letters of recommendation, but an institution may not require that waiver as a condition of admission, aid, or other services. Outside the exceptions listed later in this article, institutions need written consent from the student (or parent) before disclosing records to anyone else.
- Training: Teachers, administrators, and third-party vendors must be trained so that records are not disclosed without authorization. Parents/guardians and students must also be notified of their FERPA rights in writing each year.
- Security: All private data regulated under FERPA must be protected to maintain confidentiality, integrity, and availability.
What Records Are Protected by FERPA?
34 CFR § 99.3 defines the education records FERPA governs as records directly related to a student and maintained by the institution or a party acting for it. In practice these fall into two groups:
- Educational Information: Any records related to grades, course transcripts, financial or loan records, student assessments, assignments, or attendance.
- Directory Information: Information in education records that would not generally be considered harmful or an invasion of privacy if disclosed, such as name, address, phone number, and dates of attendance or enrollment. Institutions may disclose directory information without consent, but only after giving annual notice and honoring any student's (or parent's) request to opt out.
In both cases, the information is regulated because it is linked, or linkable, to a specific student, whether through a direct identifier such as a name, student ID number, or Social Security number, or through indirect identifiers that together make the student identifiable.
What Records Are Not Protected by FERPA?
Several forms of information are created during a student’s time at a school or university but do not relate to education. These records are exempt from FERPA regulations and include:
- Records created and maintained by the institution's law enforcement unit for law enforcement purposes
- Employment records for students hired by the institution, where the records relate solely to their role as employees
- Treatment records kept by a physician, psychologist, or other recognized professional acting in that capacity (campus health or counseling services) for students 18 or older or attending a postsecondary institution, as long as the records are used only for treatment
- Records created about a former student after they leave, unless directly related to their attendance (e.g., alumni records)
- Grades on peer-graded papers before a teacher collects and records them (Owasso Independent School District v. Falvo, 2002)
Note that once a student turns 18 or enrolls in a postsecondary institution at any age, the rights under FERPA transfer from the parents or guardians to the student (the "eligible student"). From then on, parents can see protected records only with the student's written authorization or under one of the exceptions below, such as when the student is their dependent for tax purposes.
Who Can Receive Records Without Consent?
FERPA generally requires written consent before PII from education records is disclosed, and that requirement binds teachers, administrators, and third-party vendors working for the institution alike. 34 CFR § 99.31, however, lists exceptions under which disclosure is permitted without consent.
These exceptions include disclosures to:
- School officials, including teachers, with a legitimate educational interest in the records
- Contractors, consultants, and volunteers performing institutional services under the institution's direct control
- Other institutions where the student seeks or intends to enroll (e.g., the transfer of academic records for performance verification)
- Parties determining eligibility for, or administering, financial aid the student has applied for or received
- Organizations developing, validating, or administering predictive tests, student aid programs, or instruction improvement on the institution's behalf
- Accrediting organizations
- Parties named in a subpoena or judicial order, after the institution makes a reasonable effort to notify the student (unless the order forbids it)
- Appropriate parties in a health or safety emergency
- State and local authorities within the juvenile justice system, as permitted by state law
What Are the Best Practices to Ensure FERPA Compliance?
Maintaining FERPA compliance starts with knowing where employees, vendors, and students touch protected records. FERPA itself does not prescribe particular technical controls, so institutions combine IT security controls with monitoring, documented procedures, and training.
Some widely adopted practices include:
- Encryption: Protect records against disclosure in transit and at rest with strong, well-maintained encryption (for example, TLS for transfers and encrypted storage for record systems), with keys managed separately from the data they protect.
- Network and Endpoint Controls: Systems holding protected records should sit behind firewalls in segmented network zones, with anti-malware protection and timely patching to reduce the risk of unauthorized access.
- Access Control Policy Management: Limit disclosure to authorized parties with role-based access that reflects legitimate educational interest, define procedures for granting and revoking access on events such as hiring, role change, and termination, and review entitlements periodically.
- Monitoring and Logging: Log record- and user-level events on systems holding sensitive data so that unauthorized access can be detected and investigated. FERPA additionally requires institutions to keep a record of each request for, and disclosure of, PII from a student's education records (34 CFR § 99.32), so disclosure logging is a compliance requirement, not only a security control.
- Stakeholder Disclosures: Notify parents/guardians and eligible students annually of their FERPA rights, including what the institution designates as directory information and how to opt out of its disclosure.
- Continuing Training: Administrative employees, teachers, and contractors must receive regular training on their FERPA obligations.
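The access-control and logging practices above are easier to reason about in code. The following is an added example, written for this article; it is not Kiteworks code and not a FERPA reference implementation. It models a default-deny policy over the distinctions the law draws (own records, parents of non-eligible students, school officials with a legitimate educational interest, directory-information opt-outs, written consent for everyone else) and records every decision in a hash-chained log so that the record of disclosures cannot be edited silently. Every student, requester, course code, and address is hypothetical, and the policy deliberately omits details such as the dependent-student exception for parents.

```python
"""Role-based access decisions plus a tamper-evident disclosure log for student
records. Added illustration, not Kiteworks code or a FERPA reference
implementation; all students, requesters, courses and addresses are made up."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

EDUCATION = "education"   # grades, transcripts, financial aid, attendance ...
DIRECTORY = "directory"   # name, address, phone, dates of enrollment ...
GENESIS = "0" * 64        # previous-hash value for the first log entry


@dataclass
class Student:
    student_id: str
    eligible: bool                   # 18+ or postsecondary: rights belong to the student
    directory_opt_out: bool = False  # asked that directory info not be released
    consents: set = field(default_factory=set)  # principals holding written consent


@dataclass
class Requester:
    principal: str
    role: str                        # "student", "parent", "official" or "external"
    student_id: str = ""             # student/parent: whose records they hold rights to
    scope: frozenset = frozenset()   # official: courses they legitimately need


class DisclosureLog:
    """Append-only, hash-chained record of every decision; each entry commits
    to the previous one, so editing, reordering or deleting an entry is visible."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, event):
        return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({**event, "prev": prev, "hash": self._digest(prev, event)})

    def verify(self):
        """Recompute the whole chain from GENESIS; False if anything was tampered with."""
        prev = GENESIS
        for entry in self.entries:
            event = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
            if entry["prev"] != prev or entry["hash"] != self._digest(prev, event):
                return False
            prev = entry["hash"]
        return True


def evaluate(student, who, kind, course=""):
    """Default-deny policy. Returns (allowed, reason)."""
    if who.role == "student" and who.student_id == student.student_id:
        return True, "student inspecting own record"
    if who.role == "parent" and who.student_id == student.student_id:
        if student.eligible:   # rights have transferred to the student
            return who.principal in student.consents, "eligible student: written consent required"
        return True, "parent of a non-eligible student"
    if who.role == "official":
        if kind == DIRECTORY or course in who.scope:
            return True, "school official with legitimate educational interest"
        return False, "official lacks legitimate educational interest in this record"
    # Anyone else, including another student, is a third party.
    if kind == DIRECTORY:
        return not student.directory_opt_out, "directory information, opt-out honored"
    return who.principal in student.consents, "third party: written consent required"


def request_access(student, who, kind, log, course="", purpose=""):
    """Decide, then log the request and outcome whether or not it was allowed."""
    allowed, reason = evaluate(student, who, kind, course)
    log.append({"ts": datetime.now(timezone.utc).isoformat(),
                "student": student.student_id, "requester": who.principal, "role": who.role,
                "kind": kind, "course": course, "purpose": purpose,
                "allowed": allowed, "reason": reason})
    return allowed


def demo():
    """Constructed requests against two hypothetical students; returns (decisions, log)."""
    log = DisclosureLog()
    alice = Student("S1001", eligible=True, directory_opt_out=True,
                    consents={"registrar@partner.example"})
    bobby = Student("S2002", eligible=False)
    prof = Requester("prof.lee", "official", scope=frozenset({"CS101"}))
    recruiter = Requester("recruiter@corp.example", "external")
    alice_parent = Requester("alice.parent", "parent", student_id="S1001")
    bobby_parent = Requester("bobby.parent", "parent", student_id="S2002")
    partner = Requester("registrar@partner.example", "external")
    decisions = [
        request_access(alice, prof, EDUCATION, log, course="CS101", purpose="grading"),
        request_access(alice, prof, EDUCATION, log, course="HIST200", purpose="curiosity"),
        request_access(alice, recruiter, DIRECTORY, log, purpose="recruiting"),
        request_access(bobby, recruiter, DIRECTORY, log, purpose="recruiting"),
        request_access(alice, alice_parent, EDUCATION, log, purpose="check grades"),
        request_access(bobby, bobby_parent, EDUCATION, log, purpose="check grades"),
        request_access(alice, partner, EDUCATION, log, course="CS101", purpose="transfer"),
    ]
    return decisions, log
```

Running `demo()` yields `[True, False, False, True, False, True, True]`: the instructor sees only the course they teach, the recruiter gets directory information for the student who did not opt out but not for the one who did, the parent of the eligible student is refused without consent, and the partner registrar with written consent is allowed. Denied requests are logged as well, which is what makes the log useful for investigating attempted misuse. In a real deployment the chain head would be anchored somewhere the record-system administrators cannot write (a separate log service or a signed daily checkpoint); otherwise an administrator could rewrite the whole chain.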
What Are the Penalties for Failing to Comply With FERPA?
Like many other regulations, FERPA carries penalties for noncompliance. Accidental disclosures are common when employees are not properly trained about their obligations.
Some ways an educational institution can violate FERPA regulations include:
- Sharing letters of recommendation or other education records with outside parties (such as private companies) without the student's written consent
- Failure on the part of a vendor to secure systems containing confidential information
- Accidentally sending emails containing academic information to unauthorized parties
- Posting grades on a public board and connecting those grades to identifiable student data
- Providing academic information, or directory information for a student who has opted out, over the phone to an unauthorized party
Under FERPA, affected students or parents cannot sue an institution that exposed their information; the Supreme Court held in Gonzaga University v. Doe (2002) that the law creates no private right of action. Enforcement rests with the U.S. Department of Education, which investigates complaints and can ultimately withhold federal funding. FERPA provides for no monetary fines, and to date no institution has actually had funding withdrawn.
Individual personnel who breach FERPA may find themselves:
- Barred from accessing institutional resources related to their jobs, including access to educational platforms or student records
- Prosecuted under other laws (for example, computer misuse or identity theft statutes) if the disclosure involved such conduct, since FERPA itself carries no criminal penalties
- Terminated from their position in the institution
Additionally, an institution that does not comply with FERPA and refuses to come into compliance may face a total loss of federal education funding.
Support Your FERPA Compliance Obligations With the Kiteworks Private Content Network
FERPA, like other regulatory regimes, expects institutions to protect private user data. In practice this means secure platforms, private communication channels, and regular monitoring and maintenance.
For the education sector, keeping private data confidential is crucial, but cybercriminals and state-sponsored groups do not make this easy. SentinelOne reported earlier this year that educational institutions are the most targeted industry for cyberattacks, with attacks up 44% year over year. This exposes institutions to both breaches and FERPA noncompliance.
To address these challenges, the Kiteworks Private Content Network unifies, tracks, controls, and secures every send and share of sensitive content like student PII and protected health information (PHI). The Kiteworks platform employs a content-policy zero-trust approach for tracking and controlling who can access content, who can view and edit it, and to whom it can be sent. Governance and security capabilities in Kiteworks include powerful encryption, immutable audit logging, and secure hardware.
One capability some institutions find particularly helpful is single-tenant deployment, either on the institution's own Infrastructure-as-a-Service (IaaS) resources or as a private single-tenant instance hosted by Kiteworks in its cloud.
This means no shared runtime, no shared databases or repositories, and no shared resources, and therefore no path for cross-tenant breaches or attacks.
Educational institutions that need help protecting private data and ensuring compliance with regulations like FERPA can schedule a custom demo of the Kiteworks Private Content Network.
Additional Resources
- Report 15 Sensitive Content Exposure Risks You Need to Know About for 2023
- Brief 6 Reasons Why You Should Add Email Protection Gateway (EPG) to Your Kiteworks Deployment
- Case Study How Mandiant Uses Kiteworks to Protect Sensitive Content Communications to Protect Businesses Worldwide