We continue our compliance series with a focus on The Family Educational Rights and Privacy Act (FERPA).
What is FERPA?
Per the U.S. Department of Education, "The Family Educational Rights and Privacy Act (FERPA) is a federal privacy law that gives parents certain protections with regard to their children's education records, such as report cards, transcripts, disciplinary records, contact and family information, and class schedules. As a parent, you have the right to review your child's education records and to request changes under limited circumstances. To protect your child's privacy, the law generally requires schools to ask for written consent before disclosing your child's personally identifiable information to individuals other than you."
When a student turns 18 years old, or enters a post secondary institution at any age, the rights under FERPA transfer from the parents to the student.
FERPA prohibits disclosing a students personally identifiable information (PII) to third parties. A third party is defined as any individual or organization other than the student's parent or student. PII can only be disclosed if the parent or student has provided written consent (usually a signature).
Personally identifiable information that is protected under FERPA includes:
social security numbers
grades and GPAs
transcripts
health records
student financial information (post secondary level)
Educational institutions may disclose directory information, which is information in a student's record that is not considered to be PII. Some examples of directory information are:
student's name
address
telephone listing
date of birth
grade level
extracurricular activities within the institution, such as sports
degrees, honors, and awards
Directory information can be disclosed to anyone without the parent or student's permission, as long as the institution has given notice of the information the institution has deemed "directory information." Parents or students have the right to opt out of these disclosures. Institutions must allow a reasonable amount of time to request to opt out. It is up to the institution how they wish to convey this information, such as a letter sent home, email, etc.
What can I do to ensure I am FERPA compliant?
It's important that institutions carefully manage students records securely, pay attention to how they disclose information, and properly destroy files. Electronic sensitive data should be password protected. Consider implementing a strong password policy. Policies should be put in place on how to deal with data breaches or unauthorized disclosures. Teach students and employees how to safely navigate the internet on school premises so that no malware is introduced to the school's network.
Let Bedrock Technology take care of your cybersecurity and compliance needs.