FERPA Compliance

A primer on FERPA Compliance

Schools traffic in a lot of sensitive information pertaining to their students, like grades, transcripts, schedules, health records, financial aid information, or disciplinary documents—in other words, personally identifiable information, or PII. It’s critical that information like this be carefully controlled, easily accessible to parents, and disclosed to third parties only when necessary or with permission.

But that’s a complex, and sometimes contradictory, web. Keeping PII confidential and knowing when and how to disclose it can be challenging. Enter the Family Educational Rights and Privacy Act (FERPA), a federal law that designates under what circumstances—and to whom—educational institutions may reveal private information. If you’re a school, school district, or college or university that receives any federal funding (and most do!), FERPA compliance is mandatory.

You might have heard of FERPA thanks to media protests against the misapplication of FERPA compliance: Sometimes, education officials lean on the law to conceal public records that are not educational in nature, which has led to a lot of confusion about what’s at work when it comes to FERPA. Let’s unpack what FERPA compliance really means, and how to achieve it.

What does FERPA do?

FERPA came about in the 1970s in response to the growing abuse of student records. The guidelines apply to any personal information, whether it’s transmitted on paper, electronically, or verbally. Bottom line: FERPA is all about protecting students’ privacy, while keeping them informed about the contents of records kept about them.

FERPA’s mission is threefold. It grants rights to parents and students:

  • to view personal education records;
  • to seek changes to the records if they are inaccurate or misleading;
  • to have some control over the disclosure of any PII. Here, schools often must ask parents for written consent before releasing students’ information to a third party, such as an employer, financial aid organization, or the media.

Students over 18 or enrolled in post-secondary institutions like colleges and universities are also granted the right of privacy regarding grades, enrollment, and other information. Parents may retain their rights only if the students are considered their dependents in the eyes of the IRS. In short, FERPA protects the privacy of families, making it especially difficult for personal information to be transferred haphazardly, keeping privacy—and trust—intact.

Recently, FERPA was in the news thanks to a group of students at Stanford University who asked the administration for their admission records. Because the information was considered an education record, the university had no choice but to comply within 45 days, releasing written assessments admissions officers made about the applicants, the numerical scores they assigned regarding a range of factors, and recommendation letters. The students urged others to follow their lead and take advantage of FERPA, which legally granted them access to this information.

Who can receive PII under FERPA?

A student’s information can be released to the student and/or his or her parents, as outlined above. From there, they can do what they wish with it.

Generally, schools need to have written permission from parents or eligible students to release information to third parties, but FERPA compliance means certain entities can still receive PII without consent. Namely, consent is not required for:

  • School officials with legitimate educational interest;
  • Institutions to which a student is transferring;
  • Specified officials for audit or evaluation purposes;
  • Student financial aid parties;
  • Organizations conducting certain studies for or on behalf of the school;
  • Accrediting organizations;
  • Officials complying with a judicial order or subpoena;
  • Appropriate officials in health and safety emergencies;
  • State and local authorities, within a juvenile justice system.

When it comes to FERPA compliance, it’s important to note that when a third party is granted student information—whether or not it requires consent—the recipient is then prohibited from disclosing it further. But it falls on the original school to make sure the third-party organization is complying with FERPA and keeping the entrusted data under wraps.

What’s at stake with FERPA compliance?

Educational institutions that flout FERPA compliance may forfeit their federal funding or be subject to institutional sanctions. Some states even levy monetary fines against institutions that improperly disclose private information.

Consider the 2013 breach of 300,000 Social Security numbers belonging to students and alumni of the University of Maryland. Not only was it a massive violation of FERPA compliance, Maryland also had to shell out $2.8 million to provide credit monitoring services to the affected students.

How can I make sure that I’m following FERPA compliance rules?

It’s no secret that schools are a wealth of sensitive information—and when FERPA is breached, it’s rarely intentional. As education records are increasingly being kept, transmitted, and discussed online, they become a prime target for cybercrime.

New technology has revolutionized education—but it’s also provided new opportunities for negligence as well as hackers. In 2013, 9 percent of all data breaches came from the education sector.

What’s more, colleges and universities hold many of the same records as banks—but they’re a lot easier to breach.

It’s especially important to ensure that your PII is kept secure. The National Association of Colleges and Employers provides several recommendations for ensuring FERPA compliance:

  • advise students annually of their FERPA rights;
  • obtain signed, written consent before releasing student PII to employers, recruiters, or other third parties;
  • train your employees and develop policies about retaining and distributing student information;
  • review third-party agreements to confirm their FERPA compliance; and
  • establish plans for responding to potential breaches.

How can Sookasa help with FERPA compliance?

By now, you likely see that the disclosure of student information is delicate. So how do you go about protecting these sensitive records?

Keeping your files safe is a good first step to maintaining FERPA compliance, and can be achieved with smart password practices and security-savvy file usage. It’s just as likely, or even more likely, that a security breach will occur accidentally, through an employee mistakenly emailing information to the wrong person or having her laptop stolen, rather than at the hands of a hacker.

Securing files with programs like Sookasa makes transmitting files simple and secure. We’ve spent years developing one of the world’s most secure cloud services, and we partner with Dropbox to allow for the simplest cloud-based syncing and storage solution around. Sookasa allows you to share education records with parents, students, and authorized third parties through Dropbox; they become encrypted before ever reaching the cloud, and remain encrypted even if your laptop is stolen or Dropbox is hacked.

There are a number of safeguards to keep in mind as best practices when you’re dealing with student records, and Sookasa is well equipped to help you navigate them. Here are a few we think are especially useful:

  • Data Back-Up: Dropbox lets you upload an unlimited number of files, and Sookasa will protect all of them. Not having to worry about storage capacity means you can secure as many files as you need.
  • Data Encryption: Sookasa employs robust encryption strategies that protect your data even if Dropbox is compromised.
  • Data Integrity: Audit logs allow you to monitor which files have been altered, by whom, and when. If an unauthorized user gains access to your files, the audit logs make the intrusion easy to spot.
  • Automatic logoff: Sookasa automatically logs users off after a predetermined period of inactivity, ensuring that unattended devices pose no threat to file security.
  • User Privileges: Users have unique IDs and must be authorized and logged in to access Sookasa-protected files.
  • Revoked Access: Administrators can revoke access for users and devices in real time, meaning that a lost or stolen device can become inaccessible immediately, and a hacked user account can be disabled.

Through these and other methods, Sookasa can help you rest assured that your students’ PII remains private. After all, being confident in the safety of your students goes a long way when it comes to FERPA compliance.