The Family Educational Rights and Privacy Act of 1974 (FERPA) is a United States federal law that determines how educational information can be accessed.
The law give parents access to their child’s education records, and more control over how their data can be disclosed.
In most cases, the school is required to obtain consent from the parents before disclosing their child’s information. FERPA only covers educational institutions that receive funds from the U.S. Department of Education.
The Family Policy Compliance Office (FPCO) investigates complaints of alleged violations of FERPA. If they confirm that a violation has occurred, they will give the college a reasonable amount of time for them to make the necessary corrections.
Unlike the GDPR, where fines for non-compliance can be as much as €20 million, it’s unlikely that failing to comply with FERPA will result in a fine or some form or criminal prosecution. That said, if the non-compliant entity fails to make the necessary corrections, they may have their funding revoked, or be subject to an alternative form of disciplinary action, depending on the severity of the risk.
Below are some of the key steps that need to be taken to comply with FERPA
What Information Is Covered by FERPA?
All information in a student’s record will fall into one of two categories: personally identifiable information or directory information.
Personally Identifiable Information (PII)
PII is any data, or set of data, that can be used to identify a student. This might include a student’s name, data or birth, place of birth, student ID, social security number, and so on. PII cannot be disclosed without consent from the student’s parents or the student, if they are over 18 years old. In addition to obtaining consent, the school must inform the parents about the reasons for disclosure, and who the data will be disclosed too.
Directory information is the type of information that one could typically find in the public directory, such as a phonebook. Given that this information is already publicly available, schools are not required to obtain consent for its disclosure, as it would not violate the privacy of the student. That said, some directory information might still be classified as PII if it were joined with other information to reveal the identity of the student.
Ensure That Parents and “Eligible” Students Know What Their Rights Are Under FERPA
Under FERPA, parents have the right to view and request changes to their child’s records, assuming the child is under the age of 18, and not entering post-secondary education. In some special cases, the parents are able to retain these rights after the student turns 18. However, this is usually due to tax reasons. Schools will need to produce a document that outlines the exact rights that parents and eligible students have, when it comes to accessing their data. Parents and eligible students must be allowed to view the policy, and should be annually reminded of their rights, as well as notified, were they to change.
Before disclosing PII, the school must obtain consent from the parents or eligible student, and they must be informed about how to refuse the disclosure of both PII and directory information. Additionally, they will need to be informed about how to report FERPA violations to the supervisory authorities.
It should be noted that there are certain circumstances where schools are legally allowed to disclose records containing PII without obtaining consent from the parents or eligible student. A school may disclose PII to the following recipients without obtaining consent:
- School officials who have a legitimate educational interest in the information.
- Other schools where the student is planning to enrol.
- Representatives of the Comptroller General of the United States, the Attorney General of the United States, the Secretary of the United States Department of Education, or other state or local authorities for purposes of audit or evaluation.
- State or local officials or authorities within a juvenile justice system, as long as the disclosure is made pursuant to a state law.
- Organizations that are conducting studies for educational agencies or institutions in connection with the development or administration of predicative tests or student aid programs, or studies that are intended to improve educational instruction.
- Accrediting organizations for purposes of conducting accreditation procedures.
- The parents of a dependent student as defined by the IRS.
- An organization dealing with a health or safety emergency.
- An organization that is providing financial aid to the student, assuming they have applied for it, and that the disclosed information is relevant to their application.
- The police, assuming a court order has been issued.
For a more detailed explanation of the various exceptions, you can visit the Electronic Privacy Information Center website.
Make Sure That Any Third Parties You Deal withAre Able to Comply with FERPA
Schools will need to carefully screen any vendors or associates, to ensure that they are able to satisfy the FERPA compliance requirements. They will need to ask questions about how they plan to collect and store student data, and the access controls they have in place to prevent unauthorised access.
Any vendors who offer to analyse student data for free should be avoided, as it is likely that they are seeking to make money from the data in some way. Schools will need to establish legally binding agreements with third parties, to ensure that they are aware of their responsibilities, when it comes to protecting student information and complying with FERPA.
Implement Policies &Procedures in Line with FERPA Compliance
Schools will need to establish clear policies and procedures to make it easier for staff members to comply. These might include acceptable use policies, procedures for disposing of old/redundant records, and an Incident Response Plan (IRP) to help limit the amount of damage caused by a data breach.
Keep Your Staff Informed of Their Responsibilities Under FERPA
Schools should carry out regular training to ensure that all staff members are aware of their responsibilities when it comes to protecting the privacy of student information, especially PII. Training sessions should be held at least once a year and should include information about the policies and procedures mentioned above.
Staff will also need to be reminded about the many exceptions (also listed above), which can be easy to forget. Many of the FERPA violations boil down to a lack of training. For example, if a member of staff witnesses a fight on the playground, they are free to speak about the incident with whoever they choose.
However, if they did not witness the incident directly, but instead learned of the incident via a formal document, they will not be allowed disclose the details of the document without authorisation. As such, staff members must be trained to ensure that they know what information they can share, and with whom. Staff members should have at least a basic understanding of data security best practices. For example, accidentally sending data to the wrong recipient will likely result in a violation of FERPA, yet this is a common mistake that people make.
It’s also worth bearing in mind that parents (and students) also make mistakes. For example, a parent might send a request for access to the wrong department. If the recipient doesn’t know what the request is about, they might choose to ignore it, which could result in a violation of FERPA.
Encrypt FERPA Covered Data atRest and In Transit
The SANS Institute estimates that on average only 54% of higher educational institutions encrypt PII in transit, and a mere 48% encrypt PII at rest.
While the use of encryption isn’t strictly necessary to comply with FERPA, it is still one of the simplest, cheapest and most effective ways to safeguard confidential data. If a device containing sensitive data were to be lost, stolen or hacked in some way, the encrypted files would be unreadable to anyone who doesn’t have the decryption key.
Keeping track of encryption keys across an entire district can be a challenge, and each time any on-boarding/off-boarding takes place, the keys need to be reviewed and reshuffled to ensure that ex-employees are not able to access the encrypted information.
Implement AComprehensive Data Loss Prevention Strategy for FERPA Breaches
Data Discovery and Classification
Regardless of which data privacy laws we are required to comply with, one of the first things we need to know is exactly what data we have, how sensitive the data is, and where it is located. It’s likely that most educational institutions will store large amounts of unstructured data, and while it may be possible to manually sift through this data and classify it accordingly, it would be more efficient to use a solution which can discover and classify the data automatically.
User Behaviour Analytics (UBA) with Real-Time Alerting
UBA is about knowing who, what, where and when, changes are being made to your sensitive data. UBA solutions use Machine Learning (ML) to learn the typical patterns of behaviour for each user, and send an alert, in real-time, when a user interacts with sensitive data in manner that is not typical for a given user.
For FERPA, organizations can use UBA to analyze user interactions with student data to ensure that unauthorized access or suspicious behavior isn’t taking place. If such behavior is taking place, being able to receive real time alerts will ensure that you can react quickly to prevent a potential FERPA breach.
Given that schools are using increasingly more cloud-based services, you will need a UBA solution that can aggregate and correlate event data from multiple cloud platforms.
Detect Unencrypted PII Leaving the Network
Data Loss Prevention refers to number of related strategies and solutions, with UBA being one of them. However, there are some DLP solutions, such as an Intrusion Prevention System (IPS) or a Next-Generation Firewall (NGFW) that can automatically detect and block unencrypted PII leaving the network.
Administrators will receive real-time alerts about suspicious network traffic, which will enable them to conduct and investigation into the issue.
In schools, where there are many staff coming and going, and where students have a tendency to engage in disruptive behaviour, we mustn’t ignore the importance of implementing strong physical security measures.
Such measures will include ID badges, locks, alarms, and CCTV cameras. Access to the server rooms must be controlled, and any network-enabled devices, such as printers, will need to be secured. Staff members should use automatic screen locking, and, ideally, the public/guest Wi-Fi network should be isolated from the network and devices that are used internally for processing student data.
How Lepide Helps You Become FERPA Compliant
The first step in achieving FERPA compliance is identifying where all of your PII and directory information resides in your data stores. This cannot be a one-off exercise either; classification must be an ongoing process as new data is generated. The Lepide Data Security Platform enables you to discover and classify your sensitive data by risk, type and relevant compliance requirements.
The next step is to ensure that you minimize the risk of breaches involving this sensitive data. Lepide can help you determine which of your users have access to FERPA-covered data and can even suggest which of these users do not require privileged access through their excessive permissions report. This kind of visibility can help you reduce your potential attack surface by implementing a policy of least privilege.
Once you have minimized risk through governing access, you can then use the platform to proactively monitor the behavior of users accessing, modifying, moving, copying or doing anything with your sensitive data. Lepide can learn what normal behavior looks like and proactively alert administrators when users’ behavior deviates from this norm.
If you would like to see the solution in action, schedule a demo with one of our engineers today.