When you’re working with personally identifiable information (PII), you may have to follow data privacy laws that govern how you must handle it. If the PII comes from an educational institution, that law is the Family Educational Rights and Privacy Act, also known as FERPA.
What is FERPA?
The Family Educational Rights and Privacy Act of 1974 (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that pre-dates the World Wide Web. Under FERPA, parents have certain rights relating to a student’s education records in state-funded schools. These rights are:
- A student’s parents can view their child’s education records at any time.
- Parents can request a correction for any inaccurate information in a student's education records.
- The educational institution that holds education records cannot share such information with anyone else without the parent’s written permission, although there are some exceptions to this rule.
When the child reaches 18 years of age and is no longer a dependent student, they take over these FERPA rights from their parents. An eligible student can make a verbal or written request for education records in the same way a parent would.
What are the Exceptions to FERPA?
The first two rights under FERPA are roughly in line with other privacy laws, like GDPR or CCPA. Data subjects may view their records, and all records must be accurate.
The third part of FERPA differs slightly from other laws, as the data subject has to give explicit consent to data sharing. This means that the school has to seek the student or parent’s written consent before sending records to another organization.
There are some built-in exceptions, however, and these allow data to flow freely among educational institutions. Schools can share data with:
- Other schools with a legitimate educational interest, such as a school to which the student is transferring.
- Organizations dealing with student financial aid.
- Bodies conducting audits, evaluation, or research.
- Accrediting organizations.
- Law enforcement, or in response to a subpoena or judicial order.
“Legitimate educational interest” is perhaps the broadest exception. There’s no strict definition of this term, and an auditor may ask for further details.
What about Directory Information?
School officials can also publish directory information. This can include such information as the student's name, mailing address, place of birth, telephone number, date of birth, enrollment status, student ID number, major field of study, dates of attendance, and honors and awards. The educational institute doesn’t need the written consent of the student to publish directory information, but a parent or eligible student can ask for exclusion.
What FERPA Means for Data Management
If your organization is working with education records, then you have to be aware of FERPA. You also need to know your local and state laws, which might impose further conditions on handling personally identifiable information.
The U.S. Department of Education (ED) published guidelines for school officials on best practices when dealing with educational records and other such information. You can find the full document on the main ed.gov website, but here are some of the main points:
First, the ED lays out some key terminology:
- Data governance: Each organization’s internal framework for handling student education records, which must comply with FERPA.
- Data steward: The person or team responsible for educational records within the institution.
- Integrated Data System (IDS): Many educational institutions now pool their data via an IDS, which can collate information for a school district.
- IDS lead: The owner of an IDS, which is usually a regional education authority.
- IDS partner: An educational institute that supplies data to the IDS lead.
Based on these core concepts, the ED explains how school officials can stay compliant with FERPA.
1. Have a strong data governance framework. Each organization needs clear rules about data handling. This includes handling, transmission, and storage. Don’t forget — FERPA mandates that you make data available to students (or their parents). You also need a process for applying corrections.
2. Empower your data steward. Every organization should have someone who fully understands FERPA rules. They must have the authority to prevent breaches and advise on compliance.
3. Know why you’re collecting data. Educational records should only contain relevant data. If the information doesn’t serve a clear purpose, it’s best to delete it.
4. Understand your processing reasons. If you don’t have explicit consent to share data, you may need to justify your actions by citing an exception. If you claim legitimate educational interest, you may need to prove that the interest is genuine.
5. Be transparent. It’s a good idea to involve all stakeholders in any decision about data sharing. Explain why you’re planning to share data and listen to any feedback. IDS leads and IDS partners should stay in contact and communicate changes to each other.
6. Keep records. A paper trail will help answer questions about data sharing practices. Use a system that can keep track of all data transfers. Remember also to keep track of why you shared data and whether you had explicit permission to do so.
7. Obfuscate where possible. The IDS lead can choose to hide certain data values. For instance, if an organization wants to do some analysis of a school district, the IDS lead can delete or mask any PII related to dependent or independent students.
8. Use a solid data infrastructure. Using an IDS means sensitive data is traveling across the internet between different systems. To guarantee privacy and security, you need to have top-class infrastructure on both sides. That involves antivirus software, firewalls, physical security, and encryption. You also need a reliable way of getting data from the IDS partner to the IDS lead.
Most of these rules are common sense, and they fit with best practices for dealing with sensitive data. The only difference is that your organization could face stiff penalties if you break the FERPA rules.
How Integrate.io Can Help with FERPA
FERPA regulations came into force even before fax machines, back when student records were all on paper. These days, educational institutions rely on the cloud and digital tools to manage such information. This raises a whole new set of questions about how to use technology while protecting the privacy of student records.
As the ED points out, the key is to have the right infrastructure. Integrate.io allows you to build reliable data pipelines with field-level encryption for added security. You have complete control over how you transmit and receive personally identifiable information and full visibility into every stage of the process.
Want to learn how Integrate.io can help you stay FERPA compliant? Try our 14-day demo and see for yourself.