FERPA Compliance

The FERPA Act does not contain specific Information Security policies, adherence to a sound Information Security Policy is a good starting point for all educational institutions. Learn how MSPs can assist their education clients.

What is it?

The Family Educational Rights and Privacy Act (FERPA) of 1974 is designed to protect student education records and student’s personal information. FERPA Compliance is overseen by The U.S. Department of Education.

Who does it apply to?

All schools K-12 and higher education, public or private, who receive funds from the U.S. Department of Education under any program. When schools, school districts, and other education agencies and institutions fail to comply with FERPA, they will lose their funding from the Department of Education. Individual states may also have laws enacted enforcing additional retention requirements. Penalties for not meeting individual state requirements could be disbursed for any improper disclosure or misuse of student education records.

How does it impact IT professionals?

MSPs may be called upon by educational institutions to help secure their networks and maintain an Information Security Policy that protected student education information as well as student PII.

What do your clients need to be FERPA compliant?

In order to be considered as in compliance with the FERPA Act, educational institutions must, in writing, notify students of their rights under FERPA. This notification of rights must take place annually. In addition, educational institutions must grant access by students (or parents if applicable) to education records.Institutions which violate FERPA can have their Federal funding withdrawn.

What is considered a student record?

There is a range of student education record types, including:

  • Financial information
  • Disciplinary files
  • All personal information
  • Student course history
  • Student transcripts
  • Immunization & health records

How Long Should Student Records Be Kept?

According to FERPA, there’s no formal retention time for student records. There are, however, many state laws that set retention restrictions.

When Student Records Can Be Shared

FERPA’s main purpose is to protect the privacy of student records and information, but there are some exceptions for who they can be shared with, including:

  • School officials with legitimate educational interest
  • Other schools to which a student is transferring
  • Specified officials for audit or evaluation purposes
  • Parties in connection with student financial aid
  • Accrediting organizations
  • Officials in cases of health and safety emergencies
  • State and local authorities within a juvenile justice system, pursuant to specific state law

How to become FERPA Complaint 

The best way to ensure your educational clients meet their FERPA requirement is to implement a record management strategy. This strategy should have strict policies and procedures in place that outline the secure process to store, backfile, scan, report, ad share student records. In the current state of data security and technology many educational institutions are benefiting from electronic storage of mass amounts of sensitive student data.