Management, compliance & auditing

How to comply with FERPA

Greg Belding
August 18, 2018 by
Greg Belding

Higher education is not only a popular way to expand one's knowledge; it can also open doors to employment and other opportunities. This translates into millions applying to colleges and universities annually, and a deluge of personal information contained in applications.

In response to this, Congress passed the Family Educational Rights and Privacy Act, or FERPA, in 1974. Institutions that receive federal funding are required to comply with FERPA or risk losing their funding. This clearly puts FERPA compliance at the top of the priority list for these institutions. This article will detail how institutions can comply with this student privacy protection act.

Protected information

There are three types of information that FERPA covers: educational information, personally-identifiable information (PII) and directory information. Signed, written consent is required prior to the release of educational information and PII, which will be the types of information that this article will mainly focus on. Directory information does not require signed, written consent prior to its release. Directory information that is released should indeed be disclosed, but more on that later.

Educational information includes the information classification of "educational records." The FERPA definition of educational records is "records, files, documents or other materials … that are maintained by an educational agency or institution." Operationally, this boils down to student GPA, transcripts, Social Security number, grades and evaluations for academic purposes.

FERPA compliance

Complying with FERPA is not a difficult feat to accomplish, but proper care should be taken to be sure. Below are tips for institutions trying to comply with FERPA.

Students rights

Institutions should advise students of their rights under FERPA on an annual basis. This should include any changes to FERPA that impact student rights.

Students have the right to view their educational records and letters of recommendation. If desired, students can also waive their right to view both of these files.

Consent

Prior to a school official, administrator or any other school representative releasing a student's PII or educational information, the school must obtain from the student a signed, written consent.

Training

Institutions should conduct regular training of their employees with respect to the student rights prescribed in FERPA. This training should be ongoing for all employees.

Notification

Institutions often host and facilitate employers, recruiters and employment agencies, and exposure to PII and education information can run rampant. Always be sure to notify these entities that the information they are being exposed to is subject to FERPA and that this protected information cannot be disclosed without student consent. Third parties with access to this information should be notified as well.

Use of directory information

As touched on above, the institution is required to notify the student of what information will be used as directory information. This notification should clearly communicate what protected information will be used and should give the students a reasonable amount of time for the student to opt out or to notify the institution that they do not want their information to be used as directory information.

Information technology

FERPA compliance goes so far as to touch how institutions structure and manage their information technology operations. Below are some tips to check if your institution's information technology department is FERPA-compliant:

  • Encryption. Encryption will help secure your data on a physical level. That is, if an institution's computer is physically stolen, students' protected information will not be accessible.
  • Find and Eliminate Vulnerabilities. Databases in the Cloud are not always protected as well as you would want them to be. Perform a vulnerability scan on your Cloud-based databases for potential vulnerabilities. If any vulnerabilities are found, immediately correct the issue. While you are at it, take a look at the security for any non-Cloud based systems you are using and correct any issues found immediately.
  • Use Compliance-Monitoring Mechanisms. Exposure of protected student information is a 24/7 issue. Hackers can breach networks any time, and that breach is considered a FERPA violation. Therefore, it would be smart for institutions to implement compliance-monitoring mechanisms. Try to use a compliance-monitoring mechanism capable of the following: running silently in the background, monitoring employee behavior and easy compatibility with other analytics systems. A good choice to use is a powerful SIEM, which can monitor networks and aid in times of compliance audits.
  • Information Security Plan Assessment and Update. FERPA, like other regulations, can change in response to changing circumstances. Institutions would be well-advised to perform regular assessments of their information security plan in light of changing circumstances and should update their plans accordingly.

Data breach policy

No matter how tight information security can be made, no system is completely impenetrable. This means that at some point in time, your information security system will probably be breached. To handle this nightmare, institutions should create and implement data breach policies and procedures. This will demonstrate to any potential auditor that while you are confident in your information security system, you have a disaster contingency plan in place for when a breach does occur.

Sources

Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.