The EU’s General Data Protection Regulation (GDPR) currently receives the most attention among recent privacy legislation intended to protect the personal information of individuals and households. However, GDPR is only one of several laws of this type, some of which may seem obscure in comparison. The Family Educational Rights and Privacy Act (aka FERPA) is a federal law designed to protect the privacy of education records of current and former students. Unlike some of the more commonly known privacy laws, many of which have sprung into existence largely due to recent and highly publicized data breaches, FERPA actually came into being in 1974.
FERPA applies to all schools that receive funds under a specific program of the U.S. Department of Education. Therefore, private and parochial schools at the elementary and secondary levels are typically not subject to FERPA. Private postsecondary schools, however, are generally subject to FERPA, as they do receive such funding.
Generally speaking, parents may access their minor child’s education records, although control reverts to the child directly upon reaching their 18th birthday or upon entering a postsecondary educational institution at any age. Schools are required to honor information requests within 45 days.
With some exceptions, schools are generally prohibited from disclosing personally identifiable information without written consent. Disclosures considered exceptions include:
- Those made to school officials with legitimate educational interests;
- Those made to other schools where the student intends to enroll;
- Those made to state or local education authorities for auditing or evaluating federal- or state-supported education programs, or enforcing federal laws that relate to those programs; and
- Information the school designates as “directory information,” which includes data that is not considered an invasion of privacy if disclosed, such as name, postal and email addresses, telephone numbers, birth date, attendance dates, grade level or participation in sports or other activities.
In addition to controlling access to student records, the Act also provides a mechanism for students or parents to amend any record they find to be inaccurate or in violation of the student’s privacy rights. If the custodian of the offending record refuses to make the requested alterations, the student is entitled to a hearing.
From the educational institution’s standpoint, FERPA does not require schools to retain records that are no longer needed or to provide access to documents that have been purged, unless there is a pending request for access. If a school no longer has an internal administrative need to maintain a student’s records and state law allows them to be destroyed, it’s generally considered a best practice to destroy them, as schools have no obligation to provide access to destroyed records.
When FERPA was passed in 1974, student records most likely took the form of paper documents stored in a filing cabinet. Current technology has made it more likely that electronic records are dispersed across multiple locations. For current documents, institutions should maintain an inventory of where education records and personal data are held. FERPA information requests can be expedited if comprehensive lists of what types of data exist and who manages them are maintained. Which records are kept with the registrar, and which do teachers keep in classrooms? Are they on-premises or in the cloud? Administrators need to review their state’s record retention laws and consult with their legal counsel in order to determine which documents fall under FERPA jurisdiction.
Sherpa Software provides a host of solutions that enable you to quickly locate personal information across all your unstructured data (on every individual employee workstation, company fileshares, SharePoint, email, PSTs, and over 70 types of attachments) and then take the desired action. You’ll have a defensible, auditable process for knowing what data is stored, where it’s stored, and who owns the file, and then easily manage it with the automated workflow that suits your company policy: copy it, move it, quarantine it, or delete it.
The cornerstone of any compliance program, FERPA or otherwise, is adopting a policy to save only the data you need. Sherpa makes it easy to implement and automate data retention/deletion policies that are as complex as your company desires, with infinitely customizable workflows to save, move, copy, and delete data with whatever exceptions you need.
For more information on FERPA compliance or other Information Governance challenges and solutions, please contact your Sherpa Software representative.