If you're storing or processing education records, it's absolutely essential that you're familiar with FERPA. But what is FERPA exactly, and how does FERPA relate to data privacy? We go over everything you need to know.
Table of Contents
What is FERPA?
The Family Educational Rights and Privacy Act of 1974 (20 U.S.C. § 1232g; 34 CFR Part 99), commonly known as FERPA, is a federal law that protects the privacy of students and their educational records. All schools and educational institutions that receive funds from the U.S. Department of Education must comply with FERPA.
FERPA prohibits schools, universities, registrars, and deans from releasing a student's education records without the student's written consent. An "eligible student" under FERPA is any student 18 years of age or older, or who is attending a postsecondary institution at any age. There are a few key additional rules:
- Non-post-secondary students under 18 are not covered by FERPA. Parents can view their children's education records and seek to amend them if necessary.
- All students over 18 can engage in voluntary disclosure of information to their parents or other people of their choosing.
The two types of information that are protected under FERPA include:
- Educational information (e.g. GPA, grades, report cards, transcripts, course enrollment). Disciplinary records have usually, but not always, been considered educational information in FERPA court cases.
- Personally identifiable information (e.g. Social Security numbers, family contact information, biometric records such as fingerprints and handwriting)
There are several caveats to FERPA. First, the law does not apply to "directory information," i.e. information, if disclosed, that does not violate student educational record privacy. This includes data such as:
- A student's name, mailing address, telephone number, date and place of birth, and student ID number (unless this ID number can be used to access education records)
- Extracurricular activities
- Honors and awards
- Dates of attendance or enrollment
Second, FERPA allows for limited disclosure of student information, without the consent of the student, to parties such as:
- School officials with a "legitimate educational interest"
- Another school to which a student is transferring
- Parties handling a student's financial aid
- A student's parents or officials in the event of a health or safety emergency
- Law enforcement, following a judicial order or subpoena
FERPA and Data Privacy
FERPA has a simple goal: to protect student privacy by preventing the unauthorized disclosure of education records. But in the era of big data, how does a law passed nearly 50 years ago, help safeguard data security and a student's right to privacy?
Surprisingly—or perhaps not so surprisingly, given the law's age—FERPA does not contain any provisions for what to do in the event of unauthorized disclosure, such as a data breach. For example, FERPA does not require institutions to notify students in the event of a breach that reveals their data, although they must create an internal record of this disclosure. The law says only that institutions "must use reasonable methods" to prevent unauthorized individuals from accessing students' educational records. In the event of a violation or alleged failure to comply with FERPA, parents or eligible students can file a complaint with the Family Policy Compliance Office of the U.S. Department of Education.
Unfortunately, data breaches and other cyberattacks against schools and universities are becoming more and more common, as malicious actors search for targets that are both easy and profitable. In April 2021, for example, universities including Stanford, the University of Miami, and the University of Colorado were victims of a data breach because of vulnerabilities in the Accellion file transfer software. The leaked data included students' mailing addresses, email addresses, Social Security numbers, and financial information.
Despite the lack of penalties under FERPA for unauthorized disclosure, there are still good reasons for schools and education programs to guard student data closely. First, FERPA violations can cause long-lasting reputational damage to the institution. In the wake of an improperly handled data breach, student applications and enrollments may decline due to a school's perceived indifference to student privacy and data security.
Second, these institutions may still be subject to other data privacy laws and regulations. Students in California, for example, are covered by the state's CCPA (California Consumer Privacy Act). Although the CCPA does not apply to non-profit educational institutions directly, it certainly applies to third-party companies who help these institutions process student data.
Here's another example of the ramifications of a breach of student data. In 2016 graduates of the University of Central Florida sued the school after their Social Security numbers were exposed in a 63,000-person data breach. The lawsuit argued that the school had violated Florida state law, in particular the Florida Deceptive and Unfair Trade Practices Act. UCF settled the lawsuit in 2018, agreeing to dedicate $1 million annually to protect students' and employees' personal data.
How Integrate.io Can Help with FERPA
To comply with FERPA and other privacy regulations, you need to take data security seriously. This includes your choice of ETL tool for when you move student records between different databases and data warehouses.
Integrate.io is a powerful, feature-rich, yet user-friendly ETL and data integration platform. We make security our utmost priority. We use SSL/TLS encryption on all our websites and microservices to protect your data both in transit and at rest.
Want to learn how Integrate.io can help you build a FERPA-compliant data integration workflow? Get in touch with our team of data experts today for a chat about your business needs and objectives, or to start your 7-day pilot of the Integrate.io platform.