What Is FERPA and What Are the Necessary Security Controls?

The right to privacy for individuals impacts just about every industry, and education is no different.

State and federal legislative bodies continue to introduce regulations pertaining to the protection of student records. If schools don’t comply with the Family Educational Rights and Privacy Act (FERPA), for example, federal funding is at risk, and schools may face a hefty fine, with an average cost of $245 per breached record.

FERPA is a federal law that affords parents with children under 18 three primary rights:

• Access to their children’s education records
• The ability to request records to be amended when errors or changes occur
• Control over the disclosure of their children’s personally identifiable information (PII)

When a student turns 18 years old or enters a post-secondary institution at any age, the rights under FERPA automatically transfer from the parents to the student. Under the act, a parent or eligible student must provide a signed and dated written consent before an educational institution discloses personally identifiable information (aka PII) from a student’s education records.

PII includes student names, identification numbers, and other information that distinguishes an individual’s identity through linkages with other sources of information. FERPA applies to all educational institutions that receive funds from any program administered by the Department of Education. Private schools are thus not subject to FERPA.

Best Practices for FERPA Compliance When Sharing Data with Government Agencies

Given the requirements of FERPA, educational leaders and their IT teams need to focus on protecting student privacy as data is used to drive program and policy formulation decisions. Where this challenge gets a bit tricky are the data systems that educational institutions are integrated with and which allow the linkage of administrative data from multiple government agencies. These include agencies that oversee child welfare, assisted housing, juvenile and adult justice, mental health, employment and earnings, early childhood education, homelessness, and health statistics.

It’s helpful for educational leaders to tap into these integrated systems so data from multiple sources can be analyzed holistically when designing educational programs and policies. But at the same time, connecting to other government agencies creates security risks that could violate FERPA requirements.

To help educational institutions take on this challenge, the U.S. Department of Education has published Integrated Data Systems and Student Privacy. The guide presents several best practices for governance and information security controls that IT teams can follow to make sure they comply with FERPA as they share data with other government agencies:

• Assign appropriate levels of authority to data stewards and proactively define the scope and limitations of that authority.
• Adopt and enforce clear policies and procedures in a written plan to ensure everyone understands the importance of data quality and security.
• Identify the purposes for which data is collected; this justifies the collection of sensitive data and optimizes data-management processes.
• Specify managerial and user activities related to handling data to provide data officers and users with appropriate tools for complying with security policies.
• Establish and communicate policies and procedures for handling records throughout all stages of the data lifecycle; this includes acquiring, maintaining, using, archiving, and destroying data.
• Ensure data is accurate, relevant, timely, and complete, and that the data is used for intended purposes.
• Establish and regularly update strategies for preventing, detecting, and correcting errors and misuses of data.
• Define and assign differentiated levels of data access to individuals based on their roles and responsibilities to prevent unauthorized access and to minimize the risk of data breaches.
• Maintain a record of each request for access to PII and each disclosure of student records; disclosure documentation should cover the release of information to integrated data systems as well as re-disclosures from an integrated data system to other stakeholders
• Ensure the security of PII and mitigate the risks of unauthorized disclosure of the data; essential components include:
  • Physical security
  • Network mapping
  • Authentication
  • Layered defense architecture
  • Secure configurations
  • Access controls, firewalls
  • Intrusion detection
  • Prevention systems
  • Automated vulnerability scanning
  • Patch management
  • Incident handling
  • Audit and compliance monitoring.

Transparency is also critical. Educational institutions should ensure all stakeholders are informed of the data governance and security policies and procedures. This includes state and local government agencies that connect to the integrated data system, policymakers, school staff and administration, and families with students in the community.

Building Robust Education Programs While Protecting Student Data

The diversity of integrated data system structures shared by government agencies along with governance models and the uses of student data present a complex legal and policy issue relating to privacy. Educational institutions will need to delve more deeply into FERPA and should rely on the expertise of an external consultant and legal counsel to make sure the necessary security controls are deployed.

The investment of time and resources is worthwhile in that participating in an integrated data system can help educational leaders tap into the data they require to build more robust educational programs and comprehensive policies. And by following the best practices outlined above, IT teams can better ensure they protect student privacy in compliance with FERPA and other applicable privacy laws.

Progress MOVEit^® Managed File Transfer can play a key role in helping educational institutions comply with FERPA. The solution assures compliant internal and external transfers of files containing protected student information by encrypting all data in motion and at rest. To see how MOVEit can help your organization, download a free trial today.