FERPA Services

FERPA Services

Advisory services to establish a credible FERPA compliance program.

Know how to handle records and aware on responsibilities.

Identify clear policies about who has the right to access records.

Addressing FERPA mandates with the application of cybersecurity.

Comprehensive assessment to identify FERPA compliance gaps.

Development of tailored FERPA security procedures.

FERPA Fast Facts

  • Family Educational Rights and Privacy Act (FERPA) of 1974.
  • Applies to all school that receive funding from the Department of Education (DoE).
  • Protects privacy of students educational records and allows students to access their records.
  • FERPA obligates faculty/staff to follow certain rules about protecting student information.
  • Children’s educational records may not be released without parent’s written consent.
  • DoE is responsible for enforcing FERPA.

An Executive Summary

  • U.S. Federal Law (20 U.S.C. § 1232g; 34 CFR Part 99).
  • Grants parents the right to inspect and review student records until their children are 18.
  • Once children turns 18, or attend post-secondary institutions, these rights revert to the child.
  • Educational institutions needs to meet FERPA requirements when engaging in online or connected services.
  • School must inform parents and students to obtain appropriate consent.

Who May have Access to Student Education Records and PII?

DoE must have written permission from the parent, guardian or eligible student in order to disclose PII or information from a student's education record to non-DoE personnel.

Definitions

PII is the student’s (or family member’s) name, address, personal identifier, and personal characteristics or other information that would make the student’s identity easily traceable.

An education record is any record that is:
• Directly related to a student; and
• Maintained by an educational agency or institution, or by a party acting for the agency or institution.

A “school official” includes a teacher, school principal, president, chancellor, board member, trustee, registrar, counselor, admissions officer, attorney, accountant, human resources professional, information systems specialist, and support or clerical personnel.

Need the consent of a student in writing before release a record or talk about its contents.

A school official has a “legitimate educational interest” if the official needs to review an education record in order to fulfill his or her professional responsibilities.

FERPA identifies certain categories of information as “directory information,” which the University may release without student permission.

Eligible student means a student who has reached 18 years of age or is attending an institution of post-secondary education.

Disclosure means to permit access to or the release, transfer, or other communication of PII contained in Education Records to any party, by any means, including oral, written, or electronic means.

Records relating to an individual who is employed by the University not as a result of his or her status as a student are excluded.

Computer Security ensures the Confidentiality, Integrity and Availability of data-confidentiality of student records, tests, financial information; grades of research data; and availability of resource like email or online databases when they are needed.

A “law enforcement unit” means any individual, office, department, division, or other component of a school, such as a unit of commissioned police officers or non-commissioned security guards, that is officially authorized or designated by that school.

FERPA Penalties

  • Students may file complaints with the DoE.
  • The Family Policy Compliance Office (FPCO) is authorized by the DoE to investigate, process, and review complaints and violations under FERPA.
  • If a complaint is found to be valid, the institution may lose DoE funds, and dismiss employees who violate the Act.

FERPA Violation

  • Violation of FERPA that is submitted to FPCO within 180 days of the date of the alleged violation or of the date that the parent or eligible student knew or reasonably should have known of the alleged violation.
  • A parent or eligible student may file a written complaint with the DoE regarding an alleged violation under the Act.

Privacy Rights of Parents and Eligible Students under FERPA

  • Right to inspect and review education records.
  • Right to seek to amend education records.
  • Right to confidentiality of information in education records except as specified by statute.
  • Right to consent to disclosure of education records (with exceptions).
  • Right to file a complaint with the DoE.

FERPA Limitations

Under FERPA, school can release records without parent’s permission to certain types of parties, including:

  • School officials with a “legitimate educational interest” (for example, an academic advisor who needs to review what courses a student has completed in order to give advice).
  • School to which a student is transferring.
  • Organizations conducting certain studies for or on behalf of the school.
  • Accrediting organizations.
  • Appropriate officials in health and safety emergencies.
  • Juvenile justice system authorities.
Privacy

Directory and Non-Directory Information

Directory Information (Public) Non-Directory Information (Never Share)
Name Social Security Number
Address Student ID Number
Phone Numbers Grades/Exam Scores
Email Address Grade Point Average (GPA)
Date of Birth Test Scores (SAT, GRE, etc.)
Program of Study Class Schedule
Dates of Attendance Race/Ethnicity
Degrees and Awards Received Citizenship/Nationality
Class Level Gender
Enrolment Status (Full/Part time) Religious Affiliation
Appropriate Personal Aesthetic Statistical Data
Participation in Sports and Activities

In the News

Medical IoT Cybersecurity Solution: ecfirst Partners with Culinda!

Events

HITRUST CSF: A Framework of Frameworks | ISACA Conference Oceania, Sep 28, 2021

Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.