The Family Educational Rights and Privacy Act (FERPA) is a privacy law designed to protect student education records. It grants parents (for minors) and students (over the age of 18 or in post-high school education) certain rights with regard to their records.
Specifically, it grants them the ability to review and inspect student records as well as request that errors in those records be corrected. From a security perspective, a school needs written permission to release student records. There are, of course, a number of exceptions to this rule. Some FERPA exceptions, taken straight from the law itself, 34 CFR § 99.31, include:
- The disclosure of student records to other school officials, including teachers, whom the agency has determined to have legitimate educational interests.
- The disclosure of records -- subject to the requirements of Sec. 99.34 -- to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll.
- The disclosure of records -- subject to the requirements of Sec. 99.35 -- to authorized representatives of:
  - The Comptroller General of the United States
  - The Attorney General of the United States
  - The Secretary
  - State and local educational authorities
Other possible exceptions include financial aid, improvement of instruction, accreditation institutions and assorted other legal courses, to name but a few.
Additionally, FERPA grants educational institutions the ability to publish a student directory of publicly available information such as names, addresses, phone numbers and date of birth. However, the institution must give students (or parents in the case of minors) sufficient notice of the intent to publish this information so they have the ability to opt out of having their data published.
FERPA does not have specific audit log requirements per se, but it does require that institutions maintain logs of who has authorized access to which records; it also mandates that records be stored in such a way that those who shouldn't have access don't, and that records are destroyed when they are no longer necessary. Translation: As an institution, you need policies, procedures and technologies that provide authentication and authorization as well as document retention/destruction capabilities for all student data. Talk to your auditors to see what more specific requirements they'd like you to meet.
This was first published in July 2009