Q

How to prepare for a FERPA audit

Does your educational institution have to comply with FERPA? David Mortman, security management expert, explains what FERPA requires for school records and what to do when your FERPA audit is right around the corner.

What are the basic security-related compliance issues involved with FERPA?

The Family Educational Rights and Privacy Act (FERPA) is a privacy law designed to protect student education records. It grants parents (for minors) and students (over the age of 18 or in post-high school education) certain rights with regard to their records.

Specifically, it grants them the ability to review and inspect student records as well as request that errors in those records be corrected. From a security perspective, a school needs written permission to release student records. There are, of course, a number of exceptions to this rule. Some FERPA exceptions, taken straight from the law itself, 34 CFR § 99.31, include:

  1. The disclosure of student records to other school officials, including teachers, whom the agency has determined to have legitimate educational interests.
  2. The disclosure of records -- subject to the requirements of Sec. 99.34 -- to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll.
  3. The disclosure of records -- subject to the requirements of Sec. 99.35 -- to authorized representatives of:
    1. The Comptroller General of the United States
    2. The Attorney General of the United States
    3. The Secretary
    4. State and local educational authorities

Other possible exceptions include financial aid, improvement of instruction, accreditation institutions and assorted other legal courses, to name but a few.

Additionally, FERPA grants educational institutions the ability to publish a student directory of publicly available information such as names, addresses, phone numbers and date of birth. However, the institution must give students (or parents in the case of minors) sufficient notice of the intent to publish this information so they have the ability to opt out of having their data published.

FERPA does not have specific audit log requirements per se, but it does require that institutions maintain logs of who has authorized access to which records; it also mandates that records be stored in such a way that those who shouldn't have access don't, and that records are destroyed when they are no longer necessary. Translation: As an institution, you need policies, procedures and technologies that provide authentication and authorization as well as document retention/destruction capabilities for all student data. Talk to your auditors to see what more specific requirements they'd like you to meet.

This was first published in July 2009
