How to Comply with FERPA

Higher education is not only a popular way to expand one’s knowledge; it can also open doors to employment and other opportunities. This translates into millions applying to colleges and universities annually, and a deluge of personal information contained in applications.

In response to this, Congress passed the Family Educational Rights and Privacy Act, or FERPA, in 1974. Institutions that receive federal funding are required to comply with FERPA or risk losing their funding. This clearly puts FERPA compliance at the top of the priority list for these institutions. This article will detail how institutions can comply with this student privacy protection act.

FERPA covers three types of information: educational information, personally identifiable information (PII) and directory information. Signed, written consent is required before educational information and PII are released, and these are the types of information this article mainly focuses on. Directory information does not require signed, written consent prior to its release. Directory information that is released should indeed be disclosed, but more on that later.

Educational information includes the classification “educational records.” The FERPA definition of educational records is “records, files, documents or other materials … that are maintained by an educational agency or institution.” Operationally, this boils down to student GPA, transcripts, Social Security number, grades and evaluations for academic purposes.

Complying with FERPA is not a difficult feat to accomplish, but it does require proper care. Below are tips for institutions trying to comply with FERPA.

Students’ Rights

Institutions should advise students of their rights under FERPA on an annual basis. This should include any changes to FERPA that impact student rights.

Students have the right to view their educational records and letters of recommendation. If desired, students can also waive their (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Greg Belding. Read the original post at: