FERPA Compliance & How to Obtain It

When the San Diego School District was hacked over 18 months ago, the data of more than half a million students and employees was exposed. This data primarily included students’ health information, Social Security numbers, grades, delinquency reports and other personal data.

Due to this, the district schools were liable to face penalties under the federal regulations that govern data privacy in schools — the Family Educational Rights and Privacy Act (FERPA).


What Is FERPA?

The Family Educational Rights and Privacy Act (FERPA) was enacted to support and promote the protection of personal information of students and their families. Under FERPA, educational institutions are prohibited from disclosing student PII without written consent from the parent. The right of consent transfers from parents to students when they turn 18 years old.

FERPA provides parents and eligible students:

  • The right to inspect and review personal data
  • Governance over disclosure of personal data
  • A mechanism to amend incorrect personal data

The History of FERPA

The year 1974 witnessed many events that shaped history.

Richard Nixon became the first U.S. president forced to resign, the famous rematch between Muhammad Ali and George Foreman for the heavyweight title took place, Stephen King released his first novel, Carrie, and FERPA was born.

In the early ’70s, anyone with a badge could obtain personal information on any student. Authorities used privileged access to move students from one school program to another without even notifying the parents or the students. It wasn’t long before the misuse of student information led to public outcry.

Senator James Buckley sponsored the Family Educational Rights and Privacy Act (FERPA), which was signed into law on August 21, 1974, by President Ford. FERPA is also known as the Buckley Amendment to honor Senator Buckley’s commitment to fighting against the abuse of student records across the United States.

Who Has to Comply With FERPA? 

FERPA applies to all educational institutions and agencies (entities that administer institutions directly linked to it) that receive funds from any program administered by the Department of Education.

Non-compliance with FERPA can have serious ramifications for educational establishments and their employees:

  • Loss of federal funding
  • Possible prosecution under criminal codes
  • Dismissal or termination of suspected parties
  • Temporary suspension of access to suspected parties

What Information Is Protected Under FERPA?

For the most part, FERPA is very straightforward. However, there are exceptions.

Education Records

Education records are files, documents and other resources that include information directly related to the student and maintained by an educational establishment. FERPA does not allow institutions to release or use this information without prior written consent.

Education records include:

  • University ID number
  • Social Security number
  • Birthdate
  • GPA/grades/exam scores
  • Parent details

Directory Information

Directory information is the FERPA exception. Directory information contains education records that would NOT be considered harmful to one’s privacy if disclosed. Once the directory information is released, it can be used for any purpose.

However, institutions need to notify students before their information can be used as directory information. The notice should clearly specify what personal data will be disclosed and give students the option to opt out if they don’t want the data to end up in the directory information.

How Do You Become FERPA Compliant?

The focus should be on the following three areas to become fully FERPA compliant:

Students, Third-Party Software Vendors, Educators and Employees:
  • Revisit FERPA with students every year to remind them of their rights
  • Obtain signed, written consent from students before educators or employees release personal information to employers, third-party software vendors, or external recruiters
  • Notify third-party education software vendors that improper disclosure will result in severe legal action
  • Review and revise third-party agreements to ensure they are FERPA compliant
  • Give administrators the power to give or restrict employee access to third-party vendors
  • Train and retrain educators and employees regarding FERPA compliance
  • Implement disaster recovery policies that include how an institution will respond to data breaches


FERPA Compliance with Spanning Backup

The last point we mentioned probably made you a bit uneasy, since it assumes the nightmare of a data breach becoming a reality. Well, there’s no smoke without a fire.

According to the Breach Level Index Report, data attacks within the education sector are on the rise: nearly 33.5 million personal records of students were exposed as a result of security breaches.

Spanning Backup is a FERPA-compliant, enterprise-class solution that mitigates the risk of data loss. It protects educational institutions from reputational damage and revenue loss while also ensuring operations continue as usual.



*** This is a Security Bloggers Network syndicated blog from Spanning authored by Dave Wallen. Read the original post at: https://spanning.com/blog/ferpa-compliance-how-to-obtain-it/