Protecting our privacy is becoming more difficult every day. For you, as a student, parent, or staff member, FERPA exists to give you guidelines to know what your rights are and how to keep sensitive information safe and secure. Consequently, FERPA compliance training is more important than ever to ensure institutional safety and information security.
When you were a college student, you may have become acquainted with FERPA. Also, if you work in education, FERPA may be something you deal with every day even if you don’t know exactly what it is. So, what is FERPA? It is a federal law whose name stands for the Family Educational Rights and Privacy Act.
FERPA was originally known as the Buckley Amendment when it became law in 1974. It came on the heels of the Watergate scandal and invasion of privacy issues. FERPA was instituted to ensure educational information remains private and cannot be accessed without written permission, with a few exceptions for emergencies, financial aid, criminal activity, or audits.
So, keeping information private is the responsibility of all educational institutions that receive federal funding through the U.S. Department of Education. This includes public and private K-12 schools, career, vocational, technical and postsecondary institutions.
FERPA and PII, De-Identified and Aggregate Data
There are two types of data that institutions collect in order to serve students and direct resources accurately.
Ever heard of PII? PII means Personally Identifiable Information and includes:
- Name, date of birth, and names of parents or guardians
- Social Security Number
- Home address
- Attendance and grades, including test scores
- Learning disabilities and special services received
- Bank or credit card information
- Student loan details
- Disciplinary actions
The other type of data is called De-Identified and Aggregate data. This is used to provide services, teaching materials, meals and transportation. It also helps the federal agencies determine if districts are meeting goals, allocating funds and providing information to the public.
With all this information being collected over a long period of time, what is protected and what is not? Technically, parents and/or adult students should give permission annually, in writing, stating what information they want released in directories or media materials.
Would you be comfortable having your name, address, phone number or photographs taken during a football game released? What about your child’s? In this era of ineffective cybersecurity, seemingly benign information can fall into the hands of hackers – or worse.
FERPA Training and Maintenance
No matter what your training program looks like, make sure it includes information about who can look at student records, shredding information, and dealing effectively with requests for information from unauthorized persons.
For example, FERPA does allow the release of:
- Name, address, telephone number, email, date and place of birth
- Honors and awards
- Participation in sports and activities, including athlete heights and weights
- Fields of studies and dates of attendance
- Enrollment status, grade level, and degrees received
Remember, free apps often gather information from an institutional network, resulting in data mining or the sale of that information to third-party vendors. Consequently, it is critical to be aware of safeguards and make sure your cybersecurity measures are in place and updated regularly. Ransomware attacks and data breaches occur constantly.
Higher education institutions are in the news for scandals ranging from hazing and drugs to sexual assaults and athletic scandals. The media demands to know the facts. But what can be released and be in compliance with FERPA? If you receive a court order or subpoena, or a student is charged with a crime, including illegal possession of drugs or alcohol, you are not in violation.
FERPA Noncompliance Penalties
What happens if an institution is not in compliance with FERPA? If violations occur, there can be serious repercussions, including:
- Termination of federal funding
- Fines or lawsuits – fines are generally $1,000 or less
- Loss of public trust or damage to reputation
- Individual educators liable for data breaches
- Cease-and-desist orders to compel compliance