FERPA|Sherpa For Higher Education Institutions
Higher education institutions are like miniature cities, storing not only student transcripts, but health and financial data, employment information, and campus safety and access technologies that can create new types of data. This data and these new technologies can be used to help more students graduate and succeed than ever before, but they also make higher education institutions uniquely vulnerable to privacy and security risks. Additional responsibilities fall on institutions and the companies they contract with to ensure that data is collected, used, and stored in a responsible manner.
The Value of Data
Data plays an extremely important role in our higher education system. Students and families, policymakers, and institutions need data on student access, progression, completion, costs, and post-college outcomes to inform a wide variety of decisions. Students and families need quality information to help them decide where and what to study in college. Policymakers use data to steward public investment in federal student aid and to develop informed federal and state policies that promote equitable student access and success. Institutions use data to implement policies and practices on their campuses that improve student outcomes and reduce equity gaps.
While our current data systems are not fully equipped to answer many basic questions about how our higher education system serves today’s students, improvements to our nation’s postsecondary data metrics and infrastructure would equip stakeholders to make more informed decisions. Better data leads to better student outcomes.
While FERPA is the primary law that applies to higher education privacy, there are many other federal laws that may apply to certain types of data. You can read about these laws below.
Some of the more well-known federal privacy laws mentioned in the higher education privacy space include:*
- The Family Educational Rights and Privacy Act of 1974 (FERPA): Designed to protect students and their families by ensuring the privacy of student educational records.
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA): Requires covered entities (typically medical and health insurance providers and their associates) to protect the security and privacy of health records.
- The Gramm Leach Bliley Act of 1999 (GLBA): Imposes privacy and information security provisions on financial institutions; designed to protect consumer financial data.
- Federal Policy for the Protection of Human Subjects (“Common Rule”): Published in 1991 and codified in separate regulations by 15 federal departments and agencies, outlines the basic ethical principles (including privacy and confidentiality) in research involving human subjects.
- The Fair and Accurate Credit Transaction Act of 2003 (FACTA, or “Red Flags Rule”): Requires entities engaged in certain kinds of consumer financial transactions (predominantly credit transactions) to be aware of the warning signs of identity theft and to take steps to respond to suspected incidents of identity theft.
- The Privacy Act of 1974: Specifies the rules that a federal agency must follow to collect, use, transfer, and disclose an individual’s personally identifiable information (PII).
When information is covered by more than one of these laws, the strictest law’s provisions rule.
It’s Not Just FERPA: Privacy and Security Issues in Higher Education (Baker Donelson)
*This list of laws is from the EDUCAUSE Information Security Guide chapter on privacy and is printed on FERPA|Sherpa under a Creative Commons license (CC BY-NC-SA 4.0).
State Laws and Legislation
Do you know if the state you are working in has a student privacy law? Just since 2013, over 100 new student privacy laws have passed in almost all states. Most of those laws impose new requirements on K-12 districts, states, and school service providers, but some do apply to higher education institutions.
The intersection of data analytics and privacy is a very sensitive space. While institutions and companies are able to do more to help students through analyzing large amounts of data and finding correlations that suggest new ways to help students, data analytics can also be used to harm students through inequitable algorithms or decisions made based on the data.
Institutions of higher education should work to ensure that data use is monitored for both intentional and unintentional discriminatory decisions that affect students. Use of predictive analytics or historical models to make decisions must be tested to ensure there is not a disproportionate impact on traditionally marginalized students.
According to the National Center for Education Statistics, “data governance refers to the overall management of the availability, usability, integrity, quality, and security of data.”
Institutions of higher education should establish data governance plans and an oversight board to manage the collection and use of student data. A strong plan for the effective use and protection of student information will define rules around the use, collection, and storage of data, and an oversight board will ensure compliance with the plan. Typically, data governance plans are products of a single administrative or technology-based office. Institutions seeking to implement effective, ethical, and safe student data practices should seek input from all stakeholders who provide or use this data when developing a plan.
Data governance plans should also provide guidance for long-term maintenance of and compliance with the plan. This means schools should regularly evaluate and audit student data: how it is collected, used, and shared. This will ensure colleges find and root out improper uses of data. Further, data security should also be a priority that is reevaluated on a regular basis, because as technology improves, so does the threat landscape.
Establishing Trust Through Transparency
Institutions should seek to establish the trust of their student population by being transparent about the use and collection of student data. Trust is an essential aspect of any student data system. When educational institutions clearly communicate what student data is collected, how it is used, and why it is necessary, students will be better equipped to make informed decisions about the use of their data. To effectively establish this trust, communication should be a two-way street. Institutions should provide students with an avenue to approach them with questions and concerns about the use of student data. Moreover, schools should establish a culture of privacy awareness throughout the school: not just with students, but with faculty, staff, and leadership. By providing the entire institution with training, resources, and support services, schools convey that protection of student data is a top concern.
Student Data and EdTech
Schools should manage and control the access third-party vendors have to student data, and ensure all use of data complies with FERPA, GDPR, and applicable state laws. FERPA, which governs information in a student’s education record, allows educational institutions to share student data with third-party service providers in certain circumstances. Many state student privacy laws go beyond the provisions of FERPA and require more protections, so it is important to understand the laws applicable to you. When contracting with a vendor, it is important to understand whether the vendor falls under the “school official” exception of FERPA. Consider these questions:
- Does the vendor perform a service for the school that the school would perform itself?
- Does the vendor fall under the school’s annual FERPA notification provision for sharing PII without student consent?
- Does the school retain “direct control” over the maintenance and use of the student data?
- Does the vendor use the student data only for the purpose it was shared?
- Does the vendor not disclose the data without the school’s consent?
Determining whether a vendor is a school official is a nuanced question. Contracts with vendors should be carefully drafted to be effective and ensure student privacy. Below are some best practices that you should consider when drafting a contract with student privacy in mind:
- Clearly define terms used throughout the contract
- Require notice or consent for any changes in the vendor’s Terms of Service
- Be clear about who is responsible for compliance
- Maintain control over subsequent data sharing
- Require student data to be collected, used, shared, and destroyed responsibly
- Define a strong, flexible security standard
- Determine how student data may be accessed and, if necessary, corrected
- Ensure ownership and rights over student data remain with the school
- Prohibit the third party from building personal student profiles other than to support the authorized purpose of the contract
- Require student data to be protected if control of the service changes hands
Resources for Higher Education Privacy
There are many great resources for higher ed officials on student privacy. Some of our favorite resources are listed below, but you can access all the resources we have found for service providers by clicking the “Resources” tab above and selecting “Higher Ed Officials” or “Higher Ed Service Providers” in the Resources sidebar.
- U.S. Department of Education, Privacy Technical Assistance Center (2012): Webinar: FERPA for Colleges and Universities
- U.S. Department of Education, Privacy Technical Assistance Center (2016): Guidance on the Use of Financial Aid Information for Program Evaluation and Research
- Family Educational Rights and Privacy Act Regulations
- Federal regulations resources web page at the U.S. Department of Education
- U.S. Department of Education, Family Policy Compliance Office
- U.S. Department of Education, Family Policy Compliance Office (2015): Model Notification of Rights under FERPA for Postsecondary Institutions
- U.S. Department of Education, Privacy Technical Assistance Center
- U.S. Department of Education, Privacy Technical Assistance Center (2012, updated 2015): Case Study #1: High School Feedback Report
- U.S. Department of Education, Privacy Technical Assistance Center (2012, updated 2015): Case Study #4: PTAC Technical Assistance
- U.S. Department of Education, Privacy Technical Assistance Center (2012, updated 2015): Checklist: Data Sharing Agreement (PDF)
- U.S. Department of Education, Privacy Technical Assistance Center (2012, updated 2013): Data Deidentification: An Overview of Basic Terms (PDF)
- U.S. Department of Education, Privacy Technical Assistance Center (2014): FERPA Exceptions Summary
- U.S. Department of Education, Privacy Technical Assistance Center (2012, updated 2015): Frequently Asked Questions – Disclosure Avoidance
- U.S. Department of Education, Privacy Technical Assistance Center (2015): Guidance for Reasonable Methods and Written Agreements
Ensuring Student Privacy: A Guide for Teaching Assistants (Michigan State University)
FERPA Scenarios for Faculty & Staff (Kettering University)
Explaining “FERPA” to Students (Saint Mary’s College of California)
- College of William & Mary
The coronavirus pandemic and shift to online learning have raised questions about FERPA compliance with class recordings. This model resource from the College o…
- Institute for Higher Education Policy
This paper highlights promising examples of data systems that are prioritizing privacy and security. These examples span from government agencies to academia a…
Cyber Insurance protects from damages of equipment caused by breach events and some loss of service. This resource will help you figure out if you are qualifie…
- Privacy Technical Assistance Center (PTAC)
The Data Destruction Document is a best practices guide on properly destroying sensitive student data after it is no longer needed. It details the life cycle …