Higher Education institutions are like miniature cities, storing not only student transcripts, but health and financial data, employment information, and campus safety and access technologies that can create new types of data. This data and new technologies can be used to help more students graduate and succeed than ever before, but it also makes higher education institutions uniquely vulnerable to privacy and security risks. Therefore, additional responsibilities fall on institutions and the companies they contract with to ensure that data is collected, used, and stored in a responsible manner.
The Value of Data
Data play an extremely important role in our higher education system. Students and families, policymakers, and institutions need data on student access, progression, completion, costs, and post-college outcomes to inform a wide variety of decisions. Students and families need quality information to help them decide where and what to study in college. Policymakers use data to steward public investment in federal student aid and to develop informed federal and state policies that promote equitable student access and success. Institutions use data to implement policies and practices on their campuses that improve student outcomes and reduce equity gaps.
While our current data systems are not fully equipped to answer many basic questions about how our higher education system serves today’s students, improvements to our nation’s postsecondary data metricsand infrastructure would equip stakeholders to make more informed decisions. Better data lead to better student outcomes.
While FERPA is the primary law that applies to higher education privacy, there are many other federal laws that may apply to certain types of data. You can read about these laws below.
Some of the more well-known federal privacy laws mentioned in the higher education privacy space include:*
The Family Educational Rights and Privacy Act of 1974 (FERPA): Designed to protect students and their families by ensuring the privacy of student educational records.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA): Requires covered entities (typically medical and health insurance providers and their associates) to protect the security and privacy of health records.
The Gramm Leach Bliley Act of 1999 (GLBA): Imposes privacy and information security provisions on financial institutions; designed to protect consumer financial data.
Federal Policy for the Protection of Human Subjects (“Common Rule”): Published in 1991 and codified in separate regulations by 15 federal departments and agencies, outlines the basic ethical principles (including privacy and confidentiality) in research involving human subjects.
The Fair and Accurate Credit Transaction Act of 2003 (FACTA, or “Red Flags Rule”): Requires entities engaged in certain kinds of consumer financial transactions (predominantly credit transactions) to be aware of the warning signs of identity theft and to take steps to respond to suspected incidents of identity theft.
The Privacy Act of 1974: Specifies the rules that a federal agency must follow to collect, use, transfer, and disclose an individual’s personally identifiable information (PII).
When information is covered by more than one of these laws, the strictest law’s provisions rule.
It’s Not Just FERPA: Privacy and Security Issues in Higher Education (Baker Donelson)
* This list of laws is from the EDUCAUSE Information Security Guide chapter on privacy and is printed on FERPA|Sherpa under a Creative Commons license (CC BY-NC-SA 4.0).
State Laws and Legislation
Every state has a unique student privacy legal regime. Prior to 2013, most states tended to have student privacy laws that just reiterated FERPA. However, 19 new student privacy laws have passed since 2013, putting new requirements on higher education institutions and service providers. Read more about those new laws, and the legislative trends on higher education student privacy, below.
States can give students additional privacy protections, and many have: at least 35 states have passed laws supplementing FERPA; 45 make their data privacy policies publically available; 48 state education agencies have established governance bodies charged with managing the collection and use of data, including how that data will be kept secure and confidential; and 45 have established policies that determine what type of data is available to select stakeholders, such as teachers and principals, who will use it to improve instruction.
The number of laws directly regulating student privacy has dramatically increased in the past three years. Since 2014, 49 states have introduced over 500 student privacy bills, with at least 100 bills introduced each year. Thirty-eight states have passed 91 laws since 2013. Generally, these laws either regulate educational agencies and institutions, such as schools, districts, and state education agencies, or regulate third parties.
Thirty-three states as of the end of 2016 have introduced either a version of California’s SOPIPA or a similar piece of legislation that regulates industry known as the SUPER (“student user privacy in education rights”) Act, and 12 states have passed those bills into law.
SOPIPA, SUPER, and other recent student privacy laws impose direct liability on ed tech operators. FERPA, which is enforced by the U.S. Department of Education is only directly enforceable against “educational institutions receiving federal funds” – which equates to most public schools. Even if a third party vendor practice causes the school to be in violation of FERPA, DOE may only hold the school liable. Any liability by the school service provider would simply be through its contract with the school. The entire purpose of states seeking to pass SOPIPA, SUPER, and other student privacy laws is to directly regulate private companies that are now so frequently working directly with students.
 “Constitutions in ten states—Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina, and Washington—expressly recognize a right to privacy.” National Conference of State Legislatures, Privacy Protections in State Constitutions, December 11, 2013.
 “At least 30 states have enacted laws that require entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.” National Conference of State Legislatures, Data Disposal Laws, December 26, 2013.
The intersection of data analytics and privacy is a very sensitive space. While institutions and companies are able to do more to help students through analyzing large amounts of data and finding correlations that suggest new ways to help students, data analytics can also be used to harm students through inequitable algorithms or decisions made based on the data. Read more below.
We will have more information on this topic located here in summer 2017.
Resources for Higher Education Privacy
There are many great resources for higher ed officials on student privacy. Some of our favorite resources are listed below, but you can access all the resources we have found for service providers by clicking the “Resources” tab above and selecting “Higher Ed Officials” or "Higher Ed Service Providers" in the “Resources for…” drop-down menu.
U.S. Department of Education, Privacy Technical Assistance Center (2012): Webinar: FERPA for Colleges and Universities, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/postsecondary-webinarpresentation.pdf.
U.S. Department of Education, Privacy Technical Assistance Center (2016): Guidance on the Use of Financial Aid Information for Program Evaluation and Research: http://ptac.ed.gov/sites/default/files/FSA_final.pdf
Family Educational Rights and Privacy Act Regulations: http://www.ecfr.gov/cgi-bin/textidx?c=ecfr&SID=16796a773ac48f980cdfaed80b1fa94a&rgn=div5&view=text&node=34:184.108.40.206.33&idno=3 4%20.
Federal regulations resources web page at the U.S. Department of Education: www.ed.gov/policy/gen/reg/edpicks.jhtml?src=ln.
U.S. Department of Education, Family Policy Compliance Office: http://familypolicy.ed.gov.
U.S. Department of Education, Family Policy Compliance Office (2015): Model Notification of Rights under FERPA for Postsecondary Institutions, available at http://www2.ed.gov/policy/gen/guid/fpco/ferpa/psofficials.html.
U.S. Department of Education, Privacy Technical Assistance Center: http://ptac.ed.gov.
U.S. Department of Education, Privacy Technical Assistance Center (2012, updated 2015): Case Study #1: High School Feedback Report, available at http://ptac.ed.gov/sites/default/files/CaseStudy1_HSFeedbackReport.pdf.
U.S. Department of Education, Privacy Technical Assistance Center (2012, updated 2015): Case Study #4: PTAC Technical Assistance, available at http://ptac.ed.gov/sites/default/files/case-study4-ptac-technicalassistance-final.pdf.
U.S. Department of Education, Privacy Technical Assistance Center (2012, updated 2015): Checklist: Data Sharing Agreement, available at http://ptac.ed.gov/sites/default/files/Written_Agreement_Checklist_0.pdf.
U.S. Department of Education, Privacy Technical Assistance Center (2012, updated 2013): Data Deidentification: An Overview of Basic Terms, available at http://ptac.ed.gov/sites/default/files/data_deidentification_terms.pdf.
U.S. Department of Education, Privacy Technical Assistance Center (2014): FERPA Exceptions Summary, available at http://ptac.ed.gov/sites/default/files/FERPA%20Exceptions_HANDOUT_horizontal_0.pdf.
U.S. Department of Education, Privacy Technical Assistance Center (2012, updated 2015): Frequently Asked Questions – Disclosure Avoidance, available at http://ptac.ed.gov/sites/default/files/FAQ_Disclosure_Avoidance.pdf.
U.S. Department of Education, Privacy Technical Assistance Center (2015): Guidance for Reasonable Methods and Written Agreements, available at http://ptac.ed.gov/sites/default/files/Guidance_for_Reasonable_Methods%20final.pdf.
Ensuring Student Privacy: A Guide for Teaching Assistants (Michigan State University)
FERPA Scenarios for Faculty & Staff (Kettering University)
Explaining “FERPA” to Students (Saint Mary’s College of California)