Jun 14 2024

How to Ensure FERPA Compliance in Colleges and Universities

Complying with the federal privacy act requires diligent monitoring and data security practices.

As the amount of data that higher education institutions collect continues to increase, universities are under rising pressure to keep that data protected. This pressure comes not only from students but from a federal regulation that requires a certain level of data privacy.

According to the U.S. Department of Education, the Family Educational Rights and Privacy Act (FERPA) is a federal law that allows parents of K–12 students the right to access their children’s education records, seek to have the records amended and have some control over the disclosure of personally identifiable information from education records. When a student meets certain eligibility requirements, like enrolling in college, the rights under FERPA transfer from the parents to the student.

Higher education institutions are required to preserve the privacy of student education records and provide students access to their records upon request. The requirements to maintain FERPA compliance mean that colleges and universities must have practices in place to secure student data. Computer systems storing student information must have proper security controls in place to protect confidentiality, and access to student data must be restricted to authorized users only.

Click the banner below to read the 2024 CDW Cybersecurity Report and explore more on data security.


What Rights Do College Students Have Under FERPA?

To understand how to maintain FERPA compliance, it’s necessary to understand what FERPA is and the rights it affords to eligible students. Students are considered eligible when they turn 18 or when they enroll in a postsecondary institution at any age.

Once meeting eligibility requirements, students have the right to inspect and review their education records, request amendment of education records they believe to be inaccurate or misleading, and consent to the disclosure of personally identifiable information from their education record to third parties. Students must be informed of their rights under FERPA annually.

Education records may take the form of any medium — digital, printed, handwritten, audio, video, etc. They do not include medical records, records created and maintained by law enforcement, employment records, or any records not related to a student’s achievements while enrolled at the institution.

FERPA also protects students’ personally identifiable information. This information includes a student’s name, address, family members’ names, social security number, date and place of birth, and any other information that would allow a third party to reasonably identify a student. In most cases, this information cannot be disclosed without the student’s written consent. Some exceptions do exist, such as when certain information is listed as part of a directory.

Q&A: Carnegie Mellon University's Stan Waddell on balancing cybersecurity with a university's mission. 

How to Maintain FERPA Compliance

Because the IT department is responsible for storing, maintaining and securing student data, it’s important for IT teams to understand the nuances of FERPA and how to ensure the institution is compliant.

The Infosec Institute outlines the following best practices for IT departments to follow when evaluating FERPA compliance:

  • Ensure data is encrypted on physical devices and while in transit. With proper encryption in place, data cannot be obtained in the event a device is stolen.
  • Detect and resolve vulnerabilities in your IT infrastructure. Regularly scanning databases for weaknesses and fixing them as they are found can help ensure the tightest security controls.
  • Employ consistent monitoring. Continuous monitoring solutions at work in the background of your IT operations can immediately detect threats both from the outside as well as from internal users.
  • Stay on top of changing regulations. Like other compliance standards, FERPA is occasionally updated, so regularly assessing that your IT infrastructure complies with the latest version of the regulation is a must for continued compliance.

It’s also important to choose third-party vendors that understand the nuances of federal student data privacy legislation. Many vendors, such as GoogleAmazon Web Services and Microsoft have documentation outlining how their products comply with FERPA. Some vendors may not be as familiar, so ensure that they have proper data access and control measures in place before opting to work with them.

RELATED: Why a good cyber resilience strategy is essential to institutional success.

Faculty and staff outside of the IT department should be properly trained on the importance of FERPA. This is to ensure that they don’t share private student data on purpose and that they are practicing proper cybersecurity hygiene, like using identity and access management solutions and securing physical devices when not in use, to avoid accidentally creating a data breach.

Students can file FERPA complaints against their universities with the U.S. Department of Education, and all complaints are investigated. If found to be out of compliance, higher education institutions face the loss of federal funding, and state laws could result in additional penalties. Diligent privacy monitoring and data security can help universities protect student information as well as their bottom lines.

Editor's note: This article was originally published on May 3, 2022.

Laurence Dutton/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.