What Rights Do College Students Have Under FERPA?
To understand how to maintain FERPA compliance, it’s necessary to understand what FERPA is and the rights it affords to eligible students. Students are considered eligible when they turn 18 or when they enroll in a postsecondary institution at any age.
Once meeting eligibility requirements, students have the right to inspect and review their education records, request amendment of education records they believe to be inaccurate or misleading, and consent to the disclosure of personally identifiable information from their education record to third parties. Students must be informed of their rights under FERPA annually.
Education records may take the form of any medium — digital, printed, handwritten, audio, video, etc. They do not include medical records, records created and maintained by law enforcement, employment records, or any records not related to a student’s achievements while enrolled at the institution.
FERPA also protects students’ personally identifiable information. This information includes a student’s name, address, family members’ names, social security number, date and place of birth, and any other information that would allow a third party to reasonably identify a student. In most cases, this information cannot be disclosed without the student’s written consent. Some exceptions do exist, such as when certain information is listed as part of a directory.
How to Maintain FERPA Compliance
Because the IT department is responsible for storing, maintaining and securing student data, it’s important for IT teams to understand the nuances of FERPA and how to ensure the institution is compliant.
The Infosec Institute outlines the following best practices for IT departments to follow when evaluating FERPA compliance:
- Ensure data is encrypted on physical devices and while in transit. With proper encryption in place, data cannot be obtained in the event a device is stolen.
- Detect and resolve vulnerabilities in your IT infrastructure. Regularly scanning databases for weaknesses and fixing them as they are found can help ensure the tightest security controls.
- Employ consistent monitoring. Continuous monitoring solutions at work in the background of your IT operations can immediately detect threats both from the outside as well as from internal users.
- Stay on top of changing regulations. Like other compliance standards, FERPA is occasionally updated, so regularly assessing that your IT infrastructure complies with the latest version of the regulation is a must for continued compliance.
It’s also important to choose third-party vendors that understand the nuances of federal student data privacy legislation. Many vendors, such as Google, Amazon Web Services and Microsoft have documentation outlining how their products comply with FERPA. Some vendors may not be as familiar, so ensure that they have proper data access and control measures in place before opting to work with them.
RELATED: Why a good cyber resilience strategy is essential to institutional success.
Faculty and staff outside of the IT department should be properly trained on the importance of FERPA. This is to ensure that they don’t share private student data on purpose and that they are practicing proper cybersecurity hygiene, like using identity and access management solutions and securing physical devices when not in use, to avoid accidentally creating a data breach.
Students can file FERPA complaints against their universities with the U.S. Department of Education, and all complaints are investigated. If found to be out of compliance, higher education institutions face the loss of federal funding, and state laws could result in additional penalties. Diligent privacy monitoring and data security can help universities protect student information as well as their bottom lines.
Editor's note: This article was originally published on May 3, 2022.