How to Maintain FERPA Compliance
Because the IT department is responsible for storing, maintaining and securing student data, it’s important for IT teams to understand the nuances of FERPA and how to ensure the institution is compliant.
The Infosec Institute outlines the following best practices for IT departments to follow when evaluating FERPA compliance:
- Ensure data is encrypted on physical devices and while in transit. With proper encryption in place, data cannot be obtained in the event a device is stolen.
- Detect and resolve vulnerabilities in your IT infrastructure. Regularly scanning databases for weaknesses and fixing them as they are found can help ensure the tightest security controls.
- Employ consistent monitoring. Continuous monitoring solutions at work in the background of your IT operations can immediately detect threats both from the outside as well as from internal users.
- Stay on top of changing regulations. Like other compliance standards, FERPA is occasionally updated, so regularly assessing that your IT infrastructure complies with the latest version of the regulation is a must for continued compliance.
It’s also important to choose third-party vendors that understand the nuances of federal student data privacy legislation. Many vendors, such as Google, Amazon Web Services and Microsoft have documentation outlining how their products comply with FERPA. Some vendors may not be as familiar, so ensure that they have proper data access and control measures in place before opting to work with them.
Faculty and staff outside of the IT department should be properly trained on the importance of FERPA. This is to ensure that they don’t share private student data on purpose and that they are practicing proper cybersecurity hygiene, like using strong passwords and securing physical devices when not in use, to avoid accidentally creating a data breach.
Students can file FERPA complaints against their universities with the U.S. Department of Education, and all complaints are investigated. If found to be out of compliance, higher education institutions face the loss of federal funding, and state laws could result in additional penalties. Diligent privacy monitoring and data security can help universities protect student information as well as their bottom lines.
RELATED: The difference between security, privacy and confidentiality.