

FERPA: 3 Basic Guidelines for General Compliance

03 March 2015

Academia, Policy Development

The Family Educational Rights and Privacy Act, or FERPA, governs what information schools can share about students and their families and how that information can be shared. The law applies to any school, public or private, that receives any federal funds. Schools found in violation of FERPA can lose that funding.

In today’s world of social media and instant access to information, it is important to understand how and when FERPA applies to your school’s information security policies.

Schools are wise to consider three important guidelines when it comes to FERPA:

1. Virtually no information about a student may be shared without the written consent of the student’s parents.

Originally enacted in the 1970s, FERPA now also applies to information that schools post online, including so-called “directory” information such as honor rolls, graduation lists, and student event information. Under FERPA, posting such directory information is allowed only when the school has clearly defined what it considers to be directory information — and gives parents the time to opt out of their children being included on these lists. This is usually done at the beginning of the year, when paperwork is sent out. Directory information can include a student’s name, phone number, address or other identifiers, as long as the school system has notified parents. Any information that can be used to identify a student is protected under FERPA, even if the information is not necessarily considered confidential.

There are a few exceptions to the written consent standard. One of them is organizations involved in giving financial aid to the student, such as scholarship or grant providers. Information about students may be provided to these organizations without any consent or notice being given to the student or their parents.

2. Teachers and other staff members have a personal responsibility to protect any student records in their possession.

This is where teachers really need to be mindful of what is being posted on social media. Consider the following example: a student named Joey repeatedly pulls the pigtails of a little girl named Stacey in class, and makes her cry. Joey has been doing this every day for a week.

The teacher may keep notes about the incidents for his or her own review, provided he or she doesn’t allow those notes to be seen by anyone else. If the teacher posts on social media about a little boy who has been pulling a little girl’s pigtails, that would be a violation of FERPA. Even if the teacher does not directly name the children, he or she has given enough information that someone could figure out which students are involved.

This is an issue that needs to be addressed in the school’s information security policies, for the privacy of everyone involved. Teachers can be held personally responsible for information that is leaked, and the consequences can range from suspension to termination.

3. Schools should adopt a need-to-know policy with respect to student information.

That is, educators should not have access to any information that they don’t need to know to carry out their responsibilities as educators. For example, a special education classroom can’t be labeled as such, because such a label would provide information about the students in the classroom that the recipients of that information don’t need to know.

FERPA has many ins and outs, which can make it difficult to know exactly where it fits into your policies. COMPASS understands the rules of FERPA and has worked in school environments where these rules are all-important.
