Educational Institutions Must Comply With FERPA When Using Technology.

Educational institutions around the world process and store student information using various forms of technologies. Technological advancements bring with them productivity and efficiency capabilities. However, they also bring important security concerns regarding confidential student information.

Compliance with FERPA

FERPA (the Family Educational Rights and Privacy Act) is a Federal law administered by the Family Policy Compliance Office in the U.S. Department of Education. FERPA applies to all educational agencies and institutions that receive funding under any program administered by the Department. Once a student attends a postsecondary institution, he or she becomes an “eligible student” with the following rights:

• The right to view educational records.
• The right to seek to amend educational records.
• The right to have control over the disclosure of information from educational records.

According to FERPA, an educational institution may not disclose personally identifiable information from an eligible student’s education records to a third party, unless the student provides written consent for the educational institution to do so.

Cloud Computing and FERPA

Are you considering cloud computing for your school’s information technology needs? FERPA doesn’t prohibit the use of cloud computing services, however it does require educational institutions use reasonable security measures to ensure the security of their student records.

Student information must be protected, particularly when cloud-based SaaS (Software as a Service) applications are used to handle student records. In addition, you must ensure FERPA compliance when using email services and CRM (Customer Relationship Management) systems to transmit and process student information.

Before signing up with a cloud provider, ask these questions:

• Does the cloud solution offer adequate data security capabilities?
• Will you have control over the data within the cloud to ensure that confidentiality and integrity of the data remains protected?
• Are there appropriate access protections and user controls in place?

Review and compare available solutions, including:

• Firewalls,
• Security monitoring and response methods,
• Patch management procedures, and
• Other relevant data security measures.

Don’t rush into a cloud services agreement. Review your options to find a cloud provider who offers adequate data protection.

Don’t Make These IT Mistakes  

When it comes to FERPA and IT, educational institutions must prevent the following:

• Inadequate security measures due to a lack of clear responsibility or authority for the systems and data.
• Lack of access control policies and widely distributed access to systems.
• Lack of employee or user training.
• Group, default, or empty passwords and weak authentication.
• Lack of disaster recovery and business continuity plans.
• Systems that aren’t adequately monitored and tested for security standards.
• Using outdated, unpatched, unsupported, or flawed technology.

Fortunately, there are many types of information technology available today that can protect the confidentiality and integrity of student information. Educational institutions should discuss information security and student privacy with their IT provider to ensure compliance with FERPA.

To learn more about protecting confidential student information and FERPA compliance, give us a call at (713) 490-.5000 or send us an email at info@citoc.com. CITOC can help you deploy the proper IT to ensure adequate security and privacy.