FERPA regulations for education institutions advocate student privacy when handling personally identifiable information in regards to electronic student information.

FERPA

The Family Educational Rights and Privacy Act

The Family Educational Rights and Privacy Act (FERPA) is federal regulation protecting the privacy of student education records by preventing the disclosure of students' records without proper consent. Schools that receive funds from the U.S. Department of Education are required to comply or risk losing federal funding. FERPA gives students and parents certain rights in regards to student records. Procedures must be in place to allow a student access to education records.

These rights include:

  • the right to inspect and review a student's education records held by the school.
  • the right to request a correction to the record if it is false or misleading and , if contested, to have a formal hearing
  • Consent from the parent or student before a student's education record can be released, with the following exceptions:
    • School officials with legitimate educational interest
    • Schools a student transfers too
    • Officials for audit or evaluation purposes
    • Financial aid parties
    • Organizations conducting certain studies for or on behalf of the school
    • Accrediting organizations
    • When subpoenaed or required by judicial order
    • For health and safety emergencies
    • State and local authorities of law.

Schools may disclose, without consent, "directory" information considered not harmful, such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must inform parents and eligible students about directory information and allow parents and students a reasonable amount of time to request that the school not disclose directory information about them. Student health records also fall under the protection of the FERPA as opposed to HIPAA which applies to healthcare institutions. Schools must notify parents and eligible students annually of their rights under FERPA.

FERPA Compliance

Educational institutions are required to protect student data and confidentiality although a specific methodology is not given. Educational institutions need to provide proper measures to combat system security vulnerabilities and threats and provide proper methods of authentication when accessing education records. It is recommended that all passwords and PINs be maintained in a secure database in an encrypted manner that is not generally accessible to school officials or other parties. FERPA suggests that a unique identification number may be used for ID cards but must be used in conjunction with one or more factors for authentication, such as a PIN or password, when accessing student directory information.

Electronic disclosures provides a complex problem in authentication. For authorization of disclosure to third parties, FERPA allows electronic consent which must identify and authenticate "a particular person as the source of the electronic consent" and indicate "such person's approval of the information contained in the electronic consent." This could come in the form of an electronic signature.

FERPA does not provide students the right to sue the education institution for violations. Rather, the penalty for FERPA vioaltions is the loss of federal funding which could materially adversely affect an education institution.