The Family Educational Rights Privacy Act (FERPA) and DMS
The Family Educational Rights Privacy Act of 1974 (FERPA or The Buckley Amendment) was enacted to protect student education records and pertains to any school that receives funds under an applicable program of the U.S. Department of Education. Basically, any school receiving this funding, (i.e.: public schools, local educational agencies (or LEAs), and postsecondary institutions), are required to create and maintain compliant retention, disclosure, and destruction policies for records containing the personally identifiable information (PII) of their students.
FERPA provides certain rights with respect to children’s education records which are then transferred to the student when he or she reaches the age of 18 or attends a school beyond high-school level. Student rights include things like:
The right to know about the purposes, content, and location of information kept as part of their educational records
The right to gain access to and challenge the content of their educational records
The right to expect that information kept as part of their educational records will be kept confidential, disclosed only with their permission or under provisions of law.
*Education Records are records, files, documents, and other materials that contain information directly related to a student and maintained by the institution or someone acting for the institution per policy.
FERPA laws define two types of educational records and makes no distinction between physical or electronic forms of those records; Personally Identifiable Information (PII) and Directory Information. Each type of record requires different disclosure governance and protection whether stored physically or digitally.
Examples of Personally Identifiable Information:
Social Security Numbers (SSN)
Grades & GPAs
Class Lists / Course Schedules
Certain Psychological Evaluations
K-12 Health Records
Collegiate Student Financial Info
Examples of Directory Information:
Place of Birth
Honors & Awards
Dates of Attendance
34 CFR Part 99
Non-Directory information or PII cannot be released without a student’s written consent and school staff can only access this information when there is a legitimate academic reason. Schools can disclose Directory Information without a student’s written consent unless the student has opted to restrict the release of this data during the annual notice sent by the school. 34 CFR Part 99 allows schools to disclose PII without consent to the following parties or under the following conditions:
The disclosure is to other school officials, including teachers, within the institution whom the institution has determined to have legitimate educational interests
Contractors, Consultants, Volunteers, or Outsourced Services
A contractor, consultant, volunteer, or other party to whom an institution has outsourced institutional services or functions may be considered a school official under this paragraph provided that the outside party –
- Performs an institutional service or function for which the institution would otherwise use employees;
- Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and
- Is subject to the requirements of § 99.33(a) governing the use and redisclosure of personally identifiable information from education records.
An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement in paragraph (a)(1)(i)(A) of this section.
requirements of § 99.34
The disclosure is, subject to the requirements of § 99.34, to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student’s enrollment or transfer.
FERPA compliance may not be as clearly defined as HIPAA or even SOX, but the standard generally states that institutions must use “reasonable methods” to protect all PII. FERPA does not outlay specifics for implementation to provide institutions the flexibility to do so in a way that works for them.
So, the implementation of these “reasonable methods” was purposely left a vague
to include any forms these records may take; be it written, digital, captured in film, audio, or
any other medium. When it comes to utilizing software, there are several considerations that
will ensure that you’re well within those “reasonable methods” and thus, able to meet FERPA compliance easily.
Access must be controlled to PII via means like unique user-rolls and user-based permissions.
All points of access to data, (database, file, folder, etc.), must be appropriately restricted to only provide access to those that are permitted.
How does Ademero measure up?
With Content Central, each user is unique and can be configured to automatically logoff after a set amount of inactivity.
Also, Content Central administrators have full control of user-based permissions so your users only have access to data they need.
Auditing and Logging
Audit controls monitor activity on software systems that contain protected information. The ability to monitor logon and logoff activity, file access, updates, edits, and any security incidents are the main features required for compliance. Common tools that provide this functionality include:
Document History – including updates, edits, etc. to any document
Event Logging – including user access, incidents, etc. system-wide
Tools and features could be named differently depending on your software solution but must cover these basic needs outlined above so administrators can easily view a document or system’s historic data for audits.
How does Ademero measure up?
Ademero‘s detailed system auditing and event logging allows you to track logon and logoff activity, file access, updates, edits, and helps you identify potential security incidents before they happen.
Each document has it’s own extensive auditing through our Document History that monitors other common file tasks as well like copying, checking in and out, downloading, and more.
Confidential information cannot be exposed to unauthorized entities. Features like Encryption and Decryption, Automatic User Logoff, and Unique User Login Credentials help ensure compliance is easily met.
Unique User Identification
A unique name and/or number for identifying and tracking user identity
Automatic termination of an electronic session after inactivity
Encryption & Decryption
The conversion of data from a readable to an unreadable format and back again.
How does Ademero measure up?
Ademero works closely with Google Cloud Platform to provide secure data-center facilities for your documents and information.
Pairing with such a trusted name has significant benefits for our hosted customers like third party auditing, trusted infrastructure and facility controls, and compliance with numerous standards beyond those for SOX Compliance.
Keeping it Simple
The hardest part about FERPA is knowing exactly what it takes to meet compliance with whatever software you choose, but it doesn’t have to be. It’s easy from the software side, which should help you narrow in on the one you want to purchase pretty quickly. After all, there’s flexibility provided in FERPA that allows each institution to implement policies that work for them, so long as there are “reasonable methods” in place to protect student records.
When it comes to picking a DMS, there are several features you’ll need in order to meet compliance. Individual software might call these by different names, but in the end, you’ll be looking for features that provide:
Unique User Identification
System Event Logging
f you’re using your DMS provider to host your system on the cloud, then you’ll also be looking for the requirements for Physical Safeguards like
Redundant Power Servers
Disaster Recovery Plan
Limited Access to Servers
When it’s all said and done, you’ll be looking for much more out of your DMS than just an electronic version of a file cabinet. You’re looking for a robust and simple solution that meets all your needs at one low price. One that’s fast to implement, has all the features you need, with a snappy user interface that everyone can use.
Content Central will keep your office moving with features that do more than just help you meet FERPA Compliance. But don’t just take our word for it, give it a try for yourself and see your customized solution in action.
Download a Copy of this Whitepaper
Download our FERPA Compliance Brochure