ferpa-compliant-seal-content-central-logo
parallax layerparallax layer

The Family Educational Rights Privacy Act (FERPA) and DMS

The Family Educational Rights Privacy Act of 1974 (FERPA or The Buckley Amendment) was enacted to protect student education records and pertains to any school that receives funds under an applicable program of the U.S. Department of Education. Basically, any school receiving this funding, (i.e.: public schools, local educational agencies (or LEAs), and postsecondary institutions), are required to create and maintain compliant retention, disclosure, and destruction policies for records containing the personally identifiable information (PII) of their students.

The Basics

FERPA provides certain rights with respect to children’s education records which are then transferred to the student when he or she reaches the age of 18 or attends a school beyond high-school level. Student rights include things like:

Right 1.

The right to know about the purposes, content, and location of information kept as part of their educational records

Right 2.

The right to gain access to and challenge the content of their educational records

Right 3.

The right to expect that information kept as part of their educational records will be kept confidential, disclosed only with their permission or under provisions of the law.

*Education Records are records, files, documents, and other materials that contain information directly related to a student and maintained by the institution or someone acting for the institution per policy.

FERPA laws define two types of educational records and makes no distinction between physical or electronic forms of those records; Personally Identifiable Information (PII) and Directory Information. Each type of record requires different disclosure governance and protection whether stored physically or digitally.

Examples of Personally Identifiable Information Include:

Examples of Directory Information:

34 CFR Part 99

Non-Directory information or PII cannot be released without a student’s written consent and school staff can only access this information when there is a legitimate academic reason. Schools can disclose Directory Information without a student’s written consent unless the student has opted to restrict the release of this data during the annual notice sent by the school. 34 CFR Part 99 allows schools to disclose PII without consent to the following parties or under the following conditions:

  • The disclosure is to other school officials, including teachers, within the institution whom the institution has determined to have legitimate educational interests

  • A contractor, consultant, volunteer, or other party to whom an institution has outsourced institutional services or functions may be considered a school official under this paragraph provided that the outside party –

    • Performs an institutional service or function for which the institution would otherwise use employees;

    • Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and

    • Is subject to the requirements of § 99.33(a) governing the use and redisclosure of personally identifiable information from education records.

  • An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement in paragraph (a)(1)(i)(A) of this section.

  • The disclosure is, subject to the requirements of § 99.34, to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student’s enrollment or transfer.

Compliance

FERPA compliance may not be as clearly defined as HIPAA or even SOX, but the standard generally states that institutions must use “reasonable methods” to protect all PII. FERPA does not outlay specifics for implementation to provide institutions the flexibility to do so in a way that works for them. So, the implementation of these “reasonable methods” was purposely left a vague
to include any forms these records may take; be it written, digital, captured in film, audio, or
any other medium. When it comes to utilizing software, there are several considerations that
will ensure that you’re well within those “reasonable methods” and thus, able to meet FERPA compliance easily.

Access Controls

Access must be controlled to PII via means like unique user-rolls and user-based permissions.
All points of access to data, (database, file, folder, etc.), must be appropriately restricted to only provide access to those that are permitted.

contentcentral-tip-icon

How Does Ademero Measure Up?

With Content Central, each user is unique and can be configured to automatically logoff after a set amount of inactivity.

Also, Content Central administrators have full control of user-based permissions so your users only have access to data they need.

Auditing & Logging

Audit controls monitor activity on software systems that contain protected information. The ability to monitor logon and logoff activity, file access, updates, edits, and any security incidents are the main features required for compliance. Common tools that provide this functionality include

Tool 1

Document History - including updates, edits, etc. to any document

Tool 2

Event Logging - including user access, incidents, etc. system-wide

Tools and features could be named differently depending on your software solution but must cover these basic needs outlined above so administrators can easily view a document or system’s historic data for audits.

contentcentral-tip-icon

How Does Ademero Measure Up?

Ademero‘s detailed system auditing and event logging allows you to track logon and logoff activity, file access, updates, edits, and helps you identify potential security incidents before they happen.

Each document has it’s own extensive auditing through our Document History that monitors other common file tasks as well like copying, checking in and out, downloading, and more.

Confidentiality

Confidential information cannot be exposed to unauthorized entities. Features like Encryption and Decryption, Automatic User Logoff, and Unique User Login Credentials help ensure compliance is easily met.

A unique name and/or number for identifying and tracking user identity

Unique User Identification

A unique name and/or number for identifying and tracking user identity

Automatic termination of an electronic session after inactivity

Automatic Logoff

Automatic termination of an electronic session after inactivity

The conversion of data from a readable to an unreadable format and back again.

Encryption & Decryption

The conversion of data from a readable to an unreadable format and back again.

contentcentral-tip-icon

How Does Ademero Measure Up?

Data security is one of the top reasons users choose Ademero. Whether files are at rest or in transit, data is encrypted with tools like SSL and protected against unauthorized intrusion.

Keeping it Simple

The hardest part about FERPA is knowing exactly what it takes to meet compliance with whatever software you choose, but it doesn’t have to be. It’s easy from the software side, which should help you narrow in on the one you want to purchase pretty quickly. After all, there’s flexibility provided in FERPA that allows each institution to implement policies that work for them, so long as there are “reasonable methods” in place to protect student records.

When it comes to picking a DMS, there are several features you’ll need in order to meet compliance. Individual software might call these by different names, but in the end, you’ll be looking for features that provide:

Unique User Identification

Password Protection

Automatic Logoff

Transmitting Data Encryption & Decryption

Complete Electronic History of Documents

System Event Logging

Login Monitoring

If you’re using your DMS provider to host your system on the cloud, then you’ll also be looking for the requirements for Physical Safeguards like

Data Backups

Redundant Power Servers

Disaster Recovery Plan

Physical Security

Video Surveillance

Fire Suppressant

Limited Access to Servers

contentcentral-tip-icon

How Does Ademero Measure Up?

Ademero works closely with Google Cloud Platform to provide secure data-center facilities for your documents and information.

Pairing with such a trusted name has significant benefits for our hosted customers like third party auditing, trusted infrastructure and facility controls, and compliance with numerous standards beyond those for FERPA Compliance.

When it’s all said and done, you’ll be looking for much more out of your DMS than just an electronic version of a file cabinet. You’re looking for a robust and simple solution that meets all your needs at one low price. One that’s fast to implement, has all the features you need, with a snappy user interface that everyone can use.

Content Central will keep your office moving with features that do more than just help you meet FERPA Compliance. But don’t just take our word for it, give it a try for yourself and see your customized solution in action.

Sign up for a free trial of our Document Management Software today to see just how Content Central works for meeting FERPA Compliance.

Sign Up For Free Trial

Sign up for a free trial of our Document Management Software today to see just how Content Central works for meeting FERPA Compliance.

Schedule a personalized demonstration today to see exactly how Content Central can help you do more than just meet FERPA Compliance.

Schedule a Demo

Schedule a personalized demonstration today to see exactly how Content Central can help you do more than just meet FERPA Compliance.

Learn more about Content Central and how it will help you meet compliance with videos, brochures, and other downloadable information.

There's More to Discover!

Learn more about Content Central and how it will help you meet compliance with videos, brochures, and other downloadable information.