Meeting FERPA Compliance with Ademero’s Content Central

Aug 17, 2021 | Compliance, FERPA

The Family Educational Rights Privacy Act (FERPA) and DMS

The Family Educational Rights Privacy Act of 1974 (FERPA or The Buckley Amendment) was enacted to protect student education records and pertains to any school that receives funds under an applicable program of the U.S. Department of Education. Basically, any school receiving this funding (i.e., public schools, local educational agencies (or LEAs), and postsecondary institutions) is required to create and maintain compliant retention, disclosure, and destruction policies for records containing the personally identifiable information (PII) of its students.

The Basics

FERPA provides certain rights with respect to children’s education records. These rights are transferred to the student when he or she reaches the age of 18 or attends a school beyond high-school level. Student rights include things like:

  • Right 1. The right to know about the purposes, content, and location of information kept as part of their educational records.
  • Right 2. The right to gain access to and challenge the content of their educational records.
  • Right 3. The right to expect that information kept as part of their educational records will be kept confidential, disclosed only with their permission or under provisions of law.

*Education Records are records, files, documents, and other materials that contain information directly related to a student and maintained by the institution or someone acting for the institution per policy.

FERPA laws define two types of educational records, Personally Identifiable Information (PII) and Directory Information, and make no distinction between physical and electronic forms of those records. Each type of record requires different disclosure governance and protection, whether stored physically or digitally.

Examples of Personally Identifiable Information:

  • Social Security Numbers (SSN)
  • Grades & GPAs
  • Transcripts
  • Academic Evaluations
  • Disciplinary Records
  • Class Lists / Course Schedules
  • Certain Psychological Evaluations
  • K-12 Health Records
  • Collegiate Student Financial Info

Examples of Directory Information:

  • Name
  • Grade Level
  • Address
  • Telephone Number
  • Email Address
  • Birth Date
  • Place of Birth
  • Honors & Awards
  • Dates of Attendance

34 CFR Part 99

Non-Directory information or PII cannot be released without a student’s written consent and school staff can only access this information when there is a legitimate academic reason. Schools can disclose Directory Information without a student’s written consent unless the student has opted to restrict the release of this data during the annual notice sent by the school. 34 CFR Part 99 allows schools to disclose PII without consent to the following parties or under the following conditions:

Disclosure

The disclosure is to other school officials, including teachers, within the institution whom the institution has determined to have legitimate educational interests

Contractors, Consultants, Volunteers, or Outsourced Services

A contractor, consultant, volunteer, or other party to whom an institution has outsourced institutional services or functions may be considered a school official under this paragraph provided that the outside party –

  • Performs an institutional service or function for which the institution would otherwise use employees;
  • Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and
  • Is subject to the requirements of § 99.33(a) governing the use and redisclosure of personally identifiable information from education records.

Reasonable Methods

An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement in paragraph (a)(1)(i)(A) of this section.

Requirements of § 99.34

The disclosure is, subject to the requirements of § 99.34, to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student’s enrollment or transfer.

Compliance

FERPA compliance may not be as clearly defined as HIPAA or even SOX, but the standard generally states that institutions must use “reasonable methods” to protect all PII. FERPA does not lay out specifics for implementation, which gives institutions the flexibility to comply in a way that works for them.

So, the implementation of these “reasonable methods” was purposely left vague to include any forms these records may take, be it written, digital, captured in film, audio, or any other medium. When it comes to utilizing software, there are several considerations that will ensure that you’re well within those “reasonable methods” and thus able to meet FERPA compliance easily.

Access Controls

Access to PII must be controlled via means like unique user roles and user-based permissions.
All points of access to data (database, file, folder, etc.) must be appropriately restricted to only provide access to those that are permitted.

How does Ademero measure up?

With Content Central, each user is unique and can be configured to automatically log off after a set amount of inactivity.

Also, Content Central administrators have full control of user-based permissions so your users only have access to data they need.

Auditing and Logging

Audit controls monitor activity on software systems that contain protected information. The main features required for compliance are the ability to monitor logon and logoff activity, file access, updates, edits, and any security incidents. Common tools that provide this functionality include:

  • Tool 1: Document History – including updates, edits, etc. to any document
  • Tool 2: Event Logging – including user access, incidents, etc. system-wide

Tools and features could be named differently depending on your software solution, but they must cover the basic needs outlined above so administrators can easily view a document’s or system’s historic data for audits.

How does Ademero measure up?

Ademero’s detailed system auditing and event logging allow you to track logon and logoff activity, file access, updates, and edits, and help you identify potential security incidents before they happen.

Each document has its own extensive auditing through our Document History, which also monitors other common file tasks like copying, checking in and out, downloading, and more.

Confidentiality

Confidential information cannot be exposed to unauthorized entities. Features like Encryption and Decryption, Automatic User Logoff, and Unique User Login Credentials help ensure compliance is easily met.

Unique User Identification

A unique name and/or number for identifying and tracking user identity

Automatic Logoff

Automatic termination of an electronic session after inactivity

Encryption & Decryption

The conversion of data from a readable to an unreadable format and back again.

How does Ademero measure up?

Ademero works closely with Google Cloud Platform to provide secure data-center facilities for your documents and information.

Pairing with such a trusted name has significant benefits for our hosted customers like third party auditing, trusted infrastructure and facility controls, and compliance with numerous standards beyond those for SOX Compliance.

Keeping it Simple

The hardest part about FERPA is knowing exactly what it takes to meet compliance with whatever software you choose, but it doesn’t have to be. It’s easy from the software side, which should help you narrow in on the one you want to purchase pretty quickly. After all, there’s flexibility provided in FERPA that allows each institution to implement policies that work for them, so long as there are “reasonable methods” in place to protect student records.

When it comes to picking a DMS, there are several features you’ll need in order to meet compliance. Individual software might call these by different names, but in the end, you’ll be looking for features that provide:

  • Unique User Identification
  • Password Protection
  • Automatic Logoff
  • Transmission Encryption
  • Document History
  • System Event Logging
  • Login Monitoring

If you’re using your DMS provider to host your system on the cloud, then you’ll also be looking for the requirements for Physical Safeguards like:

  • Data Backups
  • Redundant Power Servers
  • Disaster Recovery Plan
  • Physical Security
  • Video Surveillance
  • Fire Suppressant
  • Limited Access to Servers

When it’s all said and done, you’ll be looking for much more out of your DMS than just an electronic version of a file cabinet. You’re looking for a robust and simple solution that meets all your needs at one low price. One that’s fast to implement, has all the features you need, with a snappy user interface that everyone can use.

Content Central will keep your office moving with features that do more than just help you meet FERPA Compliance. But don’t just take our word for it, give it a try for yourself and see your customized solution in action.

Interested in Ademero's Paperless Office Software Suite?

With more than two decades of experience in the document management software industry, the pros at Ademero know exactly what is needed to get your organization up and running when you're looking to switch to a paperless office. Ademero Software offers businesses like yours:

  • User-friendly and intuitive systems that are fast to implement for your organization.
  • All-inclusive features at one low price, meaning you won’t get hit with a bunch of add-on fees when you least expect it.
  • Adaptable software that fits any business, with a price point that’s perfect for small-to-medium businesses and feature-rich enough for enterprise needs, regardless of your industry.

If you’re interested in adding a DMS to streamline your organization to save time and money, we can help. Contact us today at 863-937-0272 or schedule a free customized demonstration of our Content Central DMS software.