As the use of electronically provided educational services increases in the higher education industry, institutions of higher education (“Institutions”) and those contractors, consultants, and other parties to whom the Institutions have outsourced organizational services or functions must remain vigilant in protecting education records and complying with the Family Educational Rights and Privacy Act of 1974, 20 U.S.C. § 1232g (“FERPA”), and its implementing regulations. FERPA compliance is mandatory and, as a good business practice, Institutions and third parties need to ensure that each of their contracts aligns with FERPA’s requirements.
Overview of FERPA
FERPA is a federal law that protects the privacy of student education records. The law, which is enforced by the U.S. Department of Education (“Department”) Family Policy Compliance Office, applies to all schools that receive federal education funds – both elementary and secondary schools as well as Institutions.
The regulations define an “education record” as those records that are:
(1) Directly related to a student; and
(2) Maintained by an educational agency or institution or by a party acting for the agency or institution.
As such, while transcripts and other obviously academic records are certainly “education records,” this definition encompasses many other records besides those related to academics. In addition, when the regulations speak of “records,” they do so very broadly. Records include “any information recorded in any way” – including in print, on film or video, or in digital and electronic formats. Also, “students” include those persons that have attended an Institution. Mere applicants are not “students” (although, applications of students are education records).
Under FERPA, Institutions may disclose education records in personally identifiable form, without consent, to “school officials.” For outsourced work, school officials are contractors, consultants, and other parties (1) to whom the Institution has outsourced organizational services or functions, (2) over whom the Institution retains “direct control” with respect to the use and maintenance of education records, and (3) that are subject to the same conditions on the use, redisclosure, and destruction of education records that apply to the Institution. In addition, a “school official” may use the information only for the purpose for which it was disclosed. So, if an Institution provides student grade information to a third party to format and print transcripts, for example, that third party cannot contact the student with an offer to help improve the student’s grades in future English classes.
Redisclosure of Information by Third Party School Officials
One typical cause for concern with third party “school officials” relates to the redisclosure of information. Generally, pursuant to 34 C.F.R. § 99.33(a), an Institution disclosing an education record in personally identifiable form must inform the recipient that it cannot redisclose that information without the consent of the student, and that it may use the information only for the purpose for which the disclosure was made. There are exceptions to this requirement, however. For example, pursuant to 34 C.F.R. § 99.33(c), redisclosures of “directory information” (including information such as name; physical and email addresses; telephone numbers; major; degrees, honors, and awards received; and participation in officially recognized activities and sports) are permissible in most cases.
It is often the case that third party school officials must redisclose the information in some form to perform the functions requested by an Institution. For example, if an Institution provides education records to a third party school official, that third party will typically upload the data to a server hosted by yet another party (“Data Host”). The Data Host, in turn, must access the network containing the data to maintain the site and, in the course of that maintenance, may have access to, or actually view, the data.
The regulations certainly restrict redisclosure of information, and disclosure to a party like the Data Host that is not in the Institution’s “direct control” would seem to be an issue. The Department has acknowledged, however, that blanket prohibitions on subsequent redisclosures of FERPA-protected data may be impractical. While guidance is sparse, the Department has suggested:
Exercising direct control could prove more challenging in some situations than in others. Schools outsourcing information technology services, such as web-based and e-mail services, should make clear in their service agreements or contracts that the outside party may not use or allow access to personally identifiable information from education records, except in accordance with the requirements established by the educational agency or institution that discloses the information.
As such, FERPA compliance will likely be achieved by requiring that any third-party school official, in turn, require that redisclosed data be used only in accordance with the standards set forth by the Institution (standards the Institution has likely already imposed on the third-party school official itself). Institutions would be wise to ask to see the contracts between the third-party school officials and parties such as Data Hosts to confirm that this standard flows down.
Records Retention & Destruction
FERPA does not establish a records retention schedule for FERPA-protected data. Nonetheless, Institutions should review the data stewardship plans of all contractors that will handle FERPA-protected data. Such a plan should detail the organization’s policies and procedures to protect privacy and data security, including the ongoing management of data collection, processing, storage, maintenance, use, and destruction. The plan could also designate an individual to oversee the privacy and security of the PII from the education records the contractor maintains. In addition, the Department has suggested that, at the end of an engagement, a contractor could return paper records to the Institution and destroy its electronic copies of the data.
Parties often retain records for a period after the student is no longer enrolled or making use of the third party’s services. Such a retention period allows the Institutions and third parties to comply with other legal obligations, resolve disputes, and enforce their agreements. It is important, however, to destroy data in a manner and at a time that preserves student privacy. As such, it may be the case that student data should be destroyed shortly after the student graduates or otherwise leaves the Institution. Of course, the Institution will often need to inform the third party of the student’s departure for that to happen. Additionally, third parties should consult with their partner Institutions on other aspects of the records retention policy, specifically the protocols for data backup (backups are copies of the same records and must be destroyed on the same schedule) and the appropriate contact persons for Institutional questions.
It also makes sense to address what to do in cases of data loss and breach. While no one expects that a contractor or employee will lose data files while riding mass transit or that an attacker will compromise their systems, these events do occur. The Department has helpfully created a Data Breach Checklist of items to aid in responding to such an event. Nonetheless, Institutions should clarify in their agreements what third parties need to do in the event of a data loss or breach, including whom to notify and how quickly. Institutions should also reserve a right to audit their third party school officials to ensure FERPA compliance.
Employee Access to Education Records
School officials are permitted access to education records when they are performing an “institutional service or function for which the agency or institution would otherwise use employees.” As a result, Institutions should understand which employees of a third party school official will have access to education records and what function those employees perform. Moreover, Institutions may need to document which employees have access to the data and receive periodic updates as employees and employee functions change.
FERPA is a vitally relevant law for Institutions and the contractors that work with them. Any good agreement covering education records should have a number of terms that protect both parties and define expectations. Some of these provisions include:
- Limitations on the use of education records and the PII from education records;
- Specific points of contact and data custodians;
- An agreement by the parties to follow the requirements of FERPA, and a right to revise the agreement to conform with any amendments to FERPA requirements;
- Terms of data preservation and destruction;
- A right to audit the processes of any third party to ensure FERPA compliance; and
- A plan to deal with data loss or breach.
Institutions should undertake a thoughtful and periodic review of the contracts that govern education records (and other PII). Such a review will better enable the Institutions to comply with the law and maintain their students’ privacy.