The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.
By Joseph G. Jarret
July 10, 2015
It can be something as simple as a teacher or professor leaving a stack of graded papers in a box outside the classroom so students can pick them up at their convenience, or posting grades under a student’s name, Social Security number, or any other number that can identify a student. As any savvy HR professional will tell you, the aforementioned scenarios are just two of the myriad ways an entity can run afoul of the Family Educational Rights and Privacy Act of 1974 (FERPA).
FERPA: Policy & Process
FERPA became law in 1974. It applies to all educational agencies and institutions, such as schools, school districts and post-secondary institutions, that receive funds under any program administered by the United States Department of Education. FERPA is designed to ensure that education records are kept private while guaranteeing parents the right to inspect and review “any and all official records, files and data directly related to their children.”
FERPA likewise gives students who reach the age of 18 or who attend a post-secondary institution the right to inspect and review their own education records, the right to request amendment of records and to have some control over the disclosure of personally identifiable information from these records. Such data includes, but is not limited to:
Although schools cannot legally disclose information considered part of an education record without the prior consent of the FERPA rights-holder, the law does provide a limited number of exceptions to the nondisclosure rule. The National Association of Secondary School Principals suggests that information that can personally identify a student may be released without prior consent when:
• The information is considered “directory information.” FERPA defines “directory information” as information contained in an education record of a student that would generally not be considered harmful or an invasion of privacy if disclosed. Directory information may include elements such as the student’s name, address, telephone number, photograph, date of birth, place of birth, grade level or major field of study. This does not include a student’s GPA, Social Security number, student ID number, race, gender or ethnicity.
• One school official releases information to other school officials with a legitimate educational interest.
• One school sends information to another school that the student wishes to attend.
• The school releases the information to the federal or state authorities conducting an audit or monitoring compliance with education programs.
• The school has been ordered by a court subpoena to release the information.
• An adult student signs a written parental consent, or a parent provides documentation showing that the student is recognized as a dependent for Federal income tax purposes.
• There is an imminent health or safety emergency.
Risk of Data Breach
Educational institutions from K-12 to higher education are increasingly transitioning from paper records to electronic data systems and Web-based applications to store, process and deliver education data to internal users and external partners. Consequently, student records that were previously paper-based are now stored digitally. Because education records contain significant amounts of sensitive, personally identifiable information (PII), public entities must ensure that PII is appropriately protected and managed, lest the entity suffer undesirable consequences such as financial losses, reputation damage and loss of public confidence.
As such, the HR director should work collaboratively with the entity’s information technology (IT) team to ensure that there is continuous monitoring for leakage and loss of PII and other sensitive data. The IT team is responsible for employing automated tools, such as intrusion detection/prevention systems, firewalls, anti-virus and anti-malware tools, to monitor and alert on suspicious activity. The HR manager’s role, by contrast, is to conduct frequent privacy and security awareness training sessions as part of an ongoing training and awareness program. Such training should include:
• Mandatory privacy and information security training on a recurring basis to all employees, school/college/university officials, contractors, and any other staff involved in data-related activities.
• Posting and communicating privacy policies to customers and users (for instance, on the agency Web page or on a bulletin board at the office, through statements inserted in documents or emails, etc.).
• Clearly defining and making easily accessible processes for reporting privacy incidents and complaints (depending on the nature of the event, this may include reporting to the authorities, public, and/or individuals affected).
HR managers are responsible for assisting their entities in demonstrating high levels of responsibility and due diligence. They must take proactive security measures to identify the risks faced by confidential student information and employ countermeasures that are commensurate with the amount of risk identified.
Author: Joe Jarret is a public sector manager, attorney and mediator who lectures on behalf of the master of public policy and administration program in the Department of Political Science at the University of Tennessee, Knoxville. He is the 2013-2014 president of the E. Tennessee Chapter of ASPA.