FERPA
34 CFR PART 99—FAMILY EDUCATIONAL RIGHTS AND PRIVACY
34 CFR Part 99 implementing section 444 of the General Education Provision Act (GEPA), which is commonly referred to as the Family Educational Rights and Privacy Act (FERPA), and Federal Register Notices of amendments to FERPA.
| FERPA Requirement | Company Policy Provision |
|---|---|
| School Official Exception | |
| A provider acting as a "school official" must perform an institutional service for which the school would otherwise use employees and be under the direct control of the school regarding the use and maintenance of education records. 1 | See Terms Of Use, School Addendum, Section 2 |
| Data may only be used for the specific purpose for which it was disclosed. The provider may not re-disclose personally identifiable information (PII) from education records. 1 | See Terms Of Use, School Addendum, Section 3; Privacy Policy, How We Share Your Information |
| Parental/Eligible Student Rights | |
| Parents or eligible students have the right to inspect and review the student's education records. The school must comply with a request within 45 days. 1 | See Security Statement, Section 6, "Viewing of RECORDS"; Privacy Policy, Access to Individual Data |
| Parents or eligible students have the right to request the amendment of education records they believe are inaccurate or misleading. 1 | See Security Statement, Section 6, "Correction of RECORDS" |
| Consent & Notice | |
| Schools must have written consent from the parent or eligible student to release any PII from a student's education record, unless an exception applies. 7 | See Terms Of Use, School Addendum, Section 1 |
| Schools must provide annual notification to parents and eligible students of their rights under FERPA. 1 | See Security Statement, Section 3.2 (Provides suggested notification text for schools to use) |
| Directory Information Exception | |
| Schools may disclose "directory information" (e.g., name, address, photograph) without consent if they have given public notice and provided parents/eligible students the right to opt out of the disclosure. 10 | See Terms Of Use, School Addendum, Section 1;Security Statement, Section 3.2 |
| Data Security & Retention | |
| While FERPA does not prescribe specific security measures, it requires that schools and their providers implement reasonable methods to protect student data from unauthorized disclosure. 13 | See Security Statement, Section 5; Policy Packet, Cryptography Policy, Access Control Policy, and Operations Security Policy |
| In the event of a data breach, the provider should have clear procedures for notification and response. 2 | See Privacy Policy, In the event of a data breach; Incident Response Plan |
| Data from education records should be destroyed or returned to the LEA when no longer needed for the specified purpose. | See Security Statement, Section 6, "Removal of RECORDS"; Policy Packet, Data Management Policy, Appendix A |
| De-Identified & Anonymized Data | |
| A provider may use de-identified data for purposes such as product development, research, or improvement of services. 2 | See Terms Of Use, School Addendum, Section 3, "ANONYMIZED DATA" |
