
Family Educational Rights and Privacy Act

FERPA

FERPA, the Family Educational Rights and Privacy Act (U.S. Regulations: 34 CFR Part 99), is a federal law designed to preserve the privacy and accuracy of student records. The law also provides students with rights as to how records are used and disclosed.

To maintain compliance, schools are increasingly leveraging leading Cloud applications such as Microsoft 365 and Google Workspace to retain information electronically and prevent unauthorized access.

DataParser can help Education organizations meet FERPA requirements.


Let our Compliance Services team help

To be sure you’re staying compliant with FERPA, there are multiple factors to keep in mind, including understanding PII and privacy considerations, record retention requirements, and penalties for non-compliance.

Retention periods for Student Records vary by state

According to FERPA, there’s no formal retention time for student records. There are, however, many state laws that do set specific retention restrictions. As a general rule of thumb, schools should keep temporary student information like attendance records for 6 years after a student no longer attends. Permanent records should be kept for at least 60 years.

 

Non-compliance can lead to disastrous outcomes 

When schools, school districts, and other education agencies and institutions fail to comply with FERPA, they will lose their funding from the Department of Education. Depending on individual state guidelines, there may be additional penalties for improper disclosure or misuse of student education records.

Understanding FERPA and how Education institutions are managing remote students on platforms like Zoom

The Covid-19 Pandemic transformed how Colleges and Universities collaborate, communicate, and educate. Go to the IT Services Department website at any Higher Education institution, and there is a ‘Communications and Collaboration’ services offering page. Email, Chat, VoIP Telephony, Videoconferencing… there is no one clear winner but it’s usually one of the following platforms: Zoom, Slack, Cisco Webex, Microsoft Teams, and Google Meet.

Consider Zoom Meeting as an example of the privacy and data governance issues schools are having to address when it comes to online learning and collaboration. Almost all schools have entered into an agreement directly with Zoom. Using Zoom does not require that students provide any payment information and includes additional protections for personal information. Any data provided to or collected by Zoom during a remote instruction session will be subject to the protections of FERPA and may only be used by Zoom for the purpose of providing the video conferencing services. Student personal information will not be used for marketing by Zoom or its affiliates without the student's prior consent. For further information on Zoom’s compliance with FERPA, please refer to the FERPA Guide on the Zoom Education page, and for further information on Zoom’s privacy practices, please refer to their privacy policy.

Colleges and Universities, however, have complex record retention obligations under both FERPA and State Law. The type of student directory information that is required to be retained includes PII such as Student Name, Address, Telephone Number, University Email, Photographs and Videos, Financial, Student Transcript, and Testing protocols. As a general rule of thumb, schools should keep temporary student information like attendance records for 6 years after a student no longer attends. Permanent records should be kept for at least 60 years.

One important emerging issue is whether an online meeting constitutes a Student Record under FERPA. Zoom has the ability to record meetings. This feature can be activated/deactivated and managed by the meeting host. For further information on this feature, please visit the Zoom recording page.

Zoom recordings, including video/audio/text of courses or chat sessions, that include personally identifiable student information should be considered education records that are FERPA protected and thus not subject to public disclosure. While there is older U.S. Department of Education guidance concerning class recordings in the traditional in-person classroom setting that suggests such recordings are not FERPA protected, Zoom class recordings and student chat sessions likely identify individual students’ names and faces and show students speaking or typing questions, and thus are personally identifiable. As a result, best practice would be to treat these recordings as any other confidential education record under FERPA.

Zoom recordings, including video/audio/text of faculty/staff meetings or chats, that don’t include personally identifiable student information should be considered public records subject to disclosure, if requested. Although those meetings are not open to the public and are not required to be recorded or have minutes taken, once a recording is made, a public record is created that a school will need to retain pursuant to the appropriate public records retention schedule. How long a school is required to retain depends on the content of the record and can vary from “retain until obsolete” to permanent retention.

It is important to emphasize that while each school is working under unique circumstances, the same laws, record retention requirements, and privacy considerations apply. In the FERPA context, a record created and/or maintained by a University with personally identifiable information related to a student would have protection from disclosure but would still need to be archived for 6 years. In the public records context, any record created by a University employee, regardless of format, that concerns official university business will be subject to disclosure indefinitely unless an exemption applies. Schools are increasingly capturing online meeting collaboration data, making individual assessments as to whether they constitute a public record, and archiving them for the appropriate corresponding time period.