The amount of student data stored digitally is ballooning. Schools around the nation are switching to computer-based standardized testing to align with the Common Core, while Apple and Google shipped over 1.4 million iPads and Chromebooks to classrooms just in the third quarter of 2014. The focus on data-driven education reform, together with the growing use of technology in the classroom and the rise of hacking, has made FERPA compliance more complicated — and more important — than ever.
Parents want to know that sensitive data about their children is protected by the schools they go to, and educational institutions face losing federal funding if they fall out of compliance. What happens when student data is let loose? How can teachers and schools stay on top of the legal implications of changing technology, all while writing lesson plans, differentiating instruction and grading hundreds of assignments per week?
Before diving into best practices, it’s important to understand which types of student data are protected under the law.
The Family Educational Rights and Privacy Act (FERPA)
Signed into law in 1974, FERPA set some ground rules for educational institutions that receive federal funding, and gave parents the right to review, challenge, and consent to the disclosure of their children’s educational records. Records protected by FERPA include grades, standardized test scores, health information and behavioral reports. After students turn 18 or transfer to an institution of higher education, those rights transfer to the student.
While FERPA doesn’t currently give parents a pass to sue a teacher or institution if an unauthorized person catches a glimpse of little Johnny’s Algebra test, it does pose a threat to a school’s funding. When a parent notifies the Family Policy Compliance Office (FPCO) of the Department of Education that a school has violated FERPA, the FPCO gives the school a period of time to make the necessary corrections. If the school doesn’t achieve FERPA compliance by this deadline, it could lose its federal funding.
Current Threats to FERPA Compliance
The world has changed a lot since 1974. Teachers and professors talk shop on Facebook, students submit work electronically and email has become a common avenue of communication about student progress. From posting grades with identifying information on Blackboard to leaving your grade book open on a school computer, it’s become all too easy to inadvertently let student data slip.
While the adoption of new technology opens up opportunities for negligence, it also creates new avenues for hackers and data thieves. In 2013, the education sector accounted for 9% of all data breaches. One of those breaches exposed the Social Security numbers of 300,000 University of Maryland students and alumni. That constituted not only a huge FERPA violation, but a $2.8 million bill after the university provided credit monitoring services to those affected by the breach.
Encryption and FERPA Compliance
How can schools protect against hackers and data leaks? One answer lies in encryption. While the University of Maryland responded to its breach by encrypting sensitive data stored on its servers, it could have saved itself a couple million dollars by encrypting that information in the first place. Data encryption provides an extra layer of protection for your most sensitive data — even if a hacker breaks into a server (or an intrepid student tries to change a few grades, Ferris Bueller style), they can’t use the data unless they also have the key to decrypt it.
Encrypting stored data is a good start, but it’s not enough. Email is a common way educational institutions violate FERPA. According to data from CSID, a data security and identity protection firm, “50% of colleges and universities allow for the unprotected transmission of sensitive information over email,” and “25% of these institutions advised applicants to send personal information, including W2 forms, via unencrypted email to admissions and financial aid offices.”
Email encryption makes it easier for schools to protect sensitive student data and maintain FERPA compliance. Virtru’s solution for FERPA-compliant email is client-side encryption, which means that messages are only ever accessible to the sender and an authorized and authenticated receiver. No one else ever has access to student content.
With growing rosters, shrinking budgets and constantly evolving technology, K-12 schools and colleges face a new crop of challenges when it comes to FERPA compliance and data protection. It’s more important than ever that educators and institutions know the law, follow best practices and invest in security measures to protect students. Data encryption, while not a bulletproof measure on its own, should be part of a comprehensive information security policy to maintain student privacy — not to mention federal funding.