Digitalization, in addition to having revolutionized education globally, has highlighted the urgent need for measures to protect student privacy.
Many countries have enacted new laws in recent years to regulate privacy in the digital age. Others, like the U.S., have adapted their legislation to modern times.
In the United States, the FERPA law is applied, a regulation that has been updated throughout its more than 50-year history with the aim of protecting student records. This law, however, only applies to the educational records of institutions that receive federal funding, and not to those of all schools.
What is FERPA? Meaning
The FERPA law (Family Educational Rights and Privacy Act) is a US federal regulation intended to protect the privacy of students’ academic records.
Contrary to what might happen in other countries, the U.S. does not have a single general privacy law, but instead has different regulations by sector.
Healthcare, for example, is regulated by the HIPAA law. The RFPA, on the other hand, regulates government access to financial information, while the GLBA focuses on consumer privacy with respect to banking institutions.
While there is no federal regulation covering the entire education sector, the confidentiality of educational records is protected by the FERPA law in the United States.
FERPA law’s entry into force and amendments
The Family Educational Rights and Privacy Act, also known as the Buckley Amendment, came into force in November 1974.
Any academic institution that receives federal funds from the United States Department of Education (DoE) must comply with FERPA requirements. This includes all public schools, as well as many private institutions.
As a law from the seventies, FERPA has been modified 11 times to adapt to changes in the sector, with the last formal update occurring in 2011. Subsequently, the Department of Education has published relevant guides and interpretations for daily implementation.
What does FERPA protect?
The FERPA law protects the records of current and former students. Initially, it restricted the disclosure of Personally Identifiable Information (PII) to third parties.
However, with the 2008 amendment, the regulation made the transfer of data more flexible to third parties related to the exercise of education, including consultants, contractors, or service providers.
In any case, the involved third parties must act with legitimate educational interests, and contracts must limit the use of data for exclusively academic purposes.
The amendment allowed the regulation to adapt to modern technology, facilitating access to data without the need for explicit consent in justified cases.
Nevertheless, it is important to emphasize that explicit consent is still necessary for certain uses outside of the educational interest, and what is known as directory information can be disclosed if parents do not object.
FERPA law rights
The Family Educational Rights and Privacy Act in the United States grants three main rights to students:
| Right to access and review educational records.* | Right to modify or correct the data in their academic record. | Right to decide on the disclosure of Personally Identifiable Information (PII). |
It is important to clarify that, in the case of students under 18 years of age, the rights are transferred to their parents or legal guardians (parental rights).
*There are legal exceptions where the institution may temporarily deny access.
Do you want to stay on top of the latest trends in eLearning, EdTech, and Human Resources?
Fill out the form to receive our weekly newsletter with industry insights from our experts.
FERPA law obligations
Academic institutions, for their part, have the following obligations:
| 1. Notification of rights. Educational institutions must inform parents and students annually about their rights through accessible channels. | 2. Ensure access to information. Institutions must respond to requests within 45 days and maintain records of requests and modifications. | 3.Control information disclosure. Schools and universities must control the processing of student data, formalizing contracts with third parties and meeting other requirements detailed below. |
To ensure compliance with the regulation, institutions must:
- Provide the necessary training programs, ensuring the academic staff’s knowledge of the law.
- Have security protocols, such as encryption or access controls, and implement regular audits to ensure compliance with the FERPA law.
To facilitate compliance, the Department of Education provides guides and best practice templates that institutions can follow.
FERPA compliance: does SMOWL adhere to the regulation?
Yes, Smowltech’s digital exam supervision software complies with the FERPA privacy protocol. As a European company, Smowltech is governed by the GDPR, the world’s strictest regulation regarding data protection.
Therefore, academic institutions outside the European Union can implement SMOWL as an exam monitoring tool with the assurance that students’ personal information will be properly protected.
Smowltech, for its part, formalizes a contract with each institution governed by the FERPA law to ensure that data is used exclusively for educational purposes, based on current regulations.
For more information, you can check our privacy policy. If you have any concerns or questions about it or the treatment of the data we gather, feel free to reach out to us:
User Support Center
Portuetxe Kalea, 53 B, 20018 DONOSTIA/SAN SEBASTIÁN, GIPUZKOA
