Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy


Most institutions of higher education are very familiar with the Family Educational Rights Protection Act (FERPA), which applies to all state and local, public and private educational institutions that receive federal funds through programs administered by the U.S. Department of Education (ED). Unless at least one of FERPA’s exceptions applies, institutions risk sanctions from ED – including the potential loss of all federal funding – if they disclose a student’s personally identifiable information (PII) from an education record without the student’s express prior written consent. Beyond FERPA, higher education institutions have additional legal responsibilities to assiduously secure and protect student data from inadvertent disclosure, particularly financial information maintained by an institution regarding students or their families.

ED has repeatedly emphasized these broad obligations, including in Dear Colleague Letters GEN-15-18 (July 29, 2015) and GEN-16-12 (July 1, 2016), which outline institutional obligations under the Gramm-Leach-Bliley Act (GLBA). The GLBA applies to financial services organizations, which include postsecondary educational institutions. For institutions of higher education that participate in the federal student financial aid programs, which include the vast majority of postsecondary institutions in the United States and certain eligible foreign institutions, the applicability of GLBA requirements is expressly referenced in the institution’s Program Participation Agreement (PPA) with ED. The GLBA mandates multiple precautions from each institution, including:

  • Developing written information security protocols;
  • Designating at least one information security program coordinator;
  • Identifying and assessing risks to student information; and
  • Choosing third-party servicers who maintain appropriate safeguards.

To monitor a postsecondary institution’s incorporation of these requirements into its operations, ED includes these requirements among the areas that must be reviewed as part of an institution’s annual compliance audit for continued participation in the federal student financial aid programs. The responsibility to safeguard student data is further reflected in the Student Aid Internet Gateway (SAIG) Enrollment Agreement between an institution and ED, under which the institution must ensure that “all users are aware of and comply with” requirements to protect and secure data received from ED sources (which inherently includes significant student financial data). The SAIG Enrollment Agreement thereby requires institutions to engage in meaningful education, training, and access management among their personnel who deal with student data.

Recognizing that many institutions are less familiar with GLBA requirements than they are with FERPA, the Dear Colleague Letters from ED “strongly encourage” schools to review a key document from the National Institute of Standards and Technology (NIST), Special Publication 800-171, which cites specific ways to handle controlled unclassified information such as students’ PII. By following the recommendations set forth in NIST SP 800-171, institutions can take a substantial step toward eliminating gaps in their information security program. ED also has indicated that these NIST standards are a key model of cybersecurity compliance, and that institutions should design their information security programs around its requirements.

ED has stated publicly, including at its annual FSA Training Conference for Financial Aid Professionals, that it will increase its oversight of postsecondary institutions for compliance with GLBA requirements. All institutions of higher education should review their student information management systems to ensure that adequate security protocols and training are both presently in place and continuously monitored for ongoing effectiveness.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

August 14, 2017
Written by: Jonathan Tarnow and Sarah Pheasant
Category: Cybersecurity, Education
Tags: Department of Education, FERPA, Higher Education, NIST

©2023 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.