Purpose

To ensure compliance with the Family Educational Rights and Privacy Act of 1974 (FERPA or the Buckley Amendment) and to safeguard personally identifiable and private data when using and sharing data for legitimate research purposes.

Policy

Personally identifiable and private data will never be 100% secure, but we are responsible to take reasonable measures. This includes StudentIDs, grades, GPAs, and other sensitive data (follow link for additional information). The Family Educational Rights and Privacy Act of 1974 (FERPA or the Buckley Amendment) is a United States federal law. It applies only to educational agencies and institutions that receive funding under a program administered by the U.S. Department of Education.

FERPA gives parents access to their child's education records, an opportunity to seek to have the records amended, and some control over the disclosure of information from the records. With several exceptions, schools must have a student's consent prior to the disclosure of education records after that student is 18 years old.

FERPA permits an educational agency or institution to disclose, without consent, personally identifiable information from students’ education records only to school officials within the educational agency or institution that the educational agency or institution has determined to have legitimate educational interests in the information. 34 CFR § 99.31(a)(1). Generally, a school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.

An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement.


Procedure

Reports containing such data as StudentIDs, grades, GPAs, and other sensitive data should be distributed via GoogleDocs, rather than as e-mail attachments.

Limit the flow of such data (including StudentIDs) by asking requestors to:

  1. State their legitimate educational purpose, or why they need the information in order to do their job.
  2. Describe how they plan to use the data (when that is not obvious), rather than filling all requests without question. (Typically a short statement: a few sentences at most.)
  3. Acknowledge that they are responsible for data security, and/or state their particular plan to ensure that.

Additional Notes

This policy was presented to Senior Staff October 16, 2017 for their review, feedback, and approval.