The Ultimate Education Compliance Checklist for Data Archiving in 2023
For compliance officers and teaching staff in K12 and higher education institutions in the US
- Both K12 and higher education institutions in the US are facing increasing challenges in ensuring compliance with all relevant laws on information governance in the education sector.
- In this education compliance checklist, you will get an overview of key compliance requirements for FERPA, FOIA, HIPAA, and GLBA.
- The checklist has been compiled consulting laws, opinions, and research by industry experts, and you can find a list of resources at the bottom of the page.
- Each chapter contains a compliance checklist, followed by key background information on the respective law, as well as a list of the most frequently asked questions and examples of violations of these laws and how to avoid them.
- The guide was written to be used on an as-needed basis, so go directly to the regulation you want to check your compliance with.
- If you have any questions and suggestions on how we can improve this checklist, or would like to contribute to its improvement, drop us a line at: marketing@jatheon.com.
Chapter 1. FERPA
FERPA Regulations Summary
FERPA (Family Educational Rights and Privacy Act) is a federal law that Congress passed in 1974 to protect educational information and records.
In this chapter, you will find a list of FERPA compliance requirements, followed by some commonly asked questions about this law and some real life examples that will help you determine how compliant you are with this Act and what areas of information governance you need to improve.
FERPA Compliance Checklist
- you need to grant students access to their own records
- you need to ask for students’ permission before disclosing their records, even to their parents
- you need to make education records ready for review within 45 days of the request
- you mustn’t destroy an education record if someone has filed a request to view that education record
- you need to allow parents/guardians to view the records of their child, but you can’t disclose any part of that student’s records that refers to another student
- you are obliged to provide meaningful assistance to a student/parents who can’t understand English well
- while you’re generally not required to provide a copy of student records to a parent/student, you do need to make it possible for them to see the records, which might include preparing a copy of the documents, e.g. if they live outside commuting distance of the school and can’t otherwise view the records
- in case a student/parent makes a request to change parts of their records, you need to address that request; however you’re not obliged to grant it
- you shouldn’t disclose student records to a third party unless that third party has a written consent by the student/their parents
Why is FERPA important?
FERPA is important because it protects the privacy of education information and records. In a nutshell, FERPA guards the safety of students’ personal information and governs access to this information by third parties.
FERPA gives the right to parents and students older than 18 to inspect and review their personal records, which helps maintain accuracy and protect the privacy and integrity of students.
Who does FERPA apply to?
FERPA applies to educational institutions and agencies that are funded under a program managed by the US Department of Education. In most cases, this includes public K12 and higher education institutions.
This means that private schools and higher education institutions are generally not covered by FERPA, as they don’t receive funding from the Department of Education.
What information is protected by FERPA?
FERPA protects personal information of students, including their contact information, data on academic achievements, health information and more.
What is an education record under FERPA?
Under FERPA, education records include information that public, private, and parochial schools hold on their former and current students. These records include data such as:
- a student’s name and contact information
- a parent’s name and contact information
- grades and test results
- discipline reports
- health records
- courses attended and information of attendance
- awards and degrees earned
When do FERPA rights begin?
Students can exercise their FERPA rights once they turn 18 or enter a postsecondary institution (regardless of age). Once this happens, you can disclose a student’s records to their parents only with prior consent from the student.
Who is eligible to look at a student’s records?
A student older than 18, as well as parents/foster parents/legal guardians of a student, can look at the student’s records. However, no student or parent can request to look at the records, or parts of records, that include personal information of another student.
What information can schools release without consent?
As a school/higher education institution, you have the right to release information without a student’s consent in case you receive a request from a State education office or when you need to follow a court order.
What happens if a school violates FERPA?
In case you or your school/college violate FERPA requirements, by, for example, disclosing a student’s records without proper consent, you can lose funding and be fined. This depends on the extent of the violation. Under a 2002 Supreme Court decision, parents or students can file a lawsuit against you only in line with a state law, not federal law.
Hence, it’s best you consider the consequences of a FERPA violation by consulting the relevant laws of your state or your legal counsel.
Of course, acting as an institution, you have the right to ask for the employees who have violated FERPA requirements to be removed from their jobs.
FERPA Violation Examples
As a general rule, the key FERPA principle is protecting information that can help identify a person. Here are some instances that could technically be understood to mean that you have violated FERPA rules:
- you place your monitor in such a location that people can see it through a window or a doorway
- a teacher puts up the test scores on the bulletin board or asks one student to distribute graded papers
- you use educational software for which your school doesn’t have a contract with the vendor
- the vendor you chose mishandles students’ information – your school still holds accountability for improper data management
- a teacher uses social networks to connect students with classroom pages, without parents’ consent
- a teacher leaves their grade book open so that one student can see the grades of other students
- you opt for a vendor that relies on data mining to provide its services to you
Chapter 2. FOIA
FOIA Compliance Checklist
- you must make available all records, including records in electronic format, such as email, instant messaging, and social media
- you must reply to a FOIA request that was sent in writing within 20 business days.* However, this means that you only need to reply to the request, not provide the records. This deadline can be extended in several cases:
  - the records are not located on your premises
  - you need extensive efforts to find them
  - you need to compile a large number of documents
- in case you think that someone is requesting information that is private, you have a right to deny the request
*This deadline can vary between school districts and states, so it’s best you always check with the relevant agency in your state first.
FOIA vs FERPA
Under FOIA, schools and colleges might be asked to provide information of public interest.
In most cases, these requests will cover information that is not personal information of a person, such as student records.
When deciding on whether a FOIA request you have received is a valid request, check for the following:
- If the information is related to another third party, i.e. a person other than the person submitting the request, you are not obliged to disclose that information, as that would contravene the 2018 Data Protection Act.
- If the information that is requested could likely prejudice the commercial interests of any person/body, you are not obliged to disclose such information under FOIA
- If the information is to be published at a future date, you are not required to disclose it under FOIA.
- If the information includes personal information, you are not obliged to disclose that information under FOIA.
- If the person submitting the request could obtain information via other means, you are not obliged to grant their FOIA request.
What this means in practice
In practice, student records are treated as personal information.
In cases where you receive a FOIA request to disclose a student’s personal information, FERPA would supersede FOIA, and hence you would not be required to publish this information.
Chapter 3. HIPAA
HIPAA in Schools
HIPAA (Health Insurance Portability and Accountability Act) regulates the way healthcare staff handle protected health information and medical records.
However, more and more school campuses offer healthcare services to both students and non-students.
This means that K12 and postsecondary institutions now need to take notice of HIPAA requirements as well.
So let’s untangle the intersections of HIPAA and FERPA and see which law you need to follow in which case.
HIPAA vs FERPA
There are two key terms you need to be familiar with:
- Education records
- Treatment records
In broad terms, education records, in addition to data from Chapter 1 also include:
- a student’s health records, including immunization records, at the elementary or secondary level, kept by an educational agency or institution subject to FERPA, and records maintained by a school nurse.
- This information is subject to FERPA.
On the other hand, treatment records include:
- records on medical and psychological treatment of a student, which are used solely with regards to the treatment, at postsecondary institutions
- This information is subject to FERPA as well.
So depending on whether you run an elementary school or a college, different rules may apply.
Does HIPAA apply to schools?
Generally speaking, in most cases, HIPAA doesn’t apply to schools.
The reason is that information held by the school, including even students’ medical records, is treated as education records and is thus subject to FERPA, not HIPAA.
The HIPAA Privacy Rule, which protects individuals’ health records and other identifiable health information and regulates their disclosure, covers protected health information (PHI).
However, in a school setting, most of the medical and treatment information that would otherwise be considered to fall under HIPAA is in fact treated as part of FERPA’s education records.
Hence, the HIPAA Privacy Rule won’t apply.
Does HIPAA apply to colleges?
As a rule of thumb, in the majority of cases, HIPAA doesn’t apply to colleges.
The reason is that under HIPAA, most colleges are not considered covered entities, even in cases when they employ medical staff.
The HIPAA Privacy Rule excludes from its coverage the records protected by FERPA.
As most records held by a postsecondary institution are covered by FERPA, it follows that in the majority of cases FERPA compliance requirements supersede the HIPAA Privacy Rule.
Another thing is that even if an educational institution is covered by HIPAA, student health information is treated as education records, thus being subject to FERPA rules.
In these cases, you should refer to the FERPA compliance checklist above.
HIPAA vs FERPA Examples
So let’s look at some examples to see how you can decide whether you should act in line with HIPAA or FERPA.
- Let’s say you work at a college. One of the students has an STD and is treated on campus, at a clinic where you treat both students and the general public. That student’s records will be covered by FERPA, and in case that student requests the disclosure of the data, you are required to disclose the data. In case the student’s parents request the information, FERPA applies again, which means you first need to receive the student’s consent on the disclosure.
- On the other hand, another person might be treated at the clinic. In that case, you will be required to abide by the HIPAA Privacy Rule, as the records of that person wouldn’t be covered by FERPA education records.
- A nurse working on a campus, but not employed by the school, provides immunizations to students on campus. In this case, the records created by the nurse won’t be protected as FERPA education records. Instead, they will be subject to HIPAA.
HIPAA Compliance Checklist
- in case your postsecondary institution provides medical services to the general public, you are required to act in line with the HIPAA Privacy Rule, as the information is not considered to be education records.
Chapter 4. GLBA Compliance Requirements
GLBA (Gramm-Leach-Bliley Act) is a law that aims to protect consumer financial data by regulating how privacy and information security are protected.
In the context of education, GLBA applies only to higher education institutions.
What it does is monitor and regulate how higher education institutions collect, store, and use student financial records.
These records include information such as tuition payments, financial aid, or any other financial records that contain personally identifiable information.
A key part for GLBA in higher education is the so-called Safeguards Rule, which aims to protect the privacy of students.
GLBA Compliance Checklist
To ensure full compliance with the GLBA Safeguards Rule, you need to:
- create an information security program that is appropriate to your institution’s size and complexity and that accounts for the sensitivity of the data you use
- carry out a risk assessment and mitigate the risks that you identify
- designate an official responsible for the program
- include training and awareness as part of the program
- pay attention to what service providers are doing with your data.
Following the audits in 2018 and 2019, the rules were amended. To check all the boxes of the GLBA compliance policy, you will need to ensure that:
- your higher education institution has named someone to coordinate your information security program
- you have carried out a risk assessment covering employee training and management, networks and information systems, and incident response
- you have implemented safeguards to address the identified risks in those areas.
Chapter 5. Education Compliance Software Requirements
Now that we’ve had a look at the key education legislation you need to comply with, let’s turn to the requirements you should meet software-wise in order to ensure full compliance.
In short, there are four key federal education laws in the US that you need to comply with:
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Freedom of Information Act (FOIA)
- Gramm-Leach-Bliley Act (GLBA)
Your task is to meet requirements regarding monitoring, capturing, storing, archiving, and retrieving students’ information.
All this information is produced in a variety of formats.
On average, you need to be able to capture, monitor and store email, images, voice messages, text messages and much more.
This can be a daunting task, especially if your organization has a large number of employees and students.
Before you start looking for education compliance software, however, you should understand the needs and obligations that your archiving system needs to support.
Without understanding what you need to archive and preserve, no software will be a good match, as you won’t know how to implement it to its full potential. And you might miss some of the essential information that you’re required to retain.
So, here are the crucial functionalities your data management system should have, alongside the benefits each of these functionalities provides.
Compliance Software Checklist
- you can capture, monitor, and archive numerous formats of electronic communication (this will help you capture the entirety of communication involving school staff and students)
- you can find and retrieve information fast (this will help you answer FOIA and FERPA requests on time, as well as eDiscovery requests)
- your archiving solution supports data redaction (this will help you disclose only some parts of records, without compromising privacy)
- you can use your archiver to ensure zero evidence spoliation (if your school becomes involved in a lawsuit, you need to ensure that data is intact)
- your software supports data backup (this helps you preserve all important information)
- you can use your software to set custom policies, rules, and roles (this helps you keep all your staff aware of regulations and you will reduce the chances of unwanted data removal)
- your software doesn’t put much pressure on your storage space (you need to be able to save millions of emails, texts, voice messages, images, and other unstructured data)
- your software has deduplication capabilities (by preserving a single copy of each record, you save space for more information to be stored)
If you need a quick guide, grab a PDF of these checklists as they might come in handy as you work on ensuring compliance in your institution.