< compliance
CenturyLink can help with DOE's FERPA compliance.

FERPA

CenturyLink can assist with FERPA compliance by providing any combination of IT services – Cloud, Managed Services and Colocation.

The Family Educational Rights and Privacy Act (FERPA) is a federal law that that protects the privacy of student education records and affords parents the right to:

  • Have access to their children’s education records
  • Seek to have the records amended
  • Have some control over the disclosure of Personally Identifiable Information (PII) from the education records

When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”). The FERPA statute is found at 20 U.S.C. § 1232g and the FERPA regulations are found at 34 CFR Part 99.

Overview

CenturyLink can assist with FERPA compliance by identifying and providing the right blend of IT services—Cloud, Managed Services and Colocation. From a single capable and reliable provider with integrated and optimized solutions to multiple IT infrastructure models, CenturyLink can align technology capabilities with the needs of your business. Choose from individual offerings, co-managed, or fully-managed solutions based on your business priorities; CenturyLink enables your organization to meet FERPA requirements.

It is important to keep in mind that FERPA may not be the only statute governing your planned migration to the cloud. In each specific situation, it’s necessary to take into consideration any additional applicable federal and individual state data privacy laws, such as Healthcare Insurance and Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI-DSS) that may contain more stringent requirements for data protection than FERPA.

Benefits

  • Enables your organization to remain aligned with FERPA requirements
  • Reassures Personally Identifiable Information (PII) is secure
  • Emphasizes your organization’s commitment to privacy and parental choice

Frequently Asked Questions

Does FERPA allow educational agencies and institutions to use cloud-computing solutions?

FERPA does not prohibit the use of cloud computing solutions for the purpose of hosting education records, rather, FERPA requires states to use reasonable methods to ensure the security of their information technology (IT) solutions. As noted in the amendments to the FERPA regulations, "the Federal Government itself is moving towards a model for secure cloud computing. Regardless of whether cloud computing is contemplated, States should take care that their security plans adequately protect student data, including PII from education records, regardless of where the data are hosted” (Family Educational Rights and Privacy, Final Rule, 76 Federal Register 75612 [December 2, 2011]).

Does FERPA permit educational agencies or institutions to outsource their IT functions?

FERPA permits a local education agency (LEA) or a school to disclose, without prior written consent, PII from education records to a contractor, consultant, volunteer, or other party to which the LEA or school has outsourced institutional services or functions (including IT functions) if the LEA or school meets certain conditions. The Department of Education commonly refers to this exception to the requirement of consent in FERPA as the “school official” exception. The “school official” exception sets forth the three conditions that the LEA or PTAC-FAQ-8, June 2012 (revised July 2015) school must meet to outsource institutional functions. Specifically, the outside party must:

  • Perform an institutional service for which the LEA or school would otherwise use employees
  • Be under the direct control of the LEA or school with respect to the use and maintenance of education records
  • Be subject to requirements in §99.33(a) of the FERPA regulations governing the use and re-disclosure of PII from education records

When the entity desiring to outsource its IT functions is a state education agency (SEA), rather than an LEA or a school, the school official exception does not apply. SEAs may rely on the audit or evaluation exception at 34 CFR §§99.31(a)(3) and 99.35 of the FERPA regulations to outsource IT functions. While outsourcing IT functions would not traditionally be considered an audit or evaluation, the Department of Education recognizes that the size and scope of state longitudinal data systems may necessitate outsourcing IT functions, and believes that the use of this exception is appropriate in this instance.

Does FERPA require that confidential information in the cloud be stored within the United States? Is there a best practice?

FERPA makes no distinctions based on State or international lines. However, transfers of PII from education records across international boundaries, in particular, can raise legal concerns about the Department of Education’s ability to enforce FERPA requirements against parties in foreign countries. It is important to keep in mind that for a data disclosure to be made without prior written consent under FERPA, the disclosure must meet all of the requirements under the exceptions to FERPA’s general consent requirement.

Glossary

Confidentiality of Student Records
The practice of controlling the use and disclosure of personal/academic record information so that only authorized faculty/staff or persons specifically authorized by the student have access to such information.
Dependent Student
Generally refers to a student who receives more than half of his/her support from the taxpayer. For a specific definition, refer to the Internal Revenue Code.
Education Records
Any academic information directly related to a student that is maintained by an institution, not including sole possession, law enforcement, employment or medical records or records created after a student has left the university.
Parent
A natural parent, a guardian or an individual acting as a parent in the absence of a parent or a guardian.
Personally Identifiable Information (PII)
Any information, directory and non-directory, easily traced to the student. This may include the student’s name, name of parents or family members, address, social security or UNF N number, a list of personal characteristics or any other information that clearly distinguishes the student’s identity.
Post-secondary Educational Institution
An institution that provides education to students beyond high school.

Related Products

Cloud Services

Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry leading global network.

Managed Services

Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.

Managed Security

A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.

Managed Hosting

Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services including, fully manage networks, servers, storage, operating systems, and security.

Managed Storage & Backups

Gives a range of storage options including data replication and back up/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to 5 nines.