CenturyLink can assist with FERPA compliance by providing any combination of IT services – Cloud, Managed Services and Colocation.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that that protects the privacy of student education records and affords parents the right to:
When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”). The FERPA statute is found at 20 U.S.C. § 1232g and the FERPA regulations are found at 34 CFR Part 99.
CenturyLink can assist with FERPA compliance by identifying and providing the right blend of IT services—Cloud, Managed Services and Colocation. From a single capable and reliable provider with integrated and optimized solutions to multiple IT infrastructure models, CenturyLink can align technology capabilities with the needs of your business. Choose from individual offerings, co-managed, or fully-managed solutions based on your business priorities; CenturyLink enables your organization to meet FERPA requirements.
It is important to keep in mind that FERPA may not be the only statute governing your planned migration to the cloud. In each specific situation, it’s necessary to take into consideration any additional applicable federal and individual state data privacy laws, such as Healthcare Insurance and Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI-DSS) that may contain more stringent requirements for data protection than FERPA.
FERPA does not prohibit the use of cloud computing solutions for the purpose of hosting education records, rather, FERPA requires states to use reasonable methods to ensure the security of their information technology (IT) solutions. As noted in the amendments to the FERPA regulations, "the Federal Government itself is moving towards a model for secure cloud computing. Regardless of whether cloud computing is contemplated, States should take care that their security plans adequately protect student data, including PII from education records, regardless of where the data are hosted” (Family Educational Rights and Privacy, Final Rule, 76 Federal Register 75612 [December 2, 2011]).
FERPA permits a local education agency (LEA) or a school to disclose, without prior written consent, PII from education records to a contractor, consultant, volunteer, or other party to which the LEA or school has outsourced institutional services or functions (including IT functions) if the LEA or school meets certain conditions. The Department of Education commonly refers to this exception to the requirement of consent in FERPA as the “school official” exception. The “school official” exception sets forth the three conditions that the LEA or PTAC-FAQ-8, June 2012 (revised July 2015) school must meet to outsource institutional functions. Specifically, the outside party must:
When the entity desiring to outsource its IT functions is a state education agency (SEA), rather than an LEA or a school, the school official exception does not apply. SEAs may rely on the audit or evaluation exception at 34 CFR §§99.31(a)(3) and 99.35 of the FERPA regulations to outsource IT functions. While outsourcing IT functions would not traditionally be considered an audit or evaluation, the Department of Education recognizes that the size and scope of state longitudinal data systems may necessitate outsourcing IT functions, and believes that the use of this exception is appropriate in this instance.
FERPA makes no distinctions based on State or international lines. However, transfers of PII from education records across international boundaries, in particular, can raise legal concerns about the Department of Education’s ability to enforce FERPA requirements against parties in foreign countries. It is important to keep in mind that for a data disclosure to be made without prior written consent under FERPA, the disclosure must meet all of the requirements under the exceptions to FERPA’s general consent requirement.
Hybrid-ready public cloud provides the agility, scalability and security expected from an enterprise-class cloud, backed by an industry leading global network.
Experts at the ready to maintain and administer your cloud deployments. Rapid provisioning, hourly billing, and highly automated.
A full complement of threat prevention, threat management, incident response and analysis services to support your hosted or on-premise enterprise security environments.
Maintain complex IT infrastructure and applications with our comprehensive portfolio of managed hosting services including, fully manage networks, servers, storage, operating systems, and security.
Gives a range of storage options including data replication and back up/archiving. CenturyLink solutions are secure, affordable and can provide data resilience with up to 5 nines.