CenturyLink and FERPA Compliance

Updated by Christian Brown on Nov 17, 2015
Article Code: kb/596

CenturyLink’s Compliance Management team is dedicated to continually improving and maintaining critical compliance certifications such as Family Educational Rights and Privacy Act (FERPA). Through our disciplined assessment and audit processes, CenturyLink has implemented comprehensive practices leveraging widely recognized security standards such as: SSAE 16 SOC 1, 2 & 3 and ISO 27001 to help enable our customers meet their privacy and security rules for Personally Identifiable Information (PII).

FERPA is a federal law that that protects the privacy of student education records and affords parents the right to:

  • Have access to their children's education records
  • The right to seek to have the records amended
  • The right to have some control over the disclosure of Personally Identifiable Information (PII) from the education records.

It is important to keep in mind that FERPA may not be the only statute governing your planned migration to the cloud. In each specific situation, it is necessary to take into consideration any additional applicable federal and individual state data privacy laws, such as Healthcare Insurance and Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI-DSS) that may contain more stringent requirements for data protection than FERPA.

When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student ("eligible student"). The FERPA statute is found at 20 U.S.C. § 1232g and the FERPA regulations are found at 34 CFR Part 99.

Privacy Technical Assistance Center (PTAC)

The U.S. Department of Education established the Privacy Technical Assistance Center (PTAC) as a “one-stop” resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data. PTAC provides timely information and updated guidance through a variety of resources, including training materials and opportunities to receive direct assistance with privacy, security, and confidentiality of student data systems.

PTAC Security Checklist

PTAC has developed a security checklist to assist stakeholder organizations, such as state and local education agencies, with developing and maintaining a successful data security program. An essential component to any organizations data governance plan is its data security program. A solid data security program involves the management of people, processes and technology to ensure physical and electronic data security of an organization’s data and is critical to protecting the individual privacy and confidentiality of education records. The summary below lists essential components that should be considered when building a data security program.

  • Policy and governance - Develop a comprehensive data governance plan that outlines organizational policies and standards regarding data security and individual privacy protection. Refer to PTAC’s Data Governance Checklist for more information.
  • Personnel security - Create an Acceptable Use Policy that outlines appropriate and inappropriate uses of Internet, Intranet, and Extranet systems.
  • Physical security - Make computing resources physically unavailable to unauthorized users.
  • Network mapping - Network mapping provides critical understanding of the enterprise (servers, routers, etc.) and its connections.
  • Inventory of assets - The inventory should include both authorized and unauthorized devices used in your computing environment.
  • Authentication - The ways in which someone may be authenticated fall into three categories: something you know, something you have, or something you are. Two-factor authentication (TFA) combines two of these elements and is more costly, but provides more security.
  • Provide a layered defense - Employ a “Defense in Depth” architecture that uses a wide spectrum of tools arrayed in a complementary fashion. The most common layers to protect are hosts (individual computers), application, network, and perimeter.
  • Secure configurations - It is a best practice not to put any hardware or software onto your network until it has been security tested and configured to optimize its security. Continuous scanning to ensure system components remain in a secure state is a critical capability that will enhance data security protection.
  • Access control - Securing data access includes requiring strong passwords and multiple levels of user authentication, setting limits on the length of data access, limiting logical access to sensitive data and resources, and limiting administrative privileges. Role-based access is essential for protecting PII and sensitive data; defining specified roles and privileges for users is a required security procedure.
  • Firewalls and Intrusion Detection/Prevention Systems (IDPS) - Firewalls are used to protect networks from unauthorized access, while permitting legitimate communications to pass. An IDPS is a monitoring device that is designed to detect malicious activity on the network.
  • Automated vulnerability scanning - When new vulnerabilities are discovered, hackers immediately scan networks for these vulnerabilities. Scanning your network and systems on a regular basis will minimize the time of exposure to known vulnerabilities.
  • Patch management - Patch management is the process of using a strategy and plan for the testing and roll out of software updates and patches on a regular basis.
  • Shut down unnecessary services - Each port, protocol, or service is a potential avenue for ingress into your enterprise. A best practice, which should be part of a secure configuration, should include shutting down all services and ports that are not required in your computing environment.
  • Mobile devices - When sensitive data is stored on servers or on mobile devices, such as laptops or smart phones, the data should be encrypted.
  • Emailing confidential data - Consider the sensitivity level of the data to be sent over the email. Emailing unprotected PII or sensitive data poses a high security risk. It is recommended that organizations use alternative practices to protect transmissions of these data.
  • Incident handling - When an incident does occur it is critical to have a process in place to both contain and fix the problem. Procedures for users, security personnel, and managers need to be established to define the appropriate roles and actions.
  • Audit and compliance monitoring - Audits are used to provide an independent assessment of your data protection capabilities and procedures (see Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records) and should be performed periodically.

Data Governance Checklist

The PTAC developed this checklist to assist stakeholder organizations, such as state and local educational agencies, with establishing and maintaining a successful data governance program to help ensure the individual privacy and confidentiality of education records.

  • Decision-making authority - Assigning appropriate levels of authority to data stewards and proactively defining the scope and limitations of that authority is a prerequisite to successful data management.
  • Standard policies and procedures - Adopting and enforcing clear policies and procedures in a written data stewardship plan is necessary to ensure that everyone in the organization understands the importance of data quality and security—and that staff are motivated and empowered to implement data governance.
  • Data inventories - Conducting an inventory of all data that require protection is a critical step for data security projects. Maintaining an up-to-date inventory of all sensitive records and data systems, including those used to store and process data, enables the organization to target its data security and management efforts. Classifying data by sensitivity helps the data management team recognize where to focus security efforts.
  • Data content management - Closely managing data content, including identifying the purposes for which data are collected, is necessary to justify the collection of sensitive data, optimize data management processes, and ensure compliance with federal, state, and local regulations.
  • Data records management Specifying appropriate managerial and user activities related to handling data is necessary to provide data stewards and users with appropriate tools for complying with an organization’s security policies.
  • Data quality Ensuring that data is accurate, relevant, timely, and complete for the purposes it’s intended to be used as a high priority issue for any organization. The key to maintaining high quality data is a proactive approach to data governance that requires establishing and regularly updating strategies for preventing, detecting, and correcting errors and misuses of data.
  • Data access - Defining and assigning differentiated levels of data access to individuals based on their roles and responsibilities in the organization is critical to preventing unauthorized access and minimizing the risk of data breaches.
  • Data security and risk management
    Ensuring the security of sensitive and personally identifiable data and mitigating the risks of unauthorized disclosure of these data is a top priority for an effective data governance plan.

United Security

  • Traditional IaaS Approach - CenturyLink operates on a United Responsibility model. Making cloud security everyone's responsibility ensures that our infrastructure and everything connected to it is safe. CenturyLink is responsible for the security of everything in our infrastructure; our customers are responsible for anything built on top of, or connected to that infrastructure.

  • Hybrid IT Approach – CenturyLink works with its customers to address their specific compliance needs by leveraging a “United Responsibility” security model depending on which services the client is required for CenturyLink to manage. As a recognized leader in Hybrid IT environments with the real-world experience to determine the right mix of technology, building blocks based on your business needs, workloads and end-user expectations with built in compliance requirements to meet most universally accepted security frameworks and standards.

Shared Security.png

CenturyLink identifies the right blend of IT services from a single capable and reliable provider.

  • Integrated and optimized solutions from multiple IT infrastructure models aligning technology capabilities with the needs of business.
  • Combining the best of your traditional IT with additional capabilities that your IT may not be able to deliver on its own.
  • Choose from individual offerings, co-managed, or fully managed solutions based on your business priorities.
  • All designed to meet your regulatory requirements.

Compliance and security is obviously a top-level consideration whenever considering a move to a hybrid IT model. Security concerns have long been a factor preventing companies from either experimenting with or fully embracing a cloud environment. Organizations are rapidly assessing the gaps in their current security policies vs. the requirements necessary to align with compliant standards. For its customers to become or remain aligned with relevant compliant certifications and security frameworks, CenturyLink possesses the necessary third party generated certifications required.

Products and Services

As a trusted partner, CenturyLink securely protects, stores and manages its customers data with reliable solutions that makes it readily accessible when and where they need it.

CenturyLink Cloud Services
The CenturyLink platform to easily manage your entire business application portfolio, from application development to business- critical workloads across public and private cloud infrastructure.

  • Supports Hybrid
    – Extend Exiting IT systems to Cloud Easily
    – Secure, Low Latency Private Networking
  • Self-Service, Elastic Cloud Services
  • Advanced Automation
  • Orchestration Engine
  • Integrated Managed Services
  • Global Network of Cloud Nodes
  • Flexible Support Options
  • Leading SLAs
  • Public Cloud, Private Cloud, Networking, Automated Managed Services across hosting and cloud and Colocation

Colocation Services
CenturyLink’s data centers provide hosting services in facilities that are specifically designed to provide hosting for mission- critical environments. Colocation services consist of physical and environmental protection services including, but not limited to, the following:

  • Physical security
  • Heating, ventilation and air conditioning (HVAC)
  • Fire detection and fire suppression
  • Power
  • Network connectivity
  • Remote hands
  • Training personnel for onsite support

Managed Security Services
CenturyLink offers a suite of security services such as installation, monitoring, and maintenance of security devices. Security professionals with relevant industry accreditations and/or vendor-specific certifications provide these services. Managed Security Services include but are not limited to the below solutions.

  • Intrusion Detection Systems (IDS)
  • Content Integrity Monitoring
  • Threat Management
  • Network-Based Distributed Denial of Service (DDoS) Mitigation
  • Firewall Management

Managed Storage Services
Managed Storage Services offers various options to outsource data storage needs. Data storage engineers administer redundant backup systems to help ensure the customer’s data is secure and available for retrieval. In addition to the technology provided by the storage system, CenturyLink’s fully managed Utility Storage Service helps prevent performance bottlenecks through monitoring and balancing storage area networks (SAN) and storage systems, as well as assisting customers to identify the right storage product or their performance needs.

Managed Backup and Archiving
CenturyLink’s backup and data restoration services are reliable solutions that protect PHI and make it readily accessible only when and where it’s needed. CenturyLink engineers with the required training and experience work to support the customer’s needs and help to ensure that backup jobs run and complete successfully.

CenturyLink provides variations of backup and data restoration services such as:

  • Utility Backup Service
  • Utility Backup Encryption Service
  • Utility Backup NAS Service
  • Utility Vaulting Service

Service Audits

Other CenturyLink audits can give you additional guidance and insight into ongoing compliance and level of operating standards, as well as the quality of service CenturyLink customers can expect to receive.

SOC 1 - CenturyLink provides an annual Statement on Standards for Attestation Engagements (SSAE) No. 16. The certification validates CenturyLink’s commitment to operational excellence and client satisfaction. The SSAE 16 SOC 1 Type 2 report indicates that an independent service auditor has formally evaluated and issued an opinion on the description of selected CenturyLink systems.

SOC 2 - In addition to individual data center audits, CenturyLink also publishes a Service Organization Controls 2(SOC 2), Type II report. The SOC 2 report provides the auditor’s detailed evaluation of the design suitability and effectiveness of the controls. The design is required to meet the criteria for the security and availability principles set forth in TSP Section 100, Trust Services Principles, Criteria, and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

ISO 27001
CenturyLink has received certification of the ISO/IEC 27001:2013 Information Security Management System (ISMS) Standard for data centers located in United States, Singapore, United Kingdom, Germany, and Japan. The certificate addresses global network services and managed hosting services in Asia and EMEA. As well as colocation services (including physical security and facilities management) for data centers in Asia, EMEA, and North America. ISO 27001 is an International Standard providing a model for establishing, operating, monitoring, and improving ISMS.

The ISO 27001 certification allows CenturyLink to demonstrate effective information security processes are defined and implemented. ISO 27001 conducts interim audits annually to support a three-year renewal cycle. The most recent renewal certification audit was completed in 2013.

ISO 27001 key benefits:
Includes security as part of the current quality system

  • Provides an opportunity to identify and manage risks to key information and systems assets
  • Provides confidence and assurance to both partners and clients
  • Allows for an independent review and assurance of information security practices to customers

CenturyLink adopted ISO 27001 for a variety of reasons, including:

  • Protecting critical and sensitive information.
  • A holistic approach to secure information and compliance.
  • Credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers.
  • Security status according to internationally accepted criteria.
  • Market differentiation due to prestige, image and external goodwill.
  • Globally accepted certification.

Corporate Quality

At the core of all compliance programs are quality systems and the management of those quality systems, allowing the organization to establish a baseline from which it can plan, implement and measure. The program is used to demonstrate compliance and also to measure improvement. Coupled with its ISO certifications, CenturyLink maintains a customer advocacy function that has a formal charter to evaluate, control and improve the company’s Quality of Service (QoS) to both internal and external customers. Customer advocacy implements this directive through the management of various quality improvement programs.


CenturyLink strives to provide assurance to existing and future customers that its service standards are among the best in the industry. One way CenturyLink has done this is through implementation and adherence to industry best practices known as Information Technology Infrastructure Library (ITIL).

Many of CenturyLink’s internal business units have adopted ITIL standards as the basis for management of their services. ITIL provides a comprehensive, consistent and coherent set of best practices for IT service management, promoting a quality approach to achieving efficient and effective business processes utilizing information systems.


Does FERPA allow educational agencies and institutions to use cloud-computing solutions?
FERPA does not prohibit the use of cloud computing solutions for the purpose of hosting education records; rather, FERPA requires states to use reasonable methods to ensure the security of their information technology (IT) solutions. As noted in the amendments to the FERPA regulations, "the Federal Government itself is moving towards a model for secure cloud computing. Regardless of whether cloud computing is contemplated, States should take care that their security plans adequately protect student data, including PII from education records, regardless of where the data are hosted” (Family Educational Rights and Privacy, Final Rule, 76 Federal Register 75612 [December 2, 2011]).

Does FERPA permit educational agencies or institutions to outsource their IT functions?
FERPA permits a local education agency (LEA) or a school to disclose, without prior written consent, PII from education records to a contractor, consultant, volunteer, or other party to which the LEA or school has outsourced institutional services or functions (including IT functions) if the LEA or school meets certain conditions. The Department of Education commonly refers to this exception to the requirement of consent in FERPA as the “school official” exception. The “school official” exception sets forth the three conditions that the LEA or PTAC-FAQ-8, June 2012 (revised July 2015) school must meet to outsource institutional functions. Specifically, the outside party must:

  • Perform an institutional service for which the LEA or school would otherwise use employees
  • Be under the direct control of the LEA or school with respect to the use and maintenance of education records
  • Be subject to requirements in §99.33(a) of the FERPA regulations governing the use and re-disclosure of PII from education records.

When the entity desiring to outsource its IT functions is a state education agency (SEA), rather than an LEA or a school, the school official exception does not apply. SEAs may rely on the audit or evaluation exception at 34 CFR §§99.31(a)(3) and 99.35 of the FERPA regulations to outsource IT functions. While outsourcing IT functions would not traditionally be considered an audit or evaluation, the Department recognizes that the size and scope of state longitudinal data systems may necessitate outsourcing IT functions, and believes that the use of this exception is appropriate in this instance.

Does FERPA require that confidential information in the cloud be stored within the United States? Is there a best practice?
FERPA makes no distinctions based on State or international lines. However, transfers of PII from education records across international boundaries, in particular, can raise legal concerns about the Department’s ability to enforce FERPA requirements against parties in foreign countries. It is important to keep in mind that for a data disclosure to be made without prior written consent under FERPA, the disclosure must meet all of the requirements under the exceptions to FERPA’s general consent requirement.


Confidentiality of Student Records - The practice of controlling the use and disclosure of personal/academic record information so that only authorized faculty/staff or persons specifically authorized by the student have access to such information.

Dependent Student - Generally refers to a student who receives more than half of his/her support from the taxpayer. For a specific definition, refer to the Internal Revenue Code.

Education Records - Any academic information directly related to a student that is maintained by an institution, not including sole possession, law enforcement, employment or medical records, or records created after a student has left the university.

Parent - A natural parent, a guardian or an individual acting as a parent in the absence of a parent or a guardian.

Personally Identifiable Information (PII) - Any information, directory and non-directory, easily traced to the student. This may include the student's name, name of parents or family members, address, social security or UNF N number, a list of personal characteristics, or any other information that clearly distinguishes the student’s identity.

Post-secondary Educational Institution - An institution that provides education to students beyond high school.