As the stewards of reams of sensitive, personal information about students, higher education institutions are subject to a variety of guidelines, regulations, and laws that require schools to keep that information secure and private and restrict access to that information only to appropriate parties. In this article, we will contemplate the Family Educational Rights and Privacy Act (FERPA) and the various ways Populi endeavors to help you follow its guidelines.
To whom does FERPA apply?
We are commonly asked, Is Populi FERPA-compliant?
The answer to this question isn't a straightforward Yes or No:
- According to 34 CFR §99.1, FERPA applies to educational institutions or agencies to which funds administrated by the U.S. Secretary of Education have been made available.
- According to 34 CFR §99.33, your school, in contracting to have Populi store education records, "discloses" it to Populi for the purposes of having us store it; we are thus constrained to only use it for those purposes. (Also see 34 CFR §99.31 for how this "disclosure" of information to Populi does not require consent because of the "school official" exception.)
We also endeavor to provide your school with tools that help you comply with FERPA. Put another way, compliance is ultimately your responsibility; it's our job to not get in the way of that if you're using Populi correctly.
Our various legal agreements codify our approach to data privacy. You should read them in full—especially the Terms of Service, which delineates your responsibilities and ours when it comes to the proper use of our tools. Here are a couple items to call to your attention:
These agreements cover all of the data and content you upload to Populi. However, most of the questions we get about FERPA pertain to a particular kind of information...
How does Populi handle "directory information"?
Access to most of the information in Populi is restricted to users who have the appropriate user roles to view that information. For example, only users with financial roles can view the particulars of student balances, payments, etc.; only users with academic roles can see details like grades, etc.; and so on.
Besides that particular kind of information, FERPA includes a category of information called "directory information", which is defined as "information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed". It includes things like contact information, dates of attendance, and a number of other items delineated in 34 CFR §99.13. Among other things, directory information can be disclosed without prior consent (See 34 CFR §§ 99.31(a)(11) and 34 CFR §§ 99.37).
In Populi, directory information is generally available to be viewed by all users at your school. However, every user can set their own Profile—or individual contact info items—to Private, which hides that information from all non-Staff users. (Staff users can also set any profile to Private).