As the stewards of reams of sensitive, personal information about students, higher education institutions are subject to a variety of guidelines, regulations, and laws that require schools to keep that information secure and private and restrict access to that information only to appropriate parties. In this article, we will contemplate the Family Educational Rights and Privacy Act (FERPA) and the various ways Populi endeavors to help you follow its guidelines.
To whom does FERPA apply?
We are commonly asked, "Is Populi FERPA-compliant?"
The answer to this question isn't a straightforward Yes or No:
- According to 34 CFR §99.1, FERPA applies to educational institutions or agencies to which funds administered by the U.S. Secretary of Education have been made available.
- According to 34 CFR §99.33, your school, in contracting to have Populi store education records, "discloses" them to Populi for the purposes of having us store them; we are thus constrained to only use them for those purposes. (Also see 34 CFR §99.31 for how this "disclosure" of information to Populi does not require consent because of the "school official" exception.)
Strictly speaking, only educational institutions or agencies fall under FERPA's purview. Your school is permitted to disclose education records to Populi for the purposes of storing them (and providing tools to access them, etc.), but would not be permitted to disclose anything to, say, some social media company for the purposes of targeting ads at your students. Our responsibility is to not disclose those records, and we give you various assurances of that in our Terms of Service and Privacy Policy (discussed in the next section of this article).
We also endeavor to provide your school with tools that help you comply with FERPA. Put another way, compliance is ultimately your responsibility; it's our job to not get in the way of that if you're using Populi correctly.
Populi's Terms of Service and Privacy Policy
Our various legal agreements codify our approach to data privacy. You should read them in full—especially the Terms of Service, which delineates your responsibilities and ours when it comes to the proper use of our tools. Here are a couple of items to call to your attention:
- Our Customer Terms of Service directly addresses data privacy in Section 5, which refers you to our Privacy Policy for a detailed understanding of our approach to handling your data.
- Section 4.5 of our Privacy Policy contains this assurance: "When handling student education records as defined by the Family Educational Rights and Privacy Act (FERPA), Populi will abide by the limitations and requirements imposed by 34 CFR 99.33(a). Populi will disclose student education records as directed by school officials, or in order to comply with a court order, subpoena, or other legitimate demand by government authorities."
These agreements cover all of the data and content you upload to Populi. However, most of the questions we get about FERPA pertain to a particular kind of information...
How does Populi handle "directory information"?
Access to most of the information in Populi is restricted to users who have the appropriate user roles to view that information. For example, only users with financial roles can view the particulars of student balances, payments, etc.; only users with academic roles can see details like grades, etc.; and so on.
Besides that particular kind of information, FERPA includes a category of information called "directory information", which is defined as "information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed". It includes things like contact information, dates of attendance, and a number of other items delineated in 34 CFR §99.13. Among other things, directory information can be disclosed without prior consent (see 34 CFR §§ 99.31(a)(11) and 99.37).
In Populi, directory information is generally available to be viewed by all users at your school. However, every user can set their own Profile—or individual contact info items—to Private, which hides that information from all non-Staff users. (Staff users can also set any profile to Private.) Those controls are described in this article.