In the US, public education institutions are required to both archive and protect a wide variety of student data, often for extended periods of time. Academic archiving can be challenging, and when it is done incorrectly or incompletely there are serious legal, student privacy and compliance impacts. Archiving has become extremely diverse, and regulatory requirements now cover email, voice messages, text messages, video and much more. Understanding the regulations applicable to schools is vital to protect both students and their schools’ regulatory compliance.
The challenges of academic archiving
As technology has transformed education, almost all records are now digital. By being digital, they are potentially highly portable. That is both good and bad. It requires more accountability in the protection and management of student data. K-12 and higher education institutions are facing increasing complexity in ensuring compliance with laws geared to protect student data.
Properly managing student data can be a daunting task. Without understanding what you need to archive and why, retention strategies are open to problems and regulatory violations.
The four regulations behind academic archiving
The four key regulations driving archiving in the public academic environment are:
- Family Educational Rights and Privacy Act (FERPA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Freedom of Information Act (FOIA)
- Gramm-Leach-Bliley Act (GLBA)
What is FERPA?
FERPA stands for the Family Educational Rights and Privacy Act. It is a federal law passed in 1974 to protect educational records. It protects student information such as contact information, data on academic achievements, health information and more. FERPA specifically defines rules for access to student data. Access to student records is protected and only available to parents and students over 18. Students over 18 can independently exercise their FERPA rights, as can those who enter a post-secondary institution (regardless of age). Once this happens, records can be disclosed to parents only with prior consent from the student.
Where is FERPA applicable?
FERPA applies to educational institutions and agencies that are funded by the US Department of Education. In most cases, this includes all public K-12 and higher education institutions in the US, but not private ones.
What student data is protected under FERPA?
FERPA applies to any records and communications that include any of the following:
- a student’s name and contact information
- a parent’s name and contact information
- grades and test results
- discipline reports
- health records
- courses attended and information of attendance
- awards and degrees earned
Can student data be released without consent?
A school/higher education institution can release information without a student’s consent if the request is from a state education office or when following a court order.
What are examples of FERPA violations?
FERPA exists to protect personally identifiable student information. While almost no one wants to intentionally cause a FERPA violation, there are situations where it happens due to a lack of experience or incomplete knowledge of the regulations. Here are some example scenarios that have triggered FERPA violations:
- a computer screen that accesses student information is located where it can be seen through a window or a doorway
- a teacher posts test scores on a bulletin board or asks a student to distribute graded papers
- a software vendor mishandles student information
- a teacher uses social networks to connect students with classroom pages without parental consent
- a teacher leaves their grade book open so that a student can see other students’ grades
- engaging a software vendor that relies on data mining to provide its services
What are the penalties for a FERPA violation?
A FERPA violation can be very painful for everyone involved. The student’s privacy is compromised, and schools can be penalized with fines and/or funding losses. Employees responsible for data protection (or the lack thereof) can lose their jobs. One important precedent to note is that following a 2002 Supreme Court decision, FERPA lawsuits are filed and heard in accordance with state law, not federal law.
FERPA compliance best practices:
- grant students access to their own records
- ask for students’ permission before disclosing their records, even to their parents
- make education records ready for review within 45 days of the request
- preserve an education record if someone has filed a request to view it
- allow parents/guardians to view records of their child, but redact any reference to other students referenced in the file
- ensure records accessibility to a student/parents who don’t understand English well
- record and address student/parent requests for a record change; however, there is no obligation to grant it
- protect student records from disclosure to a third party unless there is written consent from the student or their parents
What is the Freedom of Information Act (FOIA)?
Since 1967, the Freedom of Information Act (FOIA) has provided US citizens the right to request access to records from government agencies and entities. Under a FOIA request, public entities must disclose the requested information unless it falls under one of nine allowed exemptions. These exemptions protect personal privacy, national security, and law enforcement. The act was intended to make government more transparent.
FOIA directs that you must make available all records, including records in electronic format, such as email, voicemail, messaging (group and one-to-one), and video conference recordings. Responses typically must occur within 20 business days, but these deadlines can vary by locality. Note that this deadline only requires you to reply to the request, not to complete delivery of the applicable records. The deadline can be extended in several cases:
- these records are not located on your premises
- you need extensive efforts to find them
- you need to compile many documents
FOIA in the academic environment
Under FOIA, schools and higher education organizations might be asked to provide information of public interest. In most cases, these requests will cover information that is not personally identifiable. When deciding whether a FOIA request requires disclosure, check for the following situations. In each of these cases, FOIA will not apply:
- If the information requested could likely prejudice the commercial interests of any person.
- If the information will be published at a future date.
- If the information includes personal information.
- If the person submitting the request could obtain information via other means.
Student records are classified as personal information. In cases where you receive a FOIA request to disclose a student’s personal information, FERPA would supersede FOIA, and hence you can reject the FOIA request.
HIPAA compliance & academic environments
HIPAA (Health Insurance Portability and Accountability Act) regulates the way healthcare staff handle protected health information (PHI) and medical records. However, as more school campuses offer healthcare services to both students and non-students, the question of HIPAA applicability arises.
In an academic setting, most of the medical and treatment information that would otherwise be considered to fall under HIPAA is an education record and therefore covered by FERPA. Hence, in most cases HIPAA won’t apply because FERPA already provides protection.
Education records can include a student’s health records, including immunization records, at the elementary or secondary level, and records maintained by a school nurse employed by the school. These records are already protected by FERPA. Treatment records subject to FERPA include records on medical and psychological treatment of a student, which are used solely for treatment, at postsecondary institutions.
HIPAA vs FERPA examples:
- You work at a college. One of the students has an STD. They are treated on campus at a clinic open to students and the public. That student’s records will be protected by FERPA. If the student’s parents request the information, FERPA requires the student’s consent.
- A person who is not a student might be treated at the clinic. In that case, the HIPAA Privacy Rule will apply, not FERPA.
Does HIPAA apply to Colleges/Universities?
HIPAA does not apply to colleges or universities unless they provide medical services to the public. Only then is HIPAA compliance a requirement. Regardless, student health information is protected by FERPA.
What is the Gramm-Leach-Bliley Act (GLBA)?
GLBA (Gramm-Leach-Bliley Act) is a law that aims to protect consumer financial data. In the context of education, GLBA applies only to higher education institutions. GLBA monitors and regulates how higher education institutions collect, store, and use student financial records. These records include tuition payments, financial aid, or any other financial records that contain personally identifiable information. Compliance with GLBA tends to fall under the data privacy and information security protection policies that organizations should be routinely managing.
GLBA compliance best practices:
To ensure full compliance with GLBA, you need to:
- create an information security program appropriate to both your institution’s size and the data sensitivity
- complete a risk assessment and mitigate the risks identified
- designate personnel responsible for information security and GLBA compliance
- provide training and awareness to employees on GLBA compliance
- pay close attention to what service providers are doing with your data
Multi-Data compliance archiving software features checklist
Now that you understand the regulations that drive the need for multi-data compliance archiving, you are in a better position to assess the systems you require to manage compliance. Below is a summary of the common requirements to look for when selecting your compliance archiving solution:
| Archiving Solution Critical Features | Option A | Option B | OneVault |
|---|---|---|---|
| Intuitive user interface | | | YES |
| Fast data search results | | | YES |
| Search on message subject, sender, recipient, keywords & record type | | | YES |
| Unified searches across data types | | | YES |
| Flexible add-on search refinement filters | | | YES |
| Automated keyword monitoring with notifications & workflow support | | | YES |
| Group and organize data for easy (legal case) management | | | YES |
| Preserves and produces data in its original format | | | YES |
| Provides context: attachments, conversation thread, participants, etc. | | | YES |
| Supports legal hold tags and keeps records for legal purposes | | | YES |
| Role-based access to features, settings, policies and data | | | YES |
| Encrypts data for maximum security | | | YES |
| Audit trail to monitor and record users’ activities | | | YES |
| Cloud-based delivery for additional security & business continuity | | | YES |
| Exports to a variety of formats, with full chain of custody | | | YES |
| Online tamper-proof access to end users’ own data records (optional) | | | YES |
| Supports a range of data types (Email, IM, Teams, Zoom, etc.) | | | YES |
| Fully automated data retention & destruction according to policy | | | YES |
| Supports multiple customizable policies | | | YES |
| Single pane of glass for management & usage | | | YES |
| Automated provisioning for those in compliance/archive-all mode | | | YES |
| Automatically delete messages after the retention period expires | | | YES |
| Can ingest saved data in a variety of formats (PST, EML, MP3/MP4/M4A) | | | YES |
| Easy provisioning for expansion needs | | | YES |
| Reduces size of on-premises storage & backup | | | YES |
| Secure data production via email, download or export as allowed by policy | | | YES |
Donoma Archiving Solutions
Donoma Software has been providing compliance archiving solutions for over 10 years. If you’d like to learn how your organization can meet compliance requirements, reduce costs and risk, we’d like the opportunity to introduce you to our OneVault multi-data archiving platform. Just contact us or book a no obligation demo discussion. A member of our team will be happy to discuss your questions and show you how OneVault’s expandable archiving capabilities will make your multi-data archiving needs much more manageable.