FERPA, FOIA & More: Why They Matter in Academic Archiving

Posted on 8 Jun 2021

In the US, public education institutions are required to both archive and protect a wide variety of student data. Often for extended periods of time. Academic archiving can be challenging. When done incorrectly or incompletely, there are serious legal, student privacy and compliance impacts. Archiving has become extremely diverse, and regulatory requirements now include email, voice messages, text messages, video and much more. Understanding the regulations applicable to schools is vital to protect both students and their schools’ regulatory compliance.

The challenges of academic archiving

As technology has transformed education, almost all records are now digital. By being digital, they are potentially highly portable. That is both good and bad. It requires more accountability in the protection and management of student data. K-12 and higher education institutions are facing increasing complexity in ensuring compliance with laws geared to protect student data.

Properly managing student data can be a daunting task. Without understanding what you need to archive and why, retention strategies are open to problems and regulatory violations.

The four regulations behind academic archiving

The 4 key regulations driving archiving in the public academic environment are:

Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Freedom of Information Act (FOIA)
Gramm-Leach-Bliley Act (GLBA)

What is FERPA?

FERPA stands for the Family Education Rights and Privacy Act. It is a federal law passed in 1974 to protect educational records. It protects student information such as: contact information, data on academic achievements, health information and more. FERPA specifically defines rules for access to student data. Access to student records is protected and only available to parents and students over 18. Students over 18 can independently exercise their FERPA rights. As can those who enter a post-secondary institution (regardless of age). Once this happens, records can only be disclosed to parents only with prior consent from the student.

Where is FERPA applicable?

FERPA applies to educational institutions and agencies that are funded by the US Department of Education. In most cases, this includes all public K-12 and higher education institutions in the US, but not private ones.

What student data is protected under FERPA?

FERPA applies to any records and communications that include any of the following:

a student’s name and contact information
a parent’s name and contact information
grades and test results
discipline reports
health records
courses attended and information of attendance
awards and degrees earned

Can student data be released without consent?

A school/higher education institution can release information without a student’s consent if the request is from a state education office or when following a court order.

What are examples of FERPA violations?

FERPA exists to protect personally identifiable student information. While almost no one wants to intentionally cause a FERPA violation, there are some situations where it happens due to a lack of experience or incomplete knowledge of the regulations. Here are some example scenarios that have tripped FERPA violations:

a computer screen that accesses student information is located where it can be seen through a window or a doorway
a teacher posts test scores on a bulletin board or asks a student to distribute graded papers
a software vendor mishandles student information
a teacher uses social networks to connect students with classroom pages without parental consent
a teacher leaves their grade book open so that a student can see other students’ grades
engaging a software vendor that relies on data mining to provide its services

What are the penalties for a FERPA violation?

A FERPA violation can be very painful for everyone involved. The student’s privacy is compromised, schools can be penalized with fines and/or funding losses. Employees responsible for data protection (or lack thereof) can lose their jobs. One important precedent to note is that following a 2002 Supreme Court decision, FERPA lawsuits are filed and heard in accordance with state law, not federal law.

FERPA compliance best practices:

grant students access to their own records
ask for students’ permission before disclosing their records, even to their parents
make education records ready for review within 45 days of the request
preserve an education record if someone has filed a request to view it
allow parents/guardians to view records of their child, but redact any reference to other students referenced in the file
ensure records accessibility to a student/parents who don’t understand English well
record and address student/parent requests for a record change, however there is not an obligation to grant it
protect student records from to a third party unless there is written consent from the student or their parents

What is the Freedom of Information Act (FOIA)?

Since 1967, the Freedom of Information Act (FOIA) has provided US citizens the right to request access to records from government agencies and entities. Under a FOIA request public entities disclose requested information unless it falls under one of nine allowed exemptions. These exemptions protect personal privacy, national security, and law enforcement. The act was intended to make government more transparent.

FOIA directs that you must make available all records, including records in electronic format, such as email, voicemail, messaging (group and one to one), and video conference recordings. Responses typically must occur within 20 business days, but these dates can vary by locality. However, this means that you only need to reply to the request, not complete delivery of the applicable records. This deadline can be extended in several cases:

these records are not located on your premises
you need extensive efforts to find them
you need to compile many documents

FOIA in the academic environment.

Under FOIA, schools and higher education organizations might be asked to provide information of public interest. In most cases, these requests will cover information that is not personally identifiable. When deciding on whether a FOIA request requires disclosure, check for the following situations. In each of these cases, FOIA will not apply:

If the information requested could likely prejudice the commercial interests of any person.
If the information will be published at a future date.
If the information includes personal information.
If the person submitting the request could obtain information via other means.

Student records are classified as personal information. In cases where you receive a FOIA request to disclose a student’s personal information, FERPA would supersede FOIA, and hence you can reject the FOIA request.

HIPAA compliance & academic environments.

HIPAA (Health Insurance Portability and Accountability Act) regulates the way healthcare staff handle protected health information (PHI) and medical records. However, as more school campuses offer healthcare services to both students and non-students, the question of HIPPA applicability arises.

In an academic setting, most of the medical and treatment information that would be otherwise considered to fall under HIPAA, are an education record and therefore covered by FERPA.Hence in most cases, HIPAA won’t apply because FERPA already provides protection.

Education records can include a student’s health records, including immunization records, at the elementary or secondary level, and records maintained by a school nurse employed by the school. These records are already protected by FERPA. Treatment records subject to FERPA include records on medical and psychological treatment of a student, which are used solely for treatment, at postsecondary institutions.

HIPAA vs FERPA examples:

You work at a college. One of the students has an STD. They are treated on campus at a clinic open to students and the public. That student’s records will be protected by FERPA. If the student’s parents request the information, FERPA requires the student’s consent.
A person who is not a student might be treated at the clinic. In that case, the HIPAA Privacy Rule will apply, not FERPA.

Does HIPAA apply to Colleges/Universities?

HIPAA does not apply to colleges or universities unless they provide medical services to the public. Only then is HIPPA compliance a requirement. Regardless, student health information is protected by FERPA.

What is the Graham Leach Bliley Act (GLBA)?

GLBA (Gramm Leach Bliley Act) is a law that aims to protect consumer financial data. In the context of education, GLBA applies only to higher education institutions. GBLA monitors and regulates how higher education institutions collect, store, and use student financial records. These records include tuition payments, financial aid, or any other financial records that contain personally identifiable information. Compliance with GLBA tends to fall under data privacy and information security protection policies that organizations should be routinely managing.

GLBA compliance best practices:

To ensure full compliance with GLBA, you need to:

create an information security program appropriate to both your institution’s size and the data sensitivity
complete a risk assessment and mitigate the risks identified
designate personnel responsible for information security and GLBA compliance
provide training and awareness to employees on GLBA compliance
pay close attention to what service providers are doing with your data

Multi-Data compliance archiving software features checklist

So now that you understand the regulations that drive the need for multi-data compliance archiving, you are now in a better position to assess the systems you require to manage compliance. Below is a summary of the common requirements to look for when selecting your compliance archiving solution:

Archiving Solution Critical Features	Option A	Option B	OneVault
Intuitive user interface			YES
Fast data search results			YES
Search on message subject, sender, recipient, keywords & record type			YES
Unified searches across data types			YES
Flexible add on search refinement filters			YES
Automated keyword monitoring with notifications & workflow support			YES
Group and organize data for easy (legal case) management			YES
Preserves and produces data in its original format			YES
Provides context: attachments, conversation thread, participants, etc.			YES
Supports Legal hold tags and keeps records for legal purposes			YES
Tamper-proof archive			YES
Role-based access to features, settings, policies and data			YES
Encrypts data for maximum security			YES
Audit trail to monitor and record users’ activities			YES
Cloud-based delivery for additional security & business continuity			YES
Exports to a variety of formats, with full chain of custody			YES
Online tamper-proof access to end user's own data records (optional)			YES
Supports a range of data types (Email, IM, Teams, Zoom, etc.)			YES
Fully automated data retention & destruction according to policy			YES
Supports multiple customizable policies			YES
Single pane of glass for management & usage			YES
Automated provisioning for those in compliance/archive-all mode			YES
Automatically delete messages after the retention period expires			YES
Can ingest saved data in a variety of formats (PST, EML, MP3/4/4A)			YES
Easy provisioning for expansion needs			YES
Reduces size of on-premises storage & backup			YES
Secure data production via email, download or export as allowed by policy			YES

ArchivingSolutionBuyersGuideChecklist

Free Download: Archiving Buyers Guide Checklist (PDF Format)

Donoma Archiving Solutions

Donoma Software has been providing compliance archiving solutions for over 10 years. If you’d like to learn how your organization can meet compliance requirements, reduce costs and risk, we’d like the opportunity to introduce you to our OneVault multi-data archiving platform. Just contact us or book a no obligation demo discussion. A member of our team will be happy to discuss your questions and show you how OneVault’s expandable archiving capabilities will make your multi-data archiving needs much more manageable.