In the age of cyber attacks where reports of data breaches have become a common occurrence, protecting the privacy of students and safeguarding their records is a responsibility that must be enacted by every school – from K-12 right through university.
Last month, a university in Edmonton, Canada was defrauded of $11.8 million via an email phishing scam and is still trying to recover. Earlier this year, a hard drive containing personally identifiable information (PII) of a million people went missing at Washington State University. These examples demonstrate not only that it’s crucial for your institution to have a few security measures in place, but also that there’s hope, and that there are specific steps you can take if a data breach ever occurs. Read on to learn more about federal regulations that protect student records and to discover a few best practices that all schools can implement.
Compliance, compliance, compliance! A closer look at the basics of FERPA
Taking measures to protect student record confidentiality isn’t just a list of suggested best practices – it’s the law. Since student records contain so much PII, including student or parent financial and health information, educational institutions must comply with several regulations to keep sensitive data safe. These regulations may include:
- The Family Educational Rights and Privacy Act (FERPA)
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Children’s Online Privacy Protection Act (COPPA)
The regulation that most commonly applies to schools is FERPA. The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. Educational institutions receiving funds under programs administered by the U.S. Secretary of Education are bound by FERPA regulations. The law basically outlines when and to whom it’s okay to disclose student PII. Whether you’re a teacher, professor, school administrator or healthcare provider, a few key components of FERPA you should know are:
- Once a student turns 18, or begins attending college, university, or any higher education institution considered post high school, the right to inspect and review the student’s record transfers from the parents to the student.
- School officials may not disclose PII about students, nor permit inspection of their records, without written permission from the student, unless such action is covered by exceptions permitted by the Act. An acceptable example would be disclosing information to school officials determined by the institution to have a legitimate educational interest.
- Students have the right to see and review their educational records within 45 days of a request. They also have the right to request an amendment of education records that they believe are inaccurate or in violation of their privacy rights.
For more information visit The US Department of Education – FERPA
Whether one, all of the above, or other compliance regulations for protecting student data apply to your educational institution, it’s clear that it’s important to have the proper security measures in place. Let’s take a look at a few best practices.
1. Appoint a data security leader: an educator for educators
One practice that’s required to adhere to strict compliance regulations in healthcare, financial services, technology and other sectors is to designate an individual who’s responsible for understanding regulations, educating staff, and ensuring that the right processes are in place. By tasking an individual (or a committee of individuals) with overseeing compliance, you’re well on your way to creating an effective security roadmap for protecting your students’ data.
Your data security leader, whether an appointed existing staff member or outside consultant, can stay informed of changes in the compliance landscape and determine the best and safest methods for responding to both internal and external requests for access and use of student data. In doing so, it would be this individual’s (or committee’s) responsibility to:
- Assess your data collection practices (and improve them accordingly)
- Identify and implement your security objectives (each institution has its own protocols for things like wireless network access, etc.)
- Provide ongoing training to educators and administrators
Which brings us to our next point…
2. Provide ongoing student privacy training
Training employees at every level is essential to a solid security program. Everyone in your organization should have a good understanding of the types of issues that can create student privacy and data security risks. In an educational environment, there are endless possibilities for creative training and messaging that will help familiarize all staff with good data privacy and security practices.
Try to make sure that training is performed regularly, is updated alongside any changes in the laws, and that new staff members receive security training within a reasonable amount of time.
3. Develop monitoring, auditing, and reporting processes
No matter which security processes and measures you choose to implement, monitoring is a critical element of keeping your security program in check. Your security processes need to be routinely tested, monitored, and updated to make sure your student data remains safe over time. Malware, for example, is a rapidly evolving threat that will always be looking for new ways to make its way onto school databases, so only through continuous auditing by qualified internal or external individuals can your student privacy and security efforts maintain credibility. An important part of your reporting process should be clear protocols for identifying and reporting data breaches in case they occur.
Looking for a way to ensure your student records are protected in transit and at rest? Speak with an expert today about secure file exchange solutions that improve your security levels and help you adhere to strict compliance regulations.