When it comes to student records, the academic sector has two laws to comply with: the Family Educational Rights and Privacy Act (FERPA), and the Jeanne Clery Disclosure of Campus Security Policy and Campus Crimes Statistics Act (Clery Act). Both are enforced by the U.S. Department of Education (DOE). This includes all public K-12 schools and virtually all postsecondary institutions, public or private.
 

In many ways, FERPA is similar to FACTA and HIPAA, but focused on the needs of educational institutions. Essentially, FERPA protects and limits the unauthorized disclosure of personally identifiable student information (PII) from education records, such as SSNs, similar identifiers and student ID numbers; electronic identifiers that, when combined with other information, grant access to a student's records; and educational performance records.

 

However, there are exceptions to the authorization requirement for “eligible students” who are 18 or older, when student information may be released without their consent:

 

   > To parents when the student is a dependent on the parents’ Federal income tax;

 

   > In connection with a health or safety emergency;

 

   > When the student is a sex offender or officially considered a terrorism suspect;

 

   > When a postsecondary student under 21 has violated a law or an institution's rule regarding

      alcohol or a controlled substance.

 

Neither the statute nor regulations address the disclosure of education records without consent to non-employees who are retained to perform institutional services and functions. But the final rule does consider contractors, consultants, volunteers and other outside service providers as “school officials.”

 

Effectively, this set up a vendor management requirement similar to GLBA, FACTA and HIPAA. That is, outsourcing institutional functions does not relieve the institution of its responsibility to protect student information, and it needs to assure that such agents have a genuine need to access student information and take measures to protect their holdings. It behooves the institution to vet and manage its vendors.

 

While FERPA restricts education records, the Clery Act is the other side of the coin: it was passed to make certain educational records more available than they had been before Jeanne Clery was raped and murdered in her dorm room in 1986. Jeanne Clery's parents lobbied for the law when they discovered that their daughter and other students had not been told of 38 violent crimes on Clery’s college campus during the preceding three years. In a series of amendments over several years, the Clery Act has come to add several requirements on schools and institutions. Among them, the law—

 

   > Requires statistical crime reporting

 

   > Gives victims of sexual assault certain rights to information

 

   > Makes provisions to protect crime victims and “whistleblowers” from retaliation

 

The final regulations require that schools institute reasonable control to reduce the risk of unauthorized disclosure that are commensurate with the likely threat and potential harm. Reported violations, complaints or media coverage can be used by the DOE to initiate an investigation or find an institution in violation.