Student Education Records (FERPA)
#Why is this Important
#Reference
#Criticality
#Sample RFP Language
#Sample Contract Clauses
Why is this Important:
Institutions of higher education might have other obligations regarding use of data under federal, state, or local laws, regulations, or contractual obligations. Generally speaking, an institution may not be able to alleviate such obligations by contracting with a third party to perform functions that use regulated data. Clauses that include instructions to contracting third parties regarding regulatory requirements help to protect the institution in the event of an unauthorized disclosure or breach. The Family Educational Rights and Privacy Act (FERPA) provides specific protections for student education records. In situations where confidential student data is hosted or accessed by a vendor, the contract with the vendor should acknowledge and address FERPA protections and obligations.
Reference:
The Family Educational Rights and Privacy Act (FERPA) (Pub. L. No. 93-380 (1974), codified at 20 U.S.C. § 1232g)
Appendix 1 ISO/IEC 27002:2005, Reference 6.2.3(r); (s)
Appendix 2 NIST Sp. Pub. 800-53, Rev. 2; Control SA-9 (External Information System Services)
Criticality: Category 1, Category 2, and Category 4.
Sample RFP Language:
- Proposer may create, receive from or on behalf of Institution, or have access to, records or record systems that are subject to the Family Educational Rights and Privacy Act ("FERPA"), 10 U.S.C. Section 1232g. Describe the security features incorporated into the product to safeguard FERPA records.
Sample Contract Clauses:
- The [Vendor] acknowledges that certain information about the Institution's students is contained in records maintained by the [Vendor] and that this information can be confidential by reason of the Family and Educational Rights and Privacy Act of 1974 (20 U.S. C. 1232g) and related Institution policies currently at [insert applicable link [http://]] unless valid consent is obtained from the Institutions's students or their legal guardians. Both parties agree to protect these records in accordance with FERPA and Institution policy. To the extent permitted by law, nothing contained herein shall be construed as precluding either party from releasing such information to the other so that each can perform its respective responsibilities. The Institution shall advise [Vendor] whenever any Institution students have provided consent to release information to an extent broader than as provided for by FERPA or Institution policy.
- [Vendor] agrees that it may create, receive from or on behalf of Institution, or have access to, records or record systems that are subject to the Family Educational Rights and Privacy Act ("FERPA"), 20 U.S.C. Section 1232g (collectively, the "FERPA Records"). [Vendor] represents, warrants, and agrees that it will: (1) hold the FERPA Records in strict confidence and will not use or disclose the FERPA Records except as (a) permitted or required by this Agreement, (b) required by law, or (c) otherwise authorized by Institution in writing; (2) safeguard the FERPA Records according to commercially reasonable administrative, physical and technical standards that are no less rigorous than the standards by which [Vendor] protects its own confidential information; and (3) continually monitor its operations and take any action necessary to assure that the FERPA Records are safeguarded in accordance with the terms of this Agreement. At the request of Institution, [Vendor] agrees to provide Institution with a written summary of the procedures [Vendor] uses to safeguard the FERPA Records.
Federal, state, or local law, regulation, or contractual obligation
Questions or comments? 
Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).