Hostway is pleased to announce that we are now FERPA compliant. When combined with our PCI, HIPAA, and other compliance attestations—along with our HITRUST certification—our ability to maintain FERPA compliance makes Hostway one of the few hosting providers to have a full suite of compliance certifications. Further, this means that educational institutions and agencies can rely on us to store and maintain electronic student education records in accordance with FERPA regulations.
We accomplish this by employing multiple layers of security to guarantee the protection, privacy, and integrity of data. Our policies and processes—including strong authentication controls—keep data safeguarded at all times, both in physical storage and on the cloud.
What is FERPA?
The Family Educational Rights and Privacy Act (FERPA) is a federal law that ensures students’ paper and electronic education records stay private. In 1994, FERPA was amended to improve key areas, such as who can review education records, and how and when education records can be released to third parties, including parents.
This law applies to all public schools and state or local education agencies that receive federal education funds. Organizations that host and/or develop Integrated Data System (IDS) software must also ensure they are compliant with FERPA.
What counts as an education record?
Schools maintain education records, which include a range of information about a student. Examples include:
- Medical and health records
- Emergency contact information
- Grades, test scores, courses taken, academic specializations, and activities
- Disciplinary actions, attendance, schools attended, awards conferred, and degrees earned
- Identification information, such as codes, social security numbers, pictures, etc.
What DOES NOT count as an education record?
There are a few forms of documentation that seem like they would be classified as student education records, but are not. These exceptions include:
- Personal notes written by school officials that are not shared with others
- School or district law enforcement records created and maintained by a school or district’s law enforcement unit
- Directory information, such as a student’s name, address, telephone number, or photo
How does this apply to those who manage, transfer, and store educational data?
To ensure your educational data stays compliant, you need a security program with the right storage, authentication, and overall data management policies and procedures. Put simply, you must ensure your hosting and storage providers are equipped to keep you compliant.
For institutions and organizations that host and/or develop IDS software, FERPA requires that they ensure strong physical and IT security controls over the system, such as:
- Clearly written and strictly enforced security policies and procedures; components that include physical security, network mapping, authentication, layered defense architecture, secure configurations, access controls, firewalls and intrusion detection/prevention systems, automated vulnerability scanning, patch management, incident handling, and audit and compliance monitoring
- Documented guidelines and justifications for data collection, management, and access
- An established framework for reviewing and approving individual uses of student data
- Procedures for the external sharing of data analytics that ensure data is delivered in non-identifiable formats
What happens when an institution or agency violates FERPA?
If an institution or agency violates FERPA, that organization may lose some or all of their federal funding. To date, this kind of penalty has never occurred; most institutions that have been found in violation of the law have avoided losing any funding by correcting their practices.
Though ultimately, complying with FERPA is about more than just avoiding fines. It’s about protecting the overall data privacy of students so their information doesn’t fall into the wrong hands.
What does a FERPA compliant infrastructure need?
Whether your data is in the cloud or on-prem, you’ll want to follow these guidelines to stay compliant:
- Keep your records in the U.S. Transferring PII and education records across international boundaries can be risky. It can be challenging to enforce privacy laws outside of the U.S. and hold non-U.S. entities accountable for violations.
- Protect your data no matter where it lives. Review all appropriate administrative, physical, and technical safeguards that the provider may use to protect data, including how they destroy it.
- Partner with expert help. An experienced, compliant hosting provider can help you pass your FERPA audits, enabling you to focus on your job while they handle both your security and compliance management for you.
How Hostway’s FERPA-Compliant Solutions Can Help Your Organization
We are an EdTech company that works very closely with top educational institutions and students from around the globe, and we understand the extreme importance of maintaining the integrity of student data. We chose Hostway as our global managed hosting provider because of their commitment to strong security, strict compliance, and great customer service. Their announcement that they are FERPA compliant now is just another reminder of why we choose them. — Jamey Vester, CISSP, Chief Technology Officer, IES Abroad
Hostway helps organizations mitigate risks and gain the edge they need to become more agile, while spending less. Other than safely storing electronic student records, we also work with clients to host a wide variety of education applications, such as:
- Content management systems
- Digital education
- On-demand learning materials and webinars
- Academic research data
- Digital media for speaking events, sport events, and fine arts performances
To learn more about how our team of experts can help you ensure your data stays secure and compliant with FERPA, contact us today for a complimentary consultation today.