FERPA Compliance and Third Party Contracts
Overview
The Family Educational Rights and Privacy Act (FERPA) protects student education records and, under certain conditions, grants access to those records without the student’s written consent to those conducting business on behalf of the University. The Act specifies the conditions under which an institution may disclose confidential information to third parties (§ 99.31).
Our Policy
Confidentiality of Student Records
Contract Requirements
Specific to 1-g above, if confidential student data will be accessed and/or hosted by a third-party contractor/agent, the contract with the contractor/agent must recognize and address FERPA compliance. As such, if a request for proposal (RFP) is required, the RFP should include this clause for compliance before proposals are accepted from a third-party contractor/agent. The service/product must be for a legitimate educational interest, and the contractor/agent must be performing a business function or service that the institution would not normally perform itself. A contract should indicate:
- the security measures of the product/service that protect student data
- the student data will be used for intended purposes only
- the contractor/agent will not provide access to the data to any other third party unless legally able to do so
- the shared information is destroyed and/or returned when the work/service is concluded
Procedure
- The requesting office/entity should work with the Purchasing department to develop the RFP, when required
- The requesting office/entity should only accept proposals from contractors/agents that address FERPA compliance
- The requesting office/entity should seek approval of the contract from the Office of Legal Affairs (NOTE: Approval by the Office of Legal Affairs does not constitute approval by the Office of the Registrar regarding student data and FERPA compliance.)
Resources