By Laurie Head
AIS Network VP, Marketing Communications
Let’s say your school’s aging IT infrastructure is just not meeting expectations or perhaps you’re not altogether sure that it’s entirely FERPA-compliant. You recognize that moving school data to a secure cloud may be the answer to multiple challenges that you face, but you are unsure about how you should approach the move.
For those who don’t already know, The Family Educational Rights and Privacy Act (FERPA) is a U.S. privacy law designed to protect student education records, including PII (personally identifiable information), with administrative, physical and technical safeguards. Think HIPAA compliance for school records – because the concept is really not all that different.
To some school administrators, FERPA may seem like a barrier to migrating school records to the cloud. But, indeed, it’s not. In fact, moving data to the cloud is a cost-efficient option that is permitted by FERPA and even supported by the U.S. Department of Education, which was itself an early cloud adopter in the federal government.
But how do you move forward? Unfortunately, FERPA does not elaborate on the process of selecting and managing relationships with secure cloud hosting providers. So, if you are an educational institution either currently in the process of selecting a cloud hosting provider or deciding whether or not moving to the cloud is right for you, consider these five tips:
- Use best practices. As you evaluate your needs, be sure to conduct a risk management assessment for your institution and make a list of security considerations such as privacy, legal and compliance issues that must be addressed.
- Do your due diligence on security during the cloud hosting provider selection process. Review all appropriate administrative, physical and technical safeguards that the provider may use to protect the data, including data destruction policies.
- Contract with a FERPA-compliant cloud hosting provider. Select a reputable provider who understands FERPA compliance and the importance of protecting PII from a potential breach. An experienced, compliant hosting provider will help you pass your FERPA audits, enabling you to do your job better.
- Get compliance language into your contract. Ensure that your written contract or service agreement with your hosting provider is specific with regard to how data is being safeguarded.
- Keep sensitive student records in the U.S. While FERPA does not make distinctions based on state/ international lines, it’s important to remember that transferring PII and other education records across international boundaries may be risky. Among the legal concerns, be aware that it is often difficult to enforce privacy laws outside of the U.S. and hold non-U.S. entities accountable for violations.
Of course, your school should also have prepared and implemented adequate information governance protocols with regard to FERPA as well as any additional applicable federal and individual state data privacy laws that may contain more stringent requirements for data protection. Always consult with your organization’s legal staff to ensure that you have considered and addressed all applicable regulations.
For more government information, the U.S. Department of Education Privacy Technical Assistance Center is a great resource. Access the “Frequently Asked Questions” document on their site.
In the meantime, let us know if we can help you take those first steps toward cloud adoption. To begin, we can assist you in conducting a risk management assessment.
