Colleges and universities frequently hire third-party vendors to provide services that involve student data—cloud storage, online education delivery, and online grade books to name a few. Although the arrangements are common, they can run afoul of the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99) (FERPA) and other data privacy best practices. Colleges and universities should contemplate privacy and security issues when contracting with third-party vendors and include language in the service agreement that identifies exactly what information is being shared and protects how the information can be used in the future.
The School Official Exception
FERPA prohibits the disclosure of educational records unless a student provides express written consent. As a general matter, FERPA’s protections are broad and can prohibit disclosures to third-party vendors, even if the institution is just outsourcing an administrative function. FERPA does, however, contain several exceptions. One exception, the “School Official” exception, can be particularly helpful when working with third-party vendors for services that involve student information.
Colleges and universities can utilize the School Official exception where the third-party vendor:
- performs an institutional service or function for which the institution would otherwise use employees;
- is under the direct control of the institution with respect to the use and maintenance of education records;
- meets the criteria set forth in the institution’s notification of rights for being a school official with a legitimate educational interest in the education records; and
- uses education records only for authorized purposes and agrees not to re-disclose the education records unless the vendor is otherwise authorized to do so.
34 CFR § 99.31 and 99.33.
5 Simple Provisions to Comply with the School Official Exception and Other Best Practices
To comply with the requirements of the School Official exception and other data privacy best practices, every service agreement that involves student information should at least include these five simple provisions:
- Information definition – The institution should expressly define what information will be shared with the vendor.
- Use – The institution should expressly state how the vendor will be permitted to use the data. The institution should also prohibit any unauthorized use, including data mining and analysis unless that is a service that the vendor is being paid to provide for the institution.
- Re-disclosure – The vendor should acknowledge its obligations under FERPA and agree not to re-disclose the information unless otherwise permitted by FERPA.
- Access and control – The vendor should acknowledge the data is owned by the institution, and the agreement should provide a mechanism for the institution to access and audit the information.
- Security – The vendor should agree to maintain the information pursuant to specific security protocols approved by the institution. The vendor should typically agree not to store student information on servers located outside the U.S., and the vendor should also agree to be responsible for any breach of its systems.
What This Means for You
As colleges and universities look for different ways to store and utilize data, they must adhere to FERPA and other privacy best practices. Institutions should contemplate these obligations before contracting with third-party vendors for services that involve student data so that contractual protections can be included in the service agreement.