FERPA Compliance


Next Steps
Overview Auditing CCPA DLP FERPA GDPR HIPAA PCI DSS DMaaS Static Dynamic Real-Time Test Data/TDM

What are some of the key provisions of The Family Educational and Privacy Rights Act (FERPA) of 1974 as they relate to data at rest?

45 CFR § 1303.20 Establishing Procedures

A program must establish procedures to protect the confidentiality of any personally identifiable information (PII) in child records.

45 CFR § 1303.24 Maintaining Records

(a) A program must maintain child records in a manner that ensures only parents, and officials within the program or acting on behalf of the program have access, and such records must be destroyed within a reasonable timeframe after such records are no longer needed or required to be maintained.

This suggests the need for software capable of classifying and finding, de-identifying or removing, and auditing changes to student records that are maintained by educational institutions, and the entities serving them. All of these features are in the affordable IRI FieldShield, CellShield EE, and DarkShield data masking products, or the comprehensive IRI Voracity data management platform which includes them while also integrating, cleansing, migrating/replicating, and reporting on disparate data.

superintendent\'s office

PII can also include indirect information in a record, or "quasi-identifiers" which can also be used with or without uniquely-identifying information to nevertheless identify a student. Consider e-g in the list below:

As enforced under 20 U.S. Code § 1232g and defined under 34 CFR § 99.3, PII includes, but is not limited to:

The Re-ID Risk Scoring wizard included in IRI's static data masking software exploits peer-reviewed algorithms to determine and measure the risk of re-identification based on the distinction and separation attributes of one or more quasi-identifiers in a student record. So long as the data set is in a flat file (e.g., CSV) or JDBC-connected data source (e.g., SQL Server table), it will work.

These capabilities can also help data recipients and other authorized third parties comply with the Protection of Pupil Rights Amendment (PPRA) and the Student Privacy provisions (Section 1061) of the No Child Left Behind Act. Those data users can leverage the risk determination report results to further generalize (anonymize) the riskier quasi-idenifiers in ways that retain the utility of that data.

Request More Information

Live Chat

* indicates a required field.
IRI does NOT share your information.