Comparing FERPA & GDPR

March 13, 2018
  • FERPA
Solid blue background with the letters "GDPR" in the center and various icons such as a key, alarm clock, lock, etc positioned below the letters.

AACRAO has been approached several times to detail whether FERPA compliance is sufficient for complying with GDPR. Fundamentally, the scope and specific parameters are quite different. Specifically, FERPA pertains to the task of storing, handling and releasing student records.

This article is part one in a series on GDPR. (See more in this Inside Higher Ed article, "European Rules (and Big Fines) for American Colleges.")

The European Union General Data Protection Regulation and its articles refer to the processing of Personal Data, which for the purposes of the regulation means any information relating to an identified or identifiable natural person (‘data subject’). Thus,  the EU definition of personal data is very broad, whereas in the United States the processing of personal information is generally permitted and subject to a patchwork quilt of laws in the U.S. which define specific data elements as personal information (e.g., name in combination with SSN).  These include sectoral laws and regulations (e.g., FERPA, HIPAA, state data breach notification laws).

In the EU (and in many other countries around the world) processing of personal data is generally prohibited unless certain requirements are satisfied. In this article we will begin to compare one such sectoral regulation - the Family Education Rights and Privacy Act  (FERPA) - against GDPR.

 

Family Educational Rights and Privacy Act



 

GDPR

Purpose -

The Family Educational Rights and Privacy Act of 1974, as amended, sets forth requirements regarding the privacy of student records.

To enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.

Material Scope

FERPA applies to K-12 schools and postsecondary institutions.Specifically for this match-up the scope is limited to Eligible Students (those 18 or those attending an institution of higher education regardless of age).

Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law.

Territorial Scope

Any educational institution (school or other entity that provides educational services and is attended by students) or educational agency (entity that administers schools directly linked to it) that receive funds under any program administered by the U.S. Secretary of Education.

Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union.

Personal Data

Personally Identifiable Information (Information that would directly identify the student or make the student’s identity easily traceable) known as directory information. Educational Records - directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution

Personal data means any information relating to an identified or identifiable natural person (the ‘data subject’). An identifiable natural person is anyone that can be identified, either directly or indirectly, by reference to anything that can ultimately identify them. This includes a name, an identification number, location data, an online identifier or to data that relates to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Sensitive Personal Data

In the 2009 regulations clarification was provided that a social security number (SSN), or part of an SSN, cannot be designated as directory information. In addition, the revised regulations state that a Student Identification Number (SIN also cannot be directory information. For exception see below (1)

Grades, GPA, race, gender, religion and national origin are also items that cannot be designated as directory information.

Special categories of data that are considered particularly sensitive are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

(1) Noted Exception - “a student ID number, user ID, or other unique personal identifier used by the student for purposes of accessing or communicating in electronic systems” can be directory information “Only if the identifier cannot be used to gain access to education records without an additional factor. “ (p.25 FERPA 2012 guide)

 

Subscribe

AACRAO's bi-weekly professional development e-newsletter is open to members and non-members alike.