By Audience: Postsecondary School Officials

Letter of finding regarding the applicability of FERPA and attorney client privilege.

The Data Destruction Document is a best practices guide on properly destroying sensitive student data after it is no longer needed.  It details the life cycle of data and discusses various legal requirements relating to the destruction of data under FERPA, and examines a variety of methods for properly destroying data.  The guide also discusses best practices for data destruction and provides some real-world examples of how to implement it within your organization.

This guidance document consists of thirty-seven commonly asked questions about schools’ and school districts’ responsibilities under FERPA relating to disclosures of student information to school resource officers (SROs), law enforcement units and others, and seeks to explain and clarify how FERPA protects student privacy while ensuring the health and safety of students and others in the school community. SRO LEU LEO

Letter to School & College Legal Services of California in regards to a question about whether FERPA permits a school district to disclose personally identifiable information (PII) from a student’s “health records, such as immunizations data,” to county or State health officials without parental consent.

Letter in response to an inquiry on FERPA regarding a request from a parent for a copy of a suveillance video of a hazing incident involving multiple students, and for copies of witness statements regarding the incident.

This letter was sent to Liberty University in regards to a request for clarification on the extent FERPA would require Liberty University to provide individuals allegedly involved in fraud rings with the opportunity to inspect and review investigation reports prepared by the University related to suspected financial aid fraud.  

Schools have long been targets for cyber thieves and criminals.  We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records.  In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received.

Any organization with electronic records is vulnerable to security breaches, and education agencies are no exception. The PTAC Data Breach Scenario is one of a series of exercises intended to assist schools, districts, and other educational organizations with internal data security training. The Password Data Breach interactive exercise is aimed at district management and provides a simulated response to a district-level data breach. Over the course of 1-2 hours, this customizable exercise leads participants through a scenario involving a breach of student information and other personally identifiable information. The exercise focuses on the processes, procedures, and skills needed to respond. The package includes three parts: Facilitator’s Guide, PowerPoint Slides, and Exercise Handouts.

This document is a template notice for notifying parents and eligible students (students over 18 years of age or attending a school beyond the high school level) about the type of information from student’s education records, designated by a School District as “directory information,” that schools may disclose without consent, unless advised to the contrary.  This version is the Spanish translation.