By Audience: Postsecondary School Officials

The resources on this page are intended for staff and educators of Postsecondary Institutions.  Resources found here typically address FERPA’s requirements and how they apply to the various day-to-day operations of postsecondary institutions that may be different than the K-12 setting.  Guidance is also provided for the particular challenges encountered at the postsecondary level as it relates to the handling and protection of students’ Personally Identifiable Information.

Guidance and Best Practices

Data Breach Response Training Kit

Any organization with electronic records is vulnerable to security breaches, and education agencies are no exception. The PTAC Data Breach Scenario is one of a series of exercises intended to assist schools, districts, and other educational organizations with internal data security training.

The Password Data Breach interactive exercise is aimed at district management and provides a simulated response to a district-level data breach. Over the course of 1-2 hours, this customizable exercise leads participants through a scenario involving a breach of student information and other personally identifiable information. The exercise focuses on the processes, procedures, and skills needed to respond. The package includes three parts: Facilitator’s Guide, PowerPoint Slides, and Exercise Handouts. 

Guidance and Best Practices

Best Practices for Data Destruction

The Data Destuction Document is a best practices guide on properly destroying sensitive student data after it is no longer needed.  It details the life cycle of data and discusses various legal requirements relating to the destruction of data under FERPA, and examines a variety of methods for properly destroying data.  The guide also discusses best practices for data destruction and provides some real-world examples of how to implement it within your organization.

Guidance and Best Practices

Protecting Student Privacy While Using Online Educational Services: Model Terms of Service

The Privacy Technical Assistance Center, working with the Department of Education’s Family Policy Compliance office, has developed a checklist document that provides a framework for evaluating online educational tools' Terms of Service Agreements.  This document is intended to assist users in understanding how a given online service or app will collect, use and/or transmit user information so that they can then decide whether or not to sign up.

The document is divided into several sections:

Guidance and Best Practices

Data Security Checklist

This checklist is designed to assist stakeholder organizations with developing and maintaining a successful data security program by listing essential components that should be considered when building such a program, with focus on solutions and procedures relevant for supporting data security operations of educational agencies.

Guidance and Best Practices

Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices

This document addresses privacy and security considerations relating to computer software, mobile applications (apps), and web-based tools provided by a third-party to a school or district that students and/or their parents access via the Internet and use as part of a school activity. Examples include online services that students use to access class readings, to view their learning progression, to watch video demonstrations, to comment on class activities, or to complete their homework.

Guidance and Best Practices

Frequently Asked Questions - Disclosure Avoidance

This document is intended to provide general guidance to State and local educational agencies and institutions about the best practice strategies for protecting personally identifiable information from education records in aggregate reports. The paper provides suggestions on how to ensure that necessary confidentiality requirements are met, including compliance with the Family Educational Rights and Privacy Act (FERPA). The information is presented in the form of responses to frequently asked questions (FAQs), followed by a list of additional resources at the end.

Guidance and Best Practices

Data Breach Response Checklist

This publication provides educational agencies and institutions with a checklist of critical breach response components and steps to assist stakeholder organizations in building a comprehensive data breach response capability. The checklist is meant to be used as a general example illustrating some current industry best practices in data breach response and mitigation applicable to education community.

Letters

Letter to Liberty University

This letter was sent to Liberty University in regards to a request for clarrification on the extent FERPA would require Liberty University to provide individuals allegedly involved in fraud rings with the opportunity to inspect and review investigation reports prepared by the University related to suspected financial aid fraud.  

Letters

Cyber Advisory - New Type of Cyber Extortion / Threat Attack

Schools have long been targets for cyber thieves and criminals.  We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records.  In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received.