The Family Educational Rights and Privacy Act (FERPA), which sets out the law on students’ rights to privacy, and a vendor security assessment toolkit called HECVAT, are the subject of renewed focus in US universities. Higher education institutions are anxious to preserve student rights while also managing the growing mountain of data from the Covid-19-driven switch to virtual learning.
The cloud has become a popular storage point for many campus data managers, but with it comes scrutiny on the security of systems from potential third party vendors. The increase in data flow requires more stringent risk assessment, a role filled by HECVAT, a security evaluation toolkit used by universities when choosing new vendor partners. With efforts both to uphold student privacy and ensure security of their personal information, this article provides FERPA guidance and key facts on the role of HECVAT.
Steering a Path through Student Records
The urgent need to reach learners at home and facilitate exams online, while still promoting student recruitment, is racking up pressure on campus IT departments. Already they’re grappling with transferring large amounts of university data to the increasingly popular cloud. The increase in digital learning only serves to heighten long-running debates around ‘smart’ campuses, ethics of student data use, and related security measures.
FERPA1 is the key legislation enacted in 1974 to guide universities on student records management. The Act protects the privacy of student education records maintained by, or on behalf of, educational agencies, institutions or applicable programs funded by the US Department of Education (DoE). It allows parents or eligible students (ie. aged 18+) certain rights: to access such records and request that ‘inaccurate or misleading’ comments be amended or, if no agreement is reached, the right to include a supplementary statement attached next to the disputed comment; to provide consent to the disclosure of personally identifiable information (PII) from student education records; and to file a complaint under the Act.
FERPA and Virtual Learning Requirements Explained
The government advice answers a number of questions on security and best practice by examining different dilemmas arising from a virtual lesson taught from home. It covers times when a university can release information held digitally without consent and the use of video and other forms of digital instruction (emails, group chats, teleconferences, etc). It highlights the importance of defining education records, knowing what is meant by PII and when electronic consent (particularly in lockdown and other health-related situations) is legally acceptable.
Compliance with FERPA requires universities to consider a number of security questions in connection with the above areas. What, if any, PII from student education records may a lecturer take home when setting up digital instruction? Can videoconferencing or other virtual learning software apps be used to put on virtual classes? Can non-students view a virtual lesson? Can the classes be recorded? If so, are they being shared and with whom? Answers to these key questions are summarized in the Q&A section below.
HECVAT Labour-Saving Tool that Matches Campus to Vendor
Virtual learning with all its privacy issues has suddenly been sprung wholesale on universities. Privacy and data security issues loom large and, while some universities have created their own security assessment and review approach to cloud services, many other campuses lack the resources to carry out thorough testing. Due diligence is required around encryption, strong identity authentication, and compliance with FERPA in vendors’ use of PII. Universities spend endless time and resources assessing a range of providers before signing a deal, while vendors are continually presented with different sets of questions from various campuses. Yet all are attempting to establish the same kind of clarity and understanding.
There is a solution. HECVAT – or, to give it its full name, the Higher Education Community Vendor Assessment Toolkit– is a suite of risk assessment tools specially designed to help universities measure vendor risk. It reliably speeds up the process of partnering with the most suitable third-party vendors.
Created by the Higher Education Information Security Council Shared Assessments Working Group in October 2016, the toolkit carries questionnaires with a standardized set of key risk assessment questions pertinent to all types of student-linked software – questions that all universities should put to vendors across a range of different security situations.
Prior to buying a third-party solution, universities signed up to HECVAT simply ask solution providers for a completed HECVAT questionnaire. It details how they follow the necessary information, data, and cybersecurity policies to protect the higher education institutions’ own sensitive information and the privacy of their students’ PII.
Vendors, meanwhile, need to fill in the HECVAT assessment tool and share it in the toolkit’s Cloud Broker Index. A vendor’s completed assessment is then available to many institutions, saving the universities time and money previously spent on their own assessments.
Six Tools to Cut Risk and Increase Security
HECVAT combines vendor risk management best practices and common security control requirements. It offers various free-to-use risk assessment templates at different levels under the following tools:
Triage – initiates risk security assessment requests, identifying which tool is best to use for your assessment
Full – robust questionnaire to assess the most critical data-sharing engagements
Lite – a condensed questionnaire template to speed up the assessment process
On-premise – a questionnaire to evaluate on-premise appliances and software
Cloud broker index – a list of completed vendor assessments
Users’ group – a forum for asking questions and requesting changes
Further information on the tools is available from the Research and Education Networks Information Sharing and Analysis Center4.
Virtual Learning Going Mainstream
So what's been the feedback on HECVAT so far? To date, some 85 universities and colleges from the US and Canada are using the toolkit, along with more than 30 providers including Lorensbergs.
General reaction suggests that institutions and vendors already signed up to HECVAT show strong agreement on the key criteria to use in assessing potential cloud services – unity that is vital as virtual learning grows ever closer to mainstream status in the delivery of higher education.
Q&A – Virtual Learning and Adherence to FERPA
Q. May I, as a staff member, take home PII from student education (SE) records to help a switch to online teaching?
A. Yes, as long as you have a legitimate educational interest in education records, which has been agreed on by your institution, and you use reasonable ways (e.g. accessing physical, technological and admin controls) of protecting PII in SE records from further disclosure. Consider: what SE record (or the PII that it contains) is being taken home, and how will it be brought home and accessed?
Q. May we use videoconferencing or other virtual learning software apps for virtual classes
A. Yes, PII or SE records may be disclosed to a service/app provider who is taking a role that a staff member would otherwise fill, is fully vetted in line with FERPA as an institution's official, has a legitimate educational interest in SE records and does not disclose them to anyone else. Consider: does your institution allow this type of software and how does it review software requests?
Q. Does FERPA address which online software apps can be used?
A. No, it rules on privacy, not information security standards, so your institution should itself review information security requirements and terms of service.
Q. Can non-students observe a virtual lesson?
A. Yes, provided no PII (from SE records) is disclosed during the lesson. Consider: do you have polices on visitors to virtual classrooms and on sharing lessons or instructional materials?
Q. Can we record virtual lessons and share recordings with students unable to attend on campus?
A. Yes, provided no PII is disclosed during the recording unless written consent is obtained. Consider: are you keeping the recording as an SE record and with whom are you sharing it? How do you prevent unauthorised disclosure on recordings?
Q. How do we meet a parent’s request for access to their child's SE record when our campus is closed?
A. FERPA gives you 45 days to comply after receiving a request, but you do not generally have to provide parents with a copy of an SE record, unless they are unable physically to inspect and review it. Social distancing etc requires mutual agreement about viewing times.
Q. May we get students to give electronic consent to SE record disclosure when our campus is closed?
A. Yes, a signed and dated written consent must specify which records are being disclosed and why, and who will receive the disclosure. Consider: do you have a standard consent form under FERPA? How to verify the identity of an individual from their email?
Q. I'm a teacher at home planning a conference with a student but I have to share my workspace with my spouse – may I still go ahead?
A. Yes, as long as you only disclose PPI after written (electronic) consent and you discuss it out of your spouse’s earshot.
More detailed guidance on these and other issues is available from a range of US Department of Education (DoE) resources, including webinar materials, more in-depth FAQs5 and other documents produced by the DoE’s Privacy Technical Assistance Center – a one-stop resource for education institutions to learn about data privacy, confidentiality and security practices.
1) US Department of Education, Family Educational Rights and Privacy Act (FERPA) https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
3) FERPA and Virtual Learning during Covid-19 (webinar pages):
4) HECVAT information and resources: www.ren-isac/public-resources/hecvat.html
5) Protecting Student Privacy – detailed FAQs https://studentprivacy.ed.gov/frequently-asked-questions
Protecting Student Privacy: Online Training Modules: https://studentprivacy.ed.gov/content/online-training-modules
Data Security and Management Training: Best Practice Considerations: