Family Educational Rights and Privacy Act (FERPA)
Covered Entities: Public Educational Institutions
Governed by the U.S. Department of Education
The Family Educational Rights and Privacy Act of 1974 (FERPA) protects the privacy of sensitive and personally identifiable information (PII) in student education records and applies to all educational institutions that are the recipients of federal funding. FERPA prohibits the disclosure of student or parent information including health and immunization records; transcripts; disciplinary action; and student and parent PII such as name, address, telephone, and social security number unless given consent by the student (if over the age of 18) or the parent, or for reasons expressly required by the institution. In addition, the institution is required to document any disclosure of PII under FERPA.
While a specific disposal requirement is not mandated under FERPA, improper disposal of student records may result in non-compliance in two ways: 1) by disclosing PII without consent and 2) by failing to document said disclosure. The federal government may penalize educational institutions found to be in non-compliance with FERPA by withholding further payments under applicable programs or even terminating eligibility to receive funding.
Best practice for FERPA compliance includes following NIST 800-88 data disposal requirements. All of SEM’s high security paper shredders, disintegrators, IT shredders, IT crushers, and degaussers are appropriate for the disposal of covered student record data following NIST 800-88 protocols.