Highlights:
- Regulatory requirements to protect student data privacy necessitate careful thought for higher education institutions.
- FERPA, HIPAA, IDEA, and GDPR all apply to student privacy.
- Choosing a secure communications platform is essential for higher education.
👩🏫 💻 📚 Need a refresher on virtual learning best practices? Grab our eBook for tips, techniques, and tools.
Students share so much information with their educational institutions. While the intention of this sharing is to ensure that students are safe and able to succeed at school, much of the information shared is confidential. Whether it is a student’s home address, health history, or immigration status, this information must be protected and shared with the appropriate authorities and no one beyond that.
What are your obligations when it comes to safeguarding student information, and how can you ensure compliant communications?
FERPA protects students’ educational records
FERPA exists to protect students’ rights in regards to their educational privacy. It protects students’ educational records such as report cards, college transcripts, schedules, school records, and key contact and family information. Parents have the right to access this information until a child turns 18 or enters a post-secondary institution. After that, the information is the student’s alone.
The educational institution may not share this information with anyone without the prior consent of the student. This information can be shared with others if there is an emergency and sharing is necessary to protect the health and safety of the student or those around them.
When communicating with students, your institution must ensure the privacy of student records and have administrative and security procedures in place. For instance, transcript requests and awards and disciplinary records may only be shared with others when the students request this.
HIPAA protects health information
Health information is sensitive information, and students and their families need to know that information is protected. HIPAA is a federal law also known as the Health Insurance Portability and Accountability Act of 1996. To comply with HIPAA standards, you must have multiple layers of security to ensure that electronic public health information is not compromised. These include administrative, physical, and technical strategies to safeguard health information. Health records may be disclosed to those who are treating the student, such as a doctor that the student has chosen.
While schools may not collect a student’s entire health history, they do collect information pertinent to a student’s in-class experience, including information about illnesses, allergies, and health-related issues such as vaccination. However, for many school-based purposes, health information falls under FERPA. In grades K-12, students’ health records are considered to be part of a student’s educational records, and they are actually protected under FERPA. The FERPA rules also apply to postsecondary institutions and on-campus health clinics. These are referred to as educational or treatment records under FERPA.
No matter where the health information is collected or what regulations it falls under, that health information must be protected, and there are rules around its disclosure to parties other than the student or their parents.
IDEA focuses on students with disabilities
The Individuals With Disabilities Education Act (IDEA) may also cover some of the students at your educational institution. The provisions of this act are similar to those of FERPA, but they may be broader than FERPA rules. This act has its own regulations around parent consent, and it also allows participating disability-related agencies to access some student information without parental consent.
SEVP/SEVIS relates to information about nonimmigrant students
All institutions need to maintain accurate information about students to preserve national security. The Student Exchange Visitor Program (SEVP) is the Department of Homeland Security (DHS) program that administers Student Exchange Visitor Information System (SEVIS). According to US Immigration, this program “acts as a bridge for government organizations that have an interest in information on nonimmigrants whose primary reason for coming to the United States is to be students.” These programs guide both students and institutions to allow students to maintain their status in the United States.
On behalf of Homeland Security, SEVIS maintains information about these student visitors. Students are placed in an F, M, or J nonimmigrant status, depending on their status as foreign students or exchange students. An F status denotes that the student is in full-time academic studies, while an M status denotes that the student is in a vocational or nonacademic program. Spouses and children of the students also maintain the same status in the country.
The educational institution is obligated to keep records of the students’ ongoing participation in educational programs. If a student violates the terms of their student or exchange visitor status, they may be denied admission or benefits or removed from the United States.
The GDPR protects EU residents
The GDPR is the General Data Protection Regulation (GDPR) passed by the European Union in 2018. This regulation expanded the personal privacy rights of EU residents, turning privacy rights into a binding regulation. If you are working with international students, this regulation is something to consider.
According to the Educause Review, “the GDPR’s coverage extends to entities with no physical EU footprint if they “control” or “process” covered personal information of EU data subjects residing in the EU.” If you are running online classes with EU participants, this regulation would apply to your institution.
The GDPR protects information such as educational and financial information, health information, and physical and online contact information. The definition of protected information is extremely similar to that used in US privacy law. If you are working with EU residents, consider working with a data collection program that operates within the parameters of this EU law.
State laws may also apply to student information
State privacy laws also apply to parent and student communication, data collection, and data sharing. However, since they are quite specific, they typically do not conflict with federal laws. If more than one law relates to a student’s data, then the strictest law applies.
Compliant communications with a cloud-based communications platform
How can a cloud-based communications platform ensure that your educational institution is in compliance with all national data regulations?
While you still need to ensure that you collect the correct data, a cloud-based communications platform is not only a tool for student communication—it also automates a lot of your data tracking.
You can easily track usage with data analytics, confirming a student’s participation in classes. You can also keep records of student communications and student information. This includes students’ names, screen names, contact information, IP accesses, and date- and time-stamped student data.
When you’re working with a cloud-based communications platform such as RingCentral, data is stored securely and accurately. This eases worries about data security, tracking, and compliance.
Simplify your school year: ensure that your campus communications and data tracking is effective, compliant, and secure. When you’re looking for compliant communications, RingCentral can help. See how it works today.
Originally published Jun 22, 2022