Tuesday, April 1, 2008

FERPA updates: Recommendations for Safeguarding Education Records

On March 24th, the Department of Education released 34 CFR Part 99, "Family Educational Rights and Privacy; Proposed Rule". This is a proposed update to FERPA (the Family Educational Rights and Privacy Act of 1974).

The document lists a number of recent incidents, ranging from grade exposures to SSN and personally identifiable information disclosures, and suggests that a number of steps are available to organizations after exposure. Most organizations should have similar steps in their incident response plan - if you don't, this provides at least a basic overview of the steps you'll want to take.

Remember, FERPA does not have a specific requirement regarding notification of students in the event of unauthorized release or theft of their education records - but organizations are required to maintain a record of each disclosure. This is very different many existing SSN and other PII disclosure laws.

As noted in the document, the Office of the Inspector General does provide a student focused identity theft resource site: http://ed.gov/about/offices/list/oig/misused/idtheft.html as well which includes a list of steps to take for victims: http://ed.gov/about/offices/list/oig/misused/victim.html. The FTC's identity theft guide is still an excellent resource as well: http://www.ftc.gov/bcp/edu/microsites/idtheft/

No comments: