Google Docs FERPA Compliance

FERPA – Family Education Rights & Privacy Act

Segment: Education
Google Apps Edition: Google Apps for EDU

The Standard – Background

The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

The act has 2 main aspects, ensuring that students can access their educational records while maintaining the privacy of those records:

  • Providing students with access to their educational data – parents or eligible students have the right to inspect and review the student’s education records maintained by the school
  • Privacy policy – schools must have written permission from the parent or eligible student (with certain exceptions) in order to release any information from a student’s education record

Challenges

As many schools and universities transition to Google Apps and adopt Google Docs, student educational records are now being stored in the cloud. The same FERPA guidelines apply both on-premise and in the cloud, and they require the IT staff of these institutions to maintain adequate access controls to ensure that student records are not exposed.

Exposure can result from inappropriate sharing of sensitive information, whether mistaken or malicious, or from unauthorized 3rd party apps that gain access to the organization’s domain.

Meeting FERPA Requirements In Google Docs with CloudLock:

| FERPA Requirements | Action Required | CloudLock Feature |
|---|---|---|
| Privacy Policy – student educational records should not be public and can be released only with authorization. | Find all documents containing student PII | CloudLock’s Compliance Scan provides the ability to effectively find files containing student Personally Identifiable Information (PII). Once documents are identified they can be reviewed and secured to prevent unauthorized access. |
| | Ongoing monitoring and alerting | CloudLock’s Security Policy Engine lets IT set content, context and sharing based policies and put security monitoring on autopilot. The policy engine alerts designated security staff when sharing policies on student documents do not follow acceptable use policies. |
| | Review permission settings and correct access rights | CloudLock provides a full audit of all documents in the domain and their access rights. Domain administrators can notify document owners of document exposure or excessive permissions. They can also correct and change the access rights (even for documents they are not collaborating on). |
| | Enable adoption of trusted apps | CloudLock’s Apps Firewall gives IT visibility into all 3rd party applications installed in the domain and their access rights. 3rd party apps can then be classified based on risk profile and revoked if they do not conform with the organization’s approved applications policy (AAPs). |