Google Docs FERPA Compliance
Google Apps Edition: Google Apps for EDU
The Standard – Background
The Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
The act has 2 main aspects, ensuring that students can access their educational records while maintaining the privacy of those records:
- Providing students with access to their educational data – parents or eligible students have the right to inspect and review the student’s education records maintained by the school.
With the transition of many schools and universities to Google Apps and the adoption of Google Docs, student educational records are now being stored in the cloud. The same FERPA guidelines apply both on-premise and in the cloud, and require the IT staff of these institutions to maintain adequate access controls to ensure that student records are not exposed.
Exposure can happen through inappropriate sharing of sensitive information, whether mistaken or malicious, or through unauthorized 3rd party apps that gain access to the organization’s domain.
Meeting FERPA Requirements In Google Docs with CloudLock:
|FERPA Requirements||Action Required||CloudLock Feature|
|Ongoing monitoring and alerting||CloudLock’s Security Policy Engine lets IT set content-, context- and sharing-based policies and put security monitoring on autopilot. The policy engine alerts designated security staff when sharing settings on student documents do not follow acceptable use policies.|
|Review permission settings and correct access rights.||CloudLock provides a full audit of all documents in the domain and their access rights. Domain administrators can notify document owners of document exposure or excessive permissions. They can also correct and change the access rights (even for documents they are not collaborating on).|
|Enable adoption of trusted apps||CloudLock’s Apps Firewall gives IT visibility into all 3rd party applications installed in the domain and their access rights. 3rd party apps can then be classified based on risk profile and revoked if they do not conform to the organization’s approved applications policy (AAPs).|