Information Security Standard
FERPA Protects Privacy
FERPA applies to public schools and state or local education agencies that receive Federal education funds, and it protects both paper and computerized records. State laws can supplement FERPA, but compliance with FERPA is necessary if schools are to continue to be eligible to receive Federal education funds (US Department of Education).
FERPA-protected information falls into three categories:
- Personally identifiable information (level 1 protected data).
- Educational data (level 2 protected data).
- Directory information (information that is not generally considered to be harmful or an invasion of privacy if disclosed).
FERPA-Protected Data and Email
The US Department of Education has declared that unencrypted emails containing FERPA-protected data (FPD) are insecure and, therefore, prohibited. Institutions can be held liable for violating privacy rights if unauthorized individuals gain access to emails containing unencrypted FPD.
If a specific business practice (activity) requires the use of email as a form of communicating FPD, departments shall define business processes (specific steps) for that practice.
When emailing FPD, all District personnel (staff, faculty, or any other individual operating on behalf of the District) shall adhere to the following:
District Personnel Shall:
- Encrypt all emails containing FPD.
- Use approved District resources to email FPD.
- Email FPD to only those District personnel with the legitimate need to know.
District Personnel Shall Not:
- Send an email containing FPD to non-LBCCD accounts unless the appropriate student release form has been signed and filed with Enrollment Services.
- Use forms of personal technology (personal phones, email accounts, social media, etc.) to communicate with or about students. All communication regarding students is considered discoverable and, therefore, can be used in a formal student records request.
If District personnel receive an email that contains PII, they shall remove or redact that PII and respond to the sender with something to the following effect:
Long Beach Community College (LBCC) is committed to protecting your right to privacy. The Family Educational Rights and Privacy Act (FERPA) is a federal law that defines those rights and specifically prohibits institutions like LBCC from accepting or soliciting student passwords, social security numbers, or other forms of Protected Data. In the future, please do not email your confidential information to District personnel.
Examples of Educational and Directory Data
Educational Information includes, but is not limited to:
- Academic specializations and activities
- Courses taken
- Date and place of birth
- Disciplinary records
- Medical and health records that the school creates or collects and maintains
- Official letters regarding a student’s status in school
- Parent(s) and/or guardian addresses
- Picture (ID)
- Schools attended
- Social security number
- Special education records
- Test scores
- Where parents can be contacted in emergencies
- Other information that would make it easy to identify or locate a student
Directory Information includes, but is not limited to:
- Certificates or awards received
- Dates of attendance
- Height and weight of members of athletic teams
- Phone number
- Pictures of students
- Student ID
- Verification of student participation in school activities and sports
For more information about FERPA, please see Family Educational Rights and Privacy Act.