Data privacy has never been more important, but data law in the U.S. is a patchwork of separate industry-specific guidance.
You may be familiar with the Family Educational Rights and Privacy Act (FERPA – 1974), landmark legislation that enacted rules for protection of student data. But FERPA is not the only law, or even the most recent, passed to protect students’ data.
The Gramm-Leach-Bliley Act (GLBA) was enacted in 1999 as an omnibus regulatory review of the financial industry. It protects customer data held by financial institutions, as well as any institutions with finance-adjacent activities. This includes the financial aid and scholarship programs at most colleges and universities.
While the GLBA is not legally applicable to secondary educational institutions such as private and charter schools, the two-fold data security approach recommended by the GLBA is an effective framework for protecting student data at all education levels.
Privacy Rule (16 CFR 313)
The ubiquitous data use disclosure form provided by the GLBA regulations
The first facet of the GLBA’s data protection regime requires institutions to provide a written notice of how they use the nonpublic data of their customers. It also requires that customers be allowed to opt out of these uses. Currently, student data is primarily used in school directories and for demographic and public policy purposes by state, local, and federal government agencies. But data such as students’ grades or who uses tutoring services could be just as valuable to firms like the College Board or tutoring companies. Students and parents deserve to know whether, and with whom, their data is being shared.
Safeguards rule (16 CFR 314)
The second facet of the GLBA’s approach to data security requires that institutions maintain a comprehensive information security program and assign a specific employee responsibility over that program.
According to the GLBA’s regulations, this program should be designed in a way that secures customer information and protects it against unauthorized access. To increase accountability, the GLBA requires that this program be the responsibility of a specific person. Their job description includes:
- Cataloguing reasonably foreseeable internal and external risks to data security, including employee competence and training, software effectiveness, and risks of external intrusion
- Designing, implementing, and maintaining safeguards against the identified risks
- When using third-party service providers, ensuring they are required by contract to implement and respect the safeguards put in place
- Continually evaluating the security program and keeping it updated to reflect changing circumstances and threats
While the GLBA may not apply to your organization in a legally binding way, the best practices it outlines should be part of your overall strategy for stewardship of student data. For more information about educational data privacy, please contact Aronson at 301.231.6200.
Disclaimer: This article serves as an overview to help educational institutions become familiar with the main data protection regulations in the United States. It is not intended, nor can it be relied upon, as legal advice.