Family Educational Rights and Privacy Act (FERPA) Compliance on AWS
The Family Educational Rights and Privacy Act (FERPA) of 1974 was enacted to support and promote the protection of privacy and reasonable governance of student education records.
FERPA provides parents of students and eligible students:
- The right to inspect and review their education records.
- Governance over disclosure of their education records.
- A mechanism to amend incorrect education records.
FERPA requires educational agencies and institutions to use reasonable methods to ensure the security of their information technology (IT) solutions. This may be achieved by hosting education records on cloud computing solutions. The law, in general, requires covered institutions and agencies to reasonably safeguard student education records from improper use or disclosure. FERPA defines “education records” as “records, files, documents, and other materials that are maintained by an educational agency or institution, or by a person acting for such agency or institution.” Education records also include any record that pertains to an individual’s previous attendance as a “student of an institution.”
Securing student record information, including students’ personally identifiable information (“PII”), is essential for educational institutions, and for the vendors that provide them with services, that fall under the purview of FERPA and state student data privacy laws.
AWS implements physical and logical controls for internal services and provides customers with access to security, identity and compliance services to help them build solutions that comply with student data privacy requirements. AWS offers a comprehensive set of features and services to make encryption of PII easier to manage and simpler to audit, including the AWS Key Management Service (KMS). Customers with student data privacy compliance requirements have a great deal of flexibility in how they can leverage AWS to help them meet encryption requirements for PII.
What is FERPA?
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”). The FERPA statute is found at 20 U.S.C. § 1232g and the FERPA regulations are found at 34 CFR Part 99.
Does AWS know what type of data a customer is storing, transmitting, or processing on AWS?
AWS has no insight into what type of content the customer chooses to store in AWS, and the customer retains complete control of how they choose to classify their content and where it is stored, used, archived and protected from disclosure.
What’s the risk of data access with the cloud compared to other methods?
Preventing unauthorized access requires practicing proper security hygiene and implementing robust preventive and detective capabilities. For example, systems should be designed to limit the “blast radius” of any intrusion so that one compromised node has minimal impact on any other node in the enterprise. AWS provides a full security tooling environment that is designed to enable customers to maintain encrypted communications and implement tampering protections to mitigate the risk of unauthorized access. AWS does not have visibility into, or knowledge of, the contents of a customer account, including whether or not that content includes any personal information.
For more information, read the AWS Risk and Compliance Whitepaper: Amazon Web Services: Risk and Compliance