FERPA and other compliance guidance around free software as a service offers
Many companies promote free web-based services (software as a service) to educators who are rapidly converting to virtual teaching. It is important to keep in mind that while we need to be nimble, we cannot forget our confidentiality obligations for use and disclosure of student data.
When you sign up for a web-based service, you are agreeing to legally binding terms and conditions.
Some companies may have terms and conditions that might actually violate FERPA or other regulatory laws. Others may be trying outright to get this data for their own gain. FERPA violations, even if unintended or unanticipated, expose the University to potential legal liability.
Use established software and services
Established software and services that have been identified by the Faculty Academy and IT should be used. These have been vetted and approved by the University already, and in many cases have existing legal agreements in place that mean you, our students, and the University are already protected. Please review the list of currently approved and supported titles for transitioning to virtual teaching.
Services that provide a "class code"
If you believe some other service may provide a better opportunity for your students, see if the provider offers an option to provide a class code for use. This prevents students from having to provide their email or other Personally Identifiable Information (PII) to the service. Please be aware that you may have to sign up online. By signing up and using the service, you provide your PII and other information at your own risk and pursuant to the terms of the service you agree to when you sign up.
Student Opt-In Services
If there is a service you are interested in where students must establish individual accounts to log in, please ensure that each student can sign up for the service independently. This allows the student to make a choice and bring any concerns about using the service to you prior to signing up.
Services that require faculty or University-created accounts
In a situation where the faculty member or the University is required to create the account on the student’s behalf in order for the service to be used, a reviewed and signed legal agreement must be in place. In this scenario, you and the University are liable for any unauthorized disclosure of student data under FERPA and other applicable privacy laws. Please don’t put our students, their PII, or yourself at risk.
There is no exception to this rule, even in times of crisis.
Please submit an IT Help Desk ticket if you have a service that needs to be reviewed. IT will check for any existing agreements for the service and coordinate a technical and legal review if needed.
Review FERPA guidelines
For general information or a refresher on FERPA, please review the following resources:
Special note about HIPAA Compliance and Protected Health Information
As required by the Health Insurance Portability and Accountability Act (HIPAA), all University use of Protected Health Information (PHI) on campus must be done as part of an approved business process by individuals designated in the “Covered Entity” or with a “Business Associate Agreement”. Additionally, no PHI whatsoever should be stored or processed electronically without prior approval of Information Technology and the Office of General Counsel. To ask a specific question about appropriate use of PHI or to have a business process involving PHI reviewed, please submit a ticket.