Most educators know about the federal student data privacy laws such as the Family Educational Rights and Privacy Act (FERPA) administered by the US Department of Education. However, modern schools increasingly adopt new technologies such as cloud service providers for managing everything from homework assignments in Google Drive to education data in records management data systems. In higher education, protecting student privacy rights may not only require knowing the federal law but also the applicable state privacy laws.

Student Data Privacy Law

What are the primary federal privacy protection laws?

FERPA protects the privacy of student education records. The law determines that parents have certain rights to their children’s student records while children are under age 18 or in a K-12 environment. Once the rights transfer to the student upon entrance to an institution of higher education, the student is considered an “eligible student” and becomes the custodian of their information.

Under FERPA, parents or eligible students may review education records and have the right to request corrections to records. Schools must have written permission to disclose the information except in certain conditions, such as providing it to schools to which a student is transferring, complying with a judicial order, or sharing with school officials who have a legitimate educational interest.

Nonpublic, personally identifiable information may be disclosed without consent in a directory. This authorized disclosure includes information such as birth date, place of birth, address, telephone number, honors and awards, and dates of attendance. However, the school must notify parents and eligible students, providing them the opportunity to opt out.

What are some critical state privacy laws?

To protect student information, several state legislatures have enacted their own laws governing data security. Some of these state laws impact higher education institutions outside the original state since they protect the students and the rights travel with them.


The California Consumer Privacy Act of 2018 (CCPA) established restrictions governing company use of consumer data. In higher education, this impacts educational companies collecting student information. Even more restrictive, the law protects residents. Therefore, if a student lists California as their primary state of residence, educational institutions outside of California need to ensure that their service providers maintain data privacy under the law.


In 2018, Connecticut established a working group to review student device privacy regarding search and seizure and the potential impact of social media posts that could signal student mental health issues. Although the working group focused on public education, the discussions could also lead to data privacy concerns for higher education institutions. The working group also noted that applications that schools use to enable student educational opportunities need to incorporate privacy policies. To the extent that future mandates are informed by the current working group, higher education may need to review the applications they use for student records.


Although specifically focused on public school districts and students in kindergarten through high school, the 2018 Iowa bill established additional third-party governance requirements over applications. Public schools need to ensure that their third-party vendors protect student nonpublic information. Although limited in nature, the bill heralds a potential future compliance risk for higher education should the state decide to expand protects in the future.

Rhode Island

This 2014 privacy legislation focused on online services. To protect student data, the law limits data and information that cloud services obtain when providing services for K-12 institutions.


The 2013 Student Data Accessibility, Transparency and Accountability Act focused on state data collection, mandating a statewide student data security plan. Moreover, the Act set specifications for individual student data that institutions collect and use.

What Data Security Impact Do These Laws Have?

In education, the privacy of student personal information incorporates not only giving students and parents control over information but ensuring data governance controls remain effective.

According to the Data Quality Campaign, more than 120 bills were introduced or passed in 2016 to help enforce data privacy. With the exception of the CCPA, most laws that protect students’ right to privacy focus on the public education K-12 sector. Although many institutions of higher education may feel that they do not need to align their controls with these laws, they need to consider the future of data governance.

Data security is a fundamental aspect of data privacy. While students and parents should have control over information disclosed, they also need assurance that institutions keep the data secure. A data breach, particularly one arising from a cloud service provider, can lead to unauthorized disclosure.

Thus, institutions of higher education need to ensure that they have appropriate vendor monitoring programs in place. These include establishing risk assessments, risk analyses, security policies, and service level agreements.

What Higher Education Needs to Know About Managing Vendor Risk

As higher education moves towards adopting more cloud service providers, it needs to look at how it manages data and cybersecurity risk.

Software-as-a-Service (SaaS) providers who help maintain student records leave nonpublic information at risk. Whether used by the registrar or financial aid office, the platform accesses student information such as birth date, social security number, and address. A data breach arising from one of these services can lead to identity theft.

Moreover, even shared drives that use the institutions’ networks can leave data at risk. Network security, in an increasingly connected world, means engaging in continuous monitoring over firewalls and email gateways.

How ZenGRC Enables Higher Education

Institutions need an automated process for tracking and documenting security reviews.

ZenGRC allows instituions of higher education to prioritize tasks so that everyone knows what to do and when to do it enabling more rapid reviews of the “to do” lists and “completed tasks” lists.

With our workflow tagging, users can assign tasks to the individuals responsible for the activities involved in vendor risk assessment, risk analysis, and risk mitigation.

Finally, with our audit trail capabilities, institutions can document remediation activities to prove that they maintained data confidentiality, integrity, and availability to protect student privacy.

For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.