Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of students’ education records, including personally identifiable and directory information. FERPA was enacted to ensure that parents and students age 18 and older can access those records, request changes to them, and control the disclosure of information, except in specific and limited cases where FERPA allows for disclosure without consent.
The law applies to schools, school districts, and any other institution that receives funding from the US Department of Education—that is, virtually all public K–12 schools and school districts, as well as most post-secondary institutions, both public and private.
Security is central to compliance with FERPA, which requires the protection of student information from unauthorized disclosures. Educational institutions that use cloud computing need contractual reassurances that a technology vendor will manage sensitive student data appropriately.
FERPA does not require or recognize audits or other certifications, so any academic institution that is subject to FERPA must assess for itself whether and how its use of a cloud service affects its ability to comply with FERPA requirements. However, Microsoft has made the following contractual commitments that attest to its compliance:
- In its Online Services Terms, Microsoft agrees to be designated as a “school official” with “legitimate educational interests” in customer data as defined under FERPA. (Customer data would include any student records provided through a school’s use of Microsoft cloud services.) When handling student education records, Microsoft agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) just as school officials do.
- Furthermore, Microsoft commits to using customer data only to provide organizations with its cloud services and compatible purposes (such as improving malware detection), and does not mine customer data for advertising.
- Microsoft also contractually commits not to disclose customer data except as the educational institution directs, as described in the contract, or as required by law. Schools that provide education records to Microsoft through their use of a Microsoft cloud service can thus be assured that those records are subject to stringent contractual restrictions regarding their use and disclosure.
As a result of these contractual commitments, customers that are subject to FERPA—both educational institutions and third parties to whom they give access to sensitive student data—can confidently use in-scope Microsoft business cloud services to process, store, and transmit that data.
Frequently asked questions
Audit cycle and certification
FERPA does not require or recognize audits or certifications.
Microsoft in-scope cloud services
Services for which Microsoft agrees to be designated as a “school official” with “legitimate educational interests” in customer data include:
Azure Active Directory, API Management, App Services (API Apps, Mobile Apps, Web Apps), Automation, Backup, Batch, BizTalk Services, Cloud Services, Azure Cosmos DB, Event Hubs, Express Route, HDInsight, Key Vault, Load Balancer, Machine Learning, Management Portal, Media Services, Multi-Factor Authentication, Notification Hub, Operational Insights, Redis Cache, RemoteApp, Rights Management Service, Scheduler, Service Bus, Site Recovery, SQL Database, Storage, StorSimple, Stream Analytics, Traffic Manager, Virtual Machines, Virtual Network, Visual Studio Team Services, and Workflow Manager