“Parchment is heavily invested in both privacy and security, including FERPA compliance. At the same time, we make sure that we balance protecting learners with providing a superior user experience.” – Erin Elliot, Director of Solution Engineering and Information Security, Parchment
Under FERPA (Family Educational Rights and Privacy Act of 1974), schools are responsible for protecting student data. However, privacy laws can be confusing and complex, making it difficult to comply completely. This is especially true with the transition from paper to digital information. What’s more, your school/district also must ensure that your third-party vendors have appropriate safeguards in place.
At Parchment, we understand your privacy and security concerns. That’s why our digital credentials solutions adhere to all FERPA regulations (and state regulations where necessary). And further, our digital records are securely stored and blue-ribbon certified, so receivers know records haven’t been altered.
Simply put, with FERPA, parents have the right to access their minor student’s high school records and authorized consent is required before disclosure of high school records, in accordance with the provisions of FERPA.
Once students turn 18 or enter a post-secondary institution (even if still a minor), they have sole access to their school records. For dual-enrollment students, parents can only access high school records, not those from a college or university.
FERPA also defines what information can be shared and when consent is required. FERPA designates certain information as directory information; this data includes first and last name, date of birth, student ID number, and graduation date. Any student education-related data (transcripts, diplomas, or any document that’s being fulfilled through Parchment) is protected under FERPA.
Today, protecting student information is more important than ever. So, it’s key for you to understand what, when, how, and with whom (internally and externally) you can share. That said, FERPA laws are complicated and often misunderstood.
In our conversations with schools and districts, there have been some misconceptions about FERPA requirements for K12, particularly about requesting a record. Do schools need to validate the student’s identity to release a record?
With FERPA, educational agencies and institutions are required to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and other parties before disclosing or permitting access to PII. For example, obtaining a photo ID (like a driver’s license) may be used as a reasonable method to validate a requester’s identity, however it is not the only method of validation that can be used and is NOT specifically required under FERPA.
About Electronic Signatures
When it comes to electronic signatures, FERPA requirements are somewhat generic:
- A valid FERPA consent must be signed and dated by the parent or eligible student
- Electronic signatures are accepted if they:
- Authenticate and identify the parent or eligible student as the electronic consent source
- Indicate that person’s approval of the electronic consent information
Thus, Parchment uses industry standards to authenticate the electronic consent source, and the person must approve the information. Plus, the signature must be attached to a downloadable/save-able file.
Parchment and FERPA Compliance
Parchment services include the electronic ordering, fulfillment, and delivery of academic credentials and data, including transcripts and related admissions documents, diplomas, test score reports, certificates, and certifications, as well as the electronic awarding of Credentials.
By accessing and using our site or by clicking “I accept” prior to registration on the site, students consent to the collection, use, and disclosure of their information and personal data by Parchment. When ordering transcripts via Parchment, students proceed through the checkout and clicks next, providing consent to release the transcripts and to receive email notifications regarding their order.
In summary, the Parchment’s responsibility under FERPA is relatively limited: transporting information from point A to point B, consenting for an employer, school, or scholarship provider to have access to the transcript. Note that it’s not a blanket permission. We collect consent for each individual order.
At Parchment, we understand how important student privacy is, and we take our role in protecting it very seriously.
While compliance with FERPA for the consent and release of records is your most common need, Parchment also takes additional steps to prevent unauthorized disclosure.
That means we use the highest industry-standard technology designed to protect your information and all transmissions made through our site. In addition, we also take measures to protect the confidentiality, security, and integrity of personally identifiable information collected on our site.
Parchment follows Industry-standard auditing procedures, including:
- SOC2 Type 2: audited for security, privacy, processing integrity, availability, and confidentiality
- PCI: Payment Card Industry
- Privacy policies: compliance with GDPR (EU’s General Data Protection Regulation) and CCPA (California Consumer Privacy Act)
- The Family Educational Rights and Privacy Act (FERPA, NACAC Knowledge Center
- Family Educational Rights and Privacy Act (FERPA), US Department of Education
- Protecting Student Privacy, By Audience: K-12 School Officials, US Department of Education
- FERPA Compliance in the Digital Age: What K12 Schools Need to Know. EdTech Magazine, 9/26/19
- FERPA Basics: How K-12 Schools Can Update Their Data Privacy Approach, EdTech Magazine, 9/20/19
- How K-12 Schools Can Balance Privacy and Security Protocols, EdTech Magazine, 5/21/19