Article Sections
- What is FERPA?
- What data does this cover?
- How is FERPA data legally shared with or collected by PeopleGrove?
- How does PeopleGrove ensure FERPA compliance with data once within the platform?
- What can partners do to limit FERPA issues?
- Disclosure
Overview
This document is intended for any PeopleGrove client or potential client who wants to review how PeopleGrove approaches FERPA data.
What is FERPA?
FERPA is a federal law that prohibits schools from disclosing personally identifiable information from a student’s educational record to a third party without written consent from the parent. This right transfers to the student when the student turns 18 years old or matriculates at a college or university.
What data does this cover?
FERPA covers:
- "Educational Records" - Records that directly relate to a student and are maintained by an educational agency/institution or by a party acting for the educational agency
- "Personal Information" - Direct identifiers (such as name, family name) and indirect identifiers (date of birth, mother’s maiden name)
PeopleGrove does often collect or receive data that would be covered by FERPA when launching the platform and importing users.
For example, the following data could be covered by FERPA:
- Name and email
- School, major, degree, and graduation date
- GPA or total credits
- Gender, ethnicity, or other demographic data
How is FERPA data legally shared with or collected by PeopleGrove?
Schools share data with PeopleGrove under the "school official" exception to FERPA. Under this exception, schools may share personally identifiable information from the educational record without parent/student consent as long as the vendor:
- Performs a service or function for which the school would otherwise use its own employees (i.e. is acting as an outsourced service provider)
  ✔ PeopleGrove operates as an outsourced service provider
- Is under the direct control of the school with regard to the collection and use of data
  ✔ Our contracts specify that our clients own the data, and have full control over the use of this data
- Uses data only for authorized purposes and does not re-disclose personally identifiable information from the education record to other parties unless with consent of the school or permitted by FERPA
  ✔ PeopleGrove does not disclose this data to 3rd parties without consent and does not use personally identifiable data for any other purposes
With these conditions met, there is no legal concern with sharing student data with PeopleGrove after a contract has been signed.
How does PeopleGrove ensure FERPA compliance with data once within the platform?
When institutions disclose information to PeopleGrove that may be subject to FERPA, there is no immediate concern, as we are acting as a "school official" and are not re-disclosing this data. However, once the PeopleGrove platform is configured and launched, PeopleGrove still needs to ensure that there is no unauthorized disclosure of personally identifiable information.
There are two ways in which this may be addressed.
Admin-Only Data
First, there is the concept of admin-only data within the PeopleGrove platform. This data may be stored in the PeopleGrove platform, but is not visible or accessible to anyone other than administrators of the platform - all of whom would also be school officials authorized to view this data. This data is only used for reporting and for the benefit of platform administrators.
For example, if a partner wanted to populate a student’s class level and ethnicity so that reports could be pulled for meetings by ethnicity and class level, that would be imported into PeopleGrove as an admin-only field.
Public Profile Data
Second, there is public profile data. This data may be imported into the PeopleGrove platform and displayed on a user's profile, once the user has activated their account. For this data, PeopleGrove shows the user all data that has been populated during the signup process, meaning that the user has explicit control over the data that is shared within the community.
Since the user is explicitly consenting to this disclosure, it is permitted by FERPA.
The bottom line is that PeopleGrove will never disclose personally identifiable information without a user's consent. Since users opt-in to the platform, with a clear expectation of why they are opting in, FERPA should not be an issue.
Communicating with Students
Within the signup process, PeopleGrove allows our partners to insert a legally-binding document with an e-signature pad for all users to sign. This would be an appropriate place to add language letting students know that information they have provided or reviewed during the signup process could be disclosed to other members of the community.
This step would look like this:
This signup step and appropriate language should be enough to constitute informed disclosure by the student. You are able to view the signed agreements through the admin panel.
What can partners do to limit FERPA issues?
We believe that the steps outlined above are sufficient to ensure full FERPA compliance.
However, it is fully possible to launch the PeopleGrove platform without sharing any data with us in advance. If this is the case, all data is self-reported by users of the platform for the explicit purpose of sharing within the community, making the data not covered under FERPA. If your institution has an issue with sharing data in advance, that’s not a problem.
Disclosure
This document does not constitute legal advice and has not been vetted by a lawyer. We request that all of our partners review this document with their legal counsel, as every situation is unique.