Article Sections

• What is FERPA?
• What data does this cover?
• How is FERPA data legally shared with or collected by PeopleGrove?
• How does PeopleGrove ensure FERPA compliance with data once within the platform?
• What can partners do to limit FERPA issues?
• Disclosure

Overview

This document is intended for any PeopleGrove client or potential client who wants to review how PeopleGrove approaches FERPA data.

What is FERPA?

FERPA is a federal law that prohibits schools from disclosing personally identifiable information from a student’s educational record to a third party without written consent from the parent. This right transfers to the student when the student turns 18 years old or matriculates at a college or university.

What data does this cover?

FERPA covers:

• "Educational Records" - Records that directly relate to a student and maintained by an educational agency/institution or by a party acting for the educational agency
• "Personal Information" - Direct identifiers (such as name, family name) and indirect identifiers (date of birth, mother’s maiden name)

PeopleGrove does often collect or receive data that would be covered by FERPA when launching the platform and importing users.

For example, the following data could be covered by FERPA:

• Name and email
• School, major, degree, and graduation date
• GPA or total credits
• Gender, ethnicity, or other demographic data

How is FERPA data legally shared with or collected by PeopleGrove?

Schools share data with PeopleGrove under the "school official" exception to FERPA. Under this exception, schools may share personally identifiable information from the educational record without parent/student consent as long as the vendor:

• Performs a service or function for which the school would otherwise use its own employees (i.e. is acting as an outsourced service provider)
  ✔ PeopleGrove​ ​operates​ ​an​ ​an​ ​outsourced​ ​service​ ​provider
• Is under the direct control of the school with regard to the collection and use of data
  ✔ Our​ ​contracts​ ​specify​ ​that​ ​our​ ​clients​ ​own​ ​the​ ​data,​ ​and​ ​have​ ​full​ ​control over​ ​the​ ​use​ ​of​ ​this​ ​data
  
• Uses data only for authorized purposes and does not re-disclose personally identifiable information from the education record to other parties unless with consent of the school or permitted by FERPA
  ✔ PeopleGrove​ ​does​ ​not​ ​disclose​ ​this​ ​data​ ​to​ ​3rd​ ​parties​ ​without​ ​consent​ ​and does​ ​not​ ​use​ ​personally​ ​identifiable​ ​data​ ​for​ ​any​ ​other​ ​purposes

With these conditions met, there is no legal concern with sharing student data with PeopleGrove after a contract has been signed.

How does PeopleGrove ensure FERPA compliance with data once within the platform?

When institutions disclose information to PeopleGrove that may be subject to FERPA, there is immediately no concern as we are acting as a "school official" and are not re-disclosing this data. However, once the PeopleGrove platform is configured and launched, PeopleGrove still needs to ensure that there is no unauthorized disclosure of personally identifiable information.

There are two ways in which this may be addressed.

Admin-Only Data

First, there is the concept of admin-only​ ​data​ ​within the PeopleGrove platform. This data may be stored in the PeopleGrove platform, but is not visible or accessible to anyone other than administrators of the platform - all of whom would also be school officials authorized to view this data. This data is only used for reporting and for the benefit of platform administrators.

For example, if a partner wanted to populate a student’s class level and ethnicity so that reports could be pulled for meetings by ethnicity and class level, that would be imported into PeopleGrove as an admin-only field.

Public Profile Data

Second, there is public​ ​profile​ ​data​. This data may be imported into the PeopleGrove platform and displayed on a user's profile, once the user has activated their account. For this data, PeopleGrove shows the user all data that has been populated during the signup process, meaning that the user has explicit control over the data that is shared within the community.

Since the user is explicitly consenting to this disclosure, it is permitted by FERPA.

The bottom line is that PeopleGrove will never disclose personally identifiable information without a user's consent. Since users opt-in to the platform, with a clear expectation of why they are opting in, FERPA should not be an issue.

Communicating with Students

Within the signup process, PeopleGrove allows our partners to insert a legally-binding document with an e-signature pad for all users to sign. This would be an appropriate place to add language letting students know that information they have provided or reviewed during the signup process could be disclosed with other members of the community.

This step would look like this:

This signup step and appropriate language should be enough to constitute informed disclosure by the student. You are able to view the signed agreements through the admin panel.

What can partners do to limit FERPA issues?

We believe that the steps outlined above are sufficient to ensure full FERPA compliance.

However, it is fully possible to launch the PeopleGrove platform without sharing any data with us in advance. If this is the case, all data is self-reported by users of the platform for the explicit purpose of sharing within the community, making the data not covered under FERPA. If your institution has an issue with sharing data in advance, that’s not a problem.

Disclosure

This document does not constitute legal advice and has not been vetted by a lawyer. We request that all of our partners review this document with their legal counsel, as every situation is unique.