FERPA-Compliant Contracts With Third-Party Risk Management

Universities and K-12 schools are increasingly relying on companies to accomplish tasks, like IT and administrative functions. Companies that schools are outsourcing products and services to are considered their third-party vendors.

Even after tasks have been handed to a third-party vendor, schools must follow strict privacy regulations to protect sensitive student data. The Family Educational Rights and Privacy Act (FERPA) mandates that educational records cannot be shared without prior written authorization from the student or their guardian.

So, third parties don't have access to student data without first verifying with the student or their guardian that their data is safe, right? Well, not quite. 

There’s one notable exemption to this that schools can use to grant their third-party vendors’ access. Per FERPA, the third-party vendor must meet all the following conditions to meet the school official exemption:

Note: The italics indicate that it’s directly from the guidance. 

1. Perform an institutional service or function for which the agency or institution would otherwise use employees; 
2. Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and 
3. Is subject to the requirements of § 99.33(a) governing the use and redisclosure of personally identifiable information from education records.

This is why to comply with FERPA, educational organizations and institutions must ensure that their third-party vendor contracts follow the requirements that govern how student information is used. 

FERPA-Compliant Vendor Contracts Are a Requirement

Education technology (edtech) vendors are often regarded as those with the most access to protected data, but FERPA-compliant contracts shouldn't be limited just to edtech vendors. Any third-party vendor that has access to student information should have a contract in place that ensures compliance. 

There are two important reasons why your educational institution must implement FERPA-compliant contracts:

• Privacy policies aren’t enough: To comply with FERPA, many consumer-facing vendors have created educational platforms with education-specific privacy policies that include advertising restrictions. While these privacy policy changes are a step in the right direction, they may not adequately address FERPA compliance. 
• It’s a regulatory expectation: Along with FERPA, schools and third-party vendors must also comply with state student privacy laws. Further restrictions may be placed on the deletion of educational data under these laws. Specific contractual provisions may be required, and excessive penalties may be imposed if these laws are violated.
  

Essential Inclusions in FERPA-Compliant Vendor Contracts

Your third-party risk management team should work closely with the legal department and the school board or board of trustees to ensure that all vendor contracts comply with FERPA’s regulations on student data. A well-structured contract is one the best risk management tools an educational institution can have to protect its students. The vendor contract outlines and formalizes the expectations for the relationship. After all, if a requirement is not in the contract, it won't likely be met.

Incorporating these 13 essential components listed below into vendor contracts ensures that educational institutions achieve FERPA compliance with their vendors. It will also safeguard student privacy and build a robust data security framework. 

1. Definition of student information: Clearly define the scope and types of student information that will be shared with the vendor, ensuring alignment with FERPA regulations.
2. Ownership and control: State that the institution retains ownership of the student information and establish provisions for the institution to maintain control, access, and ability to audit the data.
3. Authorized use of data: Specify the vendor's permissible uses of student information and prohibit unauthorized activities such as data mining and analysis unless explicitly contracted for such services.
4. Non-disclosure agreement: Require the vendor to acknowledge and adhere to FERPA obligations, ensuring that the student information will not be re-disclosed to other third parties without explicit consent or legal requirements.
5. Training and awareness: Require the vendor to provide comprehensive training to its employees regarding FERPA requirements, data privacy, and cybersecurity practices.
6. Data retention and disposal: Define the retention period for student information and specify procedures for its secure disposal when no longer needed. Be sure to emphasize the vendor's responsibility for proper data destruction.
7. Data security measures: The vendor must implement adequate security protocols to safeguard student information, aligning with industry best practices and institution-approved standards.
8. Data breach notification: Establish clear guidelines for the vendor to promptly notify the institution in the event of a data breach. You’ll need to outline the required information and timeline for notification.
9. Indemnification: Incorporate indemnification clauses to hold the vendor liable for any damages with data security breaches or legal consequences arising from non-compliance with FERPA.
10. Changes in regulations: Address how changes in FERPA or relevant privacy or student data laws will be communicated, implemented, and incorporated into the vendor contract to ensure ongoing compliance.
11. Subcontractor compliance: If the vendor engages subcontractors (or fourth parties) to handle student data, require the vendor to ensure that these subcontractors also comply with FERPA regulations and maintain the same level of data protection.
12. Compliance monitoring and auditing: Grant the institution the right to conduct periodic audits or assessments to verify the vendor's compliance with FERPA regulations and data security standards.
13. Dispute resolution and termination: Establish mechanisms for resolving disputes and outline the process for contract termination in case of non-compliance with FERPA or breach of contractual obligations.

Use Third-Party Risk Management to Ensure Vendor Compliance With Contracts

Of course, compliance doesn’t just end with the signed contract. Once you’ve set your expectations and standards with your vendor in the contract, you’ll need to ensure that they follow through with it. 

To do this, your third-party risk management team should store vendor contracts in a central location for ease of access and monitoring to prevent important dates from lapsing, like the contract non-renewal notice period. Automated alert notifications prior to a contract auto-renewing or expiring are helpful.

Additionally, your third-party risk management team should conduct regular ongoing monitoring to review the vendor’s product and service delivery on a continuous basis. Ongoing monitoring of the vendor risk and contract ensures:

• Your vendor remains in compliance
• Expectations and performance metrics are met
• The controls put in place by your vendor continue to be effective
• Emerging risks are caught early and mitigated

If there are any changes or issues with the vendor’s compliance, risk, or performance level, those should be documented so they can be resolved or escalated to senior management. That will then help you make decisions about contract renewals or potential termination. 

Follow the Third-Party Risk Management Lifecycle for Effective Contract Management

Having a robust third-party risk management program that follows the third-party risk management lifecycle (onboarding, ongoing, and offboarding) is the best way to ensure that vendor requirements are met in all your contracts. The lifecycle was initially developed by financial regulators, but is now a best practice for all industries.

It serves as a roadmap for managing your vendor relationships. The lifecycle illustrates each step and activity necessary for identifying, assessing, mitigating, and monitoring vendor risk throughout the relationship.

From the initial due diligence and contract negotiations for onboarding a vendor, monitoring a vendor’s compliance, cybersecurity, and privacy controls during the ongoing relationship, to offboarding a vendor in a safe and secure way, the third-party risk management lifecycle guides the team through each step. 

FERPA prohibits sharing private data without the prior written consent of students or their guardians and educational institutions must comply with the regulation when using third-party vendors. Implementing robust third-party risk management practices and a carefully written contract can go a long way toward ensuring FERPA compliance and protecting student data.