The Family Educational Rights and Privacy Act (FERPA) generally prohibits the improper disclosure of personally identifiable information derived from education records.

Schools may share basic “directory” information, such as student names and phone numbers, if they give parents the opportunity to opt out. However, advance written permission is required to release all other student-level information, such as student coursework, class discussions, recorded comments, and grades, if they are linked to any information that would enable a member of the school community to identify the student.

Several exceptions in the law allow individuals such as teachers and administrators with a legitimate educational interest in the student’s record to access personally identifiable student data without prior parent consent.

Educational institutions using My Docs Online should configure and use their My Docs Online account(s) in a manner consistent with the educational institution’s overall FERPA guidelines. My Docs Online technical guidelines to ensure protection of protected information include:

• Use a multi-user account (administrator ID plus multiple group user IDs)
• Avoid the shared use of individual group user IDs except where justified by shared work role and information access rights
• Set appropriate folder permissions based on the access privileges of each group user ID
• When practical for private information avoid using “Share” or “Give” to deliver files. Use group user IDs and folders with permissions
• Where “Share” is used include a password or PIN, and keep link expirations as short as is practical.
• Enforce transmission encryption by requiring the use of SSL for all subaccounts.
• Safeguard login IDs and passwords.
• Assign strong passwords, using a mixture of letters and numbers, or special characters or upper and lower case
• Avoid the inclusion of individually identifiable information in the names of uploaded files or comments associated with files.