Student educational records are protected under the Family Educational Rights and Privacy Act (FERPA). FERPA is the primary federal student privacy law protecting student education records and the student PII they contain from unauthorized disclosure (20 U.S.C. § 1232g; 34 C.F.R. § 99). FERPA applies to educational institutions receiving federal funding. Due to the US Department of Education’s (DoE’s) distribution of federal funds to the vast majority of educational institutions, FERPA applies to a wide range of education services providers.
tawk.to is committed to protecting the privacy and security of clients’ data. This commitment includes our privacy practices and technical security measures, which help our educational institution clients ensure that they are compliant with FERPA. While FERPA does not require or recognize audits or other certifications, any academic institution that is subject to FERPA must assess for itself whether and how its use of a cloud service affects its ability to comply with FERPA requirements.
FERPA classifies protected information into three related but distinct categories: education records, PII (FERPA PII), and directory information, which is a subset of FERPA PII. FERPA’s requirements and protections vary for each information category. However, FERPA generally requires covered educational institutions to:
- Grant parents and students over 18 or enrolled in a postsecondary institution at any age (eligible students) certain rights regarding their education records.
- Prohibit certain disclosures of education records, FERPA PII, and directory information unless specific conditions or exceptions are met.
- Set maintenance requirements and re-disclosure restrictions for third parties receiving student education records or FERPA PII.
tawk.to has in place the following protocols that assist educational institution clients with FERPA compliance:
- Our cloud-based software and all communications use the HTTPS protocol.
- All communication between the application and authentication servers is conducted via secure connections.
- We leverage the security of our hosting partners, such as Google Cloud Services, AWS and Digital Ocean, which have both physical and technological safeguards.
- All data is encrypted in transit by TLS 1.2 and at rest using 256-bit Advanced Encryption Standard (AES-256).
- No one will have access to, nor will we disclose any information from, a student’s educational records without the prior written consent of the student.
Exceptions to FERPA’s Prior Written Consent Rule
FERPA contains several statutory exceptions to the rule requiring written consent before disclosing a student’s education records or FERPA PII. The most relevant exceptions to education service providers include:
- Outsourced educational functions or services. FERPA permits disclosures to other school officials, such as teachers or other school employees, with legitimate educational interests.
- Student financial aid. FERPA permits disclosures directly related to a student’s financial aid application or award (20 U.S.C. § 1232g(b)(1)(D); 34 C.F.R. § 99.31(a)(6)).
- Education research. FERPA permits disclosures to organizations conducting certain studies for educational institutions under specified conditions (20 U.S.C. § 1232g(b)(1)(F); 34 C.F.R. § 99.31(a)(6)).
- Accreditation. FERPA permits required disclosures to accreditation organizations (20 U.S.C. § 1232g(b)(1)(G); 34 C.F.R. § 99.31(a)(7)).
- Health or safety. Under specific conditions, FERPA permits disclosures for:
  - health or safety emergencies (20 U.S.C. § 1232g(b)(1)(I); 34 C.F.R. §§ 99.31(a)(10), 99.36); or
  - treatment purposes, assuming the disclosures satisfy the HIPAA Privacy Rule if disclosed to a HIPAA covered entity (20 U.S.C. § 1232g(a)(4)(B)(iv); 34 C.F.R. § 99.3).
- Directory information. FERPA permits disclosure of properly designated and noticed directory information (20 U.S.C. § 1232g(a)(5); 34 C.F.R. §§ 99.31(a)(11), 99.37).