Family Educational Rights and Privacy Act (FERPA)
FERPA overview
The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of students' education records, including personally identifiable and directory information. FERPA was enacted to ensure that parents and students age 18 and older can access those records, request changes to them, and control the disclosure of information, except in specific and limited cases where FERPA allows for disclosure without consent.
The law applies to schools, school districts, and any other institution that receives funding from the US Department of Education—that is, virtually all public K-12 schools and school districts, as well as most post-secondary institutions, both public and private.
Security is central to compliance with FERPA, which requires the protection of student information from unauthorized disclosures. Educational institutions that use cloud computing need contractual reassurances that a technology vendor manages sensitive student data appropriately.
Microsoft and FERPA
FERPA doesn't require or recognize audits or other certifications, so any academic institution that is subject to FERPA must assess for itself whether and how its use of a cloud service affects its ability to comply with FERPA requirements. In the Online Services Terms Data Protection Addendum (DPA), Microsoft agrees to be designated as a 'school official' with 'legitimate educational interests' in customer data as defined under FERPA. Customer data would include any student records provided through a school's use of Azure. When Microsoft handles student education records, Microsoft agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) just as school officials do. Microsoft has published guidance documentation to assist Azure customers with satisfying their FERPA compliance requirements.
Microsoft in-scope cloud platforms & services
Services for which Microsoft agrees to be designated as a 'school official' with 'legitimate educational interests' in customer data include:
- Azure and Azure Government
- Azure DevOps Services
- Dynamics 365
- Intune
- Office 365, Office 365 U.S. Government, Office 365 U.S. Government - High, and Office 365 U.S. Government Defense
Azure guidance documents
You can download the following documents for assistance with satisfying FERPA compliance requirements:
Office 365 and FERPA
Office 365 environments
Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.
This section covers the following Office 365 environments:
- Client software (Client): commercial client software running on customer devices.
- Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
- Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
- Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
- Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.
Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.
Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.
Office 365 applicability and in-scope services
Use the following table to determine applicability for your Office 365 services and subscription:
Applicability | In-scope services |
---|---|
Commercial | Microsoft Entra ID, Azure Information Protection, Bookings, Compliance Manager, Delve, Exchange Online, Exchange Online Protection, Forms, Kaizala, Microsoft Analytics, Microsoft Booking, Microsoft Defender for Office 365, Microsoft Graph, Microsoft Teams, Microsoft To-Do for Web, MyAnalytics, Office 365 Advanced Compliance add-on, Office 365 Cloud App Security, Office 365 Groups, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, StaffHub, Stream, Sway, Viva Engage |
GCC | Microsoft Entra ID, Compliance Manager, Delve, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, MyAnalytics, Office 365 Advanced Compliance add-on, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business, Stream |
GCC High | Microsoft Entra ID, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office Online, Office Pro Plus, OneDrive for Business, Planner, PowerApps, Power Automate, Power BI, SharePoint Online, Skype for Business |
DoD | Microsoft Entra ID, Exchange Online, Forms, Microsoft Defender for Office 365, Microsoft Teams, Office 365 Advanced Compliance add-on, Office Online, Office Pro Plus, OneDrive for Business, Planner, Power BI, SharePoint Online, Skype for Business |
Office 365 audits, reports, and certificates
FERPA doesn't require or recognize audits or certifications.
Frequently asked questions
Why is FERPA important?
This US federal law mandates the protection of the privacy of students' education records. It also gives parents and eligible students access to those records and the ability to correct them, as well as certain rights related to the release of records to third parties.
What compliance implications do COPPA and CIPA have on Azure?
COPPA and CIPA are additional laws intended to protect the privacy of children; however, they aren't directly applicable to Azure. The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law enacted to protect the privacy of children under 13. The Federal Trade Commission (FTC) manages COPPA. COPPA applies to websites and online services directed to children and stipulates that these sites and services must require parental consent for the collection and use of any personal information belonging to children. The Children's Internet Protection Act (CIPA) was enacted to address concerns about children's access to harmful content over the Internet. The Federal Communications Commission (FCC) issued rules implementing CIPA and defined requirements for schools and libraries subject to CIPA. Customers with questions about COPPA and CIPA in the context of Azure adoption should review the section titled Educational Institutions in the Online Services Terms DPA where we explain that customers are responsible for obtaining any parental consent for any end user's use of Microsoft online services.
Use Microsoft Purview Compliance Manager to assess your risk
Microsoft Purview Compliance Manager is a feature in the Microsoft Purview compliance portal to help you understand your organization's compliance posture and take actions to help reduce risks. Compliance Manager offers a premium template for building an assessment for this regulation. Find the template in the assessment templates page in Compliance Manager. Learn how to build assessments in Compliance Manager.