Dear FERPA Professor,
We’ve run into a situation that I’m sure is common but isn’t thought about much by schools.
We have made Company A a school official for student advising software. We pass along education record information to Company A, and they provide web software that our advisors use. Everything there is good from a FERPA perspective. We were approached to turn on a function in the advising software that essentially “tracks” messages/emails that are sent through that system to see if a student opens the message/email. Company A has contracted with Company B for them to provide this service. Company A provides access to email subject, sender email, and recipient email, which would be classified as education data because it is collected/maintained by Company A and is identifiable to a student.
We do not have any school official contract with Company B, and Company A does not collect consent from students to release this information to Company B (and we do not collect consent either).
It appears that they are essentially redisclosing information to Company B without the written consent of the student and Company B doesn’t appear to meet the school's official requirement either since we don’t have a contract with them. When asked about this, the company responded with:
Company B operates as a sub-processor for Company A to provide the Company A service and only has access to the minimum amount of information required to provide the Services. As such, the same disclosure given to students about their data in Company A’s Software would cover to Company B.
Is such a disclosure by Company A to Company B permissible? If so, it seems like a contract school official could delegate duties to as many sub-contractors as they’d like without the institution ever knowing and therefore losing control of the data?
Dear Mr. Teal,
Educational institutions are required, under the outsourcing provisions in the "school official" exception in FERPA, to exercise “direct control” with respect to the use and maintenance of those outsourced education records. See § 99.31(a)(1)(i)(B) of the FERPA regulations. This should be done at the time the contract is entered into with Company A, rather than after the fact. However, at this point, the appropriate course of action would be for the University to go back and add language to the contract with Company A that sets out the limits on Company B's maintenance and use of the records.
I hope this is helpful in answering your questions. You can find the above-cited regulation on page 159 of the 2012 AACRAO FERPA Guide.
The FERPA Professor