Dear FERPA Professor
A follow-up question for you regarding the use of publisher products such as “Vendor 1”. These programs often require students to create an ID and then take quizzes, exams, and complete assignments. What are the FERPA red flags
here? These products are very popular leading me to believe they are compliant but it does seem the publisher is now collecting information as part of the student academic record and we don’t control that. Any direction here is much appreciated.
Unfortunately, in this day of creative vendors and vendor products, popularity of a vendor product does not necessarily equate with FERPA compliance. I am not familiar with the “Vendor 1” offering but if this vendor is creating
student records on behalf of Centenary, then those records would be subject to FERPA, just as if the University had created them. If an institution is outsourcing institutional services or functions under § 99.31(a)(i)(B), then it MUST
administer “direct control” over the use and maintenance of those education records. Also, according to
§ 99.33, the entity may not use the PII for any other purpose other than the reason for which they were contracted. The best means to ensure that vendors and other outside parties are aware of and comply with the FERPA requirements related
to the use and disclosure of PII contained in education records is to have a written agreement (contract) specifying the vendor's requirements and responsibilities to comply with FERPA.
You can find the above-cited FERPA regulations on pages 159 and 164 of the 2012 AACRAO FERPA Guide. In addition, Appendix N of the Guide has model vendor contract examples that you may find helpful. Appendix N can be found starting on
page 383 of the Guide.
I hope this information is helpful in answering your questions.
The FERPA Professor