FERPA Compliance

De-ID Student PII & Determine Re-ID Risk

What are some of the key provisions of The Family Educational and Privacy Rights Act (FERPA) of 1974 as they relate to data at rest?

45 CFR § 1303.20 Establishing Procedures

A program must establish procedures to protect the confidentiality of any personally identifiable information (PII) in child records.


This suggests the need for software capable of finding and classifying, de-identifying or removing, and auditing changes to student records that are maintained by educational institutions, and the entities serving them. All of these features are in the affordable IRI FieldShield and CellShield data masking products, and comprehensive IRI Voracity data management platform.

45 CFR § 1303.24 Maintaining Records

(a) A program must maintain child records in a manner that ensures only parents, and officials within the program or acting on behalf of the program have access, and such records must be destroyed within a reasonable timeframe after such records are no longer needed or required to be maintained.

PII can also include indirect information in a record, or "quasi-identifiers" which can also be used with or without uniquely-identifying information to nevertheless identify a student. Consider e-g in the list below:

As enforced under 20 U.S. Code § 1232g and defined under 34 CFR § 99.3, PII includes, but is not limited to:

The Re-ID Risk Scoring wizard included in IRI's static data masking software exploits peer-reviewed algorithms to determine and measure the risk of re-identification based on the distinction and separation attributes of one or more quasi-identifiers in a student record. So long as the data set is in a flat file (e.g., CSV) or JDBC-connected data source (e.g., SQL Server Table), it will work.

These capabilities can also help data recipients and other authorized third parties comply with the Protection of Pupil Rights Amendment (PPRA) and the Studen Privacy provisions (Section 1061) of the No Child Left Behind Act.