FERPA

Overview

Microsoft is committed to helping educational institutions create a safe and engaging learning environment, meet privacy standards, and ensure continuous legal compliance.  Microsoft maintains high standards of security, privacy, and compliance to keep students, teachers, and schools safe with built-in capabilities and cloud-powered intelligence.

Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99)

The Family Educational Rights and Privacy Act (“FERPA”) is a U.S. federal law that mandates privacy protection for students’ education records.  The law also gives parents and eligible students access to those records and the ability to correct them, as well as certain rights related to the release of records to third parties.  The law applies to schools, school districts, and any other institution that receives funding from the U.S. Department of Education.

Microsoft and FERPA

Security is central to compliance with FERPA, which requires the protection of student information from unauthorized disclosures.  Educational institutions that use cloud computing need contractual reassurances that a technology vendor manages sensitive student data appropriately.

FERPA does not require audits or other certifications, so any academic institution that is subject to FERPA must assess for itself whether and how its use of a cloud service affects its ability to comply with the law.  However, Microsoft has made the following contractual commitments that attest to its compliance:

  • In its Online Services Terms, Microsoft agrees to be designated as a “school official” with “legitimate educational interests” in customer data as defined under FERPA.  When handling student education records, Microsoft agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) in the same manner as school officials do.
  • Microsoft commits to using customer data only to provide organizations with its cloud services and for compatible purposes.  Microsoft does not mine students’ personal data for advertising or marketing.
  • Microsoft contractually commits not to disclose customer data except as the educational institution directs, as described in the contract, or as required by law. Schools that provide education records to Microsoft through their use of a Microsoft cloud service can be assured that the records are subject to stringent contractual restrictions regarding their use and disclosure.

As a result of these contractual commitments, customers that are subject to FERPA—both educational institutions and third parties to whom they give access to sensitive student data—can confidently use Microsoft’s cloud services to process, store, and transmit the data.

Services for which Microsoft agrees to be designated as a “school official” with “legitimate educational interests” in customer data include the following:

  • Azure
  • Dynamics 365
  • Intune
  • Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense
  • Power BI, PowerApps, and Power Automate (formerly Microsoft Flow) either as a standalone service or as included in an Office 365 branded plan or suite
  • Azure DevOps Services
  • Windows Defender ATP