What FERPA Requires from Universities
The Family Educational Rights and Privacy Act (FERPA) has governed how universities handle student records since 1974. Fundamentally, FERPA is a federal privacy law that grants students the ability to exert some meaningful authority over their academic information. At the same time, it also assigns responsibility for the maintenance and safeguarding of student education records to the universities that maintain them. Any educational institution, agency, or program that receives federal funding (which applies to all public and most private higher education institutions in the U.S.) is legally required to comply.
Most administrators don’t realize just how wide the definition of FERPA “protected information” really is. Student education records include all information directly related to a student and maintained by the institution – grades, transcripts, enrollment status, financial aid data, disciplinary records, and any personally identifiable information tied to those records. Under FERPA, students have the right to inspect their records, request corrections (if the information is believed to be inaccurate), and provide written consent before the institution discloses their records to third parties.
The ramifications for non-compliance are substantial, as well. Institutions found in violation risk losing access to federal funding and suffering lasting reputational damage.
FERPA compliance breaks down at the infrastructure level—not in policy. The necessary training programs, consent forms, and disclosure procedures are well-documented in most institutions. Policy enforcement at the infrastructure level is the main challenge – particularly in collaboration tools, file storage environments, and endpoints.
Where FERPA Compliance Breaks Down in Modern IT Environments
FERPA regulations were designed for a world of locked filing cabinets and controlled records offices. University data is now digital. Student records no longer exist in only one place. It’s stored across cloud applications, collaborative tools, and endpoints, making it incredibly difficult to manage and restrict access effectively. The gap between a university’s FERPA policy and its data practices can lead to breaches and violations.
Oversharing in Microsoft SharePoint and Teams
Most higher education institutions already use Microsoft 365 for collaboration. This same openness is what makes Microsoft 365 a huge FERPA liability if not configured correctly.
By default, SharePoint sites and Teams Channels are permissive in their behavior. Open channels are discoverable by everyone in the institutional tenant; a channel created for administrative personnel to coordinate aid disbursement may be discovered by many individuals whose knowledge of that information is not necessary.
The permissions system used for SharePoint sites is inherited by default, with any new folders or libraries automatically carrying the access rights of the parent site. Such a pattern can lead to student records being visible to individuals who don’t have any educational need to access them.
Another layer of exposure comes from external collaboration. Since universities routinely share information with third-party vendors, accreditation bodies, and research collaborators, there is pressure to provide extended access to SharePoint and Teams outside of the university network. Internal permission models are not automatically extended to external guest accounts, so those external permissions are widely provided and rarely audited. Student records that would never be shared willfully with the public could inadvertently become accessible through inherited permissions in a shared document library.
Most FERPA violations aren’t malicious—they result from default settings and poor permission design.
Unstructured Data Sprawl
The next significant compliance risk isn’t so much about who can access the data, but rather where the data is actually stored. A typical university does not have a centralized governing system for all of its education records. The same student data that exists within a record management system will more than likely also exist within an instructor’s OneDrive folder, a department’s SharePoint document library, as well as email attachments and individual endpoints – none of which the university may be aware of, or be able to control.
The issue of data sprawl is further compounded by the variety of file formats. While records in a structured database have corresponding metadata and security controls, unstructured data (PDFs, spreadsheets, scanned files, exported reports) lacks these metadata values and controls and is more difficult to identify, categorize, and secure.
The sheer scale of data sprawl makes it a noteworthy FERPA compliance risk rather than a basic edge case. Education records are often duplicated across university systems over the years, creating an ever-growing inventory of sensitive data. Auditing this inventory or cleaning it up is nearly impossible. A university that does not have a strong understanding of where its student records reside cannot realistically protect this data against unauthorized disclosure, as FERPA requires.
Lack of Context-Aware Access Controls
This next compliance gap is structural more than anything. The majority of university IT infrastructures rely on role-based access control (RBAC), assigning permissions and authority based on job title or department. However, RBAC is insufficient for the specific disclosure obligations imposed by FERPA. It can be used to determine someone’s position as a faculty member, but it can’t determine whether that faculty member has a legitimate educational interest in specific student records.
What FERPA compliance requires is more granular control, which attribute-based access control (ABAC) can provide. This methodology evaluates access rights based on a variety of values or attributes: the user, their environment, and the sensitivity of the data they’re trying to access, not just their role.
The attributes that are important in a university context include:
- Department and function – Whether the requesting party has institutional responsibility for the relevant student
- Student enrollment status – Whether the student is currently active, withdrawn, or graduated
- Nationality and jurisdiction – Relevant where international data privacy obligations intersect with FERPA Act requirements
- Authorization and need-to-know – Whether the specific record type falls within the user’s legitimate scope
Without this level of attribute-based enforcement, access decisions are made based on broad role assignments, routinely permitting far more access than FERPA standards allow. Unintentional disclosure lives in the gap between RBAC capabilities and the demands of FERPA, leaving many institutions inadvertently exposed despite adopting formal compliance programs.
What FERPA-Compliant Controls Should Look Like
Modern IT environments can introduce compliance challenges that simply cannot be overcome by issuing new policy documents or conducting staff training. Institutions that successfully achieve FERPA compliance build controls into the systems and processes that are used to generate, retain, and transmit student records. The foundation of a successful compliance program is essentially the same for institutions of any size: you have to know where your sensitive data lives.
Accurate Discovery of Student PII
The first step toward successful FERPA compliance involves identifying the location of all personally identifiable information (PII) of students across the institution’s environment. This discovery must not only include structured databases but also unstructured file types containing education records. The absence of reliable, ongoing discovery processes means that any downstream control will work with an incomplete picture from the start.
Context-Aware Classification
Discovery alone is not enough; the identified data must also be classified appropriately based on its contents and sensitivity. The system must understand that not only does the document contain a student name and/or student ID number, but that the mix of information contained within it makes it a FERPA-compliant education record. A balance is necessary; over-classification leads to noise, while under-classification leaves certain records unprotected.
Attribute-Based Access Control
Once data has been categorized, access rights decisions must be enforced. Attribute-based access control (ABAC) evaluates requests using a number of factors (user role, department, student status, institutional need) to make access decisions that mirror what FERPA actually permits rather than relying on broad role assignments.
Dynamic Enforcement of Sharing Policies
Access controls should be able to dynamically react to changing circumstances. Dynamic policy enforcement ensures that when a student drops out, a staff member takes on a new role, or an external collaboration window expires, the permissions attached to the relevant records change automatically, rather than relying on a manual review process that may never happen.
Audit-Ready Reporting
FERPA compliance is not only about preventing unauthorized access – it is also about demonstrating that access has been appropriately managed. Audit-ready reporting should provide a definitive, uncorrupted history of all users who accessed each record, along with the specific reasons and authority under which they gained access.
How archTIS Strengthens FERPA Compliance
The specific controls required for FERPA compliance – the capability to correctly discover sensitive data, appropriately classify it based on the sensitivity of its contents, and enforce access rules based on attributes, while complex, are achievable. archTIS addresses these controls using a comprehensive set of features designed for Microsoft 365 collaboration environments.
Sensitive Data Discovery and Classification
The discovery of student PII throughout the entire institutional environment is the foundation for achieving FERPA compliance.
archTIS’ Spirion Sensitive Data Platform provides discovery capabilities built for high-accuracy detection, designed to reduce both false positives (compliance noise) and false negatives. SDP provides coverage for the M365 ecosystem and beyond, including endpoints and hybrid environments where unstructured data accumulates outside governed systems.
What distinguishes this approach from basic search indexing is the classification layer operating in parallel with discovery. Once data has been found, it is classified in context and can be recognized as FERPA-protected information based on a combination of attributes. This creates a precise, dynamic list of all PII within the institution, which is a necessary foundation for any downstream access control or audit capability.
Policy-Enforced Access Control in Microsoft 365
Spirion identifies student records and properly categorizes and labels them. When paired with NC Protect, those labels can be used in its dynamic policies to determine who can access a file and under what conditions.
NC Protect utilizes an attribute-based access control (ABAC) model, in which access rights and file protection are controlled by policies that dynamically compare file, user, and environmental attributes against the policies. The attributes that drive access decisions might include:
- User Role
- Department
- Device
- Time of Day
- File classification
The policies not only control access, but they also determine what a user can do with a file if access is granted and who they can share it with. This prevents broad inherited permissions that create FERPA compliance exposure scenarios in default configurations of SharePoint and Teams.
The dynamic nature of its policy enforcement is the primary reason why NC Protect is particularly relevant in university environments. As student enrollment status changes, staff roles are modified, or external collaboration windows arise, access policies can be updated automatically to match the current authorization state.
Reducing Oversharing in Microsoft Teams and SharePoint
The oversharing risks (open channels, inherited permissions, widely granted external access) created by default Microsoft 365 configurations are directly addressed by NC Protect’s policy enforcement layer.
Instead of an administrator auditing and manually restricting settings on both SharePoint and Teams, archTIS uses dynamic, contextual policies to control access and apply file-level protection. It governs collaborative activity in SharePoint and Teams using a single set of attribute-based policies across the environment.
The practical outcome is that unauthorized access to education records (through platforms where most day-to-day university collaborations occur) becomes a policy-enforcement issue rather than a user-behavior problem. Access for external guests can be controlled with the same policies, thereby closing the gap left by the default Microsoft 365 sharing settings. The end result is an environment that enables operational continuity while still being aligned with the policy goals that FERPA violation standards are intended to prevent.
Adopting a Proactive Approach to FERPA Compliance
For most universities, the challenge with FERPA compliance is not understanding the law. It is consistently enforcing it across complex collaboration environments.
FERPA risk now lives in collaboration tools, cloud storage, and endpoints. Institutions that enforce policies and control access at the data level significantly reduce operational risks. By adopting a proactive compliance approach, these institutions integrate necessary compliance measures into the collaboration platforms that staff use daily.
archTIS closes the gap between FERPA policy and enforcement by discovering and classifying FERPA-protected data and embedding access control directly into Microsoft 365.
