FERPA Compliance
Principal Brief is fully committed to compliance with the Family Educational Rights and Privacy Act (FERPA). We operate as a "school official" under FERPA and handle all student education records with the highest standards of care.
Our Role Under FERPA
Under FERPA, schools may disclose education records to contractors, consultants, and other parties to whom the school has outsourced institutional services, provided that the outside party:
- Performs an institutional service or function for which the school would otherwise use employees
- Has been determined to meet the criteria for being a "school official"
- Is under the direct control of the school with respect to the use and maintenance of education records
- Uses education records only for authorized purposes
Principal Brief meets all of these criteria. We process student data solely to provide analytics and insights services that support the educational mission of our partner schools.
Our Commitments
Data Use Limitations
We use student education records only for the purposes specified in our agreements with schools. We do not use student data for marketing, advertising, or any purpose unrelated to providing our contracted services.
No Unauthorized Disclosure
We do not disclose personally identifiable information from education records to any third party without proper authorization. Our employees and contractors who access student data are bound by confidentiality obligations.
Data Security
We implement appropriate administrative, technical, and physical safeguards to protect education records. This includes encryption, access controls, audit logging, and regular security assessments.
Data Retention and Deletion
We retain education records only as long as necessary to provide our services. Upon termination of services or request by the school, we delete student data in accordance with FERPA requirements.
School Control
Partner schools maintain control over their education records at all times. Schools can request access to, correction of, or deletion of their data. We respond promptly to all such requests.
Data Processing Agreement
Before processing any student data, we execute a Data Processing Agreement (DPA) with each partner school that includes:
- Description of data to be processed
- Purpose and scope of processing
- Security requirements and certifications
- Breach notification procedures
- Data retention and deletion policies
- Audit rights
Breach Notification
In the unlikely event of a data breach affecting education records, we will:
- Notify affected schools within 24 hours of discovery
- Provide detailed information about the nature and scope of the breach
- Cooperate fully with any investigation
- Take immediate steps to mitigate harm and prevent recurrence
Questions?
If you have questions about our FERPA compliance or would like to review our Data Processing Agreement template, please contact us at privacy@principalbrief.com.