The Family Educational Rights and Privacy Act (FERPA) is a United States federal law that governs the access and management of student education records. FERPA grants certain rights to students and their parents regarding the privacy of these records, which include the right to inspect and review the student's education records, the right to request the amendment of records that the parent or eligible student believes are inaccurate, and the right to have some control over the disclosure of personally identifiable information (PII) from the education records.
Esri's ArcGIS products and services are utilized by educational institutions for various purposes, including research, instruction, and administration. Frequently, ArcGIS is not utilized for handling education records by educational institutions and can be configured to minimize FERPA compliance demands. However, when these products and services are used to store, process, or transmit education records, they may fall within the purview of FERPA. Therefore, it is in the customer's hands for determining if their workflow aligns with FERPA requirements or not.
Esri's commitment to protecting the security and privacy of our customers' data includes:
- Submitting our privacy practices to independent assessment and certification
- Undergoing an annual FedRAMP audit by a qualified independent third-party
- Performing vulnerability scans at least every 30 days and testing to evaluate our security posture and identify new threats
- Protecting K-12 students' privacy by disabling targeting cookies
FERPA FAQ's
Are there any FERPA certification programs?
- No. Currently there are not any specific FERPA certification programs to assess third-party compliance. The academic institution must perform its own assessment to determine if a product or service affects its ability to comply.
What ArcGIS Online security and privacy measures help with FERPA compliance?
- Providing a variety of ArcGIS Online product security features, such as role-based access control.
- Protecting data in transit by TLS 1.2 and at rest using 256-bit Advanced Encryption Standard (AES-256).
- Leveraging the physical and environmental protection of our cloud providers: Esri's hosting facilities have 24x7 staffed security and monitoring through multiple layers of physical security controls including perimeters fences, staffed lobbies, surveillance cameras (CCTV), man trap, locked cages, motion detectors, and biometric access requirements.
- Not viewing customers' ArcGIS Online non-public content except as part of response to a security incident or support case with the customer's approval.
- Not sharing customer data with third parties.
- "Freezing" customer data (read-only access) for a legal hold, upon request to Technical Support.
- Not storing customer data other than account information which consists of email address and Username.
- Only retaining accounts for up to 60 days after termination to assist with product reactivation (if requested by customer): the account is permanently deleted after this time.
How do I configure an ArcGIS Online organization to minimize collecting PII?
- Organization administrators can block the optional user profile fields (such as first and last name, company name, phone number, and profile picture) from being populated to minimize the transfer of personally identifiable information.
- For more extensive privacy guidance concerning the use of our products within educational institutions, see our ArcGIS Online School Guidance paper and ArcGIS Location Sharing Privacy Best Practices paper in the resources area below.
What compliance implications does COPPA have on ArcGIS Online?
- The Children's Online Privacy Protection Act (COPPA) is an additional law intended to protect the privacy of children; however, it is not directly applicable to ArcGIS Online. The Children's Online Privacy Protection Act (COPPA) is a U.S. federal law enacted to protect the privacy of children under 13. It's managed by the Federal Trade Commission (FTC).
- COPPA applies to websites and online services directed to children and stipulates that these sites and services must require parental consent for the collection and use of any personal information belonging to children.
- Customers are responsible for obtaining any parental consent for any end user's use of ArcGIS Online if applicable.
- ArcGIS Online does not specifically target children under 13, however it may be utilized by such children, most likely as part of a school-based education program. By following the ArcGIS Online School Guidance below, educational institutions can better align with common student privacy regulations such as COPPA, FERPA, and even GDPR.
- To ensure the privacy of minors, Esri automatically turns off targeting cookies for students using ArcGIS for Schools Bundle accounts.
ArcGIS Online HECVAT Lite
Esri’s self-assessment answers to the Higher Education Information Security Council (HEISC) Higher Education Community Vendor Assessment Tool (HECVAT Lite) for ArcGIS Online. This provides a comprehensive understanding of the security measures implemented by ArcGIS Online using the HECVAT Lite framework. Essential to higher education institutions, the HECVAT Lite helps to ensure strong information security and security control practices, updated security programs, and effective incident response plans. This is designed for IT professionals and administrators in higher education to assist institutions in making informed decisions in the use of ArcGIS Online securely and in compliance with their institution's policies.
Resources
- ArcGIS Online School Guidance (Public)
- HECVAT Lite 2024 (Public Trust Center document)
- ArcGIS Security Adviser Validation Tool (Public Trust Center page)
- ArcGIS Online and Enterprise Best Practices Checklist (Public)
- Esri Products and Services Privacy Statement Supplement (Public)
- ArcGIS Location Sharing Privacy Best Practices (Public Trust Center document)