Welcome to part two of our Data Privacy Week articles. As I mentioned in part one, this article discusses privacy from the perspective of the responsibilities of the college and you as an employee or student worker. There are a number of laws that address protecting collected personal data and a few specifically aimed at higher education. We’ll discuss a couple and then I’ll fill you in on how cybersecurity awareness training will work for this semester.
Higher education institutions carry significant responsibility for safeguarding the private data of their students, faculty, staff, and other stakeholders. Foundational federal regulations—most notably the Family Educational Rights and Privacy Act (FERPA)—require colleges and universities to protect personally identifiable information (PII) in student education records and control how such information is accessed, stored, and disclosed. FERPA applies to virtually all postsecondary institutions receiving U.S. Department of Education funding and grants students specific rights over their data, including access, correction, and consent requirements for disclosure. These responsibilities are heightened in modern digital environments where institutions manage extensive databases, cloud systems, and online learning platforms, all of which introduce additional privacy challenges. This U.S. government website provides a “101” course to explain FERPA to college and university employees. The Public Interest Privacy Center has a somewhat dated explanation of FERPA, but it does a good job breaking down the requirements. An in-depth discussion from the legal standpoint is presented at this site if you really want to dive deep into how colleges are addressing FERPA compliance.
Beyond FERPA, colleges and universities must comply with the Gramm‑Leach‑Bliley Act (GLBA) when handling financial information related to tuition payments, financial aid, or other student financial records. GLBA mandates both privacy and security controls, and institutions receiving federal financial aid (Title IV institutions) are explicitly considered financial institutions under the law as of early 2020, when a clarification was posted by the U.S. Department of Education. While FERPA compliance generally satisfies GLBA’s privacy requirements, the GLBA Safeguards Rule imposes additional cybersecurity expectations—such as risk assessments, security controls, and ongoing monitoring—that institutions must meet to protect nonpublic financial data. (FYI – That’s part of my job.) These obligations underscore the importance of both technical safeguards and employee awareness, since institutional compliance depends on consistent, secure handling of PII across all departments and systems. A handy info-sheet about GLBA requirements in relation to higher education is located here. Educause, the leading higher education nonprofit association with regard to managing technology, also has an explainer on their site.
Higher education employees—from faculty to IT to administrative staff, including student workers with jobs in particular offices—play an essential role in maintaining privacy. Because colleges manage broad categories of sensitive information, including health data governed by HIPAA, research data, and third‑party vendor systems, they must foster a culture of training, accountability, and security‑conscious behavior. This includes understanding when consent is required (faculty and staff’s jobs), how to properly handle digital records (again, faculty and staff’s jobs), recognizing risks in third‑party tools (OIT’s job), and preventing inadvertent disclosures (EVERYONE’S JOB!!). FERPA compliance guidance emphasizes that modern privacy protection requires not just written policies but also strong technical infrastructure, consistent staff training (hence, our twice-a-year cybersecurity awareness training), and institutional commitment to data governance. By prioritizing privacy protection, the college builds trust, meets regulatory expectations, and protects the academic and financial well‑being of its community, including students, employees, alumni, and donors.
We’ve only touched on federal law and moreover, only U.S. federal law. There are myriad state laws that also apply. Other countries have their own laws governing student data privacy, and they will apply to you if you happen to get an opportunity to teach or learn in another country. Maintaining data privacy is a part of what college administration deals with every day, and that requires good policies, procedures, practices, and training.
What does this mean for you, as an employee or student worker at Berry College? Know the policies of your department. All departments have internal policies and procedures for maintaining the privacy of collected data. If you have a question, ask your supervisor. Generally, this will mean that you don’t send or process Berry College data anywhere other than on Berry College systems. You should never be processing, manipulating or sending the college’s data to any outside systems – this includes cloud storage, email, and particularly generative AI systems. Also, always complete the cybersecurity awareness training.
On that topic, you should receive an invitation to complete your Spring 2026 training no later than Monday, Feb. 2nd (next week). It may be earlier than that, but I learned to expect the unexpected when dealing with training platforms. This training will be short, less than 20 minutes, and identical across all parts of the community, as everyone needs to understand how to protect their privacy.
Thanks for reading my Data Privacy Week articles and good luck with the rest of the semester and your cybersecurity awareness training!




