What It Is

FERPA (Family Educational Rights and Privacy Act of 1974, 20 U.S.C. §1232g; 34 CFR Part 99) is a U.S. federal regulation establishing privacy protections for student education records. It grants parents and eligible students (age 18+ or postsecondary) rights to access, amend, and control disclosures of personally identifiable information (PII). Scope covers institutions receiving federal education funds, using a rights-based approach with consent rules and enumerated exceptions.

Key Components

• Core rights: inspect/review (45 days), amend inaccurate records, prior consent for disclosures.
• PII definition: direct/indirect identifiers linkable to students.
• Exceptions: school officials/legitimate interests, emergencies, directory info.
• Obligations: annual notices, disclosure logs, vendor controls. No certification; compliance enforced via complaints, fund withholding.

Why Organizations Use It

Mandated for federal fund recipients; mitigates enforcement risks, lawsuits. Builds student/parent trust, enables safe data sharing for operations/research. Supports edtech innovation, vendor management.

Implementation Overview

Phased: governance, data inventory, policies/training, technical controls (RBAC, logging), vendor DPAs. Applies to K-12/postsecondary; ongoing audits/incident response. Focuses operational controls over certification.

What It Is

ISO 31000:2018 Risk management — Guidelines is an international standard offering principles and a framework for managing risk. It is a voluntary, non-certifiable guideline applicable across sectors, defining risk as the effect of uncertainty on objectives. The approach emphasizes systematic, integrated processes for identification, analysis, evaluation, treatment, monitoring, and improvement.

Key Components

• **Three pillars8 principles (integrated, structured, customized, inclusive, dynamic, best information, human factors, continual improvement); framework (leadership, integration, design, implementation, evaluation, improvement); process (scope/context, assessment, treatment, monitoring, recording).
• Flexible, no fixed controls; principles-based.
• Aligns with PDCA cycle.

Why Organizations Use It

• Drives strategic decisions, resilience, value creation/protection.
• Meets regulatory benchmarks (e.g., Basel III), lowers insurance premiums, reduces litigation.
• Builds stakeholder trust, accelerates market entry, optimizes capital.
• Fosters innovation via risk-opportunity nexus.

Implementation Overview

• Phased: diagnose/design, build/deploy, operate/optimize, institutionalize.
• Gap analysis, policy, tools, training, integration.
• All sizes/industries; no certification, uses internal audits/reviews. (178 words)