Frequently Asked Questions

What about FERPA?

Microsoft's contract addresses FERPA requirements.

Microsoft and Institution acknowledge and understand that Institution may disclose to Microsoft personally identifiable information from education records, subject to the Family Educational Rights Privacy Act of 1974, as amended (20 U.S.C. § 1232g) and its implementing regulations promulgated by the United States Department of Education (“FERPA”), as may be necessary for Microsoft to provide services under this Agreement and hereby agree to the terms and conditions set forth on Exhibit B to this Agreement with respect to such information and Microsoft and Institution’s respective obligations under FERPA.

Exhibit B

FAMILY EDUCATIONAL RIGHTS PRIVACY ACT (FERPA)
This Exhibit sets forth the terms under which Institution shall provide Microsoft Corporation (“Microsoft”) information subject to the Family Educational Rights Privacy Act of 1974, as amended (20 U.S.C. § 1232g) and its implementing regulations promulgated by the United States Department of Education (“FERPA”) in connection with services to be provided under the Agreement.

Definitions:
“Directory information” means information contained in education records that would not generally be considered harmful or an invasion of privacy if disclosed, including not limited to the student’s name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status; dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors and awards received; and the most recent educational agency or institution attended. Directory Information does not include (a) a student’s social security number, or any other personal identifier that can be used to gain access to education records without an additional factor to authenticate the user’s identity, such as a personal identification number, password, or other factor known or possessed only by the authorized user, or (b) any other information that would otherwise be directory information but that Institution has not designated in accordance with FERPA’s requirements as directory information. A complete list of information covered by subsection (b) above is attached to this Addendum as Annex 1. Directory information also does not include any information that is excluded due to the student’s refusal of such designation under FERPA for which Institution notifies Microsoft under Section 5 below.

“Disclose” or “disclosure” means the act of permitting access to, or the release, transfer, or other communication of education records, or personally identifiable information from such education records, by any means, including oral, written, or electronic means, to any other party.

“Education records” means records that are directly related to a student and are maintained by or for Institution, including such records in handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche form. Education records do not include records created or received by or for Institution after an individual is no longer a student in attendance and that are not directly related to the individual’s attendance as a student.

“Personally identifiable information” means, for the purposes of this Exhibit only: the student’s name; the name of the student’s parent or other family members; the address of the student or student’s family; a personal identifier, such as the student’s social security number, student number, or biometric record; other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name; other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or information requested by a person whom Institution or a party acting for Institution reasonably believes knows the identity of the student to whom the requested information relates. 

Institution represents and warrants that it is in compliance with the requirements of FERPA related to the provision of personally identifiable information to Microsoft under the Agreement. Pursuant to FERPA regulations permitting an educational agency or institution to disclose, without the prior consent of a student (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, a student’s parent), personally identifiable information from education records to a party to whom the agency or institution has outsourced institutional services or functions, Institution shall disclose to Microsoft such information from education records as may be necessary for Microsoft to provide services under the Agreement. Institution shall inform its students of its policy regarding such disclosure in its annual notification of FERPA rights. Institution shall provide an annual notification of FERPA rights in compliance with 34 C.F.R. § 99.7.

Institution shall provide Microsoft, at Microsoft’s reasonable request, with copies of all policies and notifications distributed to students (or, with respect to students under 18 years of age and not in attendance at a postsecondary institution, distributed to students’ parents) regarding Institution’s outsourcing of institutional services and functions, and such other information as Microsoft may reasonably request in order for Microsoft to comply with its obligations under this Exhibit.

Institution shall comply with FERPA’s requirements regarding the designation of such information as directory information and permitting students to refuse all or part of such designation. Institution shall at all times inform Microsoft in writing of any student who has refused all or part of any directory information designation.

Microsoft shall not use or allow access to personally identifiable information from education records, other than directory information, except in connection with services to be provided under the Agreement or as Institution otherwise directs. Without limiting the foregoing:

Microsoft may disclose personally identifiable information from education records in its possession in connection with an emergency if knowledge of the information is reasonably determined by Microsoft to be necessary to protect the health or safety of the student or other individuals. In making such determination, Microsoft shall take into account the totality of the circumstances pertaining to a threat to the health or safety of a student or other individual.

Upon receipt of a judicial order or lawfully issued subpoena requiring the disclosure of personally identifiable information from education records in its possession, Microsoft shall disclose such information in accordance with the order or subpoena; provided, that unless otherwise prohibited by applicable law, Microsoft shall first make a reasonable effort to notify the student (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, the student’s parent) of the order or subpoena such that the affected individual may seek protective action before the disclosure occurs.