Mentor Collective and FERPA Compliance FAQ

What is FERPA?

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

What are FERPA Education Records?

FERPA defines education records as “records that are: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution” (20 U.S.C. §1232g (a)(4)(A); 34 CFR § 99.3). These records include, but are not limited to, transcripts, class lists, student course schedules, health records, student financial information, and student disciplinary records. It is important to note that any of these records maintained by a third party acting on behalf of a school or district are also considered education records.

How Does FERPA Protect the Disclosure of Student Information?

FERPA is designed to give students over the age of 18 control over the disclosure of their educational records. Directory Information is defined as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. FERPA is designed to protect a student’s Educational Record, not their Directory Information.

What is FERPA PII?

FERPA defines the term personally identifiable information (PII) to include direct identifiers (such as a student’s or other family member’s name) and indirect identifiers (such as a student’s date of birth, place of birth, or mother’s maiden name). Indirect identifiers, metadata about students’ interaction with an app or service, and even aggregate information can be considered PII under FERPA if a reasonable person in the school community could identify individual students based on the indirect identifiers together with other reasonably available information, including other public information.

What Data does Mentor Collective Collect from Educational Institutions?

For data that the institution shares with Mentor Collective for mentors (typically current students and alumni) and mentees (typically current students), the following user data elements -- generally considered FERPA directory level information -- are collected for the purpose of delivering required mentorship services:

• Required
  • First Name and Last Name
  • Email Address
• Strongly Recommended
  • Mobile Phone Number: educational institutions which share this experience better outcomes
  • Student # or School ID (or database identifier): this enables higher-quality program success analysis in the event a student or mentor changes their email address (see below)

For data that the institution shares with Mentor Collective for mentees, the following user data elements – generally considered FERPA PII -- are also collected for the sole purposes of providing program success analysis:

• Required
  • Student # or School ID (or database identifier)
  • Email Address
• Depending on the mentoring program design (the following are only examples; the exact student data fields can vary based upon the institution and desired success outcomes), the following data may be requested by Mentor Collective in order to provide required functionality and services as defined in the contract:
  • Demographics data, such as (examples only):
    • Pell Grant status, or
    • First-generation status
  • Outcome data, such as (examples only):
    • Fall/Spring enrollment status, or
    • GPA and academic probation

Learn more about providing participant directory information here. 

Learn more about providing additional institution provided data here. 

How is this Data Shared with Mentor Collective?

Mentor and mentee data can be shared with Mentor Collective through secure file exchange (encrypted CSV delimited file) platforms, such as SFTP or one-time “file locker” products such as LiquidFiles, Sharefile, etc. Mentor and mentee data sets are provided during the program onboarding process prior to recruitment. Please discuss with your Mentor Collective representative about the exact date(s) required for mentoring program launch.

How Does FERPA Apply to Mentor Collective?

Most of the user data shared by an educational institution with Mentor Collective is considered Directory Information. When assessing the Mentor Collective mentorship program impact, the sharing of FERPA PII and/or more sensitive information from educational records between an educational institution and Mentor Collective may be required.

Mentor Collective follows industry best practices for the handling, storage, and management of personal or potentially sensitive information, including complying with all applicable federal, state and local laws, rules, regulations and ordinances regarding its employees, including as to the protection of confidential student information, including, without limitation, the Family Educational Rights and Privacy Act (FERPA).

Mentor Collective qualifies for the “School Official” exception under FERPA. FERPA permits the disclosure of PII from education records to contractors, consultants, volunteers, or other third parties provided that the outside party:

• performs an institutional service or function for which the institution would otherwise use employees;
• is under the direct control of the institution with respect to the use and maintenance of education records;
• meets the criteria set forth in the institution’s notification of rights for being a school official with a legitimate educational interest in the education records; and
• uses education records only for authorized purposes and may not re-disclose PII from education records to other parties, unless the provider has specific authorization from the school or district to do so and it is otherwise permitted by FERPA. (See 34 CFR § 99.31(a)(1)(i) and 99.33).

To comply with the requirements of the “School Official” exception and other data privacy best practices, Mentor Collective agrees to the following provisions:

• Use – Mentor Collective is prohibited from any unauthorized use, including data mining and analysis unless that is part of or related to a service that the vendor is being paid to provide for the institution.
• Re-disclosure – Mentor Collective acknowledges its obligations under FERPA and agrees not to re-disclose the information unless otherwise permitted by FERPA.
• Access and control – Mentor Collective acknowledges the data is owned by the institution, and the agreement should provide a mechanism for the institution to access and audit the information.
• Security – Mentor Collective agrees to maintain the information pursuant to data security protocols and best practices.

What are Mentor Collective’s Practices for Collecting, Processing, and Storage of FERPA PII, Education Records, and Other Potentially Sensitive Information?

Mentor Collective follows industry best practices for the secure collection, processing, and storage of FERPA PII, education records, and other user data, including:

• Required encryption (TLS, SCP, HTTPS/SSL) of data in transit;
• Required encryption (block-level) of data at rest;
• Criminal background checks for employees and contractors with access to user data;
• Antivirus and hard drive encryption for all employee computers;
• Required MFA for authentication for required services and systems, including development and production cloud infrastructure;
• Formal information security policies describing standard methods, tools, and services for the handling, processing, retention, and destruction of student data;
• Formal software security program, including static code analysis, regular vulnerability and penetration testing, regular library and patch/OS updates, and industry best practices for network, host, and application security;
• Formal company written information security program (WISP)

As part of its standard customer deprovisioning process, Mentor Collective has a process to purge and delete non-member institution- and related user data from its application databases and related backups and storage media within 30 days of subscription termination. Mentor Collective reserves the right to use de-identified Mentor Collective proprietary user data in aggregate form only for the sole purposes of improving its products and services. Non-Mentor Collective generated data provided by the institution is destroyed.

Mentor Collective does not collect or store social security numbers, credit card data, passport information, or bank account information.

Mentor Collective does not sell or resell student data to third parties in any form.