Google Forms FERPA Compliance

Google Forms FERPA Compliance

Google Forms is FERPA-compliant within our Google for Education environment. However, compliance is not a "set it and forget it" feature; it is a shared responsibility. While the platform is compliant, your process defines your legality. If you accidentally email a spreadsheet of student grades to the wrong parent, the tool was compliant, but the usage was not.

FERPA (Data Processing) - Google’s Workspace for Education terms include specific commitments regarding FERPA and data ownership. Consumer @gmail.com accounts are never compliant).

User Responsibilities (The "Must-Dos")

To maintain compliance for student PII, the form creator must follow these protocols:

  • Restrict Form Access: You must restrict the form to our trusted domain. If a form is set to "Public" or "Anyone with the link," it is non-compliant for sensitive data.
  • Secure the Linked Spreadsheet: Responses automatically flow into a Google Sheet. You must disable "Link sharing" on that sheet and manually audit who has "Editor" or "Viewer" permissions.
  • Disable Email Notifications: This is a critical fail-point. You must disable "Get email notifications for new responses," as standard email can expose sensitive data in plain text.
  • Make sure to check the Form Response Settings. "View results summary" should be turned OFF when collecting data from students. This is the setting that resulted in the recent FERPA violation.
  • The "Legitimate Educational Interest" Rule (FERPA): Under FERPA, you should only share student data with school officials who have a "legitimate educational interest." Do not share the results sheet with staff who don't strictly need it for their job.
  • Sanitize Titles: Never put a student’s name or a specific diagnosis in the Form title or Spreadsheet name. These titles can appear in unencrypted browser history or admin logs.
  • Data Retention: Per FERPA, student records shouldn't live forever. Delete the form and spreadsheet once the data is no longer required for its original educational purpose.

This image shows a screenshot of the Settings menu within a Google Form, specifically highlighting a critical security configuration for FERPA compliance.+1Under the