Privacy FAQ
In this article
About FERPA and privacy
When writing and publishing stories via Merit about student achievements, you should only ever include directory information. Under the Family Educational Rights and Privacy Act, it is lawful to disclose "directory information" without first needing a student's consent. Read more about FERPA and directory information at the US Department of Education website.
FERPA's "directory information" clause is what enables institutions to have hometown news programs (more than 80% of colleges do), release the dean's list publicly, publish news stories about student athletes and scholarship award winners, and more.
Institutions are required to allow students to opt-out of releasing their directory information. Most colleges handle this during the orientation process or via a form on the college's website, but you should check with your registrar to be clear on what the procedure is at your institution. Students who have opted not to release their directory information should not be included in stories you publish via Merit. Ensure that when your registrar provides you with the list of students who made the dean's list or graduated, for example, that students who have opted-out of releasing directory information are omitted or deleted from the list before you import it to Merit.
Student emails and Merit
The US Department of Education includes student email addresses in its definition of "directory information". Though you include students' emails in the spreadsheets you upload to Merit to create your stories, Merit requires student emails to be included only so that a notification email can be sent from your college to your students telling them that their Merit page has been updated with a story published by your college. Students cannot find their Merit achievement or Merit page online if you don't notify them.
We DO NOT share or release student emails with any other third-party. You can refer to our privacy policy and subscription agreement:
Merit and student opt-outs:
Merit has robust opt-out procedures built right into the software. Any student, regardless of whether they have opted out of releasing their directory information with your college, may separately choose to opt out of Merit. This will remove their Merit page from the web and disable your college from publishing or distributing any stories about that student in the future via Merit.
There are three ways students can be opted-out of Merit:
- An opt-out link is included at the bottom of the email notification students receive when you publish their first Merit story, or can do so after signing into their Merit page. Learn more
- Students can also contact Merit directly and we will remove their story or page.
- You can manually opt-out students from within your college's Merit account. Learn more about managing opt-outs within Merit.
How is Merit Data Stored?
Users must log in to the Merit application (again via HTTPS) in order to upload or access student data. Data, once uploaded, is securely stored in two “areas" within the Amazon Web Services platform: uploaded spreadsheets are stored on S3 and the resulting imported student data is stored in databases on RDS. The RDS instances are located within a Merit VPC (Virtual Private Cloud).
Please refer to the following documents for more information on AWS-related security:
http://aws.amazon.com/vpc/
http://aws.amazon.com/s3/faqs/