FERPA requirements for protecting student information

The Family Educational Rights and Privacy Act (FERPA) is a federal statute that protects the privacy of student education records. The law states that, "The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education."

In other words, if a school, public or private, K–12 or university receives any federal funding, FERPA applies to it. There are no exceptions to this threshold requirement.

What are ‘education records’?

FERPA's protections attach to "education records," a defined term. The statute defines them at 20 U.S.C. § 1232g(a)(4)(A) as, "Those records, files, documents, and other materials which contain information directly related to a student and are maintained by an educational agency or institution, or by a party acting for such agency or institution."

Under the implementing regulations at 34 CFR § 99.3, this definition covers records regardless of physical form, paper files, digital databases, emails, photographs, and cloud-stored data are all potentially covered. What matters is whether the record (1) directly relates to a student and (2) is maintained by the school or someone acting on its behalf.

What is not an education record?

FERPA notes several categories that are not education records:

• Sole-possession records kept only by the person who made them and never shared
• Law enforcement unit records
• Records of employees who are not also enrolled students
• Records about adults who are no longer students (in most cases)
  
  

Rights under FERPA

FERPA grants rights to parents of minor students. Those rights transfer to the student at age 18 or upon enrollment in a postsecondary institution. 20 U.S.C. § 1232g(d) states that, "At age 18 or upon entry into a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student ('eligible student')."

1. The right to inspect and review records

20 U.S.C. § 1232g(a)(1)(A) states that, "The school or State Education Agency (SEA) must provide the relevant parent, guardian, or 'eligible student' access to 'education records' within 45 days of receiving the request."

Furthermore, 34 CFR § 99.10(d) states that, "If circumstances effectively prevent the parent or eligible student from exercising the right to inspect and review the student's education records, then the school must [p]rovide the parent or eligible student with a copy of the records requested or [m]ake other arrangements for the parent or eligible student to inspect and review the requested records."

In practice, schools cannot ignore a records request. The 45-day window period is a legal requirement.

2. The right to request amendment of records

Parents and eligible students can challenge records they believe are inaccurate or misleading. If the school declines to amend the record, the student has the right to a formal hearing.

3. The right to control disclosure

The general prohibition at 20 U.S.C. § 1232g states that, "No funds shall be made available … to any educational … institution which has a policy or practice of permitting the release of education records (or personally identifiable information contained therein other than directory information …) of students without the written consent of their parents to any individual, agency, or organization."

Written consent must include:

1. The identity of the person or group receiving the disclosure
2. A description of the records to be disclosed
3. The purpose of the disclosure
4. A signature and date from the parent or eligible student

Exceptions to the written consent requirement

The full list of exceptions is in 34 CFR § 99.31, which outlines more than fifteen categories where disclosure without consent is permitted. The four most commonly encountered are:

Exception 1: School officials with legitimate educational interest

34 CFR § 99.31(a)(1)(i) states that, "Records may be disclosed to school officials who have a legitimate educational interest in the information. A legitimate interest is defined as the need to review a record to fulfill a professional responsibility on behalf of the institution." 34 CFR § 99.31(a)(1)(ii) adds onto that by stating that, "An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests."

Schools must define who qualifies as a "school official" and what constitutes a "legitimate educational interest" in their annual FERPA notification to students and families.

Exception 2: Transfer to another school

34 CFR § 99.31(a)(2) states that records may be disclosed "to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student's enrollment or transfer."

Exception 3: Health and safety emergencies

34 CFR §§ 99.31(a)(10) provides an exception that allows educational agencies and institutions to disclose personally identifiable information from student education records to appropriate parties in connection with the emergency without prior consent, the regulates notes, "given that the party's knowledge of the information is necessary to protect the health or safety of students or other individuals," and, "The determination of an 'emergency' is left to the discretion of local authorities and educational agencies or institutions themselves and is a flexible standard that may differ from case to case."

Examples of appropriate parties include public health officials and trained medical personnel.

Exception 4: Directory information

34 CFR §§ 99.31(a)(11) states that, "Education records that have been appropriately designated as 'directory information' by the educational agency or institution may be disclosed without prior consent."

FERPA defines directory information as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed

Directory information can include a student's name, address, phone number, dates of attendance, and degree information. However, schools must:

1. Provide public notice of what information is designated as directory information
2. Inform parents and eligible students of their right to opt out
3. Allow a reasonable period for written opt-out requests

34 CFR § 99.37(a) states that, "A school may disclose directory information if it has given public notice of the types of information which it has designated as 'directory information,' the parent or eligible student's right to restrict the disclosure of such information, and the period of time within which a parent or eligible student has to notify the school in writing that he or she does not want any or all of those types of information designated as 'directory information.'"

The recordkeeping requirement

Schools must log every time education records are disclosed to a third party. 34 CFR § 99.32(a)(1) provides that, "A school must maintain a record of each request for access to and each disclosure of personally identifiable information from the education records of each student."

This disclosure log must be available for inspection by the parent or eligible student. The log must document: (1) who requested or received the information, and (2) their legitimate interest in obtaining it.

Penalties for noncompliance

FERPA enforcement is handled by the Family Policy Compliance Office (FPCO) within the U.S. Department of Education. The office investigates complaints and seeks voluntary compliance first, but the ultimate penalty is stated in 34 CFR Part 99, Subpart E, "The Secretary of Education can withhold further payments to the institution, issue a cease-and-desist order, or terminate the school's eligibility to receive federal funding entirely."

It is worth noting that FERPA does not create a private right of action, meaning individual students cannot sue a school directly under FERPA. The Supreme Court confirmed this in Gonzaga University v. Doe, 536 U.S. 273 (2002). However, students may still pursue claims under state privacy laws.

Compliance checklist for schools

To meet FERPA's requirements, institutions should have:

• An annual notification informing parents and eligible students of their FERPA rights
• A defined policy on who qualifies as a "school official" and what constitutes "legitimate educational interest"
• A directory information policy
• Written consent forms that meet statutory requirements before any non-exempt disclosure
• A disclosure log (34 CFR § 99.32) maintained for each student's records
• Staff training on what constitutes an education record and when consent is required
• A data breach response procedure, per U.S. Department of Education guidance

Read also: Protect student data with secure email for education

FAQs

Does FERPA apply to private schools?

Private and religious K-12 schools generally do not receive federal Department of Education funding and are therefore not subject to FERPA.

Can a parent still access their college student's records?

Once a student turns 18 or enrolls in a postsecondary institution, FERPA rights transfer to the student.

Does FERPA protect records held by third-party apps or platforms used by schools?

Yes, if a school uses a third-party vendor to perform institutional services.

What is the difference between FERPA and HIPAA when it comes to student health records?

Health records created by a school nurse or counselor and maintained by the school are education records under FERPA, not protected health information under HIPAA, so FERPA governs their privacy rather than HIPAA.