Guide to the Family Educational Rights and Privacy Act (FERPA)

What Is the Family Educational Rights and Privacy Act (FERPA)?

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. The law affords parents the right to access their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student.

Further, FERPA prohibits the disclosure of a student’s “protected information” to a third party, whether the disclosure is made verbally or by hand delivery, fax, mail, or electronic transmission. Disclosure also includes the provision of access to the educational institution’s career center database of student resumes.

According to FERPA, a “student” is an individual who is enrolled in and attends an educational institute. FERPA classifies protected information into three categories: educational records, personally identifiable information, and directory information. FERPA provides different levels of protection for each category.

How Does FERPA Define Personally Identifiable Information?

“Personally identifiable information” includes a student’s name or identification number, a student’s date of birth and other information which can be used to distinguish an individual’s identity. “Personally identifiable information” can only be disclosed if the educational institution obtains the signature of the parent or student (if over 18 years of age) on a document specifically identifying the information to be disclosed, the reason for the disclosure, and the parties to whom the disclosure will be made.

“Educational information/records” are defined as “records, files, documents, and other materials” that are “maintained by an educational agency or institution, or by a person acting for such agency or institution.” It includes a student’s transcripts, GPA, grades, social security number, academic evaluation, psychological evaluations, and attendance records. FERPA prohibits the disclosure of educational records without the signature of a parent or student (if over 18 years of age).

“Directory information” is defined as “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” This includes such items as a list of students’ names, addresses, and telephone numbers, and also includes a student ID number (which includes electronic identifiers) provided it cannot be used to gain access to education records. Directory information can be disclosed provided that the educational institution has given public notice of the type of information to be disclosed, the right of every student to forbid disclosure, and the time period within which the student or parent must act to forbid the disclosure.

Whom this applies to: All educational institutions receiving federal funding in the United States need to remain FERPA compliant. Further, all third parties that receive educational records from educational institutions must be compliant with certain aspects of FERPA, such as not improperly disclosing the information they receive.

What Does FERPA Require of Educational Institutions?

To remain in compliance with FERPA, educational institutions must do the following:

  • Advise students annually of their rights under FERPA.
  • Obtain signed, written consent from a student before a school official, administrator, career services staff member, or faculty member releases personally identifiable information to an employer, third-party recruiter, or resume referral database.
  • Train staff and faculty members with respect to FERPA requirements and prohibitions.
  • Notify employers, employment agencies, contract recruiters, resume databases, and other entities that student records are subject to FERPA, and such entities cannot subsequently disclose these records without student consent.
  • Notify third parties that improper disclosure will result in future denials of access to such records.
  • Define and communicate to students what information will be considered directory information prior to disclosure and provide students with a reasonable time to notify the education institution if they want to restrict access to directory information.
  • Draft and maintain policies with regard to the retention of records that pertain to the disclosure of information for health and public safety concerns.
  • Review and revise any and all third-party agreements to ensure such agreements comply with FERPA requirements.
  • Implement policies for responding to data breaches.

Who Enforces FERPA and What Are the Penalties for Non-Compliance?

The Department of Education is responsible for investigating all complaints regarding FERPA. An educational institution that fails to comply with FERPA may lose its federal funding. Although FERPA does not create a private right of action against educational institutions, some states allow for monetary damages for the disclosure of private information.

FERPA: Frequently Asked Questions

The most common FERPA violation is the improper disclosure of personally identifiable information (PII) from a student’s education records without the appropriate consent. This often occurs when school officials share information with third parties, such as parents of other students, external vendors, or unauthorized school personnel, without obtaining the required written consent from the parent or eligible student. Another frequent violation includes the inadvertent exposure of student records, such as through unprotected digital files, misplaced documents, or careless handling of paper records. These breaches can have legal and financial consequences for the educational institution, including the potential loss of federal funding for severe and repeated violations.

FERPA applies to all educational institutions that receive funding from any program administered by the U.S. Department of Education. This includes most public and private K-12 schools, school districts, colleges, and universities across the United States. Any school that receives federal funds must comply with FERPA regulations, which means nearly all public and many private educational institutions are subject to FERPA. Rights are granted to parents of students under 18 and to eligible students (students who are 18 years old or who attend a postsecondary institution).

FERPA generally requires consent before disclosing PII from student education records, but there are several key exceptions:

  • School officials with legitimate educational interests: Information can be shared with school officials who have a legitimate educational interest in accessing the student’s records to perform their professional responsibilities.
  • Transfer to another school: PII can be disclosed without consent when a student is transferring to another school or enrolling in another institution. This ensures continuity of the student’s education.
  • Judicial orders or subpoenas: Schools may disclose records in compliance with a judicial order or lawfully issued subpoena, provided the institution makes a reasonable effort to notify the parent or eligible student in advance of compliance, except in specific cases of federal grand jury subpoenas or other similar circumstances.
  • Health and safety emergencies: In cases where there is an immediate threat to the health or safety of students or other individuals, PII can be disclosed to appropriate parties, such as law enforcement, public health officials, or medical personnel, to address the emergency.

FERPA protects all “education records,” which are records that contain information directly related to a student and are maintained by an educational agency, institution, or a party acting on its behalf. This includes but is not limited to:

  • Academic records: Grades, transcripts, class schedules, and standardized test scores
  • Disciplinary records: Information related to disciplinary actions or behavioral incidents
  • Personal information: Student’s name, identification number, date of birth, social security number, and contact information
  • Health information: Records maintained by the school’s health clinic or school nurse, but only when these records are directly related to the student’s educational experience
  • Special education records: Individualized Education Programs (IEPs) and other records related to special education services
  • Financial information: Records related to financial aid, tuition payments, and scholarship awards
  • Attendance records: Data on attendance, tardiness, and absences

FERPA does not protect information that is not maintained as part of a student’s education record or information that is considered “directory information.” Examples of information not protected under FERPA include:

  • Directory information: Information that schools can disclose without consent unless the parent or eligible student has opted out, such as a student’s name, address, telephone number, email address, photograph, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of athletes, dates of attendance, degrees and awards received, and the most recent educational institution attended.
  • Records of school employees: Records created and maintained by an educational institution related to its employees, not students.
  • Records created by a law enforcement unit: Records that are created and maintained by a law enforcement unit of the school, which are used for law enforcement purposes and not shared with others in the school system.
  • Peer-graded papers before collection by a teacher: Student work that has been graded by peers and not yet collected by the teacher is not protected under FERPA.

FERPA covers students who are currently or were previously enrolled in an educational institution that receives federal funding. This includes students in elementary, secondary, and postsecondary institutions. The rights under FERPA initially belong to the parents of students under 18 years of age. Once a student turns 18 or attends a postsecondary institution, the rights under FERPA transfer to the student, who is then considered an “eligible student.”

An education record under FERPA is any record that contains information directly related to a student or is maintained by an educational agency or institution or by a party acting on behalf of the agency or institution. Education records can take many forms, including written documents, computer files, digital records, audio or video recordings, and even emails. Examples include:

  • Grades and transcripts: Records of academic performance
  • Student schedules: Class schedules, enrollment records
  • Disciplinary records: Records documenting disciplinary actions
  • Health records: Health information maintained by the school’s health services, such as a school nurse or health clinic
  • Special education records: Documentation related to special education services, such as Individualized Education Programs (IEPs)
  • Student financial information: Records related to financial aid, tuition, and scholarships

A FERPA waiver is a document signed by a student (or their parent if the student is under 18) that waives their rights under FERPA to keep certain education records private. This waiver allows the educational institution to share the specified records with designated individuals or entities. FERPA waivers are commonly used in situations such as:

  • Letters of recommendation: Students may waive their rights to view letters of recommendation written on their behalf.
  • Job or college applications: Students may waive their rights to allow schools to share transcripts or other records with potential employers or colleges.
  • Parental access for eligible students: Eligible students may waive their FERPA rights to allow their parents continued access to their education records.

It’s important to note that the penalties for violating FERPA vary on a case-by-case basis. The primary penalty for violating FERPA is the potential loss of federal funding for the educational institution, though this penalty is typically reserved for severe or repeated violations. If the U.S. Department of Education’s Family Policy Compliance Office (FPCO) determines that a school has violated FERPA, the institution could lose its eligibility to receive federal funds. However, this is rarely enforced and would only happen if an institution had failed to implement corrective measures from the FPCO. Additionally, the institution may face legal challenges from affected individuals, reputational damage, and increased scrutiny from regulatory bodies. While FERPA does not provide a private right of action, meaning individuals cannot sue directly under FERPA, violations can lead to civil lawsuits based on other laws.

FERPA rights do not expire; they persist as long as the individual is alive. The rights initially belong to the parents until the student turns 18 or enrolls in a postsecondary institution, at which point the rights transfer to the student, now considered an “eligible student.” These rights continue to apply even after the student graduates or leaves the institution. However, FERPA rights do not persist indefinitely after the student’s death. Generally, FERPA protections end upon the death of the student, though individual institutions may have their own policies regarding the privacy of records posthumously. Educational institutions are required to comply with FERPA regulations for as long as they maintain education records for living students.

Hyperproof makes FERPA compliance simple

  • Leverage an out-of-the-box FERPA framework template to get started quickly and seamlessly
  • Map FERPA controls effortlessly to multiple regulatory standards
  • Reduce the time and effort required to achieve FERPA compliance by efficiently collecting and documenting evidence to support your FERPA compliance efforts 
  • Integrate seamlessly with the productivity tools your team already uses
  • Reuse evidence collected for FERPA compliance for various frameworks
  • Identify and prioritize critical workflows to maintain ongoing FERPA compliance
