The Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. The law affords parents the right to access their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student.

Further, FERPA prohibits the disclosure of a student’s “protected information” to a third party, whether the disclosure is made verbally or by hand delivery, fax, mail, or electronic transmission. Disclosure also includes the provision of access to the educational institution’s career center database of student resumes.

According to FERPA, a “student” is an individual who is enrolled in and attends an educational institute. FERPA classifies protected information into three categories: educational records, personally identifiable information, and directory information. FERPA provides different levels of protection for each category.

How Does FERPA Define Personally Identifiable Information?

“Personally identifiable information” includes a student’s name or identification number, a student’s date of birth, and other information that can be used to distinguish an individual’s identity. “Personally identifiable information” can only be disclosed if the educational institution obtains the signature of the parent or student (if over 18 years of age) on a document specifically identifying the information to be disclosed, the reason for the disclosure, and the parties to whom the disclosure will be made.

“Educational information/records” are defined as “records, files, documents, and other materials” that are “maintained by an educational agency or institution, or by a person acting for such agency or institution.” It includes a student’s transcripts, GPA, grades, social security number, academic evaluation, psychological evaluations, and attendance records. FERPA prohibits the disclosure of educational records without the signature of a parent or student (if over 18 years of age).

“Directory information” is defined as “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” This includes such items as a list of students’ names, addresses, and telephone numbers, and also includes a student ID number (which includes electronic identifiers) provided it cannot be used to gain access to education records. Directory information can be disclosed provided that the educational institution has given public notice of the type of information to be disclosed, the right of every student to forbid disclosure, and the time period within which the student or parent must act to forbid the disclosure.

Whom this applies to: All educational institutions receiving federal funding in the United States need to remain FERPA compliant. Further, all third parties that receive educational records from educational institutions must be compliant with certain aspects of FERPA, such as not improperly disclosing the information they receive.

What Does FERPA Require of Educational Institutions?

To remain in compliance with FERPA, educational institutions must do the following:
  • Advise students annually of their rights under FERPA.

  • Obtain signed, written consent from a student before a school official, administrator, career services staff member, or faculty member releases personally identifiable information to an employer, third-party recruiter, or resume referral database.

  • Train staff and faculty members with respect to FERPA requirements and prohibitions.

  • Notify employers, employment agencies, contract recruiters, resume databases, and other entities that student records are subject to FERPA, and such entities cannot subsequently disclose these records without student consent.

  • Notify third parties that improper disclosure will result in future denials of access to such records.

  • Define and communicate to students what information will be considered directory information prior to disclosure and provide students with a reasonable time to notify the educational institution if they want to restrict access to directory information.

  • Draft and maintain policies with regard to the retention of records that pertain to the disclosure of information for health and public safety concerns.

  • Review and revise any and all third-party agreements to ensure such agreements comply with FERPA requirements.

  • Implement policies for responding to data breaches.

Who Enforces FERPA and What Are the Penalties for Non-Compliance?

The Department of Education is responsible for investigating all complaints regarding FERPA. An educational institution that fails to comply with FERPA may lose its federal funding. Although FERPA does not create a private right of action against educational institutions, some states allow for monetary damages for the disclosure of private information.