FERPA Compliance & Requirements [Checklist Included!]
As the amount of student data collected by public K–12 schools and higher education institutions continues to increase, so does their obligation to keep that data secure and private. In order to ensure that these institutions meet a uniform standard for data security and privacy, the U.S. government signed the Family Educational Rights and Privacy Act (FERPA) into law in 1974.
Disclaimer: This article is not intended as legal advice.
What is FERPA?
The Family Educational Rights and Privacy Act — more commonly known as FERPA — is a Federal law designed to protect the privacy of student education records. It applies to educational institutions and agencies that are funded under a program managed by the U.S. Department of Education (DoE).
Under FERPA, parents or legal guardians of eligible students have the right to request, inspect and review their child’s education records as maintained by the school. For reference, “education records” are defined under 34 CFR § 99.3 as any records “directly related to a student” and “maintained by an educational agency or institution or by a party acting for the agency or institution.” It’s important to note that education records can appear in any format or medium, and that FERPA applies to both paper and electronic student records.
On the other hand, FERPA does not apply to:
- Records kept in the sole possession of the maker
- Records relating to the law enforcement unit of an educational agency or institution
- Records relating to an individual who is employed by an educational agency or institution
- Records on a student who is 18 or older, or attending an institution of postsecondary education, that are made or maintained by a medical professional acting in a professional capacity; made, maintained or used only in connection with treatment of the student; or disclosed only to individuals providing treatment
- Records created or received by an educational agency or institution after an individual is no longer a student in attendance
- Grades on peer-graded papers before they are collected and recorded by a teacher
Parents or legal guardians may also request that an education record be amended if they believe that record to be inaccurate. Should the school decline to amend the record in question, the parent or legal guardian reserves the right to a formal hearing. Once a student turns 18, all of the rights listed above automatically transfer from the parent or legal guardian to the student. In fact, an academic institution can be found in violation of FERPA if it shares education records with the parent or legal guardian of an eligible student after that student has come of age. If, at any point, a student or the parent or legal guardian of a student believe that their rights under FERPA have been violated, they can file a complaint through the DoE’s website.
FERPA also stipulates that academic institutions are not allowed to provide copies of an eligible student’s records without the express written permission of that student’s parent or legal guardian. There are certain exceptions to this disclosure rule. According to 34 CFR § 99.31, schools do not require consent for disclosure to parties that meet the following conditions:
- School officials, including teachers, who are determined to have legitimate educational interests
- Contractors, consultants, volunteers or other parties to whom the school has outsourced institutional services or functions
- Officials from another school, school system or institution of postsecondary education where the student seeks or intends to enroll
- Appropriate parties in connection with financial aid to the student
- Organizations conducting studies for, or on behalf of, educational agencies or institutions to develop, validate or administer predictive tests; administer student aid programs; or improve instruction
- Accrediting organizations carrying out accrediting functions
- In compliance with a judicial order or lawfully issued subpoena
- Appropriate parties in connection with a health or safety emergency (according to the conditions described in 34 CFR § 99.36)
- State and local authorities if the allowed disclosure concerns the juvenile justice system and its ability to effectively serve the student in question (according to the conditions described in 34 CFR § 99.38)
Schools are also permitted to disclose, without consent, directory information — that is, a student’s name, address, telephone number, date and place of birth, honors and awards and dates of attendance — provided that they notify parents/legal guardians and students about the disclosure of this information.
What are FERPA’s Requirements?
For the most part, FERPA requirements are fairly straightforward:
- Produce requested educational data to a parent, legal guardian or student within 45 days
- Amend education records as requested (or prepare to hold hearings to contest amendments)
- Remind parents/legal guardians and students of their rights under FERPA on an annual basis
- Barring certain exceptions, do not share an eligible student’s education records without the written consent of their parent or legal guardian — or, if they are of age, the student themselves
What’s less clear is FERPA’s requirements for storing and securing education data. FERPA does not specify a time period for retaining education records; it merely states that an education record may not be destroyed if there are any outstanding requests to inspect or review the file. Based on that, it’s in an academic institution’s best interest to store both paper and electronic education records indefinitely. And, according to the DoE, FERPA “does not require educational institutions to adopt specific security controls,” despite the fact that “security threats can pose a significant risk for student privacy.”
As far as electronic records are concerned, the best way to accommodate FERPA’s storage and security requirements — or lack thereof — is to invest in a scalable archiving solution with built-in security features, such as end-to-end encryption, two-factor authentication and Secure Sockets Layer protocol.
The Importance of FERPA Compliance
Protecting students’ privacy should be a priority for any academic institution, but the need for FERPA compliance extends far beyond ethical obligation. A potential FERPA violation could lead to an investigation of the school by the DoE. If found in violation of FERPA, the school under investigation could face withdrawal of federal funding from the DoE and other federal agencies. This is a significant penalty, given that federal contribution accounts for approximately 8% of the budget for U.S. elementary and secondary education.
Federal contribution accounts for approximately 8% of the budget for U.S. elementary and secondary education.
Other FERPA violations penalties include:
- School administrators could receive cease and desists orders from the DoE, the parents or legal guardians of students, or advocacy groups that represents parents, legal guardians and students.
- Depending on the specifics of the situation, an employee found in violation of FERPA compliance could find themselves subject to disciplinary action, lawsuits, FERPA violation fines and even prosecution.
- In some FERPA violation cases, a parent, legal guardian or student may be eligible to seek monetary damages in recompense for an unauthorized disclosure. Finally, a school
- Additional penalties may apply if an institution is also found in violation of state privacy laws.
For these reasons and more, it’s imperative that academic institutions make every effort to meet FERPA requirements.
FERPA Violations Examples
To help you better understand what constitutes a FERPA violation — and what doesn’t — let’s look at a few examples of FERPA violation scenarios:
- A school shares a letter of recommendation from a teacher or professor with a student’s potential employer
- A vendor that the school works with grants an unauthorized individual access to a student’s education records
- A school contracts with a vendor that relies on data mining either to complete its services or as a form of compensation
- A school releases education records to the parent or legal guardian of a student who is 18 or over
- A school official shares confidential information about a student or an incident that took place on school grounds with friends and family members, members of the press or on social media
- A school official accidentally hits “Reply All” or BCCs multiple students on an email that includes information pertaining to one specific student
- A school official posts test scores with identifying information attached on a public bulletin board
- A school official provides information about a student (class schedule, GPA, etc.) over the phone from someone who claims to be that student’s parent or legal guardian
As you can see, many of these FERPA violations are unintentional, so it’s important that elementary, secondary and postsecondary institutions be vigilant.
Real-World FERPA Violation Cases
Countless educational institutions — and vendors that service educational institutions — have been brought to court over alleged FERPA violations. Here are just a few examples of FERPA violation cases and their outcomes:
- Gonzaga University v. Doe (2002): A Gonzaga University student required an affidavit of good moral character from the school in order to teach at a Washington public elementary school. After hearing that the student had engaged in alleged acts of sexual misconduct, his teacher certification specialist discussed the allegations with the state agency responsible for teacher certification, identifying the student by name. As a result, the student was denied his certification affidavit. The student sued Gonzaga University, alleging that the school had violated his rights under FERPA. Although a jury awarded the student compensatory and punitive damages, the State Supreme Court ruled that FERPA’s nondisclosure provisions do not give rise to private cause of action against schools that divulge students’ personal information.
- United States v. Miami (2002): The United States, on behalf of the Department of Education, sued Miami University in Ohio to prohibit it from releasing student disciplinary records to a local newspaper, arguing that the records constituted education records under FERPA on the basis that they “directly relate to a student and are kept by that student’s university.” The United States Court of Appeals for the Sixth Circuit ultimately ruled that disciplinary records are, in fact, education records under FERPA and thereby protected from disclosure.
- Owasso Independent School District No. I-011 v. Falvo (2002): Kristja J. Falvo, the parent of a child in the Owasso Independent School District, asked that the school district prohibit peer grading. When the school district declined her request, Falvo filed an action against the school district, claiming that student grades constitute education records and that peer grading is, therefore, a FERPA violation. The District Court held that grades put on papers by other students did not qualify as “education records,” however, the Court of Appeals reversed this decision, stating that the act of grading is an impermissible release of information. Ultimately, the Supreme Court ruled that peer-graded papers do not constitute education records protected by FERPA until they are collected by a teacher and recorded in a teacher’s grade book.
8 Key FERPA Compliance Tips
Given the ambiguity around certain FERPA requirements and the integration of new technologies, achieving FERPA compliance can seem a formidable task — but with these tips, it doesn’t have to be:
- 1. Heighten awareness of FERPA across your institution. On the faculty side, provide training on FERPA compliance, as well as educational resources for further, self-guided research. Be sure to routinely retrain staff as FERPA requirements change, so that they’re up to date on the latest measures. On the student side, annually remind parents, legal guardians and students of their rights under FERPA and explain the different between what constitutes “personally identifiable information” (which is protected under FERPA) vs. what is considered “directory information.”
- 2. Understand the difference between FERPA and FOIA. The Freedom of Information Act (FOIA) “has provided the public the right to request access to records from any federal agency” — including federally funded academic institutions. FOIA requests typically relate to operational records rather than personally identifiable information, but it’s still important for academic institutions to understand their obligations under FOIA, and how they relate to FERPA.
- 3. Develop record retention policies and share them with faculty. Remember, FERPA doesn’t designate a mandatory record retention period, which means you’ll likely have to hold onto education records indefinitely. Therefore, it’s in your best interest to develop your own record retention policy, educate faculty on the policy and invest in an archiving solution that offers scalable storage and built-in security to meet your institution’s data storage needs.
- 4. Familiarize yourself with FERPA exceptions. As mentioned, there are certain situations in which an academic institution does not require the written consent of a parent, legal guardian or student for disclosure. Make sure that your faculty understands these exceptions. It might even be helpful to provide some sort resource, such as a pamphlet that educators can keep handy or a webpage on your institution’s website, for quick reference.
- 5. When in doubt, seek consent. If you’re unsure whether a potential disclosure qualifies as a FERPA exception, it’s best to play it safe and obtain signed, written consent from the parent, legal guardian or eligible student in question.
- 6. Establish a timeline for requests. FERPA requires academic institutions to supply requested education records within 45 days. Based on this information, clearly communicate to parents, legal guardians and students when they should ideally submit a request. For example, if a parent knows that they need access to their child’s education records by June 15, recommend that they submit their request no later than May 1. Not only does this provide you with ample time to produce the requested materials — it also ensures that the party requesting the information receives it exactly when they need it.
- 7. Work only with compliant vendors. If one of your third-party vendors discloses a student’s education records without authorization — even accidentally — your institution will be forced to face the consequences. To avoid this risk, be sure to thoroughly screen all vendors and ask in-depth questions about how they intend to handle education records and control data access. Avoid online vendors who offer their services for free, as they’re more likely to make their money from data mining. Once you’ve selected a vendor, make sure your contract with them clearly outlines their obligations under FERPA; regularly revise these agreements to reflect any changes to FERPA requirements.
- 8. Create policies to address security breaches. Determine how your institution will respond to potential data breaches or unauthorized disclosures well before they actually take place; this should include a thorough investigation into the nature of the breach or disclosure and all parties involved or affected.
FERPA Compliance Checklist
Want to make sure that your elementary, secondary or postsecondary institution checks all the boxes for FERPA compliance? Download our free FERPA compliance checklist to help stay on top of changing rules and requirements: