What is FERPA?
According to a federal law called FERPA, educators, administrators, registrars, and other school employees in the United States are responsible for securing the student data that passes through their hands. But what is FERPA, exactly?
FERPA stands for the Family Educational Rights and Privacy Act, which mandates certain privacy rights regarding education data for students and their parents. The law states that parents have the right to access their children’s education records. It also forbids the sharing of that data without a parent’s written permission. When eligible students turn 18 or graduate high school, these rights pass to them.
Violations of the act can restrict access to Department of Education funding, so compliance with FERPA is a crucial concern for schools at every level (with a few notable exceptions, which we’ll discuss in Chapter 3). If you work with student data, it’s likely that you’re responsible for protecting it, but the details of FERPA make things a little less clear-cut. This comprehensive guide will help you understand the background, intent, and concrete requirements of the law, as outlined in the following chapters.
Note that, while this article introduces FERPA and provides a few starting points for compliance, nothing here is intended as legal advice. For guidance on a specific situation, contact an attorney who specializes in privacy law.
What is FERPA? Chapter synopsis
- Introduction.
- The history of FERPA. When was FERPA passed? Why do we need this type of privacy law? This chapter discusses the history and purpose of the act.
- FERPA requirements and exceptions. Learn about the rights and responsibilities the law guarantees students, parents, and educational institutions. We’ll also cover exceptions to some of these requirements.
- FERPA compliance. What do you need to do to make sure your facility fully complies with FERPA? Here are some resources to get you started.
- FERPA violations and consequences. Here, we’ll introduce common FERPA violations and the potential penalties they can incur. This is also where you’ll learn about the U.S. Department of Education’s Family Policy Compliance Office, which enforces FERPA.
- FERPA training. The best way to protect your institution from FERPA violations is to provide comprehensive training for all relevant staff. We’ll discuss what that looks like.
- FERPA waivers and forms. This chapter goes into greater detail on the subject of “written consent,” describing the forms — both digital and print — that may allow the sharing of limited student data.
Feel free to skip directly to Chapter 3 if your main concern is FERPA compliance, but bookmark the whole guide before you do. Questions about FERPA have a way of popping up unexpectedly, and you may need other chapters sooner than you think.
The history of FERPA
Prior to FERPA’s enactment, unsecured student data led to real-world problems, says Millicent Kelly in her FERPA Training for Educators online course.
“By the early 1970s, almost anyone with a badge could obtain personal and academic records of students. Oftentimes, the files contained medical and mental health information, which could result in a student being removed from one program and placed into a program for children with special needs. This could take place without so much as notifying a student’s parents or guardians.”
Despite transgressions like these, FERPA would have to wait for a broader concern over privacy rights to sweep through the nation. This occurred in the mid-1970s when national events brought privacy abuses to the forefront of public consciousness.
When was FERPA passed?
You can draw a direct line between FERPA and Watergate. Strange as the connection may sound, the Nixon Administration’s secret data collection during the scandal created a strong appetite for privacy protections in the legislature in the early 1970s.
Nixon resigned on August 8, 1974. Less than two weeks later, on August 21, President Gerald Ford signed FERPA into law. By the end of that year, the 93rd Congress would follow FERPA with the much broader Privacy Act.
“This gives you a sense of what must have been going on back then,” says LeRoy Rooker, senior fellow at the American Association of Collegiate Registrars and Admissions Officers (AACRAO). “There was an obvious heightened concern for protection of information on individuals, and this included parents and students.”
Rooker is the leading authority on FERPA. As a senior fellow at AACRAO, he conducts FERPA training and consultation. Prior to joining AACRAO, Rooker spent 21 years as director of the U.S. Department of Education’s Family Policy Compliance Office (FPCO), the agency that administers the law and investigates alleged violations.
The purpose of the Family Educational Rights and Privacy Act
The purpose of the Family Educational Rights and Privacy Act (FERPA) is to protect access to educational records for students and parents, while preventing that access for unauthorized third parties. When FERPA was passed, there was little to compare it to — but that soon changed. It’s essentially a data security law, related to the Privacy Act of 1974 and the later Health Insurance Portability and Accountability Act (HIPAA) of 1996.
In fact, there’s often some confusion within schools about whether FERPA or HIPAA take priority in the case of student health records. Here are a few things to know about how FERPA and HIPAA interact:
- When school nurses keep records of student health in elementary and high schools, those records are typically covered by FERPA, not HIPAA.
- This means school nurses can share health data with other school staff when there’s “legitimate educational interest” — a topic we’ll cover in Chapter 2.
- Once a student of any age enters post-secondary school (like a college or university), or that student turns 18, FERPA no longer covers any of their health records. In this case, HIPAA or other state or federal privacy laws take precedence.
For more information on the difference between FERPA and HIPAA, see our coverage here. We’ll discuss the details of what sort of data is protected in Chapter 3. For now, let’s look at how FERPA governs the activity of education staff at relevant institutions.
FERPA requirements and exceptions
The full text of the Family Educational Rights and Privacy Act is in the Code of Federal Regulations, Title 34, Subtitle A, Part 99. It contains more than 13,000 words of dense legislative language, and there’s a 45-year case history that influences its application. In other words, there’s a lot to learn.
We’ve pulled a few main details every parent, student, and school representative should know about FERPA. At the end of this chapter, we’ll discuss FERPA exceptions — like the fact that, in cases of legitimate educational interest, FERPA may allow data to be shared without consent.
FERPA rights for eligible students and parents
The rights guaranteed by FERPA belong to students and their parents, but not necessarily both at the same time. Parents hold these rights until a student turns 18 or begins post-secondary education. So if you graduate high school at 15 and enter college at 16, these rights belong to you, not your parents — and schools can violate FERPA by sharing data with a parent after a student becomes the holder of these rights.
Mirroring FERPA’s language, we’ll call any student who has become the rights holder in this case “eligible.” In other words, an eligible student under FERPA is one who’s 18 or older, or whose education is continuing past high school. Broadly speaking, FERPA guarantees three basic rights to eligible students or their parents:
- Institutions cannot disclose education data without written permission from the rights holder, except in a few narrowly defined instances.
- The parent or the eligible student has the right to access that student’s education records.
- If the eligible student or parent disagrees with the content of a record, they can request a change.
This third scenario has the potential to get complicated. In cases where school officials refuse to grant a requested edit to a document, eligible students or their parents have a right to an official hearing. If the hearing doesn’t convince the school that the data should be changed, the student or parent can then enter a statement detailing their complaint into the record.
While the student’s right to data privacy is at the heart of this law, in some instances, institutions can share educational data without written permission from the rights holder. Here are a few of the most common examples.
FERPA exceptions for educational institutions
If you think you’re in a situation where FERPA allows you to share student data without signed consent, be careful. While there are a handful of exceptions to this key rule, they are both rare and narrowly defined.
“Exceptions where an institution doesn’t need consent are very specific,” Rooker says. “There’s one for a health or safety emergency, and one for audit evaluation by the Secretary of Education. But as a general rule, students have to consent, or parents have to consent, to records being disclosed outside the school or institution.”
Even when FERPA doesn’t require signed consent in order to share information, institutions, erring on the side of caution, may ask for that permission before releasing any records. The safest bet is to ask the eligible student or parent for a signed form, Rooker says.
All the official FERPA exceptions are in Subpart §99.31 of the act. We’ll go over the most common ones here. In addition to the carve-outs Rooker mentions, you may not have to obtain signed consent before sharing student data if
- The data constitutes “directory information.” You don’t need signed consent to disclose the kind of identifying data you’d find in a yearbook. According to the law, “directory information” in this context may include “the student’s name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.”
- The data is going to another school in which the student plans to enroll. “Generally, if a student is applying to another institution, you wouldn’t need signed consent to send a letter of recommendation,” says Rooker, citing one example of student information that can sometimes be shared without signed consent. “Now, if they were sending a letter of recommendation to a potential employer, then they would need consent because there’s not an exception that lets them provide information from the student’s record to a potential employer.”
- Financial aid providers need the data to determine the eligibility; amount; or conditions of the grant, scholarship, or other education funding. Note that this financial aid may have already been granted to the student, or they may be in the application stage. Either way, data can occasionally be shared if it helps students pay for school.
- The data is requested as part of an eligible study. Universities, educational agencies, and others can sometimes access student data in connection with a study to “develop, validate, or administer predictive tests; administer student aid programs; or improve instruction,” according to the act.
There are also exceptions to FERPA’s signed consent requirement for the legal world. Judicial orders and subpoenas can overrule the need for consent, and states have their own laws regarding student data and the juvenile justice system.
The list goes on, but there’s one FERPA exception that we need to discuss in more depth because it requires a detailed definition of an unfamiliar term: The case of “legitimate educational interest.”
When an institution can prove legitimate educational interest, FERPA may allow data to be shared without written consent
According to FERPA, data holders can share student information with “school officials with legitimate educational interests” without prior consent. So what exactly constitutes legitimate educational interest? The National Center for Education Statistics (NCES), a division of the U.S. Department of Education, says that it’s up to schools and agencies to establish their own criteria.
The NCES does suggest including the following factors in a FERPA-compliant “legitimate educational interest” policy:
- The data in question must be necessary for a school official to complete the tasks described in their job descriptions or contracts.
- The data must be relevant to a proper educational goal.
- Any education records shared between school staff must only be used for education, not for outside issues.
- School staff must use the student data for the reason the data was kept in the first place.
You can see why FERPA training is such an important part of establishing student privacy protocols. Go to Chapter 5 to learn more about this training, or keep reading to learn a few key facts about FERPA compliance.
FERPA compliance
Some of FERPA’s provisions are fairly straightforward. To comply with FERPA, educational institutions must
- Provide requested educational data to a student (or their parent) within 45 days
- Make requested changes to student records or be ready to convene hearings to contest those requests
- Notify parents and eligible students of their data rights under FERPA at least once a year
With plans and permissions in place, it’s simple enough to comply with these three requirements. But FERPA compliance can get trickier when it comes to sharing student data. What counts as education data under the law? What level of digital data security is needed to comply with FERPA? We’ll get deeper into these questions in this chapter.
Does FERPA apply to your educational institution?
Not all educational organizations are bound by FERPA. There’s one simple way to tell: If your school receives funding from programs administered by the U.S. Department of Education, it must comply with FERPA or risk losing those funds.
The educational agencies and institutions that typically receive funding through the Department of Education programs include
- Public elementary (or primary) schools
- Public middle and high (or secondary) schools
- Colleges and universities (or postsecondary schools)
According to the Department of Education, private or parochial schools below the postsecondary level usually don’t receive funds from programs that bind them by FERPA’s rules. Such institutions are often exempt from FERPA compliance.
Even private colleges and universities, however, are likely to accept payments through federal programs administered by the Department of Education: Pell Grants and the federal guaranteed student loan program are two examples. So most institutions of higher education must comply with FERPA to accept federally assisted tuition.
Once you determine that FERPA does apply to your institution, you’ll need to spread awareness of the law’s details to all relevant staff. You may want to get FERPA certification. If you do, understand that there’s no official certification program from the Department of Education.
Institutions often certify their own employees or seek certification from third-party organizations, but there’s no national standard. To increase FERPA awareness among school staff, you’ll need FERPA training. We’ll discuss that topic in detail in Chapter 5 of this guide.
Because many FERPA violations are the result of mishandling education data, it’s important to discuss what that data is and how schools can maintain it in a FERPA-compliant manner — whether it’s on paper or in the cloud.
What are “education records” according to FERPA?
Under FERPA, school employees are forbidden from disclosing information from “education records” without an eligible student or parent’s written consent. But not every word jotted down by a teacher counts as an education record. Here’s how education records are defined in the Act:
- According to 34 CFR § 99.3, education records are “directly related to a student” and maintained by the “educational agency or institution or by a party acting for the agency or institution.”
- These records can take any form in any medium: paper, digital, audio, video, etc. “FERPA is technology neutral,” Rooker says. “It doesn’t say, ‘You have to create records in this format only.’ It says, ‘It doesn’t matter the format you create the record in — your institution is responsible for protecting it.’ ”
- For the most part, then, all data your school retains about students can be considered education records — with a few exceptions:
- Notes for personal use don’t count as education records, so teachers can write down memory aids about students without concern.
- Student information that’s created and maintained by or for law enforcement agencies is not considered an education record under FERPA.
- Records a school receives after the student leaves that school don’t qualify under FERPA unless they concern the student’s earlier attendance at that school.
As Rooker explains, both paper and electronic student records must be protected under FERPA. For paper files, restricting access to a few authorized employees and keeping files under lock and key are traditional methods of protecting student data. The question of digital security requires a bit more unpacking.
FERPA compliance with digital student records
“Electronic records are no different than paper records when it comes to protecting the privacy of these documents,” Rooker says. “You have to make sure that whatever security you have works.”
Unfortunately, FERPA doesn’t prescribe a particular type or level of digital security. It simply states that the data must not be disclosed without signed consent. Both data-collection and data-storage systems must be protected from accidental disclosure and malicious attacks.
Complying with industry security standards is a great place to start with digital FERPA compliance. For example, JotForm provides secure transmission of its online forms with the highest available levels of data security, including
- 256-bit SSL encryption for all forms
- Optional RSA 2048 encryption
- PCI DSS Service Provider Level 1 compliance
- GDPR compliance
- HIPAA-compliant forms and integrations
- Optional CAPTCHA protection
- Adjustable privacy settings
For more information on data security, see our comprehensive guide.
In addition to these basic protections, however, FERPA compliance also requires school officials to authenticate the identity of eligible students or parents before providing access to digital records.
Establishing a “reasonable expectation of authentication” for student data
FERPA compliance requires strong identification procedures to make sure you’re actually interacting with the eligible student or parent before disclosing protected information. “If you’re giving access to your student information system, there has to be a robust process in place for establishing a secret PIN or password,” Rooker explains. He advises that education officials learn from the banking industry, which shares these identification concerns.
Rooker says, “If you forget your ATM PIN, you can’t call up the bank and say, ‘Hey, can you give me a new PIN?’ They won’t do that. They’ll say, ‘We’ll send you one to your address on record. It’ll come through the U.S. mail and you’ll get it that way.’”
Educational institutions should use a similar process to establish what the Department of Education calls a “reasonable expectation of authentication.” That doesn’t have to be a PIN sent in the mail; it may take the form of displaying a driver’s license on a video call, mailing a notarized copy of state ID, or other, more novel approaches.
But taking the caller or emailer’s word as proof of identity is not enough. “There needs to be a robust identification process before you give access to education records,” Rooker says.
With security protocols in place for both physical and digital student records, you’re one step closer to full FERPA compliance. But what happens if you fail to fully comply with the act? In the next chapter, we’ll go deeper into the subject of FERPA violations — and how to avoid them.
With security protocols in place for both physical and digital student records, you’re one step closer to full FERPA compliance. But what happens if you fail to fully comply with the act? In the next chapter, we’ll go deeper into the subject of FERPA violations — and how to avoid them.
FERPA violations and consequences
“FERPA violations run the gamut from denying the student access to their education records to improperly disclosing information,” Rooker says. “Institutions disclosing information without consent or without meeting one of the exceptions to signed consent are big ones.”
Improper disclosure can occur in lots of ways. To illustrate that point, Rooker shares an example of a real-life FERPA violation he investigated while at the Department of Education.
The institution provided a web-based portal that gave eligible students online access to their own education information. This access was protected by the student’s password, which could have been acceptable under FERPA rules — except that the system only required a social security number and date of birth to reset the password through the website.
Rooker describes how that system violated FERPA, and how this violation was uncovered:
“In this particular instance, it was the [eligible student’s] father who went to the records website, clicked a button that said, ‘I forgot my password,’ and put in his son’s social security number and date of birth, and then got access to all of [his son’s] records. The son became aware [of the breach] because his parents were going through a divorce, and his records ended up in court as part of the divorce proceedings.”
The school officials in this story made one major mistake. They failed to establish a reasonable expectation of authentication. But the broader implication is that they failed to fully understand the law. They weren’t thorough and intentional about FERPA compliance.
“You have to make a reasonable effort to protect student records, and that school’s effort clearly was not reasonable,” Rooker says.
Often, FERPA violations involving improper disclosure occur in a moment of absentmindedness. Without training and constant attention, it’s easy to make mistakes. Consider these other FERPA violation examples:
- Emailing protected student information to everyone in the class
- Including social security numbers on shared documents
- Posting grades and identifying information in public
- Publicly disclosing a student athlete’s academic status
For more examples of FERPA violations from the field, read our blog on the subject.
If you do get caught violating FERPA and refuse to come into compliance, here’s what might happen.
FERPA violation penalties
The most extreme consequence for violating FERPA is the loss of federal education funds. To get to that point, however, would take willful disobedience of the Department of Education’s Family Policy Compliance Office (FPCO).
Prior to banning institutions from receiving federal funds, FPCO takes a number of steps. Most FPCO investigations begin as complaints or are self-reported — and FPCO encourages schools to self-report since the ultimate goal isn’t punishment but rather voluntary compliance with FERPA.
Upon discovery of a violation, the FPCO first offers to help schools come into compliance with FERPA. If the institution still fails to fix the problem, FPCO may take punitive steps. According to training documents from the Department of Education, potential FERPA violation penalties include
- Cease and desist orders
- Freezing payments from Department of Education programs
- Denying eligibility for Department of Education funding
Again, these dire consequences won’t enter the picture unless an institution refuses to work with FPCO to improve its procedures. You’d have to completely ignore the law to risk the most serious penalties. “Ultimately, they could take away Department of Education funds,” Rooker says. “But that would take an institution not coming into compliance with FERPA after an investigation.”
The best way to avoid FERPA violations, of course, is to provide adequate training for all relevant employees. We’ll discuss what that looks like in the next chapter.
FERPA training
“The best protection for education records is training,” Rooker says. “There’s no substitute for that. You’re not going to know if your records are secure unless you’re really steeped in [FERPA].” So how do you provide FERPA training for teachers and other school staff? Many organizations provide FERPA certification programs; here are some of the top options:
- Conduct FERPA training in house. University registrars often provide FERPA training for teachers and other employees themselves. Initial and refresher training courses from experts at your institution can help reduce the likelihood of violations. Many postsecondary schools operate in-house FERPA certification programs for staff, including Purdue University, the University of Massachusetts Amherst, and Washington State University.
- Online training modules from the Department of Education. Free, introductory online training courses are available from the Department of Education’s Privacy Technical Assistance Center and the Student Privacy Policy Office. Courses may change and/or grow, but for now, they offer modules called FERPA 101: For Colleges & Universities, FERPA 101: For Local Education Agencies, and FERPA 201: Data Sharing under FERPA.
- FERPA compliance training from AACRAO. AACRAO offers FERPA training for faculty and staff at colleges and universities, both online and on campus. Rooker conducts interactive FERPA training through AACRAO and tailors each session to match the audience’s needs. During AACRAO FERPA training, “I start at the beginning of the regulations, hit the highlights, and, in the process, generate questions. I tell stories about investigations we did when I was at the Department and give vignettes about the way violations can happen,” Rooker says. “A lot of the training content is generated through interaction with the participants and answering their questions.”
The goals of any FERPA training should include raising awareness among staff, covering compliance basics, and answering staff questions. Teachers as well as any employees with access to student data should receive FERPA training on an ongoing basis.
Two questions that often come up at FERPA training sessions involve the transmission of digital data and the proper use of signed consent forms. The next chapter provides introductory guidance on the use of these instruments, which we’ll refer to collectively as “FERPA forms.”
FERPA waivers and forms
If you work in education, odds are you’ve heard the term — but what is a “FERPA form?” In most cases, it’s a document that provides signed consent for the release of education records to anyone other than the parent or eligible student. Other common terms that refer to signed consent forms under FERPA include
- FERPA waiver form
- FERPA release form
- FERPA release authorization
- FERPA consent form
They’re all essentially the same thing and serve the purpose of providing signed consent to disclose the records FERPA protects. “The consent requirement is part of protecting the privacy of the record,” Rooker explains. “The student has a right to determine who can be given access to those records.”
A FERPA signed consent form for an eligible student (one who’s 18 years old or attending a postsecondary school) should contain, at minimum, the following elements:
- Student name and identifying information (student ID number, date of birth, etc.)
- Student contact information (phone number, email address, etc.)
- Institution name and identifying information
- Authorized recipient name, contact information, and relationship to student
- All records the form gives permission to release (e.g., transcripts, application documents, recommendation letters, etc.)
- A statement of permission to share protected education records
- Student signature and date
Depending on the institution and the application, FERPA signed consent forms may require other information than what appears on this list; again, it’s always best to check with a privacy attorney about specific questions.
FERPA release forms for parents
For students under 18 years of age and in elementary or high school, a parent must provide the signed consent to release education records. A FERPA release form for parents should contain essentially the same information listed above, along with
- Parent name and relationship to student (mother, father, legal guardian, etc.)
- Parent signature and date
- Parent contact information (phone number, email address, etc.)
Note that an eligible student may wish to provide signed consent to release education records to their own parents. This is the student’s right; when they become eligible, students have power over their own education records, and school officials cannot release those records to parents without the student’s signed consent form.
A signed consent form permitting a parent to receive an eligible student’s grades is another type of “FERPA release form for parents.” Typically, though, the term refers to forms signed by the parent for an ineligible student. Learn more about FERPA forms in this blog post.
Online FERPA release forms from JotForm
Remember that FERPA is technology neutral. The law doesn’t state that signed consent forms must be paper and ink — and there are a lot of good reasons to choose online forms. Not only are they more convenient and incredibly secure, but online forms reduce paper consumption, which helps the environment.
Online FERPA forms from JotForm meet the highest standards of data security to safely protect student records during transmission. And JotForm has a long history of working with educational institutions to simplify all sorts of processes, both in the classroom and in administrative offices. We even offer a 50-percent discount on paid plans for educators. If you’re ready to start collecting FERPA signed consent forms digitally, sign up for JotForm today.