FERPA Compliance and Requirements
In this article, we look at what FERPA legislation is, how FERPA has evolved, and how to comply with the FERPA privacy rights provided to parents and students.
What is FERPA?
The U.S. Department of Education provides this description of FERPA:
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student (“eligible student”).
When did FERPA become law and why was it introduced?
The Electronic Privacy Information Center explains that FERPA was signed into law by President Ford in 1974, when it was commonly known as the Buckley Amendment after its principal sponsor Senator James Buckley.
In a speech explaining the Act to the Legislative Conference of Parents and Teachers, Senator Buckley said FERPA was adopted in response to “the growing evidence of the abuse of student records across the nation.”
Senator Buckley and Senator Claiborne Pell explained that the intent of FERPA was to answer the need for parents to have access to information contained in student education records in order to protect their children’s interests.
How has FERPA evolved since its enactment?
FERPA has been amended eleven times since its enactment, often to identify which personally identifiable information (PII) can be disclosed without the consent of parents or students.
In 1979, state and local educational officials were granted access to records that might be necessary in connection with the audit or evaluation of any federal- or state-supported education program.
Amendments in the 1990s granted alleged victims of violent crimes access to student disciplinary records, and crime logs were exempted from FERPA.
As part of the 2001 USA PATRIOT Act, Congress added an amendment that allowed the attorney general, or a representative, to request a court order requiring an educational institution to permit the attorney general to collect, retain, disseminate and use education records relevant to an authorised investigation or prosecution of an act of domestic or international terrorism.
A 2008 amendment changed the definition of PII to include a definition for “biometric record,” which includes fingerprints, DNA, facial characteristics, and handwriting. Finally, in 2013 FERPA compliance requirements were amended to permit educational agencies and institutions to disclose PII of students in foster care to an agency caseworker.
FERPA protects the privacy rights of parents and eligible students
FERPA provides privacy rights to parents with regard to their children’s education records. The privacy rights transfer to the child when he or she reaches the age of 18, at which point the student becomes eligible for rights under FERPA.
Schools are required to respond to parents’ and eligible students’ inspection requests within 45 days. Parents and eligible students have the right to request that education records be amended if the records contain information that is inaccurate, misleading, or in violation of the student’s privacy.
If schools decide to decline to make requested changes, the matter is referred to a hearing.
‘Legitimate interest’ requests for PII under FERPA
As under GDPR, ‘legitimate interest’ is a required component under FERPA for acquiring access to PII.
Someone with a legitimate interest in a student’s PII is likely to be granted access. However, abusing or wrongly claiming legitimate interest is likely to lead to prosecution.
Acknowledged legitimate interest requests to access student PII include:
School officials who have a legitimate educational interest in the information
Other schools or post-secondary institutions where the student is planning to enrol
Government departments for purposes of audit or evaluation
Disclosure for matters related to financial aid
Disclosure to officials within a juvenile justice system
Disclosure for studies intended to improve educational instruction
Disclosure in connection with a health or safety emergency
Compliance with a court order
Requests can also be made for ‘Directory information’ such as the student’s name, address, telephone number, date and place of birth, field of study, dates of attendance, photographs, and e-mail addresses. However, parents and eligible students must be afforded time to inform the school that they refuse to allow their information to be treated as directory information.
Schools are required to maintain a record of all individuals or organisations that have made requests or obtained a student’s education records.
Schools’ records of PII requests must state the specific interest that each requesting party has in the student’s information. Third parties who obtain access to student education records must agree not to disclose the information to anyone else without a parent’s or eligible student’s written consent.
COVID-19 pandemic: a FERPA ‘health or safety emergency’
Health records, including immunisation records, are classified as education records under FERPA.
While schools are generally prohibited under FERPA from disclosing PII from student records without prior consent, the COVID-19 pandemic was deemed a ‘health or safety emergency,’ which meant FERPA’s general consent rule no longer applied.
Educational agencies and institutions are able to disclose PII from student records to appropriate parties in connection with the emergency without prior consent. School officials can make a decision on a case-by-case basis to disclose PII about a student if it is considered necessary to protect the safety of other individuals.
What are FERPA compliance requirements for schools?
Complying with FERPA legislation is relatively straightforward:
Provide data to a parent or student within 45 days
Amend records as requested, or hold hearings
Remind parents and students annually of their FERPA rights
Do not share students’ education records without written consent, unless the request is a recognised exception
However, FERPA is unclear on the requirements for storing and securing education data. The legislation does not specify how data is to be stored or a data retention period. FERPA only states that a record may not be destroyed if outstanding requests to inspect the file exist.
Summary of FERPA protections and exclusions
What records are protected by FERPA?
FERPA guidelines define two main categories of protected data.
Educational information, namely records related to grades, transcripts, financial records, assessments and attendance
Directory information, which is administrative PII such as addresses, phone numbers and enrolment dates. Directory information is only kept private if the student requests privacy
What records are not protected by FERPA?
Records that are unrelated to a student’s education are exempt from FERPA regulations. Exemptions include:
Law enforcement records
Employment records for students hired by the institution
Medical records such as counselling and clinic services
Records created after the student has left the institution
After a student attains 18 years of age, their parents or guardians must have the authorisation of the student to see FERPA protected documents.
Who is exempt from FERPA jurisdiction?
FERPA exemptions include:
Officials who have legitimate educational interest in the student’s records
Contractors outsourced by the institution for educational services
Other institutions where the student seeks enrolment
Financial aid entities
Bodies compelled to disclose information based on a subpoena or judicial order
Health or safety emergency services
Authorities associated with juvenile justice systems
What are the penalties for FERPA compliance failure?
Under FERPA, affected students or parents are not allowed to sue an institution that exposed their information. Only the U.S. Department of Education can sue educational institutions, and there is a range of penalties that includes financial penalties.
Individual personnel who breach FERPA may find themselves:
Barred from accessing institutional resources related to their jobs, including access to educational platforms or student records
Prosecuted individually under criminal codes related to theft or fraud
Terminated from their position in the institution
Additionally, an institution that does not comply with FERPA and shows no move to do so may face a total loss of federal funding.
Check our article on FERPA violation examples and consequences.
When is a photo or video of a student an education record under FERPA?
The U.S. Department of Education says that, as with any other education record, a photo or video of a student is an education record, subject to specific exclusions, when the photo or video is: (1) directly related to a student; and (2) maintained by an educational agency or institution or by a party acting for the agency or institution.
However, FERPA regulations do not define what it means for a record to be “directly related” to a student, as opposed to incidentally related to him or her. The DoE suggests that educational agencies and institutions should examine photos and videos on a case-by-case basis to determine if they directly relate to any of the students shown.
The DoE identifies factors to help determine if a photo or video should be considered “directly related” to a student, such as:
The educational agency uses the data for disciplinary action
The data shows a student in violation of a law
The data shows a student getting injured, attacked, victimised, ill, or having a health emergency
The body taking the photo or video intends to make a specific student the focus of the photo or video (e.g., ID photos, or a recording of a student presentation)
A photo or video should not be considered directly related to a student in the absence of these factors and if the student’s image is incidental or captured only as part of the background, or if a student is shown participating in school activities that are open to the public and without a specific focus on any individual.
Does FERPA require video data redaction?
Historically, FERPA regulations covered paper and computerised education records, directory information and de-identified data. Today, data may be held in the form of digital records such as video and audio. De-identified data is data from which all PII has been removed and a reasonable determination has been made that a student is not personally identifiable.
FERPA guidelines suggest that a surveillance video that, for example, shows two students fighting in a hallway, that the school uses and maintains to discipline the two students, would be “directly related to” and, therefore, the education record of both students. However, are other students and people captured in the video footage to be considered incidental or is their PII at risk?
When a video is an education record of multiple students, in general, FERPA regulations require the educational institution to allow, upon request, a parent or eligible student to inspect and review the video. However, the DoE advises that schools make best efforts to protect the PII of people captured in videos and photographs whose data is not directly related.
If the educational institution can reasonably redact or segregate out the portions of the video directly related to other students, without destroying the meaning of the record, then the educational agency or institution would be required to do so prior to providing the parent or eligible student with access.
The importance of FERPA compliance and FERPA training
Protecting students’ privacy should be a priority for any academic body. FERPA violations can lead to DoE investigations, which in turn can result in withdrawal of federal funding from the DoE and other federal agencies.
Teachers, administrators, and third-party vendors must be trained to ensure that records aren’t disclosed without authorisation. Training is especially important to prevent accidents, such as mistakenly sending emails containing academic information to unauthorised parties.
Recommended FERPA best practice
Recommended best practices include:
Encryption to prevent unauthorised data disclosure during use or transmission
Security controls such as firewall security and anti-malware software to prevent unauthorised data access
Access control such as role-based access controls to limit the disclosure of information to authorised parties
Monitoring and logging of record-level and user-level events to ensure security and integrity
Stakeholder disclosures, including annual updates on parent and student rights under FERPA, with PII opt-out options
Continuous training of administrators, teachers and contractors about their FERPA obligations
Facit helps educational bodies to comply with FERPA privacy regulations
Complete our enquiry form to find out about our video redaction and document redaction tools that enable schools to manage compliance in-house by automatically removing PII and sensitive data prior to releasing information.