In this article we look at why FERPA compliance is becoming more difficult, some common FERPA violations, potential penalties, and ways in which schools can minimise the risk of FERPA violations.
What is FERPA?
The U.S. Department of Education (DoE) records that the Family Educational Rights and Privacy Act (FERPA) is designed to protect student data at schools that receive funding from the DoE. DoE funding covers about 8 percent of the budget for U.S. elementary, middle and high schools, and also contributes to college and university operations through student aid programs.
As we noted in our recent article on FERPA Compliance, the fundamentals of FERPA are relatively straightforward, and comprise two core elements.
Institutions must protect the privacy of their students’ education records
Institutions must give students access to their education records on request
However, FERPA compliance is becoming more complicated, and the risks of violation are more involved, owing to several factors.
Why are FERPA violations becoming a bigger risk?
The amount of student data being collected and stored is increasing exponentially. As more technology is used to store and transmit data, it requires additional effort by schools to comply with FERPA.
Disentangling FERPA requirements can also prove difficult owing to its ambiguous definitions and multiple exceptions. FERPA has been amended eleven times since its enactment in 1974, often to identify which personally identifiable information can be disclosed without the consent of parents or students.
Educational institutions require strict guidelines for implementing measures to protect the privacy of their staff and students. Specialist software tools, such as Facit’s document redaction software, accelerate the process of achieving this goal.
What are the most common examples of FERPA violations?
A former FERPA administrator has published a list of the most common FERPA violations, which range from accidental to negligent in nature.
FERPA violation example No. 1: Letters of recommendation
This FERPA violation is complicated by the fact that there are exceptions. Letters of recommendation typically qualify as a component of a student’s education record, which would suggest that a parent or eligible student’s consent is required. However, educational institutions do not need consent to send letters of recommendation to other schools.
This ‘no-consent’ exception does not apply when schools share letters of recommendation outside of the educational system. To provide a letter of recommendation to a potential employer, the school needs consent in writing.
FERPA violation example No. 2: A group email to multiple recipients
As we have noted many times previously, email transmission errors are the cause of many GDPR data privacy breaches logged by the ICO. Email formatting errors present a comparable risk of FERPA data breach.
When the email sender forgets to use blind carbon copy (BCC), protected or sensitive information can quickly and inadvertently be shared with multiple recipients.
FERPA violation example No. 3: Explaining a student’s absence
It is easy to violate FERPA unintentionally when sharing information casually. The former FERPA administrator identifies a case in which a sports coach discloses that a star player is not eligible to play because of academic failing.
Students’ academic standing is protected information. Telling other students that their classmate is on probation, or suspended from activities, owing to a declining grade point average, is a FERPA violation.
What are the penalties for FERPA violations?
Violating FERPA can have serious consequences. Here are some of the potential penalties for FERPA violations:
Loss of funding: Educational institutions face a loss of federal funding support for violating FERPA.
Legal action: Individuals whose privacy rights have been violated may file lawsuits against the violating institution and seek damages.
DoE action: The DoE can take action against institutions, for example, by imposing fines.
Accreditation loss: Institutions may lose accredited status, which can affect their reputation and, potentially, their ability to operate.
Employee disciplinary action: Employees who violate FERPA may face disciplinary action, such as reprimands, suspensions, or termination.
Injunctions: Courts can issue injunctions to prevent further violations and instruct corrective actions.
Civil penalties: The DoE can impose substantial civil penalties on institutions that violate FERPA.
Criminal charges: Wilful violations of FERPA can result in criminal charges and imprisonment.
Corrective measures: FERPA offenders may be required to take corrective measures to improve privacy policies, staff training and data security measures.
The severity of penalties varies based on factors such as the nature of the violation, the amount of harm caused, and whether the violation was intentional or unintentional.
Recommended steps to avoid common FERPA violations
Make staff, parents and students aware of FERPA
By making stakeholders fully aware of FERPA’s mission, FERPA violation consequences and the requirements for compliance, educational institutions build better understanding and reduce the likelihood of privacy breaches.
Be clear about what information FERPA protects
Student records contain an enormous amount of information, including report cards, grades, GPA, transcripts, medical records, disciplinary records, family contact information, course schedules, attendance records and psychological evaluations.
Student information falls into one of two categories: personally identifiable information (PII) or directory information.
PII is information that directly, or indirectly, identifies a student. Typical examples of PII are a student’s name and social security number. Indirect examples of PII include date of birth, place of birth and mother's maiden name.
It is a FERPA violation to disclose PII without the written consent of the parent or eligible student. The written consent is a document that identifies the information to be disclosed, the reason for the disclosure and the parties to whom it will be disclosed.
Directory information is information contained in an educational record that would not generally be considered to be an invasion of privacy. Directory information may include the student’s name and contact details, age, academic major, sports participation, and awards received.
Directory information is either not PII or is otherwise publicly available. However, a student’s name may constitute PII as well as directory information, and staff should be made aware of circumstances when directory information should be considered confidential.
Releasing FERPA information without consent
Under FERPA, high schools and the Department of Education are generally prohibited from disclosing personally identifiable information from a student's education records without the consent of the parent or eligible student. However, there are several exceptions where information can be released without consent:
1. School officials with legitimate educational interests
Information can be disclosed to school officials (teachers, administrators or contractors) who need access to the records to perform their professional duties.
2. Other schools
Records can be released to other schools or institutions where the student intends to enrol, or where the student is already enrolled, as long as the disclosure is for purposes related to the student's enrolment or transfer.
3. Authorised representatives
Certain government agencies and authorities (such as the U.S. Department of Education, state education authorities and accrediting organisations) can access records for audit, evaluation, compliance or enforcement purposes.
Information can also be released without permission to determine a student’s eligibility for financial aid.
These exceptions allow educational institutions to manage student records effectively while still protecting student privacy. Schools must also keep records of these disclosures and provide them upon request to the parent or eligible student.
Learn about all FERPA consent exceptions
In certain circumstances, schools are legally able to disclose records without consent. An example would be when providing information to another school where the student plans to enrol. There are many FERPA exceptions ranging from information requests by the Attorney General to information requests by bodies to which the student has applied for financial aid.
A full list of the US Department of Education’s FERPA exceptions is available online.
Promulgate the rights that FERPA provides
FERPA provides rights to parents and to students who are 18 years old or older, or entering post-secondary education. Parents or eligible students must be notified annually by the school of their FERPA rights. FERPA rights include the right to review records, to correct information, to refuse disclosure of directory information, to consent to PII disclosure, and to file a complaint about FERPA violations.
Staff training and sound FERPA policies
At Facit, we have long advocated that training is key to maintaining robust data privacy policies. FERPA has many exceptions that are easy to forget, but an unintentional violation is still a violation.
Training, together with the implementation of policies and procedures that comply with FERPA, makes it easier for teachers and administrators to comply.
Facit helps educational bodies with in-house FERPA data protection tools
Data encryption, server vulnerability tests, and compliance monitoring on school computers all help to prevent data privacy breaches.
One of the biggest risks of FERPA violations occurs when data is shared with third parties. Complete our enquiry form to find out about our video redaction and document redaction tools that enable schools to manage compliance by automatically removing PII and sensitive data prior to releasing information.