FERPA: What It Means and How It Works

September 28, 2023

The Family Educational Rights and Privacy Act (FERPA), also known as the Buckley Amendment, was signed into law by President Ford in 1974. FERPA was created to protect the personally identifiable information stored in student education records. The rights and protections of FERPA are complex, with some limitations and exceptions. 

Schools need to maintain FERPA compliance to protect their students and avoid penalties. FERPA violations are common in educational administrations that don’t fully understand the law. In this guide, we’ll discuss FERPA in detail and provide tips on improving student privacy at your school. 

What Is FERPA?

FERPA is a federal law that protects student education records. FERPA applies to any K-12 and postsecondary public or private school that receives funds from the U.S. Department of Education. The two main purposes of FERPA are to give families control over their child’s education records and to prevent schools from sharing information from a student’s education records without written consent. 

FERPA gives parents or caregivers the following rights: 

  • To access their child’s education records.
  • To request changes if their child’s records are inaccurate or misleading.
  • To control who has access to their child’s education records (with some exceptions).

When a student turns 18 or enrolls in postsecondary education, these rights pass from the parent or caregiver to the child. 

What Are Education Records?

Education records include any files or documents maintained by the school system that are directly related to a student. FERPA applies to education records whether they are printed, handwritten, or kept in a visual, audio, or digital format. For example, FERPA protects:

  • Information about a student’s race, gender, citizenship, address, and social security number.
  • Attendance records, enrollment records, discipline records, a student’s class schedule, and grades.
  • Notes written by a teacher or administrator that have been shared or discussed with other staff.

Permitted Disclosures

There are a few exceptions where FERPA permits schools to disclose student education records without consent. Permitted disclosures include: 

  • When a student transfers to another school
  • When a student applies for financial aid
  • For evaluation or auditing purposes
  • For research studies 
  • For accrediting organizations 
  • In health and safety emergencies 
  • To comply with a lawful subpoena 
  • For state and local authorities 
  • When school officials display a legitimate educational interest

What About Directory Information?

Another exception to FERPA is directory information. According to FERPA, schools can disclose directory information without consent as long as they provide public notice of what is considered directory information. Parents and eligible students must also be allowed to opt out to keep their directory information private. Directory information is basic demographics that schools can share without harming students or invading their privacy. Examples of directory information include a student’s:

  • Name
  • Address
  • Telephone number
  • Birthday
  • Participation in school sports
  • Honors and awards

What Does FERPA Mean for Students?

FERPA helps protect students by protecting their private information. Student records are full of personal details and academic information that could affect the student’s reputation and opportunities in the future. While a student is under the age of 18 and enrolled in K-12 education, their parents can access their education records and consent to share those records on their behalf. Once a student turns 18 or enrolls in postsecondary education, they become responsible for their education records. 

Why Is Student Privacy Important?

Schools collect a lot of data about their students and may not realize how important it is to keep this information secure. Here’s why student privacy and data protection should be a priority.

Quantity of Information

Student privacy is especially important as students are being asked to share more information with educational institutions than ever before. For example, in some cases, distance learning has become standard when school is closed due to inclement weather. Online classes that record audio and video collect large amounts of student data.


In the digital age, more information is stored online, where it’s vulnerable to cyberattacks. Education is targeted by malware frequently. Microsoft Security Intelligence reported nearly 7 million malware encounters in the education industry just in the past month. Schools must consider the safety of online learning software before implementation.

Student Safety

FERPA protects student information except in the case of medical emergencies. If something happens, revealing this information helps ensure that students receive the proper medical treatment. 

Protecting Students With Disabilities

While a student’s education record should not contain specific medical records, it may include notes or messages that reveal a child’s disability or medical condition. Students and their families have the right to decide who has access to this information since revealing their health could expose them to discrimination or harassment. 

What Are the Most Common FERPA Violations?

FERPA violations often occur when schools don’t fully understand the law. Here are the most common FERPA violations that teachers and administrators should take extra precautions to avoid.

1. Releasing Information Without Consent

One of the most common FERPA violations is releasing student education records without consent. Examples of this violation include: 

  • Accidentally or purposefully emailing student information to unauthorized parties. 
  • Sharing a student athlete’s academic status with unauthorized parties.
  • Sharing a student’s grades or identifying information with unauthorized parties. 
  • Including a student’s social security number on shared or unprotected documents.

2. Not Securing Student Records Properly

Under FERPA, schools are responsible for protecting student records, whether they are stored electronically or in paper form. A violation occurs when schools allow unauthorized personnel to access these documents on purpose or by mistake. It’s also considered a violation when schools fail to properly dispose of records that are no longer needed. 

3. Denying Authorized Access

According to FERPA, parents have the right to access their child’s records while the student is under age 18 or enrolled in K-12. Denying authorized parties access to these education records is a FERPA violation. 

4. Failing to Inform Parents of Their Rights

Schools are obligated to inform parents and students of their rights at least once a year. They are also required to announce any changes to the school’s FERPA policy. Not meeting this expectation is a common violation. 

FERPA Violation Consequences and Penalties

The most extreme penalty for misuse or improper disclosure of student education records is loss of funding from the U.S. Department of Education. However, it would take a major act of intentional disobedience for a school to reach that point. 

The Department of Education’s Family Policy Compliance Office (FPCO) is responsible for resolving FERPA violations. FPCO’s mission is to help schools maintain FERPA compliance instead of punishing them for their mistakes. When a violation is reported, FPCO offers to help schools adjust their operations to become compliant. Schools that refuse to make any changes may experience the following consequences: 

  • Ordered to cease and desist 
  • Ordered to pay fines 
  • Paused payments from the Department of Education 
  • Denied eligibility for future funding from the Department of Education
  • Loss of accreditation 


Understanding FERPA is crucial to maintaining compliance. Here are answers to some of the most commonly asked FERPA questions.

What Is a FERPA-Eligible Student?

A FERPA-eligible student is one who has turned 18 years old or is enrolled in postsecondary education. For example, a 17-year-old child attending college is considered an eligible student, according to FERPA. When a student becomes eligible, the rights that belong to the parent under FERPA are transferred to the student.

However, some postsecondary institutions may still allow parents to access their child’s education records if they still claim the student as a dependent on their federal taxes. 

What Are the Two Types of Educational Records According to FERPA?

The two kinds of educational records are: 

  1. Any record, file, or document that contains information directly related to a student.
  2. Any record, file, or document maintained by the educational institution or its employees.

The following examples are not considered educational records:

  • Notes taken by a teacher or staff member that have not been shared with any other person besides a substitute
  • Records made by law enforcement for the sole purpose of enforcing the law
  • Student information that is considered directory information 
  • School calendars or general announcements 
  • A student’s private health records 
  • Grades given by peers before they have been collected and recorded by the teacher 

Does FERPA Apply to K-12?

Yes, FERPA protects student records throughout grades K-12 and beyond. While a child is under 18 and enrolled in K-12 education, the rights extended under FERPA apply to the parent or guardian of the student. When they turn 18 or enroll in postsecondary education, FERPA rights are passed to the student. 

Does FERPA Apply to Private and Independent Schools?

FERPA only applies to private or independent schools that receive funds from the U.S. Department of Education. Private, independent, and parochial schools that do not receive federal funding are not subject to FERPA. 

Does FERPA Prohibit Classroom Observations?

No, FERPA doesn’t prohibit classroom observations. School staff members are often required to observe the classroom for teacher evaluations. 

Parents are also permitted to schedule a formal classroom observation to help determine their child’s educational placement. However, under FERPA, a teacher is not allowed to discuss a student’s education record with the parent of another student who is observing the class. The school can also prohibit families from taking any photos or recordings in the classroom without consent from the families of every child.

Does FERPA Apply to Videos?

Yes, videos recorded by a qualifying school that contain information directly related to a student are protected under FERPA. If a parent asks to review a video of their student, the school must arrange a viewing. However, FERPA doesn’t apply to videos of routine student activities that don’t relate to any particular child. For example, security footage of students eating lunch or walking through the hallway is not applicable, unless the video captures an incident like bullying or a fight. 

What Should Schools Include in an Education Record?

Under FERPA, there are no specific rules about what kind of information schools should collect. Here’s what most schools include in an education record: 

  • Attendance: Complete attendance history while the student is enrolled at the school
  • Immunizations: Record of immunizations that the student has received that are required for school entry 
  • Physical exams: Record of yearly physical examinations 
  • Disciplinary records: Complete disciplinary history while the student is enrolled at the school
  • Emergency contact information: Record of who to contact in case of an emergency
  • Test scores: Record of standardized test scores 
  • Confidential file: Extra file for students in special education with an IEP or 504 plan

Do Private or Independent Schools Have to Share Student Education Records With Military Recruiters? 

Secondary schools—or high schools—are required by the Elementary and Secondary Education Act (ESEA) to share the following directory information with military recruiters:

  • Student name 
  • Student address
  • Telephone listing 

If a parent or eligible student has opted out of sharing directory information, the school must get written consent first. 

Private secondary schools that receive funding from the federal government are also subject to this law. The only exception is private secondary schools with a verifiable religious objection to serving in the military. 

Can School Officials Share Personal Knowledge or Observations?

Since FERPA specifically protects education records that are recorded and maintained by the school, information that a school official obtains through their own observations or personal knowledge is not protected.

Teachers and administrators can share information they learned from their own experiences unless that knowledge was obtained through their official role. For example, if the school principal suspends a student for poor behavior, they can’t disclose that information without consent. 

How Are Education Records Protected in a School Study?

Schools are allowed to disclose personally identifiable information from education records to community-based organizations for the purpose of a study if: 

  • There is a written agreement between the school and the community-based organization that outlines how sensitive information will be handled.
  • Personally identifiable information is only disclosed to members of the organization who have a legitimate need to access the information to complete the study.
  • The organization agrees to destroy personally identifiable information when it’s no longer needed for the study.

How to Improve Student Data Privacy at Your School

As schools collect more information from students on digital platforms, protecting student education records must be a priority. Follow these tips and best practices to better protect student data and privacy.

1. Assess Your Strengths and Weaknesses

The first step to improving student data privacy is assessing your current security efforts. Evaluate the strengths and weaknesses of your record keeping and ensure your operations are FERPA compliant if necessary. Make sure you also consider the security policy and procedures of any third-party software that you use for data collection. This will help you identify and prioritize necessary changes to your student privacy policies. 

2. Implement Strict Data Privacy Policies

A strict data privacy policy serves as the foundation for maintaining FERPA compliance. Schools should establish clear rules and directions for collecting and sharing student data. 

Your data privacy policy will ensure that teachers and administrators handle student education records properly. A transparent privacy policy helps establish trust with parents and eligible students by recognizing their rights and responsibilities. Implementing a detailed data privacy guide also makes it easier to identify when a violation is committed. 

3. Destroy Outdated or Unused Files

Storing a bunch of old files creates more opportunities for security breaches and FERPA violations. Assign an administrator to find and dispose of unused and outdated files regularly. This includes digital and physical documents. Paper files with personal student information should be shredded before they are thrown away. 

4. Encrypt Sensitive Data

Encrypting sensitive information before sharing it on digital platforms like email provides an extra layer of protection from cyber threats. Apps or software with an encryption service make this process extremely easy.

5. Provide Staff Training

Accidental data leaks and FERPA violations are often caused by staff. Help prevent mistakes by teaching your employees about FERPA and how to keep education records secure. Faculty members who are well-versed in FERPA and understand the importance of student data privacy are less likely to cause a breach. 

Provide staff training on when and with whom it’s appropriate to share FERPA-protected information. Use real-life examples that teachers and administrators may experience during their careers. Encourage them not to access sensitive student information without a legitimate reason.

6. Monitor Cybersecurity Threats

Schools are often a target for ransomware attacks because they collect and maintain a lot of sensitive data. The frequency and severity of cybersecurity attacks against K-12 schools have been increasing in recent years. Hackers are stealing and threatening to leak confidential student information unless a ransom is paid. Schools must invest in technology and IT staff to monitor cyber threats and test digital security to prevent a major data breach. 

7. Limit Access to Records

One of the most common causes of data breaches in schools is human error. Limiting who has access to sensitive student information can help minimize this risk. Giving your entire faculty access to every student record increases the risk of FERPA violations. 

Only allow teachers and administrators to access education records when they have a legitimate need. For example, teachers should only be permitted to view student records for the children in their class, and only the nurse should be able to see students’ vaccination records. 

8. Review the Privacy Policy of Third-Party Tools

Many schools rely on third-party tools and applications for collecting and storing student education records. Carefully review the terms of service and privacy policy of any external software to ensure it meets your standards for FERPA compliance. Pay close attention to the kind of data they collect and how they keep it secure. 

Protect Student Data With Ravenna 

At Ravenna, we understand the importance of keeping sensitive student information private and secure. We offer sophisticated admissions software for independent K-12 schools. Our solution has built-in encryption software to protect student data from hackers. We’ll help you streamline your admissions process while maintaining FERPA compliance. 

Ravenna integrates with BigSIS to provide a completely secure school management and student information system. Request a demo today and discover how Ravenna and BigSIS can help you protect student data. 

Nina Bernardi
