FERPA Compliance: A Complete Guide

FERPA compliance is the adherence to a federal regulation which requires educational institutions to protect the privacy of student education records. So, what does this law state, and what does it require?
Let’s find out.
What Is FERPA?
The Family Educational Rights and Privacy Act (FERPA), also known as the Buckley Amendment, came into existence in November 1974. Any school, school district, or institution that receives funding from the U.S. Department of Education (DoE) must comply with it.
This federal law covers any student details, including personally identifiable information (PII) and directory information, and serves two purposes:
- It gives parents of the student—or the student if they’re over 18 years of age—the right to see their records. If the records are incorrect, the parents can ask for them to be rectified. If the school refuses, the parents have the right to a formal hearing.
- It stops the school from sharing a student’s information without permission from the parents or the eligible student.
At this point, it’s important to note that not every document that mentions a student’s name is covered under FERPA. The law specifically applies to official school records only. And, those records don’t have to be paper documents either. Digital, email, video, or any other format maintained by the school is covered under FERPA.
The regulation does make a distinction between PII and directory information. Sensitive personal information, like Social Security numbers, grades, and disciplinary records, cannot be shared without explicit written permission, except in certain legal situations.
However, directory information is more general information, such as the student’s name, graduation year, or whether they participated in any sports. It can be shared without permission unless the student or their parent has opted out.
The law also automatically transfers rights from the parents to the student once they turn 18, or enroll in a college or university, whichever comes first. After this point, the school cannot disclose information to the parents without the student’s written consent—except in specific cases—as that counts as a violation of FERPA.

What’s Not Covered Under FERPA?
So, we mentioned earlier that not all documents mentioning the student are covered by FERPA. Here’s a list of some of them:
- Any record created by a teacher, professor, or staff member, for their own use and not shared with anyone: For example, a teacher’s private notes about a student are exempt. However, if the teacher shares them with other teachers, the notes become part of the student’s records and are, as such, covered under FERPA.
- Police or security records maintained by the school’s law enforcement department: These are not educational records, so the law doesn’t apply to them.
- Records of individuals who are employees of the school: These are covered by labor laws, as these individuals aren’t students. However, if the employee is also a student, their documentation is protected under FERPA.
- A student’s health records created by the school’s health services: These are covered under HIPAA as they are medical information and not educational data.
- Alumni records created after the student has graduated: This one’s somewhat obvious; once they’ve graduated and left the school, they are no longer students. Therefore, any information about them that’s collected from that point onward—alumni donation history, post-graduation contact details, etc.—is not covered under FERPA. However, any records from their days as students are still protected.
- Peer-graded papers before the teacher collects and records them: Any assignments or quizzes that are graded by other students are not official records and don’t require FERPA compliance. However, once the teacher collects and officially records them, they are protected under the law.
What Is FERPA Compliance?
The requirements for FERPA compliance are fairly simple. They can be divided into the following three categories:
Consent
Consent is the most important requirement of FERPA. A school cannot share a student’s PII from their educational records without the explicit written permission of either the parent or guardian, or the student, if they’re over the age of 18 or have enrolled in an institution of higher learning. This includes:
- Grades, report cards, or transcripts
- Disciplinary records
- Special education records (e.g. IEPs)
- Student health records, if they are maintained by the school and not a medical facility
- Financial aid and tuition records
It does provide some exceptions for which consent is not required. Information can be shared with:
- School officials—like teachers, counsellors, administrators, and IT staff—who need the information to do their job
- Another school, if the student is transferring or enrolling, and they ask for records
- Medical personnel, in case of health or safety emergencies
- Financial aid offices, who need the data to process grants, loans, and scholarships
- Law enforcement agencies and courts, if the information is required by a subpoena or legal process
- The state or juvenile justice authorities in certain legal situations
- The parents, if the student is under 21 years old and is facing disciplinary action for drug or alcohol abuse
As part of FERPA compliance, schools must also give the student or their parents access to their official records within 45 days of a request. The requesting party may ask for the information to be amended if it is incorrect.
The students can waive the right to view their records, but they must receive guidance and counseling before they can do so. This protects them from giving away their rights without understanding the full implications of doing so.
As we mentioned before, directory information, such as the student’s name, address, phone number, and awards, can be shared by the school without explicit permission from the parents or student. However, the relevant party must be given a chance to opt out of sharing beforehand.
Training
It’s the school’s responsibility to train its employees on FERPA rules, including what is and isn’t protected, when information can be shared, and how to handle records properly. The people who need to be trained include:
- Teachers and professors, who need to know what they can and can’t share
- Office and administrative staff, because they handle student records every day
- IT personnel, as they often manage databases with sensitive student information
- Campus security, as they must understand FERPA’s limits on law enforcement records
- Third-party vendors, such as learning platforms, who are handling student data on behalf of the school
All of these parties must understand the kinds of student records that are covered under FERPA. For example, teachers should know that discussing a student’s failing grade with another student is a violation.
They should know how to handle record requests, including when they do and don’t need consent. If they do receive requests from parents or students, whether it is to view the documentation or to correct inaccuracies, they should know how to correctly process it.
Disposing of records is as important a part of data management as storing. Employees should be trained on how to destroy old and unwanted records. Training should include how the records are deleted or shredded to reduce the risk of unintentional disclosure.
Security
As is the case with other data protection laws, FERPA compliance requires schools to adequately protect student records. This includes both physical and electronic formats.
For paper records, the filing cabinets should be lockable and kept in a designated area that unauthorized people can’t enter. Only people who need access should be allowed in.
For digital records, there should be appropriate cybersecurity measures in place. All information, such as that stored in databases, must be password-protected. Stored data should be encrypted, so even if threat actors force their way in, they can’t easily read it.
Measures like role-based access control (RBAC) and the principle of least privilege should be enforced. This ensures that only employees who need the information can view it. Most importantly, all cybersecurity processes should be audited regularly to check whether they are effective and whether they need to be improved.
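The consent rules above (who holds the rights, what counts as directory information, which requesters may receive PII without written consent) and the access-control and audit advice in this section can be expressed as a single authorization check. The following Python program is an added example written for this guide; it is not BigID code and is not something the regulation prescribes. The role and field names and the sample students are assumptions, and it models only the exceptions listed in this article (it omits the subpoena and juvenile-justice cases, which depend on more context than a flag).

```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Category(Enum):
    DIRECTORY = "directory"  # name, address, phone, graduation year, awards
    PII = "pii"              # grades, transcripts, discipline, IEPs, aid records

class Role(Enum):
    STUDENT = "student"
    PARENT = "parent"
    SCHOOL_OFFICIAL = "school_official"  # teachers, counsellors, admins, IT staff
    TRANSFER_SCHOOL = "transfer_school"
    MEDICAL_PERSONNEL = "medical_personnel"
    FINANCIAL_AID = "financial_aid"
    PUBLIC = "public"                    # employers, journalists, other students

@dataclass
class Student:
    student_id: str
    birth_date: date
    in_higher_ed: bool = False
    directory_opt_out: bool = False
    written_consent_for: set = field(default_factory=set)  # roles authorised in writing

@dataclass
class Request:
    requester: Role
    category: Category
    today: date
    legitimate_educational_interest: bool = False  # official needs it to do their job
    health_safety_emergency: bool = False
    drug_alcohol_discipline: bool = False

@dataclass
class Decision:
    allowed: bool
    reason: str

AUDIT_LOG: list = []  # every decision, allowed or denied, is recorded for later audit


def age_on(birth: date, today: date) -> int:
    return today.year - birth.year - ((today.month, today.day) < (birth.month, birth.day))


def rights_holder(student: Student, today: date) -> Role:
    """Rights pass from parent to student at 18 or on enrolling in higher education."""
    if student.in_higher_ed or age_on(student.birth_date, today) >= 18:
        return Role.STUDENT
    return Role.PARENT


def decide(student: Student, req: Request) -> Decision:
    d = _evaluate(student, req)
    AUDIT_LOG.append((student.student_id, req.requester.value, req.category.value, d.allowed, d.reason))
    return d


def _evaluate(student: Student, req: Request) -> Decision:
    if req.requester is rights_holder(student, req.today):
        return Decision(True, "rights holder may inspect the student's own records")
    if req.category is Category.DIRECTORY:
        if student.directory_opt_out:
            return Decision(False, "directory information withheld: opt-out on file")
        return Decision(True, "directory information: no consent required")
    # Everything below is PII from the education record: written consent or a listed exception.
    if req.requester in student.written_consent_for:
        return Decision(True, "written consent from the rights holder on file")
    if req.requester is Role.SCHOOL_OFFICIAL:
        if req.legitimate_educational_interest:
            return Decision(True, "school official with a legitimate educational interest")
        return Decision(False, "school official with no need to know (least privilege)")
    if req.requester in (Role.TRANSFER_SCHOOL, Role.FINANCIAL_AID):
        return Decision(True, f"{req.requester.value}: consent exception")
    if req.requester is Role.MEDICAL_PERSONNEL and req.health_safety_emergency:
        return Decision(True, "health or safety emergency")
    if (req.requester is Role.PARENT and req.drug_alcohol_discipline
            and age_on(student.birth_date, req.today) < 21):
        return Decision(True, "parent of a student under 21 facing drug or alcohol discipline")
    return Decision(False, "PII: no consent and no applicable exception")


def demo() -> dict:
    # Constructed sample students and requests (not real data); returns each decision by name.
    today = date(2025, 9, 1)
    minor = Student("S-1001", date(2010, 3, 15))                          # age 15
    adult = Student("S-2002", date(2005, 6, 30), directory_opt_out=True)  # age 20
    consenting = Student("S-3003", date(2004, 1, 1), written_consent_for={Role.PARENT})
    return {
        "parent_of_minor": decide(minor, Request(Role.PARENT, Category.PII, today)),
        "parent_of_adult": decide(adult, Request(Role.PARENT, Category.PII, today)),
        "parent_with_consent": decide(consenting, Request(Role.PARENT, Category.PII, today)),
        "parent_discipline_under_21": decide(adult, Request(Role.PARENT, Category.PII, today, drug_alcohol_discipline=True)),
        "public_directory": decide(minor, Request(Role.PUBLIC, Category.DIRECTORY, today)),
        "public_directory_opted_out": decide(adult, Request(Role.PUBLIC, Category.DIRECTORY, today)),
        "official_no_need": decide(minor, Request(Role.SCHOOL_OFFICIAL, Category.PII, today)),
        "official_with_need": decide(minor, Request(Role.SCHOOL_OFFICIAL, Category.PII, today, legitimate_educational_interest=True)),
        "employer_pii": decide(adult, Request(Role.PUBLIC, Category.PII, today)),
    }
```

The check is deny-by-default: a request only succeeds when the requester is the rights holder, the data is directory information without an opt-out, written consent is on file, or one of the article's exceptions applies, and a school official still has to assert a legitimate educational interest for each request rather than being trusted by job title. Every outcome, including denials, goes to the audit log, which is what makes the regular review this section calls for possible.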
Who Must Comply with FERPA?
Any educational institution, agency, or program that receives federal funding must be FERPA compliant. As a result, most—but not all—public schools, school districts, and universities are covered by the regulation.
For example, if a private university accepts federal loans, it has to comply with FERPA. However, a K-12 school that’s privately funded doesn’t.
What Is the Penalty for FERPA Violations?
Penalties for Schools and Institutions
Educational institutions have an ethical obligation to protect the PII of their students. However, the regulation makes it a legal obligation as well, imposing severe penalties for violations.
If a complaint is made against an educational institution, it could face an official investigation into its data handling and employee practices. It may also receive formal cease and desist orders from the DoE, parents, or advocacy groups to stop unauthorized disclosures.
If found guilty, one of the most severe consequences of not complying with FERPA is that the school could lose the funding it receives from the DoE and other federal agencies. Since a large number of colleges and universities rely heavily on federal student aid, this is a significant punishment.
Then there are the state-specific privacy laws. If the FERPA violation also breaks a state law, there would be additional penalties for that.
Such violations often result in bad press and lawsuits, which can affect the institution’s reputation, often leading to a loss of credibility with students, parents, and staff. Finally, the senior management might face temporary suspension or be replaced.
Penalties for Employees
Any employee of the educational institution who is responsible for unauthorized disclosure of a student’s protected information can lose their job. They may be internally investigated and may be barred from accessing school systems and records.
While FERPA doesn’t allow private lawsuits, employees may be prosecuted under other laws, including those covering fraud or identity theft. Finally, they may have to pay fines for FERPA violations.
Penalties for Third-Party Vendors
If a vendor fails to secure student data adequately, the school may terminate their contract. They could also be sued for a data breach under contract law or state privacy laws, such as the Virginia Data Privacy Law or the ICDPA. Additionally, since such an incident affects their reputation, other schools and institutions may cancel their contracts as well.
Common Examples of FERPA Violations
Not all FERPA violations are intentional; some of them can be accidental but they lead to the same consequences. Here are some common examples of violations, both intentional and unintentional:
Letters of Recommendation
This violation is tricky, because even though letters of recommendation are part of a student’s PII, a school can send them to other educational institutions with no consent required. However, this exception doesn’t apply to entities that aren’t educational, such as potential employers. This is an important distinction that the administrative staff should be aware of.
Emails to Multiple Recipients
If an institution is sending an email to a group of students, it can inadvertently disclose everyone’s identities if the sender forgets to put the students’ addresses in BCC. This might not be a FERPA violation if the email contains only directory information. However, if the email contains sensitive information about the students, like their academic probation status, that is a problem. Sending individual emails to each student, or using a secure portal for private messages, helps avoid this situation.
Explaining a Student’s Absence
Let’s say a student is unable to participate in an activity due to their academic performance. In this case, if a teacher mentions the reason in a casual conversation with another student, it constitutes a FERPA violation. Again, training the teaching staff on what they can and can’t disclose helps in reducing such incidents.
Third-Party Vendor Error
Schools and educational institutions often work with third-party vendors, and give them access to student records. If the vendor accidentally or deliberately shares the information with a person who isn’t authorized to view it, it’s a FERPA violation. Similarly, if the vendor uses data mining for commercial purposes, it’s a violation.
Who’s liable for the violation depends on whether the school vetted the contractor properly and included data privacy clauses in the contract or not. If the school did its due diligence and included a clause in their contract about following FERPA regulations, then the contractor will be liable. If it didn’t, the school would be penalized.
Releasing Records to an Adult Student’s Parents
As per FERPA, once a student reaches the age of 18 years or enrolls in a college or university, the ownership of their information transfers over to them. In this case, sharing their information with their parents, without written consent, is a violation of FERPA.
Parents should be informed of the FERPA transfer rules when the student reaches the age of majority, and if they are to receive the student’s information after that point, it must be with the student’s consent.
Sharing Confidential Student Information Publicly
If a school official is speaking to a journalist or posting on social media about a school incident or update, and mentions a student’s academic record, health status, or even disciplinary action, they’d be in violation of FERPA.
Similarly, if they posted test results with the marks against the names or ID of the students, they’d be sharing part of each student’s personal education record. Again, training the staff on what they can and can’t share helps reduce such instances. Also, using secure student portals for communicating with students instead of public announcements will reduce accidental exposure of student records.
Giving Away Information Over the Phone
If someone calls the school claiming to be a student’s parent and asks for information that’s protected under FERPA, it’s the school’s responsibility to verify that the person is who they claim to be and whether they are authorized to receive the information. This includes checking if the student is over the age of 18 years and if they’ve provided consent to share information with their parents.
FERPA Compliance with BigID
Student data, like all other types of data, must be managed and governed properly. That’s why BigID is such a perfect solution for your school or educational institution.
Our platform offers data discovery and classification, so you know what information you have and how sensitive it is. It will also help you implement and enforce data minimization, so you’re not storing unnecessary information.
BigID also helps with data rights management, making it easier for you to get students’ consent and respond to their—or their parents’—requests to view their information.
Finally, our comprehensive platform provides AI-powered data security posture management capabilities, so all your data, whether on your premises or in the cloud, is secure. You can also use it to assess your data risk and conduct audits.
While training your employees still remains your responsibility, BigID can significantly ease the process of consent management and data security for FERPA compliance. Schedule a 1:1 demo with our data privacy experts today!