Introduction
The Family Educational Rights and Privacy Act (FERPA) is the cornerstone federal law protecting student education records in the United States. FERPA gives parents and eligible students specific rights regarding these records. The fundamental principle is clear: educational institutions must obtain written permission before sharing personally identifiable information (PII) from student records.
However, FERPA recognizes that absolute restrictions would make school operations impossible. The law permits disclosure without consent in specific circumstances. Understanding these exceptions matters for parents and students protecting their rights, and for schools ensuring legal compliance while meeting their educational mission.
FERPA Fundamentals
What Are “Education Records”?
FERPA protects “education records,” defined broadly as any records directly related to a student and maintained by an educational agency or institution. This includes:
- Academic transcripts and grades
- Class schedules
- Standardized test results
- Disciplinary records
- Health and immunization records maintained by the school
- Family history records maintained by the school
- Student information in school-managed online learning platforms
This definition affects nearly every aspect of school operations.
FERPA specifically excludes certain records from this definition:
- Sole Possession Records: Personal notes kept by a teacher or administrator as memory aids and not shared with others (except temporary substitutes).
- Law Enforcement Unit Records: Records created and maintained by a school’s law enforcement unit for law enforcement purposes.
- Employment Records: Records about a student’s employment by the school, if the employment isn’t contingent on student status.
- Treatment Records: Records on an eligible student made by healthcare professionals and used only for treatment.
- Applicant Records: Records on individuals who applied but weren’t admitted.
- Alumni Records: Records created after an individual is no longer a student and not directly related to their attendance.
- Peer Grades: Grades on peer-graded papers before collection and recording by a teacher.
What Is “Personally Identifiable Information” (PII)?
FERPA protects personally identifiable information within education records, including:
- Direct Identifiers: Student’s name, parents’ names, address, Social Security number, student ID number, biometric records.
- Indirect Identifiers: Date of birth, place of birth, mother’s maiden name.
- Other Information: Information that would allow a reasonable person in the school community to identify a specific student with reasonable certainty.
This “reasonable person” test is critical. Schools must consider context and potential data linkage when determining if information constitutes PII. Even seemingly anonymous data, like online learning metadata or small group statistics, could become PII if it allows identification when combined with other information.
Who Holds FERPA Rights?
FERPA rights initially belong to parents of students under 18. The term “parent” includes natural parents, guardians, or individuals acting as parents. These rights apply equally to custodial and noncustodial parents unless a court order specifies otherwise.
Rights transfer to the student when they:
- Reach age 18, OR
- Enroll in higher education at any age
Once rights transfer, the student becomes an “eligible student.” This means colleges and high schools with students 18 or older must interact directly with students regarding FERPA rights, including obtaining consent for disclosures.
Because the transfer of rights can leave parents without access to an eligible student’s records, FERPA includes the “dependent student” exception, which allows (but does not require) institutions to share records with parents if the student is claimed as a tax dependent.
The General Requirement: Consent for Disclosure
The default FERPA rule is straightforward: educational institutions must obtain signed and dated written consent before disclosing PII from student records. This consent must:
- Specify which records may be disclosed
- State the purpose of the disclosure
- Identify who may receive the disclosed information
FERPA allows electronic consent, provided the school can reliably authenticate the person giving consent and verify the integrity of the signature. Schools therefore need to establish secure procedures for electronic consent, which adds technical complexity compared to paper forms.
These requirements come from the FERPA statute and the implementing regulations from the U.S. Department of Education.
When Consent Isn’t Needed: FERPA Exceptions
While consent is standard practice, FERPA recognizes schools need to share information in certain situations. Section 99.31 of the FERPA regulations outlines specific conditions permitting disclosure without prior consent.
These exceptions are permissions, not mandates. Schools generally aren’t required by FERPA to disclose information just because an exception applies (though other laws might compel disclosure). The exceptions balance individual privacy against legitimate operational, safety, and compliance needs of educational institutions.
Quick Guide: FERPA Exceptions to Consent Requirement (§ 99.31)
Exception Category | Regulation(s) | Brief Description | Requires Record-Keeping? (§ 99.32) |
---|---|---|---|
School Officials with Legitimate Educational Interests | § 99.31(a)(1) | Disclosure to internal staff or specified third-party contractors/volunteers performing school functions who need access for their duties. | No |
Other Schools (Transfer) | § 99.31(a)(2), § 99.34 | Disclosure to schools where student seeks/intends to enroll or is enrolled, for enrollment/transfer purposes. | Yes |
Audit or Evaluation Purposes | § 99.31(a)(3), § 99.35 | Disclosure to authorized federal/state officials/representatives for audit, evaluation, compliance, or enforcement of education programs. | Yes |
Financial Aid | § 99.31(a)(4) | Disclosure related to determining eligibility, amount, conditions, or enforcing terms of financial aid applied for or received by the student. | Yes |
Organizations Conducting Studies | § 99.31(a)(6) | Disclosure to organizations conducting studies for/on behalf of the school (test development, aid administration, improving instruction). | Yes |
Accrediting Organizations | § 99.31(a)(7) | Disclosure to organizations carrying out accrediting functions. | Yes |
Judicial Orders & Lawfully Issued Subpoenas | § 99.31(a)(9) | Disclosure to comply with court orders or valid subpoenas (with prior notification efforts, unless excepted). | Yes (unless specific subpoena types listed in § 99.32(d)(5)) |
Health or Safety Emergencies | § 99.31(a)(10), § 99.36 | Disclosure necessary to protect health/safety of student or others during an articulable and significant threat. | Yes (Specific details required) |
Directory Information | § 99.31(a)(11), § 99.3, § 99.37 | Disclosure of information designated by the school as “directory information” after providing public notice and opt-out opportunity. | No |
Parent of a Dependent Student | § 99.31(a)(8) | Disclosure to parents of an eligible student if the student is claimed as a dependent for tax purposes. | Yes |
Parent of Non-Eligible Student / Eligible Student | § 99.31(a)(12) | Disclosure to the parent (if student is <18 and not postsecondary) or to the eligible student themselves. | No |
Victim of Crime of Violence / Non-Forcible Sex Offense | § 99.31(a)(13), § 99.39 | Postsecondary disclosure of final disciplinary results to the victim. | Yes |
Disciplinary Proceeding Disclosure (Crime Perpetrator) | § 99.31(a)(14), § 99.39 | Postsecondary disclosure of final results if student perpetrator found responsible for crime of violence/non-forcible sex offense violation. | Yes |
Alcohol/Drug Violation Disclosure (Under 21) | § 99.31(a)(15) | Postsecondary disclosure to parents of student <21 found responsible for alcohol/drug violation. | Yes |
State Juvenile Justice Statutes | § 99.31(a)(5), § 99.38 | Disclosure pursuant to specific state statutes concerning the juvenile justice system. | Yes |
Sex Offender Information | § 99.31(a)(16) | Disclosure of information provided to the school under federal sex offender registration laws. | Yes |
De-Identified Information | § 99.31(b) | Release of information after all PII has been removed according to specific standards. | No (Not considered a disclosure of PII) |
Key FERPA Exceptions
School Officials with Legitimate Educational Interests (§ 99.31(a)(1))
This commonly used exception allows schools to function internally and use necessary external services.
Who is a “School Official”? The term includes teachers, administrators, counselors, school board members, registrars, support staff, and health staff. It extends beyond employees to contractors, consultants, volunteers, and third parties to whom the school has outsourced institutional services or functions. Examples include providers of learning platforms, cloud storage, student information systems, legal counsel, auditors, and parent volunteers under specific conditions.
Conditions for Third Parties: For an outside party to qualify as a “school official,” these conditions must be met:
- The party must perform a function the school would otherwise use its own employees for
- The party must be under the school’s direct control regarding use and maintenance of education records
- The party must follow FERPA’s requirements about use and redisclosure of PII
- The party must meet criteria in the school’s annual FERPA notification for school officials with legitimate educational interests
The “direct control” requirement is crucial when working with vendors, especially for educational technology. Schools must retain authority over how vendors handle student data through carefully negotiated contracts limiting data use, requiring security measures, prohibiting unauthorized sharing or advertising use, and potentially requiring data return or destruction.
What is “Legitimate Educational Interest”? Schools define this in their annual FERPA notifications. Generally, officials have legitimate educational interest if they need record access to fulfill professional responsibilities. For example, teachers need grade information for their students, counselors need records for academic advising, and administrators need disciplinary records to address behavioral issues.
School’s Responsibility: Schools must use “reasonable methods” to ensure officials access only records in which they have legitimate interests. This can include technological controls (role-based access), physical controls (locked cabinets), or administrative policies and training.
Record-Keeping: Disclosures under the school official exception don’t require recording in the access log.
Other Schools Upon Transfer (§ 99.31(a)(2), § 99.34)
This exception facilitates smooth student transitions between educational institutions.
Purpose: Schools may share education records without consent with officials of another school where the student seeks/intends to enroll or is already enrolled, for enrollment or transfer purposes. This includes transferring disciplinary records related to suspensions or expulsions and applies to transfers to juvenile justice facilities if considered schools.
Conditions (§ 99.34): When making such disclosures, the sending school must:
- Make reasonable attempts to notify the parent or eligible student at their last known address (unless the disclosure was requested by the parent/student or if the school’s annual FERPA notice states it forwards records upon request)
- Provide copies of disclosed records if requested
- Offer an opportunity for a hearing to challenge the records’ content if requested
The option to cover transfer disclosures in annual notifications streamlines the process, avoiding individual letters for every transfer. However, parents and students may not know records were sent unless they carefully review the annual notice or specifically request confirmation.
Record-Keeping: These disclosures generally require recording under § 99.32.
Audit or Evaluation Purposes (§ 99.31(a)(3), § 99.35)
This exception allows specific government officials and representatives access to student records for oversight of educational programs.
Who Can Receive: Disclosures are permitted only to authorized representatives of specific federal and state officials: the Comptroller General, the Attorney General, the Secretary of Education, and state and local educational authorities.
Purpose: Access is strictly limited to conducting audits or evaluations of Federal- or State-supported education programs, or for enforcing compliance with Federal legal requirements related to those programs.
Written Agreement: If the authorized representative isn’t a direct employee of one of the permitted authorities (e.g., an external contractor), a formal written agreement is mandatory. This agreement must:
- Clearly designate the individual or entity as an authorized representative
- Specify the PII to be disclosed
- State that the purpose fits within the audit/evaluation/compliance/enforcement scope
- Describe the activity with sufficient specificity
- Mandate destruction of PII when no longer needed
- Specify the destruction timeframe
- Establish policies to protect PII from further disclosure
The Department of Education provides a Guidance for Reasonable Methods and Written Agreements and a Written Agreement Checklist.
Data Handling: The receiving entity must protect PII from unauthorized redisclosure and use it only for the authorized purpose. The PII must be destroyed once no longer needed, according to the timeline in the written agreement. Published results must be de-identified to prevent student identification.
Record-Keeping: Disclosures under this exception must be logged according to § 99.32.
Financial Aid (§ 99.31(a)(4))
This exception facilitates administration of student financial aid programs.
Purpose: Schools may disclose PII without consent when necessary for financial aid the student has applied for or received. These purposes include:
- Determining eligibility
- Determining the amount
- Determining conditions
- Enforcing terms and conditions
Scope: This applies to disclosures needed for federal, state, local, or institutional financial aid programs. Recipients might include the Department of Education, state aid agencies, lenders, guarantee agencies, and scholarship organizations. Financial aid information maintained by schools—including FAFSA data, ISIRs, or the school’s own aid systems—is part of the student’s education record protected by FERPA.
Record-Keeping: These disclosures require logging per § 99.32.
Organizations Conducting Studies (§ 99.31(a)(6))
This exception allows schools to partner with external organizations for research and development aimed at educational improvement.
Purpose: Disclosure is permitted only for studies conducted for or on behalf of the educational institution for:
- Developing, validating, or administering predictive tests
- Administering student aid programs
- Improving instruction
Who Can Receive: Recipients can include federal, state, or local agencies, or independent research organizations.
Written Agreement: A written agreement between the school and organization is mandatory and must:
- Specify the purpose, scope, and duration of the study
- Identify the PII to be disclosed
- Require using the PII only for the specified study purpose
- Require conducting the study to prevent personal identification by unauthorized parties
- Require destroying the PII when no longer needed, specifying the timeframe
Data Handling: The organization must prevent identification of individuals by those outside the study team. All PII must be destroyed according to the agreement when the study concludes. Published findings must be de-identified.
Record-Keeping: These disclosures must be logged according to § 99.32.
Accrediting Organizations (§ 99.31(a)(7))
This exception supports quality assurance processes in education.
Purpose: Schools may disclose PII without consent to organizations that accredit the institution or its programs, solely for accrediting functions.
Scope: This allows accrediting bodies access to necessary student information (enrollment data, outcome statistics, student work samples) to evaluate institutional adherence to accreditation standards.
Record-Keeping: These disclosures require logging per § 99.32.
Judicial Orders & Lawfully Issued Subpoenas (§ 99.31(a)(9))
This exception addresses situations where legal processes compel disclosure of education records.
Requirement: Schools may disclose PII without consent if necessary to comply with a judicial order or lawfully issued subpoena.
Notification Requirement: Before complying, the institution must make reasonable efforts to notify the parent or eligible student whose records are sought. This gives them the opportunity to contest the order or subpoena, or to seek a protective order.
Exceptions to Notification: Prior notification is waived when:
- Complying with a Federal grand jury subpoena with a court-ordered non-disclosure
- Complying with any other subpoena for law enforcement with a non-disclosure order
- Complying with an ex parte court order obtained by the U.S. Attorney General related to terrorism investigations
Verification and Legal Counsel: Schools should verify the validity and type of any subpoena. Judicial subpoenas generally must be complied with, while administrative subpoenas may not be immediately enforceable without court action. Schools should consult legal counsel upon receiving a subpoena or court order.
Record-Keeping: These disclosures must be logged under § 99.32, unless the disclosure falls under specific notification exceptions listed in § 99.32(d)(5).
Health or Safety Emergencies (§ 99.31(a)(10), § 99.36)
This critical exception allows schools to share information necessary to protect students and others in emergencies.
Standard: Disclosure without consent is permitted if the school determines there is an “articulable and significant threat” to health or safety, and the information is necessary for appropriate parties to address the threat.
Determination: The decision to disclose rests with school officials on a case-by-case basis, considering the totality of circumstances. The Department of Education generally defers to the school’s judgment if there was a rational basis for determining a threat existed.
Scope and Limitations: This exception is strictly limited to the duration of the actual emergency. It cannot be used for blanket releases or emergency planning. The threat must be actual and imminent—such as a school shooting, terrorist attack, natural disaster, or disease outbreak—not hypothetical or past. Information disclosed should be limited to what’s necessary to address the specific emergency.
Appropriate Parties: Recipients might include law enforcement, first responders, public health officials, medical personnel, and potentially parents.
Record-Keeping: These disclosures have specific logging requirements under § 99.32(a)(5), including: (1) the articulable and significant threat forming the basis for disclosure, and (2) the parties receiving the information.
Parent of a Dependent Student (§ 99.31(a)(8))
This exception provides a pathway for parental access to records after FERPA rights have transferred to the student.
Condition: Schools may disclose PII from an eligible student’s records to parents, without student consent, if the student qualifies as a dependent for federal income tax purposes under Section 152 of the Internal Revenue Code.
Discretionary Nature: This exception is permissive, not mandatory. The institution decides whether to release records to parents under this condition. If either parent claims the student as a dependent, the school generally has discretion to disclose to both parents.
Record-Keeping: These disclosures must be logged per § 99.32.
Other Specific Exceptions
FERPA includes several other narrow exceptions:
- State Juvenile Justice Statutes (§ 99.31(a)(5), § 99.38): Permits disclosures required by state laws concerning the juvenile justice system’s ability to serve the student. Requires logging.
- Victim of Crime of Violence/Non-Forcible Sex Offense (§ 99.31(a)(13), § 99.39): Allows postsecondary institutions to disclose final disciplinary results to victims, regardless of outcome. Requires logging.
- Disciplinary Proceeding Disclosure (Crime Perpetrator) (§ 99.31(a)(14), § 99.39): Allows postsecondary institutions to disclose final results if the student is found responsible for violating rules related to a crime of violence or non-forcible sex offense. Victim/witness names cannot be disclosed without consent. Applies only to proceedings concluded on or after October 7, 1998. Requires logging.
- Alcohol/Drug Violation Disclosure (Under 21) (§ 99.31(a)(15)): Permits postsecondary institutions to notify parents if a student under 21 violates laws or policies concerning alcohol or controlled substances. Requires logging.
- Sex Offender Information (§ 99.31(a)(16)): Allows disclosure of information provided to schools under federal sex offender registration laws. Requires logging.
- To Parent or Student Themselves (§ 99.31(a)(12)): Clarifies that disclosing records to the parent (of a non-eligible student) or to the eligible student doesn’t require consent. Exempt from logging.
Directory Information: The Public Exception (§ 99.3, § 99.37)
One widely used exception allows schools to release designated “directory information” without consent, following specific procedures.
Definition: Directory information is information from a student’s education record that wouldn’t generally be considered harmful or privacy-invasive if disclosed.
Examples: FERPA regulations provide examples including: student’s name, address, phone number, email, photo, birth date and place, major, grade level, enrollment status, attendance dates, activity participation, athletic information, degrees, honors, awards, and previous educational institutions. A student ID can be designated as directory information only if it cannot be used to access education records without additional authentication.
Exclusions: Directory information cannot include Social Security numbers, and it can include student IDs only under the specific secure conditions described above. Schools cannot disclose directory information if a student’s SSN or other non-directory PII is used to identify the student or their records.
Process Requirements: To use this exception, schools must:
- Designate which specific information types they consider directory information
- Provide annual public notice to parents and eligible students stating:
  - The specific types of information designated as directory information
  - The right to opt out of designation
  - The timeframe for providing opt-out notification

  The Model Notice for Directory Information provides a template.
- Provide a reasonable opportunity to opt out
- Honor opt-out requests, which remain effective even after the student leaves the school unless rescinded
Failure to follow these procedures makes any non-consensual directory information disclosure a FERPA violation.
Record-Keeping: Properly designated directory information disclosures (with no opt-out in effect) don’t require logging under § 99.32.
De-Identified Information: Removing Identifiers (§ 99.31(b))
FERPA allows releasing information from education records if properly “de-identified.”
Concept: Schools or parties who have received education records may release information without consent after removing all personally identifiable information.
Standard: This requires more than removing names or IDs. The releasing party must make a “reasonable determination” that a student’s identity is not personally identifiable from direct identifiers, indirect identifiers, or information linked to the student. This determination must consider other available information and potential identification by a reasonable person in the school community.
Methods: Proper de-identification often requires statistical disclosure limitation techniques, especially with granular data or small populations:
- Suppression: Removing records for individuals in small subgroups
- Aggregation: Combining data into larger groups
- Blurring/Recoding: Replacing exact values with ranges
- Perturbation: Introducing controlled statistical noise
The Department of Education provides resources like Data De-identification: An Overview of Basic Terms.
Coded Data for Research: FERPA allows releasing de-identified student-level data with unique non-PII codes for research, so that records can be linked without identifying students.
Record-Keeping: De-identified information releases aren’t considered PII disclosures under FERPA and don’t require logging.
Practical Scenarios: Applying FERPA Exceptions
Sharing Information with Law Enforcement
Interactions between schools and law enforcement involve several FERPA pathways:
Law Enforcement Unit Records: If a school has a distinct law enforcement unit creating and maintaining records for law enforcement purposes, these specific records aren’t “education records” under FERPA. The law enforcement unit can share these records with external agencies. However, if the administration maintains these records, or if education records are shared with the unit, those shared records remain protected.
SROs as School Officials: School Resource Officers may qualify as “school officials” if they meet the criteria: performing an institutional service, being under the school’s direct control regarding record use/maintenance, and being defined in the annual FERPA notice. If qualifying, they can receive PII from education records without consent, provided they have legitimate educational interest.
Health or Safety Emergencies: In situations with articulable and significant threats (active shooters, credible bomb threats), schools can disclose necessary PII to law enforcement under § 99.36.
Subpoenas and Court Orders: Schools must comply with lawfully issued judicial orders or subpoenas, following required notification procedures.
Directory Information: Schools can release properly designated directory information to law enforcement unless the parent or eligible student has opted out.
Personal Observation vs. Education Records: FERPA protects information from education records but generally doesn’t prevent officials from sharing what they personally observed, unless that knowledge came from accessing an education record. For detailed guidance, consult School Resource Officers, School Law Enforcement Units, and FERPA.
Responding to Health Emergencies
The health or safety emergency exception (§ 99.36) is the primary mechanism for sharing PII during public health crises:
Application: Schools must determine case-by-case if an “articulable and significant threat” exists. During a confirmed contagious disease outbreak, a school might share immunization records with public health officials to manage the outbreak.
Limitations: Disclosure must relate to the specific, immediate threat and be time-limited. It cannot be used preemptively or for general reporting. While schools must manage health situations like COVID-19, FERPA generally prohibits disclosing identities of specific students who tested positive unless the health/safety emergency conditions are met, or the information can be shared in a de-identified way. See FERPA & Coronavirus Disease 2019 (COVID-19) Frequently Asked Questions.
Working with Third-Party Online Service Providers
Schools increasingly use online tools provided by external vendors. Sharing student data typically relies on the “school official” exception.
Mechanism: The vendor must qualify as a school official under § 99.31(a)(1).
Key Requirements: The vendor must:
- Perform an institutional service or function
- Be under the school’s direct control regarding PII use and maintenance
- Adhere to FERPA’s use limitations and redisclosure prohibitions
Contracts and Terms of Service: Establishing “direct control” depends on contractual agreements. Schools must scrutinize these agreements for problematic clauses allowing:
- Mining student data for commercial purposes
- Broad data sharing with third parties
- Ownership claims over student data
- Unilateral terms of service changes
- Inadequate security or breach notification
Schools should seek agreements explicitly limiting data use, prohibiting unauthorized redisclosure, requiring robust security, mandating data return/destruction, and affirming school ownership. Resources include Protecting Student Privacy While Using Online Educational Services.
Best Practices: Schools should practice data minimization and transparency, sharing only necessary PII and publishing contracts and data-sharing details. Parents and students retain FERPA rights, including inspecting records held by vendors.
Record-Keeping for Disclosures Without Consent (§ 99.32)
FERPA requires schools to maintain logs of certain disclosures made without consent.
Requirement: For each student, schools must record each request for access to, and disclosure of, PII from education records made under a FERPA exception, unless specifically exempted.
Content of Record: The log must include:
- The parties requesting or receiving PII
- Their legitimate interest in the information
- For health/safety emergency disclosures, the specific threat and recipients
Duration: This record must be kept with the student’s education records for as long as those records are maintained.
Exceptions to Record-Keeping (§ 99.32(d)): Schools need not log disclosures:
- To the parent or eligible student themselves
- To qualifying school officials
- Made with prior written consent
- Of properly designated directory information
- Made under specific exempted subpoenas/orders
This structure focuses record-keeping on external disclosures under less common or more sensitive exceptions, where an audit trail is most valuable.
Finding Help and Filing Complaints
Resources
The main resource hub is the Department of Education’s Student Privacy Policy Office (SPPO) website.
Available Resources:
- Official Guidance: Including parent guides and eligible student guides
- FAQs: Addressing common FERPA questions
- Training Materials: Online modules, webinars, and videos
- Model Forms: Templates for annual notifications and directory information notices
- Technical Assistance: SPPO operates the Privacy Technical Assistance Center (PTAC), which offers help via a toll-free helpdesk (1-855-249-3072) and email ([email protected])
Filing a FERPA Complaint
If rights are violated, parents or eligible students can file formal complaints with SPPO.
Who Can File: Complaints must come from the parent (for students under 18 not in postsecondary education) or the eligible student.
Process: Submit the official FERPA Complaint Form by email to [email protected] or by mail.
Deadline: Complaints must be filed within 180 days of the alleged violation or when the complainant reasonably should have known about it. Missing this deadline can prevent redress even for actual violations.
Content: The form requires specific, factual allegations providing reasonable cause to believe FERPA was violated. Supporting documentation can be included.