FERPA and Recommendation Letters: Navigating Consent and Access

Last updated 10 hours ago. Our resources are updated regularly but please keep in mind that links, programs, policies, and contact information do change.

The Family Educational Rights and Privacy Act (FERPA) is a cornerstone federal law enacted in 1974, designed to protect the privacy of student education records. This law applies to educational agencies and institutions that receive funding under any program administered by the U.S. Department of Education, which includes virtually all public K-12 schools and postsecondary institutions, as well as many private postsecondary institutions.

FERPA serves two primary purposes: it grants parents (and students aged 18 or older, or those attending a postsecondary institution, known as “eligible students”) the right to access their education records, and it protects that information from disclosure to third parties without appropriate consent.

A common element in academic and professional advancement is the letter of recommendation. Whether applying for college, graduate school, scholarships, or employment, these letters provide crucial context about a student’s abilities and character. However, the process of requesting, writing, and submitting these letters intersects directly with FERPA’s privacy protections.

This article clarifies how FERPA applies to recommendation letters, focusing specifically on when they are considered protected education records, what consent is required for sharing information within them, and how students can manage their right to review these letters. Understanding these rules is helpful for students, parents, and educators to navigate the recommendation process confidently and in compliance with federal law.

What FERPA Protects: Understanding “Education Records”

FERPA’s protections revolve around the concept of “education records.” Understanding what constitutes an education record is fundamental to grasping FERPA’s scope.

Defining Education Records

Under FERPA, “education records” are defined broadly as records that are:

1. Directly related to a student; and
2. Maintained by an educational agency or institution or by a party acting for the agency or institution.

This definition is intentionally wide-ranging and covers a vast amount of information schools keep about students. Examples include:

• Grades and transcripts
• Class lists and student course schedules
• Student disciplinary files
• Enrollment records
• Health and immunization records maintained by K-12 schools. At the postsecondary level, health records might be education records or separate “treatment records.”
• Student financial information maintained by postsecondary institutions.

The physical format of the record does not matter; FERPA applies regardless of the medium used to store the information. This includes handwriting, print, email, computer media, video and audio tapes, film, microfilm, and microfiche. Essentially, almost any recorded information directly related to a student and kept by the school qualifies.

A critical aspect of this definition is the requirement that the record be “maintained” by the institution or its agent. This means the school must keep the record in some official capacity. A document about a student isn’t automatically an education record just because it exists; its status under FERPA is tied to its official maintenance by the institution. This distinction becomes particularly relevant when considering items like draft letters or notes.

Personally Identifiable Information (PII)

FERPA specifically protects the privacy of “personally identifiable information” (PII) contained within education records. PII includes information that, alone or in combination, could identify a specific student. This encompasses obvious identifiers like:

• Student’s name
• Name of the student’s parent or other family members
• Address of the student or student’s family
• Personal identifiers such as a social security number, student ID number, or other unique identifier

It also includes indirect identifiers or other information that could make a student’s identity easily traceable, such as:

• Date of birth
• Place of birth
• Mother’s maiden name
• Biometric records (e.g., fingerprints, facial characteristics, handwriting)

The core function of FERPA is to give students (or their parents) control over the disclosure of this PII from their education records.

What’s Not Usually an Education Record

To clarify FERPA’s boundaries, the law and its implementing regulations explicitly exclude certain types of records from the definition of “education records”:

• Sole Possession Records: These are private notes made by a school official (like a teacher or counselor) for their own use, kept in their sole possession, and not accessible or revealed to any other person except a temporary substitute for the maker of the record. If these notes are shared or placed in a public area, they can become education records.
• Law Enforcement Unit Records: Records created and maintained by an institution’s law enforcement unit for a law enforcement purpose are not considered education records under FERPA. This allows for the necessary functioning of campus security and police.
• Employment Records: Records relating to an individual employed by the institution that are made in the normal course of business, relate exclusively to their capacity as an employee, and are not available for any other purpose are excluded. However, if a student’s employment is contingent on their status as a student (e.g., work-study positions), those employment records are considered education records.
• Treatment Records: These apply to students aged 18 or older or attending a postsecondary institution. They are records made or maintained by a physician, psychologist, or other recognized health professional acting in their professional capacity, used only in connection with the treatment of the student, and are not disclosed to anyone other than individuals providing the treatment. These records can be reviewed by a physician or other appropriate professional of the student’s choice.
• Alumni Records: Records created or received by an institution after an individual is no longer a student there, and which do not relate to the person as a student (e.g., information on alumni activities and donations), are not education records.
• Peer-Graded Papers: Grades on papers graded by other students before they are collected and recorded by a teacher are not considered education records.
• Information from Personal Observation or Knowledge: FERPA generally does not restrict a school official from sharing information derived from their own personal knowledge or observation, provided that information was not obtained by accessing an education record. For example, if a teacher observes a student giving an insightful presentation, they can share that observation without FERPA constraints. However, if the teacher shares the grade the student received (information from the education record), FERPA rules apply. This distinction is crucial: FERPA governs recorded information maintained by the school, not necessarily everything a school official knows about a student through direct interaction. The source of the information matters significantly.

Are Recommendation Letters “Education Records”? It Depends

The question of whether a letter of recommendation falls under FERPA’s definition of an “education record” is nuanced. A letter is not automatically an education record simply because it discusses a student. It becomes an education record subject to FERPA protections only when it meets both criteria mentioned earlier: it is directly related to a student AND it is maintained by the educational institution or someone acting for it.

When Does a Letter Become an Education Record?

A recommendation letter typically becomes part of a student’s education record under two main circumstances:

1. Inclusion of PII from Education Records: If the letter contains personally identifiable information (PII) that was obtained from the student’s existing education records – such as specific grades, GPA, class rank, course enrollment details, or disciplinary status – the letter itself incorporates protected data. Sharing this information externally generally requires the student’s prior written consent.
2. Maintenance by the Institution: Regardless of whether it contains PII from other records, if a copy of the recommendation letter is kept on file by the institution, it becomes an education record subject to FERPA’s access provisions. This could happen if:
   • The recommender (acting in their official capacity) keeps a copy.
   • The letter is placed in the student’s official academic file, a career services file, or other institutional repository.
   • The institution receiving the letter (e.g., a college admissions office) maintains it as part of the applicant’s or enrolled student’s file.

When Might It Not Be (or Not Yet Be) an Education Record?

There are situations where a recommendation letter might not be considered an education record, at least initially:

• Based Solely on Personal Observation: If a recommender writes a letter based entirely on their personal knowledge and observations of the student, without including any PII derived from the student’s official education records (like grades or GPA), the content itself doesn’t trigger FERPA’s consent requirements for disclosure. However, if a copy of this observation-based letter is maintained by the institution, it still becomes an education record that the student may have the right to access later (unless waived).
• Sole Possession Drafts: A draft letter that exists only in the recommender’s private notes or personal files, which are not shared with others or accessible by the institution, might qualify as a “sole possession record” and thus not be an education record under FERPA. However, the moment that draft is shared, submitted officially, or filed by the institution, it likely loses its “sole possession” status and becomes an education record if maintained.

Understanding the lifecycle of a recommendation letter helps clarify FERPA’s application. A letter might start as a personal note outside FERPA’s scope. If it incorporates data like GPA, it contains PII from education records, and its external disclosure requires consent. Once submitted and maintained by an institution (either the sender or receiver), it generally becomes part of the student’s education record, triggering the student’s potential right of access under FERPA, unless that right has been waived. Both the content (presence of PII from records) and the handling (maintenance by an institution) are key factors in determining how FERPA applies at different stages.

Getting Permission: FERPA Consent Rules for Recommendations

The default rule under FERPA is clear: an educational institution must obtain prior written consent from the parent or eligible student before disclosing personally identifiable information (PII) from the student’s education records to most third parties.

Applying Consent to Recommendations

This general rule directly impacts letters of recommendation. If a recommender (such as a teacher, professor, or counselor) wishes to include specific, non-directory PII obtained from a student’s education record in a letter that will be sent outside the institution, they must secure the student’s signed and dated written consent before releasing the letter. Examples of PII commonly found in education records that would require consent if included in an externally shared letter include:

• Specific course grades
• Grade Point Average (GPA)
• Class rank
• Specific enrollment activity or history
• Standardized test scores on file with the school
• Information about academic standing or disciplinary actions

Crucially, a student simply asking for a letter of recommendation does not automatically grant the recommender permission to disclose PII from their education records. The consent must be explicit and meet FERPA’s requirements.

What Makes Consent Valid?

According to the FERPA regulations (specifically 34 CFR § 99.30), valid written consent must meet several criteria:

• Be in Writing: Oral consent is not sufficient. The consent must be documented.
• Be Signed and Dated: The consent must bear the signature of the parent or eligible student and the date it was signed. Electronic signatures or authentication methods meeting certain criteria may be acceptable, such as confirmation via a university email account.
• Specify the Records: The consent must clearly identify the specific education records or information that may be disclosed (e.g., “overall GPA,” “grades in science courses,” “transcript information”).
• State the Purpose: The consent must state the reason for the disclosure (e.g., “for inclusion in letters of recommendation for college applications,” “to support my application for the XYZ scholarship”).
• Identify the Recipient(s): The consent must identify the party or class of parties to whom the disclosure may be made (e.g., “admissions offices of universities I apply to,” “potential employers contacted through the career center,” “the National Merit Scholarship Corporation”).

Practical Consent Forms

To ensure compliance, many educational institutions have developed specific FERPA release forms for students to use when requesting letters of recommendation that will contain PII from their education records. Using these forms helps ensure all necessary elements for valid consent are captured. Students should inquire about such forms with their school’s registrar, counseling office, or the recommender’s department.

Exceptions to Consent

It is important to note that FERPA permits disclosure of PII from education records without prior consent in certain specific circumstances outlined in the regulations (34 CFR § 99.31). These exceptions include disclosures:

• To school officials within the institution who have legitimate educational interests.
• To officials of another school where the student seeks or intends to enroll.
• In connection with financial aid for which the student has applied or received.
• To organizations conducting studies for or on behalf of the school (under specific conditions).
• To accrediting organizations.
• To comply with a judicial order or lawfully issued subpoena (often with prior notification to the student/parent).
• In connection with a health or safety emergency.
• Of designated “directory information” (unless the student has opted out).

While these exceptions exist, they generally do not cover the typical scenario of sending a recommendation letter containing non-directory PII (like GPA or specific grades) to external parties like potential employers, scholarship committees, or most graduate school admissions offices, unless the disclosure fits squarely within an exception like the transfer exception or is related to financial aid at that institution. Therefore, obtaining explicit, written consent remains the standard requirement for including such PII in letters sent externally.

The need for consent is triggered specifically by the act of disclosure – the release, transfer, or communication of PII from education records to an outside party. While a professor might internally access a student’s grades under the “school official” exception to inform their own assessment, the moment they incorporate that grade into a letter sent externally, it becomes a disclosure requiring student consent.

Waiving Your Right to Look: The FERPA Recommendation Letter Waiver

One of the fundamental rights granted by FERPA is the right of parents or eligible students to inspect and review the student’s education records maintained by the institution. This right generally applies to all education records, including letters of recommendation if they are maintained by the institution as part of the student’s record.

Defining the Waiver Provision (34 CFR § 99.12)

However, FERPA includes a specific provision that allows students to waive this right of access for certain types of records, most notably confidential letters of recommendation (34 CFR § 99.12). This waiver applies to letters and statements of recommendation placed in the student’s record after January 1, 1975, that relate to:

• Admission to any educational institution;
• An application for employment; or
• The receipt of an honor or honorary recognition.

According to the FERPA regulations (34 CFR § 99.12(b)(3)), for a waiver of access to these confidential recommendations to be valid, several conditions must be met:

• Voluntary: The waiver must be voluntary. An educational institution cannot require a student to waive their right of access as a condition for admission, financial aid, or any other service or benefit from the institution.
• Written and Signed: The waiver must be in writing and signed by the student, regardless of age. This means even students under 18 can sign such a waiver for these specific types of recommendations.
• Notification of Names: If the student has waived their right, the institution must still, upon request, provide the student with the names of the individuals who provided the letters and statements of recommendation.
• Purpose Limitation: The letters and statements must be used by the institution only for the specific purpose(s) for which they were originally intended (e.g., admission, employment consideration, honor selection).
• Revocability: A student can revoke their waiver in writing at any time. The revocation applies to actions occurring after the revocation, meaning it doesn’t grant access to letters received while the waiver was in effect, but it would apply to any future recommendations placed in the file.

Crucial Clarification on Timing

A common point of confusion relates to when the FERPA right of access applies to recommendation letters. The right to inspect these letters, even if not waived, generally becomes effective only after the student has been admitted to and enrolled in the institution that is maintaining the letter as part of their education record.

FERPA does not grant students the right to review recommendation letters before they are submitted or before they enroll at the receiving institution. Whether a recommender chooses to show a student the letter before sending it is a matter of personal discretion, not a FERPA requirement.

Waiver Relates to Access, Not Disclosure Content

It is vital to distinguish the waiver of access (Section V) from the consent for disclosure (Section IV). The waiver discussed here under § 99.12 concerns only the student’s future right to inspect the letter after enrolling. It is entirely separate from the consent required under § 99.30 for the recommender to include PII (like GPA or specific grades) from the student’s education records in the letter when sending it externally.

A student applying to college will likely encounter both issues:

1. They may need to provide consent to their high school counselor or teacher to include their GPA or class rank in a recommendation letter being sent to colleges (a disclosure issue under § 99.30).
2. They will almost certainly be asked on the college application (e.g., the Common Application) to waive their right to access those recommendation letters later if they enroll at that college (an access issue under § 99.12).

These are two distinct decisions related to the same letter. Consent permits the inclusion and sending of specific data; the waiver relinquishes the future right to see the final product. Recognizing this distinction is key to correctly navigating FERPA requirements for recommendations.

To Waive or Not to Waive? Why It Matters

When faced with the FERPA waiver question on college applications and other forms requesting recommendations, students must decide whether to retain or give up their right to potentially review these letters in the future. While the choice is legally the student’s, there is a strong consensus and prevailing practice within the academic community.

The Common Practice: Waive the Right

Overwhelmingly, the standard, expected, and strongly recommended practice is for students to waive their right to review confidential letters of recommendation, particularly for college and graduate school admissions. Application platforms like the Common Application explicitly ask this question and often provide context explaining why waiving is common.

Rationale for Waiving

The preference for waived rights stems from deeply ingrained beliefs within academia about confidentiality and honesty:

• Encourages Candor: The primary argument is that recommenders will provide more honest, candid, and potentially critical feedback if they are assured the student will never read the letter. Confidentiality is seen as essential for obtaining an unvarnished assessment.
• Increases Credibility: Admissions committees and other evaluators tend to place greater trust and weight on recommendations written under the assumption of confidentiality. A waived right signals that the letter is likely unbiased and genuine. It also demonstrates the student’s trust in their recommenders and confidence in their own qualifications.

Potential Consequences of Not Waiving

Choosing not to waive the right of access, while legally permissible under FERPA (as long as it’s not required by the institution), can carry significant practical disadvantages:

• Recommender Reluctance or Refusal: Some teachers, counselors, or professors may be uncomfortable writing a letter that they know the student could eventually read. They might decline the request altogether, or their institution or department might have a policy against writing non-confidential letters. Some high schools might even prevent teachers from writing recommendations if the student doesn’t waive their rights.
• Reduced Weight or Credibility: Admissions committees may view a non-waived letter with skepticism, potentially questioning its candor or authenticity. It might be perceived as less valuable or given less consideration compared to confidential letters, potentially raising a “red flag”.
• More Generic Letter: Knowing the letter might be reviewed could cause the recommender to be overly cautious, leading to a more generic, less impactful letter that avoids specific (potentially negative, but constructively critical) details.

Addressing Student Anxiety

It’s understandable that some students feel anxious about not being able to see what is written about them. The best way to mitigate this anxiety is to choose recommenders carefully – individuals who know the student well, support their goals, and can be trusted to provide a strong and fair evaluation. While students should not expect or demand to see the letters, some recommenders may voluntarily offer to share a copy or discuss the content beforehand; this is entirely at the recommender’s discretion.

The decision to waive or not ultimately highlights a tension between a student’s legal right to access their records under FERPA and the powerful institutional norms and perceptions surrounding the recommendation process. The academic and admissions culture strongly values confidentiality, believing it ensures honesty. This creates an environment where exercising the legal right not to waive is often perceived negatively and can disadvantage the applicant. Consequently, while FERPA provides a choice, the practical reality, especially for applicants to selective programs, heavily favors waiving the right of access.

Putting It Into Practice: Consent and Waivers in Action

Navigating the FERPA requirements for recommendation letters involves practical steps for both students and recommenders, especially within common application systems.

College Applications (Common App Example)

Many students apply to college using platforms like the Common Application. These platforms typically integrate the FERPA waiver process directly into the application workflow:

1. FERPA Release Authorization: After adding colleges to their list, students are usually prompted to complete a FERPA Release Authorization section, often found under a “Recommenders and FERPA” tab within the “My Colleges” section.
2. Two Key Permissions: This authorization typically asks for two things:
   • Permission for the student’s high school(s) to release necessary educational records (like transcripts) to the colleges.
   • The student’s decision on whether to waive or not waive their FERPA right to review recommendations and accompanying forms submitted on their behalf.
3. Making the Choice: The student must select one option regarding the waiver. As discussed previously, waiving the right is the standard and recommended choice. The platform often provides explanatory text about the implications of this choice.
4. Finalizing: Once the choice is made and the authorization is electronically signed and submitted, it typically applies to all colleges the student applies to through that platform for that application cycle. The choice regarding the waiver usually cannot be changed after recommenders have been invited or forms submitted.

Guidance for Students Requesting Letters

Successfully obtaining strong, compliant recommendation letters involves careful planning:

• Choose Recommenders Wisely: Select teachers, counselors, or mentors who know the student well personally and academically, preferably from recent (e.g., junior year) core subject courses or significant activities related to the student’s goals. They should be individuals the student trusts to provide a positive, specific, and insightful evaluation.
• Ask Politely and Early: Request letters in person if possible, showing respect for the recommender’s time. Ask well in advance of the deadline – at least four weeks is a common recommendation, potentially earlier for popular teachers.
• Provide Necessary Information: Make the recommender’s job easier by providing a comprehensive packet, either physically or electronically. This should include:
  • A clear list of the schools/programs the letters are for, along with their deadlines and submission instructions.
  • A resume or “brag sheet” detailing academic achievements, extracurricular activities, work experience, honors, relevant projects, and future goals. This helps the recommender recall specifics and tailor the letter.
  • Any specific forms required by the institutions or application platforms.
  • Crucially, if the student wants the recommender to include PII like GPA, specific grades, or class rank, they must provide a signed and dated FERPA consent form that meets the requirements outlined in Section IV. Check if the school provides a standard form for this.
• Confirm Waiver Expectations: Be prepared to waive the right to access the letter on application platforms. Students should also be aware if their chosen recommenders or high school have a policy requiring waiver.

Guidance for Recommenders

Faculty, counselors, and others writing recommendations play a key role in FERPA compliance:

• Understand Content Source: Be mindful of the distinction between sharing personal observations (which generally doesn’t require FERPA consent for disclosure) and including PII derived directly from the student’s education records (which does require consent for external disclosure).
• Obtain Written Consent for PII: Before including non-directory PII (grades, GPA, class rank, specific course details, etc.) in a letter being sent to parties outside the institution, obtain a signed, dated, specific written consent form from the student. Do not rely on a verbal request or the general request for a letter as sufficient consent for disclosing this protected information. Use official institutional forms if available.
• Note the Waiver Status: Be aware of whether the student has waived their right to future access. While the primary focus should be an honest and fair assessment, this information is relevant to the confidentiality context under which the letter is written.
• Record Keeping and Security: Maintain copies of the student’s written consent forms. Follow institutional policies regarding retaining copies of the recommendation letters themselves. If transmitting letters electronically, use secure methods as recommended by institutional IT security policies, especially when sensitive data is involved.

Summary Table: FERPA Actions for Recommendation Letters

The following table summarizes the key FERPA considerations for common recommendation letter scenarios:

This table illustrates the distinct nature of consent for disclosure and waiver of access, guiding users through the appropriate actions based on the specific situation.

Know Your Rights: Official FERPA Resources

Navigating FERPA, especially concerning nuanced situations like recommendation letters, requires access to accurate and authoritative information. The primary source for guidance and enforcement of FERPA is the U.S. Department of Education’s Student Privacy Policy Office (SPPO).

Individuals seeking comprehensive information should consult the following official resources:

• Student Privacy Policy Office (SPPO) Website: The main hub for FERPA information from the Department of Education.
• SPPO FERPA Page: Contains links to regulations, guidance documents, training materials, and frequently asked questions.
• SPPO Guidance for Parents and Students: Offers resources tailored to the rights of parents and eligible students. This page includes essential guides such as:
  • “A Parent Guide to the Family Educational Rights and Privacy Act (FERPA)”
  • “An Eligible Student Guide to the Family Educational Rights and Privacy Act (FERPA)”
• FERPA Regulations (34 CFR Part 99): The official legal text of the FERPA regulations can be found in the Code of Federal Regulations, accessible online via the Electronic Code of Federal Regulations (eCFR). Key sections relevant to recommendation letters include:
  • § 99.3: Definitions (including “education records,” “personally identifiable information,” “disclosure”)
  • § 99.10: Right to inspect and review education records
  • § 99.12: Limitations on the right to inspect and review (including waivers for recommendations)
  • § 99.30: Conditions under which prior consent is required for disclosure
  • § 99.31: Conditions under which prior consent is not required for disclosure
  • § 99.33: Limitations on redisclosure
• Letter Regarding Waiver at Secondary Level: A specific guidance letter confirming that students can waive access rights to recommendations even at the secondary level.

In addition to these federal resources, students, parents, and educators should always consult their specific educational institution’s official FERPA policy. These policies are often available on the school or university registrar’s website or in student handbooks. Institutional policies provide details on local procedures for requesting access to records, obtaining consent forms, handling directory information opt-outs, and filing complaints.

Understanding both the federal law and local implementation is key to effectively managing privacy rights and obligations related to recommendation letters.

Our articles make government information more accessible. Please consult a qualified professional for financial, legal, or health advice specific to your circumstances.