Last updated 4 days ago. Our resources are updated regularly but please keep in mind that links, programs, policies, and contact information do change.
The Family Educational Rights and Privacy Act (FERPA) is the cornerstone federal law in the United States safeguarding the privacy of student education records. Enacted in 1974, this legislation grants parents specific rights concerning their children’s education records, and transfers these rights to students when they turn 18 or attend a postsecondary institution. FERPA also establishes rules for how educational institutions may disclose personally identifiable information from student records.
FERPA applies to all educational agencies and institutions that receive funding under any program administered by the U.S. Department of Education. This includes public and private elementary, secondary, and postsecondary schools, as well as state and local education agencies.
The law operates as a condition attached to federal education funds. Institutions that deny parents or eligible students their FERPA rights or improperly release student records without consent risk losing federal funding. The Department of Education enforces FERPA, though the Supreme Court ruled in Gonzaga University v. Doe that individuals cannot sue institutions directly for violations.
Private schools that don’t receive federal funding are generally exempt from FERPA requirements. However, most private colleges and universities receive federal funding through student financial aid programs and must comply with FERPA.
In today’s digital educational landscape, FERPA’s principles remain essential for administrators, educators, technology providers, parents, and students navigating student data privacy issues.
History of FERPA
FERPA, often called the Buckley Amendment after Senator James L. Buckley of New York, was signed into law by President Gerald Ford on August 21, 1974. Its passage responded to growing concerns about student record misuse nationwide.
Before FERPA, schools often denied parents access to their children’s records while granting access to third parties without parental knowledge. The post-Watergate political climate, with heightened awareness of government surveillance, provided momentum for the legislation.
FERPA was introduced as an amendment to the Elementary and Secondary Education Act reauthorization, bypassing typical committee hearings. This expedited passage resulted in ambiguities that required clarification through the Buckley/Pell Amendment in December 1974.
Core Rights Under FERPA
FERPA establishes three fundamental rights for parents and eligible students:
Right to Inspect Education Records
Parents of students under 18 and eligible students (those 18 or older or attending college) have the right to inspect and review the student’s education records. This applies to records maintained by any educational agency subject to FERPA.
Institutions must fulfill access requests within a “reasonable period,” not exceeding 45 calendar days. They must also respond to reasonable requests for explanations of the records.
The right primarily covers inspection and review. Schools aren’t automatically required to provide copies unless circumstances prevent in-person inspection. If copies are provided, the school may charge a reasonable fee, but cannot charge for searching or retrieving records.
If a record contains information about multiple students, requesters may only access information about the specific student in question.
At the postsecondary level, eligible students generally cannot inspect:
- Financial records submitted by their parents
- Confidential recommendation letters placed in their file before January 1, 1975
- Confidential recommendation letters placed after January 1, 1975, relating to admission, employment, or honors, if the student has waived access rights
Schools cannot destroy records if there’s an outstanding inspection request.
Right to Amend Records
FERPA allows parents and eligible students to request that schools amend education records they believe are inaccurate, misleading, or violate the student’s privacy rights.
When receiving such a request, the institution must review it and decide within a reasonable time. If the institution agrees, it must correct the record. If it refuses, it must notify the parent or student of their right to a formal hearing.
The hearing must meet procedural requirements including reasonable timing, adequate notice, and an impartial hearing officer. The decision must be written, evidence-based, and include an explanation.
If the hearing determines the information is inaccurate or misleading, the institution must amend the record. If not, the parent or student has the right to place a statement in the record commenting on the contested information or explaining their disagreement with the decision. This statement must be maintained with the record and disclosed whenever the contested portion is disclosed.
The amendment process typically addresses factual inaccuracies rather than challenging subjective evaluations like grades or disciplinary outcomes.
Right to Control Disclosure
FERPA requires that educational institutions protect personally identifiable information (PII) in student records. The default rule is that institutions must obtain signed, dated written consent before disclosing PII to most third parties.
This consent must specify which records may be disclosed, state the purpose, and identify the party receiving the disclosure. Electronic consent is permitted if it reliably identifies the person giving consent.
While consent is the general rule, FERPA includes numerous exceptions allowing disclosure without consent in specific situations related to educational functions, legal requirements, or safety concerns.
Parties receiving PII under consent exceptions generally cannot redisclose that information without separate consent. Institutions must inform recipients about this limitation.
Key FERPA Definitions
Education Records
“Education records” are materials that:
- Contain information directly related to a student
- Are maintained by an educational agency or institution
The format doesn’t matter—records can include handwriting, print, computer media, video, audio, film, or other media. Common examples include grades, transcripts, class lists, schedules, disciplinary records, financial information, and health records maintained by the school.
FERPA excludes several types of records from this definition:
- Sole Possession Records: Private notes kept by a staff member as a memory aid, not shared with others
- Law Enforcement Unit Records: Records created and maintained by a school’s law enforcement unit for law enforcement purposes
- Employment Records: Records related exclusively to a person’s employment, unless employment depends on student status
- Treatment Records: Health records for college students made by health professionals and used only for treatment
- Applicant Records: Records of individuals who applied but weren’t admitted
- Alumni Records: Records created after a student is no longer enrolled
- Peer Grades: Grades on papers before they’re collected by the teacher
A critical distinction exists between information in records and personal knowledge. FERPA restricts disclosure of information from records but doesn’t prohibit sharing information based on personal observation.
Personally Identifiable Information (PII)
FERPA protects “personally identifiable information” in education records. PII includes:
- Student’s name
- Names of parents or family members
- Student’s or family’s address
- Personal identifiers like social security numbers, student IDs, or biometric records
- Indirect identifiers like birth date, birthplace, or mother’s maiden name
- Information that could reasonably identify a specific student
- Information requested by someone who the institution believes already knows the student’s identity
The definition includes biometric records (fingerprints, retina patterns, DNA, facial features, etc.). Context matters in determining whether combined information could identify a student.
Directory Information
FERPA allows schools to designate certain PII as “directory information,” which can be disclosed without consent under specific conditions. Directory information is defined as information that wouldn’t generally be considered harmful or an invasion of privacy if disclosed.
Examples include:
- Student’s name, address, phone number, email, photograph
- Birth date and place
- Major, grade level, enrollment status
- Attendance dates
- Activities and sports participation
- Degrees, honors, awards
- Most recent previous school attended
Social Security Numbers cannot be designated as directory information. Student ID numbers generally aren’t directory information unless they require additional authentication to access records.
Before disclosing directory information, institutions must:
- Provide public notice about what information is designated as directory information
- Allow parents or eligible students time to opt out of disclosure
If a parent or student opts out, the institution cannot disclose that information without consent. The opt-out remains effective even after the student leaves the institution, unless rescinded.
Schools have discretion in managing directory information. They can choose which categories to designate or choose not to designate any information as directory information.
Eligible Student
An “eligible student” is a student who:
- Has reached age 18, OR
- Is attending a postsecondary institution at any age
When a student becomes eligible, all FERPA rights transfer from parents to the student.
This transfer doesn’t necessarily prevent parent access. Postsecondary institutions may disclose records to parents of eligible students without consent in specific circumstances:
- If the student is claimed as a dependent for tax purposes
- In health or safety emergencies
- If the student (under 21) has violated alcohol or drug policies
These exceptions are permissive, not mandatory. Institutions have discretion in handling parent requests.
Legitimate Educational Interest
The “legitimate educational interest” standard governs internal access to student records. A school official has legitimate educational interest if they need to review records to fulfill professional responsibilities.
This includes tasks related to instruction, advising, administration, discipline, student services, or supporting student success. “School officials” can include teachers, administrators, staff, contractors, consultants, or volunteers performing institutional functions.
Legitimate educational interest isn’t automatic access to all records. Access should be limited to specific records needed for job-related tasks. This represents a “need-to-know” standard.
Institutions must define this standard in their annual FERPA notification and use reasonable methods to ensure appropriate access.
When Can Schools Disclose Records Without Consent?
FERPA includes specific exceptions allowing disclosure without consent:
School Officials
Disclosure is permitted to school officials with legitimate educational interests. This includes teachers, administrators, and contractors performing institutional functions.
Outside contractors must:
- Perform a function the school would otherwise use employees for
- Be under the school’s “direct control” regarding record use and maintenance
- Follow FERPA’s use and redisclosure restrictions
Transfers to Other Schools
Records can be disclosed to officials at schools where the student seeks enrollment or is already enrolled, provided the disclosure relates to enrollment or transfer.
The sending institution must generally notify the parent or student of the disclosure unless the disclosure was student-initiated or the annual FERPA notice mentioned this practice.
Audits and Evaluations
Disclosure is allowed to authorized representatives of specific federal and state officials for audits, evaluations, or enforcement of education programs.
These officials include the Comptroller General, Secretary of Education, state educational authorities, and the Attorney General for law enforcement purposes.
The data must be protected from further identification and destroyed when no longer needed.
Financial Aid
Institutions may disclose PII when necessary for financial aid purposes, including determining eligibility, amount, conditions, or enforcing terms.
Studies for Educational Institutions
Disclosure is permitted to organizations conducting studies for educational institutions that develop tests, administer aid, or improve instruction.
This requires a written agreement specifying the study’s purpose, scope, duration, data protection, and destruction timeline.
Accrediting Organizations
FERPA allows disclosure to accrediting organizations for their accrediting functions.
Judicial Orders and Subpoenas
Institutions may disclose PII to comply with judicial orders or lawfully issued subpoenas.
Generally, institutions must notify the parent or student before complying, unless the order prohibits disclosure (as with federal grand jury subpoenas, law enforcement subpoenas with non-disclosure orders, or terrorism investigation orders under the USA Patriot Act).
Health and Safety Emergencies
Perhaps the most critical exception, FERPA permits disclosure to appropriate parties if necessary to protect health or safety during an emergency.
This requires an “articulable and significant threat.” The Department of Education generally defers to institutional judgment if there’s a rational basis for the decision.
Disclosure must be limited to the emergency period and include only necessary information. Appropriate parties may include law enforcement, health officials, parents, or others who can address the threat.
Other Key Exceptions
- Parents of Dependent Students: Colleges may disclose records to parents if the student is claimed as a tax dependent.
- Victims of Violent Crimes: Postsecondary institutions may disclose disciplinary proceeding results to victims.
- Alcohol/Drug Violations: Colleges may notify parents if a student under 21 violates alcohol or drug policies.
- USA Patriot Act: Allows disclosure for terrorism investigations under court order.
- Juvenile Justice: Permits disclosures allowed by state statutes concerning juvenile justice.
- Child Welfare Agencies: Allows disclosure to agency representatives legally responsible for student care.
- De-identified Information: Permits release of records after removing all PII.
FERPA in Practice
K-12 vs. Higher Education Differences
FERPA applies differently across educational levels:
- Rights Holder: In K-12, parents hold FERPA rights until the student turns 18. In college, students hold rights regardless of age.
- Parental Access: In K-12, parental access is the default for minors. In college, access requires student consent or meeting specific exceptions.
- Record Types: “Treatment records” exclusions mainly apply to college health records. K-12 nurse records are typically education records.
- Specific Disclosures: Some exceptions, like those for violence/sex offenses or alcohol violations, specifically target colleges.
Parental Access to College Records
A common issue involves parents seeking access to their child’s college records. Since FERPA rights transfer to students upon college enrollment, parents no longer have automatic access.
However, colleges may disclose records to parents if the student is claimed as a tax dependent. Institutions often require proof of dependency, like a tax return copy. This exception is permissive, not mandatory—institutions decide whether to disclose.
Parents may also gain access through student consent or under health/safety emergency or alcohol/drug violation exceptions for students under 21.
FERPA vs. HIPAA
Confusion often surrounds the relationship between FERPA and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
The key principle: if a health record is maintained by an educational institution and directly relates to a student, it’s an education record governed by FERPA, not HIPAA. HIPAA regulations explicitly exclude FERPA-covered education records.
HIPAA applies in school contexts primarily when:
- Healthcare comes from entities not affiliated with the school
- A school health center is operated by a HIPAA-covered entity like a hospital
- A university hospital treats students as patients
- A postsecondary institution designates itself as a “hybrid entity” under HIPAA
Information sharing between entities covered by different laws requires careful consideration.
Data Sharing with Vendors and EdTech
Educational technology and third-party services present FERPA compliance challenges. When schools share PII with external entities, disclosure typically occurs under the “School Official” exception.
For vendors to qualify under this exception, they must:
- Perform a function the school would otherwise use employees for
- Be under the school’s “direct control” regarding data use
- Follow FERPA’s limitations on use and redisclosure
While not explicitly required by regulations, written contracts are essential best practices for demonstrating “direct control.” Contracts should define:
- Data scope and ownership
- Authorized purposes and prohibited uses
- FERPA compliance obligations
- Security measures
- Data retention and destruction procedures
- Breach notification requirements
- Audit rights
- Liability provisions
Schools remain responsible for vendor data handling. This requires due diligence before engagement, contract negotiation, and ongoing monitoring.
Posting Grades and Returning Assignments
Everyday classroom practices can create FERPA violations if PII is improperly exposed.
Posting Grades: Publicly posting grades using names, SSNs, or IDs violates FERPA. Even posting alphabetical lists with unique codes should be avoided. Better options include secure online grade books, individual communication, or truly anonymous codes.
Returning Assignments: Leaving graded papers in unsecured locations where students might see others’ grades constitutes improper disclosure. Secure methods include individual returns, ID verification, or sealed envelopes.
FERPA Enforcement and Violations
FERPA enforcement primarily rests with the U.S. Department of Education’s Student Privacy Policy Office (SPPO).
Parents or eligible students can file complaints with SPPO within 180 days of alleged violations. SPPO investigates timely complaints containing specific allegations and may initiate investigations independently.
If SPPO finds non-compliance, it typically works with the institution toward voluntary compliance. If that fails, the Secretary of Education can withdraw federal funding, issue cease and desist orders, or terminate program eligibility.
While funding termination is rare, the threat encourages compliance. For third parties who misuse student data, schools must prohibit further access to PII for at least five years.
Individual employees who violate FERPA may face institutional discipline, including termination.
As established in Gonzaga University v. Doe, FERPA doesn’t create a private right of action. Individuals cannot sue educational institutions directly under FERPA. The sole federal recourse is through the SPPO complaint process, though state laws may provide additional protections.
Our articles make government information more accessible. Please consult a qualified professional for financial, legal, or health advice specific to your circumstances.