Understanding FERPA: Responsibilities for School Faculty and Staff

GovFacts

The Family Educational Rights and Privacy Act (FERPA), enacted in 1974 and also known as the Buckley Amendment, is a federal law designed to protect the privacy of student education records. Found at 20 U.S.C. § 1232g and detailed in regulations at 34 CFR Part 99, FERPA applies to educational agencies and institutions that receive funding under any program administered by the U.S. Department of Education.

This includes virtually all public K-12 schools and school districts, as well as most public and private postsecondary institutions. Private and faith-based elementary and secondary schools generally do not receive such funding and are therefore often not subject to FERPA.

The core purpose of FERPA is twofold: it grants parents rights concerning their children’s education records, and it protects that information from disclosure to third parties without appropriate consent. These rights transfer from the parents to the student when the student reaches the age of 18 or attends a school beyond the high school level. Such students are known as “eligible students.”

FERPA’s Three Fundamental Rights

FERPA grants parents and eligible students three fundamental rights regarding education records:

  • The Right to Inspect and Review: Parents or eligible students have the right to inspect and review the student’s education records maintained by the school within a reasonable timeframe, not to exceed 45 days from the request. Schools generally aren’t required to provide copies unless circumstances (like distance) prevent review.
  • The Right to Seek Amendment: Parents or eligible students can request that the school amend records they believe are inaccurate, misleading, or violate the student’s privacy rights. If the school refuses, the parent/eligible student has the right to a formal hearing and to place a statement in the record. This right does not extend to challenging grades or disciplinary decisions themselves, only their accurate recording.
  • The Right to Consent to Disclosure: Generally, schools must obtain written consent from the parent or eligible student before releasing any personally identifiable information (PII) from a student’s education record. The consent must be signed, dated, specify the records, state the purpose, and identify the recipient.

Schools are required to notify parents and eligible students annually of their rights under FERPA.

Defining “Education Records”

Understanding what constitutes an “education record” is crucial for compliance. FERPA defines education records broadly as records that are:

  1. Directly related to a student; AND
  2. Maintained by an educational agency or institution, or by a party acting for the agency or institution.

These records can exist in any medium, including handwriting, print, email, computer files, video, or audio recordings. Examples include grades, transcripts, class lists, student course schedules, health records maintained by the school (like immunization records or school nurse records), student financial information held by the school, and student discipline files.

What’s Not Considered an Education Record

FERPA explicitly excludes certain types of records from this definition:

  • “Sole Possession” Records: Notes kept by a faculty or staff member for their personal use as a memory aid and not shared with others (except a temporary substitute). Sharing these notes makes them education records. If you don’t want a note reviewed, it’s best not to write it down in a way that could be considered maintained by the institution.
  • Law Enforcement Unit Records: Records created and maintained by a school’s designated law enforcement unit for a law enforcement purpose. If these records are shared with other school officials (e.g., for disciplinary action), they may become education records.
  • Employment Records: Records related to school employees who are not employed as a result of their student status. Records for students employed due to their student status (e.g., work-study) are education records.
  • Treatment Records: Medical or psychological records made, maintained, and used only in connection with the treatment of a student (age 18 or older, or attending postsecondary) and disclosed only to individuals providing the treatment. These may be covered by HIPAA in some contexts.
  • Alumni Records: Records created or received after an individual is no longer a student, which are not directly related to their attendance.
  • Peer-Graded Papers: Grades on papers before they are collected and recorded by the instructor.

Information obtained through a school official’s personal knowledge or observation, if not derived from an education record, is also generally not protected by FERPA’s disclosure limitations.

Faculty and Staff Responsibilities: The Duty of Confidentiality

As faculty or staff members at an institution subject to FERPA, you are considered “school officials” and have a direct legal responsibility to protect the confidentiality of student education records. This means you cannot disclose PII from education records without prior written student consent, unless a specific FERPA exception applies.

Access to student information is not automatic; it is granted based on your role and responsibilities within the institution. The guiding principle is “legitimate educational interest,” often described as the “need to know.” You may only access and use student education records to perform tasks directly related to your official duties. Curiosity or personal interest does not constitute a legitimate educational interest.

Improper release of student records, even accidentally, violates federal law and institutional policy. This includes sharing lists of students, discussing student progress with unauthorized individuals (including parents of eligible students without consent), or leaving records unsecured.

While written consent is the default rule, FERPA recognizes specific situations where PII from education records can be disclosed without obtaining prior consent from the parent or eligible student. Faculty and staff must understand these exceptions to act appropriately.

School Officials with Legitimate Educational Interest

This is perhaps the most relevant exception for daily operations. FERPA allows schools to disclose PII from education records to “school officials” within the institution whom the school has determined have a “legitimate educational interest” in the information.

Who is a “School Official”?

Institutions define this in their annual FERPA notification. It typically includes teachers, principals, counselors, administrators, registrars, attorneys, health staff, clerical staff, trustees, and potentially campus police or security officers. Importantly, it can also include contractors, consultants, volunteers, or other third parties to whom the school has outsourced institutional services (e.g., software vendors, legal counsel, auditors, collection agencies, volunteer tutors), provided they meet specific criteria:

  • Perform a service the school would otherwise use employees for.
  • Are under the school’s direct control regarding the use and maintenance of records.
  • Use the information only for the purposes for which it was disclosed and are subject to redisclosure requirements.
  • Meet the school’s criteria for having a legitimate educational interest.

What is “Legitimate Educational Interest”?

FERPA does not strictly define this term, leaving it to institutions to establish criteria in their annual notification. Generally, a school official has a legitimate educational interest if they need to review an education record to fulfill their professional responsibility for the institution.

Examples: Performing tasks specified in a job description; tasks related to a student’s education (teaching, advising, counseling); tasks related to student discipline; providing student services (health care, financial aid, job placement). A professor checking a student’s prerequisites, an advisor reviewing a transcript for course planning, or a disciplinary board member accessing records relevant to a hearing would likely qualify.

Limitations: This exception is not a blank check. It does not grant access to all student records. Access is role-specific and task-dependent. Accessing records out of personal curiosity or for reasons unrelated to official duties is a violation. It also does not authorize disclosure to parties outside the institution without separate consent or another applicable exception.

Directory Information

FERPA allows schools to designate certain PII as “directory information,” which can be disclosed without consent if specific procedures are followed. Directory information is defined as information generally not considered harmful or an invasion of privacy if disclosed.

What Can Be Directory Information?

Each institution decides what to designate, but common examples include:

  • Student’s Name
  • Address (local/permanent)
  • Telephone Listing
  • Email Address (institutional)
  • Photograph
  • Date and Place of Birth
  • Major Field of Study / College
  • Grade Level / Classification (e.g., Freshman, Senior)
  • Enrollment Status (e.g., undergraduate/graduate, full-time/part-time)
  • Dates of Attendance (academic terms enrolled, not daily presence)
  • Participation in officially recognized activities and sports
  • Weight and height of members of athletic teams
  • Degrees, honors, and awards received
  • Most recent educational agency or institution attended

What CANNOT Be Directory Information?

FERPA explicitly prohibits certain data points from ever being designated as directory information:

  • Social Security Number (SSN)
  • Student ID Number (except under limited circumstances for display/access with authentication)
  • Race / Ethnicity
  • Nationality
  • Gender
  • Grades / GPA
  • Religion

Directory vs. Non-Directory Information Examples

| Category | Examples Often Designated as Directory (If Not Opted Out) | Examples NEVER Directory Information |
|---|---|---|
| Identification | Name, Address, Phone, Email, Photo, Date/Place of Birth | SSN, Student ID Number (generally), Race, Ethnicity, Nationality, Gender |
| Academic | Major, College, Grade Level, Enrollment Status, Dates of Attendance, Degrees/Honors Awarded, Previous Institution | Grades, GPA, Specific Course Schedule, Transcript Details, Test Scores, Academic Standing |
| Activities | Participation in Sports/Activities, Athletic Team Member Weight/Height | Disciplinary Records (generally) |

Notification and Opt-Out

This is a critical step. Before disclosing directory information, schools must annually notify parents/eligible students about:

  • The types of PII designated as directory information.
  • Their right to refuse or “opt out” of the disclosure of their directory information.
  • The period of time within which they must notify the school to opt out.

If a parent or eligible student opts out, the school cannot disclose any directory information for that student without their prior written consent. This opt-out remains effective even after the student leaves the institution, unless they rescind it.

Proper Disclosure Practices

Faculty and staff must always check if a student has placed a privacy block or opted out of directory information disclosure before releasing such information. Many student information systems display a warning for confidential records. Remember, FERPA permits disclosure of directory information under these conditions; it does not require it. Institutions can choose to be more restrictive. The conditional nature of this exception cannot be overstated; failure to follow the notification and opt-out procedures, or releasing information for a student who has opted out, is a FERPA violation.

Health and Safety Emergencies

FERPA permits disclosure of PII from education records without consent when the disclosure is necessary to protect the health or safety of the student or other individuals in the face of an actual, impending, or imminent emergency.

Standard: This requires an “articulable and significant threat” to health or safety, determined by the school based on the totality of the circumstances known at the time. The Department of Education gives deference to school officials’ judgments if they have a rational basis for their determination.

Appropriate Parties: Disclosure is limited to parties whose knowledge of the information is necessary to protect health and safety. This could include law enforcement, public health officials, trained medical personnel, emergency responders, and parents (including parents of eligible students in emergencies).

Limitations: The disclosure must be narrowly tailored to the emergency. It is temporary, limited to the period of the emergency, and does not permit blanket releases of information.

Documentation: The school must record the articulable and significant threat that formed the basis for the disclosure and the parties to whom the information was disclosed.

This exception provides critical flexibility in emergencies, such as active threats, medical crises, or natural disasters. However, it demands careful judgment and documentation. School officials must reasonably determine a genuine threat exists and share only the necessary information with appropriate parties for the duration required to mitigate the threat. It should not be used as a routine mechanism for information sharing.

Other Common Exceptions

FERPA includes several other exceptions to the consent requirement, which faculty and staff should be aware of, although they may be handled more frequently by administrative offices:

  • To Other Schools: Disclosure to officials of another school, school system, or postsecondary institution where the student seeks or intends to enroll, or is already enrolled, for purposes related to enrollment or transfer. The school must make a reasonable attempt to notify the parent/eligible student unless the disclosure was initiated by them or is covered in the school’s annual FERPA notice.
  • Audit or Evaluation: Disclosure to authorized representatives of federal, state, or local educational authorities to audit or evaluate federal- or state-supported education programs or enforce compliance with legal requirements related to those programs. Requires a written agreement specifying purpose, data use, destruction, and confidentiality protections.
  • Financial Aid: Disclosure in connection with a student’s application for, or receipt of, financial aid.
  • Studies: Disclosure to organizations conducting studies for, or on behalf of, the school to develop tests, administer aid programs, or improve instruction. Requires a written agreement similar to the audit/evaluation exception.
  • Accrediting Organizations: Disclosure to organizations carrying out accrediting functions.
  • Judicial Order or Subpoena: Disclosure to comply with a judicial order or lawfully issued subpoena. Schools must generally make a reasonable effort to notify the parent/eligible student before complying, unless the subpoena specifies otherwise (e.g., grand jury, law enforcement). Requests are often handled via the Registrar’s or legal office.
  • Parents of Dependent Students (Postsecondary): Postsecondary institutions may (but are not required to) disclose education records to parents of an eligible student if the student is claimed as a dependent for federal income tax purposes. Proof of dependency (e.g., tax return) is typically required.
  • Disciplinary Proceeding Results: Disclosure of the final results of a disciplinary proceeding concerning an alleged perpetrator of a crime of violence or non-forcible sex offense. Specific rules apply regarding what can be disclosed and to whom (e.g., victim, public under certain conditions).
  • Parental Notification of Alcohol/Drug Violations (Postsecondary): Postsecondary institutions may notify parents of an eligible student (under age 21) if the institution determines the student violated laws or policies concerning alcohol or controlled substance use/possession.

FERPA in Practice: Daily Compliance Strategies for Faculty and Staff

Applying FERPA principles requires diligence in everyday tasks. Here are practical strategies:

Handling Grades and Student Work

  • No Public Posting: Never post grades or scores in a way that publicly links a student’s identity (name, ID number, SSN) to their performance. This includes posting on office doors, hallways, public websites, or unsecured shared drives. Grades are highly sensitive PII. Using secure, password-protected learning management systems (LMS) or providing grades individually is essential. If public posting is unavoidable (which should be rare), use a unique, confidential code known only to the instructor and each individual student.
  • Secure Return of Work: Do not leave graded assignments, exams, or papers in unattended, publicly accessible locations (e.g., a box outside an office) for students to pick up by sorting through others’ work. This practice violates confidentiality. Return work directly to students or use secure electronic methods. Convenience must yield to privacy protection.
  • Peer Grading Nuance: While FERPA doesn’t protect grades assigned by peers before the instructor collects and records them, once those grades become part of the official education record maintained by the school, they gain FERPA protection.

Email Best Practices

Email is a common tool, but it carries inherent privacy risks for PII.

  • Use Official Accounts: Whenever possible, use your official institutional email account to communicate with students about educational matters, and encourage students to use their official accounts. This helps verify identity and keeps communication within the institution’s managed systems, which may offer better security and record-keeping.
  • Caution with Sensitive PII: Exercise extreme caution when sending non-directory PII (grades, specific academic feedback, disciplinary information, ID numbers, SSNs) via standard email. Standard email is generally not considered a secure transmission method. Check your institution’s specific policy, as many prohibit sending grades or other highly sensitive data via email. If institutional policy allows it, or if no other option exists, consider using secure, encrypted methods if available (e.g., encrypted attachments, secure file transfer portals). Discussing grades via email can also lead to protracted “negotiations” better handled in person.
  • Use BCC for Group Emails: When emailing a group of students (e.g., a class list), always place recipient addresses in the Blind Carbon Copy (BCC) field. This prevents students from seeing each other’s email addresses, which could be considered directory information they opted out of sharing or could implicitly reveal class enrollment.
  • Verify Recipients: Double-check the “To” field before sending any email containing student information to prevent accidental disclosure to the wrong person. Email autocomplete features can increase this risk.
  • Professional Content: Keep email communications professional and focused on the educational matter at hand. Avoid including unnecessary PII or engaging in casual discussions about sensitive student issues.
  • Record Keeping: Your institution may have policies on retaining email communications. Keeping records of significant interactions can help demonstrate compliance if questions arise. Be aware that emails on institutional servers may be subject to public records requests or legal discovery.

Writing Letters of Recommendation

Letters of recommendation often require balancing personal assessment with FERPA rules.

  • Consent Required for Non-Directory PII: If you plan to include specific, non-directory information directly from the student’s education record (e.g., GPA, specific grades, class rank, disciplinary status) in a letter of recommendation, you must obtain the student’s prior, specific, written consent. This consent should specify the records to be disclosed, the purpose (the recommendation), and the party receiving the letter.
  • Permissible Content Without Specific Consent: You are generally permitted to include information based on your own observations of the student’s abilities, performance, and character gained through your interactions in class or advising. You can also include information the student provided to you specifically for the purpose of writing the letter (e.g., details from their resume or personal statement). The key distinction is whether the information comes from your direct observation/interaction or is being pulled from the protected education record.

Classroom Management Considerations

  • Attendance Records: Avoid circulating class rosters or sign-in sheets that display student names alongside non-directory PII like student ID numbers or grades. Use methods that protect student privacy, such as calling roll or using an LMS check-in feature.
  • Parent Communication (K-12 vs. Postsecondary): This is a critical distinction.
    • K-12: Faculty and staff generally can communicate with parents about their child’s education records and progress, as parents hold the FERPA rights.
    • Postsecondary: Once a student becomes an “eligible student” (age 18 or attending postsecondary), FERPA rights transfer to them. Faculty and staff generally cannot discuss the student’s education records (grades, progress, attendance, etc.) with parents without the student’s explicit, written consent. Simply being a parent does not grant access rights at this level. Refer parent inquiries about specific records to the student or the appropriate administrative office (e.g., Registrar). You can discuss general course requirements, grading philosophies, or institutional policies. Exceptions exist (e.g., health/safety emergency, proof of tax dependency status allowing optional disclosure by the institution), but direct consent from the eligible student is the standard pathway.
  • Class Recordings: If classes are recorded (audio or video) and students are identifiable (e.g., speaking, visible in presentations), these recordings can become part of the education record and are subject to FERPA. Students should be informed about recording practices. Avoid sharing recordings containing identifiable students outside the class context without consent or de-identification.
  • Public Comments: Avoid discussing a student’s academic standing, performance, or behavior in a way that identifies them publicly within the classroom or other group settings.
  • In-Class Identification: Using a student’s name or institutional email address for normal classroom functions (e.g., calling on them, using a class email list generated by the institution) is generally permissible, even if the student has opted out of directory information disclosure, as it falls under the legitimate educational interest needed to conduct the class.

Basic Data Security Measures

Protecting physical and electronic records is fundamental.

  • Secure Storage: Keep paper records containing PII in locked cabinets or drawers when not in use. Use strong passwords, encryption where available, and secure institutional servers or drives for electronic records. Avoid storing sensitive student data on personal laptops, portable drives (flash drives), or unsecure cloud services unless explicitly permitted and secured according to institutional policy.
  • Device and Screen Security: Lock your computer screen when stepping away. Do not leave sensitive student data displayed where unauthorized individuals might see it. Log out of applications and systems containing student data when finished. Restrict physical access to your workspace and devices.
  • Proper Data Disposal: When records containing PII are no longer needed according to institutional retention schedules, dispose of them securely. Shred physical documents; use secure methods for deleting electronic files. Simply throwing records in the trash is a violation.
  • Situational Awareness: Be mindful of your surroundings when discussing PII orally or viewing it on screen to prevent inadvertent disclosure.

Consequences of FERPA Violations

Failure to comply with FERPA can lead to significant consequences for both the educational institution and the individuals involved.

For the Institution

  • Loss of Federal Funding: The most severe penalty under FERPA is the withdrawal of all federal funding administered by the U.S. Department of Education. While the Department’s Family Policy Compliance Office (FPCO) has historically sought voluntary compliance and has not ultimately withdrawn funds, this remains the ultimate enforcement tool. The FPCO investigates complaints and works with institutions to correct violations.
  • Legal Action and Financial Penalties: While FERPA itself does not provide a private right for individuals to sue for damages, institutions may face lawsuits under other federal or state laws stemming from privacy violations. This can result in costly litigation, settlements, or fines imposed by courts or regulatory bodies.
  • Department of Education Enforcement: If an institution fails to achieve voluntary compliance after an investigation, the FPCO can issue cease-and-desist orders or initiate proceedings to withhold funds.
  • Reputational Damage: FERPA violations can significantly damage an institution’s reputation and erode trust among students, parents, alumni, and the wider community.
  • Accreditation Issues: Non-compliance could potentially impact an institution’s accreditation status.
  • Mandated Corrective Actions: Institutions found in violation are often required to implement specific corrective actions, such as revising policies, conducting mandatory staff training, and enhancing data security measures. Even without the loss of funding, the process of investigation and remediation can be substantial and costly.

For Individuals (Faculty/Staff)

  • Institutional Disciplinary Action: Employees who violate FERPA through negligence or intentional misconduct may face disciplinary actions imposed by their institution, ranging from formal reprimands to suspension or even termination of employment.
  • Prohibition on Future Access: Third parties (such as researchers or vendors) found to have improperly disclosed PII from education records can be barred by the Department of Education from accessing such records at any institution for a minimum of five years.
  • Other Potential Legal Consequences: While individuals typically aren’t sued directly under FERPA, egregious violations could potentially lead to action under other state or federal laws (e.g., related to fraud, identity theft, or state privacy statutes). Willful violations could potentially lead to criminal charges. Individual actions directly contribute to institutional compliance or non-compliance, highlighting the personal responsibility every school official bears.

Official FERPA Resources for Deeper Learning

Continuous learning and access to authoritative guidance are key to maintaining FERPA compliance. The primary source for official information is the U.S. Department of Education’s Student Privacy Policy Office (SPPO).

Key official resources include:

Faculty and staff should also consult their own institution’s specific FERPA policies and training materials, as institutional procedures often provide necessary local context and may include requirements stricter than FERPA’s baseline.
