Last updated 4 months ago. Our resources are updated regularly but please keep in mind that links, programs, policies, and contact information do change.
The Family Educational Rights and Privacy Act (FERPA) is a cornerstone federal law in the United States that governs the privacy of student education records. This law establishes a framework balancing the need to protect student privacy with the rights of parents and students to access and review educational information.
FERPA applies to educational agencies and institutions receiving funding from the U.S. Department of Education, including most public K-12 schools, school districts, colleges, and universities, as well as some private institutions accepting federal education funds.
Most private K-12 schools generally don’t receive such funding and are therefore often not subject to FERPA’s requirements.
This article explains FERPA, detailing the responsibilities it places on schools and colleges, and the rights it grants to parents and students.
What is FERPA?
The Law Defined
FERPA, officially The Family Educational Rights and Privacy Act, is the primary federal law regulating the privacy of student education records. The statute is located in federal law at 20 U.S.C. § 1232g, with detailed implementing regulations issued by the U.S. Department of Education found in the Code of Federal Regulations at 34 CFR Part 99.
At its core, FERPA grants parents specific rights concerning their children’s education records:
- The ability to access and review these records
- The right to request corrections to records they believe are inaccurate
- The right to exercise control over the disclosure of personally identifiable information (PII) contained within those records
Purpose
FERPA serves two fundamental purposes:
First, it protects the privacy interests of students and their parents by restricting the unwarranted disclosure of PII from education records to third parties. Schools covered by FERPA generally cannot release protected information without appropriate consent, safeguarding sensitive details about a student’s academic life and personal information.
Second, FERPA empowers parents and eligible students by guaranteeing them the right to access the student’s education records. This access allows them to review the information schools maintain and provides a process to challenge and seek correction of records they believe are inaccurate, misleading, or violate the student’s privacy rights.
Scope of Coverage
FERPA’s requirements apply to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes:
- Virtually all public K-12 schools and school districts (Local Education Agencies or LEAs)
- State Education Agencies (SEAs)
- Public colleges and universities
- Private and charter schools that receive federal education funding
- Private postsecondary institutions participating in federal student aid programs
Institutions solely receiving non-monetary benefits, or where students receive benefits but the institution itself does not receive funds, may not be covered.
Transfer of Rights: The “Eligible Student”
A critical aspect of FERPA is the transfer of rights from the parent to the student. When a student reaches the age of 18 or attends a postsecondary institution at any age, the student becomes an “eligible student” under FERPA.
At this point, all the rights previously held by the parent under FERPA transfer directly to the student, including the right to:
- Inspect and review records
- Seek amendments
- Consent to disclosures
This transfer has significant practical implications:
- The parents of a 17-year-old student enrolled in college courses generally don’t have the right to access the student’s college records without the student’s consent
- Parents retain FERPA rights for their 18-year-old child who is still enrolled in high school
- Postsecondary institutions must primarily interact with the eligible student regarding their education records, although exceptions exist, such as when a student is claimed as a dependent for tax purposes
Key FERPA Terms
Understanding FERPA requires familiarity with several key terms defined in the law and its regulations.
Education Records
Definition: FERPA defines “education records” broadly as records that are:
- Directly related to a student; and
- Maintained by an educational agency or institution, or by a party acting for the agency or institution
This definition applies regardless of format: handwriting, print, computer media, electronic files, video or audio tape, film, microfilm, and microfiche.
Examples Included:
- Official transcripts
- Class schedules and course lists
- Grades and test scores (including standardized tests)
- Student financial aid information
- Health and immunization records maintained by the school
- Student disciplinary files
- Special education records such as Individualized Education Programs (IEPs)
- School photos or videos directly related to a student
- Records maintained by third-party vendors or service providers acting on behalf of the school
Examples Excluded:
- Sole Possession Notes: Private notes made by a teacher or staff member for their own use as a personal memory aid, kept in their sole possession and not revealed to anyone except a temporary substitute
- Law Enforcement Unit Records: Records created by a school’s designated law enforcement unit, created for a law enforcement purpose, and maintained by that law enforcement unit
- Employment Records: Records relating to a student’s employment by the institution, unless the employment is contingent on their status as a student (e.g., work-study records)
- Treatment Records (Postsecondary): Records on an eligible student made by a health professional, used only for treatment, and disclosed only to those providing treatment
- Applicant Records/Post-Attendance Records: Records on individuals who applied but never attended, or records created after a student is no longer enrolled
- Peer-Graded Papers: Grades on papers or exams graded by fellow students before they are collected and recorded by the teacher
Personally Identifiable Information (PII)
Definition: PII under FERPA includes information that can be used to identify a specific student. This encompasses obvious identifiers and information that, either alone or combined with other reasonably available information, could allow someone to identify the student with reasonable certainty.
Includes:
- Direct Identifiers: Student’s name, parent or family member names, address, personal identifiers like Social Security or student ID numbers
- Indirect Identifiers: Date of birth, place of birth, mother’s maiden name, biometric records
- Other Linkable Information: Any other information linked or linkable to a specific student that meets the “reasonable certainty” identification standard
Even seemingly anonymous data points, like participation in a very small extracurricular activity or specific demographic details in a small school, could potentially become PII if they allow for easy identification in that specific context.
Eligible Student
An “eligible student” is one who has reached 18 years of age OR is attending a postsecondary institution at any age. Once a student meets this definition, all FERPA rights transfer from the parent to the student.
School Official & Legitimate Educational Interest
School Official Definition: FERPA allows schools to disclose PII from education records without consent to “school officials” within the institution whom the school has determined have “legitimate educational interests” in the information.
The term “school official” typically includes:
- Employees such as teachers, principals, administrators, registrars, counselors, attorneys, support staff, and school board members
- Non-employees like contractors, consultants, volunteers, or third parties (e.g., EdTech vendors) if they are performing an institutional service or function that the school would otherwise use its own employees to perform
Conditions for Outside Parties as School Officials: For an outside party to be considered a “school official,” several strict conditions must be met:
- They must perform an institutional service or function for which the school would otherwise use employees
- They must be under the direct control of the school with respect to the use and maintenance of the education records
- They must be subject to FERPA’s requirements regarding the use and redisclosure of PII
- They must meet the criteria specified in the school’s annual notification of FERPA rights
Legitimate Educational Interest Definition: While FERPA gives schools significant discretion in defining this term, it generally means that the official needs to review an education record to fulfill their professional responsibilities.
Access is not automatic for all school officials to all records; it is role-based and tied to specific job duties. For example, a registrar might have a legitimate educational interest in reviewing transcripts for graduation requirements but likely not in counseling notes unrelated to that function.
The school must specify its criteria for determining who is a school official and what constitutes a legitimate educational interest in its required annual notification to parents and eligible students.
Core FERPA Responsibilities
Educational institutions subject to FERPA have several core responsibilities designed to protect student privacy while ensuring appropriate access.
Safeguarding Student Records
The primary responsibility is to protect PII from students’ education records against unauthorized disclosure. This involves implementing policies and procedures to control access and release of information.
Institutions must use “reasonable methods” to ensure the security of records, a requirement particularly important with digital records, online platforms, and third-party service providers.
While FERPA itself doesn’t mandate specific security technologies, institutions must ensure their systems and agreements with vendors provide adequate protection.
Providing Annual Notification of Rights
Schools and LEAs (but not typically SEAs) must notify parents (of K-12 students) and eligible students (students 18+ or in postsecondary) of their FERPA rights annually. Postsecondary institutions notify only eligible students.
This notification doesn’t have to be sent individually but must be provided through methods likely to reach the intended audience (e.g., student handbooks, school websites, newsletters).
It must also be provided in ways that are understandable to individuals with disabilities or whose primary language is not English.
Content of Notice: The annual notice must include:
- The right to inspect and review education records and the procedures for doing so
- The right to seek amendment of records believed to be inaccurate, misleading, or in violation of privacy rights, and the procedures for making such a request
- The right to consent to disclosures of PII from education records, except where FERPA authorizes disclosure without consent
- The right to file a complaint with the U.S. Department of Education concerning alleged failures by the institution to comply with FERPA
- The criteria the institution uses to determine who constitutes a “school official” and what constitutes a “legitimate educational interest”
- If the institution has a policy of disclosing “directory information” without consent, the notice must specify the types of information designated as such, explain the right to opt out, and state the method and timeline for opting out
Handling Requests to Inspect, Review, and Amend Records
Institutions must establish and follow procedures for handling requests from parents or eligible students.
Inspection/Review: Access must be granted within a reasonable period, not to exceed 45 calendar days from receiving the request. The school must make arrangements for access and notify the requester of the time and place. If a request for access is pending, the school cannot destroy the requested records.
Amendment: Schools must have procedures to consider requests to amend records. If a request is denied, the school must inform the parent or eligible student of the decision and their right to a formal hearing.
If the hearing also results in a denial, the parent or eligible student has the right to place a statement in the record explaining their disagreement, which must be maintained and disclosed with the contested part of the record.
Obtaining Consent for Disclosures
As a default principle, schools must obtain signed and dated written consent from the parent or eligible student before disclosing PII from education records.
The consent form must specify:
- The records to be disclosed
- The purpose of the disclosure
- The party or class of parties to whom the disclosure may be made
Oral consent is not sufficient. Electronic signatures and consents are permissible if they reliably identify and authenticate the person providing consent and indicate their approval.
Keeping Records of Disclosures
For most disclosures made without prior written consent under FERPA’s exceptions, the institution must keep a record. This record must be maintained with the student’s education records for as long as the records themselves are maintained.
Record Content: The disclosure record must indicate:
- The specific PII disclosed
- The party who requested or received the PII
- The legitimate interest that party had in requesting or obtaining the information
Exceptions to Recordkeeping: Schools are not required to keep a record of disclosures when PII is released to:
- The parent or eligible student themselves
- A school official under the § 99.31(a)(1) exception (including vendors acting as school officials)
- A party who has obtained prior written consent from the parent or eligible student
- A party seeking designated directory information
- A party receiving information pursuant to certain judicial orders or subpoenas where the institution was prohibited from notifying the parent/student
Your Rights Under FERPA
FERPA grants specific, enforceable rights to parents of students under 18 (in K-12) and to eligible students (those 18+ or in postsecondary education).
Right to Inspect and Review Education Records
This is a fundamental right under FERPA. Parents or eligible students have the right to access and review nearly all education records the school maintains about the student.
Process: To exercise this right, the parent or eligible student should submit a written request to the appropriate school official (e.g., principal, registrar) identifying the records they wish to inspect. The school must respond and provide access within a reasonable time frame, legally not exceeding 45 days from the date the request is received.
Copies: While the right is primarily to inspect and review, schools must provide copies if circumstances prevent the parent or eligible student from exercising this right directly (e.g., if they live too far away to visit the school). Schools may charge a reasonable fee for copies, but only if the fee does not effectively prevent access to the records.
Limitations: The right to inspect pertains only to the student’s own records. If a record contains information about multiple students, the school must permit access only to the portion pertaining to the requesting student, or inform the requester of the specific content related to their child/themselves.
Right to Request Amendments to Education Records
If a parent or eligible student believes that information in the student’s education records is inaccurate, misleading, or violates the student’s privacy rights under FERPA, they have the right to ask the school to amend the record.
Process: The request should be made in writing to the appropriate school official, clearly identifying the part of the record they want changed and specifying why it is inaccurate, misleading, or violates privacy. The school must consider the request and decide whether or not to make the amendment.
Hearing Rights: If the school decides not to amend the record as requested, it must inform the parent or eligible student of the decision and advise them of their right to a formal hearing on the matter. The school must provide information about the hearing procedures.
Statement Placement: If, after the hearing, the school still decides not to amend the record, the parent or eligible student has the right to place a written statement in the education record commenting on the contested information or stating their disagreement with the decision.
Limitations: This right is intended to correct factual inaccuracies or misleading information, not to challenge substantive decisions made by school officials. For example, a parent or eligible student generally cannot use the FERPA amendment process to change a grade they disagree with or contest a disciplinary outcome.
Right to Consent to Disclosures of Personally Identifiable Information
FERPA’s default position is that schools must obtain written consent from the parent or eligible student before disclosing PII from a student’s education records to third parties.
This right to consent gives parents and eligible students significant control over who sees the student’s private educational information.
When Consent Isn’t Needed: Exceptions to FERPA’s Disclosure Rule
While obtaining prior written consent is the general rule under FERPA, the law acknowledges specific circumstances where schools are permitted—but generally not required—to disclose PII from education records without consent.
School Officials with Legitimate Educational Interests
Disclosure is permitted to school officials whom the institution has determined have a “legitimate educational interest”.
Conditions: The school must define “school official” and “legitimate educational interest” in its annual FERPA notification. Access must be necessary for the official to perform their professional duties.
If disclosing to a third party under this exception (e.g., an EdTech vendor), that party must be performing an institutional service, be under the school’s direct control regarding data use, use the data only for authorized purposes, and adhere to redisclosure limitations.
Recordation: Not required.
Other Schools upon Transfer
Disclosure is permitted to officials of another school, school system, or postsecondary institution where the student seeks or intends to enroll, or is already enrolled, for purposes related to enrollment or transfer.
Conditions: The school must make a reasonable attempt to notify the parent or eligible student about the disclosure, unless the school’s annual notice includes a statement that it forwards records upon request to schools where the student seeks to enroll, or if the disclosure was initiated by the parent/student.
Recordation: Required.
Audit or Evaluation Purposes
Disclosure is permitted to authorized representatives of the U.S. Comptroller General, the U.S. Attorney General, the U.S. Secretary of Education, or state and local educational authorities.
Conditions: The disclosure must be for auditing or evaluating Federal or State-supported education programs, or for enforcement of or compliance with Federal legal requirements related to those programs.
Recordation: Required.
Financial Aid
Disclosure is permitted in connection with a student’s application for, or receipt of, financial aid.
Conditions: Disclosure is limited to information necessary to determine eligibility for aid, determine the amount of aid, determine the conditions for aid, or enforce the terms and conditions of the aid.
Recordation: Required.
Studies Conducted for or on Behalf of Schools
Disclosure is permitted to organizations conducting studies for, or on behalf of, educational agencies or institutions.
Conditions: The study must be for the purpose of:
- Developing, validating, or administering predictive tests
- Administering student aid programs
- Improving instruction
A written agreement is required that specifies the purpose, scope, and duration of the study; limits the use of PII to the study’s purpose; ensures PII is protected from unauthorized disclosure; and requires the return or destruction of PII when the study is complete.
Recordation: Required.
Accrediting Organizations
Disclosure is permitted to organizations that accredit the institution.
Conditions: Disclosure must be to carry out their accrediting functions.
Recordation: Required.
Compliance with Judicial Order or Lawfully Issued Subpoena
Disclosure is permitted to comply with a court order or subpoena.
Conditions: The school must make a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance, so they may seek protective action.
However, prior notification is not required if the disclosure is in compliance with a federal grand jury subpoena or any other subpoena issued for a law enforcement purpose, and the court or issuing agency has ordered the school not to disclose the existence or contents of the subpoena.
Recordation: Required (unless prior notification was prohibited by the court/agency).
Health and Safety Emergencies
Disclosure is permitted if knowledge of the PII is necessary to protect the health or safety of the student or other individuals in the face of an actual, impending, or imminent emergency.
Conditions: The school determines, on a case-by-case basis considering the totality of circumstances, that an articulable and significant threat exists. Disclosure is limited to the period of the emergency and made only to parties who need the information to protect health or safety.
This exception cannot be used for hypothetical or future emergencies or for blanket releases of information.
Recordation: Required.
Directory Information
Disclosure of information designated by the school as “directory information” is permitted under specific conditions (detailed later).
Recordation: Not required.
Summary of Key FERPA Exceptions to Consent Requirement
The following table summarizes key exceptions allowing disclosure without prior written consent, highlighting critical conditions.
| Exception Name | Typical Recipient(s) | Key Conditions | Disclosure Record Required? |
|---|---|---|---|
| School Officials | School employees, contractors, volunteers acting for school | Must have “legitimate educational interest” as defined by school in annual notice. If contractor, must meet specific criteria (service function, direct control, data use limits). | No |
| Transfer to Other Schools | Officials of school where student seeks/intends to enroll | For enrollment/transfer purposes. School must make reasonable attempt to notify parent/student (unless covered in annual notice or initiated by parent/student). | Yes |
| Audit/Evaluation | Federal/State education authorities | For audit/evaluation of education programs or compliance. Requires written agreement if not agency employee. | Yes |
| Financial Aid | Parties involved in determining/administering aid | Necessary to determine eligibility, amount, conditions, or enforce terms. | Yes |
| Studies for Schools | Organizations conducting studies for/on behalf of school | For specific purposes (predictive tests, aid admin, improving instruction). Requires written agreement with data protection, use limits, and destruction clauses. | Yes |
| Accrediting Organizations | Accrediting bodies | To carry out accrediting functions. | Yes |
| Judicial Order/Subpoena | Court, issuing agency | Compliance required. Reasonable effort to notify parent/student before compliance, unless prohibited by court/agency (e.g., law enforcement subpoena). | Yes |
| Health & Safety Emergency | Law enforcement, medical personnel, parents, public health officials, others needed to respond | Articulable & significant threat to health/safety. Disclosure limited to information/parties necessary during emergency. | Yes |
| Directory Information | General public, third parties | Information designated by school as “directory info” in annual notice. Parents/students must have right to opt out. | No |
| Parents of Dependent Student (Postsec.) | Parents of eligible student | Student must be claimed as a dependent for tax purposes. | Yes |
| Disciplinary Results (Postsec.) | Victim (of violence/sex offense), Public (if perpetrator found responsible for violence/sex offense), Parents (<21, alcohol/drug) | Specific rules for disclosing results of disciplinary proceedings in certain cases. | Yes |
| Juvenile Justice Authorities | State/local juvenile justice system | Pursuant to specific state laws for serving student pre-adjudication. | Yes |
| Foster Care Agencies | Child welfare agencies/tribal organizations | Agency must be legally responsible for student’s care; for accessing case plan. Redisclosure limited. | Yes |
Directory Information: What It Is and How It Works
One of the most commonly used exceptions to FERPA’s consent requirement involves “directory information.” This exception allows schools to disclose certain types of PII about students without individual consent, provided specific procedures are followed.
Definition and Examples
Directory information is defined as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Each school or district must decide what types of information it will designate as directory information.
Typical examples include:
- Student’s name
- Address
- Telephone listing
- Email address
- Photograph
- Date and place of birth
- Major field of study
- Grade level
- Enrollment status (e.g., undergraduate or graduate; full-time or part-time)
- Dates of attendance
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams
- Degrees, honors, and awards received
- Most recent educational agency or institution attended
What Cannot Be Directory Information
FERPA explicitly prohibits schools from designating a student’s Social Security number or student ID number as directory information (except under specific, limited circumstances).
Other sensitive data like grades, specific course schedules, disciplinary records, race/ethnicity, or country of citizenship are generally not considered directory information and require consent for disclosure unless another FERPA exception applies.
Required Procedures
Before disclosing directory information without consent, a school must meet two key requirements:
- Annual Notification: The school must inform parents or eligible students, through its annual FERPA notice, about its directory information policy. This notice must specify the types of PII the institution has designated as directory information.
- Opportunity to Opt-Out: The school must give parents or eligible students a reasonable amount of time to inform the school, in writing, that they do not want any or all of the designated directory information disclosed without their prior written consent. The annual notice must explain the procedure for exercising this right.
School Discretion
The designation of directory information and the decision to release it are ultimately at the discretion of the school. FERPA permits, but does not require, schools to disclose directory information.
A school can choose to designate certain items as directory information but then decide not to release them, or to release them only to specific parties or for specific purposes.
Limitations
Once a parent or eligible student properly opts out, the school must honor that request and cannot disclose the designated directory information for that student without specific consent (unless another FERPA exception applies).
The opt-out applies only to disclosures made after the opt-out is processed. It typically remains in effect until revoked by the parent or eligible student.
Schools must have procedures to ensure opt-outs are respected, which can be particularly complex with automated systems or third-party contracts involving directory information.
FERPA in the Digital Age
The proliferation of digital technologies in education creates new challenges and necessitates careful consideration of FERPA responsibilities.
Cloud Services and Third-Party Vendors
Schools increasingly rely on third-party vendors to provide educational software, apps, cloud hosting, and other digital services. When these vendors handle or store student PII, FERPA compliance is critical.
The “School Official” Exception: Often, schools provide vendors access to PII under the “school official” exception. To do this properly, the vendor must be performing a service the school would otherwise do itself, be under the school’s direct control regarding the use and maintenance of the data, use the data only for the authorized purpose, and not redisclose it without permission.
Contractual Safeguards: Schools must have clear contracts or agreements with vendors that explicitly detail data privacy and security obligations, including:
- Compliance with FERPA
- Limitations on data use (especially prohibiting data mining for commercial purposes or targeted advertising)
- Security requirements
- Breach notification procedures
- Data retention/deletion policies
- Provisions for auditing vendor compliance
Vetting Vendors: Schools should carefully vet vendors before engaging them, assessing their privacy policies, security practices, and track record.
Data Security
While FERPA requires “reasonable methods” to protect records, it doesn’t prescribe specific technologies. However, in the digital context, “reasonable methods” increasingly means implementing robust safeguards:
- Access Controls: Limiting access to digital records based on roles and legitimate educational interest
- Authentication: Using strong passwords, multi-factor authentication, and other measures to verify user identities
- Encryption: Encrypting sensitive student data both at rest and in transit
- Training: Regularly training staff and authorized vendors on FERPA requirements and data security protocols
- Auditing and Monitoring: Implementing systems to log access to sensitive data and monitor for unauthorized activity
- Incident Response Plan: Having a plan in place to quickly respond to data breaches or security incidents
Student-Generated Data and Metadata
Online platforms often generate vast amounts of data about student interactions, such as login times, content accessed, participation patterns, and even keystroke data.
If this data is “directly related to a student” and “maintained by” the school or its agent (the vendor), it likely constitutes an “education record” under FERPA.
Schools must ensure their agreements with vendors clarify ownership, access rights (including student/parent rights to inspect), and limitations on the use of such metadata.
Enforcement and Complaints
Primary Enforcement Agency
The U.S. Department of Education, specifically the Student Privacy Policy Office (SPPO), is responsible for investigating, processing, reviewing, and adjudicating complaints of alleged FERPA violations. SPPO also provides technical assistance and guidance on FERPA compliance.
Filing a Complaint
Parents or eligible students who believe their FERPA rights have been violated by an educational agency or institution can file a written complaint with SPPO.
Timeline: The complaint must generally be filed within 180 calendar days of the date the complainant knew or reasonably should have known of the alleged violation. SPPO may grant an extension for good cause shown.
Content: The complaint must be signed and contain specific allegations of fact giving reasonable cause to believe a violation occurred, including dates and relevant details. Information about how to file a complaint is available on the SPPO website.
Investigation Process
If SPPO accepts a complaint for investigation, it will typically notify the complainant and the educational institution. SPPO may request information and documentation from the institution and may conduct site visits. Both parties have the opportunity to submit relevant information.
Findings and Remedies
If SPPO finds that an institution has failed to comply with FERPA, it will notify the institution in writing of its findings and the specific steps the institution must take to come into compliance. SPPO works with the institution to achieve voluntary compliance.
Potential Sanctions: If an institution fails to voluntarily comply after being notified of a violation, the Department of Education has several enforcement options:
- Withholding of further Department funds from the institution
- Issuing a cease-and-desist order
- Entering into a compliance agreement with the institution that mandates specific corrective actions
No Private Right of Action
A significant aspect of FERPA enforcement is that the U.S. Supreme Court has ruled that FERPA does not provide individuals with a “private right of action”—meaning individuals generally cannot sue the school or district directly in federal court solely for a FERPA violation to seek damages or compel compliance (Gonzaga University v. Doe, 536 U.S. 273 (2002)).
While state laws might offer separate avenues or remedies related to student privacy, enforcement of FERPA itself primarily relies on the administrative complaint process through the Department of Education.
Our articles make government information more accessible. Please consult a qualified professional for financial, legal, or health advice specific to your circumstances.