The Family Educational Rights and Privacy Act
The Family Educational Rights and Privacy Act, or FERPA, of 1974 protects the privacy of student education records and allows parents and students to keep their educational information private. We’ll look at the law, what it means for organizations, and how Compliant can help your website stay on the right side of the law.
FERPA is a federal law that regulates the access and privacy of a student’s educational records. A person can request corrections to inaccurate information that can ultimately result in a formal hearing.
Schools must get the written consent of the student, a parent, or a guardian to release educational records.
The basic premise of FERPA is to ensure the protection of children’s rights by keeping their educational records private unless the parent or guardian explicitly consents to have that information released. FERPA also gives guardians and students the right to challenge information in their academic records that they feel is incorrect or misleading.
FERPA mandates that any objection must be heard out and given a trial. If the school ultimately decides an amendment of the educational records is not necessary, they are still required to note the objection and the student’s account of the information presented in the educational records.
Schools that receive federal funding are subject to FERPA’s restrictions. This list of schools includes all public schools and many private schools.
This regulation also means that private schools that do not receive federal or state government funding are not subject to FERPA.
Under FERPA, there are three types of protected information: personally identifiable, directory, and educational.
Personally Identifiable Information
Personally identifiable information is anything that can be used to pick out a single individual like a student or their parent or guardian. This information can only be disclosed with a parent’s or guardian's permission unless the student is 18, in which case they must provide consent. This information includes the student's family address, student ID number, e-mail address, or other records with personal information. It also includes information created or maintained by a physician, psychologist, or psychiatrist.
Directory information often overlaps with personally identifiable data and can include the student’s name, address, date of birth, telephone number, and enrollment at the school. This information can be freely disclosed as long as the school notifies the student and their guardians of the impending disclosure and gives them a reasonable timeframe to object to the disclosure.
Such records are kept at the registrar's office and include
Educational records cannot be disclosed without explicit permission from the student or their guardians.
There are seven primary steps involved in being compliant with FERPA. Considering how costly non-compliance can be, it is essential to follow and implement these steps. We’ll address them in detail below.
A critical part of complying with FERPA is to ensure that everyone associated with an educational institution is aware of the Act and the implications of violating it.
Knowing the different protections extended to the various types of student data and what steps need to be taken to ensure their safety is essential. It is also important to understand the rights of students and their parents when it comes to contesting student records.
Institutions will need to have resources available to protect students’ personally identifiable information and allow students or parents to opt-out of informational disclosure.
There are exceptions to FERPA where student information can be disclosed without explicit permission:
One of the biggest problems for schools can come from third-party services and vendors. For example, school health care providers will need to have a comprehensive understanding of both FERPA and HIPAA to protect student information.
Whether a vendor intentionally or unintentionally violates FERPA, the school, not the vendor, will be held legally responsible.
Institutions may send their staff to annual training programs to learn about amendments or revisions to the FERPA regulations and review general data policies. Training helps keep everyone up to date on regulations and decreases the likelihood of accidental mistakes that reveal protected information.
In addition to training your staff, your educational institution will need to create and implement compliant policies to make it easier for your teachers and administrators to stay within the bounds of the law. These policies should account for the storage of student records, explanations of who can access these records, and when student information should be destroyed.
Your policies should also include what to do in the event of an offense, data breach, or system hacking. Having a data breach plan in place can help to minimize the exposure of protected information. In addition, the data breach may be accidental or the result of malicious actors outside of your institution’s control, but your response can be construed as a FERPA violation if the proper protocols are not in place.
Besides restricting access to confidential information, encryption adds another layer of security that should be prioritized. School officials can make mistakes or forget to log out of their systems, so encrypting emails and files containing sensitive information make them harder to access and less likely to be breached or disclosed.
FERPA does not protect law enforcement records. Law enforcement agencies can refuse to allow students or guardians to see law enforcement records and share that information freely without obtaining permission.
Once a year, schools must transmit a FERPA notice to all students and their guardians, if under 18. The notice includes information about student and guardian rights under FERPA, asking if they consent to have their children’s personal information disclosed, a description of FERPA, and notifying guardians of the complaint process if they wish to file one.
FERPA does not mandate how the notice should be distributed or published. It can be published on the school’s website, the student handbook, or a separate notice sent to parents or guardians.
Teachers must take FERPA’s regulations into account when storing students’ personal information or disclosing it. Without explicit consent from parents, teachers cannot share non-directorial personally identifiable information about students. Typically, these situations arise when teachers want to use tools and technologies that the school has not officially approved or contracted.
Another recommendation is not to send any educational records or identifiable information through email or use other social network platforms to post student information.
FERPA covered information can be disclosed in specific emergencies when the safety and welfare of the student or others are at stake. For example, suppose a student has been disciplined for bringing a weapon to school and has recently made threats. In that case, the disciplinary information (normally covered under FERPA) should be revealed to other school officials and law enforcement in the interests of safety.
Although FERPA does not outline penalties for individuals who violate FERPA, it does propose penalties for the entire institution. The reasoning behind it is that the institution will then penalize the individual(s) in violation and then take additional steps to prevent the violations from happening again in the future.
The institution must pay for the violation by having its federal funding withdrawn. Considering how heavily most educational institutions rely on federal funding, this can be a significant incentive for the institution to react to any FERPA violations immediately.
Interestingly, although the Act was originally passed four decades ago, no institution has ever been successfully prosecuted or found to violate the Act. It appears the threat of losing federal funding has been enough to entice institutions to police themselves effectively.
FERPA mandates that educational institutions must take steps to protect the personally identifiable information of current students by requiring consent before disclosing the data except for emergencies and giving their parents or guardians the right to contest their records. Contact us today to see how we can help your website stay Compliant with changing laws.