FERPA is a federal privacy law that protects the privacy of students’ personally identifiable information (PII) in education records. FERPA primarily does two things: ensures appropriate access and limits unauthorized disclosure. Access is embodied through FERPA’s guarantee that parents and eligible students–students 18+ or attending higher education institutions–have the right to access their education records and to challenge the information in them as inaccurate or no longer relevant. FERPA prohibits all other disclosures of PII in education records unless there is consent or an applicable exception to FERPA’s consent requirement and certain safeguards are in place.

Why was FERPA enacted?

When Congress enacted FERPA in 1974, there were growing concerns about the kinds of private, personal information that public entities–such as schools–had access to and control over, the broader community’s limited awareness of and input in these data practices, and the potential for inaccurate records to limit people’s future opportunities. FERPA was intended to address the power imbalance between schools, parents, and students by codifying certain rights regarding access to and sharing of PII in student records.

Who does FERPA regulate?

All educational agencies and institutions that receive federal funding must follow FERPA. This means that public schools–whether elementary, secondary, or postsecondary–as well as many private schools–such as private postsecondary institutions that receive federal financial aid on behalf of their students–have to abide by FERPA.

Which data is protected by FERPA?

FERPA protects PII in education records . In general, PII is any information about a student that can reasonably be linked back to them. Under FERPA, PII includes both direct identifiers (such as first and last name) and indirect identifiers (such as grade level or year of birth). Vague descriptions like “the freshman student in yearbook club” can constitute PII under FERPA in the right circumstances, such as when there is only one freshman in the yearbook club. The test for when information is PII under FERPA is if it would allow a reasonable person in the school community to identify a specific student with reasonable certainty. Essentially, if the information can be linked back to an individual fairly easily, it falls under FERPA’s PII definition. To be protected by FERPA, the PII must be located in education records. “Education records” are records that are: 1) directly related to a student; and 2) maintained by an educational agency or institution, or by a party acting for the agency or institution ( 34 CFR 99.3(a) ). This includes a wide variety of formats, regardless of whether information is physically kept in the school filing cabinet or virtually stored in the cloud.

Which data is not protected by FERPA?

Want to see the full chart on another page? Click here. EAI = Educational Agency or Institution IEP = Individualized Education Program LEA = Local Educational Agency PII = Personally Identifiable Information SEA = State Educational Agency SIS = Student Information System FERPA Exempt Description Example De-Identified Records and Information (34 CFR 99.31(b)) EAIs may release records or information after removal of all PII, provided that the EAI or another party has made a reasonable determination that a student cannot be reidentified. A school could redact student names before releasing a list of student test scores with each student’s grade (and no other information) listed so long as enough grades are included to make particular students’ grades not reasonably re-identifiable. Personal Notes (34 CFR 99.3 “Education records”) Records an individual keeps as a personal memory aid that are not shared with any other person, except for a temporary substitute. A math teacher’s personal notes on which students they anticipate needing the most help on tomorrow’s long division lesson, to be shared only with tomorrow’s substitute math teacher. Information Obtained Through Personal Knowledge or Observation (Guidance) Information about a student that was obtained through school personnel’s personal knowledge or observation, unless that knowledge is obtained through their official role in making a determination maintained in an education record about the student. What a teacher heard students discussing in the hallway or whether they thought that a student appeared to be upset. Law enforcement unit records (34 CFR 99.3 “Education records” and 34 CFR 99.8) An EAI’s law enforcement unit records that are created by a law enforcement unit for a law enforcement purpose and maintained by the law enforcement unit. These records can become education records if they are shared for a non-law enforcement purpose (such as the school disciplining a student) or are maintained exclusively for a non-law enforcement purpose. School camera footage showing a student spray-painting classroom doors, so long as the cameras are used exclusively for security purposes and maintained by the school resource officer (SRO). If, however, the SRO discloses the footage to the school principal for the purpose of disciplining the student, that footage would become protected by FERPA. Student employee records (34 CFR 99.3 “Education records”) Records relating to a student who is employed by an educational agency or institution that are made and maintained in the normal course of business, relate exclusively to the individual in their capacity as an employee, and are not available for use for any other purpose. However, records relating to a student in attendance at the EAI who is employed as a result of his or her status as a student are subject to FERPA. How a student is performing at their part-time job in the alumni relations office, so long as the student was hired independently by that office (for example, not hired through a work-study program). Medical Records of Higher Ed Students (34 CFR 99.3 “Education records”) Physician, psychiatrist, psychologist, or other professional or paraprofessional’s records about the treatment of a student who is 18+ or attending an institution of postsecondary education that are made, maintained, or used only in connection with their professional treatment of the student and only disclosed to individuals providing treatment. The appointment notes of a psychiatrist at a college detailing sessions with a student at the college. Denied Applicant Records (34 CFR 99.3 “Student”) The information an EAI has about applicants that are not admitted, or about accepted applicants who choose not to enroll in that EAI. The information a school used when deciding to deny admittance to an applicant. Alumni Records (34 CFR 99.3 “Education records”) Records created or received by an EAI after an individual is no longer a student in attendance and that are not directly related to the individual's attendance as a student. An alumni relations office’s collection and sharing of survey responses from alumni about their post-graduation careers. Peer-Grading Grades (34 CFR 99.3 “Education records”) Grades on peer-graded papers before they are collected and recorded by a teacher. Peer graded assignments before the teacher logs the grades in their gradebook. PII of Deceased Eligible Students (Guidance) FERPA rights of eligible students expire upon the death of the student. However, non-eligible students’ rights are held by parents of students until the student turns 18 or enters postsecondary education, so those rights do not lapse until both the non-eligible student and their parents are deceased. The disciplinary record of a 22 year old student who passed away.

Who has FERPA rights?

FERPA gives privacy rights to the parents or guardians of students who are under the age of 18 and enrolled in K-12 education. These rights transfer to the students themselves when they reach the age of 18 or are attending a postsecondary institution.

What are the rights that FERPA provides?

Rights conveyed by FERPA include the rights to: Annual notification of the school’s FERPA policy; Access the student's PII in educational records; Seek to amend and/or correct the student's PII in educational records; Confidentiality of the student’s PII in educational records; and File a complaint with the U.S. Department of Education for an alleged FERPA violation. FERPA also gives the right to consent before student PII in education records is disclosed. However, there are many exceptions to this right, and the vast majority of FERPA-protected information is disclosed through a FERPA exception.

What does FERPA say about consent?

Under FERPA, schools can share PII in education records with third parties when parents or eligible students provide written consent. To constitute valid consent under FERPA, written consent must: Be signed and dated; Specify what records can be disclosed; State the purpose for disclosure; and Identify to whom the disclosure may be made. Without such consent, schools can only share PII from education records with third parties if an exception to FERPA’s consent requirement applies and the necessary safeguards are in place.

Why are exceptions to FERPA's consent requirement so frequently used?

While obtaining parental consent seems easy enough in theory, the practical hurdles to getting parental consent can complicate this process exponentially for schools. Sometimes it may be parents’ busy schedules or a potential language barrier hindering their ability to provide consent. Other times, the form may accidentally be lost or misplaced or parents may be skeptical of consenting to data sharing when the reason for sharing is not obvious. Check out our recent blog to find out more. It would likely be impossible for schools to operate if student PII could only be disclosed with consent because there are many times that obtaining parental consent may not be feasible in the education context. For example: Student Grades When a student transfers to a new school, their grades have to go with them regardless of whether parental consent is obtained. Student Medical Information Requiring parental consent for sharing student medical information may result in students not receiving necessary care in medical emergencies. Foreign Language App Requiring parental consent to use a translation app with students may result in teachers not being able to communicate with students who are English language learners. Approved Apps Requiring parental consent to use educational technologies that have already been thoroughly vetted for privacy, security, and legal compliance by the school district may prevent students from using educational technology to support or enhance their learning. Transportation Services Requiring parental consent to share student addresses with transportation services may result in some students not having access to reliable transportation to and from school. Free Lunch Data Requiring parental consent to share student eligibility to participate in the National School Lunch Program with school and district staff that facilitate the program may result in eligible students not receiving this service and going hungry. FERPA accounts for situations like these by enumerating several exceptions to its consent requirement.

Are there safeguards when a FERPA exception is used?

Some advocates have argued that FERPA’s exceptions undercut the law’s protections by allowing for indiscriminate sharing of student data without consent, but this perception is often inaccurate. FERPA requires additional safeguards to be employed when an exception to its consent requirement is used to disclose student PII to third parties. While each exception is different, they typically mandate that information shared under an exception: Can only be used for a specific educational purpose; Can only be shared with the people who need it, and then those people cannot reshare it; and Must be under the direct control of the school– meaning that school staff must be able to access, delete, and share the information, and the person receiving the data cannot act without permission from the school. Often, this control is provided through a contract. To learn about all of FERPA’s exceptions and data that is exempt from FERPA, see the charts below.

What are the exceptions to FERPA’s consent requirement?

Want to see the full chart on another page? Click here. EAI = Educational Agency or Institution IEP = Individualized Education Program LEA = Local Educational Agency PII = Personally Identifiable Information SEA = State Educational Agency SIS = Student Information System FERPA Exceptions Description Example School Official (34 CFR 99.31(a)(1) and 34 CFR 99.33(a)) EAIs may disclose student PII to a school official if that school official has a legitimate educational interest in the student PII. Third parties to whom the EAI has outsourced institutional services or functions may be considered a school official if they are performing a function the EAI would otherwise perform themselves, only use the data for the reason it was shared with them, and are under the EAI’s direct control in regards to the use and maintenance of the data. A teacher could talk to an administrator or another educator about how to help a particular student. A school could store student data in a third-party vendor’s SIS with a contract in place that specifies the student data can only be used to maintain the SIS and that the vendor is under the school’s direct control. Student Transfer or Enrollment (34 CFR 99.31(a)(2) and 34 CFR 99.34) EAIs can share student PII with other EAIs when a student is transferring or enrolling (or intending to enroll) at a new EAI, so long as the disclosure is only for purposes related to the student’s enrollment or transfer. The EAI must usually make a reasonable attempt to notify the parent or eligible student of the sharing. A school can send a student’s transcript without consent to a postsecondary institution that the student has applied to. Audit and Evaluation (34 CFR 99.31(a)(3) and 34 CFR 99.35) EAIs may share student PII with an authorized representative of the Comptroller General, the Attorney General, the Secretary of Education, or state and local educational authorities, so long as there is a written agreement that includes the specific safeguards listed in 34 CFR 99.35(a)(3). An LEA could designate a university as an authorized representative for the purposes of enabling an evaluation and share PII from education records on its former students with the university those students attended. The university can then share those former students’ transcripts back to the LEA, thus permitting the LEA to evaluate how effectively the LEA prepared its students for success in postsecondary education. Financial Aid (34 CFR 99.31(a)(4)) EAIs may disclose student PII in connection with financial aid the student has applied for or received if the PII will help determine the eligibility, amount, or conditions of the aid, or if it will be used to enforce the terms and conditions of the financial aid. A postsecondary institution could disclose a student’s grades to the financial aid office each semester if there is a requirement that the student maintains above a certain GPA to continue receiving financial aid. Juvenile Justice (34 CFR 99.31(a)(5) and 34 CFR 99.38) EAIs may disclose student PII to state and local authorities of the juvenile justice system if a state statute allows the disclosure and the disclosure concerns the juvenile justice system's ability to effectively serve the student prior to adjudication. When state statute permits such disclosure, a school could disclose a student’s IEP to officials at a detention facility where the student is being held pending trial. Studies (34 CFR 99.31(a)(6)) EAIs may disclose student PII to develop, validate, or administer predictive tests, to administer student aid programs, or to improve instruction. PII can only be shared when there is a written agreement in place that includes the specific safeguards listed in 34 CFR 99.31(a)(6)(iii)(C). An SEA may disclose student grades to an organization conducting a study that compares program outcomes across school districts to find which programs provide the best instruction and then duplicate the successful programs in other districts. Accrediting Organizations (34 CFR 99.31(a)(7)) EAIs may disclose student PII to an accrediting organization for the purpose of carrying out their accrediting functions. A college accreditor could access student PII as part of assessing a college’s student support services. Parents of a Dependent Student (34 CFR 99.31(a)(8)) EAIs may share student PII with parents that claim an “eligible student” (a student who is 18+ or attending a postsecondary institution) as a dependent on their taxes. The parent of a college student could request access to their child’s grades and, if the EAI verifies that their child is claimed as a dependent on their taxes, the EAI may provide those grades to the parent. Judicial Order or Subpoena (34 CFR 99.31(a)(9)) EAIs may share student PII to comply with a judicial order or a legally issued subpoena, but must make a reasonable effort to notify the parent or eligible student of the subpoena within a reasonable amount of time, unless the court or issuing agency has ordered that it not be disclosed. A school can disclose attendance information in response to a court order requiring the school to share which students were not in attendance on the date and time that a local store was robbed. Legal Action (34 CFR 99.31(a)(9)(iii)) EAIs may share student PII if they initiate legal action against a parent or student or if a parent or student initiates legal action against the EAI. The disclosure must be relevant for the EAI to proceed with the legal action or defend itself. A postsecondary institution being sued by a student for inadequate support after a violent crime on campus could disclose the student’s counseling records from the institution’s mental health center to defend against the lawsuit. Health or Safety Emergency (34 CFR 99.31(a)(10) and 34 CFR 99.36) EAIs may disclose student PII in an emergency to help protect the health or safety of the student or other individuals, taking into account the totality of the threat based on information available to the EAI at the time. Student PII should only be shared if there is an articulable and significant threat to the student or others, and should only be shared with individuals whose knowledge of the situation is necessary to protect the health or safety of the student or others. A school official could call 911 when a student has a medical emergency and disclose any health conditions in the student’s record, such as allergies, that might help first responders assess and treat the student’s medical emergency. Directory Information (34 CFR 99.31(a)(11) and 34 CFR 99.37) EAIs may share information generally considered not to be harmful or an invasion of privacy if released to the public so long as that information has been designated as directory information in an annual notice to parents or eligible students. Parents and eligible students must be given the right to opt out of a student’s PII being disclosed under this exception. Schools are permitted to list the names of students who are on the honor roll or participating in the school play so long as listing student names for the honor roll and extracurriculars is included in the school’s annual FERPA notice and the school checks to make sure that students have not been opted out of directory information disclosure. Disclosure to Parent (34 CFR 99.31(a)(12) and 34 CFR § 99.4) EAIs must disclose data about a non-eligible student to both parents and allow them to exercise FERPA rights unless there is a court order, state statute, or legally binding document related to divorce, separation, or custody that specifically revokes those rights. A non-custodial parent must be given access to their child’s education record upon request unless there is a legal restriction against such disclosure. Non-Eligible Students (34 CFR 99.31(a)(12)) EAIs may disclose data about a student to that student and provide them with FERPA rights even when they are not yet “eligible students.” Schools can share the information that online monitoring software has collected about a non-eligible student upon request by that student. Victim of Alleged Violent Crime or Non-Forcible Sex Offense at Postsecondary Institution (34 CFR 99.31(a)(13) and 34 CFR 99.39) A postsecondary institution may disclose the final results of a disciplinary proceeding for a violent crime or non-forcible sex offense to the victim of the alleged crime or offense, regardless of whether the institution concluded a violation was committed. No additional information can be disclosed under this exception. A college can tell a rape victim whether the alleged perpetrator was found “guilty” or not in a disciplinary proceeding conducted by the college. Violent Crime or Non-Forcible Sex Offense at Postsecondary Institution: Rule or Policy Violations (34 CFR 99.31(a)(14), 34 CFR 99.39, and Appendix A to Part 99, Title 34) If a postsecondary institution’s post-1998 disciplinary proceeding has determined that a student who has allegedly perpetrated a violent crime or non-forcible sex offense has committed a violation of the institution’s rules or policies in regards to that allegation, the institution may disclose the name of the student who committed the violation, the violation committed, and any sanctions against the student. No additional information can be disclosed under this exception. A university has a policy prohibiting violence against students. If the university’s disciplinary proceeding finds that John Doe hit another student, the institution could disclose John Doe’s name, that they hit a student, and what John Doe’s punishment will be. Alcohol or a Controlled Substance (34 CFR 99.31(a)(15)) If a postsecondary institution determines that a student under 21 has violated a law or policy governing the use or possession of alcohol or a controlled substance, the university may disclose the violation to the student’s parents unless a state law precludes the disclosure. An Academic Dean could tell the parents of a 20-year-old student that their child was illegally drinking alcohol. Sex Offenders (34 CFR 99.31(a)(16)) EAIs may disclose student PII if the disclosure relates to sex offenders or other individuals required to register under Section 170101 of the Violent Crimes Control and Law Enforcement Act of 1994. A school could provide a list of students who are registered sex offenders. Food and Nutrition Service Monitoring, Evaluations, and Performance Measurements (20 USC 1232g(b)(1)(K)) EAIs may share student PII with the Secretary of Agriculture or their authorized representative working for or on behalf of the Food and Nutrition Services for the purposes of conducting program monitoring, evaluations, and performance measurements of EAIs or other agencies or institutions receiving funding or providing benefits under the National School Lunch Act or the Child Nutrition Act of 1966. A school can provide a list of students who receive a free lunch paid for by a National School Lunch Act program as part of an audit into whether the school is only using the funding to provide services to eligible students. Caseworkers (20 USC 1232g(b)(1)(L) and guidance) EAIs may share student PII with an agency caseworker or other representative of a State or local child welfare agency, tribal organization caseworkers, or other representatives of state or local child welfare agencies or other tribal organizations, so long as such agency or organization is legally responsible for the “care and protection” of the student (as defined by state law) and the individual has the right to access the student’s case plan. A school can tell a student’s child welfare caseworker that the student will need additional help in order to pass algebra. Military Recruiters (Guidance) K-12 EAIs must provide student names, addresses, and telephone numbers to military recruiters unless parents have opted out of disclosure of directory information. If names, addresses, and telephone numbers are not already designated as directory information, the EAI must send a separate notice to parents about this information and give them an opportunity to opt-out of sharing. A school must provide all students’ names, addresses, and telephone numbers to a military recruiter, except for the information of students whose parents have opted out of that disclosure.

FERPA is a federal privacy law that protects the privacy of students’ personally identifiable information (PII) in education records. FERPA primarily does two things: ensures appropriate access and limits unauthorized disclosure. Access is embodied through FERPA’s guarantee that parents and eligible students–students 18+ or attending higher education institutions–have the right to access their education records and to challenge the information in them as inaccurate or no longer relevant. FERPA prohibits all other disclosures of PII in education records unless there is consent or an applicable exception to FERPA’s consent requirement and certain safeguards are in place.

Why was FERPA enacted?

When Congress enacted FERPA in 1974, there were growing concerns about the kinds of private, personal information that public entities–such as schools–had access to and control over, the broader community’s limited awareness of and input in these data practices, and the potential for inaccurate records to limit people’s future opportunities. FERPA was intended to address the power imbalance between schools, parents, and students by codifying certain rights regarding access to and sharing of PII in student records.

Who does FERPA regulate?

All educational agencies and institutions that receive federal funding must follow FERPA. This means that public schools–whether elementary, secondary, or postsecondary–as well as many private schools–such as private postsecondary institutions that receive federal financial aid on behalf of their students–have to abide by FERPA.

Which data is protected by FERPA?

FERPA protects PII in education records . In general, PII is any information about a student that can reasonably be linked back to them. Under FERPA, PII includes both direct identifiers (such as first and last name) and indirect identifiers (such as grade level or year of birth). Vague descriptions like “the freshman student in yearbook club” can constitute PII under FERPA in the right circumstances, such as when there is only one freshman in the yearbook club. The test for when information is PII under FERPA is if it would allow a reasonable person in the school community to identify a specific student with reasonable certainty. Essentially, if the information can be linked back to an individual fairly easily, it falls under FERPA’s PII definition. To be protected by FERPA, the PII must be located in education records. “Education records” are records that are: 1) directly related to a student; and 2) maintained by an educational agency or institution, or by a party acting for the agency or institution ( 34 CFR 99.3(a) ). This includes a wide variety of formats, regardless of whether information is physically kept in the school filing cabinet or virtually stored in the cloud.

Which data is not protected by FERPA?

Want to see the full chart on another page? Click here. EAI = Educational Agency or Institution IEP = Individualized Education Program LEA = Local Educational Agency PII = Personally Identifiable Information SEA = State Educational Agency SIS = Student Information System FERPA Exempt Description Example De-Identified Records and Information (34 CFR 99.31(b)) EAIs may release records or information after removal of all PII, provided that the EAI or another party has made a reasonable determination that a student cannot be reidentified. A school could redact student names before releasing a list of student test scores with each student’s grade (and no other information) listed so long as enough grades are included to make particular students’ grades not reasonably re-identifiable. Personal Notes (34 CFR 99.3 “Education records”) Records an individual keeps as a personal memory aid that are not shared with any other person, except for a temporary substitute. A math teacher’s personal notes on which students they anticipate needing the most help on tomorrow’s long division lesson, to be shared only with tomorrow’s substitute math teacher. Information Obtained Through Personal Knowledge or Observation (Guidance) Information about a student that was obtained through school personnel’s personal knowledge or observation, unless that knowledge is obtained through their official role in making a determination maintained in an education record about the student. What a teacher heard students discussing in the hallway or whether they thought that a student appeared to be upset. Law enforcement unit records (34 CFR 99.3 “Education records” and 34 CFR 99.8) An EAI’s law enforcement unit records that are created by a law enforcement unit for a law enforcement purpose and maintained by the law enforcement unit. These records can become education records if they are shared for a non-law enforcement purpose (such as the school disciplining a student) or are maintained exclusively for a non-law enforcement purpose. School camera footage showing a student spray-painting classroom doors, so long as the cameras are used exclusively for security purposes and maintained by the school resource officer (SRO). If, however, the SRO discloses the footage to the school principal for the purpose of disciplining the student, that footage would become protected by FERPA. Student employee records (34 CFR 99.3 “Education records”) Records relating to a student who is employed by an educational agency or institution that are made and maintained in the normal course of business, relate exclusively to the individual in their capacity as an employee, and are not available for use for any other purpose. However, records relating to a student in attendance at the EAI who is employed as a result of his or her status as a student are subject to FERPA. How a student is performing at their part-time job in the alumni relations office, so long as the student was hired independently by that office (for example, not hired through a work-study program). Medical Records of Higher Ed Students (34 CFR 99.3 “Education records”) Physician, psychiatrist, psychologist, or other professional or paraprofessional’s records about the treatment of a student who is 18+ or attending an institution of postsecondary education that are made, maintained, or used only in connection with their professional treatment of the student and only disclosed to individuals providing treatment. The appointment notes of a psychiatrist at a college detailing sessions with a student at the college. Denied Applicant Records (34 CFR 99.3 “Student”) The information an EAI has about applicants that are not admitted, or about accepted applicants who choose not to enroll in that EAI. The information a school used when deciding to deny admittance to an applicant. Alumni Records (34 CFR 99.3 “Education records”) Records created or received by an EAI after an individual is no longer a student in attendance and that are not directly related to the individual's attendance as a student. An alumni relations office’s collection and sharing of survey responses from alumni about their post-graduation careers. Peer-Grading Grades (34 CFR 99.3 “Education records”) Grades on peer-graded papers before they are collected and recorded by a teacher. Peer graded assignments before the teacher logs the grades in their gradebook. PII of Deceased Eligible Students (Guidance) FERPA rights of eligible students expire upon the death of the student. However, non-eligible students’ rights are held by parents of students until the student turns 18 or enters postsecondary education, so those rights do not lapse until both the non-eligible student and their parents are deceased. The disciplinary record of a 22 year old student who passed away.

Who has FERPA rights?

FERPA gives privacy rights to the parents or guardians of students who are under the age of 18 and enrolled in K-12 education. These rights transfer to the students themselves when they reach the age of 18 or are attending a postsecondary institution.

What are the rights that FERPA provides?

Rights conveyed by FERPA include the rights to: Annual notification of the school’s FERPA policy; Access the student's PII in educational records; Seek to amend and/or correct the student's PII in educational records; Confidentiality of the student’s PII in educational records; and File a complaint with the U.S. Department of Education for an alleged FERPA violation. FERPA also gives the right to consent before student PII in education records is disclosed. However, there are many exceptions to this right, and the vast majority of FERPA-protected information is disclosed through a FERPA exception.

What does FERPA say about consent?

Under FERPA, schools can share PII in education records with third parties when parents or eligible students provide written consent. To constitute valid consent under FERPA, written consent must: Be signed and dated; Specify what records can be disclosed; State the purpose for disclosure; and Identify to whom the disclosure may be made. Without such consent, schools can only share PII from education records with third parties if an exception to FERPA’s consent requirement applies and the necessary safeguards are in place.

Why are exceptions to FERPA's consent requirement so frequently used?

While obtaining parental consent seems easy enough in theory, the practical hurdles to getting parental consent can complicate this process exponentially for schools. Sometimes it may be parents’ busy schedules or a potential language barrier hindering their ability to provide consent. Other times, the form may accidentally be lost or misplaced or parents may be skeptical of consenting to data sharing when the reason for sharing is not obvious. Check out our recent blog to find out more. It would likely be impossible for schools to operate if student PII could only be disclosed with consent because there are many times that obtaining parental consent may not be feasible in the education context. For example: Student Grades When a student transfers to a new school, their grades have to go with them regardless of whether parental consent is obtained. Student Medical Information Requiring parental consent for sharing student medical information may result in students not receiving necessary care in medical emergencies. Foreign Language App Requiring parental consent to use a translation app with students may result in teachers not being able to communicate with students who are English language learners. Approved Apps Requiring parental consent to use educational technologies that have already been thoroughly vetted for privacy, security, and legal compliance by the school district may prevent students from using educational technology to support or enhance their learning. Transportation Services Requiring parental consent to share student addresses with transportation services may result in some students not having access to reliable transportation to and from school. Free Lunch Data Requiring parental consent to share student eligibility to participate in the National School Lunch Program with school and district staff that facilitate the program may result in eligible students not receiving this service and going hungry. FERPA accounts for situations like these by enumerating several exceptions to its consent requirement.

Are there safeguards when a FERPA exception is used?

Some advocates have argued that FERPA’s exceptions undercut the law’s protections by allowing for indiscriminate sharing of student data without consent, but this perception is often inaccurate. FERPA requires additional safeguards to be employed when an exception to its consent requirement is used to disclose student PII to third parties. While each exception is different, they typically mandate that information shared under an exception: Can only be used for a specific educational purpose; Can only be shared with the people who need it, and then those people cannot reshare it; and Must be under the direct control of the school– meaning that school staff must be able to access, delete, and share the information, and the person receiving the data cannot act without permission from the school. Often, this control is provided through a contract. To learn about all of FERPA’s exceptions and data that is exempt from FERPA, see the charts below.

What are the exceptions to FERPA’s consent requirement?

Want to see the full chart on another page? Click here. EAI = Educational Agency or Institution IEP = Individualized Education Program LEA = Local Educational Agency PII = Personally Identifiable Information SEA = State Educational Agency SIS = Student Information System FERPA Exceptions Description Example School Official (34 CFR 99.31(a)(1) and 34 CFR 99.33(a)) EAIs may disclose student PII to a school official if that school official has a legitimate educational interest in the student PII. Third parties to whom the EAI has outsourced institutional services or functions may be considered a school official if they are performing a function the EAI would otherwise perform themselves, only use the data for the reason it was shared with them, and are under the EAI’s direct control in regards to the use and maintenance of the data. A teacher could talk to an administrator or another educator about how to help a particular student. A school could store student data in a third-party vendor’s SIS with a contract in place that specifies the student data can only be used to maintain the SIS and that the vendor is under the school’s direct control. Student Transfer or Enrollment (34 CFR 99.31(a)(2) and 34 CFR 99.34) EAIs can share student PII with other EAIs when a student is transferring or enrolling (or intending to enroll) at a new EAI, so long as the disclosure is only for purposes related to the student’s enrollment or transfer. The EAI must usually make a reasonable attempt to notify the parent or eligible student of the sharing. A school can send a student’s transcript without consent to a postsecondary institution that the student has applied to. Audit and Evaluation (34 CFR 99.31(a)(3) and 34 CFR 99.35) EAIs may share student PII with an authorized representative of the Comptroller General, the Attorney General, the Secretary of Education, or state and local educational authorities, so long as there is a written agreement that includes the specific safeguards listed in 34 CFR 99.35(a)(3). An LEA could designate a university as an authorized representative for the purposes of enabling an evaluation and share PII from education records on its former students with the university those students attended. The university can then share those former students’ transcripts back to the LEA, thus permitting the LEA to evaluate how effectively the LEA prepared its students for success in postsecondary education. Financial Aid (34 CFR 99.31(a)(4)) EAIs may disclose student PII in connection with financial aid the student has applied for or received if the PII will help determine the eligibility, amount, or conditions of the aid, or if it will be used to enforce the terms and conditions of the financial aid. A postsecondary institution could disclose a student’s grades to the financial aid office each semester if there is a requirement that the student maintains above a certain GPA to continue receiving financial aid. Juvenile Justice (34 CFR 99.31(a)(5) and 34 CFR 99.38) EAIs may disclose student PII to state and local authorities of the juvenile justice system if a state statute allows the disclosure and the disclosure concerns the juvenile justice system's ability to effectively serve the student prior to adjudication. When state statute permits such disclosure, a school could disclose a student’s IEP to officials at a detention facility where the student is being held pending trial. Studies (34 CFR 99.31(a)(6)) EAIs may disclose student PII to develop, validate, or administer predictive tests, to administer student aid programs, or to improve instruction. PII can only be shared when there is a written agreement in place that includes the specific safeguards listed in 34 CFR 99.31(a)(6)(iii)(C). An SEA may disclose student grades to an organization conducting a study that compares program outcomes across school districts to find which programs provide the best instruction and then duplicate the successful programs in other districts. Accrediting Organizations (34 CFR 99.31(a)(7)) EAIs may disclose student PII to an accrediting organization for the purpose of carrying out their accrediting functions. A college accreditor could access student PII as part of assessing a college’s student support services. Parents of a Dependent Student (34 CFR 99.31(a)(8)) EAIs may share student PII with parents that claim an “eligible student” (a student who is 18+ or attending a postsecondary institution) as a dependent on their taxes. The parent of a college student could request access to their child’s grades and, if the EAI verifies that their child is claimed as a dependent on their taxes, the EAI may provide those grades to the parent. Judicial Order or Subpoena (34 CFR 99.31(a)(9)) EAIs may share student PII to comply with a judicial order or a legally issued subpoena, but must make a reasonable effort to notify the parent or eligible student of the subpoena within a reasonable amount of time, unless the court or issuing agency has ordered that it not be disclosed. A school can disclose attendance information in response to a court order requiring the school to share which students were not in attendance on the date and time that a local store was robbed. Legal Action (34 CFR 99.31(a)(9)(iii)) EAIs may share student PII if they initiate legal action against a parent or student or if a parent or student initiates legal action against the EAI. The disclosure must be relevant for the EAI to proceed with the legal action or defend itself. A postsecondary institution being sued by a student for inadequate support after a violent crime on campus could disclose the student’s counseling records from the institution’s mental health center to defend against the lawsuit. Health or Safety Emergency (34 CFR 99.31(a)(10) and 34 CFR 99.36) EAIs may disclose student PII in an emergency to help protect the health or safety of the student or other individuals, taking into account the totality of the threat based on information available to the EAI at the time. Student PII should only be shared if there is an articulable and significant threat to the student or others, and should only be shared with individuals whose knowledge of the situation is necessary to protect the health or safety of the student or others. A school official could call 911 when a student has a medical emergency and disclose any health conditions in the student’s record, such as allergies, that might help first responders assess and treat the student’s medical emergency. Directory Information (34 CFR 99.31(a)(11) and 34 CFR 99.37) EAIs may share information generally considered not to be harmful or an invasion of privacy if released to the public so long as that information has been designated as directory information in an annual notice to parents or eligible students. Parents and eligible students must be given the right to opt out of a student’s PII being disclosed under this exception. Schools are permitted to list the names of students who are on the honor roll or participating in the school play so long as listing student names for the honor roll and extracurriculars is included in the school’s annual FERPA notice and the school checks to make sure that students have not been opted out of directory information disclosure. Disclosure to Parent (34 CFR 99.31(a)(12) and 34 CFR § 99.4) EAIs must disclose data about a non-eligible student to both parents and allow them to exercise FERPA rights unless there is a court order, state statute, or legally binding document related to divorce, separation, or custody that specifically revokes those rights. A non-custodial parent must be given access to their child’s education record upon request unless there is a legal restriction against such disclosure. Non-Eligible Students (34 CFR 99.31(a)(12)) EAIs may disclose data about a student to that student and provide them with FERPA rights even when they are not yet “eligible students.” Schools can share the information that online monitoring software has collected about a non-eligible student upon request by that student. Victim of Alleged Violent Crime or Non-Forcible Sex Offense at Postsecondary Institution (34 CFR 99.31(a)(13) and 34 CFR 99.39) A postsecondary institution may disclose the final results of a disciplinary proceeding for a violent crime or non-forcible sex offense to the victim of the alleged crime or offense, regardless of whether the institution concluded a violation was committed. No additional information can be disclosed under this exception. A college can tell a rape victim whether the alleged perpetrator was found “guilty” or not in a disciplinary proceeding conducted by the college. Violent Crime or Non-Forcible Sex Offense at Postsecondary Institution: Rule or Policy Violations (34 CFR 99.31(a)(14), 34 CFR 99.39, and Appendix A to Part 99, Title 34) If a postsecondary institution’s post-1998 disciplinary proceeding has determined that a student who has allegedly perpetrated a violent crime or non-forcible sex offense has committed a violation of the institution’s rules or policies in regards to that allegation, the institution may disclose the name of the student who committed the violation, the violation committed, and any sanctions against the student. No additional information can be disclosed under this exception. A university has a policy prohibiting violence against students. If the university’s disciplinary proceeding finds that John Doe hit another student, the institution could disclose John Doe’s name, that they hit a student, and what John Doe’s punishment will be. Alcohol or a Controlled Substance (34 CFR 99.31(a)(15)) If a postsecondary institution determines that a student under 21 has violated a law or policy governing the use or possession of alcohol or a controlled substance, the university may disclose the violation to the student’s parents unless a state law precludes the disclosure. An Academic Dean could tell the parents of a 20-year-old student that their child was illegally drinking alcohol. Sex Offenders (34 CFR 99.31(a)(16)) EAIs may disclose student PII if the disclosure relates to sex offenders or other individuals required to register under Section 170101 of the Violent Crimes Control and Law Enforcement Act of 1994. A school could provide a list of students who are registered sex offenders. Food and Nutrition Service Monitoring, Evaluations, and Performance Measurements (20 USC 1232g(b)(1)(K)) EAIs may share student PII with the Secretary of Agriculture or their authorized representative working for or on behalf of the Food and Nutrition Services for the purposes of conducting program monitoring, evaluations, and performance measurements of EAIs or other agencies or institutions receiving funding or providing benefits under the National School Lunch Act or the Child Nutrition Act of 1966. A school can provide a list of students who receive a free lunch paid for by a National School Lunch Act program as part of an audit into whether the school is only using the funding to provide services to eligible students. Caseworkers (20 USC 1232g(b)(1)(L) and guidance) EAIs may share student PII with an agency caseworker or other representative of a State or local child welfare agency, tribal organization caseworkers, or other representatives of state or local child welfare agencies or other tribal organizations, so long as such agency or organization is legally responsible for the “care and protection” of the student (as defined by state law) and the individual has the right to access the student’s case plan. A school can tell a student’s child welfare caseworker that the student will need additional help in order to pass algebra. Military Recruiters (Guidance) K-12 EAIs must provide student names, addresses, and telephone numbers to military recruiters unless parents have opted out of disclosure of directory information. If names, addresses, and telephone numbers are not already designated as directory information, the EAI must send a separate notice to parents about this information and give them an opportunity to opt-out of sharing. A school must provide all students’ names, addresses, and telephone numbers to a military recruiter, except for the information of students whose parents have opted out of that disclosure.

PIPC Resources – Page 4 – Public Interest Privacy Center

Apr 3 2024

FERPA Exemptions

FERPA Exemptions While FERPA is renowned for its robust privacy protections for student data, it’s easy to overlook the flip side of the coin: the student data that falls outside of FERPA’s protections. Understanding the scope of FERPA’s protections is crucial for navigating the nuances of student privacy today, especially since the line between student data that is and is not covered is not always intuitive. To help illustrate what student data is not protected under FERPA, we’ve created the following table explaining the FERPA exemptions with clear descriptions and real-world examples. Search FERPA Exempt Description Example De-Identified Records […]

FERPA Exemptions Read More »

Apr 3 2024

FERPA Exceptions

New Resources, PIPC Resources, Recommended Resources / By Amelia Vance and Morgan Sexton / April 3, 2024 / Fixing FERPA

FERPA Exceptions FERPA typically requires consent prior to disclosing any student personally identifiable information (PII) from education records. Nevertheless, FERPA includes several exceptions that allow for certain sharing without consent while still ensuring that the necessary safeguards are in place to protect the privacy of student data. To make understanding these exceptions a little easier, we have put together the following table that details every exception in FERPA–offering clear and concise explanations, criteria for when they may be applicable, and tangible examples that shed light on their practical application. Search FERPA Exceptions Description Example School Official (34 CFR 99.31(a)(1)

FERPA Exceptions Read More »

Dec 20 2023

Tis the Season for Rulemaking: FTC Announces New COPPA NPRM

Blogs, Featured News, Legislative Analysis, Newsletter, PIPC Resources / By Morgan Sexton, Katherine Kalpos, and Amelia Vance / December 20, 2023

Tis the Season for Rulemaking: FTC Announces New COPPA NPRM December 20, 2023 Katherine Kalpos, Morgan Sexton, and Amelia Vance CC BY-NC 4.0 Hello all, While we might have thought child and student privacy work for the year was winding down, the FTC had other ideas. Today the FTC released a notice of proposed rulemaking (NPRM) for the Children’s Online Privacy Protection Rule (COPPA Rule) that would mean big changes for companies and schools, codifying some of the changes stakeholders have been advocating for. We’ll be going through the NPRM in detail over the next few days.

Tis the Season for Rulemaking: FTC Announces New COPPA NPRM Read More »

Dec 13 2023

A Privacy Protective Path to Using Technology in Schools: Parental Consent is Not a Panacea

Articles, Featured Resources, PIPC Resources, Recommended Resources / By Morgan Sexton, Katherine Kalpos, and Amelia Vance / December 13, 2023

Parental Consent is Not a Panacea: A Privacy Protective Path to Using Technology in Schools December 2023 Katherine Kalpos, Morgan Sexton, and Amelia Vance CC BY-NC 4.0 Introduction Data collection, use, and sharing are everywhere–and classrooms are no exception. Schools increasingly use a wide array of technologies for many different reasons, ranging from promoting student learning and success, to making data-informed decisions, and also operationalizing administrative tasks. When harnessed correctly with appropriate privacy protections in place, technology in schools can enhance teaching and learning in powerful ways. But there are also serious privacy risks to introducing technology

A Privacy Protective Path to Using Technology in Schools: Parental Consent is Not a Panacea Read More »

Nov 6 2023

Practical Considerations for AI & Integrated Data Systems: Implicit Bias

Articles, Featured Resources, PIPC Resources / By Morgan Sexton, Katherine Kalpos, and Amelia Vance / November 6, 2023

Practical Considerations for AI & Integrated Data Systems: Implicit Bias November 6, 2023 Morgan Sexton, Katherine Kalpos, and Amelia Vance There has been lots of hype recently around artificial intelligence (AI), including its magical promises and potential risks. While it may be tempting to get swept up in the potential around AI and incorporate it into Integrated Data Systems (IDSs) right away, it is crucial to understand that AI is only as good as the information fed into it and the soundness of the algorithms that it relies on. Additionally, the implementation of AI into IDSs can create significant ethical

Practical Considerations for AI & Integrated Data Systems: Implicit Bias Read More »

Sep 12 2023

What New Amendment to the Kids Online Safety Act May Mean for Integrated Data Systems

Blogs, Featured News, Legislative Analysis, Newsletter, PIPC Resources / By Morgan Sexton, Katherine Kalpos, and Amelia Vance / September 12, 2023

What New Amendment to the Kids Online Safety Act May Mean for Integrated Data Systems September 2023 Katherine Kalpos, Morgan Sexton, and Amelia Vance CC BY-NC 4.0 A new amendment to the Kids Online Safety Act (KOSA) isn’t just about kids. On July 27th, the Senate Committee on Commerce, Science and Transportation passed KOSA as amended out of committee. While KOSA is designed to protect kids online, one of its new amendments – the Filter Bubble Transparency Act (aka Thune 2), hereafter referred to as “the amendment” – regulates platforms providing content to users of all ages. And notably for governmental integrated data system

What New Amendment to the Kids Online Safety Act May Mean for Integrated Data Systems Read More »

Jun 8 2023

Webinar: Fixing Student & Child Privacy Laws: The Current Landscape

Events, Legislative Analysis, PIPC Resources, Webinars / By Amelia Vance / June 8, 2023

Webinar: Fixing Student & Child Privacy Laws: The Current Landscape June 8, 2023 It is shaping up to be the most active child and student privacy year in more than two decades. Between February and May, we saw child privacy mentioned in the State of the Union, discussed at three Congressional hearings, and prioritized in numerous state and federal bills. The Parents Bill of Rights passed the House and includes stunning amendments to FERPA & PPRA. To help guide stakeholders through these landscape shifts, the Student & Child Privacy Center at AASA, The School Superintendents Association and the Public Interest

Webinar: Fixing Student & Child Privacy Laws: The Current Landscape Read More »

May 24 2023

48 Hours of Student Privacy News

Newsletter, PIPC Resources / By Morgan Sexton, Katherine Kalpos, and Amelia Vance / May 24, 2023

48 Hours of Student Privacy News May 24, 2023 In the past two days, the child and student privacy landscape has been overwhelmed with an influx of news and announcements. The biggest? The FTC’s new settlement with edtech company Edmodo might break school technology use in a few different ways, including shifts on which education entities edtech vendors can contract with and what rights parents have to modify or delete their children’s education data. While that would certainly be enough to hold our attention, we also saw: A major conservative think tank stating publicly that they believe that the pending

48 Hours of Student Privacy News Read More »

Mar 16 2023

Privacy Impact of the Federal Parent Bill of Rights

Blogs, Legislative Analysis, PIPC Resources / By Amelia Vance / March 16, 2023

Privacy Impacts of the Federal Parent Bill of Rights March 16, 2023 PIPC supports the technical work of AASA’s Student and Child Privacy Center. AASA has established policy priorities specific to student and child data and privacy. This analysis is informational, and any AASA advocacy positions or nuance are available on the AASA website. In just over a week, the Parents Bill of Rights Act(PBOR) – a bill intended to give parents more control over their child’s education – was reintroduced, marked up, and passed out of the House Education and Workforce Committee. It will be voted on by the

Privacy Impact of the Federal Parent Bill of Rights Read More »

Feb 23 2023

February Updates

Newsletter, PIPC Resources / By Morgan Sexton, Katherine Kalpos, and Amelia Vance / February 23, 2023

February Updates February 23, 2023 TLDR: February has been (unofficial) child privacy month. These issues were the focus of last week’s Senate Judiciary Committee hearing, received the “loudest ovation” during the State of the Union, and popped up during the recent House Education and Workforce Committee hearing. Here are this month’s highlights and our big takeaways: Senate Hearing: Protecting Our Children Online “Senators from both parties are once again taking aim at big tech companies, reigniting their efforts to protect children from “toxic content” online. At a Senate Judiciary Committee hearing on Tuesday, they said they plan to “act swiftly”

February Updates Read More »

FERPA Exemptions

FERPA Exceptions

A Privacy Protective Path to Using Technology in Schools: Parental Consent is Not a Panacea

Practical Considerations for AI & Integrated Data Systems: Implicit Bias

Webinar: Fixing Student & Child Privacy Laws: The Current Landscape

Privacy Impact of the Federal Parent Bill of Rights

Get In Touch!

Additional Resources

About Us