FERPA 101 For Higher Education
October 2018
Sara Collins, Trevor Schmitt, and Amelia Vance
Future of Privacy Forum
Shared Under Creative Commons License
Overview
The Family Educational Rights and Privacy Act (FERPA) is a federal law enacted in 1974 that governs information in a student's education record. The law guarantees, among other things, that an "eligible student" who attends a post-secondary institution has access to their own education record and restricts who else can access, use, and re-disclose student information. FERPA is the primary federal law addressing student data rights and protections.
FERPA applies to schools that receive funding from the U.S. Department of Education, which includes virtually all post-secondary institutions (both public and private).
Education Record
An "education record" includes any record that contains information related to a student and is maintained by an educational agency or institution. This also includes any third-party service providers acting on behalf of the student's school, college, or university (see school official section below). Education records can come in any form but in today's technology enriched environment, most education records are stored in computer databases.
Student Rights
Students that are 18+ years old or enrolled in a post-secondary institution (regardless of age) are "eligible students." Eligible students have specific rights to their own education records, including the right to:
- Inspect and review their education record;
- Request correction (or deletion) of inaccuracies; and
- Consent to, or deny consent for, disclosure of some of student information in certain circumstances.
When a high school student under the age of 18 takes college courses while still enrolled in a secondary institution, the student holds the rights to their college education records and their parent holds the rights to the student's education records at the high school.
Personally Identifiable Information (PII)
FERPA covers "personally identifiable information" (PII) contained within an "education record" that may be used to identify a specific student. PII could be a single piece of information such as a student's social security number, address, or academic accommodations. PII may also include information that can be combined to identify a single student such as a student's date and place of birth, a student's race and extracurricular activities, or a record of which websites a student has visited.
In general, a school, college, or university must have written consent from an eligible student before it may share a student's PII; there are some exceptions to this requirement.
Exceptions to Consent for Disclosure of PII
Schools may disclose student PII without explicit consent if it falls into the "Directory Information" category. This is akin to what is normally contained student contact booklets or announced at sporting events. Schools must disclose - in their annual FERPA notices - what information they consider "directory information," and students must be provided with an opportunity to opt out of sharing directory information. Directory information can include (but is not limited to) information such as student's name, photograph, participation in extracurricular activities, awards received, home or dorm address, email address, and phone number. A student's Social Security Number is never considered directory information.
Additionally, a school may share PII with "school officials" who have a legitimate educational interest. A school official is anyone performing a task that would normally be performed by the school. This category includes individuals and entities like third-party service providers and others operating at the direction of the institution. Under this exception, the school must retain full control over and access to the shared data.
Schools are also allowed to disclose student PII without consent under the "study" or "audit and evaluation" exceptions. Disclosure under the study exception is only allowed if it is done to develop, administer, or validate a predictive test, administer student aid programs, or improve instruction. The audit and evaluation exception only allows disclosure if the research being conducted is evaluating a federal or state supported education program or is required under federal law.
Navigating FERPA
The chart below provides a brief outline of educational institutions' responsibilities to protect student data under FERPA.
This guide provides a brief overview of how certain student information may be protected under FERPA. It is by no means a replacement for sound legal advice. Educational institutions and third-party service providers should seek legal counsel for all of their legal compliance activities.
