FERPA Exceptions

FERPA typically requires consent prior to disclosing any student personally identifiable information (PII) from education records. Nevertheless, FERPA includes several exceptions that allow for certain sharing without consent while still ensuring that the necessary safeguards are in place to protect the privacy of student data. To make understanding these exceptions a little easier, we have put together the following table that details every exception in FERPA–offering clear and concise explanations, criteria for when they may be applicable, and tangible examples that shed light on their practical application.

 

School Official (34 CFR 99.31(a)(1) and 34 CFR 99.33(a)) EAIs may disclose student PII to a school official if that school official has a legitimate educational interest in the student PII. Third parties to whom the EAI has outsourced institutional services or functions may be considered a school official if they are performing a function the EAI would otherwise perform themselves, only use the data for the reason it was shared with them, and are under the EAI’s direct control in regards to the use and maintenance of the data. A teacher could talk to an administrator or another educator about how to help a particular student. A school could store student data in a third-party vendor’s SIS with a contract in place that specifies the student data can only be used to maintain the SIS and that the vendor is under the school’s direct control.
Student Transfer or Enrollment (34 CFR 99.31(a)(2) and 34 CFR 99.34) EAIs can share student PII with other EAIs when a student is transferring or enrolling (or intending to enroll) at a new EAI, so long as the disclosure is only for purposes related to the student’s enrollment or transfer. The EAI must usually make a reasonable attempt to notify the parent or eligible student of the sharing. A school can send a student’s transcript without consent to a postsecondary institution that the student has applied to.
Audit and Evaluation (34 CFR 99.31(a)(3) and 34 CFR 99.35) EAIs may share student PII with an authorized representative of the Comptroller General, the Attorney General, the Secretary of Education, or state and local educational authorities, so long as there is a written agreement that includes the specific safeguards listed in 34 CFR 99.35(a)(3). An LEA could designate a university as an authorized representative for the purposes of enabling an evaluation and share PII from education records on its former students with the university those students attended. The university can then share those former students’ transcripts back to the LEA, thus permitting the LEA to evaluate how effectively the LEA prepared its students for success in postsecondary education.
Financial Aid (34 CFR 99.31(a)(4)) EAIs may disclose student PII in connection with financial aid the student has applied for or received if the PII will help determine the eligibility, amount, or conditions of the aid, or if it will be used to enforce the terms and conditions of the financial aid. A postsecondary institution could disclose a student’s grades to the financial aid office each semester if there is a requirement that the student maintains above a certain GPA to continue receiving financial aid.
Juvenile Justice (34 CFR 99.31(a)(5) and 34 CFR 99.38) EAIs may disclose student PII to state and local authorities of the juvenile justice system if a state statute allows the disclosure and the disclosure concerns the juvenile justice system's ability to effectively serve the student prior to adjudication. When state statute permits such disclosure, a school could disclose a student’s IEP to officials at a detention facility where the student is being held pending trial.
Studies (34 CFR 99.31(a)(6)) EAIs may disclose student PII to develop, validate, or administer predictive tests, to administer student aid programs, or to improve instruction. PII can only be shared when there is a written agreement in place that includes the specific safeguards listed in 34 CFR 99.31(a)(6)(iii)(C). An SEA may disclose student grades to an organization conducting a study that compares program outcomes across school districts to find which programs provide the best instruction and then duplicate the successful programs in other districts.
Accrediting Organizations (34 CFR 99.31(a)(7)) EAIs may disclose student PII to an accrediting organization for the purpose of carrying out their accrediting functions. A college accreditor could access student PII as part of assessing a college’s student support services.
Parents of a Dependent Student (34 CFR 99.31(a)(8)) EAIs may share student PII with parents that claim an “eligible student” (a student who is 18+ or attending a postsecondary institution) as a dependent on their taxes. The parent of a college student could request access to their child’s grades and, if the EAI verifies that their child is claimed as a dependent on their taxes, the EAI may provide those grades to the parent.
Judicial Order or Subpoena (34 CFR 99.31(a)(9)) EAIs may share student PII to comply with a judicial order or a legally issued subpoena, but must make a reasonable effort to notify the parent or eligible student of the subpoena within a reasonable amount of time, unless the court or issuing agency has ordered that it not be disclosed. A school can disclose attendance information in response to a court order requiring the school to share which students were not in attendance on the date and time that a local store was robbed.
Legal Action (34 CFR 99.31(a)(9)(iii)) EAIs may share student PII if they initiate legal action against a parent or student or if a parent or student initiates legal action against the EAI. The disclosure must be relevant for the EAI to proceed with the legal action or defend itself. A postsecondary institution being sued by a student for inadequate support after a violent crime on campus could disclose the student’s counseling records from the institution’s mental health center to defend against the lawsuit.
Health or Safety Emergency (34 CFR 99.31(a)(10) and 34 CFR 99.36) EAIs may disclose student PII in an emergency to help protect the health or safety of the student or other individuals, taking into account the totality of the threat based on information available to the EAI at the time. Student PII should only be shared if there is an articulable and significant threat to the student or others, and should only be shared with individuals whose knowledge of the situation is necessary to protect the health or safety of the student or others. A school official could call 911 when a student has a medical emergency and disclose any health conditions in the student’s record, such as allergies, that might help first responders assess and treat the student’s medical emergency.
Directory Information (34 CFR 99.31(a)(11) and 34 CFR 99.37) EAIs may share information generally considered not to be harmful or an invasion of privacy if released to the public so long as that information has been designated as directory information in an annual notice to parents or eligible students. Parents and eligible students must be given the right to opt out of a student’s PII being disclosed under this exception. Schools are permitted to list the names of students who are on the honor roll or participating in the school play so long as listing student names for the honor roll and extracurriculars is included in the school’s annual FERPA notice and the school checks to make sure that students have not been opted out of directory information disclosure.
Disclosure to Parent (34 CFR 99.31(a)(12) and 34 CFR § 99.4) EAIs must disclose data about a non-eligible student to both parents and allow them to exercise FERPA rights unless there is a court order, state statute, or legally binding document related to divorce, separation, or custody that specifically revokes those rights. A non-custodial parent must be given access to their child’s education record upon request unless there is a legal restriction against such disclosure.
Non-Eligible Students (34 CFR 99.31(a)(12)) EAIs may disclose data about a student to that student and provide them with FERPA rights even when they are not yet “eligible students.” Schools can share the information that online monitoring software has collected about a non-eligible student upon request by that student.
Victim of Alleged Violent Crime or Non-Forcible Sex Offense at Postsecondary Institution (34 CFR 99.31(a)(13) and 34 CFR 99.39) A postsecondary institution may disclose the final results of a disciplinary proceeding for a violent crime or non-forcible sex offense to the victim of the alleged crime or offense, regardless of whether the institution concluded a violation was committed. No additional information can be disclosed under this exception. A college can tell a rape victim whether the alleged perpetrator was found “guilty” or not in a disciplinary proceeding conducted by the college.
Violent Crime or Non-Forcible Sex Offense at Postsecondary Institution: Rule or Policy Violations (34 CFR 99.31(a)(14), 34 CFR 99.39, and Appendix A to Part 99, Title 34) If a postsecondary institution’s post-1998 disciplinary proceeding has determined that a student who has allegedly perpetrated a violent crime or non-forcible sex offense has committed a violation of the institution’s rules or policies in regards to that allegation, the institution may disclose the name of the student who committed the violation, the violation committed, and any sanctions against the student. No additional information can be disclosed under this exception. A university has a policy prohibiting violence against students. If the university’s disciplinary proceeding finds that John Doe hit another student, the institution could disclose John Doe’s name, that they hit a student, and what John Doe’s punishment will be.
Alcohol or a Controlled Substance (34 CFR 99.31(a)(15)) If a postsecondary institution determines that a student under 21 has violated a law or policy governing the use or possession of alcohol or a controlled substance, the university may disclose the violation to the student’s parents unless a state law precludes the disclosure. An Academic Dean could tell the parents of a 20-year-old student that their child was illegally drinking alcohol.
Sex Offenders (34 CFR 99.31(a)(16)) EAIs may disclose student PII if the disclosure relates to sex offenders or other individuals required to register under Section 170101 of the Violent Crimes Control and Law Enforcement Act of 1994. A school could provide a list of students who are registered sex offenders.
Food and Nutrition Service Monitoring, Evaluations, and Performance Measurements (20 USC 1232g(b)(1)(K)) EAIs may share student PII with the Secretary of Agriculture or their authorized representative working for or on behalf of the Food and Nutrition Services for the purposes of conducting program monitoring, evaluations, and performance measurements of EAIs or other agencies or institutions receiving funding or providing benefits under the National School Lunch Act or the Child Nutrition Act of 1966. A school can provide a list of students who receive a free lunch paid for by a National School Lunch Act program as part of an audit into whether the school is only using the funding to provide services to eligible students.
Caseworkers (20 USC 1232g(b)(1)(L) and guidance) EAIs may share student PII with an agency caseworker or other representative of a State or local child welfare agency, tribal organization caseworkers, or other representatives of state or local child welfare agencies or other tribal organizations, so long as such agency or organization is legally responsible for the “care and protection” of the student (as defined by state law) and the individual has the right to access the student’s case plan. A school can tell a student’s child welfare caseworker that the student will need additional help in order to pass algebra.
Military Recruiters (Guidance) K-12 EAIs must provide student names, addresses, and telephone numbers to military recruiters unless parents have opted out of disclosure of directory information. If names, addresses, and telephone numbers are not already designated as directory information, the EAI must send a separate notice to parents about this information and give them an opportunity to opt-out of sharing. A school must provide all students’ names, addresses, and telephone numbers to a military recruiter, except for the information of students whose parents have opted out of that disclosure.

FERPA 101

It is interesting to think that a law enacted in 1974—pre-smartphone, mobile app, and modern computer—still governs the vast technological landscape and data collection practices of modern education. In the age of online learning and student one-to-one devices, the Family Educational Rights and Privacy Act of 1974 (FERPA) remains the primary federal law protecting student privacy. FERPA analysis has grown increasingly complex over the years as rules and guidance were added to account for emerging technologies–as  highlighted during the COVID-19 pandemic when the education community struggled to apply FERPA in light of schools’ increasing reliance on educational technology. It can be a struggle to fit schools’ modern technology adoption and use within FERPA’s outdated framework, making it difficult to know which data and practices are subject to the law, let alone what the legal obligations are for educational agencies and institutions.


These FAQs serve as a primer for the Fixing FERPA series, providing key background information, historical context, and an overview of various provisions in the law.

FERPA is a federal privacy law that protects the privacy of students’ personally identifiable information (PII) in education records. FERPA primarily does two things: ensures appropriate access and limits unauthorized disclosure. Access is embodied through FERPA’s guarantee that parents and eligible students–students 18+ or attending higher education institutions–have the right to access their education records and to challenge the information in them as inaccurate or no longer relevant. FERPA prohibits all other disclosures of PII in education records unless there is consent or an applicable exception to FERPA’s consent requirement and certain safeguards are in place.

Other Fixing FERPA Publications