FERPA Exemptions

While FERPA is renowned for its robust privacy protections for student data, it's easy to overlook the flip side of the coin: the student data that falls outside of FERPA's protections. Understanding the scope of FERPA’s protections is crucial for navigating the nuances of student privacy today, especially since the line between student data that is and is not covered is not always intuitive. To help illustrate what student data is not protected under FERPA, we've created the following table explaining the FERPA exemptions with clear descriptions and real-world examples.

 

De-Identified Records and Information (34 CFR 99.31(b)) EAIs may release records or information after removal of all PII, provided that the EAI or another party has made a reasonable determination that a student cannot be reidentified. A school could redact student names before releasing a list of student test scores with each student’s grade (and no other information) listed so long as enough grades are included to make particular students’ grades not reasonably re-identifiable.
Personal Notes (34 CFR 99.3 “Education records”) Records an individual keeps as a personal memory aid that are not shared with any other person, except for a temporary substitute. A math teacher’s personal notes on which students they anticipate needing the most help on tomorrow’s long division lesson, to be shared only with tomorrow’s substitute math teacher.
Information Obtained Through Personal Knowledge or Observation (Guidance) Information about a student that was obtained through school personnel’s personal knowledge or observation, unless that knowledge is obtained through their official role in making a determination maintained in an education record about the student. What a teacher heard students discussing in the hallway or whether they thought that a student appeared to be upset.
Law enforcement unit records (34 CFR 99.3 “Education records” and 34 CFR 99.8) An EAI’s law enforcement unit records that are created by a law enforcement unit for a law enforcement purpose and maintained by the law enforcement unit. These records can become education records if they are shared for a non-law enforcement purpose (such as the school disciplining a student) or are maintained exclusively for a non-law enforcement purpose. School camera footage showing a student spray-painting classroom doors, so long as the cameras are used exclusively for security purposes and maintained by the school resource officer (SRO). If, however, the SRO discloses the footage to the school principal for the purpose of disciplining the student, that footage would become protected by FERPA.
Student employee records (34 CFR 99.3 “Education records”) Records relating to a student who is employed by an educational agency or institution that are made and maintained in the normal course of business, relate exclusively to the individual in their capacity as an employee, and are not available for use for any other purpose. However, records relating to a student in attendance at the EAI who is employed as a result of his or her status as a student are subject to FERPA. How a student is performing at their part-time job in the alumni relations office, so long as the student was hired independently by that office (for example, not hired through a work-study program).
Medical Records of Higher Ed Students (34 CFR 99.3 “Education records”) Physician, psychiatrist, psychologist, or other professional or paraprofessional’s records about the treatment of a student who is 18+ or attending an institution of postsecondary education that are made, maintained, or used only in connection with their professional treatment of the student and only disclosed to individuals providing treatment. The appointment notes of a psychiatrist at a college detailing sessions with a student at the college.
Denied Applicant Records (34 CFR 99.3 “Student”) The information an EAI has about applicants that are not admitted, or about accepted applicants who choose not to enroll in that EAI. The information a school used when deciding to deny admittance to an applicant.
Alumni Records (34 CFR 99.3 “Education records”) Records created or received by an EAI after an individual is no longer a student in attendance and that are not directly related to the individual's attendance as a student. An alumni relations office’s collection and sharing of survey responses from alumni about their post-graduation careers.
Peer-Grading Grades (34 CFR 99.3 “Education records”) Grades on peer-graded papers before they are collected and recorded by a teacher. Peer graded assignments before the teacher logs the grades in their gradebook.
PII of Deceased Eligible Students (Guidance) FERPA rights of eligible students expire upon the death of the student. However, non-eligible students’ rights are held by parents of students until the student turns 18 or enters postsecondary education, so those rights do not lapse until both the non-eligible student and their parents are deceased. The disciplinary record of a 22 year old student who passed away.

FERPA 101

It is interesting to think that a law enacted in 1974—pre-smartphone, mobile app, and modern computer—still governs the vast technological landscape and data collection practices of modern education. In the age of online learning and student one-to-one devices, the Family Educational Rights and Privacy Act of 1974 (FERPA) remains the primary federal law protecting student privacy. FERPA analysis has grown increasingly complex over the years as rules and guidance were added to account for emerging technologies–as  highlighted during the COVID-19 pandemic when the education community struggled to apply FERPA in light of schools’ increasing reliance on educational technology. It can be a struggle to fit schools’ modern technology adoption and use within FERPA’s outdated framework, making it difficult to know which data and practices are subject to the law, let alone what the legal obligations are for educational agencies and institutions.


These FAQs serve as a primer for the Fixing FERPA series, providing key background information, historical context, and an overview of various provisions in the law.

FERPA is a federal privacy law that protects the privacy of students’ personally identifiable information (PII) in education records. FERPA primarily does two things: ensures appropriate access and limits unauthorized disclosure. Access is embodied through FERPA’s guarantee that parents and eligible students–students 18+ or attending higher education institutions–have the right to access their education records and to challenge the information in them as inaccurate or no longer relevant. FERPA prohibits all other disclosures of PII in education records unless there is consent or an applicable exception to FERPA’s consent requirement and certain safeguards are in place.

Other Fixing FERPA Publications