Privacy Law Basics: Back to School. Family Educational Rights and Privacy Act

The fourth law in our series is the Family Educational Rights and Privacy Act, often abbreviated as "FERPA."

Statute: Family Educational Rights and Privacy Act
Reference: 20 U.S.C. §1232g; 34 C.F.R. Part 99
Year Passed: 1974
Covered Entity: Educational institutions and agencies
Regulated Activity: Disclosure and use of education records by educational institutions and agencies
Private Right of Action: None
Enforcement Agency: U.S. Department of Education
Preemption: No
Remedies/Penalties: Loss of federal funding; compliance orders and citations

A.     Background. Often referred to as the Buckley Amendment, FERPA and the related Protection of Pupil Rights Amendment of 1978 were put in place to give students control over the disclosure of information contained in their school files. Ultimately, the law seeks not only to protect the privacy of student educational records, but also to provide transparency to a student and their parents (if a minor) as to the contents of those records.

B.     Who is covered? FERPA applies to U.S. educational institutions that receive federal funding and maintain education records of eligible students. An "eligible student" means a student who has reached 18 years of age or is attending or has attended an institution of post-secondary education. Generally, FERPA rights transfer to the student when the student reaches 18 years of age. However, any attendance at a post-secondary institution of education can make a student, even if under 18 years of age, an "eligible student." For students under the age of 18, or in grade or high school, parental consent to record disclosure is required. A "parent" includes a natural parent, a guardian, or an individual acting as a parent in the absence of a parent or guardian. Federal funds include funds provided to the institution or agency by grant, cooperative agreement, contract, subgrant, or subcontract. Another way institutions can be required to comply is when they receive federal funds via the student, as through a federal grant or student loan.

C.     What personally identifiable information is covered? Personally identifiable information contained in "education records." PII under FERPA includes, but is not limited to:

  • Student name and names of parents or family members
  • Student or family address
  • Direct identifiers, such as student SSN and student ID number
  • Indirect identifiers, such as student date of birth

But the definition also includes a broader category, which requires covered entities to think more extensively about the data in use.

  • Other information that, alone or in combination, can be linked to a student or would allow the student to be identified with reasonable certainty
  • Information requested by a person whom the providing institution would know or have reason to know knows the identity of the student to whom the education record is linked.

Beyond PII, "education records" are broadly defined as "those records, files, documents and other materials which (i) contain information that are directly related to the student, and (ii) are maintained by the educational agency or institution or by a person acting for such agency or institution." Such records are not limited to paper records, but also include computer media (e-mails, texts), videos, audio records, and yes, even "microfiche."

Recognized exceptions to the "education record" definition include:

  • Records in the sole possession of the maker (teacher, administrator) and not shared
  • Employment records (student employee)
  • Medical treatment records
  • Alumni records (individuals not currently enrolled)
  • Grades on peer-graded assignments
  • Campus police records
  • Applicant records (individuals not currently enrolled)

Another important definition is that of "directory information." Directory information is defined as "information in an education record that a student would not consider an invasion of privacy or harmful, if disclosed." Examples include the student's name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.

D.     What you can and can't do.

          1.     Educational institutions or agencies must provide students the ability to:

  • Control the disclosure of information contained in their education records
  • Receive annual notice of their rights under FERPA
  • Review and seek changes to their own education records
  • File complaints with the Department of Education

          2.     Institutions or agencies can disclose records without student consent in certain cases, including but not limited to: processing of financial aid requirements, criminal investigations, to the parents of dependent children that are students, and to school officials for purposes where a "legitimate and educational interest" in the records exists.

          3.     An educational institution or agency can disclose education records if an exception applies or one of the following conditions is met:

  • The information is not personally identifiable.
  • The information is directory information not barred by the student.
  • The student has consented to the disclosure.
  • The student is the recipient of the disclosure.

E.     What happens if you don't comply. FERPA does not currently impose fines for compliance failures. Enforcement generally arises out of complaints filed with the Department of Education.  The most severe penalty for an educational institution would be a loss of federal funding.  The more likely result of finding a violation is a report to that effect and a requirement to implement various changes to bring the covered entity's program into compliance.

F.     Risks and Recommendations

         1.  Blurred lines. Take time to understand the exceptions to an "education record" and those situations when student consent is not required to disclose information. As with many things in the law, not everything is clear cut. For example, it is important to note that medical records are also federally protected under HIPAA. This is a place where there can be a lot of confusion, enough that the Department of Education and HHS have issued guidance to help educational institutions under FERPA and covered entities under HIPAA comply.

          2.  It takes TWO.  A common issue or error in determining the applicability of the law, and whether a record qualifies as an "educational record," is whether the information is both directly related to the student AND maintained by the school.  You must have both.  The reality is that often information included in a school document may not identify an individual or be capable of identifying an individual.  Or the document is not maintained by the covered educational institution or agency; instead, the record is under the control of a third party, such as a doctor (treatment record) or law enforcement (campus police record).

          3.  Think broadly and conservatively. There are reasons to be conservative and think broadly with FERPA.  One, the language of the statute is broadly written.  Thus, generally, documents are more likely to be educational records because of their ability to identify a student.  This is because the linkable nature of information today more likely than not is capable of identifying a student.  In truth, this is just a best practice with all data in the modern era. Such an approach includes the use of school video and surveillance cameras installed in buses or other vehicles or properties under the control of the school.

          4.  Stay tuned. Another reason to be more conservative is that Congress is currently considering a bill that would overhaul FERPA.  Potential changes include reducing the timeframe to respond to student requests, expanding the definition of "educational record," and changes to the opt-out process. The bill would also authorize the imposition of fines upon educational agencies or institutions for failures to voluntarily comply with FERPA.  The fine could range from $100 to $1.5 million, depending on the severity of the violation.

         5.  When in doubt, get consent. This is tried and true advice for all privacy matters, but especially valuable with FERPA and especially now. A new incoming administration, the law in flux, and the expanding means by which information is being collected and shared all combine to create an environment in which such a conservative approach is merited.

About The Author

Scot Ganow