Family Educational Rights and Privacy Act (FERPA)

Overview

The Family Educational Rights and Privacy Act of 1974 (FERPA) is the primary federal law governing privacy of student education records. FERPA applies to all educational institutions that receive federal education funding from the U.S. Department of Education.

Key Purposes:

• Protect privacy of student education records


• Give parents and eligible students right to access education records


• Give parents and eligible students right to seek amendments to education records


• Limit disclosure of personally identifiable information from education records without consent

Legislative Authority

• Statute: 20 USC 1232g (enacted November 19, 1974 as part of Educational Amendments of 1974)


• Regulations: 34 CFR Part 99


• Enforcement: Family Policy Compliance Office (FPCO), U.S. Department of Education


• Effective Date: November 19, 1974 (initial); December 9, 2008 (current regulations)

Applicability

Covered Entities

FERPA applies to educational agencies and institutions that receive federal education funding:

1. K-12 Schools:

- Public school districts
- Charter schools receiving federal funds
- Private schools receiving federal funds (e.g., Title I, special education grants)

1. Postsecondary Institutions:

- Public colleges and universities
- Private colleges and universities receiving federal student aid
- Community colleges
- Technical and vocational schools

1. Other Educational Institutions:

- Educational service agencies (ESAs)
- State educational agencies (SEAs)
- Any educational institution receiving federal education funds

Note: Private K-12 schools NOT receiving federal funding are NOT subject to FERPA.

"Parent" vs. "Eligible Student"

Parent: Parent or legal guardian of student under age 18 or not attending postsecondary institution

Eligible Student: Student who:

• Has reached age 18, OR


• Is attending postsecondary institution (regardless of age)

When student becomes "eligible student," FERPA rights transfer from parents to student.

Education Records

Definition

Education Records: Records that are:

1. Directly related to a student, AND


2. Maintained by educational agency or institution or party acting for institution

Includes (examples):

• Transcripts


• Class schedules and grades


• Disciplinary records


• Special education records and IEPs


• Student financial information (tuition, billing)


• Standardized test scores


• Attendance records


• Advisor/counselor notes if maintained in student file

Exclusions (NOT Education Records)

1. Sole Possession Records: Records kept in sole possession of maker, used only as personal memory aid, not accessible or revealed to any other person (e.g., teacher's personal notes not shared)

1. Law Enforcement Unit Records: Records created and maintained by law enforcement unit of educational institution for law enforcement purposes

1. Employment Records: Records of individual in capacity as employee (not student employee)

1. Medical Treatment Records: Records created and maintained by physician, psychiatrist, psychologist, or other recognized professional acting in professional capacity for treatment of student age 18 or older

1. Post-Attendance Records: Information obtained after individual is no longer student (e.g., alumni records)

1. Grades on Peer-Graded Papers: Grades on peer-graded papers before collected and recorded by teacher

Three Core FERPA Rights

Right 1: Inspect and Review Education Records

Parents and eligible students have right to:

• Inspect and review student's education records


• Receive copies of education records (school may charge reasonable fee for copies)


• Have school official explain or interpret records


• Obtain list of types and locations of education records

Timeline:

• School must comply with request within 45 days of request


• Many schools have shorter timelines (e.g., 10 business days)

Procedures:

• School should have procedures for requesting access to records


• School may require written request (but cannot require it)

Right 2: Seek to Amend Inaccurate or Misleading Records

Parents and eligible students have right to:

• Request amendment of records they believe are inaccurate, misleading, or violate privacy

Amendment Process:

1. Request Amendment: Parent/eligible student submits written request to amend record


2. School Decision: School decides whether to amend within reasonable time


3. If Granted: School amends record and notifies parent/student in writing


4. If Denied: School:

- Informs parent/student of decision and right to hearing
- Provides information about hearing procedures

1. Hearing: If parent/student requests hearing:

- Hearing conducted by official with no direct interest in outcome
- Parent/student has opportunity to present evidence
- School makes decision based on evidence
- Decision provided in writing

1. If Hearing Denies Amendment:

- Parent/student has right to place statement in record
- Statement must remain with contested record
- Statement disclosed whenever record disclosed

Important Limitation: Right to amend does NOT include right to challenge grades or opinions of school officials (only factual inaccuracies).

Right 3: Control Disclosure of Personally Identifiable Information

Written Consent Required: School must obtain written consent from parent or eligible student before disclosing personally identifiable information from education records.

Written Consent Must:

• Specify records to be disclosed


• State purpose of disclosure


• Identify party or class of parties to whom disclosure may be made


• Be signed and dated

Recordkeeping: School must maintain record of each disclosure (with specific exceptions).

Exceptions to Consent Requirement

FERPA permits disclosure of education records without consent in specific circumstances:

1. School Officials with Legitimate Educational Interest

Who: Teachers, administrators, counselors, support staff who need access to perform their duties

Requirements:

• School must define "school official" and "legitimate educational interest" in annual FERPA notification


• Access must be necessary to fulfill professional responsibilities

Contractors and Consultants: May be considered "school officials" if:

• Performing institutional service or function school would otherwise use employees to perform


• Under direct control of school regarding use and maintenance of records


• Subject to requirements governing use and redisclosure

2. Other Schools (Transfer of Student)

Disclosure Permitted: To officials of another school where student seeks or intends to enroll

Requirements:

• School must make reasonable attempt to notify parent/student of transfer (unless annual notification states school forwards records on request)


• Parent/student has right to receive copy of records


• Parent/student has right to hearing to challenge content

3. Specified Officials for Audit or Evaluation

Who:

• Authorized representatives of U.S. Comptroller General


• U.S. Attorney General


• U.S. Secretary of Education


• State and local education authorities

Purpose: Audit or evaluation of federal or state-supported education programs, or enforcement of federal legal requirements

4. Financial Aid

Disclosure Permitted: In connection with student's application for, or receipt of, financial aid

Purpose: Determine eligibility, amount, conditions, or enforce terms and conditions

5. State and Local Authorities (Juvenile Justice)

Disclosure Permitted: To state and local authorities pursuant to state statute concerning juvenile justice system

Requirements:

• Information must concern ability of system to serve student before adjudication


• State statute must require protection of disclosed information

6. Organizations Conducting Studies

Who: Organizations conducting studies for, or on behalf of, educational agencies/institutions

Purposes:

• Develop, validate, administer predictive tests


• Administer student aid programs


• Improve instruction

Requirements:

• Written agreement that study conducted in manner not permitting personal identification by individuals other than representatives of organization


• Information destroyed when no longer needed


• Cannot be redisclosed (except with consent or as permitted by FERPA)

7. Accrediting Organizations

Disclosure Permitted: To accrediting organizations to carry out accrediting functions

8. Compliance with Judicial Order or Lawfully Issued Subpoena

Disclosure Permitted: To comply with judicial order or lawfully issued subpoena

Requirements:

• School must make reasonable effort to notify parent/student before compliance (unless court orders nondisclosure or subpoena issued for law enforcement purpose and orders nondisclosure)

9. Health or Safety Emergency

Disclosure Permitted: In connection with health or safety emergency

Requirements:

• Information necessary to protect health or safety of student or other individuals


• Disclosure to appropriate parties (e.g., law enforcement, medical personnel, parents)


• School determines on case-by-case basis considering:

- Severity of threat
- Need for information to meet emergency
- Whether parties to whom disclosed are in position to deal with emergency
- Time required to deal with emergency

FPCO Review: After emergency, FPCO may review decision to determine whether disclosure was appropriate.

10. Directory Information

Definition: Information that would not generally be considered harmful or invasion of privacy if disclosed (e.g., name, address, phone, email, photo, dates of attendance, enrollment status, degrees/awards, participation in activities/sports, height/weight of athletes).

Opt-Out Requirement:

• School must provide parents/eligible students opportunity to opt out of directory information disclosures


• School must provide annual notification of directory information categories


• Parents/eligible students must be given reasonable time to opt out

Uses: Directory information may be disclosed to anyone without consent (unless parent/student opted out).

11. Parent of Dependent Student (Postsecondary)

Disclosure Permitted: To parents of eligible student if student is dependent for federal income tax purposes

Verification: Institution may require documentation of dependency (e.g., copy of tax return).

12. Disclosure of Disciplinary Proceedings (Postsecondary)

Victims of Crimes of Violence or Non-Forcible Sex Offenses:

• Postsecondary institution may disclose to alleged victim final results of disciplinary proceeding regarding alleged perpetrator


• Can disclose: name, violation, sanction

Public Disclosure of Disciplinary Proceedings:

• Postsecondary institution may publicly disclose final results of disciplinary proceeding if:

- Student is 21 or older
- Violation is crime of violence or non-forcible sex offense
- Institution determined student committed violation

13. Disclosure of Alcohol/Drug Violations (Postsecondary)

Parents of Students Under 21: Postsecondary institution may disclose to parents if student under age 21 and institution determines student violated law or policy concerning alcohol or controlled substances.

14. Sex Offender Registry Information

Disclosure Permitted: Information provided to institution under federal or state sex offender registry program.

Annual Notification

Requirement: Educational institution must annually notify parents and eligible students of their FERPA rights.

Content Must Include:

• Right to inspect and review education records


• Right to seek to amend education records


• Right to consent to disclosures (with exceptions)


• Right to file complaint with FPCO


• Procedures for exercising rights


• Definition of "school official" and "legitimate educational interest" (if using school official exception)


• Directory information categories (if applicable) and right to opt out

Methods: Notification may be by any means reasonably likely to inform parents/students:

• Student handbook


• Newspaper


• School website


• Email


• Parent newsletter

Record of Disclosures

Requirement: For each disclosure of education records, school must maintain record indicating:

• Parties to whom disclosure was made


• Legitimate interests parties had in information

Exceptions (No Record Required):

• Disclosures to parent or eligible student


• Disclosures pursuant to written consent


• Disclosures to school officials with legitimate educational interest


• Disclosures of directory information

Access: Parent or eligible student may inspect and review record of disclosures.

Enforcement

Enforcement Agency: Family Policy Compliance Office (FPCO), U.S. Department of Education

Complaint Process:

1. File Complaint: Parent or eligible student files written complaint with FPCO alleging violation


2. Timeline: Complaint must be filed within 180 days of violation or date complainant knew or reasonably should have known of violation


3. FPCO Review: FPCO reviews complaint and may investigate


4. Resolution:

- FPCO may determine violation occurred and require corrective action
- If institution does not comply, Secretary of Education may withhold further federal education funding

1. Appeals: Institution may request hearing

No Private Right of Action: Courts have generally held that FERPA does not create private right of action (i.e., cannot sue institution for money damages for FERPA violation). Enforcement is exclusively through FPCO.

Enforcement Remedy: Withholding of federal education funds (rarely used; most violations resolved through corrective action).

FERPA vs. HIPAA

Educational institutions may be subject to BOTH FERPA and HIPAA depending on circumstances:

Scenario	Applicable Law
----------	---------------
Student health records maintained by school	FERPA
Records of school nurse or school psychologist	FERPA (if maintained in education records)
Treatment records of physician/psychologist providing treatment to student 18+	NOT education records (excluded from FERPA); May be HIPAA if provider is HIPAA covered entity
University hospital or health clinic	HIPAA (if operated as healthcare provider)
School-based health center operated by outside health system	HIPAA

Gap Analysis: FPCO and HHS Office for Civil Rights have published FERPA/HIPAA gap analysis to help institutions understand differences.

Massachusetts Student Records Regulations (603 CMR 23.00)

Massachusetts has its own student records regulations that work in conjunction with FERPA. Where conflicts exist, more protective requirement applies.

Key Differences:

Requirement	FERPA	603 CMR 23.00	More Protective
------------	-------	---------------	-----------------
Access Timeline	45 days	10 days (2 days for special education)	603 CMR 23.00
Amendment Timeline	Reasonable time	Within 1 week	603 CMR 23.00
Record Retention	Not specified	Temp records destroyed within 7 years	603 CMR 23.00
Types of Records	Education records	Transcript and temporary records (detailed definitions)	603 CMR 23.00 (more specific)
Notice to Third Parties	Not required	Required when disclosing to third parties	603 CMR 23.00

Massachusetts schools must comply with BOTH sets of requirements.

Compliance Checklist

Annual Notification

• [ ] Provide Annual Notification: Notify parents and eligible students of FERPA rights at start of each school year


• [ ] Include Required Elements:

- [ ] Right to inspect and review records
- [ ] Right to seek to amend records
- [ ] Right to consent to disclosures
- [ ] Right to file complaint with FPCO
- [ ] Procedures for exercising rights
- [ ] Definition of "school official" and "legitimate educational interest"
- [ ] Directory information categories and opt-out procedures

Access to Records (Right 1)

• [ ] Procedures for Access: Establish procedures for parents/students to request access to education records


• [ ] Respond Within 45 Days: Provide access within 45 days of request (Massachusetts: 10 days K-12, 2 days special ed)


• [ ] Allow Inspection and Review: Allow parent/student to inspect and review records


• [ ] Provide Copies if Requested: Provide copies of records (may charge reasonable fee)


• [ ] Explain Records: Have school official available to explain or interpret records

Amendment of Records (Right 2)

• [ ] Procedures for Amendment: Establish procedures for requesting amendments to records


• [ ] Consider Request: Consider request to amend record within reasonable time (Massachusetts: 1 week)


• [ ] Hearing if Denied: Provide hearing if amendment request denied


• [ ] Allow Statement: If hearing denies amendment, allow parent/student to place statement in record

Consent for Disclosure (Right 3)

• [ ] Obtain Written Consent: Obtain written consent before disclosing personally identifiable information (unless exception applies)


• [ ] Verify Consent Elements: Ensure consent specifies records, purpose, recipient, signature, date


• [ ] Maintain Record of Disclosures: Maintain record of each disclosure (with exceptions)


• [ ] Allow Access to Disclosure Record: Allow parent/student to inspect record of disclosures

Directory Information (If Applicable)

• [ ] Define Directory Information: Define categories of directory information in annual notification


• [ ] Provide Opt-Out Opportunity: Give parents/students opportunity to opt out of directory information disclosures


• [ ] Honor Opt-Outs: Do NOT disclose directory information for students who opted out


• [ ] Review Annually: Review and update directory information categories annually

Exceptions to Consent

• [ ] School Officials: Define "school official" and "legitimate educational interest" in annual notification


• [ ] Transfer of Records: Notify parent/student when transferring records to another school (or state in annual notification)


• [ ] Health/Safety Emergencies: Document determination that health or safety emergency exists before disclosure


• [ ] Subpoenas: Make reasonable effort to notify parent/student before complying with subpoena (unless prohibited)

Training and Policies

• [ ] Train Staff: Train all staff with access to education records on FERPA requirements


• [ ] Written Policies: Maintain written policies and procedures for FERPA compliance


• [ ] Update Policies: Review and update policies annually

FPCO Complaints

• [ ] Monitor Complaints: Monitor for FPCO complaints filed against institution


• [ ] Respond to FPCO: Respond timely to FPCO investigations


• [ ] Corrective Action: Implement corrective action if FPCO determines violation occurred

Related Frameworks

• 603 CMR 23.00 (Massachusetts): Massachusetts student records regulations providing greater protections than FERPA


• HIPAA Privacy Rule: Healthcare privacy (overlaps with FERPA for university hospitals, school-based health centers)


• COPPA: Children's Online Privacy Protection Act (applies to edtech services collecting information from children under 13)


• PPRA: Protection of Pupil Rights Amendment (surveys, analysis, evaluations involving students)


• IDEA: Individuals with Disabilities Education Act (additional privacy protections for special education records)


• GLBA: Student financial aid records at postsecondary institutions may be subject to GLBA

Resources

Official Sources

• Student Privacy (FPCO): https://studentprivacy.ed.gov/


• FERPA Main Page (ED.gov): https://www.ed.gov/ferpa


• 34 CFR Part 99 (Regulations): https://www.ecfr.gov/current/title-34/subtitle-A/part-99


• 20 USC 1232g (Statute): https://uscode.house.gov/view.xhtml?req=granuleId:USC-prelim-title20-section1232g&num=0


• FERPA Regulations: https://studentprivacy.ed.gov/resources/ferpa-regulations


• FERPA FAQs: https://studentprivacy.ed.gov/resources/frequently-asked-questions


• Disclosure Exceptions Chart: https://studentprivacy.ed.gov/sites/default/files/resource_document/file/FERPA%20Exceptions_HANDOUT_horizontal.pdf


• FERPA/HIPAA Gap Analysis: https://studentprivacy.ed.gov/resources/ferpa-and-hipaa-gap-analysis

Massachusetts-Specific

• 603 CMR 23.00 (MA Student Records): https://www.mass.gov/regulations/603-CMR-2300-student-records


• MA Department of Elementary and Secondary Education (DESE): https://www.doe.mass.edu/


• MA DESE Student Privacy: https://www.doe.mass.edu/privacy/