What is FERPA? A guide for educators and administrators< What is FERPA? A guide for educators and administrators<

What is FERPA? A guide for educators and administrators

Co-ordinate to a federal law chosen FERPA, educators, administrators, registrars, and other school employees in the U.s.a. are responsible for securing the educatee data that passes through their easily. But what is FERPA, exactly?

FERPA stands for the Family unit Educational Rights and Privacy Deed, which mandates certain privacy rights regarding education data for students and their parents. The police states that parents take the right to admission their children's education records. It also forbids the sharing of that data without a parent's written permission. When eligible students plow 18 or graduate high schoolhouse, these rights laissez passer to them.

Violations of the act can restrict access to Department of Education funding, so compliance with FERPA is a crucial concern for schools at every level (with a few notable exceptions, which we'll discuss in Affiliate three). If you work with student information, information technology's probable that you're responsible for protecting it, but the details of FERPA brand things a little less lucent. This comprehensive guide will aid you understand the background, intent, and physical requirements of the law, every bit outlined in the post-obit chapters.

Annotation that, while this commodity introduces FERPA and provides a few starting points for compliance, nada here is intended every bit legal advice. For guidance on a specific situation, contact an attorney who specializes in privacy law.

What is FERPA? Chapter synopsis

  • Introduction.
  • The history of FERPA. When was FERPA passed? Why practise we need this type of privacy constabulary? This chapter discusses the history and purpose of the act.
  • FERPA requirements and exceptions. Learn most the rights and responsibilities the law guarantees students, parents, and educational institutions. We'll also cover exceptions to some of these requirements.
  • FERPA compliance. What do you demand to do to make sure your facility fully complies with FERPA? Here are some resources to get y'all started.
  • FERPA violations and consequences. Hither, we'll innovate mutual FERPA violations and the potential penalties they tin incur. This is also where yous'll larn nigh the U.S. Section of Education'southward Family unit Policy Compliance Office, which enforces FERPA.
  • FERPA training. The best fashion to protect your establishment from FERPA violations is to provide comprehensive training for all relevant staff. We'll talk over what that looks like.
  • FERPA waivers and forms. This chapter goes into greater particular on the subject of "written consent," describing the forms — both digital and print — that may allow the sharing of express pupil information.

Feel free to skip direct to Affiliate 3 if your main business is FERPA compliance, only bookmark the whole guide before you do. Questions almost FERPA have a way of popping up unexpectedly, and y'all may need other chapters sooner than you call up.

The history of FERPA

Prior to FERPA'due south enactment, unsecured student information led to existent-world problems, says Millicent Kelly in her FERPA Training for Educators online course.

"By the early 1970s, nearly anyone with a bluecoat could obtain personal and academic records of students. Oftentimes, the files independent medical and mental wellness data, which could consequence in a student being removed from i program and placed into a program for children with special needs. This could accept place without so much as notifying a student's parents or guardians."

Despite transgressions similar these, FERPA would have to expect for a broader business over privacy rights to sweep through the nation. This occurred in the mid-1970s when national events brought privacy abuses to the forefront of public consciousness.

When was FERPA passed?

You can draw a direct line between FERPA and Watergate. Strange every bit the connection may audio, the Nixon Administration's secret information collection during the scandal created a strong appetite for privacy protections in the legislature in the early on 1970s.

Nixon resigned on August 8, 1974. Less than two weeks later, on August 21, President Gerald Ford signed FERPA into law. By the cease of that yr, the 93rd Congress would follow FERPA with the much broader Privacy Act.

"This gives you lot a sense of what must have been going on back then," says LeRoy Rooker, senior fellow at the American Association of Collegiate Registrars and Admissions Officers (AACRAO). "At that place was an obvious heightened business organisation for protection of information on individuals, and this included parents and students."

Rooker is the leading authorization on FERPA. As a senior swain at AACRAO, he conducts FERPA training and consultation. Prior to joining AACRAO, Rooker spent 21 years as manager of the U.Southward. Department of Education's Family unit Policy Compliance Role (FPCO), the bureau that administers the police force and investigates alleged violations.

The purpose of the Family Educational Rights and Privacy Deed

The purpose of the Family unit Educational Rights and Privacy Act (FERPA) is to protect access to educational records for students and parents, while preventing that admission for unauthorized tertiary parties. When FERPA was passed, there was petty to compare it to — but that before long changed. It'due south essentially a data security law, related to the Privacy Act of 1974 and the after Health Insurance Portability and Accountability Act (HIPAA) of 1996.

In fact, in that location'due south often some confusion within schools about whether FERPA or HIPAA take priority in the instance of pupil health records. Hither are a few things to know about how FERPA and HIPAA interact:

  • When school nurses continue records of student health in elementary and high schools, those records are typically covered by FERPA, not HIPAA.
  • This means school nurses can share health information with other school staff when there'southward "legitimate educational interest" — a topic we'll cover in Affiliate 2.
  • Once a educatee of any age enters post-secondary school (like a higher or academy), or that student turns xviii, FERPA no longer covers any of their health records. In this case, HIPAA or other land or federal privacy laws accept precedence.

For more than data on the difference between FERPA and HIPAA, encounter our coverage here. We'll discuss the details of what sort of data is protected in Chapter 3. For at present, allow's wait at how FERPA governs the activity of education staff at relevant institutions.

FERPA requirements and exceptions

The full text of the Family Educational Rights and Privacy Act is in the Code of Federal Regulations, Title 34, Subtitle A, Part 99. Information technology contains more than 13,000 words of dense legislative linguistic communication, and there's a 45-yr case history that influences its application. In other words, there'southward a lot to acquire.

We've pulled a few main details every parent, student, and schoolhouse representative should know virtually FERPA. At the stop of this chapter, we'll talk over FERPA exceptions — like the fact that, in cases of legitimate educational interest, FERPA may allow information to be shared without consent.

FERPA rights for eligible students and parents

The rights guaranteed past FERPA belong to students and their parents, merely not necessarily both at the same time. Parents hold these rights until a student turns 18 or begins postal service-secondary education. So if you graduate high school at xv and enter college at 16, these rights belong to you lot, non your parents — and schools tin violate FERPA by sharing data with a parent later a student becomes the holder of these rights.

Mirroring FERPA'south language, we'll phone call any student who has go the rights holder in this case "eligible." In other words, an eligible student nether FERPA is one who's xviii or older, or whose educational activity is continuing by high school. Broadly speaking, FERPA guarantees iii basic rights to eligible students or their parents:

  1. Institutions cannot disclose education information without written permission from the rights holder, except in a few narrowly defined instances.
  2. The parent or the eligible student has the right to access that student's pedagogy records.
  3. If the eligible student or parent disagrees with the content of a tape, they can request a change.

This tertiary scenario has the potential to get complicated. In cases where school officials refuse to grant a requested edit to a document, eligible students or their parents take a correct to an official hearing. If the hearing doesn't convince the school that the data should be inverse, the educatee or parent can so enter a statement detailing their complaint into the tape.

While the student'due south right to data privacy is at the center of this law, in some instances, institutions can share educational data without written permission from the rights holder. Here are a few of the most common examples.

FERPA exceptions for educational institutions

If you lot recall yous're in a state of affairs where FERPA allows you to share student data without signed consent, be careful. While there are a handful of exceptions to this fundamental rule, they are both rare and narrowly defined.

"Exceptions where an institution doesn't need consent are very specific," Rooker says. "There's one for a health or safety emergency, and one for audit evaluation by the Secretarial assistant of Education. Simply as a full general dominion, students have to consent, or parents take to consent, to records existence disclosed exterior the schoolhouse or institution."

Fifty-fifty when FERPA doesn't require signed consent in social club to share data, institutions, erring on the side of caution, may ask for that permission before releasing any records. The safest bet is to ask the eligible educatee or parent for a signed form, Rooker says.

All the official FERPA exceptions are in Subpart §99.31 of the act. We'll go over the most common ones hither. In improver to the carve-outs Rooker mentions, yous may not have to obtain signed consent before sharing educatee data if

  • The data constitutes "directory information." You don't need signed consent to disclose the kind of identifying information yous'd find in a yearbook. According to the constabulary, "directory data" in this context may include "the student's name; address; telephone list; electronic mail address; photograph; date and place of nascence; major field of study; grade level; enrollment status (eastward.g., undergraduate or graduate, full-fourth dimension or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of able-bodied teams; degrees, honors, and awards received; and the about recent educational agency or institution attended."
  • The information is going to another school in which the student plans to enroll. "Generally, if a student is applying to another institution, you wouldn't demand signed consent to send a letter of recommendation," says Rooker, citing 1 example of student data that can sometimes be shared without signed consent. "Now, if they were sending a letter of recommendation to a potential employer, and then they would need consent because there's not an exception that lets them provide information from the educatee'due south tape to a potential employer."
  • Financial help providers need the data to decide the eligibility; amount; or weather condition of the grant, scholarship, or other education funding. Note that this financial assist may have already been granted to the student, or they may be in the application stage. Either mode, data tin occasionally be shared if information technology helps students pay for school.
  • The data is requested every bit part of an eligible study. Universities, educational agencies, and others tin sometimes access pupil data in connection with a study to "develop, validate, or administer predictive tests; administer student aid programs; or ameliorate instruction," co-ordinate to the act.

There are also exceptions to FERPA'due south signed consent requirement for the legal earth. Judicial orders and subpoenas tin overrule the need for consent, and states have their own laws regarding student information and the juvenile justice system.

The list goes on, but there'due south one FERPA exception that we need to talk over in more than depth considering it requires a detailed definition of an unfamiliar term: The case of "legitimate educational interest."

When an institution tin can prove legitimate educational interest, FERPA may allow information to be shared without written consent

Co-ordinate to FERPA, data holders tin share student data with "school officials with legitimate educational interests" without prior consent. So what exactly constitutes legitimate educational interest? The National Center for Education Statistics (NCES), a division of the U.South. Department of Education, says that it'due south upward to schools and agencies to found their ain criteria.

The NCES does propose including the following factors in a FERPA-compliant "legitimate educational interest" policy:

  • The data in question must be necessary for a school official to complete the tasks described in their job descriptions or contracts.
  • The data must be relevant to a proper educational goal.
  • Any didactics records shared between schoolhouse staff must simply be used for education, non for outside issues.
  • School staff must employ the student data for the reason the information was kept in the first identify.

You tin see why FERPA preparation is such an important function of establishing student privacy protocols. Go to Chapter 5 to larn more virtually this training, or proceed reading to learn a few key facts about FERPA compliance.

FERPA compliance

Some of FERPA'due south provisions are adequately straightforward. To comply with FERPA, educational institutions must

  • Provide requested educational data to a student (or their parent) within 45 days
  • Make requested changes to pupil records or be ready to convene hearings to contest those requests
  • Notify parents and eligible students of their information rights under FERPA at to the lowest degree once a yr

With plans and permissions in place, it's unproblematic enough to comply with these three requirements. Merely FERPA compliance tin can go trickier when it comes to sharing student information. What counts equally didactics data under the law? What level of digital data security is needed to comply with FERPA? We'll get deeper into these questions in this chapter.

Does FERPA use to your educational institution?

Not all educational organizations are leap by FERPA. There'south one simple style to tell: If your school receives funding from programs administered by the U.S. Section of Teaching, it must comply with FERPA or adventure losing those funds.

The educational agencies and institutions that typically receive funding through the Department of Education programs include

  • Public elementary (or primary) schools
  • Public eye and high (or secondary) schools
  • Colleges and universities (or postsecondary schools)

Co-ordinate to the Department of Education, individual or parochial schools below the postsecondary level normally don't receive funds from programs that bind them past FERPA's rules. Such institutions are often exempt from FERPA compliance.

Even private colleges and universities, yet, are likely to accept payments through federal programs administered past the Department of Instruction: Pell Grants and the federal guaranteed student loan plan are ii examples. And so most institutions of higher education must comply with FERPA to accept federally assisted tuition.

In one case y'all determine that FERPA does apply to your establishment, you'll need to spread sensation of the police force'south details to all relevant staff. Yous may want to get FERPA certification. If you do, understand that at that place's no official certification programme from the Department of Education.

Institutions often certify their own employees or seek certification from third-political party organizations, merely at that place'southward no national standard. To increment FERPA awareness amidst school staff, you'll need FERPA training. We'll talk over that topic in detail in Chapter five of this guide.

Considering many FERPA violations are the result of mishandling didactics data, it'southward of import to discuss what that data is and how schools can maintain it in a FERPA-compliant manner — whether it's on paper or in the cloud.

What are "education records" according to FERPA?

Under FERPA, schoolhouse employees are forbidden from disclosing data from "pedagogy records" without an eligible educatee or parent's written consent. But not every give-and-take jotted down by a instructor counts equally an instruction record. Hither's how education records are divers in the Act:

  • According to 34 CFR § 99.three, education records are "directly related to a student" and maintained by the "educational agency or institution or by a party acting for the agency or institution."
  • These records can take any form in whatever medium: paper, digital, audio, video, etc. "FERPA is engineering science neutral," Rooker says. "Information technology doesn't say, 'You have to create records in this format only.' It says, 'It doesn't matter the format you create the record in — your establishment is responsible for protecting it.' "
  • For the most part, then, all data your school retains almost students tin can be considered teaching records — with a few exceptions:
  • Notes for personal utilize don't count as education records, so teachers tin can write down memory aids nigh students without concern.
  • Student data that's created and maintained by or for law enforcement agencies is not considered an teaching record under FERPA.
  • Records a school receives after the student leaves that school don't qualify under FERPA unless they concern the educatee'southward earlier omnipresence at that school.

As Rooker explains, both paper and electronic student records must exist protected under FERPA. For newspaper files, restricting admission to a few authorized employees and keeping files under lock and key are traditional methods of protecting student data. The question of digital security requires a bit more unpacking.

FERPA compliance with digital student records

"Electronic records are no different than newspaper records when it comes to protecting the privacy of these documents," Rooker says. "You accept to make sure that whatever security y'all have works."

Unfortunately, FERPA doesn't prescribe a particular type or level of digital security. It only states that the data must non be disclosed without signed consent. Both data-collection and data-storage systems must be protected from adventitious disclosure and malicious attacks.

Complying with industry security standards is a swell identify to start with digital FERPA compliance. For case, Jotform provides secure transmission of its online forms with the highest available levels of data security, including

  • 256-bit SSL encryption for all forms
  • Optional RSA 2048 encryption
  • PCI DSS Service Provider Level 1 compliance
  • GDPR compliance
  • HIPAA-compliant forms and integrations
  • Optional CAPTCHA protection
  • Adaptable privacy settings

For more than information on data security, run into our comprehensive guide.

In addition to these basic protections, all the same, FERPA compliance as well requires school officials to authenticate the identity of eligible students or parents before providing access to digital records.

Establishing a "reasonable expectation of hallmark" for pupil data

FERPA compliance requires strong identification procedures to make sure you're actually interacting with the eligible student or parent before disclosing protected data. "If you're giving admission to your student information organisation, there has to be a robust procedure in place for establishing a hush-hush Pin or password," Rooker explains. He advises that teaching officials learn from the banking industry, which shares these identification concerns.

Rooker says, "If you forget your ATM PIN, you lot tin can't call up the banking concern and say, 'Hey, can you requite me a new PIN?' They won't do that. They'll say, 'We'll send you one to your address on tape. It'll come through the U.S. mail and you lot'll become it that way.'"

Educational institutions should use a like procedure to found what the Department of Educational activity calls a "reasonable expectation of authentication." That doesn't have to be a PIN sent in the mail; it may take the form of displaying a driver'south license on a video call, mailing a notarized copy of state ID, or other, more novel approaches.

But taking the caller or emailer's give-and-take as proof of identity is not enough. "At that place needs to exist a robust identification process before you give admission to education records," Rooker says.

With security protocols in place for both physical and digital student records, you're one step closer to full FERPA compliance. Simply what happens if yous fail to fully comply with the human action? In the next affiliate, we'll get deeper into the subject of FERPA violations — and how to avoid them.

FERPA violations and consequences

"FERPA violations run the gamut from denying the student admission to their education records to improperly disclosing information," Rooker says. "Institutions disclosing information without consent or without meeting one of the exceptions to signed consent are big ones."

Improper disclosure can occur in lots of ways. To illustrate that signal, Rooker shares an example of a real-life FERPA violation he investigated while at the Section of Education.

The establishment provided a web-based portal that gave eligible students online access to their ain instruction data. This admission was protected by the student'due south password, which could have been acceptable under FERPA rules — except that the system only required a social security number and engagement of birth to reset the countersign through the website.

Rooker describes how that system violated FERPA, and how this violation was uncovered:

"In this item instance, it was the [eligible student's] father who went to the records website, clicked a button that said, 'I forgot my password,' and put in his son's social security number and date of birth, and then got access to all of [his son's] records. The son became aware [of the alienation] because his parents were going through a divorce, and his records ended up in courtroom every bit part of the divorce proceedings."

The school officials in this story fabricated one major mistake. They failed to constitute a reasonable expectation of authentication. Simply the broader implication is that they failed to fully empathize the law. They weren't thorough and intentional about FERPA compliance.

"You accept to make a reasonable attempt to protect pupil records, and that school's effort clearly was not reasonable," Rooker says.

Often, FERPA violations involving improper disclosure occur in a moment of absentmindedness. Without training and constant attention, it's easy to make mistakes. Consider these other FERPA violation examples:

  • Emailing protected student information to everyone in the course
  • Including social security numbers on shared documents
  • Posting grades and identifying information in public
  • Publicly disclosing a student athlete'southward academic status

For more than examples of FERPA violations from the field, read our web log on the subject field.

If you do become caught violating FERPA and reject to come up into compliance, here's what might happen.

FERPA violation penalties

The about extreme consequence for violating FERPA is the loss of federal education funds. To go to that indicate, however, would take willful disobedience of the Department of Educational activity'southward Family Policy Compliance Function (FPCO).

Prior to banning institutions from receiving federal funds, FPCO takes a number of steps. Most FPCO investigations brainstorm equally complaints or are self-reported — and FPCO encourages schools to self-study since the ultimate goal isn't punishment but rather voluntary compliance with FERPA.

Upon discovery of a violation, the FPCO first offers to help schools come into compliance with FERPA. If the institution withal fails to fix the problem, FPCO may take punitive steps. Co-ordinate to training documents from the Department of Instruction, potential FERPA violation penalties include

  • Finish and desist orders
  • Freezing payments from Section of Education programs
  • Denying eligibility for Department of Education funding

Again, these dire consequences won't enter the motion-picture show unless an institution refuses to work with FPCO to improve its procedures. You'd accept to completely ignore the law to run a risk the nearly serious penalties. "Ultimately, they could accept abroad Department of Educational activity funds," Rooker says. "But that would accept an institution non coming into compliance with FERPA after an investigation."

The best way to avoid FERPA violations, of course, is to provide adequate training for all relevant employees. We'll discuss what that looks like in the adjacent chapter.

FERPA training

"The best protection for education records is training," Rooker says. "At that place's no substitute for that. You're not going to know if your records are secure unless you're really steeped in [FERPA]." So how practice you provide FERPA grooming for teachers and other school staff? Many organizations provide FERPA certification programs; here are some of the top options:

  • Conduct FERPA preparation in house. Academy registrars oft provide FERPA training for teachers and other employees themselves. Initial and refresher preparation courses from experts at your institution tin help reduce the likelihood of violations. Many postsecondary schools operate in-business firm FERPA certification programs for staff, including Purdue University, the University of Massachusetts Amherst, and Washington State University.
  • Online training modules from the Department of Education. Free, introductory online grooming courses are available from the Department of Education's Privacy Technical Assistance Center and the Student Privacy Policy Role. Courses may modify and/or grow, only for now, they offering modules called FERPA 101: For Colleges & Universities, FERPA 101: For Local Education Agencies, and FERPA 201: Data Sharing under FERPA.
  • FERPA compliance training from AACRAO. AACRAO offers FERPA training for faculty and staff at colleges and universities, both online and on campus. Rooker conducts interactive FERPA training through AACRAO and tailors each session to friction match the audience'southward needs. During AACRAO FERPA preparation, "I first at the beginning of the regulations, hitting the highlights, and, in the process, generate questions. I tell stories about investigations nosotros did when I was at the Department and give vignettes nearly the way violations tin can happen," Rooker says. "A lot of the training content is generated through interaction with the participants and answering their questions."

The goals of any FERPA preparation should include raising awareness among staff, covering compliance basics, and answering staff questions. Teachers besides as any employees with access to educatee data should receive FERPA training on an ongoing footing.

Two questions that oft come at FERPA training sessions involve the transmission of digital data and the proper utilize of signed consent forms. The adjacent affiliate provides introductory guidance on the use of these instruments, which we'll refer to collectively as "FERPA forms."

FERPA waivers and forms

If you work in education, odds are you've heard the term — but what is a "FERPA form?" In most cases, information technology's a document that provides signed consent for the release of instruction records to anyone other than the parent or eligible student. Other mutual terms that refer to signed consent forms nether FERPA include

  • FERPA waiver form
  • FERPA release class
  • FERPA release authorization
  • FERPA consent form

They're all essentially the same affair and serve the purpose of providing signed consent to disclose the records FERPA protects. "The consent requirement is part of protecting the privacy of the record," Rooker explains. "The student has a correct to determine who can be given admission to those records."

A FERPA signed consent course for an eligible educatee (1 who'southward 18 years one-time or attending a postsecondary schoolhouse) should contain, at minimum, the following elements:

  • Student proper noun and identifying data (student ID number, appointment of nascency, etc.)
  • Student contact information (phone number, email address, etc.)
  • Institution name and identifying information
  • Authorized recipient proper name, contact information, and relationship to student
  • All records the form gives permission to release (e.g., transcripts, awarding documents, recommendation letters, etc.)
  • A statement of permission to share protected educational activity records
  • Student signature and engagement

Depending on the institution and the application, FERPA signed consent forms may require other information than what appears on this listing; once again, it's e'er all-time to cheque with a privacy attorney about specific questions.

FERPA release forms for parents

For students under 18 years of historic period and in elementary or high school, a parent must provide the signed consent to release instruction records. A FERPA release form for parents should contain essentially the same information listed to a higher place, along with

  • Parent proper name and relationship to student (mother, father, legal guardian, etc.)
  • Parent signature and date
  • Parent contact information (phone number, email address, etc.)

Annotation that an eligible student may wish to provide signed consent to release didactics records to their own parents. This is the student'south right; when they become eligible, students have ability over their ain education records, and schoolhouse officials cannot release those records to parents without the student's signed consent class.

A signed consent course permitting a parent to receive an eligible student's grades is some other type of "FERPA release course for parents." Typically, though, the term refers to forms signed by the parent for an ineligible educatee. Larn more than about FERPA forms in this blog post.

Online FERPA release forms from Jotform

Remember that FERPA is technology neutral. The constabulary doesn't state that signed consent forms must be paper and ink — and there are a lot of skilful reasons to cull online forms. Non simply are they more convenient and incredibly secure, but online forms reduce paper consumption, which helps the environment.

Online FERPA forms from Jotform meet the highest standards of data security to safely protect pupil records during transmission. And Jotform has a long history of working with educational institutions to simplify all sorts of processes, both in the classroom and in authoritative offices. We even offer a 50-per centum discount on paid plans for educators. If you're ready to start collecting FERPA signed consent forms digitally, sign up for Jotform today.

This article is originally published on Aug 31, 2020, and updated on December 08, 2021.

RECOMMENDED ARTICLES