Privacy Primer: Family Educational Rights and Privacy Act (FERPA)

FERPA is a U.S. law, passed in 1974, that protects the privacy of student educational records.  FERPA applies to all schools, from elementary schools to postsecondary education institutions, that receive federal funds under a program of the U.S. Department of Education.  FERPA and the regulations promulgated under it provide a right to inspect educational records, a right to request amendment of educational records, and a right to privacy of educational records.

First, the rights under FERPA apply to “educational records,” which are records that are directly related to a student and are maintained by the educational institution or by a party acting on the institution’s behalf.  Educational records, however, do not include, for example, personal notes, records of law enforcement units (i.e., campus police), or employment records of students who may also be employees of the institution.

The right to inspect educational records initially belongs to parents.  Once a student turns 18 or attends school beyond the high school level, he or she becomes an “eligible student,” and the inspection rights transfer from the parent to the student.

Parents or eligible students have a right to review the student’s educational records and request that the school amend records that they believe are inaccurate, misleading, or in violation of the privacy rights of the student.  If the school does not make a requested amendment, the parent or eligible student has a right to a formal hearing with the school.  If the school decides not to make the requested amendment after the hearing, the parent or eligible student has the right to place a statement in the record as to why he or she believes the information is inaccurate, misleading, or in violation of the privacy rights of the student.  Any time the school discloses the disputed part of the record, it must also disclose the parent or eligible student’s statement.

Covered institutions generally cannot disclose to a third party any personally identifiable information from an educational record of a student without the parent or eligible student’s written consent.  The written consent must specify the records that the institution can disclose, the purpose of the disclosure, and to whom the institution can make the disclosure.

Covered institutions, however, can disclose personally identifiable information from an educational record without written consent to the following parties for the following reasons:

  • To school officials who have a legitimate educational interest in the information
  • To officials of another school for purposes related to a student’s enrollment in or transfer to that school
  • To certain federal officials or state and local educational authorities
  • To appropriate parties in connection with a student’s application for financial aid
  • To organizations conducting studies for a school to develop, validate, or administer predictive tests, administer student aid programs, or improve instruction
  • To accrediting organizations
  • To comply with a judicial order or lawfully issued subpoena, after making a reasonable effort to notify the parent or eligible student of the order or subpoena before disclosure, so that the parent or eligible student may seek a protective order.
  • To appropriate parties in connection with a health or safety emergency
  • To comply with laws regarding registered sex offenders
  • To parents of eligible students at postsecondary education institutions who are under 21 and commit a disciplinary violation with respect to the use or possession of alcohol or a controlled substance
  • To appropriate parties in connection with disciplinary proceedings at postsecondary education institutions, provided that the student is an alleged perpetrator of a violent crime or non-forcible sex offense and has committed a violation of the institution’s rules or policies


Covered institutions can also disclose “directory information” without written consent.  Directory information consists of information that would not generally be considered an invasion of privacy if disclosed, such as a student’s name, address, telephone number, e-mail address, field of study, grade level, enrollment status, dates of attendance, or degrees, honors, and awards received.  Before disclosing directory information, however, the institution must give notice to parents and attending students as to what categories of information it consideres directory information and give them a reasonable opportunity to opt out of having any or all of those categories of information designated directory information for the particular student.

The Department of Education is responsible for enforcing FERPA.  There is no private right of action, but parents or eligible students who believe an institution has violated FERPA can file a complaint with the Department of Education’s Office of the Chief Privacy Officer.  The Office will investigate the claim and issue findings.  If it determines that the institution violated FERPA, it may set forth corrective actions that the institution must take.  If the institution fails to take such corrective actions within a reasonable time, as set by the Office, the Department can withhold further payments to the institution or terminate the institution’s eligibility to receive funding under any Department program.

About The Author
Tagged with: ,
Posted in Privacy
About Cyber Law Monitor
In the new digital world, individuals and businesses are almost entirely dependent on computer technology and electronic communications to function on a daily basis. Although the power of modern technology is a source of opportunity and inspiration—it also poses huge challenges, from protecting privacy and securing proprietary data to adhering to fast-changing statutory and regulatory requirements. The Cyber Law Monitor blog covers privacy, data security, technology, and cyber space. It tracks major legal and policy developments and provides analysis of current events.
Subscribe For Updates


Cozen O’Connor Blogs