Lena Radosavljevic | 06 Nov 2020 | 6 min read

What Are the Key Principles of FERPA?

With the surge of new tech solutions in the education industry, it has become more challenging to protect the incredible amount of student data. The Family Educational Rights and Privacy Act (FERPA) is the U.S. education law enacted in 1974 that regulates the use of student records, who has the access, and what data and when can it be disclosed for public purposes.

Since then, education institutions are obliged to follow FERPA requirements that guarantee the security and legitimate use of students' records. Parents and students are afforded certain rights that give them more control over their data. However, the way institutions establish FERPA compliance has changed.

Both industry leaders and respected schools and universities follow the latest tech trends in the education sector to employ the best solutions and attract more talents.

This plan has led to abandoning massive paperwork and successfully switching to electronic records that keep all the student data in one place. It is great that we now have  online student profiles; however, the risk of malicious attacks hasn’t disappeared, it has only moved to the digital sphere.  

Thus, it is essential for your organization’s success to establish procedures and add tools that guarantee the maxim safety and minimum loss. If you don’t incorporate FERPA  compliance within your official privacy policy, you may not only face penalties, it could be catastrophic in terms of the number of stolen records, damaged reputation, and reduced revenue.

1. The key definitions

FERPA was created with the goal to increase the safety of student records while empowering parents and students to practice their rights and introducing ways to implement FERPA compliance. To have a quality insight into how FERPA has impacted education, we should first define the key concepts related to authorized access to the student records.

There are always two basic authorized accessors. One accessor access is the educational institution. The other one is a parent, in case a student is underaged, or the student who has turned 18 years old or has enrolled in courses in a postsecondary institution at any age. But also a student who has turned 18 years old or has enrolled courses in a postsecondary institution at any age.

Under FERPA law, a student is any person who regularly attends classes at an educational institution, physically, by correspondence, or from a distance using tech tools such as video conferencing and similar. That said, “student” does not refer to individuals who entered a specific school or university but do not attend classes.

FERPA law prohibits disclosure of students’ personal information to any third party, regardless of the medium used to transmit the data, such as electronically, by hand, or by mail. However, in case of exceptions when there is a need to share student data with a third party, the educational institution must follow certain FERPA requirements to preserve the maximum security and confidentiality of the student data.

The third party is any organization or individual other than the educational institution, student or parent who already has access to the student data that is involved in the disclosure of a student’s records. When the institution shares student data they must ensure that subsequent actions taken by the third party toward students data disclosure follow the FERPA requirements.

2. Who needs to follow FERPA requirements?

According to FERPA, an educational institution is any federally funded organization which is a part of programs administered by the U.S. Department of Education. For instance, private and parochial schools at elementary and secondary levels don’t receive federal funding and are not subject to FERPA. However, postsecondary private schools usually receive funding and are subject to FERPA.

These and public educational institutions must develop specific methods and procedures for safeguarding and maintaining student data while following FERPA requirements. FERPA wasn’t put into force to completely stop the disclosure of student data just because there is a student name on the record. It is legislation created to protect student personal data and their status as a student.

2. What information is protected?

There are three types of student data that fall under FERPA law: educational information, personal identifiable information (PII), and directory information. PII is any student’s information pertaining to their data as a person and citizen, such as their Social Security number.

To disclose these kinds of data, educational institutions must receive consent from parents or students that outlines the reason for disclosure, which PII will be disclosed, and to whom the disclosure will be made. On the other hand, the disclosure of directory information is not prohibited. This kind of information relates to any kind of education data whose disclosure won’t be harmful or considered invasive to a student's privacy.  

The directory information implies data such as a student’s name, home addresses, or telephone number but also ID number as it can be used to gain access to a student record. To disclose directory information, an educational institution must send a 2 day notice to parents or students clearly noting the reason for disclosure and the third-party.

The meaning of educational information may be the trickiest one as it is still a litigation subject in the industry. FERPA defines educational information as information contained in educational records, which are all records, files, or documents or other material handled by an educational institution or an agency, or by a person representing these kinds of organizations. Those documents most often consist of information such as student GPA or grades.

This all may seem like a big burden to the educational institutions, which is why FERPA officials added a rule that enables institutions to process data that falls under the routine use of data category, or in other words, data that needs to be disclosed frequently.

Institutions are permitted to disclose such data only to designated parties. As you can see, even the regular use of data is regulated, thus be careful about using your student database.

3. What are the consumer rights?

FERPA lawmakers have granted certain rights to students and parents to give them more power regarding the control of student data use.

The set of student and parent rights include:

  • The right to inspect and review the student record: Students and parents must be allowed to examine a student record when they find it necessary. The institution doesn’t need to provide a copy of the data unless it is impossible to review it in any other way.
  • The right to correct records: Every student and parent can practice their right to correct student grade, exam date, or similar to rid the education record from false data. This right is good for both the institution and the students and parents, right?
  • Halting the disclosure of student PII: The student or their parents can stop the sharing of the student’s PII.
  • The right to request a copy of the institution's privacy and protection policy: Students and their parents must know how, why, and where the institution will collect education data.

Remember, for any disclosure you must obtain a written permission from authorized parties. Otherwise, your action will be considered a violation of FERPA.

4. The permitted data disclosures

FERPA allows educational institutions to disclose sensitive data from a student’s education record, without consent, under the following conditions or to the following parties:

  • Specified officials responsible for record evaluation processes
  • School officials with legitimate educational purpose of use
  • Educational institutions to which a student is transferring its record
  • Third-parties in connection with student financial aid
  • Entities conducting certain studies for, or on behalf of, the educational institution
  • Accrediting organizations
  • Designated officials in cases of safety and health emergencies
  • State and local authorities (within a juvenile justice system, in accordance with a specific state law)
  • Compliance with a lawfully issued subpoena or judicial order

5. FERPA penalties

By failing to establish FERPA compliance you risk losing many essential factors that make your institution sustainable and attractive to students. First, you can lose federal funding which is most often the key driver of a school’s performance.

Second, you may face a fine as low as 100$ and as high as $1.5 million depending on the nature of the FERPA violation, like whether it was a data breach or the institution’s negligence. It’s safe to assume that the latter costs a lot.

Lastly, you can lose the prestige you have been building for years, in other words lose multiple talents and resources that kept your institution respected and desirable. Once you lose public trust, it will become so much harder for parents and students to decide to choose your institution.

No one prefers attending a school where communication of student PII is not safe. To stay competitive and remain an institution with a good reputation that can skyrocket student careers, you need to employ the latest tech solutions that ensure the highest service quality.

Digital natives and their parents expect a helpdesk software solution that includes AI chat, Live Chat, a Helpcenter, and efficient automated ticketing system that makes the whole interaction and conversation quicker and more precise. There is no doubt that all of us want that in any online interaction, educational or otherwise.


Join 1000s of businesses in delivering customer support in the most secure way possible.

Get Started Now
  • No credit card required
  • 14 day free trial