FERPA Compliance: Building a Program for Educational Institutions

The Family Educational Rights and Privacy Act gives parents and eligible students control over education records and restricts how schools can disclose student information. Violations can result in loss of federal funding—a consequence that affects virtually every school receiving Department of Education funds.

This guide covers what FERPA actually requires, who has rights under the law, what disclosures are permitted without consent, and practical steps for building a compliant records management program.

What FERPA Covers

FERPA applies to all educational institutions receiving federal funding from the Department of Education. This includes public K-12 schools, most private schools, colleges, universities, and vocational schools. The law creates two categories of requirements: rights granted to parents and students, and restrictions on institutional disclosure of education records.

Education Records Defined

Education records include any records directly related to a student that the school maintains. This encompasses transcripts, grades, class schedules, discipline records, financial aid information, and enrollment status. The definition is broad—if it identifies a student and the school keeps it, FERPA likely covers it.

Records explicitly excluded from FERPA protection include sole possession records (notes kept by a single staff member not shared with others), law enforcement records maintained by campus police, employment records for students employed by the school, medical records covered by HIPAA, and records created after the student is no longer enrolled.

Who Has Rights

Rights belong to parents while students are under 18 and attending K-12 schools. Rights transfer to students when they turn 18 or enroll in postsecondary education—these students become “eligible students.” After transfer, parents lose automatic access to records unless the student provides written consent or the student is claimed as a dependent for tax purposes.

The Four Core Rights Under FERPA

FERPA establishes four fundamental rights that schools must honor.

Right to inspect and review. Parents and eligible students can request access to education records. Schools must comply within 45 days. Schools cannot charge for access but may charge reasonable copying fees.

Right to request amendment. If records contain inaccurate or misleading information, parents and eligible students can request corrections. Schools must respond and, if they refuse, must offer a formal hearing. Students can add a statement to the record if the school denies the amendment request.

Right to consent to disclosure. Schools generally cannot release personally identifiable information from education records without written consent. The consent must specify what records can be released, to whom, and for what purpose.

Right to file complaints. Parents and eligible students can file complaints with the Department of Education’s Student Privacy Policy Office if they believe a school violated FERPA.

When Consent Isn’t Required

FERPA includes exceptions allowing disclosure without consent in specific circumstances. Understanding these exceptions prevents both over-restriction (refusing legitimate requests) and violations (disclosing when you shouldn’t).

School Officials with Legitimate Educational Interest

Schools can share records with employees, contractors, and volunteers who need access to perform their job functions. This exception requires a defined policy specifying who qualifies as a school official and what constitutes legitimate educational interest. Schools must include this policy in their annual FERPA notification.

Transfer to Another School

Records can transfer to schools where the student seeks or intends to enroll. Schools must make a reasonable attempt to notify the parent or eligible student of the transfer and provide a copy of the records if requested.

Directory Information

Schools can designate certain information as “directory information” and release it without consent. Typical directory information includes name, address, phone number, email, photograph, date and place of birth, grade level, enrollment status, participation in activities and sports, and degrees and honors received.

Critical requirement: Schools must give parents and eligible students the opportunity to opt out of directory information disclosure. The annual notification must explain what the school considers directory information and how to opt out.

Other Exceptions

Additional disclosure exceptions include compliance with judicial orders or subpoenas (with notification to parent/student in most cases), health and safety emergencies where disclosure is necessary to protect the student or others, state and local education authorities for audit or evaluation purposes, and organizations conducting studies on behalf of the school.

Annual Notification Requirements

Schools must annually notify parents and eligible students of their FERPA rights. The notification must include the right to inspect and review records, the right to request amendment, the right to consent to disclosure (with exceptions), the right to file complaints with the Department of Education, and the school’s criteria for determining school officials and legitimate educational interest.

Schools have flexibility in how they provide notification—student handbooks, mailings, school websites, or newsletters all satisfy the requirement as long as notification reasonably reaches all parents and eligible students.

Record Retention and Destruction

FERPA doesn’t specify retention periods—state law typically governs how long schools must keep records. However, FERPA does restrict destruction: schools cannot destroy records if there’s an outstanding request to inspect them.

When destroying records, schools must ensure complete destruction. Shredding paper records and securely wiping electronic records prevents unauthorized access to discarded student information.

FERPA and Other Privacy Laws

FERPA intersects with other privacy regulations that schools must navigate.

HIPAA. Student health records maintained by the school are generally education records under FERPA, not HIPAA. Records maintained by healthcare providers (including school nurses in some circumstances) may fall under HIPAA instead. The distinction depends on who maintains the records and in what capacity.

State privacy laws. Many states have additional student privacy requirements beyond FERPA. California’s Student Online Personal Information Protection Act (SOPIPA), for example, restricts how educational technology vendors can use student data. Compliance requires understanding both federal and state obligations.

COPPA. The Children’s Online Privacy Protection Act governs collection of personal information from children under 13 by websites and online services. Schools using educational technology with young students must ensure vendors comply with COPPA or obtain appropriate consent.

Enforcement and Penalties

The Department of Education enforces FERPA through the Student Privacy Policy Office. Enforcement typically involves complaint investigation and, if violations are found, requiring schools to take corrective action.

The ultimate penalty is withdrawal of federal funding—a severe consequence that rarely occurs because schools typically remediate violations when identified. However, the funding threat gives the Department significant leverage to compel compliance.

FERPA doesn’t provide a private right of action. Parents and students cannot sue schools directly for FERPA violations. However, violations may support other legal claims, and reputational damage from publicized violations can significantly impact institutions.

Common FERPA Violations

Understanding typical violations helps schools build controls that prevent them.

Improper disclosure to parents after rights transfer. Once a student turns 18 or enrolls in postsecondary education, parents no longer have automatic access. Schools that release records to parents without student consent violate FERPA, even for well-intentioned reasons.

Posting grades publicly. Posting grades by name, student ID, or Social Security number violates FERPA. Even posting by partial student ID may violate the law if students can identify each other.

Discussing students in public settings. Conversations about student performance, behavior, or records in hallways, faculty lounges, or social settings can constitute unauthorized disclosure if overheard.

Email and fax errors. Sending records to the wrong recipient—mistyped email addresses or incorrect fax numbers—constitutes unauthorized disclosure. Schools need verification procedures before transmitting sensitive records.

Directory information without opt-out. Releasing directory information without first offering opt-out opportunities violates FERPA, even though the information itself is less sensitive.

Inadequate access controls. Failing to restrict system access to those with legitimate educational interest exposes records to unauthorized viewing. Technical controls must match policy requirements.


FERPA Compliance Made Easy

Educational institutions face increasing complexity in managing student data across multiple systems, vendors, and operational contexts. IT GOAT provides comprehensive support for schools building and maintaining FERPA compliance programs.

Policy development creates institution-specific FERPA policies that address your operational reality, not generic templates that miss your actual practices.

Technical implementation deploys access controls, encryption, audit logging, and secure communication tools that enforce FERPA requirements across your technology environment.

Training programs equip staff at all levels with practical FERPA knowledge relevant to their roles, from front-office staff handling parent requests to IT administrators managing system access.

Building a FERPA Compliance Program

Effective compliance requires systematic attention to policies, training, and technical controls.

Policy Development

Start with a comprehensive FERPA policy that defines education records for your institution, specifies who qualifies as a school official, articulates what constitutes legitimate educational interest, identifies directory information categories, establishes opt-out procedures and deadlines, and documents consent and disclosure procedures.

Review policies annually and update when regulations change or operational practices evolve.

Staff Training

Everyone who accesses student records needs FERPA training—not just the registrar’s office. Teachers, counselors, coaches, administrative staff, and IT personnel all handle student information. Training should cover what information is protected, when disclosure is permitted, how to handle requests from parents and students, and how to recognize and report potential violations.

Annual refresher training maintains awareness and addresses new staff who join mid-year.

Technical Controls

Technology must enforce FERPA requirements. Access controls should limit record access to those with legitimate educational interest—role-based access prevents over-broad permissions. Audit logging tracks who accesses what records and when, supporting both compliance verification and incident investigation.

Encryption protects records in transit and at rest. Secure disposal procedures ensure electronic records are unrecoverable when no longer needed.

Documentation and Audit

Maintain records of consent forms, disclosure logs, access requests, and policy acknowledgments. This documentation demonstrates compliance and supports response if complaints arise.

Regular audits verify that practices match policies. Review access logs for inappropriate access, test opt-out procedures, and verify that annual notifications reach their intended audience.
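The two controls described above, role-based access limited to legitimate educational interest and an audit log that is then reviewed for inappropriate access, can be shown together in a small model. The following is an added example, not code from the original article or from IT GOAT: the role-to-record-type policy, the staff names, and the student records are all constructed for illustration, and a real institution's policy (as required in its annual notification) defines its own roles and interests.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed policy: which record types each role has a legitimate
# educational interest in. Real policies are institution-specific.
POLICY: Dict[str, Set[str]] = {
    "registrar": {"transcript", "grades", "enrollment", "directory"},
    "advisor": {"grades", "enrollment", "directory"},  # only for assigned advisees
    "coach": {"enrollment", "directory"},               # only for assigned athletes
    "it_admin": set(),  # maintains systems; no interest in record contents
}

# Roles whose interest exists only for students they are assigned to.
RELATIONSHIP_SCOPED: Set[str] = {"advisor", "coach"}


@dataclass
class Student:
    student_id: str
    directory_opt_out: bool       # parent/eligible student opted out of directory release
    records: Dict[str, str]       # record_type -> content (constructed)


@dataclass
class AuditEntry:
    ts: str
    actor: str
    role: str
    student_id: str
    record_type: str
    decision: str                 # "allowed" or "denied"
    reason: str


@dataclass
class RecordsSystem:
    students: Dict[str, Student]
    assignments: Dict[str, Set[str]]  # actor -> student_ids they are assigned to
    audit_log: List[AuditEntry] = field(default_factory=list)

    def _log(self, actor: str, role: str, sid: str, rtype: str,
             decision: str, reason: str) -> None:
        # Every attempt is logged, allowed or denied: who, what, when, and why.
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                         actor, role, sid, rtype, decision, reason))

    def access(self, actor: str, role: str, student_id: str,
               record_type: str) -> Optional[str]:
        """Return the record only if the actor has legitimate educational interest."""
        if student_id not in self.students:
            self._log(actor, role, student_id, record_type, "denied", "unknown student")
            return None
        if record_type not in POLICY.get(role, set()):
            self._log(actor, role, student_id, record_type, "denied",
                      "role has no interest in this record type")
            return None
        if role in RELATIONSHIP_SCOPED and student_id not in self.assignments.get(actor, set()):
            self._log(actor, role, student_id, record_type, "denied",
                      "actor not assigned to this student")
            return None
        self._log(actor, role, student_id, record_type, "allowed",
                  "legitimate educational interest")
        return self.students[student_id].records.get(record_type)

    def directory_release(self, requester: str, student_id: str) -> Optional[str]:
        """Release directory information without consent, honoring the opt-out."""
        student = self.students.get(student_id)
        if student is None or student.directory_opt_out:
            self._log(requester, "external", student_id, "directory", "denied",
                      "no such student or directory opt-out on file")
            return None
        self._log(requester, "external", student_id, "directory", "allowed",
                  "directory information, no opt-out")
        return student.records.get("directory")


def review_audit_log(log: List[AuditEntry]) -> Dict[str, int]:
    """Audit step: count denied attempts per actor so repeated ones get follow-up."""
    counts: Dict[str, int] = {}
    for entry in log:
        if entry.decision == "denied":
            counts[entry.actor] = counts.get(entry.actor, 0) + 1
    return counts


def build_demo_system() -> RecordsSystem:
    # Constructed sample data; no real students.
    students = {
        "S1001": Student("S1001", False, {"grades": "A, B+", "transcript": "term 1",
                                          "enrollment": "enrolled",
                                          "directory": "Jane Doe, jdoe@example.edu"}),
        "S1002": Student("S1002", True, {"grades": "B", "enrollment": "enrolled",
                                         "directory": "John Roe, jroe@example.edu"}),
    }
    assignments = {"advisor_kim": {"S1001"}, "coach_lee": {"S1002"}}
    return RecordsSystem(students, assignments)


if __name__ == "__main__":
    system = build_demo_system()
    system.access("advisor_kim", "advisor", "S1002", "grades")   # denied: not assigned
    system.access("it_admin_bob", "it_admin", "S1001", "grades")  # denied: no interest
    print(review_audit_log(system.audit_log))
```

The point of the model is that the access decision and the log entry are produced by the same code path, so the audit reviewer sees denied attempts as well as successful ones; a role with system privileges (the `it_admin` entry) is deliberately given no interest in record contents, matching the article's warning that technical controls must match policy rather than exceed it.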


FAQ

Private schools that receive federal funding must comply with FERPA. Most private K-12 schools don’t receive direct federal funding and aren’t subject to FERPA, though they may still be bound by state privacy laws. Private colleges and universities typically receive federal financial aid funds and must comply.

Generally no, unless the student provides written consent or is claimed as a tax dependent. FERPA rights transfer to students at age 18 or upon enrollment in postsecondary education. Schools may—but aren’t required to—disclose records to parents of dependent students.

The Department of Education investigates complaints and can require corrective action. Repeated or severe violations can result in loss of federal funding, though this penalty is rarely imposed. More commonly, schools face reputational damage and must implement remediation measures.

Student emails maintained by the school are generally education records if they’re directly related to a student. However, FERPA doesn’t give students or parents the right to access all emails—only those that constitute education records. Transactional emails may not qualify.

FERPA doesn’t specify retention periods—state law governs. However, schools cannot destroy records while a request to inspect them is pending. Check your state’s retention requirements for specific guidance.


Protect Student Data with FERPA Compliance

FERPA gives parents and eligible students control over education records while restricting institutional disclosure, including:

  • Right to inspect and review records within 45 days
  • Right to request amendment of inaccurate information
  • Right to consent to disclosure of personally identifiable information
  • Annual notification requirements for families


These requirements apply to all educational institutions receiving federal funding—public K-12 schools, colleges, universities, and vocational schools.

The ultimate penalty is withdrawal of federal funding. Violations also create reputational damage and may support other legal claims.

Connect with IT GOAT to build compliant systems that protect student privacy.