FERPA Compliance for Education

This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. Education privacy regulations and requirements evolve — consult a qualified compliance professional about your specific situation.


You work in education — K-12 administration, higher education IT, or you develop software that schools use. A parent just requested access to all the records you keep about their child. Or a teacher is asking whether they can share student grades with a parent through email. Or you're implementing a new learning management system and the vendor's data handling practices are raising questions about FERPA compliance.

FERPA — the Family Educational Rights and Privacy Act — is education's privacy law. It's older than HIPAA (1996) and narrower in scope. It's been around since 1974, which means it predates most modern thinking about privacy and data protection. Despite its age, FERPA remains the foundational privacy requirement for schools and educational institutions, and it creates obligations that often trip up administrators who misunderstand what the law actually requires versus the myths that have accumulated around it over decades.

Understanding FERPA is essential if you work in education or sell technology to schools. The law grants students and parents powerful privacy rights, restricts how schools can share educational records, and imposes consequences for violations that include loss of federal education funding — potentially devastating for schools. But FERPA is also less technically prescriptive than HIPAA, which creates both flexibility and ambiguity.

What FERPA Covers: Educational Records and Personally Identifiable Information

FERPA applies to any educational record that's directly related to a student and is kept by a school or educational agency. This includes grades, test scores, attendance records, health and vaccination records, special education records, disciplinary records, and any other information documenting a student's educational experience. It also covers records that contain personally identifiable information linked to a student — a spreadsheet with student names and test scores is an educational record under FERPA.

The definition is broad enough to include digital records, spreadsheets, databases, even photographs if they identify a student. If it's about a student, kept by a school, and can be used to identify or track that student, it's an educational record under FERPA.

One important boundary: FERPA covers educational records, not all information schools keep. Records kept purely for personal reasons (a teacher's private notes that aren't shared with anyone) aren't educational records. Records from law enforcement that are kept separately from educational records aren't educational records. But this boundary is narrower than many schools think. Most information schools keep about students qualifies as educational records.

Another important point: FERPA applies to schools that receive federal education funding. Nearly all public schools and many private schools receive federal funding, so they're in scope. A small private school that receives no federal funding isn't subject to FERPA, but this is rare. If you're working in education, assume FERPA applies unless you've specifically verified otherwise.

Student Rights and Parental Rights

FERPA grants students and parents the right to access educational records. For students under 18, parents generally have this right. Once a student turns 18 or enrolls in postsecondary education, the rights transfer to the student (except in specific circumstances involving financial aid or medical records). The right to access means the student or parent can see what's in the record, who has access to it, and what the school knows about that student.

This right sounds simple until you realize the operational implications. If a parent requests access to their child's educational records, the school is required to provide copies within a reasonable timeframe (FERPA doesn't specify an exact number of days, but practice suggests 15-45 days depending on the school's interpretation). The school can't restrict what they show — it's all the records, including notes teachers have written about the student's behavior or progress.

FERPA also grants the right to request correction of inaccurate information. If a student's record contains a grade that was recorded incorrectly, or a description of behavior that the student disputes, the student or parent can request correction. If the school doesn't agree the information is inaccurate, the student or parent can request a hearing. This process is administrative, not quick, but the right to contest inaccurate records is powerful.

Most importantly for schools, FERPA restricts the disclosure of educational records to third parties without consent. A school can't share student records with a third party without written consent from the student (if the student is old enough) or parent (if the student is under 18). There are exceptions, but the default is that sharing requires consent.

Exceptions to Disclosure: Legitimate Educational Interest and More

The disclosure restrictions include important exceptions that many schools misunderstand. Schools often assume FERPA prohibits all information sharing, when in fact there are legitimate reasons schools can share information without consent.

The biggest exception is "legitimate educational interest." A school employee who has a legitimate educational interest in a student's record can access that record without consent. A teacher needs to know a student's grades, attendance, and behavior to teach effectively. That's legitimate educational interest. A school counselor needs to know about a student's health and disability status to provide effective counseling. That's legitimate educational interest. The dean of students needs to know about a student's disciplinary history to maintain school safety. That's legitimate educational interest.

What counts as legitimate educational interest varies by role. A teacher doesn't have legitimate educational interest in accessing the records of every student in the school — only the students she teaches. The dean of students has interest in disciplinary records across the school. The IT director has interest in accessing student information to manage IT systems. Each role's legitimate interest is defined differently.

Many schools restrict legitimate educational interest too tightly out of caution. They make it harder for teachers to access even their own students' grades or attendance records without written consent, thinking they're protecting privacy. In reality, they're over-complying and creating operational friction.

Other exceptions include school-to-school transfers (a school can share records when a student transfers without consent), certain health and safety emergencies (if a student has a medical condition that poses risk, staff who need to know can be informed), disclosure to the Department of Education for compliance audits, and disclosure when there's a court order or subpoena.

The practical reality is that schools can share student records more broadly than many assume, as long as they can articulate a legitimate basis for the sharing.

When consent is required, schools must obtain written consent before sharing educational records. FERPA specifies what consent must include: the records being released, the purpose of the release, and identification of the party to whom records will be released. A school can't get blanket consent for all future sharing — consent is specific to each release.

This creates operational complexity for schools. If a parent wants their child's school records sent to a doctor, the school needs written consent. If a teacher wants to discuss a student's progress with a parent over email, that's not sharing an educational record — it's teacher-parent communication. But if the school is sharing official records, consent is needed.

Schools often get consent as part of enrollment or at the start of each year. A form might say "I consent to sharing my child's educational records with physicians, counselors, and other educational institutions as needed for educational purposes." Consent written that broadly may not satisfy FERPA's requirement that each release be specific. Consent written too narrowly means parents must provide new consent for each type of sharing.

Understanding FERPA's exceptions means understanding that not every instance of information sharing requires consent. Schools that understand legitimate educational interest can operate more flexibly. Schools that misunderstand FERPA often become overly restrictive, which creates educational friction.

Security and Confidentiality: What FERPA Actually Requires

This is where FERPA diverges significantly from HIPAA or SOC 2. FERPA is primarily about privacy and access rights, not security. The law doesn't prescribe specific technical controls. It doesn't require encryption. It doesn't require multifactor authentication. It doesn't require security monitoring.

What FERPA does require is that schools implement "reasonable" safeguards to protect educational records from unauthorized access and disclosure. What counts as reasonable is ambiguous and has been debated in litigation. Some courts have suggested that basic security measures are reasonable. Others have suggested that more robust safeguards are necessary depending on what data is at risk.

Many schools now use the NIST Cybersecurity Framework or SOC 2 controls as their guide for what "reasonable" means under FERPA, even though FERPA doesn't explicitly require either. This creates a practical baseline: if your security practices align with NIST or SOC 2, you're likely meeting FERPA's reasonableness standard.

But FERPA doesn't require SOC 2 or NIST. A small rural school with limited IT resources can meet FERPA's requirements with basic controls: locked filing cabinets for paper records, password-protected access to digital systems, regular backups, incident response procedures. The controls should be appropriate to the school's size and risk level.

This ambiguity creates both flexibility and risk. Schools have flexibility in how they implement safeguards. But the ambiguity also means enforcement can be unpredictable — what regulators deem reasonable may differ from case to case.

Enforcement and Consequences

FERPA is enforced by the Department of Education's Family Policy Compliance Office (FPCO). The enforcement mechanism is different from most compliance frameworks. The FPCO receives complaints from students or parents, investigates, and if it finds violations, can require schools to implement corrective action plans.

Unlike HIPAA, FERPA doesn't impose direct financial penalties on schools. The consequence for violating FERPA is the threat of losing federal education funding. For schools, particularly public schools that depend on federal funding for substantial portions of their budgets, this threat is severe. The loss of federal education funding could be catastrophic.

Practically, the FPCO investigates complaints, determines whether violations occurred, and issues findings. If violations are found, the school is required to develop a corrective action plan. The FPCO monitors the school's implementation of the plan. If the school doesn't comply, the FPCO can recommend that the Department of Education enforce through loss of funding.

This enforcement mechanism is slower and less direct than HIPAA or SOC 2 enforcement, but the potential consequences are severe enough to take seriously.

Vendors and Technology Providers: FERPA Obligations

This is where many technology vendors are caught off guard. If you're a software company providing a learning management system, grade book system, or any tool that handles educational records, you're bound by FERPA. Schools are responsible for vendor compliance with FERPA, which means vendors can be caught in the regulatory net even if they don't directly employ anyone in education.

The practical implication is that if you're selling to schools, you need to understand FERPA and ensure your systems handle educational records appropriately. Schools will ask whether your systems meet FERPA requirements. They'll ask about data security, data retention, and data sharing practices. They'll require contractual commitments that you'll meet FERPA standards.

Written contracts addressing FERPA are essential but often missing. Many vendors don't have FERPA language in their standard terms. Schools don't always require it. But when a breach or compliance issue occurs, the absence of clear contractual language creates problems.

Vendors should ensure their contracts with schools include FERPA language. Specifically: acknowledgment that student data is educational records under FERPA, commitment to use the data only for the purposes specified by the school, commitment to implement reasonable safeguards, commitment to honor student and parent access rights, and commitment to delete or return data when the relationship ends.

Common FERPA Misconceptions

Many misconceptions about FERPA persist and lead schools to over-comply or under-comply in unhelpful ways. Understanding what FERPA actually requires versus what myths suggest is important.

Misconception: FERPA requires encryption. Truth: FERPA doesn't require encryption specifically. It requires reasonable safeguards. Encryption helps demonstrate reasonable safeguards, but it's not mandatory. A school that uses strong passwords, access controls, and regular backups might meet the reasonableness standard without encryption.

Misconception: FERPA prohibits all email communication about students. Truth: FERPA doesn't prohibit email. Teachers communicate about students via email regularly. What FERPA prohibits is sharing official educational records without consent. Teacher-parent email about student progress is communication, not sharing educational records. The distinction is subtle but important.

Misconception: FERPA requires written consent for any information sharing. Truth: Legitimate educational interest and other exceptions allow sharing without consent. Schools often require written consent where FERPA doesn't mandate it, creating unnecessary friction.

Misconception: FERPA applies to all school information. Truth: FERPA applies to educational records — information kept by schools that relates to students' education. Schools also keep other information (visitor logs, facility security records, personnel files) that isn't covered by FERPA.

Misconception: Schools must keep all records forever. Truth: FERPA doesn't mandate record retention periods. Schools can delete records after they're no longer needed, as long as they honor legal hold requirements and maintain records for statutory periods. Many schools warehouse records indefinitely out of caution, but FERPA doesn't require this.

Understanding what FERPA actually requires versus what schools assume it requires is the foundation for reasonable compliance.

FERPA Compliance for Educational Institutions

For schools, FERPA compliance means clearly understanding your student privacy obligations, ensuring your administrative systems handle educational records appropriately, being able to honor student and parent access rights, and implementing safeguards appropriate to your size and risk level.

Start by understanding what counts as educational records. Nearly everything your school keeps about students is covered. Ensure staff understand FERPA obligations. Many FERPA violations occur because staff don't understand the law's requirements or exceptions.

Build processes for responding to access requests. Parents and students will request access to records. Develop a process for fulfilling these requests within a reasonable timeframe and providing all requested information.

Assess your vendor ecosystem. If you use third-party systems that handle educational records, ensure you have FERPA language in your contracts and reasonable confidence that vendors are meeting FERPA standards.

Implement safeguards appropriate to your school. You don't need enterprise-grade security, but you do need reasonable protections. Basic access controls, regular backups, secure deletion, and incident response procedures are foundational.

The practical reality of FERPA compliance is that it's less about meeting specific technical standards and more about respecting student and parent rights to privacy and access, implementing reasonable safeguards, and being able to explain your practices if FERPA comes into question.


Fully Compliance provides educational content about IT compliance and education regulations. This article reflects general information about FERPA as of its publication date. Regulations, penalties, and requirements evolve — consult a qualified compliance professional for guidance specific to your institution.