FERPA Compliance for Education

Reviewed by Sarah Mitchell, Ed.D., CIPP/US

FERPA is education's foundational privacy law, granting students and parents rights to access and correct educational records while restricting disclosure to third parties without consent. It applies to virtually every school receiving federal funding. Unlike HIPAA, FERPA prescribes no specific technical controls — only "reasonable" safeguards. The enforcement consequence is loss of federal education funding, which makes it existential for public schools.


You work in education — K-12 administration, higher education IT, or you develop software that schools use. A parent just requested access to all the records you keep about their child. Or a teacher is asking whether they can share student grades with a parent through email. Or you're implementing a new learning management system and the vendor's data handling practices are raising questions about FERPA compliance.

FERPA — the Family Educational Rights and Privacy Act — is education's privacy law. It's been around since 1974, which means it predates most modern thinking about privacy and data protection. Despite its age, FERPA remains the foundational privacy requirement for schools and educational institutions, creating obligations that often trip up administrators who misunderstand what the law actually requires versus what myths have accumulated over decades. The law grants students and parents powerful privacy rights, restricts how schools share educational records, and imposes consequences that include loss of federal education funding — devastating for schools. But FERPA is also less technically prescriptive than HIPAA, which creates both flexibility and ambiguity.

FERPA covers any record about a student kept by a school receiving federal funds

FERPA applies to any educational record directly related to a student and kept by a school or educational agency. This includes grades, test scores, attendance records, health and vaccination records, special education records, disciplinary records, and any other information documenting a student's educational experience. It also covers records containing personally identifiable information linked to a student — a spreadsheet with student names and test scores is an educational record under FERPA. The definition is broad enough to include digital records, spreadsheets, databases, and photographs if they identify a student.

One important boundary: FERPA covers educational records, not all information schools keep. Records kept purely for personal reasons (a teacher's private notes never shared with anyone) aren't educational records. Records from law enforcement kept separately from educational records aren't covered. But this boundary is narrower than many schools think. Most information schools keep about students qualifies.

FERPA applies to schools that receive federal education funding. Nearly all public schools and many private schools receive federal funding, so they're in scope. A small private school receiving no federal funding isn't subject to FERPA, but this is rare. If you're working in education, assume FERPA applies unless you've specifically verified otherwise. According to HHS and Department of Education data, educational institutions reported over 1,300 data security incidents affecting student records between 2016 and 2023 — and each incident potentially triggers FERPA obligations on top of state breach notification requirements.

Parents control access until age 18 — then rights transfer to the student

FERPA grants students and parents the right to access educational records. For students under 18, parents generally have this right. Once a student turns 18 or enrolls in postsecondary education, the rights transfer to the student. The right to access means the student or parent can see what's in the record, who has access to it, and what the school knows about that student.

If a parent requests access to their child's educational records, the school must provide copies within a reasonable timeframe — practice suggests 15-45 days depending on the school's interpretation. The school cannot restrict what they show; it's all the records, including notes teachers have written about the student's behavior or progress.

FERPA also grants the right to request correction of inaccurate information. If a student's record contains an incorrect grade or a disputed behavioral description, the student or parent can request correction. If the school disagrees, the student or parent can request a hearing. The process is administrative, not quick, but the right to contest inaccurate records is enforceable.

Most importantly, FERPA restricts disclosure of educational records to third parties without consent. A school cannot share student records with a third party without written consent from the student (if old enough) or parent (if under 18). There are exceptions, but the default is that sharing requires consent.

Legitimate educational interest allows more sharing than most schools realize

The disclosure restrictions include important exceptions that many schools misunderstand, often assuming FERPA prohibits all information sharing when it does not.

The biggest exception is "legitimate educational interest." A school employee with a legitimate educational interest in a student's record can access it without consent. A teacher needs to know a student's grades, attendance, and behavior to teach effectively — that's legitimate educational interest. A school counselor needs to know about a student's health and disability status for effective counseling. The dean of students needs disciplinary history for school safety. Each role's legitimate interest is defined differently, and a teacher doesn't have legitimate interest in every student's records — only the students she teaches.

Many schools restrict this exception more than the law requires, demanding written consent before teachers can view records of the students they actually teach. In reality, they're over-complying and creating operational friction that impedes education.

Other exceptions include school-to-school transfers (records can be shared when a student transfers without consent), health and safety emergencies (staff who need to know about medical conditions posing risk can be informed), disclosure to the Department of Education for compliance audits, and disclosure pursuant to court orders or subpoenas. The practical reality is that schools can share student records more broadly than many assume, as long as they can articulate a legitimate basis.

When consent is required, schools must obtain written consent specifying the records being released, the purpose of the release, and identification of the receiving party. A school cannot get blanket consent for all future sharing — consent is specific to each release.

This creates operational complexity. If a parent wants records sent to a doctor, written consent is needed. If a teacher discusses a student's progress with a parent over email, that's teacher-parent communication, not sharing an official educational record. But if the school is sharing official records, consent is required.

Schools often collect consent as part of enrollment or at the start of each year, but if that consent is too broad it may not be specific enough to be valid; if too narrow, parents may need to provide new consent for each type of sharing. Understanding FERPA's exceptions means understanding that not every instance of information sharing requires consent. Schools that understand legitimate educational interest operate more flexibly. Schools that misunderstand FERPA become overly restrictive, creating friction that undermines educational objectives.
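To make the disclosure rules in this section concrete, the Python below is an added example written for this article (not a tool the law, the Department of Education, or any school provides). It models who may see a record and on what basis: rights transfer at 18 or postsecondary enrollment, role-scoped legitimate educational interest (a teacher only for her own roster), the listed exceptions, and written consent that must name the records, purpose and recipient, so blanket consent never matches. The role-to-category mapping and the names `Student`, `Consent`, `Requester` and `may_disclose` are assumptions.

```python
# Constructed policy model of the disclosure rules described above, not official FERPA code.
from dataclasses import dataclass, field

ROLE_INTEREST = {  # assumed mapping: record categories each role legitimately needs
    "teacher": {"grades", "attendance", "behavior"},
    "counselor": {"health", "disability", "grades"},
    "dean": {"discipline", "attendance"},
}
EXCEPTIONS = {"transfer", "emergency", "ed_audit", "court_order"}

@dataclass
class Student:
    student_id: str
    age: int
    postsecondary: bool = False  # rights move to the student at 18 or on enrollment

@dataclass
class Consent:  # written consent is specific: named records, purpose and recipient
    student_id: str
    records: frozenset
    purpose: str
    recipient: str

@dataclass
class Requester:
    identity: str
    role: str                # student, parent, teacher, counselor, dean, third_party
    of_student: str = ""     # student/parent: whose record they hold rights to
    assigned: frozenset = field(default_factory=frozenset)  # a teacher's own roster
    exception: str = ""      # one of EXCEPTIONS, when claimed
    purpose: str = ""

def may_disclose(student: Student, category: str, req: Requester, consents=()) -> tuple:
    """Return (allowed, basis) for releasing one record category to a requester."""
    holder = "student" if student.age >= 18 or student.postsecondary else "parent"
    if req.role in ("student", "parent") and req.of_student == student.student_id:
        return (True, "access right") if req.role == holder else (False, f"rights held by {holder}")
    if req.role in ROLE_INTEREST:
        in_scope = req.role != "teacher" or student.student_id in req.assigned  # own roster only
        if in_scope and category in ROLE_INTEREST[req.role]:
            return True, "legitimate educational interest"
        return False, "no legitimate educational interest"
    if req.exception in EXCEPTIONS:
        return True, f"exception: {req.exception}"
    for c in consents:  # blanket consent (empty records) never matches
        if (c.student_id == student.student_id and category in c.records
                and c.purpose == req.purpose and c.recipient == req.identity):
            return True, "written consent"
    return False, "consent required"
```

The returned basis is what an access log should record, so that each release can later be tied to the right, interest, exception or consent that justified it.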

FERPA requires "reasonable" safeguards — not specific technical controls

This is where FERPA diverges significantly from HIPAA or SOC 2. FERPA is primarily about privacy and access rights, not security. The law does not prescribe specific technical controls, does not require encryption, does not require multifactor authentication, and does not require security monitoring.

What FERPA requires is that schools implement "reasonable" safeguards to protect educational records from unauthorized access and disclosure. What counts as reasonable is ambiguous and has been debated in litigation. Many schools now use the NIST Cybersecurity Framework or SOC 2 controls as guidance for what "reasonable" means, even though FERPA doesn't explicitly require either.

A small rural school with limited IT resources can meet FERPA's requirements with basic controls: locked filing cabinets for paper records, password-protected access to digital systems, regular backups, and incident response procedures. The controls should be appropriate to the school's size and risk level. This ambiguity creates both flexibility and risk — what regulators deem reasonable in one case may differ from another.

The 2024 Verizon DBIR found that the education sector experienced a significant increase in ransomware attacks, with 30% of education breaches involving ransomware. Schools that rely on minimal security controls face growing exposure, and "reasonable" safeguards will increasingly need to include protections against these specific threat vectors.

Enforcement means potential loss of federal funding — not direct fines

FERPA is enforced by the Department of Education's Family Policy Compliance Office (FPCO). The enforcement mechanism is different from most compliance frameworks. The FPCO receives complaints, investigates, and if it finds violations, requires corrective action plans.

Unlike HIPAA, FERPA does not impose direct financial penalties on schools. The consequence for violating FERPA is the threat of losing federal education funding. For public schools that depend on federal funding for substantial portions of their budgets, this threat is severe — potentially catastrophic. The FPCO investigates complaints, determines whether violations occurred, issues findings, and monitors corrective action. If the school doesn't comply, the FPCO can recommend that the Department of Education enforce through funding loss.

This enforcement mechanism is slower and less direct than HIPAA or SOC 2 enforcement, but the potential consequences are severe enough to take seriously.

Vendors and EdTech companies are bound by FERPA through their school contracts

If you're a software company providing a learning management system, grade book system, or any tool that handles educational records, you're bound by FERPA. Schools are responsible for vendor compliance, which means vendors get caught in the regulatory net even if they don't directly employ anyone in education.

If you're selling to schools, you need to understand FERPA and ensure your systems handle educational records appropriately. Schools will ask whether your systems meet FERPA requirements — data security, retention, and sharing practices. They'll require contractual commitments.

Vendor contracts should include FERPA language: acknowledgment that student data constitutes educational records under FERPA, commitment to use data only for school-specified purposes, commitment to implement reasonable safeguards, commitment to honor student and parent access rights, and commitment to delete or return data when the relationship ends. Many vendors don't have FERPA language in their standard terms, and schools don't always require it. But when a breach or compliance issue occurs, the absence of clear contractual language creates problems.

FERPA myths lead to over-compliance and under-compliance in equal measure

FERPA does not require encryption specifically — it requires reasonable safeguards. Encryption helps demonstrate reasonableness, but a school using strong passwords, access controls, and regular backups may meet the standard without encryption.

FERPA does not prohibit email communication about students. Teachers communicate about students via email regularly. What FERPA prohibits is sharing official educational records without consent. Teacher-parent email about student progress is communication, not record sharing. The distinction is subtle but important.

FERPA does not require written consent for every instance of information sharing — legitimate educational interest and other exceptions allow sharing without consent. Schools often require consent where FERPA doesn't mandate it, creating unnecessary friction.

FERPA does not apply to all school information — it applies to educational records relating to students' education. Schools also keep visitor logs, facility security records, and personnel files not covered by FERPA.

Schools are not required to keep all records forever. FERPA doesn't mandate record retention periods. Schools can delete records after they're no longer needed, as long as they honor legal hold requirements. Many schools warehouse records indefinitely out of caution, but FERPA doesn't require this.

Understanding what FERPA actually requires versus what schools assume it requires is the foundation for compliance that protects students without impeding education.


Frequently Asked Questions

Does FERPA apply to private schools?
Only if the private school receives federal education funding. Most private schools receive some form of federal funding (such as through Title I or school lunch programs), which brings them into FERPA scope. A private school receiving no federal funding is not subject to FERPA, but this is uncommon.

Can a teacher email a parent about their child's grades?
Yes. Teacher-parent communication about student progress is not the same as sharing official educational records. A teacher discussing a student's performance, behavior, or class standing with a parent is normal educational communication. However, emailing official transcripts, standardized test scores, or other formal records to unauthorized third parties would require consent.

Does FERPA require encryption of student data?
No. FERPA requires "reasonable" safeguards but does not specify encryption or any other particular technical control. However, encryption is increasingly considered part of a reasonable security posture, especially for data stored on mobile devices or transmitted over networks. Schools should assess their risk profile and implement safeguards proportional to their exposure.

What happens if a school violates FERPA?
The Department of Education's FPCO investigates complaints and can require corrective action plans. The ultimate enforcement mechanism is the threat of withdrawing federal education funding — a severe consequence for schools dependent on federal dollars. Unlike HIPAA, FERPA does not impose direct monetary fines.

Do EdTech vendors need to be FERPA compliant?
Vendors themselves are not directly regulated by FERPA, but schools are responsible for ensuring their vendors handle educational records appropriately. In practice, this means vendors must contractually commit to FERPA-compliant practices. Schools that fail to ensure vendor compliance are themselves in violation. Vendors without FERPA-appropriate terms and practices will increasingly lose school contracts.


Fully Compliance provides educational content about IT compliance and education regulations. This article reflects general information about FERPA as of its publication date. Regulations, penalties, and requirements evolve — consult a qualified compliance professional for guidance specific to your institution.