Family Educational Rights and Privacy Act (FERPA)

Family Educational Rights and Privacy Act (FERPA): A Comprehensive Guide for CIPP/US Exam Preparation

Introduction

The Family Educational Rights and Privacy Act (FERPA) is a foundational U.S. federal privacy law that governs how educational institutions handle student records. For anyone preparing for the Certified Information Privacy Professional/United States (CIPP/US) exam, FERPA is a critical topic that falls under the domain of limits on private-sector collection and use of personal information. Understanding FERPA thoroughly is essential not only for passing the exam but also for practicing privacy law and compliance in educational settings.

Why FERPA Is Important

FERPA is important for several key reasons:

1. Protection of Student Privacy: FERPA protects the privacy of student education records, ensuring that sensitive information about students is not disclosed without proper authorization. This is vital because education records can contain highly personal details including grades, disciplinary records, health information, and financial data.

2. Parental and Student Rights: FERPA grants parents (and eligible students aged 18 or older, or those attending postsecondary institutions) specific rights over education records, including the right to access, review, and request amendments to those records.

3. Accountability for Educational Institutions: FERPA creates a framework of accountability for schools and universities that receive federal funding. Institutions that fail to comply risk losing federal financial assistance, which is a powerful enforcement mechanism.

4. Intersection with Private Sector: FERPA has significant implications for private-sector companies that provide services to educational institutions, such as ed-tech vendors, cloud service providers, and data analytics companies. These entities must understand FERPA's requirements when handling student data on behalf of schools.

5. Foundation for Modern Education Privacy: FERPA serves as the baseline for student privacy in the United States and interacts with other laws such as COPPA (Children's Online Privacy Protection Act), state student privacy laws, and institutional policies.

What FERPA Is

FERPA, also known as the Buckley Amendment, was enacted in 1974 (20 U.S.C. § 1232g) and is administered by the U.S. Department of Education's Student Privacy Policy Office (formerly the Family Policy Compliance Office). It applies to all educational agencies and institutions that receive funding under any program administered by the U.S. Department of Education.

Key Definitions Under FERPA:

- Education Records: Records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution. This is a broad definition and includes records in any format — handwritten, printed, electronic, digital, video, audio, etc.

- Eligible Student: A student who has reached 18 years of age or is attending an institution of postsecondary education. At this point, rights under FERPA transfer from the parent to the student.

- Directory Information: Information contained in an education record that would not generally be considered harmful or an invasion of privacy if disclosed. Examples include name, address, telephone number, date and place of birth, honors and awards, dates of attendance, and degree conferred. Schools must give public notice of the types of information they designate as directory information and allow parents/eligible students to opt out of disclosure.

- Personally Identifiable Information (PII): FERPA defines PII broadly to include direct identifiers such as a student's name, the name of the student's parent or other family members, the student's Social Security number, student ID number, and indirect identifiers or information that, alone or in combination, can be linked to a specific student.

Exceptions to the Definition of Education Records:

Not all records maintained by a school are considered education records under FERPA. Key exceptions include:

- Sole possession records: Notes made by a single school official that are kept in the sole possession of the maker, are used only as a personal memory aid, and are not accessible or revealed to any other person (except a temporary substitute).
- Law enforcement unit records: Records created and maintained by a law enforcement unit of the educational institution for law enforcement purposes.
- Employment records: Records relating to individuals who are employed by the institution (unless employment is contingent on student status).
- Medical/treatment records: Records made or maintained by a physician, psychiatrist, psychologist, or other recognized professional acting in a professional capacity, used only in connection with treatment and disclosed only to individuals providing treatment. (Note: these become education records if disclosed to anyone other than treatment providers.)
- Alumni records: Records created or received after the individual is no longer a student and that are not directly related to the individual's attendance as a student.

How FERPA Works

FERPA operates through two primary mechanisms: rights granted to parents and eligible students and restrictions on disclosure of education records.

1. Rights of Parents and Eligible Students

Right to Inspect and Review: Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools must comply with requests within 45 days. Schools are not required to provide copies of records unless circumstances (such as great distance) make it impossible for parents or eligible students to inspect records in person.

Right to Request Amendment: Parents or eligible students may request that a school correct records they believe to be inaccurate, misleading, or in violation of the student's privacy rights. If the school refuses to amend the record, the parent or eligible student has the right to a formal hearing. If the school still decides not to amend the record after the hearing, the parent or eligible student may place a statement in the record commenting on the contested information.

Right to Consent to Disclosure: Generally, schools must have written consent from the parent or eligible student before disclosing PII from education records. The consent must specify the records to be disclosed, the purpose of the disclosure, and the party or class of parties to whom the disclosure may be made.

Right to File a Complaint: Parents and eligible students have the right to file a complaint with the U.S. Department of Education concerning alleged failures by the school to comply with FERPA requirements.

2. Restrictions on Disclosure and Key Exceptions

FERPA's general rule requires prior written consent before disclosing PII from education records. However, there are several critical exceptions that allow disclosure without consent. These are heavily tested on the CIPP/US exam:

a. School Officials with Legitimate Educational Interest: Disclosure is permitted to school officials whom the institution has determined have a legitimate educational interest. A school official can include teachers, administrators, attorneys, counselors, and contractors or consultants who perform institutional services or functions. Schools must define what constitutes a "legitimate educational interest" in their annual FERPA notification.

b. Transfer to Another School: Schools may disclose education records without consent to officials of another school where the student seeks or intends to enroll, or where the student is already enrolled, as long as the disclosure is for purposes related to the student's enrollment or transfer. The school must make a reasonable attempt to notify the parent or eligible student of the transfer of records (unless the disclosure is initiated by the parent/eligible student or the school's annual notification indicates this practice).

c. Directory Information: Schools may disclose directory information without consent, provided they have given public notice of the categories of information designated as directory information and have given parents/eligible students a reasonable period to opt out.

d. Audit or Evaluation Exception: Disclosure is permitted to authorized representatives of the Comptroller General, the U.S. Attorney General, the Secretary of Education, or state and local educational authorities for audit, evaluation, or compliance/enforcement purposes related to federally or state-supported education programs.

e. Financial Aid Exception: Disclosure is permitted in connection with financial aid for which the student has applied or received, if the information is necessary to determine eligibility, amount, conditions, or enforcement of the terms of the aid.

f. Studies Exception: Schools may disclose education records without consent to organizations conducting studies for or on behalf of the school to develop, validate, or administer predictive tests; administer student aid programs; or improve instruction. The study must be conducted in a manner that does not permit personal identification of parents and students by anyone other than representatives of the organization, and the information must be destroyed when no longer needed for the study.

g. Health or Safety Emergency: Disclosure is permitted to appropriate parties in connection with a health or safety emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals. This exception is to be strictly construed and applies only during the period of the emergency.

h. Judicial Order or Subpoena: Schools may disclose education records in compliance with a judicial order or lawfully issued subpoena, but the school must make a reasonable effort to notify the parent or eligible student of the order or subpoena before complying (unless the order or subpoena specifically directs that the student or parent not be notified, as in certain grand jury or law enforcement subpoenas).

i. Sex Offender Information: Information provided to the school under state sex offender registration and community notification programs may be disclosed.

j. Victims of Crimes of Violence or Non-Forcible Sex Offenses: The school may disclose to an alleged victim the final results of a disciplinary proceeding with respect to the alleged perpetrator of a crime of violence or non-forcible sex offense, regardless of the outcome. If the alleged perpetrator is found to have committed a violation, disclosure may be made to anyone.

k. De-identified Records: Schools may release education records without consent if all PII has been removed and the school has made a reasonable determination that a student's identity is not personally identifiable, whether through single or multiple releases, taking into account other reasonably available information.

3. Recordkeeping Requirements

Schools must maintain a record of each request for access to and each disclosure of PII from education records. This record must include the parties who have requested or received PII and the legitimate interests they had in requesting or obtaining the information. This recordkeeping requirement does not apply to requests by the parent or eligible student, disclosures made with the written consent of the parent or eligible student, disclosures of directory information, or disclosures to school officials with legitimate educational interests.

4. Annual Notification

Schools must annually notify parents and eligible students of their rights under FERPA. The notification must include information about the right to inspect and review records, the right to request amendment, the right to consent to disclosure, and the right to file a complaint. The notification must also specify the criteria for determining who constitutes a school official and what constitutes a legitimate educational interest.

5. Enforcement

FERPA is enforced by the U.S. Department of Education's Student Privacy Policy Office. The primary enforcement mechanism is the potential loss of federal funding. FERPA does not provide a private right of action. This means that individuals cannot sue schools directly under FERPA for violations. The U.S. Supreme Court confirmed this in Gonzaga University v. Doe (2002), holding that FERPA's nondisclosure provisions create no personal rights enforceable under 42 U.S.C. § 1983.

6. FERPA and Third-Party Service Providers (Ed-Tech Vendors)

A critical area for the CIPP/US exam involves how FERPA applies to third-party vendors and technology companies that provide services to schools. Under FERPA's school official exception, a school may outsource institutional services or functions to a third party (such as a cloud computing provider or learning management system vendor) without obtaining parental consent, provided that:

- The contractor performs an institutional service or function for which the school would otherwise use employees.
- The contractor is under the direct control of the school with respect to the use and maintenance of education records.
- The contractor uses the education records only for the purposes for which the disclosure was made.
- The contractor complies with FERPA's re-disclosure requirements.

This is an increasingly important area as schools adopt more digital tools and services. Vendors who receive student data under this exception cannot use the data for their own purposes (such as targeted advertising) and must comply with the school's FERPA obligations.

7. FERPA and COPPA Interaction

When online services are used in a school context and involve children under 13, both FERPA and COPPA may apply. The FTC has acknowledged that schools may consent to the collection of student information by online operators on behalf of parents, provided the information is used solely for a school-authorized educational purpose. This does not relieve the operator of its obligations under COPPA.

Key Differences Between FERPA and Other Privacy Laws

- FERPA vs. HIPAA: FERPA generally takes precedence over HIPAA for records maintained by a school's health clinic that are education records. If a school is both a covered entity under HIPAA and subject to FERPA, the student treatment records maintained by the school are governed by FERPA, not HIPAA.
- FERPA vs. State Laws: Many states have enacted additional student privacy laws (such as California's SOPIPA) that supplement FERPA with additional requirements, particularly for ed-tech companies.
- FERPA vs. COPPA: FERPA applies to educational institutions; COPPA applies to operators of commercial websites and online services directed to children under 13 or that have actual knowledge of collecting information from children under 13.

Exam Tips: Answering Questions on Family Educational Rights and Privacy Act (FERPA)

Preparing for FERPA questions on the CIPP/US exam requires a strong grasp of both the conceptual framework and specific details. Here are essential tips:

Tip 1: Know the Scope and Applicability
FERPA applies to educational agencies and institutions that receive federal funding from the Department of Education. It does not directly regulate private-sector companies, but private companies that handle education records on behalf of schools must comply through contractual arrangements under the school official exception. Be prepared for questions that test whether a particular entity or record falls within FERPA's scope.

Tip 2: Master the Definition of Education Records
Understand what qualifies as an education record and, equally important, what does not. Exam questions often test exceptions such as sole possession records, law enforcement unit records, employment records, and treatment records. Remember that the format of the record (paper, electronic, video, etc.) does not matter — it is the nature and maintenance of the record that counts.

Tip 3: Memorize the Key Exceptions to the Consent Requirement
The disclosure exceptions are among the most heavily tested FERPA topics. Focus on the school official exception, the directory information exception, the health or safety emergency exception, the judicial order/subpoena exception, and the studies exception. Know the conditions that must be met for each exception to apply.

Tip 4: Understand the Transfer of Rights
Rights under FERPA transfer from parents to eligible students when the student turns 18 or begins attending a postsecondary institution, regardless of age. This is a common exam point. Note that even after rights transfer, schools may (but are not required to) share information with parents if the student is a dependent for tax purposes, or in health/safety emergencies.

Tip 5: Remember That FERPA Has No Private Right of Action
This is a critical and frequently tested point. The only remedy under FERPA is the potential loss of federal funding enforced by the Department of Education. Individuals cannot sue under FERPA. Reference Gonzaga University v. Doe for this principle.

Tip 6: Know Directory Information Rules
Schools must give public notice of what they designate as directory information and must provide an opt-out opportunity. If a parent or eligible student opts out, the school cannot disclose that information as directory information. Questions may test whether a particular type of information can be released as directory information and what procedures must be followed.

Tip 7: Understand the Relationship Between FERPA and HIPAA
For exam purposes, remember that education records covered by FERPA are expressly excluded from HIPAA's coverage. If a school maintains health records as part of education records, FERPA (not HIPAA) governs those records. This is a common area for tricky exam questions.

Tip 8: Pay Attention to the School Official Exception for Vendors
Questions about ed-tech companies and cloud service providers are increasingly common. Know the four conditions that must be satisfied for a vendor to qualify as a school official under FERPA. Be particularly aware that the vendor must be under the direct control of the school regarding the use and maintenance of education records.

Tip 9: Focus on the Health or Safety Emergency Exception
This exception is narrowly construed and applies only during the period of the emergency. The school must determine on a case-by-case basis that a specific, articulable, and significant threat exists. Know that the Department of Education allows schools to take into account the totality of the circumstances when making this determination.

Tip 10: Read Questions Carefully for Key Qualifiers
FERPA exam questions often include subtle qualifiers such as "generally," "always," "never," or "except." Pay close attention to these words. For example, FERPA generally requires consent before disclosure, but the exceptions are numerous and important. An answer choice that says FERPA "always" requires consent would be incorrect because of the many exceptions.

Tip 11: Understand the Recordkeeping Requirements
Schools must maintain a record of each disclosure (with exceptions for disclosures to parents/eligible students, disclosures with consent, directory information, and disclosures to school officials). This administrative requirement can appear in exam questions about compliance obligations.

Tip 12: Know the Annual Notification Requirement
Schools must provide annual notification to parents and eligible students about their FERPA rights. The method of notification is flexible — schools may use special letters, inclusion in a student handbook, PTA bulletin, or other means reasonably likely to inform parents and eligible students.

Tip 13: Review the De-identification Standard
FERPA allows release of de-identified education records. The school must make a reasonable determination that the student is not identifiable. Some exam questions may test whether data has been sufficiently de-identified to fall outside FERPA's consent requirements.

Tip 14: Practice with Scenario-Based Questions
Many FERPA exam questions present scenarios and ask you to apply the law. Practice identifying whether a particular disclosure is permitted, which exception applies, or what rights a parent or student has in a given situation. The more scenarios you work through, the more comfortable you will be on exam day.

Tip 15: Don't Confuse FERPA with Other Student Privacy Laws
Be clear on the distinctions between FERPA and PPRA (Protection of Pupil Rights Amendment), COPPA, and state student privacy laws. FERPA governs education records and their disclosure; PPRA governs surveys, analyses, and evaluations funded by the Department of Education; COPPA governs online collection of information from children under 13. Each has distinct requirements and applicability.

Summary

FERPA is a cornerstone of education privacy law in the United States. It establishes rights for parents and eligible students regarding education records and places significant restrictions on how educational institutions may disclose those records. Its intersection with the private sector — particularly through ed-tech vendors and service providers — makes it a critical area of knowledge for CIPP/US candidates. By mastering the definitions, rights, exceptions, and enforcement mechanisms outlined above, and by applying the exam tips provided, you will be well-prepared to answer FERPA questions with confidence on the CIPP/US exam.