What Is FERPA and How Does It Actually Work?
Jump to section
Picture a parent calling the school to ask how their child is doing in class, only to be told the teacher can't share that information with them. Frustrating? Sure.
But it also means the same rules that blocked that call are protecting every student's records from people who have no right to see them.
That's FERPA, the Family Educational Rights and Privacy Act, a federal law that gives parents and eligible students control over who can access educational records.
In this post, we'll cover what FERPA actually covers, who holds what rights, when schools can legally share information, and what it all means for you in the classroom.
What FERPA Is and Who It Covers
Most teachers have heard of FERPA, but knowing the acronym isn't the same as knowing what it actually requires. FERPA (the Family Educational Rights and Privacy Act) does three things:
- it protects the privacy of student education records
- it gives parents and eligible students the right to access and amend those records
- it restricts who else can see them
It also comes up alongside HIPAA, so let's settle that quickly: FERPA and HIPAA are not the same thing. HIPAA covers medical records held by health providers; FERPA covers education records held by schools.
A student's doctor is bound by HIPAA; your school's registrar is bound by FERPA.
What FERPA does and why it exists
Signed into law by President Ford on August 21, 1974, and originally called the Buckley Amendment, FERPA was a direct response to concerns that schools were sharing student information too freely.
Its core promise: parents (and students once they turn 18) have the right to review records, request corrections, and control most outside disclosures.
Which schools must follow FERPA
FERPA applies to any institution that receives federal funds, public or private. Critically, if any part of a school receives federal funding, the entire institution is covered.
Schools that accept only non-monetary federal benefits don't fall under the law.
How FERPA has changed since 1974
FERPA has been amended eleven times since its enactment, with significant changes in 1990, 1992, 1998, 2001, 2008, and 2011.
Post-9/11 legislation brought the biggest expansions: the USA PATRIOT Act created new law-enforcement disclosure permissions, and the Clery Act tied campus security reporting directly to FERPA's framework.
What Counts as an Education Record
Not every document that mentions a student falls under FERPA. The law protects a specific category of records, and knowing exactly where that line sits will save you from both over-sharing and over-restricting.
Records FERPA Protects
Education records are documents that are directly related to a student and maintained by the school or someone acting on its behalf. That covers a wide range: grades, transcripts, disciplinary files, health records, and attendance records all qualify.
So do IEPs (Individualized Education Programs) and 504 plans, since both are directly tied to a student and kept by the institution.
The Supreme Court has described the core of this category as centrally maintained institutional records, meaning the school holds them in an official capacity, not just in someone's personal file drawer.
Records FERPA Does Not Cover
Some records fall outside FERPA's reach entirely:
- Sole-possession personal notes: private memory aids a teacher keeps to themselves and never shares
- Law enforcement unit records: created and maintained by the school's security or police department
- Non-student employee records: staff personnel files that have no student connection
- Treatment records: medical or counseling records for students 18 and older, when used only for treatment
- Peer-graded papers: before the teacher records the grade, those papers are not yet education records
- Post-attendance records: documents created after a student has left and that don't relate to their time enrolled
How Directory Information Works
Directory information is the subset of education records a school may release publicly without prior consent, unless a student (or parent) has opted out.
It typically includes name, address, phone number, email, photo, dates of attendance, and honors or awards. Schools must give families a genuine opt-out opportunity. One firm limit: a Social Security number alone can never be directory information.
A student ID number can be included, provided it's used alongside an authentication factor.
What Counts as Personally Identifiable Information
Personally identifiable information (PII) is broader than it sounds. The obvious pieces are there: name, family address, SSN, and biometric records (a category formally added in 2008).
But indirect identifiers matter too, including birthdates and any combination of data points that, taken together, would let someone identify a specific student. When in doubt, treat it as PII.
Rights of Parents and Students Under FERPA
FERPA gives parents and students real, enforceable rights over education records. You can inspect them, challenge what's inaccurate, and expect your school to keep you informed. Here's how each of those rights works in practice.
Your right to inspect school records
Under FERPA, your school must grant access to education records within a reasonable period, and no more than 45 days after receipt of a request. Once you have access, the school must explain and interpret anything in the records you ask about.
To write a FERPA request, keep it short and direct:
- put it in writing
- identify yourself
- name the student
- describe the specific records you want
Submit it to the school's registrar or main office.
If distance or circumstances prevent in-person review, the school must provide copies. According to the National Center for Education Statistics, the school may not charge for search and retrieval of records, though it can charge a reasonable copying fee.
How to request a correction to your records
If you believe a record is inaccurate or misleading, you can ask the school to correct it. The school must respond within a reasonable time. If it refuses, you have the right to a formal hearing. The hearing decision must be issued in writing.
If the outcome still doesn't go your way, you can insert your own written statement into the record explaining your position.
When rights shift from parents to students
Rights transfer to the student at age 18 or upon enrollment in a postsecondary institution, whichever comes first. At that point the student becomes an eligible student under FERPA.
Parents of students who qualify as dependents for tax purposes may still receive certain disclosures. Postsecondary students, however, cannot access their parents' financial records.
Students can also waive their right to view confidential letters of recommendation, which is common in college application contexts.
How schools must notify you each year
Schools are required to notify parents and eligible students of their FERPA rights annually. That notice must:
- describe how to inspect records and request amendments
- explain the criteria for who qualifies as a school official
- be accessible to parents with disabilities and those who don't speak English
When Schools Can Share Student Records
FERPA protects student records, but it doesn't lock them away completely. Schools share information constantly and legally — the rules just determine when consent is required and when it isn't.
Getting consent before sharing records
The default is simple: before releasing a student's education records, the school needs written consent. That consent must be signed and dated, name the specific records being released, state the purpose, and identify the recipient.
Electronic signatures are permitted. An eligible student (18 or older, or attending a postsecondary institution) can also waive their own consent rights, such as when applying for a job and authorizing a reference letter.
What information can be shared under FERPA
Several exceptions let schools share records without student or parent consent:
- School officials with a legitimate educational interest, such as a counselor reviewing grades to plan a student's schedule
- Receiving schools the student is seeking to enroll in
- Federal and state authorities for audit, evaluation, or compliance purposes
- Financial aid offices determining eligibility
- Judicial orders or subpoenas (though the school must make a reasonable effort to notify the student or parent first)
- Accrediting organizations carrying out their accrediting functions
- Juvenile justice agencies, under certain state-law conditions
One easy-to-miss scenario: reading grades aloud in class, or posting them publicly in a way that identifies a student, is a potential FERPA violation. The audience matters as much as the medium.
Sharing records during a health or safety emergency
If there's an articulable and significant threat to the safety of a student or others, schools may share relevant records with appropriate parties — even without consent.
The school has discretion in making that call, but it must document the threat and record who received the information. During COVID-19, this provision became relevant as schools weighed what health information could appropriately be shared.
Notably, parents of an eligible student (who would normally control their own records) may still be notified in a genuine emergency.
Disclosing disciplinary records
Postsecondary institutions have specific authority here. They may disclose the final results of a disciplinary proceeding involving a crime of violence or non-forcible sex offense:
- the student's name
- the violation
- the sanction imposed
The alleged victim is entitled to that outcome regardless of the result. Schools may also notify parents when an eligible student under 21 violates laws or policies related to alcohol or drug use.
Limits on sharing records a second time
When a school shares records under one of these exceptions, the recipient can't simply pass them on. They must be informed that redisclosure without consent is prohibited, and the school must maintain a log of every disclosure.
One important release valve: de-identified data with all personally identifiable information removed may be shared freely, which is how aggregate research and reporting typically works.
FERPA Compliance Checklist for Teachers
FERPA compliance isn't an annual training video; it's a handful of small habits you run every day. This checklist covers the three places teachers most often slip: daily record handling, casual classroom moments, and formal record requests.
Daily habits to confirm before you leave the room
These aren't steps in order; they're conditions to verify each day.
- Paper attendance sheets are locked away. A locking drawer, not a desk corner or an open binder.
- No grades are displayed with student names. This includes hallway postings and projected gradebooks.
- Every record shared with a third party is logged. One line is enough:
Oct 14: progress report shared with after-school tutor, parental consent on file, sent via district email.
Here's what the grade-posting rule looks like in practice:
- ✅ Scores posted by randomly assigned codes only students know
- ❌ Scores posted by student ID in alphabetical order
The difference: in the second version, classmates can match scores to names in seconds, and that's a disclosure.
Mistakes that feel harmless in the moment
Each of these is routine classroom behavior, and each one is a FERPA problem. Find your habit on the left, swap in the move on the right.
| Instead of... | Do this... |
|---|---|
| Reading grades aloud while returning work | Hand papers back face down, score inside |
| Leaving the roster open on your desk or screen | Flip it over; blank the projector first |
| Emailing records to an address a caller gives you | Send only to addresses verified in the system |
⚠️ Watch out: the unverified email is the costliest mistake here. Anyone can claim to be a parent over the phone. If the address isn't on file, route the request through the office before sending anything.
When a parent or student requests records
Requests for educational records follow a formal process, and your job is to start it, not to fulfill it yourself.
- Route the request through the school office the same day you receive it.
- Say: "I'll send this to our front office today so the official process starts right away."
- Know the 45-day window. Schools must provide access within 45 days of the request.
- Routing fast protects that clock; the timer starts at the request, not at your handoff.
- Document the request and your response. Date received, what was asked, where you sent it.
- Example: Nov 3: Ms. Rivera requested attendance records, forwarded to registrar same day.
The pattern across all three areas is the same: lock it, anonymize it, log it. EMStudio's attendance and records tools keep those logs timestamped and access-controlled, so your FERPA compliance is easier to maintain and to prove.
How FERPA Is Enforced
Knowing your rights under FERPA is only half the picture. Understanding what happens when those rights are violated, and what schools must do to stay on the right side of the law, is where it gets practical.
Common violation examples include sharing grades publicly, releasing transcripts without consent, and discussing a student's records with unauthorized staff.
How to file a FERPA complaint
If you believe a school has violated FERPA, you file a complaint with the Family Policy Compliance Office (FPCO), the federal office that oversees enforcement.
According to Protecting Student Privacy, the complaint must be filed within 180 days of when you knew (or reasonably knew) of the violation, and it must state specific factual allegations. The Department of Education then investigates and issues findings.
Penalties for FERPA violations
Here's where enforcement gets complicated. The ultimate penalty is withholding federal funding, but as the Student Press Law Center notes, the Department of Education has never actually revoked funding for a FERPA violation.
Cease-and-desist orders are available, but the teeth are mostly theoretical.
Parents and students can't sue under FERPA either. The Supreme Court confirmed in Gonzaga University (2002) that FERPA creates no personal rights enforceable under Section 1983, and the full case record makes clear there's no private right of lawsuit.
What schools must do to stay compliant
Compliance is ongoing, not a one-time policy post. Schools must maintain disclosure recordkeeping logs, notify the Department of Education of any conflicts with state law within 45 days, and submit policies and training materials on request.
They also need reasonable methods to verify identity before releasing records. Best practice: log every record disclosure immediately, before you forget the details.
New Technology and Student Privacy Risks
Digital tools have changed how student data flows, and FERPA's rules haven't always kept pace. Two gaps stand out: who can access records, and whether schools are transparent about it.
When third-party vendors access student data
A 2008 regulatory update expanded the definition of "school officials" to include outside contractors, meaning companies like Google or Facebook can access student records under an educational services contract.
That access can happen with limited oversight once the contract is signed.
The Electronic Privacy Information Center (EPIC) has raised concerns that this framework allows unrestricted data sharing, with student information flowing to third parties in ways parents rarely see or understand.
Where FERPA transparency falls short
Parents can only exercise their rights if they know those rights exist.
The numbers here are sobering: only 54% of local educational agencies (LEAs, the school districts and other bodies that receive federal education funds) post a FERPA notice online, and just 7% include contact information for privacy questions.
New classroom technologies add another layer of complexity, because many tools arrive in classrooms faster than any accountability framework can follow.
Critics and privacy advocates have called for stronger FERPA protections to close these gaps, particularly as schools adopt more apps, platforms, and data-driven tools that weren't imaginable when the law was written in 1974.
FERPA and Journalism
FERPA protects students, but schools sometimes use it as a shield against accountability. Knowing where the law actually ends helps journalists (and the teachers caught in the middle) push back.
How schools misuse FERPA to block public records
Schools regularly over-cite FERPA to deny requests that have nothing to do with education records. Parking tickets, meeting minutes, and budget documents aren't student records, so FERPA doesn't touch them.
Crucially, FERPA cannot preempt state open records laws: when the two conflict, courts read FERPA narrowly. The burden of justification sits with the school, not the requester.
How journalists can work around FERPA denials
A denial isn't a dead end. Practical options include:
- Request redacted records. Removing names and identifiers often satisfies FERPA while preserving the data you need.
- Seek anonymous statistical data. Aggregate figures (graduation rates, discipline counts) aren't tied to individual students.
- Obtain a student FERPA waiver. Students can consent to release their own records.
- Interview students directly. What a student tells you voluntarily isn't a FERPA issue.
- Publicize wrongful denials. Transparency pressure often moves institutions.
- Escalate to school lawyers. A formal legal inquiry frequently reverses an overstated denial.
How state open records laws interact with FERPA
Every state has a public records law, and those laws coexist with FERPA rather than surrendering to it. Once a record is redacted of student-identifying information, it loses FERPA protection and becomes subject to normal disclosure rules.
Courts consistently apply a narrow reading of what counts as an education record. One important limit: private schools aren't covered by state open records laws, so those avenues don't apply there.
FERPA isn't just a compliance checkbox. It's the foundation of trust between schools, families, and students: a commitment that the information you collect about learners stays in the right hands.
When you understand the rules, you protect your students and yourself.
The details matter, and so do the systems you build around them. Ready to sharpen how you track and store student information? Check out Attendance & Records to see how the right tools keep you organized and compliant.
References
- Legislative History of Major FERPA Provisions — studentprivacy.ed.gov
- How long does an educational agency or institution have to comply ... — studentprivacy.ed.gov
- How may a parent or eligible student file a FERPA complaint with the Department of Education? — studentprivacy.ed.gov
- GONZAGA UNIV. V. DOE — law.cornell.edu
- Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies — nces.ed.gov
- U.S. Reports: Gonzaga University et al. v. Doe, 536 U.S. 273 (2002). — tile.loc.gov
- Family Educational Rights and Privacy Act (FERPA) – EPIC — epic.org
- FERPA: What it means and how it works — splc.org
Frequently asked questions
What is FERPA and how is it used?
FERPA, the Family Educational Rights and Privacy Act, is a federal law that protects the privacy of student education records. It grants parents and eligible students control over who can access these records, and the right to inspect and amend them.
How serious is FERPA?
FERPA is a serious federal law designed to protect student privacy. While the ultimate penalty of withholding federal funding for violations has never been explicitly revoked, schools must still comply with FERPA requirements to avoid potential investigations and findings by the Family Policy Compliance Office.
What are examples of FERPA violations?
Examples of FERPA violations include publicly displaying student grades in a way that identifies them, releasing a student's transcripts without proper consent, or discussing a student's private education records with unauthorized staff members.
What cannot be shared under FERPA?
Without consent, schools generally cannot share education records that are directly related to a student and maintained by the school, such as grades, transcripts, disciplinary files, health records, or attendance records. They also cannot disclose personally identifiable information like a student's name, address, Social Security number, or indirect identifiers that could lead to identification.
Is FERPA good or bad?
FERPA's primary purpose is to safeguard student privacy by giving parents and eligible students control over educational records. While it can sometimes lead to frustration when information sharing is restricted, its core function is to protect sensitive student data from unauthorized access, implying it is beneficial for student privacy.
Should I say yes or no to FERPA?
You should typically say yes to FERPA or, more accurately, understand and comply with its provisions. FERPA is a federal law designed to protect student education records by giving parents and eligible students control over who can access them. Adhering to FERPA protects student privacy and ensures your school maintains federal funding.
What happens to schools who do not comply with FERPA?
Schools that do not comply with FERPA can face investigation by the Family Policy Compliance Office (FPCO). While the most severe penalty, withholding federal funding, has never been enforced, cease-and-desist orders are available, and schools must maintain compliance through recordkeeping and policies to avoid issues.
What cannot be disclosed without consent in FERPA?
Without explicit consent, FERPA generally prohibits the disclosure of "education records," which include grades, transcripts, disciplinary files, health records, and attendance records directly related to a student and maintained by the school. This also extends to personally identifiable information such as names, addresses, Social Security numbers, or any combination of data that could identify a student.
