FERPA and Education Privacy Requirements

The Family Educational Rights and Privacy Act (FERPA) establishes the federal framework governing access to and disclosure of student education records across institutions receiving federal funding. Enforced by the U.S. Department of Education, FERPA defines the rights of students and parents, the obligations of educational institutions, and the boundaries of permissible data sharing. For professionals navigating privacy compliance landscapes, FERPA sits at the intersection of institutional data governance, cybersecurity obligations, and civil rights law.

Definition and scope

FERPA, codified at 20 U.S.C. § 1232g and implemented through 34 CFR Part 99, applies to all educational agencies and institutions that receive funding under programs administered by the U.S. Department of Education. This encompasses virtually all public K–12 schools, school districts, and post-secondary institutions, covering an estimated 99% of U.S. colleges and universities (U.S. Department of Education, FERPA Overview).

The statute protects education records — defined as records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational agency or institution. The rights under FERPA transfer from parents to students at age 18 or upon enrollment in a post-secondary institution, whichever comes first.

FERPA distinguishes between two primary data categories:

  1. Education records — all records maintained by the institution that relate to a student, including transcripts, disciplinary files, financial aid records, and health records held by the institution.
  2. Directory information — a defined subset that institutions may disclose without prior consent unless a student has opted out. Directory information typically includes name, address, phone number, enrollment status, and dates of attendance, as specified in 34 CFR § 99.3.

Excluded from protection are sole-possession records (personal notes not shared with others), law enforcement unit records, and employment records for individuals who are not enrolled students.

How it works

FERPA operates through a consent-and-disclosure framework with enumerated exceptions. By default, institutions may not release education records without prior written consent from the eligible student or parent. Consent must specify the records to be disclosed, the purpose of disclosure, and the party or class of parties to whom disclosure may be made.

The statute enumerates 14 exceptions under which disclosure without consent is permissible (34 CFR § 99.31). The most operationally significant exceptions include:

  1. School officials with legitimate educational interest — faculty, staff, and contracted service providers acting within their defined institutional role.
  2. Transfer institutions — records may be forwarded to schools where the student seeks enrollment.
  3. Federal or state education authorities — disclosures required for audit and evaluation of education programs.
  4. Financial aid — limited to information necessary to receive or repay aid.
  5. Health and safety emergencies — institutions may disclose to appropriate parties when there is an articulable and significant threat to health or safety.
  6. Judicial orders or lawfully issued subpoenas — with specific notice requirements attached.
  7. State and local officials — for juvenile justice system reporting under applicable state statutes predating November 19, 1974.

Institutions must maintain records of each disclosure (with limited exceptions) and make those disclosure logs available to the eligible student upon request. Annual notification of FERPA rights is also a standing compliance requirement under 34 CFR § 99.7.

Common scenarios

FERPA compliance requirements surface in predictable operational contexts across the education sector. Understanding the purpose and scope of privacy frameworks clarifies how FERPA intersects with broader data governance obligations.

Scenario 1 — Third-party vendor contracts: Institutions frequently engage software vendors for learning management systems, student information systems, and cloud storage. Under FERPA, vendors designated as "school officials" with legitimate educational interest must agree to use education records only for the specified purpose and must be governed by institutional data governance policy. The U.S. Department of Education's Student Privacy Policy Office (SPPO) publishes guidance on vendor agreements.

Scenario 2 — Media and law enforcement inquiries: Reporters and law enforcement agencies requesting student records present distinct frameworks. Disclosure to law enforcement generally requires a subpoena or court order, with narrow exceptions for registered sex offender disclosures and health/safety emergencies. Institutions may not confirm or deny enrollment status in response to general media inquiries unless that information has been designated as directory information.

Scenario 3 — Parent access after age 18: A common institutional failure mode involves parents of college-age students requesting transcripts or disciplinary records. Once a student reaches age 18 or enrolls post-secondary, parental access requires either student consent or a documented dependency claim under IRS rules (26 U.S.C. § 152).

Scenario 4 — Data breach and notification: FERPA does not prescribe a breach notification obligation, but unauthorized disclosure of education records constitutes a FERPA violation. Institutions must then assess obligations under applicable state breach notification laws, which in 47 states carry independent notification requirements. Cybersecurity professionals should cross-reference FERPA with state statutes and with NIST Cybersecurity Framework guidance when structuring incident response plans.

Decision boundaries

FERPA violations can result in withdrawal of all federal education funding administered by the Department of Education — a sanction significant enough that enforcement has historically operated through corrective action rather than funding termination. Complaints are filed with the Family Policy Compliance Office (FPCO), a unit within the U.S. Department of Education.

Key boundary distinctions include:

Privacy professionals cross-referencing FERPA within broader compliance programs should consult the privacy resource index for mapped intersections with other federal and state frameworks.
