• FERPA Primer: The Basics and Beyond

    by George C. Hlavac, Esq., and Edward J. Easterly, Esq.
    NACE Journal, April 2015

    Career services professionals should know the key points of the Family Educational Rights and Privacy Act (FERPA) and how they can ensure their institutions are in compliance with FERPA’s requirements. They should also be aware of regulatory changes to FERPA that have occurred in 2008 and 2011.

    FERPA was enacted by Congress to protect the privacy of students and their parents. The act is designed to ensure that students and parents of students may obtain access to the student’s educational records and challenge the content or release of such records to third parties.

    Summary FERPA Restrictions

    FERPA requires that federally funded institutions, under programs administered by the U.S. Department of Education, comply with certain procedures with regard to disclosing and maintaining educational records. FERPA was not enacted to preclude the disclosure of educational records simply because the records identify a student by name; rather, it was designed to protect the student’s educational information and status as a student.


    To understand the scope of FERPA, it is necessary to define “student.” According to FERPA, a student is an individual who is enrolled in and actually attends an educational institution. The regulations provide that attendance includes, but is not limited to, attendance in person or by correspondence. Courts have held that individuals who merely audit classes or who are accepted to an educational institution but do not attend any classes are not “students” for purposes of FERPA. Individuals who “attend” classes but are not physically located on a campus are also students, thus including those who attend classes by videoconference, satellite, Internet, or other electronic information and telecommunications technologies.

    FERPA prohibits the disclosure of a student’s “protected information” to a third party. This disclosure is prohibited whether it is made by hand delivery, verbally, fax, mail, or electronic transmission. Disclosure also includes the provision of access to the educational institution’s career center database of student resumes.

    For purposes of FERPA, a “third party” includes any individual or organization other than the student or the student’s parent(s). With respect to third parties, even if the initial disclosure of protected information is permissible, FERPA limits the subsequent disclosure of the information by the third party. As such, once an educational institution discloses protected information to a third party, it must ensure that the third party does not itself improperly disclose the information in violation of FERPA.

    Protected Information

    FERPA classifies protected information into three categories: educational information, personally identifiable information, and directory information. The limitations imposed by FERPA vary with respect to each category.

    Although personally identifiable and directory information are often similar or related, FERPA provides different levels of protection for each. Personally identifiable information can only be disclosed if the educational institution obtains the signature of the parent or student (if over 18 years of age) on a document specifically identifying the information to be disclosed, the reason for the disclosure, and the parties to whom the disclosure will be made. Failure to comply with these requirements will result in a violation of FERPA.

    On the other hand, with respect to directory information, FERPA does not bar disclosure by the educational institution. Directory information is defined as “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” This includes such items as a list of students’ names, addresses, and telephone numbers, and also includes a student ID number (which includes electronic identifiers) provided it cannot be used to gain access to education records. Directory information, however, does not include a student’s social security number nor can the social security number be used to confirm directory information. Directory information can be disclosed provided that the educational institution has given public notice of the type of information to be disclosed, the right of every student to forbid disclosure, and the time period within which the student or parent must act to forbid the disclosure. If a student decides to “opt out” of the disclosure of directory information, the “opt out” continues indefinitely. Therefore, an educational institution cannot release such information even after a student is no longer in attendance. However, the 2011 revisions to the act prohibit a student from opting out as a way to prevent schools from requiring students to wear an identification card
    or badge.

    The 2011 revised regulations also reduced the burden on educational institutions of receiving consent prior to the disclosure of information for routine uses of student information. Educational institutions are now permitted to adopt a limited directory information policy that allows the schools to disclose designated information to designated parties. To create such a policy, however, educational institutions must provide notice to parents or eligible students.

    FERPA precludes the disclosure of educational information without the prior approval of the student or parent. The issue of what constitutes “educational information” has been hotly contested and subject to much litigation since the inception of FERPA. FERPA defines “education records” as “records, files, documents, and other materials” that are “maintained by an educational agency or institution, or by a person acting for such agency or institution.” While it is clear that educational information includes a student’s transcripts, GPA, grades, social security number, and academic evaluations, courts have also included in this category certain psychological evaluations. “Education records” also include any record that pertains to an individual’s previous attendance as a student of an institution. In this regard, information pertaining to lawsuits or other claims that are related to a former student are covered under the definition of “education record” under FERPA and are precluded from disclosure absent prior approval.

    FERPA has, however, excluded from the definition of “education record” the use of “peer grading.” In this regard, the 2008 revisions to FERPA implemented the U.S. Supreme Court decision in Owasso Independent School District v. Kristja Falvo, which held that peer grading was not educational information for purposes of FERPA. According to the court, “peer grading,” a practice whereby one student scores/grades the work of another student, is generally not encompassed by FERPA because the information is not created or “maintained” by the educational institution or an agent of the institution. Rather, the information is created and maintained by another student. This exception, however, stops at the time the test or assignment is collected and recorded by the teacher.

    Courts have adopted similar reasoning with respect to teacher evaluations and negative letters of recommendation written by the teacher but not “maintained” by the educational institution in its files. Courts have been reluctant to find that these records are subject to FERPA because they do not meet the strict definition of an “educational record” according to FERPA.

    Regarding reference letters and resumes, the key is whether these records include or incorporate the student’s “educational information” (i.e., GPA, grades, social security numbers, and so forth). If these documents contain “protected” educational information, they cannot be disclosed without satisfying FERPA’s predisclosure requirements. An educational institution may not provide an employer, headhunter, or other employment agency with a student’s resume or confidential letter of reference that contains protected educational information unless it first obtains approval from the student or the student’s parent.

    Revisions to FERPA

    Additional exceptions to the nondisclosure requirements of FERPA were established in the recent revisions. The 2008 revisions allow for the disclosure of educational records in connection with certain emergencies. An educational institution can release such records if it determines that there is an articulable and significant threat to the health and safety of a student or other individuals. Such information may be disclosed to appropriate parties—including the student’s parents—whose knowledge of the information is necessary to protect the health and safety of the student or others. The educational institution must maintain records of any such disclosures. Educational institutions are also now permitted to disclose, without consent, information concerning registered sex offenders. Further, FERPA now requires educational institutions to disclose to the alleged victim of any crime of violence or a sex offense the results of any disciplinary proceeding conducted by the institution against a student who is the alleged perpetrator of such a crime or offense.

    Also, the 2008 revisions permit educational institutions to disclose educational information and personally identifiable information without prior consent to contractors, volunteers, or other nonemployees performing services for the educational institution. The request must be based upon a legitimate educational interest. An educational institution must apply “reasonable methods” to limit disclosure and restrict access to such information.

    FERPA also allows the disclosure of information without consent if all personally identifiable information has been removed from the records. In order to disclose such information, a school has to remove all information that, alone, or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

    The 2011 revisions further clarified how educational institutions could disclose information to audit the effectiveness of its programs. FERPA allows educational institutions to disclose information to third parties to audit or evaluate its programs. Previously, educational institutions could only disclose such information to entities or individuals under their direct control. Now, FERPA allows for the disclosure of information to “any entity or individual designated by a state or local educational authority to conduct any audit or evaluation, or any compliance or enforcement activity in connection with federal legal requirements that regulate programs.” This would include any audits of job placement, secondary education, or training programs. The institution must enter into a written agreement with any third party to which it discloses information. Such an agreement must contain provisions that protect against the redisclosure of the information, provide plans to handle a data breach, and offer methods to record the data provided. According to the Department of Education, the revisions were done to “improve access to data that will facilitate states’ ability to evaluate education programs, to ensure limited resources are invested effectively, to build upon what works and discard what does not, and to contribute to a culture of innovation of continuous improvement in education.”

    Students’ Rights

    FERPA gives students the right to inspect their educational records (excluding information on other students, the financial records of parents, and confidential letters of recommendation if the student has waived the right to access) before giving consent to disclose information. If a student does request the right to inspect, the educational institution must comply within 45 days of the receipt of the request.

    In many cases, students have seen, or are aware of, the contents of their files. For example, a student knows what courses he or she has taken and/or his or her GPA, both of which are included in the student’s “educational record.” Even if a student has waived the right to access his or her file, the school must provide a list of the file’s contents (including the names of all persons making confidential recommendations) upon the student’s request. If the student file has changed in any way, e.g., a letter of recommendation has been altered or replaced, career services should notify the student that there has been a change before disclosing the file’s contents to a potential employer or graduate school.

    Credential Files

    FERPA does not specify a time period for retaining credential/placement files or reference letters. The law merely provides that an education record may not be destroyed if there is an outstanding student request to inspect the file. The school has the discretion to develop a record retention policy and communicate that policy to its students. The policy should include a deadline by which students/alumni must respond if they do not wish to have their files destroyed. Once the deadline has passed, and there has been no request for retention, the records may be destroyed.

    Recommendations to Ensure FERPA Compliance

    In order to ensure compliance with FERPA, educational institutions should adhere to the following:

    • Advise students annually of their rights under FERPA.
    • Obtain signed, written consent from a student before a school official, administrator, career services staff member, or faculty member releases personally identifiable information to an employer, third-party recruiter, or resume referral data base;
      • Train and retrain faculty members with respect to the requirements and prohibitions of FERPA;
      • Notify employers, employment agencies, contract recruiters, resume data bases, and other entities that student records are subject to FERPA, and that such entities cannot subsequently disclose these records without student consent; and
      • Notify third parties that improper disclosure will result in future denials of access to such records.
    • Determine, clearly define, and communicate to students what information will be considered directory information prior to disclosure and provide students with a reasonable time to notify the educational institution if they want to restrict access to directory information.
    • Obtain a new consent form if any student information is changed, such as revisions to a letter of recommendation, prior to fulfilling an information request.
    • Note that FERPA does not address the issue of placing amended letters of recommendation into students’ files: Each educational institution is responsible for establishing and consistently enforcing its own policies with respect to this issue.
    • Draft and maintain policies with regard to the retention of records that pertain to the disclosure of information for health and safety concerns.
    • Review and revise any and all third-party agreements to ensure such agreements comply with FERPA requirements.
    • Implement policies that include how an institution will respond to data breaches or unauthorized disclosures and conduct an investigation into how such a breach occurred.
    • Advise students with respect to the implications of waiving their right to inspect their files or letters of recommendation.

    Penalty for Noncompliance

    Courts have routinely held that FERPA does not create a private right of action against the educational institution. Complaints, however, may be filed with the Department of Education, which will investigate all issues. An educational institution that fails to comply with FERPA may forfeit its federal funding. It should be noted, however, that some states allow for monetary damages for the disclosure of private information.


    Clearly, FERPA remains an important federally created protection for student privacy, but the act is ever changing. In May 2014, several U.S. senators introduced a bill that would modify FERPA to ensure that student data handled by private companies would be protected. The proposed bill would restrict federal money provided to schools that do not have information security policies and procedures in place. While this is only a proposed bill, it further indicates the heightened scrutiny educational institutions face when disclosing student information. Therefore, it is imperative that all educational institutions understand the existing restrictions and limitations imposed by FERPA.

    George C. Hlavac, Esq., and Edward J. Easterly, Esq. are attorneys in the labor and Employment Law Department at Norris, McLaughlin & Marcus P.A.

    Copyright 2015 by the National Association of Colleges and Employers. All rights reserved.