NACE Journal / Fall 2024

Career services professionals should know the key points of the Family Educational Rights and Privacy Act (FERPA) and how they can ensure their institutions are in compliance with FERPA’s requirements.

FERPA was enacted by the U.S. Congress to protect the privacy of students and their parents. The act is designed to ensure that students and parents of students may obtain access to the student’s educational records and challenge the content or release of such records to third parties.

Summary of FERPA Restrictions

FERPA requires that federally funded institutions, under programs administered by the U.S. Department of Education (DOE), comply with certain procedures with regard to disclosing and maintaining educational records. FERPA was not enacted to preclude the disclosure of educational records simply because the records identify a student by name; rather, it was designed to protect the student’s educational information and status as a student.

Definitions: What Is a “Student”? A “Third Party”?

To understand the scope of FERPA, it is necessary to define “student.” According to FERPA, a student is an individual who is enrolled in and actually attends an educational institution. The regulations provide that attendance includes, but is not limited to, attendance in person or by correspondence. Courts have held that individuals who merely audit classes or who are accepted to an educational institution but do not attend any classes are not “students” for purposes of FERPA. Individuals who attend classes but are not physically located on a campus are also students, thus including those who attend classes by videoconference, satellite, internet, or other electronic information and telecommunications technologies.

FERPA prohibits the disclosure of a student’s “protected information” to a third party. This disclosure is prohibited whether it is made by hand delivery, verbally, fax, mail, or electronic transmission. Disclosure also includes the provision of access to the educational institution’s career center database of student resumes.

For purposes of FERPA, a third party includes any individual or organization other than the student or the student’s parent(s). With respect to third parties, even if the initial disclosure of protected information is permissible, FERPA limits the subsequent disclosure of the information bythe third party. As such, once an educational institution discloses protected information to a third party, it must ensure that the third party does not itself improperly disclose the information in violation of FERPA.

Protected Information

FERPA classifies protected information into three categories: educational information, personally identifiable information, and directory information. The limitations imposed by FERPA vary with respect to each category.

Although personally identifiable and directory information are often similar or related, FERPA provides different levels of protection for each. Personally identifiable information can only be disclosed if the educational institution obtains the signature of the parent or student (if over 18 years of age) on a document specifically identifying the information to be disclosed, the reason for the disclosure, and the parties to whom the disclosure will be made. Failure to comply with these requirements will result in a violation of FERPA.

On the other hand, with respect to directory information, FERPA does not bar disclosure by the educational institution. Directory information is defined as “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” This includes such items as a list of students’ names, addresses, and telephone numbers, and also includes a student ID number (including electronic identifiers) provided it cannot be used to gain access to education records. Directory information, however, does not include a student’s Social Security number nor can the Social Security number be used to confirm directory information. Directory information can be disclosed provided that the educational institution has given public notice of the type of information to be disclosed, the right of every student to forbid disclosure, and the time period within which the student or parent must act to forbid the disclosure. If a student decides to opt out of the disclosure of directory information, the opt out continues indefinitely. Therefore, an educational institution cannot release such information even after a student is no longer in attendance. Students, however, are prohibited from opting out as a way to prevent schools from requiring students to wear an identification card or badge.

In 2011, the FERPA regulations were revised to reduce the burden on educational institutions with respect to receiving consent prior to the disclosure of information for routine uses of student information. Educational institutions are now permitted to adopt a limited directory information policy that allows the schools to disclose designated information to designated parties. To create such a policy, however, educational institutions must provide notice to parents or eligible students.

FERPA precludes the disclosure of educational information without the prior approval of the student or parent. The issue of what constitutes “educational information” has been hotly contested and subject to much litigation since the inception of FERPA. FERPA defines “education records” as “records, files, documents, and other materials” that are “maintained by an educational agency or institution, or by a person acting for such agency or institution.” While it is clear that educational information includes a student’s transcripts, GPA, grades, Social Security number, and academic evaluations, courts have also included in this category certain psychological evaluations. “Education records” also include any record that pertains to an individual’s previous attendance as a student of an institution. In this regard, information pertaining to lawsuits or other claims that are related to a former student are covered under the definition of “education record” under FERPA and are precluded from disclosure absent prior approval.

FERPA has, however, excluded from the definition of “education record” the use of “peer grading.” The 2008 revisions to FERPA implemented the U.S. Supreme Court’s decision in Owasso Independent School District v. Kristja Falvo, which held that peer grading was not educational information for purposes of FERPA. According to the court, “peer grading,” a practice whereby one student scores/grades the work of another student, is generally not encompassed by FERPA because the information is not created or maintained by the educational institution or an agent of the institution. Rather, the information is created and maintained by another student. This exception, however, ends at the time the test or assignment is collected and recorded by the teacher.

Courts have adopted similar reasoning with respect to teacher evaluations and negative letters of recommendation written by the teacher but not maintained by the educational institution in its files. Courts have been reluctant to find that these records are subject to FERPA because they do not meet the strict definition of an “education record.”

Regarding reference letters and resumes, the key is whether these records include or incorporate the student’s “educational information,” i.e., GPA, grades, Social Security numbers, and so forth. If these documents contain protected educational information, they cannot be disclosed without satisfying FERPA’s predisclosure requirements. An educational institution may not provide an employer, headhunter, or other employment agency with a student’s resume or confidential letter of reference that contains protected educational information unless it first obtains approval from the student or the student’s parent.

Providing FERPA Information in Response to Subpoenas

Educational institutions are often faced with subpoenas requesting FERPA information, both when they are parties to litigation and when they are not a party, but the litigation involves a student.

In Doe v. Yale University, et al., the court held that “FERPA addressed certain perceived societal and policy needs, but the statute was not intended to abrogate the rules of discovery in civil litigation, nor does it have that preclusive effect.” Courts in multiple jurisdictions have found that FERPA records can be disclosed pursuant to subpoena if the need for records outweighs the affected student’s privacy interest. In addition, the educational institution can request protective orders that limit the further transmission of the records and can require redactions be made to help alleviate the concerns for student privacy. Courts have favored redaction whenever possible to permit disclosure consistent with the Freedom of Information Act and many state equivalents.

Revisions to FERPA

In 2008, the regulations governing FERPA were revised to allow for the disclosure of educational records in connection with certain emergencies. An educational institution can release such records if it determines that there is an articulable and significant threat to the health and safety of a student or other individuals. Such information may be disclosed to appropriate parties—including the student’s parents—whose knowledge of the information is necessary to protect the health and safety of the student or others. The educational institution must maintain records of any such disclosures. Educational institutions are also permitted to disclose, without consent, information concerning registered sex offenders. Further, FERPA now requires educational institutions to disclose to the alleged victim of any crime of violence or a sex offense the results of any disciplinary proceeding conducted by the institution against a student who is the alleged perpetrator of such a crime or offense.

The 2008 regulatory revisions further enabled educational institutions to disclose educational information and personally identifiable information without prior consent to contractors, volunteers, or other nonemployees performing services for the educational institution. The request must be based upon a legitimate educational interest. An educational institution must apply reasonable methods to limit disclosure and restrict access to such information.

FERPA also allows the disclosure of information without consent if all personally identifiable information has been removed from the records. In order to disclose such information, a school has to remove all information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.

In 2011, additional regulatory revisions further clarified how educational institutions could disclose information to audit the effectiveness of its programs. FERPA allows educational institutions to disclose information to third parties to audit or evaluate its programs. Previously, educational institutions could only disclose such information to entities or individuals under their direct control. Subsequent to 2011, FERPA has permitted the disclosure of information to “any entity or individual designated by a state or local educational authority to conduct any audit or evaluation, or any compliance or enforcement activity in connection with federal legal requirements that regulate programs.” This would include any audits of job placement, secondary education, or training programs. The educational institution must enter into a written agreement with any third party to which it discloses information. Such an agreement must contain provisions that protect against the redisclosure of the information, provide plans to handle a data breach, and offer methods to record the data provided. According to the DOE, the 2011 revisions were intended to “improve access to data that will facilitate states’ ability to evaluate education programs, to ensure limited resources are invested effectively, to build upon what works and discard what does not, and to contribute to a culture of innovation of continuous improvement in education.”

The DOE continues to provide guidance on issues as they evolve. In September 2020, it issued guidance on what educational institutions can disclose related to the COVID-19 pandemic. The guidance supported the disclosure of generalized COVID-19 information, such as the number of students or teachers currently infected or possible contacts with those infected, without providing enough information to identify individuals. While it is preferred to provide this generalized information, the DOE did acknowledge that there will be instances when disclosing the identity, or information that makes the identity almost certain, will occur and should be addressed on a case-by-case basis. Some examples include athletes when it would be obvious that there is only one teammate missing or when disclosure is needed to alert a high-risk individual.

Another area where the DOE has recently provided guidance is related to photographs and videos. As this form of media has become increasingly prevalent, it is best to keep in mind that photographs and video can become educational records if they directly relate to a student. Things to consider in this evaluation include if the media was used for disciplinary action, if it contains activity that could result in disciplinary or legal action, and whether the person taking the photo or video intended to target a specific student. If the answer to any of these questions is yes, then it is likely that the photo or video will be deemed related to a specific student. Similar to other types of disclosure, redaction or segregation is encouraged if possible. This type of media is still subject to regular exceptions and definitions of FERPA and may or may not be protected based on individual circumstances.

Students’ Rights

FERPA gives students the right to inspect their educational records (excluding information on other students, the financial records of parents, and confidential letters of recommendation if the student has waived the right to access) before giving consent to disclose information. If a student does request the right to inspect, the educational institution must comply within 45 days of the receipt of the request.

In many cases, students have seen, or are aware of, the contents of their files. For example, a student knows what courses they have taken and/or their GPA, both of which are included in the student’s educational record. Even if a student has waived the right to access their file, the school must provide a list of the file’s contents (including the names of all persons making confidential recommendations) upon the student’s request. If the student file has changed in any way, e.g., a letter of recommendation has been altered or replaced, career services should notify the student that there has been a change before disclosing the file’s contents to a potential employer or graduate school.

Credential Files

FERPA does not specify a time period for retaining credential/placement files or reference letters. The law merely provides that an education record may not be destroyed if there is an outstanding student request to inspect the file. The school has the discretion to develop a record retention policy and communicate that policy to its students. The policy should include a deadline by which students/alumni must respond if they do not wish to have their files destroyed. Once the deadline has passed and there has been no request for retention, the records may be destroyed.

Recommendations to Ensure FERPA Compliance

To ensure compliance with FERPA, educational institutions should adhere to the following:

• Advise students annually of their rights under FERPA.
• Obtain signed, written consent from a student before a school official, administrator, career services staff member, or faculty member releases personally identifiable information to an employer, third-party recruiter, or resume referral database.
  • Train and retrain faculty members with respect to the requirements and prohibitions of FERPA.
  • Notify employers, employment agencies, contract recruiters, resume databases, and other entities that student records are subject to FERPA, and that such entities cannot subsequently disclose these records without student consent.
  • Notify third parties that improper disclosure will result in future denials of access to such records.
• Determine, clearly define, and communicate to students what information will be considered directory information prior to disclosure and provide students with a reasonable time to notify the educational institution if they want to restrict access to directory information.
• Obtain a new consent form if any student information is changed, such as revisions to a letter of recommendation, prior to fulfilling an information request.
• Note that FERPA does not address the issue of placing amended letters of recommendation into students’ files: Each educational institution is responsible for establishing and consistently enforcing its own policies with respect to this issue.
• Draft and maintain policies with regard to the retention of records that pertain to the disclosure of information for health and safety concerns.
• Review and revise any and all third-party agreements to ensure such agreements comply with FERPA requirements.
• Implement policies that include how an institution will respond to data breaches or unauthorized disclosures and conduct an investigation into how such a breach occurred.
• Advise students with respect to the implications of waiving their right to inspect their files or letters of recommendation.

Penalty for Noncompliance

Courts have routinely held that FERPA does not create a private right of action against the educational institution. Complaints, however, may be filed with the DOE which will investigate all issues. An educational institution that fails to comply with FERPA may forfeit its federal funding. Typically, funding will not be withdrawn for individual violations but may be forfeited if a policy or practice of unauthorized release of information is established. Notwithstanding the foregoing, some states do allow for monetary damages for the disclosure of protected educational information.

***

Clearly, FERPA remains an important federally created protection for student privacy. The act, however, is constantly evolving. On virtually an annual basis, there are multiple proposed amendments to the statute. Although most do not become law, such proposed amendments present the potential for changes at any time. Additionally, the regulations governing FERPA have been revised on numerous occasions since its enactment. The DOE has and will continue to provide guidance on such changes, as well as new issues that arise in modern education.