Family Education Rights and Privacy Act (FERPA)

Question 1

Sector

Answer 1

Education

Question 2

Year Passed/Amended

Answer 2

1974

Question 3

Original Purpose

Answer 3

Protect student privacy

Question 4

Primary Requirements

Answer 4

Educational institutions cannot disclose education record information without student consent

Question 5

Entities subject to the law

Answer 5

Educational institutions that receive federal funding (which is practically all of them)

Question 6

Term for relevant PII or regulated data

Answer 6

Education record

Question 7

Definition of PII or regulated data

Answer 7

All records that are (1) “personally identifiable,” (2) directly related to the student, and (3) maintained by the school or by a party on behalf of the school.

“Personally identifiable” includes but is not limited to (similar to other statutes):

(a) student’s name;
(b) parent or family member’s name;
(c) student or family’s address;
(d) SSN or student ID number;
(e) other identifiers, such as date of birth;
(f) other information that, alone or in combination, can be linked to a student and would allow the student to be identified with reasonable certainty;
(g) information requested by a person whom the school reasonably believes knows the identity of the student to which the record is linked

Exclusions:

(a) campus police records;
(b) employment records, when the employee is not a student;
(c) treatment records (note: not all health-related info, just records maintained specifically for treatment and to be shared solely with those providing treatment. Does not include, for example, immunization records);
(d) applicant records for those not enrolled at the school;
(e) alumni records created after the alumnus is no longer a student;
(f) grades on peer-graded papers, before they are collected and recorded by the school’s agent.

Does NOT include:

Question 8

Enforcing authority - civil

Answer 8

Department of Education, Family Policy Compliance Office

Question 9

Civil or criminal?

Answer 9

Civil only

Question 10

Penalties - civil

Answer 10

Primary enforcement mechanism is withholding federal funding. However, generally DOE works with noncompliant institutions to bring them into voluntary compliance (it has never actually withheld funds based on a FERPA violation)

Question 11

Preemption?

Answer 11

Preempts HIPAA for records that would otherwise be considered PHI (so FERPA applies instead)

Question 12

Private right of action?

Answer 12

No

Question 13

FIP individual rights addressed

Answer 13

Notice, choice and consent, access (so, all of them)

Question 14

Notice requirements

Answer 14

Students get notice of disclosure to law enforcement (which is one of the statutory exceptions to written consent).

Institutions must provide notice of the right to opt out of publishing “directory information” before they can do so.

Question 15

Exceptions for notice

Answer 15

Most exceptions to consent do not require notice (just disclosure to law enforcement?)

Question 16

Choice and consent provisions

Answer 16

Requires written, opt-in consent for disclosure of most records. That consent must include:

(a) the record(s) to be disclosed;
(b) the purpose of disclosure; and
(c) the parties to whom the disclosure is being made.

Requires opt-out consent for “directory information” not linked to a particular grade/record (not specifically enumerated–institutions can create their own list–but examples include name, DOB, address, email address, phone, field of study, and honors received). SSNs can never be directory information; student ID numbers can only be directory information if a person needs additional, non-directory information to access a student’s records.

Question 17

Exceptions for consent

Answer 17

(a) disclosure to school officials who have determined a “legitimate educational interest” in the records. Can include third-party vendors under the direct control of the school, used for the purpose of maintaining the records;
(b) disclosure to educational institutions where student seeks to enroll or transfer, when disclosure is for a related purpose;
(c) disclosure related to seeking or keeping financial aid;
(d) disclosure to organizations doing educational research;
(e) disclosure to fulfill accrediting duties;
(f) disclosure to the alleged victim of a sex offense;
(g) disclosure pursuant to sex offender laws;
(h) disclosure to the party that created the record, e.g. a high school transcript to that high school;
(i) disclosure to law enforcement (requires notice unless it’s a legal matter that requires no notice);
(j) disclosure in connection with a health or safety emergency

Question 18

Access requirements

Answer 18

Must provide access within 45 days of a request, and respond to reasonable requests for explanation of records. However, no access to financial records of parents, confidential letters of recommendation, treatment records, or attorney-client privileged records. In the case of records pertaining to multiple students, each student only gets access to the portions of a record pertaining to that student.

Students may request corrections.

Question 19

FIP information controls addressed

Answer 19

Information Quality (not security)

Question 20

Information quality provisions

Answer 20

Students may request corrections, and have the right to a hearing if denied

Question 21

FIP Information Lifecycle provisions addressed

Answer 21

Disclosure (not collection/disposal, use and retention

Question 22

Disclosure requirements

Answer 22

Permitted where:

(a) information is not “personally identifiable;”
(b) information is “directory information” which release the student has not blocked;
(c) consent has been provided by the parent or of-age student;
(d) disclosure is made to the parent or of-age student;
(e) there is a statutory exception, such as for health or safety purposes.

Question 23

Redisclosure requirements?

Answer 23

None

Question 24

Right to list of disclosures?

Answer 24

No? Notice of disclosure to law enforcement is required, but that is the only relevant provision

Question 25

FIP Management principles addressed

Answer 25

None