By Audience: Postsecondary School Officials

The resources on this page are intended for staff and educators of Postsecondary Institutions.  Resources found here typically address FERPA’s requirements and how they apply to the various day-to-day operations of postsecondary institutions that may be different than the K-12 setting.  Guidance is also provided for the particular challenges encountered at the postsecondary level as it relates to the handling and protection of students’ Personally Identifiable Information.

Guidance and Best Practices

School Resource Officers, School Law Enforcement Units, and the Family Educational Rights and Privacy Act (FERPA)

This guidance document consists of thirty-seven commonly asked questions about schools’ and school districts’ responsibilities under FERPA relating to disclosures of student information to school resource officers (SROs), law enforcement units and others, and seeks to explain and clarify how FERPA protects student privacy while ensuring the health and safety of students and others in the school community. SRO LEU LEO

Guidance and Best Practices

Improving the Effectiveness and Efficiency of FERPA Enforcement

The Department is committed to protecting student privacy. To provide more timely and effective assistance to parents and students and to address a recommendation made by the Department’s Office of the Inspector General to “implement a risk-based approach to processing and resolving FERPA complaints,”  the Department is modifying its investigatory practices to more efficiently address and resolve complaints and violations under FERPA.  

Guidance and Best Practices

Joint Guidance on the Application of FERPA and HIPAA to Student Health Records

The U.S. Department of Education and the Office for Civil Rights at the U.S. Department of Health and Human Services released updated joint guidance addressing the application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to records maintained on students. 

Guidance and Best Practices

Best Practices for Data Destruction

The Data Destruction Document is a best practices guide on properly destroying sensitive student data after it is no longer needed.  It details the life cycle of data and discusses various legal requirements relating to the destruction of data under FERPA, and examines a variety of methods for properly destroying data.  The guide also discusses best practices for data destruction and provides some real-world examples of how to implement it within your organization.

Letters

Letter to Liberty University

This letter was sent to Liberty University in regards to a request for clarrification on the extent FERPA would require Liberty University to provide individuals allegedly involved in fraud rings with the opportunity to inspect and review investigation reports prepared by the University related to suspected financial aid fraud.  

Letters

Cyber Advisory - New Type of Cyber Extortion / Threat Attack

Schools have long been targets for cyber thieves and criminals.  We are writing to let you know of a new threat, where the criminals are seeking to extort money from school districts and other educational institutions on the threat of releasing sensitive data from student records.  In some cases, this has included threats of violence, shaming, or bullying the children unless payment is received.