What should the school or local educational agency do if it finds that a community-based organization has misused or inappropriately redisclosed the personally identifiable information (PII) from the education records it received from the school or LEA?

If the community-based organization misuses or inappropriately rediscloses personally identifiable information (PII) from education records, the school or LEA should immediately take steps to address and mitigate any harm or damage caused by the violation. The LEA or school should evaluate its options under the penalty and termination provisions of its written agreement, contract, or arrangement with the community-based organization and check any relevant state or local laws.  Depending on the severity of the circumstance, the LEA or school may decide to terminate its relationship with the community-based organization and require the organization to destroy or return the education records to the school or LEA. 

While FERPA does not require that you notify us, we recommend that you contact SPPO if a community-based organization violates FERPA, and provide us with information concerning the violation and any actions that you have taken.  SPPO has the authority to impose what is informally known as “the five-year rule ban” against the community-based organization if SPPO determines that it has violated certain provisions under FERPA.  The five-year rule means that SPPOcan instruct the originating LEA or school to not provide the community-based organization with further access to PII from students’ education records for a minimum period of five years.  SPPO may impose a longer period of time in which the community-based organization may not have access to PII.  The five-year rule ban applies regardless of whether the community-based organization is a recipient of Department funds.  For more information on penalties for FERPA violations, see 34 CFR § 99.67

K-12 School Officials
Community Based Organizations