Frequently Asked Questions

This section is designed to allow stakeholders easy access to all Frequently Asked Questions about student privacy.  All of the questions contained on this page have been tagged for easy browsing by either topic or audience.  This section is regularly updated as new questions are received.  You may also search the FAQs by using the search box on the top right of the page.

When the organization publishes the results of the study can it publish results in a way that allows individual students to be identified?

No.  Absent the prior, written consent from the parent or eligible student, FERPA prohibits personally identifiable information (PII) from education records from being published in a way that would allow individual students and their parents to be identified.  The organization conducting the study can use PII from education records to conduct the study for the school, but results must be published in a way that protects the privacy and confidentiality of the individuals involved. For example, when publishing data tables, the organization may need to use cell suppression or other methods of disclosure avoidance so that students cannot be identified through small numbers displayed in table cells. 

Who are considered “appropriate parties” that may receive information under the health or safety emergency exception?

Typically, local or state law enforcement officials, public health officials, trained medical personnel, and parents (including parents of an eligible student) are the types of appropriate parties to whom schools may disclose information under this FERPA exception.  An appropriate party under the health or safety emergency exception to FERPA’s general consent requirement is a party whose knowledge of such information is necessary to protect the health or safety of the student or other persons.  

Who is a “school official” under FERPA?

A “school official” includes a teacher, school principal, president, chancellor, board member, trustee, registrar, counselor, admissions officer, attorney, accountant, human resources professional, information systems specialist, and support or clerical personnel.    

FERPA (§ 99.31(a)(1)(i)(B)) permits schools to outsource institutional services or functions that involve the disclosure of education records to contractors, consultants, volunteers, or other third parties provided that the outside party:

  1. Performs an institutional service or function for which the agency or institution would otherwise use employees;
  2. Is under the direct control of the agency or institution with respect to the use and maintenance of education records;
  3. Is subject to the requirements in § 99.33(a) that the personally identifiable information (PII) from education records may be used only for the purposes for which the disclosure was made, e.g., to promote school safety and the physical security of students, and governing the redisclosure of PII from education records; and
  4. Meets the criteria specified in the school or local educational agency’s (LEA’s) annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records.

Who is responsible for obtaining written consent from the parent or eligible student: the school or the community-based organization?

FERPA requires that the parent or eligible student “provide a signed and dated written consent” before a school or LEA discloses personally identifiable information (PII) from a student’s education record, unless one of the conditions in § 99.31 of the regulations applies.  There is nothing in FERPA that would preclude a community-based organization from obtaining a signed and dated written consent as long as the consent: (1) specifies the education records that may be disclosed, (2) states the purpose of the disclosures; and (3) identifies the organization or other parties to whom the disclosure may be made.  34 CFR § 99.30(b).  

Would a Child Welfare Agency (CWA) or tribal organization be subject to FERPA’s “five-year rule” if it improperly redisclosed personally identifiable information (PII) from education records?

Yes.  FERPA requires that entities to which educational agencies and institutions disclose PII from education records protect that information from further disclosure.  See § 99.33.  Additionally, § 99.67(e) of the FERPA regulations provides that if the Family Policy Compliance Office (FPCO) determines that a third party outside the LEA or school improperly redisclosed PII from education records in violation of § 99.33 of the FERPA regulations, then the educational agency or institution may not provide that third party access to education records for a minimum period of five years. Thus, if FPCO determines that a CWA or tribal organization improperly redisclosed PII from the education records that it had received from the school or LEA, the school or LEA then would be banned from providing the CWA or tribal organization with access to education records for a minimum of five years.