Frequently Asked Questions

This section is designed to allow stakeholders easy access to all Frequently Asked Questions about student privacy.  All of the questions contained on this page have been tagged for easy browsing by either topic or audience.  This section is regularly updated as new questions are received.  You may also search the FAQs by using the search box on the top right of the page.

May a school disclose directory information to a community-based organization without written consent?

Generally, yes.  FERPA allows schools that have adopted directory information policies to disclose properly designated directory information without consent on students whose parents (or eligible students) have not opted out of the disclosure of directory information.  See § 99.37(a).  However, if a school adopts a directory information policy specifying that disclosure of directory information will be limited to specific parties, for specific purposes, or both, then the school is required to limit its directory information disclosures to those specified in its public notice.  See § 99.37(d).

May a social security number or other student identification number be listed as directory information?

A school may not designate a student’s social security number as directory information.  However, directory information may include a student’s user ID or other unique identifier used by the student to access or communicate in electronic systems, but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student’s identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student or authorized user. 34 CFR § 99.3

May an educational agency or institution disclose directory information without prior consent?

Education records that have been appropriately designated as "directory information" by the educational agency or institution may be disclosed without prior consent.  See 34 CFR §§ 99.31(a)(11) and 99.37.  FERPA defines directory information as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.  34 CFR § 99.3. 

FERPA provides that a school may disclose directory information if it has given public notice of the types of information which it has designated as "directory information," the parent or eligible student’s right to restrict the disclosure of such information, and the period of time within which a parent or eligible student has to notify the school in writing that he or she does not want any or all of those types of information designated as "directory information."  34 CFR § 99.37(a).  A school is not required to inform former students or the parents of former students regarding directory information or to honor their request that directory information not be disclosed without consent.  34 CFR § 99.37(b).  However, if a parent or eligible student, within the specified time period during the student's last opportunity as a student in attendance, requested that directory information not be disclosed, the school must honor that request until otherwise notified.

May an educational agency or institution disclose information over the phone?

While FERPA does not specifically prohibit a school from disclosing personally identifiable information from a student’s education records over the telephone, it does require that the school use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the school discloses personally identifiable information from education records. 34 CFR § 99.31(c).

May an educational agency or institution disclose personally identifiable information from students education records for the purpose of a specified audit, evaluation, or for compliance and enforcement purposes under FERPA?

FERPA permits schools to disclose PII from students’ education records, without consent, to authorized representatives of state and local educational authorities, the Secretary of Education, the Comptroller General of the United States, and the Attorney General of the United States for specified purposes.  Disclosures may be made under this exception as necessary in connection with the audit or evaluation off federal- or state-supported education programs, or in connection with the enforcement of federal legal requirements that relate to those programs. 34 CFR §§ 99.31(a)(3) and 99.35.

May an educational agency or institution disclose personally identifiable information from students education records to third parties for the purpose of conducting a study on its behalf?

FERPA contains an exception to its general consent rule under which an educational agency or institution may disclose personally identifiable information from education records without consent to organizations conducting studies for, or on its behalf.  Studies must be only for the purpose of: developing, validating, or administering predictive tests; administering student aid programs; or improving instruction. A written agreement with the organization is required, specifying the purposes of the study and the use and destruction of the information. 34 CFR § 99.31(a)(6)

May an LEA non-consensually disclose personally identifiable information (PII) from education records to a community-based organization in order to conduct an audit or evaluation of the school system’s education programs?

Yes.  FERPA’s audit or evaluation exception allows an LEA to designate a community-based organization as its authorized representative and disclose PII from education records without consent of parents or eligible students to audit or evaluate a federal- or state-supported education program, or to enforce or comply with federal legal requirements that relate to those education programs (audit, evaluation, or enforcement or compliance activity).  See 34 CFR § 99.35.  (This provision does not apply to individual schools that are not considered local educational authorities under state or local law.)  

May an SEA redisclose, on behalf of its LEAs, the education records of students in foster care placement to the students’ Child Welfare Agencies (CWAs) or tribal organizations that are legally responsible for their care and protection?

Yes.  An SEA may redisclose personally identifiable information (PII) from the education records of students in foster care placement to a CWA or tribal organization that is legally responsible for the care and protection of the student.  The disclosure must be made on behalf of the LEA, as permitted under § 99.33(b)(1) of the FERPA regulations.