Frequently Asked Questions

This section is designed to allow stakeholders easy access to all Frequently Asked Questions about student privacy.  All of the questions contained on this page have been tagged for easy browsing by either topic or audience.  This section is regularly updated as new questions are received.  You may also search the FAQs by using the search box on the top right of the page.

May postsecondary institutions disclose results of disciplinary proceedings?

Postsecondary institutions may disclose the final results of disciplinary proceedings if the institution has found that the student has violated the institution’s rules or policies in regard to a crime of violence or a non-forcible sex offense.  However, the institution may not disclose the name of any other student, including a victim or witness, without the prior written consent of that student.

May the community-based organization receiving personally identifiable information (PII) from education records redisclose PII from education records without written consent?

No.  Regardless of whether the community-based organization received the PII under the school official, studies, or audit/evaluation exception, the answer is the same – the community-based organization may not redisclose it unless such redisclosure is on behalf of the disclosing entity and is consistent with FERPA.  (34 CFR § 99.33).  If further redisclosure is contemplated, we recommend that provisions addressing authorized redisclosures be included in any agreement with the community-based organization.

May the LEA disclose personally identifiable information (PII) from education records to a community-based organization under the audit or evaluation exception for the purpose of the community-based organization evaluating its own program?

Generally, no.  The audit or evaluation by an community-based organization of its own program (i.e., to determine whether or not the organization’s program is effective) in most cases would not be permitted under the audit or evaluation exception because the audit or evaluation exception only permits the audit or evaluation of federal- or state-supported education programs, which FERPA defines as any program principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution. 

May the school or LEA non-consensually disclose personally identifiable information (PII) from education records to a community-based organization that is conducting a study for the school or LEA?

Yes.  The studies exception allows for the disclosure of PII from education records without consent to community-based organizations conducting studies for, or on behalf of, the school or LEA.  FERPA limits the purpose of the studies conducted under this exception to: (1) developing, validating, or administering predictive tests; (2) administering student aid programs; or (3) improving instruction.  See 34 CFR § 99.31(a)(6)(i).  

Must a school have a written agreement or contract with a community-based organization to which it non-consensually discloses education records to outsource an institutional service under the school official exception?

No.  While FERPA does not require written agreements or contracts when a school chooses to outsource an institutional service or function to a community-based organization under the “school official” exception, it is a best practice to do so.  Written agreements help ensure that the community-based organization understands its obligations and responsibilities with respect to the use of and privacy protections accorded to the FERPA protected information.  Further, appropriate contractual provisions can establish the direct control required by FERPA under this exception.  Additionally, local or state policies or laws may require the use of written agreements or contracts for procurement. 

Must a school inform parents and eligible students if the school non-consensually discloses personally identifiable information from their education records to a community-based organization to which the school has outsourced an institutional service?

No.  While there is no specific notification requirement regarding disclosures under the exceptions to consent, FERPA does require that each school or LEA annually notify parents and eligible students of their rights under FERPA.  34 CFR § 99.7.  As a part of the annual notice, the school or LEA must include in the notification a specification of the criteria for determining who constitutes a school official and what constitutes a legitimate educational interest.  34 CFR § 99.7(3)(iii).    

Must a school or LEA record the non-consensual disclosure of personally identifiable information (PII) from education records to a community-based organization?

Yes.  Generally, when a school or LEA discloses without consent PII from education records to a community-based organization, with the exception of disclosures made under the “school official” exception, the disclosure must be recorded.  FERPA require schools to record all requests for access to, and all disclosures of, PII from the education records of each student, except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information, and disclosures to the parent or eligible student.  See 34 CFR § 99.32(d).  Schools and LEAs must maintain these records with the student’s education records for as long as the student’s records are maintained.  The recorded information must include the parties who have requested or received PII and their legitimate interests in requesting or obtaining the information. Parents and eligible students have a right to inspect and review the record of disclosures.  See 34 CFR § 99.32 for the full list of recordation requirements.