Frequently Asked Questions

This section is designed to allow stakeholders easy access to all Frequently Asked Questions about student privacy.  All of the questions contained on this page have been tagged for easy browsing by either topic or audience.  This section is regularly updated as new questions are received.  You may also search the FAQs by using the search box on the top right of the page.

Who is a “school official” under FERPA?

A “school official” includes a teacher, school principal, president, chancellor, board member, trustee, registrar, counselor, admissions officer, attorney, accountant, human resources professional, information systems specialist, and support or clerical personnel.    

FERPA (§ 99.31(a)(1)(i)(B)) permits schools to outsource institutional services or functions that involve the disclosure of education records to contractors, consultants, volunteers, or other third parties provided that the outside party:

  1. Performs an institutional service or function for which the agency or institution would otherwise use employees;
  2. Is under the direct control of the agency or institution with respect to the use and maintenance of education records;
  3. Is subject to the requirements in § 99.33(a) that the personally identifiable information (PII) from education records may be used only for the purposes for which the disclosure was made, e.g., to promote school safety and the physical security of students, and governing the redisclosure of PII from education records; and
  4. Meets the criteria specified in the school or local educational agency’s (LEA’s) annual notification of FERPA rights for being a school official with a legitimate educational interest in the education records.

Who is responsible for obtaining written consent from the parent or eligible student: the school or the community-based organization?

FERPA requires that the parent or eligible student “provide a signed and dated written consent” before a school or LEA discloses personally identifiable information (PII) from a student’s education record, unless one of the conditions in § 99.31 of the regulations applies.  There is nothing in FERPA that would preclude a community-based organization from obtaining a signed and dated written consent as long as the consent: (1) specifies the education records that may be disclosed, (2) states the purpose of the disclosures; and (3) identifies the organization or other parties to whom the disclosure may be made.  34 CFR § 99.30(b).  

Would a Child Welfare Agency (CWA) or tribal organization be subject to FERPA’s “five-year rule” if it improperly redisclosed personally identifiable information (PII) from education records?

Yes.  FERPA requires that entities to which educational agencies and institutions disclose PII from education records protect that information from further disclosure.  See § 99.33.  Additionally, § 99.67(e) of the FERPA regulations provides that if the Family Policy Compliance Office (FPCO) determines that a third party outside the LEA or school improperly redisclosed PII from education records in violation of § 99.33 of the FERPA regulations, then the educational agency or institution may not provide that third party access to education records for a minimum period of five years. Thus, if FPCO determines that a CWA or tribal organization improperly redisclosed PII from the education records that it had received from the school or LEA, the school or LEA then would be banned from providing the CWA or tribal organization with access to education records for a minimum of five years.