Frequently Asked Questions

This section is designed to allow stakeholders easy access to all Frequently Asked Questions about student privacy.  All of the questions contained on this page have been tagged for easy browsing by either topic or audience.  This section is regularly updated as new questions are received.  You may also search the FAQs by using the search box on the top right of the page.

Must postsecondary institutions provide a parent with access to an eligible student’s education records?

While the rights under FERPA transfer from the parents to the student when the student turns 18 or enrolls in a postsecondary institution at any age, FERPA provides ways in which an institution can share education records on the student with his or her parents.  Schools may disclose any and all information to parents, without the consent of the eligible student, if the student is a dependent for tax purposes under the IRS rules.  FERPA also permits a school to disclose information from an eligible student’s education records to parents if a health or safety emergency involves their son or daughter.  Another provision in FERPA permits a college or university to let parents of students under the age of 21 know when the student has violated any law or policy concerning the use of possession of alcohol or a controlled substance.  School officials may also share information with a parent about an eligible student that is based on that official’s personal knowledge or observation and that is not based on information contained in an education record.

Must the Child Welfare Agency (CWA) or tribal organization record any redisclosure of personally identifiable information (PII) from education records made by the welfare agency or tribal organization to an individual or entity?

No.  FERPA does not require the CWA or tribal organization to record any redisclosure of PII from education records that it may make to an individual or entity, such as a contractor providing services to address a student’s education needs.  However, if the CWA or tribal organization does redisclose PII from an education record on a student in foster care placement to anyone other than an agency- or organization-employed caseworker or other representative who has the right to access a student’s case plan, the Department recommends, as a good data management practice, that the CWA or tribal organization record the redisclosure and inform the school of the redisclosure for record keeping purposes. 

Must the LEA ensure that a community-based organization designated as its authorized representative complies with FERPA?

Yes.  Before the LEA discloses personally identifiable information (PII) from education records to a community-based organization designated as an authorized representative, the LEA is required to use “reasonable methods” to ensure to the greatest extent practicable that the community-based organization is FERPA-compliant. This specifically means ensuring that the community-based organization:

  1. Uses PII from education records only to carry out an audit or evaluation of federal- or state-supported education programs, or for the enforcement of or compliance with, federal legal requirements related to these programs.  The LEA should make sure that the proposed audit or evaluation is legitimate, and require in the written agreement that the community-based organization use the PII from education records only for that audit, evaluation, or enforcement or compliance activity. 
  2.  Protects the PII from education records from further disclosures or other uses, except as authorized by the LEA in accordance with FERPA. The agreement must specify that the community-based organization may not further disclose the PII from education records, unless authorized.
  3.  Destroys the PII from education records when no longer needed for the audit, evaluation, or enforcement or compliance activity.  The agreement must specify that the community-based organization is required to destroy the PII from education records when it is no longer needed and specify the time period in which the PII must be destroyed.  See 34 CFR § 99.35(a)(2).

Must the LEA have a written agreement with the community-based organization prior to disclosing personally identifiable information (PII) from education records under the Audit Evaluation Exception?

Yes.  The LEA must use a written agreement to designate the community-based organization as its authorized representative.  The written agreement must include certain mandatory components as described in § 99.35(a)(3)(ii) of the regulations.  The specific policies and procedures outlined in the agreement should be consistent with FERPA and all other applicable laws.)  For additional information, see § 99.35 of the regulations

Must the school or LEA have a written agreement with the community-based organization conducting the study?

Yes.  Written agreements are required under the studies exception, §99.31(a)(6)(iii)(C), and must

  1. Specify the purpose, scope, and duration of the study and the information to be disclosed. 
  2. Require the community-based organization to use personally identifiable information (PII) from education records only to meet the purpose(s) of the study as stated in the written agreement.
  3. Require the community-based organization to conduct the study in a manner that does not permit the personal identification of parents and students by anyone other than representatives of the organization with legitimate interests.  This typically means that the organization should allow internal access to PII from education records only to individuals with a need to know, and that the organization should take steps to maintain the confidentiality of the PII from education records at all stages of the study.
  4. Require the community-based organization to destroy all PII from education records when the information is no longer needed for the purposes for which the study was conducted, and specify the time period in which the information must be destroyed.

Must the SEA record the redisclosure of education records to the Child Welfare Agency (CWA) or tribal organization?

Yes.  Section 99.32(b)(2)(i) of the FERPA regulations generally requires that an SEA that makes further disclosures of personally identifiable information (PII) from education records must record the names of the additional parties (e.g., the CWA) to which it discloses PII from education records on behalf of the LEA and their legitimate interests in the information under FERPA.  However, the SEA would not have to make a record of the redisclosure if the LEA had made a record of the disclosure to the SEA and included in that record the name of the CWA or tribal organization and its legitimate interest (i.e., to permit the CWA or tribal organization to address the education needs of the child) to which the additional disclosure of the education records would be made.

Should the school or LEA contact SPPO if the community-based organization has violated FERPA?

While FERPA does not require that you notify us, we recommend that you contact SPPO if a community-based organization violates FERPA and provide us with information concerning the violation and any actions that you have taken.  SPPO has the authority to impose what is informally known as “the five-year rule ban” against the community-based organization if SPPO determines that it has violated certain provisions under FERPA.  The five-year rule means that SPPO can instruct the originating LEA or school to not provide the community-based organization with further access to PII from students’ education records for a minimum period of five years.  SPPO may impose a longer period of time in which the community-based organization may not have access to PII.  The five-year rule ban applies regardless of whether the community-based organization is a recipient of Department funds.  For more information on penalties for FERPA violations, see 34 CFR § 99.67.

To which educational agencies or institutions does FERPA apply?

FERPA applies to educational agencies or institutions that receive funds from programs administered by the U.S. Department of Education.  By “educational agencies or institutions” we mean public schools, school districts (or “local educational agencies” (LEAs)), and postsecondary institutions, such as colleges and universities.  Private and parochial schools at the elementary and secondary level generally do not receive such funding and are, therefore, not subject to FERPA. 

Under FERPA, may an educational agency or institution disclose education records to any of its employees without consent?

No.  FERPA permits an educational agency or institution to disclose, without consent, personally identifiable information from students’ education records only to school officials within the educational agency or institution that the educational agency or institution has determined to have legitimate educational interests in the information. 34 CFR § 99.31(a)(1).  Generally, a school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.

Under § 9528 of the ESEA, what notification must LEAs provide to parents before disclosing names, addresses, and telephone numbers of secondary students to military recruiters and officials of institutions of higher education?

Under FERPA, an LEA must provide notice to parents of the types of student information that it releases publicly.  This type of student information, commonly referred to as “directory information,” includes such items as names, addresses, and telephone numbers and is information generally not considered harmful or an invasion of privacy if disclosed.  The notice must include an explanation of a parent’s right to request that the information not be disclosed without prior written consent.  Additionally, § 9528 requires that parents be notified that the school routinely discloses names, addresses, and telephone numbers to military recruiters upon request, subject to a parent’s request not to disclose such information without written consent.  A single notice provided through a mailing, student handbook, or other method that is reasonably calculated to inform parents of the above information is sufficient to satisfy the parental notification requirements of both FERPA and § 9528.  The notification must advise the parent of how to opt out of the public, nonconsensual disclosure of directory information and the method and timeline within which to do so.