FERPA Primer: The Basics and Beyond

The Family Educational Rights and Privacy Act (FERPA) was enacted by Congress to protect the privacy of students and their parents. The act is designed to ensure that students and parents of students may obtain access to the student’s educational records and challenge the content or release of such records to third parties.

Summary FERPA Restrictions

FERPA requires that federally funded institutions, under programs administered by the U.S. Department of Education, comply with certain procedures with regard to disclosing and maintaining educational records. FERPA was not enacted to preclude the disclosure of educational records simply because the records identify a student by name; rather, it was designed to protect the student’s educational information and status as a student.


To understand the scope of FERPA, it is necessary to define “student.” According to FERPA, a student is an individual who is enrolled in and actually attends an educational institution. The regulations provide that attendance includes, but is not limited to, attendance in person or by correspondence. Courts have held that individuals who merely audit classes or who are accepted to an educational institution but do not attend any classes are not “students” for purposes of FERPA. Individuals who “attend” classes but are not physically located on a campus are also students, thus including those who attend classes by videoconference, satellite, Internet, or other electronic information and telecommunications technologies.

FERPA prohibits the disclosure of a student’s “protected information” to a third party. This disclosure is prohibited whether it is made verbally or by hand delivery, fax, mail, or electronic transmission. Disclosure also includes the provision of access to the educational institution’s career center database of student resumes.

For purposes of FERPA, a “third party” includes any individual or organization other than the student or the student’s parent(s). With respect to third parties, even if the initial disclosure of protected information is permissible, FERPA limits the subsequent disclosure of the information by the third party. As such, once an educational institution discloses protected information to a third party, it must ensure that the third party does not itself improperly disclose the information in violation of FERPA.

Protected Information

FERPA classifies protected information into three categories: educational information, personally identifiable information, and directory information. The limitations imposed by FERPA vary with respect to each category.

Although personally identifiable and directory information are often similar or related, FERPA provides different levels of protection for each. Personally identifiable information can only be disclosed if the educational institution obtains the signature of the parent or student (if over 18 years of age) on a document specifically identifying the information to be disclosed, the reason for the disclosure, and the parties to whom the disclosure will be made. Failure to comply with these requirements will result in a violation of FERPA.

On the other hand, with respect to directory information, FERPA does not bar disclosure by the educational institution. Directory information is defined as “information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” This includes such items as a list of students’ names, addresses, and telephone numbers, and also includes a student ID number (which includes electronic identifiers) provided it cannot be used to gain access to education records. Directory information, however, does not include a student’s social security number, nor can the social security number be used to confirm directory information. Directory information can be disclosed provided that the educational institution has given public notice of the type of information to be disclosed, the right of every student to forbid disclosure, and the time period within which the student or parent must act to forbid the disclosure. If a student decides to “opt out” of the disclosure of directory information, the “opt out” continues indefinitely. Therefore, an educational institution cannot release such information even after a student is no longer in attendance. However, the 2011 revisions to the act prohibit a student from opting out as a way to prevent schools from requiring students to wear an identification card or badge.

The 2011 revised regulations also reduced the burden on educational institutions of receiving consent prior to the disclosure of information for routine uses of student information. Educational institutions are now permitted to adopt a limited directory information policy that allows the schools to disclose designated information to designated parties. To create such a policy, however, educational institutions must provide notice to parents or eligible students.

FERPA precludes the disclosure of educational information without the prior approval of the student or parent. The issue of what constitutes “educational information” has been hotly contested and subject to much litigation since the inception of FERPA. FERPA defines “education records” as “records, files, documents, and other materials” that are “maintained by an educational agency or institution, or by a person acting for such agency or institution.” While it is clear that educational information includes a student’s transcripts, GPA, grades, social security number, and academic evaluations, courts have also included in this category certain psychological evaluations. “Education records” also include any record that pertains to an individual’s previous attendance as a student of an institution. In this regard, information pertaining to lawsuits or other claims that are related to a former student is covered under the definition of “education record” under FERPA and is precluded from disclosure absent prior approval.

FERPA has, however, excluded from the definition of “education record” the use of “peer grading.” In this regard, the 2008 revisions to FERPA implemented the U.S. Supreme Court decision in Owasso Independent School District v. Kristja Falvo, which held that peer grading was not educational information for purposes of FERPA. According to the court, “peer grading,” a practice whereby one student scores/grades the work of another student, is generally not encompassed by FERPA because the information is not created or “maintained” by the educational institution or an agent of the institution. Rather, the information is created and maintained by another student. This exception, however, stops at the time the test or assignment is collected and recorded by the teacher.

Courts have adopted similar reasoning with respect to teacher evaluations and negative letters of recommendation written by the teacher but not “maintained” by the educational institution in its files. Courts have been reluctant to find that these records are subject to FERPA because they do not meet the strict definition of an “educational record” according to FERPA.

Regarding reference letters and resumes, the key is whether these records include or incorporate the student’s “educational information” (i.e., GPA, grades, social security numbers, and so forth). If these documents contain “protected” educational information, they cannot be disclosed without satisfying FERPA’s pre-disclosure requirements. An educational institution may not provide an employer, headhunter, or other employment agency with a student’s resume or confidential letter of reference that contains protected educational information unless it first obtains approval from the student or the student’s parent.