Additional exceptions to the nondisclosure requirements of FERPA were established in the recent revisions. The 2008 revisions allow for the disclosure of educational records in connection with certain emergencies. An educational institution can release such records if it determines that there is an articulable and significant threat to the health and safety of a student or other individuals. Such information may be disclosed to appropriate parties—including the student’s parents— whose knowledge of the information is necessary to protect the health and safety of the student or others. The educational institution must maintain records of any such disclosures. Educational institutions are also now permitted to disclose, without consent, information concerning registered sex offenders. Further, FERPA now requires educational institutions to disclose to the alleged victim of any crime of violence or a sex offense the results of any disciplinary proceeding conducted by the institution against a student who is the alleged perpetrator of such a crime or offense.
Also, the 2008 revisions permit educational institutions to disclose educational information and personally identifiable information without prior consent to contractors, volunteers, or other non-employees performing services for the educational institution. The request must be based upon a legitimate educational interest. An educational institution must apply “reasonable methods” to limit disclosure and restrict access to such information.
FERPA also allows the disclosure of information without consent if all personally identifiable information has been removed from the records. In order to disclose such information, a school has to remove all information that, alone, or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.
The 2011 revisions further clarified how educational institutions could disclose information to audit the effectiveness of its programs. FERPA allows educational institutions to disclose information to third parties to audit or evaluate its programs. Previously, educational institutions could only disclose such information to entities or individuals under their direct control. Now, FERPA allows for the disclosure of information to “any entity or individual designated by a state or local educational authority to conduct any audit or evaluation, or any compliance or enforcement activity in connection with federal legal requirements that regulate programs.” This would include any audits of job placement, secondary education, or training programs. The institution must enter into a written agreement with any third party to which it discloses information. Such an agreement must contain provisions that protect against the re-disclosure of the information, provide plans to handle a data breach, and offer methods to record the data provided. According to the Department of Education, the revisions were done to “improve access to data that will facilitate states’ ability to evaluate education programs, to ensure limited resources are invested effectively, to build upon what works and discard what does not, and to contribute to a culture of innovation of continuous improvement in education.”
FERPA gives students the right to inspect their educational records (excluding information on other students, the financial records of parents, and confidential letters of recommendation if the student has waived the right to access) before giving consent to disclose information. If a student does request the right to inspect, the educational institution must comply within 45 days of the receipt of the request.
In many cases, students have seen, or are aware of, the contents of their files. For example, a student knows what courses he or she has taken and/or his or her GPA, both of which are included in the student’s “educational record.” Even if a student has waived the right to access his or her file, the school must provide a list of the file’s contents (including the names of all persons making confidential recommendations) upon the student’s request. If the student file has changed in any way, e.g., a letter of recommendation has been altered or replaced, career services should notify the student that there has been a change before disclosing the file’s contents to a potential employer or graduate school.