Another day, another acronym in the school communications world: FERPA. This federal law outlines an important component of a school’s responsibility to its families and students. This responsibility applies to anyone who works with student data, so it’s especially crucial that school administrators understand this law and can ensure their school remains compliant with it. Here’s what you need to know.
What is FERPA?
FERPA stands for the Family Educational Rights and Privacy Act. Essentially, this law says that American parents and guardians have three essential rights when it comes to their student’s educational records:
- They can access the records
- They can ask to have the records changed or updated
- They can influence how the record discloses identifying information
FERPA rights belong to families until one of two things happens: the student turns 18 or joins a postsecondary institution. When either of these things happens, the FERPA rights are transferred from the parent or guardian to the student.
FERPA also outlines some distinct data protection responsibilities for schools. The primary one is this: schools cannot hand over a student’s education records to anyone without written consent from the rights holder.
FERPA and Student Health Records
The world of data protection laws is complex and interrelated, so it’s natural that learning about FERPA might leave you wondering how it relates to privacy around a student’s medical records.
Records created by a school nurse are usually protected under FERPA, not the Health Insurance Portability and Accountability Act (HIPAA). This is significant because it means that a school nurse can actually communicate relevant health information to other staff in some cases.
What Qualifies as an Educational Record Under FERPA?
FERPA puts student data into three broad categories:
- Directory information
- Personally identifiable information
- Educational information
The only category of student data that isn’t protected by FERPA—meaning you don’t need signed consent to release it—is “directory information.” This is basic information you might find in a yearbook, like a student’s name, photo, address, phone number, or email address. These items alone are fine to be released without consent, but if such data is attached to educational records, it becomes classified as “personally identifiable information,” for which you’ll need consent.
The final category of educational information is often contested and can get a little gray. The law defines this data as “records, files, documents, and other materials . . . maintained by an educational agency or institution, or by a person acting for such agency or institution.”
We know this category includes items like a student’s GPA, grades, or transcripts. It also generally includes testing and evaluations, though a 2001 Supreme Court decision said that evaluations provided by peers were not protected under FERPA. As with so many legal issues, the categories and definitions are somewhat fluid, which can be risky for school administrators. This is part of why it’s best to err on the side of caution and try to always get written consent before releasing a student’s information.
When is Written Consent Not Required?
FERPA is applicable to any institution that receives U.S. Department of Education funds. This can include public and private schools at all levels, as well as local and state agencies. It’s unlikely your school is exempt from FERPA requirements.
That said, there are some times when schools don’t need to obtain written consent. Here are some examples of exemptions from FERPA:
- Emergencies. The word emergency is subject to some interpretation, but if a school ends up in a situation where they need to disclose student data quickly in order to protect health and safety, they are theoretically exempt from FERPA requirements.
- Future schools. If another institution has requested data about an incoming student who is enrolling there, you can usually send this without consent.
- Financial aid requests. Financial aid providers can be given student data to complete applications that will help that student pay for school.
This isn’t an exhaustive list. There are other scenarios in which written consent may not be required to release student data. But even if you think a situation qualifies as an exemption from FERPA, it’s still advisable to ask for permission before releasing student data whenever possible. Better to be safe than sorry.
The Consequences of a FERPA Violation
One of the reasons compliance is so important is that the consequences of a FERPA violation are often severe. Student privacy is a serious matter, and when schools make a mistake with it, they often pay a high price.
A school can lose its U.S. Department of Education funding for a FERPA violation. Before this happens, though, schools will have a chance to address the complaint with the Family Policy Compliance Office (FPCO). If the school is uncooperative or unable to fix the complaint, they risk a few other consequences before losing their funding entirely. These penalties can include a pause or freeze on their DOE funding, a change in their eligibility for the funding, or a cease and desist order.
The FPCO investigation usually offers schools plenty of opportunity to correct their errors and maintain their funding, but it’s best to avoid one in the first place with FERPA compliance.
How to Stay FERPA-Compliant
So, you obviously want to avoid getting sideways with FERPA’s requirements. Here’s how to keep your school compliant with student data privacy.
1. Have a response team for FERPA requests
What happens when a FERPA request lands in your school’s lap? There needs to be a workflow to ensure the process goes smoothly. You have only 45 days to respond and provide the requested educational data, so you need to be prepared. This means having a point person for FERPA requests and also having a team on deck if a change request requires you to convene a hearing.
Your FERPA point person(s) will also be responsible for drafting and sending the required annual notice about data rights to all eligible students and families.
Furthermore, you’ll need a system in place for requesting written consent for data sharing when it’s needed. Obtaining written consent from the rights holder is a crucial part of staying in compliance with FERPA. The more you can simplify and streamline your access to that written consent, the better.
2. Establish solid identification protocols
FERPA applies to digital records, too, which are subject to a wider array of security risks than hard copy records. This means all of your school’s systems for storage and collection of student data must be well protected.
Even when you’re sharing data with a family or student, you need to have security measures in place to ensure that the person you’re sharing with is, in fact, the rights holder. Much in the same way your bank requires a PIN, you need to have additional levels of security to verify a data recipient’s identity. The Department of Education calls this a “reasonable expectation of authentication.”
3. Use training and certification for peace of mind
One of the best lines of defense when it comes to FERPA compliance is keeping school staff trained about FERPA requirements. Have someone on your staff complete the Vendor Family Data Privacy Certification. This training can be done in-house if you already have a FERPA expert. The Department of Education also offers training resources around FERPA, as does the American Association of Collegiate Registrars and Admissions Officers (AACRAO).
It’s also imperative to work with vendors who are certified in protecting family and student data. Their products need to guarantee secure storage and handling of sensitive data.
“Vetting your data and communication suppliers is so important,” said Jason DeRoner, Chief Product Officer at SchoolStatus. On the heels of his company’s recent certification from 1EdTech, DeRoner said school administrators need to understand the key issues facing family data privacy and insist on EdTech communication and data vendors that are certified. “Everyone should be focusing on secure data practices, and schools are most vulnerable,” he said in a recent article.
Your school is likely outsourcing some tasks, such as website construction, to other companies. Schools have to use a variety of products to get through their day-to-day operations. This means that, even if your school is FERPA-compliant, your student data might be at risk in other ways. One way to assuage any fear about a third party violating FERPA is by only using products that are FERPA certified. This indicates that a company or product has gone through a detailed assessment and can be relied upon to keep your student data safe.
Student and Family Privacy is Your Responsibility
Understanding and complying with the law is the best way to ensure your school avoids a FERPA complaint and protects student privacy. This is a moral obligation as much as a legal one, so don’t postpone FERPA training and certification for your school.