The Family Educational Rights and Privacy Act of 1974 (FERPA) protects the privacy of student records by requiring prior written consent before disclosing personally identifiable information to a third party. It applies to colleges and universities that receive funding from the federal government.
FERPA applies to the Financial Aid Office
Records created and maintained by the financial aid office are considered to be education records and may not be disclosed without the student’s consent. This includes at least all of the following records:
- Records relating to eligibility and disbursement of Federal student aid funds
- Student account
- Federal work-study payroll records
- Financial aid applications
- SARs and ISIRs
- Documentation of professional judgment decisions
- Documentation relating to a refusal to certify Federal education loans
- Financial aid history information (for transfer students)
- Cost of attendance information, including documentation relating to any adjustments
- Satisfactory Academic Progress (SAP) documentation
- Documents used for verification
- Entrance and exit counseling records
- Financial records
Educational records include any materials received from the student and/or parents. It also includes any records that were used to make decisions about the student.
Only those records that are directly related to the student are considered to be educational records.
Although employment records are not considered education records by FERPA, student employment records are considered to be education records. So the employment records of a university employee who takes a class are not protected by FERPA, but the employment records of a work-study student are protected by FERPA. The distinction is whether the employment resulted from the individual’s status as a student.
Medical records are not necessarily protected by FERPA. If such records are not protected by FERPA, they may be protected by HIPAA.
Format of Records
Educational records include records, files, documents, video tapes, audio tapes, film, microfilm, microfiche, electronic records and other materials that contain information that is directly related to the student (i.e., personally identifiable information).
Certain documents must be maintained either in hardcopy format or in an imaged media format. This includes any documents for which a visible mark is used to validate authenticity, such as documents that contain a signature, seal or other certification. Examples include income tax returns, notarized documents, verification statements, and SARs.
FERPA proper only requires that one keep a record of all disclosures of education records and that one retain any records that are subject to a pending disclosure request. The General Education Provisions Act, as amended by the Improving America’s Schools Act of 1994, requires education records to be retained for at least three years. In most cases this means that records must be kept at least three years from the end of the award year. For some records, a different reference date is used. For example, records concerning education loans must in most cases be kept for at least three years from the end of the award year in which the student last attended.
Right to Review and Challenge Records
FERPA also requires the school to give the student the opportunity to review his or her records and request a change to the records. If the request to change the records is denied, the student may request a hearing to challenge the contents on the grounds that the records are inaccurate, misleading, or violate the rights of the student. If the school does not amend the records after the hearing, the student has the right to place a statement in the record concerning the contested information.
While FERPA requires the school to allow the student to inspect and review his educational records, it does not require the school to provide the student with copies of those records, unless the requirement to inspect the records in person would effectively deny access to the records. No fees may be charged for retrieving the records, but a reasonable fee may be charged for providing copies of the records, provided that the fee would not prevent access to the records.
The school may disclose the education records of a student to his or her parents, without the student’s consent, if the student is dependent according to IRS rules (i.e., claimed as a dependent on the parents’ income tax return, per IRC Section 152). This includes both parents even if the parents are divorced. The non-custodial parent may see the student’s education records even if he or she doesn’t claim the student as a dependent, so long as the other parent claims the student as a dependent. (This may also include financial records, which is often a concern to parents who are divorced. 34 CFR 99.12(b) specifies that a school does not have to permit a student to review the financial records of his parents. Accordingly, many schools have more restrictive disclosure policies, requiring consent of the individual who supplied the education records before disclosing that information to the student or the other parent.) If the student is not claimed as a dependent by his or her parents, the parents do not have the right to review the student’s education records, not even if they pay the tuition bills.
If a divorce decree, separation agreement, custody agreement, restraining order, or other legally binding agreement or court order revokes a parent’s right to see the student’s education records, the school may not disclose the student’s education records to that parent.
The student’s spouse or ex-spouse does not have the right to review the student’s educational records. For example, if a student’s ex-spouse alleges that the student provided false information on her financial aid application, the school may not disclose the student’s records to the ex-spouse. (This is a tricky situation, and the school should generally seek the advice of counsel before proceeding.) The school may receive information from the ex-spouse and treat it as conflicting information, but should take care to avoid disclosing any information in the student’s file to the ex-spouse and may wish to have the ex-spouse sign a FERPA waiver if the ex-spouse is also a student. If the school receives a subpoena for the information, the school should refer the matter to the school’s attorneys and wait for instructions from the attorneys before disclosing any information.
Some education lenders have been attempting to use the Freedom of Information Act (FOIA, 5 USC 552) and similar state statutes to obtain student information. When these efforts try to obtain anything other than directory information, including directory information that has been subsetted by any nondirectory information such as financial aid status, they represent a violation of FERPA and the school should not comply.
The US Department of Education wrote in Dear Colleague Letter GEN-07-05 that “The Federal FOIA only applies to Federal agencies and their employees. Institutions that participate in the Title IV, HEA programs are not subject to the Federal FOIA and therefore are not required to release any student information under this law.”
State freedom of information laws are trumped by FERPA. It would be a good idea to ask school counsel to review any request to obtain student records under FOIA or other laws.
Exceptions to Consent
Disclosure of education records without consent is permitted in certain circumstances.
FERPA does not preclude the disclosure of statistical, non-personally identifiable information.
Disclosure of education records is permitted to authorized representatives of the US Department of Education (including contractors and the Office of the Inspector General) as well as state and local education authorities.
Disclosure of education records is also permitted to the INS for international students who have signed a Form I-20 or who are attending under an M-1 or J-1 visa.
If the student applied for financial aid or received financial aid, disclosure is permitted if needed to determine financial aid eligibility or the amount of aid, or to enforce the terms and conditions of the aid.
For example, the school must provide directory information to the US Department of Education for recipients of Federal student aid funds who attend or attended the school. Likewise, the school must provide directory information for FFEL borrowers to the relevant lender and/or guarantee agency.
Disclosures to other departments or business units of the school are generally prohibited unless they have a legitimate educational interest in the records. For example, the financial aid office may not disclose information in the student’s financial aid records to the alumni or development office. (Typically, the development office will want to use this information to identify wealthy parents. FERPA prohibits providing the development office with this information, since the disclosure is not narrowly limited to a legitimate educational interest. Even if the college establishes it as a legitimate educational interest in advance through the annual notice of FERPA rights, one must ask whether this disclosure is for the benefit of the student or the benefit of the institution. Disclosures that are contrary to the interest of the student may have a chilling effect. For example, many families say they prefer private education loans over Federal education loans because of concerns over privacy. They trust the education lenders with their private information more than they trust the college.) When disclosure to a different school department is permitted, the disclosure must be limited to just the information for which they have a legitimate educational interest. For example, although some information may be shared with the registrar, the registrar does not have a legitimate educational interest in some of the information contained in ISIR records, so the financial aid office may not give the registrar copies of the full ISIR records.
Note, however, that at many schools the alumni office is a separate corporate entity. If the alumni office is not part of the university, it would be a FERPA violation to share educational records with them even if they have a legitimate educational interest in the records. FERPA only allows an exception to consent on the basis of an educational interest when the records are being disclosed to university employees, not a separate entity.
As part of the annual notice of the student’s FERPA rights, the school is required to identify which school officials (i.e., which offices and employees) have a legitimate educational interest and may access the student’s education records without the student’s consent.
The school must also control redisclosure of records. In particular, if the financial aid office shares information with another office, that office must agree to not redisclose the information it has received.
The student’s education records may be disclosed to either parent of a dependent student, where dependent follows the IRS definition (i.e., 50% support test), not the Federal student aid definition. Since this technically means that divorced parents could see the information submitted by the other ex-spouse, many schools go beyond the minimal FERPA requirements in their own policies, requiring consent of the party that provided the information before releasing it to the other parent or to the student. FERPA does not require the school to disclose the parent’s financial records to the student. (See 34 CFR 99.4, 34 CFR 99.7, 34 CFR 99.10, 34 CFR 99.12(b), 34 CFR 99.31(8) and 34 CFR 99.32 for details.)
The health or safety emergency exception allows disclosure without consent where the information that is disclosed will help prevent or mitigate a serious threat to the health or safety of the student, other students, or other members of the school community. The threat must be imminent and the disclosure must be narrowly tailored to the nature of the emergency.
Law enforcement unit records may be released without the student’s consent. This includes, for example, records maintained by the campus police.
Schools may disclose information concerning sex offenders that they received under a State sex offender registration and community notification program.
Educational records may be disclosed in response to a lawfully issued subpoena or court order or an ex parte order in connection with the investigation or prosecution of terrorism crimes. Since financial aid office staff are not qualified to determine whether a subpoena or court order is properly issued and qualifies for the disclosure exception, all such requests for disclosure should be turned over to the school’s attorney. The school’s attorney may take steps to challenge the subpoena (e.g., have it limited, modified or quashed) and will comply with any requirements to notify the student. Do not do anything in response to a subpoena or court order until the school’s attorney tells you what to do. (Schools most often encounter this kind of problem when a student is getting divorced. Such requests for educational records may or may not satisfy the requirements for a FERPA exception, and only the school’s attorney can make that call.)
Directory information, which is information that is not considered harmful or an invasion of privacy if released, may be disclosed without consent. However, the school must provide students and parents with the opportunity to opt-out of such disclosures. The school may not disclose directory information for a subset based on non-directory information, such as race or gender, as that would implicitly disclose the non-directory information. Dear Colleague Letter GEN-07-05 emphasizes that directory information that is linked to non-directory information, such as financial aid status, may not be disclosed. Directory information includes the student’s name, address, telephone number, email address, dates of attendance, year in school, enrollment status (full or part-time, graduate or undergraduate), photograph, majors, degrees, honors and awards, age or date of birth, place of birth, participation in extracurricular activities and sports, and height/weight for members of athletic teams. Directory information does not include race, gender, national origin, GPA, amounts of any awards (e.g., donor awards), student ID number, or Social Security Number.
Because the Solomon Amendment (10 USC 983 and 32 CFR 216) was enacted after FERPA and is more specific than FERPA, it appears to override FERPA. The Solomon Amendment gives the Armed Forces the authority to request the following information about currently enrolled students age 17 years and older: name, address, telephone numbers, date of birth (or age), place of birth, level of education (e.g., freshman, sophomore, junior, senior), academic majors, degrees received, and most recent education institution in which the student was enrolled. This means that the US Armed Forces may request directory information for currently enrolled students for military recruitment purposes. (32 CFR 216.4(5) contains an opt-out requirement similar to FERPA.) So there is apparently no real conflict with FERPA; FERPA permits the disclosure of directory information without requiring consent when the student hasn’t opted-out, while the Solomon Amendment mandates the disclosure to the US Armed Forces Recruiting. However, FERPA does allow a school to have a more restrictive policy, and the Solomon Amendment appears to trump that. If a school refuses to permit such a disclosure, they will lose access to federal funds from the Departments of Defense, Labor, Health and Human Services, Homeland Security, and Education. However, Public Law 106-79, excludes Federal Student Aid from the limitation, so a failure to comply with the Solomon Amendment would not necessarily affect a school’s eligibility for federal student aid according to current law, although other US Department of Education grants might be affected. The financial aid office should forward all such requests to the school’s attorneys. (Enforcement of the Solomon Amendment is subject to ongoing litigation. The US Court of Appeals for the Third Circuit ruled on November 29, 2004 in FAIR et al. v Rumsfeld that colleges with policies that prohibit discrimination against gays and lesbians may bar military recruiters from their campuses without penalty because the armed forces discriminate against openly gay men and women. The ruling was focused on First Amendment issues, indicating that the Solomon Amendment would violate the Constitution’s guarantee of free speech. The Third Circuit Court of Appeals includes Delaware, New Jersey, Pennsylvania, and the Virgin Islands.)
FERPA does not apply to students who have been admitted but not yet enrolled. This can allow more open discussion of education records with prospective students. Once a student registers or begins attending classes, consent is required. FERPA also does not apply to records relating to alumni after they are no longer enrolled, provided that the records do not pertain to the alumni’s previous activities as a student.
Most third party disclosures of a student’s education records must be documented in the student’s file. The main exception is in response to an ex parte order.
Be careful about disclosing information over the telephone or email. Unless you’ve clearly authenticated the student’s identity (e.g., via a prearranged PIN or password), you have no way of knowing that you’re talking to the student. If it is merely someone pretending to be the student (e.g., a roommate, significant other, or relative), you’ve disclosed personally identifiable information without consent. Keep in mind that these individuals may know many of the identifiers you might ordinarily use to authenticate identity, such as date of birth, social security number, and mother’s maiden name, so those identifiers are insufficient to guarantee the privacy of the student’s information.
Even caller ID cannot be trusted, since it is relatively easy to spoof the caller ID. (The caller ID information provided to businesses in connection with a toll free number uses a different system that is much more difficult to spoof.) If you are going to disclose information over the telephone, only do so after you’ve called back the individual at a telephone number you have on file for them.
The informal nature of a telephone call makes it very easy to accidentally disclose information. Private investigators routinely use pretexting (pretending to be someone that they aren’t) and other techniques to extract information. For example, getting someone to correct an error is often used. They ask you “when did so and so graduate” and when you say “they haven’t graduated yet”, you just disclosed that they are a student.
It is also a good idea to establish disclosure rules governing who has access to review educational records, modify educational records, grant access to the records, and revoke access to the records. For example, even though the student make consent to disclosure to a third party, that third party then does not have the authority to redisclose that information or grant access to someone else to the records.
Leaving messages by telephone, email and fax are also potentially problematic, because you don’t know who has access to their voicemail or email account.
Except for the exceptions mentioned above, the school must obtain prior written consent from the student before making a disclosure of the student’s education records.
A school may release directory information to a collection agency in connection with collecting a delinquent student account, even if the student opted-out of the release of directory information. However, the school is liable for any failure by the collection agency to comply with FERPA.
If the student’s tuition is being paid by a third party (e.g., the student’s company is paying for his or her MBA degree), the school may not disclose the student’s financial aid information without consent. In particular, if a student who is not dependent according to IRS rules is receiving financial support from a parent, the parent does not have the right to see that student’s records without the student’s consent. It is generally a good idea to get the student to sign a FERPA waiver that specifies who may access their records.
A school may not release a list of the recipients to an award donor or other third party without prior written consent of the recipients unless the disclosure is necessary for verifying eligibility, selecting recipients (if the student applied for the award), disbursing the award, or otherwise part of the terms and conditions of the award. Even if disclosure is permitted, it is generally a good idea to specify on the award letter whether the school releases information about recipients to award donors, and to identify the information that is disclosed. Note that the school may not release a list of eligible students to the award donor to allow the award donor to select the recipients unless the students have applied for the award or have otherwise provided written consent to the disclosure. Likewise, the school may not publish a list of the recipients of an award without the students consent, unless the student applied for the award and such disclosure was included in the terms and conditions of the award.
FERPA prohibits posting lists of students with refund checks in the bursar’s office.
Computer screens that display educational records should not be visible from public areas, nor should such computers be left unsecured and unattended.
If the education records contain information about more than one student, each student may only see the part that relates to them. Generally, if allowing a student to review his or her education records would violate the privacy of a different student’s records, either the other student’s information must be redacted or consent must be obtained before disclosure.
Mailing labels for mailings to students should contain only the student’s name and address. FERPA prohibits including the student ID or Social Security Number on the label on envelope.
Since a Social Security Number represents non-directory information, a school may not use a Social Security Number to interface with databases maintained by third parties, as that would represent a disclosure of education records in violation of FERPA. To use a Social Security Number to index into a third party database, either the school must obtain the student’s consent or one of the exceptions to the consent requirements must apply (e.g., the third party is an authorized representative of the US Department of Education or the student’s lender/guarantor).
Since Social Security Numbers are education records that are personally identifiable, schools may not post lists containing Social Security Numbers, in whole or in part, in any public area. In particular, the practice of posting lists of grades in a class according to the last four digits of the students’ Social Security Numbers is prohibited by FERPA. Similar restrictions apply to the use of the student ID number. The professor may, however, assign each student a temporary number known only to the professor and the student for the purpose of posting grades.
FERPA prohibits telling anyone the student’s current location without the student’s consent, unless the student’s health or safety is in imminent danger or the health or safety of another student or member of the school community is in imminent danger. Schools should exercise care before disclosing the student’s current location, as often the person requesting the information does not have the right to that information and may be alleging an emergency in order to get access to that information. In most circumstances the situation can be resolved without disclosing the student’s current location.
Class rosters and class schedules are not considered directory information and may not be disclosed without consent. This is partly because of concerns about student safety and partly because they may lead to the indirect disclosure of sensitive information (e.g., enrollment in special education and remedial classes, student id numbers and social security numbers included on class rosters).
If the student is transferring to another school, the old school may provide the student’s educational records to the new school without consent, but must notify the student of the request for the records.
If a student is attending a school and applies to a different component of that school (e.g., an undergraduate applying to graduate school or to a different department), the student does not have the right to review the education records maintained by that component until the student is accepted and attends that component.
If the student signed a waiver of his right to see a letter of recommendation, the school may not disclose the letter of recommendation to the student. This includes letters of recommendation for employment and awards, in addition to letters of recommendation for admission. There is no defense of infancy with regard to such waivers. If the letter of recommendation was added to the student’s file before January 1, 1975, the school does not have to allow the student to review the letter even if the student did not sign a waiver.
Examples of personally identifiable information include the student’s name, the name of the student’s parents or other family members, the address of the student, the address of the student’s family members, social security numbers, student id numbers, a physical description or other personal characteristics that are easily traceable, and other information that would make the student’s identity easily traceable.
Personally identifiable information includes any single characteristic or combination of characteristics which would make it possible to identify the student. This includes any information which, when combined with an external database, would enable the identification of a particular student. All information which may be potentially traced to an individual student must be redacted. If no information is left after such information is removed, then no disclosure is permitted. As a general rule, anonymized data about individual students should not be disclosed, as the information is still potentially traceable. On the other hand, information may be released in statistical aggregate summaries so long as the cohorts are of sufficient size to prevent an individual student from being identified. It is common to perturb data in small data sets to prevent such disclosure, or to omit information in small data sets if the mere existence of the data set is problematic.
School disciplinary records are protected by FERPA and may not be disclosed without the student’s consent. The final result of a disciplinary proceeding, however, may be disclosed.
Confirming the accuracy or inaccuracy of information about a student represents a disclosure of information about the student, and so is prohibited by FERPA without the student’s consent. For example, it is a common reporter’s trick to make a statement of unknown accuracy about a subject in order to get a confirmation or a correction.
It is a good idea to have every student (and possibly also the parents) sign a document specifying the circumstances under which the school may disclose information to third parties and specifying what information may be released.
Colleges are able to withhold transcripts from students who owe them money. FERPA just requires that they have access to their records. FERPA does not require you to provide official certified copies of those records in most cases.
It is also a good idea to have all work-study students who have access to educational records in the course of their duties to sign a confidentiality agreement and undergo FERPA training. Some schools limit their access and prohibit them from making any disclosures of confidential information. If they receive a request for this information, ask them to always refer the matter to one of your permanent staff, and have that staff make the disclosure, if it is warranted. Besides allowing for the more seasoned judgment of permanent staff, this also gets a second set of eyes reviewing a request for confidential information.
If the financial aid office receives health records as part of a professional judgment review for medical expenses, it may also have to fulfill the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kassebaum-Kennedy Act. The Department of Health and Human Services (DHHS) has issued privacy regulations for medical records as part of the HIPAA requirements (see the HIPAA Privacy Rule).
Gramm Leach Bliley Act
The Gramm Leach Bliley Act, also known as the Financial Modernization Act of 1999, regulates the disclosure of non-public personal information held by financial institutions.
The Federal Trade Commission (FTC) has ruled that colleges and universities that offer education loans (e.g., Perkins and institutional loans) are subject to the provisions of the Gramm Leach Bliley Act. The FTC agreed in May 2000 to consider colleges and universities to be in compliance with the privacy provisions of the Act if they are in compliance with FERPA. In particular, 16 CFR 313.1 states that “Any institution of higher education that complies with the Federal Educational Rights and Privacy Act (“FERPA”), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution subject to the requirements of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.”. However, the schools remain subject to the provisions of the Act relating to the administrative, technical and physical safeguarding of customer information. For more information, see NACUBO’s report, Colleges and Universities Subject to New FTC Rules Safeguarding Customer Information (January 13, 2003). See also NACUBO’s GLB Act Resource Page.
Each school is required to have a written FERPA policy. Schools are allowed to have an educational records policy that is more stringent than FERPA. For example, even though FERPA allows one parent to see the information submitted by the other parent (e.g., for dependent students with divorced parents), most schools will require consent of the party that provided the information before disclosing it to the other parent or to the student.
In many cases the requirements of FERPA merely permit one to disclose information, but do not require it. For example, one is permitted to disclose directory information (except when the student has opted out), but is not required to disclose it. The main exception is the Solomon Amendment, which trumps FERPA. It is quite common for schools to define directory information to the full extent as specified by FERPA, but then to establish more restrictive institutional policies concerning disclosure of directory information. Using the maximal definition of directory information under FERPA establishes a safety net that protects the school in case an employee accidentally disclosed information that is contrary to the institution’s disclosure policy but which is within the safe harbors provided by FERPA.
Even directory information can cause harm to students, because it reveals that they are students. It is not uncommon for scholarship scams to rent lists of student names and addresses. Often this information is obtained by someone getting a copy of the university’s telephone directory.
The financial aid office may forward a letter to students on behalf of a university department that is not entitled to the student’s educational records (e.g., to notify Pell-eligible students about a new departmental need-based scholarship), so long as the educational records are not disclosed to the department. However, this can create the appearance of a FERPA violation, so the financial aid office should exercise caution before engaging in such a practice, take steps to mitigate the appearance of a violation (i.e., send the notice on financial aid office letterhead instead of forwarding the other department’s letter), and get approval of the school’s FERPA compliance officer before proceeding.
It’s generally a good idea to go beyond the requirements of FERPA. Consider the sensitive nature of the information. You are protecting not just the student’s name and GPA, but also income and asset information. How would you feel if this was your information that was disclosed without your consent? Establishing strong protections for student records is often easy to implement and is just the right thing to do. It avoids future problems, such as the potential for bad publicity associated with questionable disclosures. How would you feel if a student was stalked, raped or murdered because of your disclosure?
Financial aid offices should apply careful scrutiny to any request that is unrelated to eligibility for student aid, the application for student aid, enforcing the terms and conditions of student aid, or the provision of directory information. Be especially wary of any information that can be combined with other information to reveal private information.
Some colleges have created training videotapes to help educate staff about FERPA. These include the following:
Legislative Authority, Regulations and Published Guidance
The Family Educational Rights and Privacy Act of 1974 (FERPA), also known as the Buckley Amendment, appears in 20 USC Ch. 31, Sect. 1232g. Regulations relating to FERPA appear in 34 CFR 99 (alternate).
The US Department of Education has published a set of guidelines to help schools develop policies and procedures relating to FERPA, Protecting the Privacy of Student Records: Guidelines for Education Agencies, US Department of Education, NCES 97-527, July 1997. Please note that this document was published in July 1997, and has not been updated for changes in the law since then. More up-to-date information can be found in the FSA Handbook (Volume 2, Chapter 7 “Consumer Information” and Volume 2, Chapter 8 “Recordkeeping and Disclosure”), which can be found on the IFAP web site. See also Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies, National Forum on Education Statistics, NCES 2004-330, March 2004.
FERPA is managed within the Family Policy Compliance Office of the US Department of Education. They are the definitive source of FERPA regulations and guidance concerning FERPA. For more information, call 1-202-260-3887 (TDD 1-800-877-8339), fax 1-202-260-9001, write to Family Policy Compliance Office, US Department of Education, 400 Maryland Avenue, SW, Washington, DC 20202-5901, or send email to firstname.lastname@example.org.