What are "Education Records" under FERPA?
Generally, the Family Educational Rights and Privacy Act (FERPA) requires written consent from parents or “eligible students” (students who are at least 18 years of age or attending a postsecondary institution) in order to release personally identifiable information (PII) from education records. In the absence of the written consent, FERPA permits an educational agency or institution to disclose PII from an education record of a student if the disclosure meets one or more of the “exemptions” outlined in 20 U.S.C. § 1232g(b) and (h) – (j) and 34 CFR § 99.31. Please see the Department of Education’s Privacy Technical Assistance Center (PTAC) summary of the four most commonly used exceptions to the FERPA written consent requirement. FERPA is a regulation that schools or educational institutions that receive federal funding from the Department of Education must comply with (as opposed to companies).
We can’t provide you any legal advice, nor are we providing legal advice with these FERPA “tips”. Additionally, this isn’t legally binding and nothing in these “tips” guarantees your compliance with FERPA, but we hope it’s a helpful, clear guidepost!
An “education record” (K-12) under FERPA is defined as follows:
Education Records are those records, files, documents, and other materials which (i) contain information directly related to a student; and (ii) are maintained by an educational agency or institution or by a person acting for such agency or institution.
The term "education records" does not include:
(i) records of instructional, supervisory, and administrative personnel and educational personnel ancillary thereto which are in the sole possession of the maker thereof and which are not accessible or revealed to any other person except a substitute;
(ii) records maintained by a law enforcement unit of the educational agency or institution that were created by that law enforcement unit for the purpose of law enforcement;
(iii) in the case of persons who are employed by an educational agency or institution but who are not in attendance at such agency or institution, records made and maintained in the normal course of business which relate exclusively to such person in that person’s capacity as an employee and are not available for use for any other purpose; or
(iv) records on a student who is eighteen years of age or older, or is attending an institution of post-secondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice
NOTE: student information that has been properly de-identified or that is shared under the "directory information" exception, is not protected by FERPA, and thus is not subject to FERPA’s use and re-disclosure limitations.
What is "Directory Information" under FERPA?
Directory information means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.
Directory information includes, but is not limited to, the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.
Directory information does not include a student's:
Social security number; or
Student identification (ID) number, except as provided in paragraph (c) of this definition.
In accordance with paragraphs (a) and (b) of this definition, directory information includes:
A student ID number, user ID, or other unique personal identifier used by a student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a personal identification number (PIN), password or other factor known or possessed only by the authorized user; and
A student ID number or other unique personal identifier that is displayed on a student ID badge, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a PIN, password, or other factor known or possessed only by the authorized user.
NOTE: student information that has been shared under the "directory information" exception, is not protected by FERPA, and thus is not subject to FERPA’s use and re-disclosure limitations.
For additional resources on FERPA, please see: