Skip Utility Navigation
Skip Main Navigation

Information Sharing: Family Educational Rights and Privacy Act (FERPA)

What Is FERPA?

FERPA is a federal law that protects the privacy of student education records. The law applies to all educational agencies and institutions that receive funds under any U.S. Department of Education program (termed “institutions”). FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.” The Family Policy Compliance Office at the U. S. Department of Education administers FERPA.

FERPA protects the rights of eligible students to:

For a thorough review of FERPA please see the implementing regulations for FERPA found in Title 34 of the Code of Federal Regulations (CFR), part 99 available at http://www.ecfr.gov

What are “Education Records?”

Different types of records and information may be protected by FERPA if that information constitutes PII from “education records.” Education records are protected by FERPA and are broadly defined as records that are directly related to a student and maintained by an institution, or by a party acting for the institution.

The non-exhaustive chart shows several examples of what types of records generally are and are not considered to be education records.

Education Records Not Education Records
Transcripts Records that are kept in the sole possession of the maker and used only as personal memory aids
Disciplinary records Law enforcement unit records
Immunization and other health records, unless the records meet the exclusion for “treatment records” under FERPA Records made or maintained by a physician or other medical professional used only in connection with treatment of the student (“treatment records”)
Records on services and accommodations provided to students under Section 504 of the Rehabilitation Act of 1973, and Title II and Title III of the ADA Records created or received by an institution after an individual is no longer in attendance and that are not directly related to the individual’s attendance at the institution
Records on a student who is employed as a result of his or her status as a student (i.e.,work-study) Grades on peer-graded papers before they are collected and recorded by an instructor
Information obtained through a school official’s personal knowledge or observation and not from the student’s education records
Employment records (unless the individual is employed as a result of his or her status as a student)

Additionally, records created and maintained by the institution’s law enforcement unit are not likely to fall into the protected definition of “education records.” See the discussion under “Balancing Safety and Privacy” for more detail on law enforcement units under FERPA, what constitutes a law enforcement unit record, and how these records may be used.

Treatment records are also not considered to be education records. The term “treatment records” generally applies to records involving students who are at least 18 years old or who are attending an institution of postsecondary education, and means records that are

Treatment does not include remedial educational activities or activities that are part of the program of instruction at the institution. In a college setting, treatment records typically include those created and maintained at the campus health clinic.

Who May Access FERPA-Protected Education Records?

“School officials with a legitimate educational interest” may access FERPA-protected education records. Institutions determine the criteria for who is considered a school official with a legitimate educational interest under FERPA regulations. In a postsecondary context, there is a wide variety of individuals in different functions at the institution who could meet this definition. For example, faculty, administrators, and support staff, including law enforcement unit personnel, health center personnel, students serving on an official committee, the board of trustees, and others could be considered school officials with a legitimate educational interest.

The term “school official with a legitimate educational interest” may also include contractors, consultants, volunteers, and other parties if those individuals

In addition, institutions must notify eligible students of their rights under FERPA, and must include in this notification the criteria for who constitutes an IHE official and what constitutes a legitimate educational interest. The U.S. Department of Education provides model notification statements on its website at "http://www2.ed.gov/policy/gen/guid/fpco/FERPA/ps-officials.html".11

This means that if an institution wishes to consider non-employee members of its threat assessment team, its contracted counseling, nursing, service, or security staff, campus safety officials, and other non-employees as “school officials” who may have access to education records, the institution must ensure that these individuals meet the criteria in the bullets above and the criteria in the IHE’s annual notification of FERPA rights.

Parents of an eligible student may, in some cases and at the discretion of the institution, access FERPA-protected records. When a student turns 18 years old or enters a postsecondary institution, all rights afforded to parents under FERPA transfer to the student (the “eligible student”). However, institutions may – but are not required to – share information from an eligible student’s records with parents, without the eligible student’s consent, if an exception to the general requirement of consent is applicable, such as

Balancing Safety and Privacy

Postsecondary institution officials must balance safety interests and student privacy interests. FERPA contains exceptions to the general consent requirement, including the “health or safety emergency exception,” and exceptions to the definition of education records, including “law enforcement unit records,” which provide school officials with tools to support this goal.

The Health or Safety Emergency Exception to the Consent Requirement

FERPA generally requires written consent before the IHE may disclose PII from the student’s education records. However, the FERPA regulations permit IHE officials to disclose PII from education records without consent to appropriate parties only when there is an actual, impending, or imminent emergency, such as an articulable and significant threat. Information may be disclosed only to protect the health or safety of students or other individuals. In applying the health and safety exception, note that:

The U.S. Department of Education would not find an institution in violation of FERPA for disclosing FERPA-protected information under the health or safety exception as long as the institution had a rational basis, based on the information available at the time, for making its determination that there was an articulable and significant threat to the health or safety of the student or other individuals.

For more information on the health and safety exception, see Addressing Emergencies on Campus, June 2011, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/emergency-guidance.pdf and see 34 CFR §§ 99.31(a)(10) and 99.36 available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf and http://www.ecfr.gov.

The Law Enforcement Unit Records Exemption to the Definition of Education Records

FERPA defines a “law enforcement unit” as any individual, office, department, division, or other component of an educational agency or institution, such as a unit of commissioned police officers or non-commissioned security guards, that is officially authorized or designated by that agency or institution to

  1. Enforce any local, state, or federal law, or refer to appropriate authorities a matter for enforcement any local, states, or federal law against any individual or organization other than the agency or institution itself; or
  2. Maintain the physical security and safety of the institution.

Significantly, to be considered a “law enforcement unit” under this definition, an individual or component must be officially authorized or designated to carry out the functions listed above by the institution. IHEs may designate a traditional law enforcement entity (such as a campus safety department, campus police officer, or other IHE security personnel), or opt to designate another non-law-enforcement school official to serve as their law enforcement unit, such as a provost or other school official.

FERPA does not prevent institutions from disclosing information from records maintained by the law enforcement unit were created for law enforcement purposes by the law enforcement unit to anyone, subject to state law, including outside law enforcement authorities, without the consent of the eligible student during an emergency or otherwise.

Law enforcement unit records, which are not subject to the FERPA consent requirements, are defined as records that are

Law enforcement unit records do NOT include

In designating a law enforcement unit and using law enforcement unit records, note that

For more information on law enforcement unit records and FERPA, refer to the following sources:

“Addressing Emergencies on Campus,” June 2011, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/emergency-guidance.pdf

The discussion in the preamble to the final rule in the Federal Register published Dec. 9, 2008, starting on page 74,815 addresses law enforcement unit records and starting on page 74,834, discusses FERPA (available at http://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf)

The Family Policy Compliance Office website at http://www.ed.gov/policy/gen/guid/fpco/index.html

The regulatory definition of “Law Enforcement Unit” under FERPA in 34 CFR § 99.8(a) available at "http://www.ecfr.gov.

Common FERPA Misunderstandings

Institutional administrators and their partner organizations must understand FERPA and its implications because misinterpretations of the law and subsequent delays in information sharing can hinder first responders’ efforts to provide necessary assistance in a health or safety emergency.

Sharing Personal Observation or Knowledge

Misinterpreting FERPA can lead institutional administrators to miss opportunities to share crucial information that could prevent an emergency situation. For instance, some institutions incorrectly believe that information obtained from a school official’s personal observations or knowledge is protected by FERPA. In fact, personal observation or knowledge is generally not considered to be part of the student’s education records (see “What Are Education Records” ) and therefore may be disclosed. For example, if a faculty member overhears a student making threatening remarks to other students or is concerned after having a discussion with a student that the student may be violent, the faculty member is not prohibited from sharing that information with appropriate authorities, including the parents of the students who were threatened and the student’s parents. While FERPA would not prohibit the sharing of such information with others, there may be state laws or institutional policies and procedures that would preclude the faculty member from sharing the information.

However, if a school official learns of information about a student through his or her official role in creating or maintaining an education record, then that information would be covered by FERPA. For instance, if an institutional disciplinary panel takes action against a student, then an individual serving on the panel would not be permitted to non-consensually disclose that information because he or she gained personal knowledge of that information in making the disciplinary determination and the determination is maintained in an education record.

The Clery Act’s Timely Warning Requirement and FERPA

The Clery Act requires institutions to, among other things, give timely warnings of crimes that represent a threat to the safety of students or employees . These warnings are intended to enable members of the campus community to protect themselves. While the Clery Act does not specify what information should be included in a timely warning,12 it should include all information that would promote safety and that would aid in the prevention of similar crimes. Institutions often incorrectly believe that FERPA conflicts with this timely warning requirement. It does not. FERPA allows the release of PII from education records in the case of an emergency without consent when needed to protect the health and safety of others. In addition, if institutions utilize the law enforcement unit records of a campus law enforcement unit to issue a timely warning, FERPA is irrelevant as those records are not protected by FERPA. (See Clery Act, 20 U.S.C. §1092(f)13, with implementing regulations at 34 CFR § 668.4614.)

Releasing Directory Information

In some circumstances, institutions may be able to disclose “directory information” to prevent an emergency situation. Directory information means information contained in a student’s education record that would not generally be considered harmful or an invasion of privacy if disclosed. Some examples of directory information include a student’s name, address, telephone number, or e-mail address. Institutions must follow certain requirements in publicly designating “directory information,” and they may not disclose directory information from a student’s education record if the eligible student has opted out of allowing that disclosure. (See 34 CFR §99.37.) For example, an institution could disclose properly designated directory information to first responders for emergency-preparedness exercises if the eligible students have not opted out of the disclosure.

Additional Situations with FERPA Considerations

FERPA has implications in a variety of different situations, and new questions arise as institutions become more creative and innovative in developing their campus safety plans. In many cases, however, it is helpful to review the FERPA basics to help you clearly think through each scenario. Following are some scenarios that may arise.

Incorporating FERPA into Your Emergency Planning Process

There are critical questions and concepts that institutions should discuss with their community partners (e.g., first responders, emergency managers, public and mental health officials) while in the process of developing or revising an emergency management plan. While building partnerships is critical, in gathering information to support these partnerships, institutions must also take steps to balance student privacy with their mission of safety.

What Information is FERPA-Protected, and When May the Institution Share It?

Education records are protected by FERPA, and institutions may generally disclose PII from those records only with written consent from an eligible student, unless a FERPA exception to consent applies. (See “What Are ‘Education Records’”.) The following are examples of how FERPA would apply in a variety of situations.

What Information Is Not FERPA-Protected, and When May the IHE Share It?

Records that are created and maintained by an IHE’s law enforcement unit for law enforcement purposes are not protected by FERPA, and there are no FERPA restrictions on the sharing of information in law enforcement unit records. (See “What Are ‘Education Records’?” and “Balancing Safety and Privacy”.)

Are Processes and Protocols, Including Memoranda of Understanding (MOUs), in Place for Information Sharing and Record Keeping That Comply With FERPA?

It is important for institutions to consider entering into MOUs with law enforcement officials and their other community partners to formalize roles, responsibilities, and protocols. MOUs can be tailored to the needs of the individual campuses in the jurisdiction. Any policies regarding information sharing between the institution and the law enforcement agency, however, must comply with applicable federal, state, and local laws, including FERPA. While information-sharing MOUs should be developed regarding what information can be shared between departments and what information is protected, no provision in an MOU can override an IHE’s obligations under FERPA.

Frequently Asked Questions Pertaining to FERPA

Q: To what entities does FERPA apply?

A: FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes virtually all public schools and school districts, and most private and public postsecondary institutions, including medical and other professional institutions.

Q: Does an interagency agreement with partners such as the state or local health department enable an institution to non-consensually disclose education records?

A: No. Interagency agreements do not supersede the consent requirements under FERPA. Although an interagency agreement would be a helpful tool for planning purposes, institutions must comply with FERPA’s requirements regarding the disclosure of PII from students’ education records.

Q: Under the health and safety emergency exception, may an IHE non-consensually disclose PII from education records to the media?

A: No. You generally may not disclose FERPA-protected information to the media, unless the PII disclosed is directory information on eligible students who have not opted out. While the media play a role in alerting the community of a health epidemic or violent incident, they do not generally have a role in protecting the health or safety of individual students or others at the institution.

Q: When would the health or safety exception apply?

A: Under FERPA, an emergency means a situation in which there is an articulable and significant threat to the health or safety of students or other individuals. This determination must be made by the institution.

Q: Do I need to tell eligible students or otherwise document when I have disclosed information from their education records without consent under a health or safety emergency or other exception?

A: When an educational agency or institution makes a disclosure under this exception, an institution must record in the student’s education records the articulable and significant threat that formed the basis for the disclosure, and the parties to whom the information was disclosed. Eligible students have a right to inspect and review the record of disclosure but do not need to be proactively informed that records have been disclosed.

Q: Can members of our TAT have access to student education records?

A: School officials with legitimate educational interests may have access to a student’s education records. Members of a TAT who are not an institution’s employees may be designated as such if they are under the direct control of the institution with respect to the maintenance and use of PII from education records; are subject to the requirements of 34 CFR § 99.33(a) governing the use and redisclosure of PII from education records; and otherwise meet the IHE’s criteria for being school officials with legitimate educational interests.

Members of a TAT who are considered school officials with a legitimate educational interest generally cannot non-consensually redisclose PII from a student’s education records to which he or she was privy as part of the team. However, if a TAT determines that a health or safety emergency exists, as defined under FERPA, members may non-consensually redisclose PII from a student’s education records on behalf of the institution to appropriate officials under the health or safety emergency exception.

For example, a representative from the city police force who serves on an IHE’s TAT generally could not redisclose, without consent, PII from the student’s education records to the city police during the initial discussions about a particular student. However, once the TAT determines that a health or safety emergency exists, as defined under FERPA, the representative may redisclose, without consent, PII from a student’s education records on behalf of the institution to appropriate officials. (See the discussion under “Additional Situations with FERPA Considerations”.)

Q: How does FERPA interact with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?

A: The U.S. Department of Education and the U.S. Department of Health and Human Services (HHS) jointly developed guidance on the application of FERPA and HIPAA. This guidance explains that records that are protected by FERPA are exempt from the HIPAA Privacy Rule. Accordingly, school officials must follow the requirements of FERPA with regard to the disclosure of records protected by FERPA. For more information, please see the guidance at http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf.

Q: What are some of the other federal and states laws that are relevant to the access and sharing of information about students that relate to emergency management planning?

A: IHEs may also be subject to federal and state civil rights laws that protect the disclosure of information about students. IHEs and their community partners should review guidance from the U.S. Departments of Education and Justice on any applicable civil rights or other statutes governing privacy and information sharing, and discuss their implications for emergency management and related planning processes. At a minimum, in determining what constitutes an “emergency,” IHEs and their community partners must base their decisions on actual risks and not on assumptions, stereotypes, fears, or myths about people with disabilities (including mental health-related disabilities) or people of a particular race, color, ethnicity, national origin, religion, sex, sexual identity, or gender identification.16,17

Q: Whom should I contact for more information related to FERPA?

A: The U.S. Department of Education’s Family Policy Compliance Office is available to respond to any questions about FERPA. For quick responses to routine questions, please e-mail the U.S. Department of Education at FERPA@ed.gov. For more in-depth technical assistance or a more formal response, you may call the Family Policy Compliance Office at 202-260-3887 or write to them at

Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue SW
Washington, DC 20202-8520

In addition, please see the U.S. Department of Education’s website at http://www2.ed.gov/policy/gen/guid/fpco/index.html for the most recent guidance.

FERPA Guidance and Resources

The Family Policy Compliance Office (FPCO) at the U. S. Department of Education administers FERPA. FPCO has developed, and continues to develop, extensive guidance pertaining to the implementation of FERPA and emergency situations. For more detailed information or additional guidance, please see the FPCO website at www.ed.gov/fpco. In addition, please see the Navigating Information Sharing Toolkit, developed by the National Center for Mental Health Promotion and Youth Violence Prevention, at http://sshs.promoteprevent.org/nis

10Under FERPA, “personally identifiable information” is a term that includes, but is not limited to the student’s name; the name of the student’s parent or other family members; the address of the student or student’s family, a personal identifier, such as the student’s social security number, student number, or biometric record; other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name; other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or information requested by a person who the educational agency reasonably believes knows the identity of the student to whom the education record relates. (See 34 CFR 99.3.)

11 See 34 CFR § 99.7(a)(3)(iii) for further information. Available at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=ea1af3867103d06eb14b239518b24822&rgn=div8&view=text&node=34:1.1.1.1.33.1.132.7&idno=34/.

12Beginning in March 2014, the Clery Act will prohibit the release of victims’ names in timely warning notifications and crime logs.

1320. U.S.C. 1092(f)is available at http://www.gpo.gov/fdsys/pkg/USCODE-2011-title20/html/USCODE-2011-title20-chap28-subchapIV-partF-sec1092.htm

1434 CFR § 668.46 is available at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=676893907309b77d0c88954dcce41914&rgn=div8&view=text&node=34:3.1.3.1.34.4.39.6&idno=34

15Please note that civil rights laws may apply. For instance, Section 504 of the Rehabilitation Act prohibits pre-admission inquiries about an applicant’s disability. See 34 CFR § 104.42(b)(4) available at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=ec9ff20a16040ddc021d2d0b60f6f668&rgn=div8&view=text&node=34:1.2.1.1.3.5.132.2&idno=34.

16See Title 28 of the Code of Federal Regulations, Section 35.139 available at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=c6b7e6addf8451d18de7740dffed1706&rgn=div8&view=text&node=28:1.0.1.1.36.2.32.10&idno=28.

17In enacting ADA, Congress relied on School Board of Nassau County, Florida v. Arline, 480 U.S. 273, 284 (1987) to “acknowledge[] that society’s accumulated myths and fears about disability and disease are as handicapping as are the physical limitations that flow from actual impairment.” As explained in the preamble to the U.S. Department of Justice’s 1991 ADA regulation, codification of the Arline standard was deemed essential if the ADA is to achieve its goal of protecting disabled individuals from discrimination based on prejudice, stereotypes, or unfounded fear, while giving appropriate weight to legitimate concerns, such as the need to avoid exposing others to significant health and safety risks. See 28 C.F.R. pt. 36, app. C, sec. 36.208 available at http://www.ecfr.gov This rationale applies with equal force to making determinations based on stereotypes about other characteristics protected by Titles IV and VI of the Civil Rights Act of 1964.