FERPA is a federal law that protects the privacy of student education records. The law applies to all educational agencies and institutions that receive funds under any U.S. Department of Education program (termed “institutions”). FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.” The Family Policy Compliance Office at the U. S. Department of Education administers FERPA.
FERPA protects the rights of eligible students to:
For a thorough review of FERPA please see the implementing regulations for FERPA found in Title 34 of the Code of Federal Regulations (CFR), part 99 available at http://www.ecfr.gov
Different types of records and information may be protected by FERPA if that information constitutes PII from “education records.” Education records are protected by FERPA and are broadly defined as records that are directly related to a student and maintained by an institution, or by a party acting for the institution.
The non-exhaustive chart shows several examples of what types of records generally are and are not considered to be education records.
|Education Records||Not Education Records|
|Transcripts||Records that are kept in the sole possession of the maker and used only as personal memory aids|
|Disciplinary records||Law enforcement unit records|
|Immunization and other health records, unless the records meet the exclusion for “treatment records” under FERPA||Records made or maintained by a physician or other medical professional used only in connection with treatment of the student (“treatment records”)|
|Records on services and accommodations provided to students under Section 504 of the Rehabilitation Act of 1973, and Title II and Title III of the ADA||Records created or received by an institution after an individual is no longer in attendance and that are not directly related to the individual’s attendance at the institution|
|Records on a student who is employed as a result of his or her status as a student (i.e.,work-study)||Grades on peer-graded papers before they are collected and recorded by an instructor|
|Information obtained through a school official’s personal knowledge or observation and not from the student’s education records|
|Employment records (unless the individual is employed as a result of his or her status as a student)|
Additionally, records created and maintained by the institution’s law enforcement unit are not likely to fall into the protected definition of “education records.” See the discussion under “Balancing Safety and Privacy” for more detail on law enforcement units under FERPA, what constitutes a law enforcement unit record, and how these records may be used.
Treatment records are also not considered to be education records. The term “treatment records” generally applies to records involving students who are at least 18 years old or who are attending an institution of postsecondary education, and means records that are
Treatment does not include remedial educational activities or activities that are part of the program of instruction at the institution. In a college setting, treatment records typically include those created and maintained at the campus health clinic.
“School officials with a legitimate educational interest” may access FERPA-protected education records. Institutions determine the criteria for who is considered a school official with a legitimate educational interest under FERPA regulations. In a postsecondary context, there is a wide variety of individuals in different functions at the institution who could meet this definition. For example, faculty, administrators, and support staff, including law enforcement unit personnel, health center personnel, students serving on an official committee, the board of trustees, and others could be considered school officials with a legitimate educational interest.
The term “school official with a legitimate educational interest” may also include contractors, consultants, volunteers, and other parties if those individuals
In addition, institutions must notify eligible students of their rights under FERPA, and must include in this notification the criteria for who constitutes an IHE official and what constitutes a legitimate educational interest. The U.S. Department of Education provides model notification statements on its website at "http://www2.ed.gov/policy/gen/guid/fpco/FERPA/ps-officials.html".11
This means that if an institution wishes to consider non-employee members of its threat assessment team, its contracted counseling, nursing, service, or security staff, campus safety officials, and other non-employees as “school officials” who may have access to education records, the institution must ensure that these individuals meet the criteria in the bullets above and the criteria in the IHE’s annual notification of FERPA rights.
Parents of an eligible student may, in some cases and at the discretion of the institution, access FERPA-protected records. When a student turns 18 years old or enters a postsecondary institution, all rights afforded to parents under FERPA transfer to the student (the “eligible student”). However, institutions may – but are not required to – share information from an eligible student’s records with parents, without the eligible student’s consent, if an exception to the general requirement of consent is applicable, such as
Postsecondary institution officials must balance safety interests and student privacy interests. FERPA contains exceptions to the general consent requirement, including the “health or safety emergency exception,” and exceptions to the definition of education records, including “law enforcement unit records,” which provide school officials with tools to support this goal.
FERPA generally requires written consent before the IHE may disclose PII from the student’s education records. However, the FERPA regulations permit IHE officials to disclose PII from education records without consent to appropriate parties only when there is an actual, impending, or imminent emergency, such as an articulable and significant threat. Information may be disclosed only to protect the health or safety of students or other individuals. In applying the health and safety exception, note that:
The U.S. Department of Education would not find an institution in violation of FERPA for disclosing FERPA-protected information under the health or safety exception as long as the institution had a rational basis, based on the information available at the time, for making its determination that there was an articulable and significant threat to the health or safety of the student or other individuals.
For more information on the health and safety exception, see Addressing Emergencies on Campus, June 2011, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/emergency-guidance.pdf and see 34 CFR §§ 99.31(a)(10) and 99.36 available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/ferparegs.pdf and http://www.ecfr.gov.
FERPA defines a “law enforcement unit” as any individual, office, department, division, or other component of an educational agency or institution, such as a unit of commissioned police officers or non-commissioned security guards, that is officially authorized or designated by that agency or institution to
Significantly, to be considered a “law enforcement unit” under this definition, an individual or component must be officially authorized or designated to carry out the functions listed above by the institution. IHEs may designate a traditional law enforcement entity (such as a campus safety department, campus police officer, or other IHE security personnel), or opt to designate another non-law-enforcement school official to serve as their law enforcement unit, such as a provost or other school official.
FERPA does not prevent institutions from disclosing information from records maintained by the law enforcement unit were created for law enforcement purposes by the law enforcement unit to anyone, subject to state law, including outside law enforcement authorities, without the consent of the eligible student during an emergency or otherwise.
Law enforcement unit records, which are not subject to the FERPA consent requirements, are defined as records that are
Law enforcement unit records do NOT include
In designating a law enforcement unit and using law enforcement unit records, note that
For more information on law enforcement unit records and FERPA, refer to the following sources:
“Addressing Emergencies on Campus,” June 2011, available at http://www2.ed.gov/policy/gen/guid/fpco/pdf/emergency-guidance.pdf
The discussion in the preamble to the final rule in the Federal Register published Dec. 9, 2008, starting on page 74,815 addresses law enforcement unit records and starting on page 74,834, discusses FERPA (available at http://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf)
The Family Policy Compliance Office website at http://www.ed.gov/policy/gen/guid/fpco/index.html
The regulatory definition of “Law Enforcement Unit” under FERPA in 34 CFR § 99.8(a) available at "http://www.ecfr.gov.
Institutional administrators and their partner organizations must understand FERPA and its implications because misinterpretations of the law and subsequent delays in information sharing can hinder first responders’ efforts to provide necessary assistance in a health or safety emergency.
Misinterpreting FERPA can lead institutional administrators to miss opportunities to share crucial information that could prevent an emergency situation. For instance, some institutions incorrectly believe that information obtained from a school official’s personal observations or knowledge is protected by FERPA. In fact, personal observation or knowledge is generally not considered to be part of the student’s education records (see “What Are Education Records” ) and therefore may be disclosed. For example, if a faculty member overhears a student making threatening remarks to other students or is concerned after having a discussion with a student that the student may be violent, the faculty member is not prohibited from sharing that information with appropriate authorities, including the parents of the students who were threatened and the student’s parents. While FERPA would not prohibit the sharing of such information with others, there may be state laws or institutional policies and procedures that would preclude the faculty member from sharing the information.
However, if a school official learns of information about a student through his or her official role in creating or maintaining an education record, then that information would be covered by FERPA. For instance, if an institutional disciplinary panel takes action against a student, then an individual serving on the panel would not be permitted to non-consensually disclose that information because he or she gained personal knowledge of that information in making the disciplinary determination and the determination is maintained in an education record.
The Clery Act requires institutions to, among other things, give timely warnings of crimes that represent a threat to the safety of students or employees . These warnings are intended to enable members of the campus community to protect themselves. While the Clery Act does not specify what information should be included in a timely warning,12 it should include all information that would promote safety and that would aid in the prevention of similar crimes. Institutions often incorrectly believe that FERPA conflicts with this timely warning requirement. It does not. FERPA allows the release of PII from education records in the case of an emergency without consent when needed to protect the health and safety of others. In addition, if institutions utilize the law enforcement unit records of a campus law enforcement unit to issue a timely warning, FERPA is irrelevant as those records are not protected by FERPA. (See Clery Act, 20 U.S.C. §1092(f)13, with implementing regulations at 34 CFR § 668.4614.)
In some circumstances, institutions may be able to disclose “directory information” to prevent an emergency situation. Directory information means information contained in a student’s education record that would not generally be considered harmful or an invasion of privacy if disclosed. Some examples of directory information include a student’s name, address, telephone number, or e-mail address. Institutions must follow certain requirements in publicly designating “directory information,” and they may not disclose directory information from a student’s education record if the eligible student has opted out of allowing that disclosure. (See 34 CFR §99.37.) For example, an institution could disclose properly designated directory information to first responders for emergency-preparedness exercises if the eligible students have not opted out of the disclosure.
FERPA has implications in a variety of different situations, and new questions arise as institutions become more creative and innovative in developing their campus safety plans. In many cases, however, it is helpful to review the FERPA basics to help you clearly think through each scenario. Following are some scenarios that may arise.
Under the health or safety emergency exception, school officials may, without consent, disclose PII from education records to appropriate parties in connection with an emergency. In the case of an influenza outbreak, for instance, if an institution’s officials determine that an emergency exists, they may share immunization records with parties, such as state and local public health officials, whose knowledge of the information is necessary to protect the health or safety of students or others in the campus community. Under this exception, institutions may share information only during the limited period of time connected with the emergency. A blanket release of information is not allowed. You must instead determine what information to disclose on a case-by-case basis depending on the particular threat.
Some institutions may need assistance in determining whether a health or safety emergency exists for purposes of complying with FERPA. Federal agencies encourage institutions to implement a threat assessment program, including the establishment of a multi-disciplinary threat assessment team (TAT) that utilizes the expertise of representatives from mental health service providers, persons familiar with emergency procedures, and law enforcement agencies in the community, as well as from the major areas of the institutions, such as student affairs, academic affairs, the campus security department, and other appropriate professionals.
The TAT must comply with applicable civil rights and other federal and state laws. Under a properly implemented threat assessment program, IHEs can respond to student behavior that raises safety concerns that is not based on assumptions, stereotypes, or myths about people with disabilities (including mental health-related disabilities) and people of a particular race, color, ethnicity, national origin, religion, or sex.
If a TAT member meets the definition of an official of the institution (as a party to whom the IHE has outsourced administrative functions or services) with a legitimate educational interest under FERPA, (see “Who May Access FERPA-Protected Education Records” above), then he or she would be able to access students’ education records in which he or she has legitimate educational interests. A TAT member, however, may not disclose PII from education records to anyone without consent or unless one of the exceptions to consent under FERPA, such as the health or safety emergency exception, applies.
Institutions are increasingly using security cameras as a tool to monitor and improve student safety. Images of students captured on security videotapes that are created and maintained by the IHE’s law enforcement unit for a law enforcement purpose, are not considered education records under FERPA. Accordingly, these videotapes may be shared with outside authorities, such as local law enforcement authorities, as appropriate.
FERPA permits school officials to disclose any and all education records, including disciplinary records, to another institution at which the student seeks or intends to enroll.15 While student consent is not required for transferring education records in this scenario, the institution’s annual FERPA notification should indicate that such disclosures are made. In the absence of information about disclosures in the annual FERPA notification, school officials must make a reasonable attempt to notify the student about the disclosure, unless the student initiates the disclosure. Additionally, upon request, the institution must provide a copy of the information disclosed and an opportunity for a hearing to address information the student believes to be inaccurate, misleading, or in violation of the student’s rights of privacy.
Postsecondary institutions that provide health or medical services to students may disclose an eligible student’s treatment records to health care professionals who are providing treatment to the student, including health care professionals who are not part of or not acting on behalf of the institution (i.e., third-party providers), as long as the information is being disclosed only for the purpose of providing treatment to the student. In addition, an eligible student’s treatment records may be disclosed to a third-party provider when the student has requested that his or her records be reviewed by a physician or other appropriate professional of the student’s choice.
While, by definition, treatment records are not available to anyone other than professionals providing treatment to the student, this does not prevent an institution from disclosing these records for other purposes. However, once such a disclosure is made, the treatment records are no longer excluded from the definition of “education records” and are subject to all of the FERPA requirements as “education records” under FERPA. For example, if the institution chooses to do so, it may make a disclosure to the eligible student’s parents, under one of the exceptions to the general consent requirement. The records may also be disclosed to appropriate parties in connection with a health or safety emergency.
FERPA permits institutions to comply with information requests from the U.S. Department of Homeland Security (DHS), U.S. Immigration and Customs Enforcement (ICE) in order to comply with the requirements of SEVIS. Officials who have specific questions about this and other matters involving international students should contact the U.S. Department of Education’s Family Policy Compliance Office at 400 Maryland Avenue SW, Washington, DC 20202-8520 or by calling 1-800-872-5327 (1-800-USA-LEARN).
While student disciplinary records are protected as education records under FERPA, there are certain circumstances in which specified information contained in disciplinary records may be disclosed without the student’s consent. Under the Clery Act, an IHE must disclose to the accuser and the accused the outcome of an institutional disciplinary proceeding alleging a sex offense. For this purpose, the outcome of a disciplinary hearing means the institution’s final determination with respect to the alleged sex offense and any sanction imposed against the accused. The final results must include the name of the alleged perpetrator, the violation committed, and any sanction imposed by the institution against the alleged perpetrator. An institution may disclose to anyone—not just the victim—the final results of a disciplinary proceeding, if it determines that the student is an alleged perpetrator of a crime of violence or non-forcible sex offense, and with respect to the allegation made against him or her, the student has committed a violation of the institution's rules or policies.
The Clery Act, as amended, requires postsecondary institutions that maintain on-campus student housing facilities to establish, for students who reside in on-campus student housing, a missing student notification policy that includes notifying students that they may register “confidential” contact information for an individual to be contacted if the student is determined to be missing. Although missing student contact information would be considered PII from a student’s education records under FERPA, under the Higher Education Act, only authorized campus officials and law enforcement officers in furtherance of a missing person investigation may have access to this confidential contact information. This means that an institution may not disclose a student’s confidential contact information to a student’s parent or guardian or any other person other than authorized campus officials and law enforcement officers. A student’s identification of a confidential contact is accepted as permission for law enforcement personnel to contact the identified individual if the student is determined to be missing.
There are critical questions and concepts that institutions should discuss with their community partners (e.g., first responders, emergency managers, public and mental health officials) while in the process of developing or revising an emergency management plan. While building partnerships is critical, in gathering information to support these partnerships, institutions must also take steps to balance student privacy with their mission of safety.
Education records are protected by FERPA, and institutions may generally disclose PII from those records only with written consent from an eligible student, unless a FERPA exception to consent applies. (See “What Are ‘Education Records’”.) The following are examples of how FERPA would apply in a variety of situations.
Records that are created and maintained by an IHE’s law enforcement unit for law enforcement purposes are not protected by FERPA, and there are no FERPA restrictions on the sharing of information in law enforcement unit records. (See “What Are ‘Education Records’?” and “Balancing Safety and Privacy”.)
It is important for institutions to consider entering into MOUs with law enforcement officials and their other community partners to formalize roles, responsibilities, and protocols. MOUs can be tailored to the needs of the individual campuses in the jurisdiction. Any policies regarding information sharing between the institution and the law enforcement agency, however, must comply with applicable federal, state, and local laws, including FERPA. While information-sharing MOUs should be developed regarding what information can be shared between departments and what information is protected, no provision in an MOU can override an IHE’s obligations under FERPA.
A: FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes virtually all public schools and school districts, and most private and public postsecondary institutions, including medical and other professional institutions.
A: No. Interagency agreements do not supersede the consent requirements under FERPA. Although an interagency agreement would be a helpful tool for planning purposes, institutions must comply with FERPA’s requirements regarding the disclosure of PII from students’ education records.
A: No. You generally may not disclose FERPA-protected information to the media, unless the PII disclosed is directory information on eligible students who have not opted out. While the media play a role in alerting the community of a health epidemic or violent incident, they do not generally have a role in protecting the health or safety of individual students or others at the institution.
A: Under FERPA, an emergency means a situation in which there is an articulable and significant threat to the health or safety of students or other individuals. This determination must be made by the institution.
A: When an educational agency or institution makes a disclosure under this exception, an institution must record in the student’s education records the articulable and significant threat that formed the basis for the disclosure, and the parties to whom the information was disclosed. Eligible students have a right to inspect and review the record of disclosure but do not need to be proactively informed that records have been disclosed.
A: School officials with legitimate educational interests may have access to a student’s education records. Members of a TAT who are not an institution’s employees may be designated as such if they are under the direct control of the institution with respect to the maintenance and use of PII from education records; are subject to the requirements of 34 CFR § 99.33(a) governing the use and redisclosure of PII from education records; and otherwise meet the IHE’s criteria for being school officials with legitimate educational interests.
Members of a TAT who are considered school officials with a legitimate educational interest generally cannot non-consensually redisclose PII from a student’s education records to which he or she was privy as part of the team. However, if a TAT determines that a health or safety emergency exists, as defined under FERPA, members may non-consensually redisclose PII from a student’s education records on behalf of the institution to appropriate officials under the health or safety emergency exception.
For example, a representative from the city police force who serves on an IHE’s TAT generally could not redisclose, without consent, PII from the student’s education records to the city police during the initial discussions about a particular student. However, once the TAT determines that a health or safety emergency exists, as defined under FERPA, the representative may redisclose, without consent, PII from a student’s education records on behalf of the institution to appropriate officials. (See the discussion under “Additional Situations with FERPA Considerations”.)
A: The U.S. Department of Education and the U.S. Department of Health and Human Services (HHS) jointly developed guidance on the application of FERPA and HIPAA. This guidance explains that records that are protected by FERPA are exempt from the HIPAA Privacy Rule. Accordingly, school officials must follow the requirements of FERPA with regard to the disclosure of records protected by FERPA. For more information, please see the guidance at http://www2.ed.gov/policy/gen/guid/fpco/doc/ferpa-hipaa-guidance.pdf.
A: IHEs may also be subject to federal and state civil rights laws that protect the disclosure of information about students. IHEs and their community partners should review guidance from the U.S. Departments of Education and Justice on any applicable civil rights or other statutes governing privacy and information sharing, and discuss their implications for emergency management and related planning processes. At a minimum, in determining what constitutes an “emergency,” IHEs and their community partners must base their decisions on actual risks and not on assumptions, stereotypes, fears, or myths about people with disabilities (including mental health-related disabilities) or people of a particular race, color, ethnicity, national origin, religion, sex, sexual identity, or gender identification.16,17
A: The U.S. Department of Education’s Family Policy Compliance Office is available to respond to any questions about FERPA. For quick responses to routine questions, please e-mail the U.S. Department of Education at FERPA@ed.gov. For more in-depth technical assistance or a more formal response, you may call the Family Policy Compliance Office at 202-260-3887 or write to them at
Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue SW
Washington, DC 20202-8520
In addition, please see the U.S. Department of Education’s website at http://www2.ed.gov/policy/gen/guid/fpco/index.html for the most recent guidance.
The Family Policy Compliance Office (FPCO) at the U. S. Department of Education administers FERPA. FPCO has developed, and continues to develop, extensive guidance pertaining to the implementation of FERPA and emergency situations. For more detailed information or additional guidance, please see the FPCO website at www.ed.gov/fpco. In addition, please see the Navigating Information Sharing Toolkit, developed by the National Center for Mental Health Promotion and Youth Violence Prevention, at http://sshs.promoteprevent.org/nis
10Under FERPA, “personally identifiable information” is a term that includes, but is not limited to the student’s name; the name of the student’s parent or other family members; the address of the student or student’s family, a personal identifier, such as the student’s social security number, student number, or biometric record; other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name; other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or information requested by a person who the educational agency reasonably believes knows the identity of the student to whom the education record relates. (See 34 CFR 99.3.)
11 See 34 CFR § 99.7(a)(3)(iii) for further information. Available at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=ea1af3867103d06eb14b239518b24822&rgn=div8&view=text&node=34:188.8.131.52.184.108.40.206&idno=34/.
12Beginning in March 2014, the Clery Act will prohibit the release of victims’ names in timely warning notifications and crime logs.
1320. U.S.C. 1092(f)is available at http://www.gpo.gov/fdsys/pkg/USCODE-2011-title20/html/USCODE-2011-title20-chap28-subchapIV-partF-sec1092.htm1434 CFR § 668.46 is available at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=676893907309b77d0c88954dcce41914&rgn=div8&view=text&node=34:220.127.116.11.18.104.22.168&idno=34
15Please note that civil rights laws may apply. For instance, Section 504 of the Rehabilitation Act prohibits pre-admission inquiries about an applicant’s disability. See 34 CFR § 104.42(b)(4) available at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=ec9ff20a16040ddc021d2d0b60f6f668&rgn=div8&view=text&node=34:22.214.171.124.126.96.36.199&idno=34.
16See Title 28 of the Code of Federal Regulations, Section 35.139 available at http://www.ecfr.gov/cgi-bin/text-idx?c=ecfr&SID=c6b7e6addf8451d18de7740dffed1706&rgn=div8&view=text&node=28:188.8.131.52.184.108.40.206&idno=28.
17In enacting ADA, Congress relied on School Board of Nassau County, Florida v. Arline, 480 U.S. 273, 284 (1987) to “acknowledge that society’s accumulated myths and fears about disability and disease are as handicapping as are the physical limitations that flow from actual impairment.” As explained in the preamble to the U.S. Department of Justice’s 1991 ADA regulation, codification of the Arline standard was deemed essential if the ADA is to achieve its goal of protecting disabled individuals from discrimination based on prejudice, stereotypes, or unfounded fear, while giving appropriate weight to legitimate concerns, such as the need to avoid exposing others to significant health and safety risks. See 28 C.F.R. pt. 36, app. C, sec. 36.208 available at http://www.ecfr.gov This rationale applies with equal force to making determinations based on stereotypes about other characteristics protected by Titles IV and VI of the Civil Rights Act of 1964.