What is FERPA?
The Family Educational Rights and Privacy Act was created to give students and parents certain privacy rights regarding their educational records. FERPA allows students access to their own educational records along with the right to limit the release of personally identifiable information. All schools that report to the Secretary of Education must comply with FERPA; that is, all primary, secondary, and post-secondary schools that are either publicly or privately funded should comply or risk losing their federal funding. Although FERPA prevents state and local schools from releasing certain educational information of its students, there are exceptions.
Are there exceptions to FERPA?
As with many privacy laws, there are exceptions to FERPA. The U.S. Department of Education recognizes four main FERPA exceptions in which a state or local educational institution may disclose a student’s information. These exceptions mean that an institution can release certain data without the written consent of a student’s parent or a student over 18 years of age.
The four main exceptions to FERPA are:
- Directory Information – A school may disclose a student’s personally identifiable information that’s been properly designated. That information must not be harmful to the student if disclosed, and the policy must state which information has been designated as directory information. The school must allow students or parents access to the information being released in advance and give them a certain period of time to opt out. Directory information typically includes things like names, dates of attendance, and more.
- School Officials – Under this exception, there’s no need for a school to record the release of personal information to school officials. The school must define who is considered a school official and why they have a legitimate interest in the information. That can include third party organizations that are under direct control of the school or perform a service or function to the school. School officials can only receive information that has been determined to have a legitimate educational purpose.
- Studies – Schools may release certain information to institutions conducting educational studies considered a FERPA-permitted entity. Information can be released to studies that create or validate predictive tests, create student aid programs, or improve instructions in the school system. The rules for releasing personally identifiable information under the studies exception include entering a written agreement between the school and study group, the study doesn’t release information identifying individual students or parents, and the information must be destroyed after the study is complete.
- Audit or Evaluation – When a school undergoes an audit or evaluation, it may release certain educational information to the evaluation authority. That authority must be to a state or local authority, a FERPA-permitted entity, or one of its authorized representatives. The information is only allowed to be used for the authorized purpose of the audit or evaluation and must be destroyed at the conclusion of the audit or evaluation. A written agreement must be in place before the audit or evaluation begins.
Navigating FERPA and its exceptions can be complicated. At Atolles Law S.C., our team of lawyers can help your school understand and comply with FERPA to protect student privacy and protect your school from FERPA violations. We are experienced at working with schools across Wisconsin to remain FERPA compliant. Contact us today to learn more about how Atolles Law S.C. can work with your school.