Certified Information Privacy Professional (CIPP): US - Family Educational Rights and Privacy Act, FERPA, Education Records, Directory Information

CIPP/US – Family Educational Rights and Privacy Act (FERPA) – Education Records & Directory Information

What This Is

FERPA is a federal law that protects the privacy of student education records held by schools that receive federal funds. It gives parents (and, once a student turns?18 or attends a post?secondary institution, the student themselves) the right to inspect, amend, and control disclosure of those records. A typical real?world scenario: a university’s marketing office wants to email all alumni about a new graduate?school program. Before sending, the office must verify whether the alumni’s contact information is “directory information” and whether any student has opted out of its public release.

Key Terms & Provisions

• Education Record: Any record directly related to a student that is maintained by an educational institution or a party acting on its behalf (e.g., grades, transcripts, disciplinary files). FERPA?covered records are not limited to paper; electronic files, emails, and cloud?hosted data count.

• Directory Information: Information that schools may disclose without prior consent unless the student has opted out (e.g., name, address, telephone number, email, dates of attendance, major, honors). Schools must publicly announce what they consider directory information and give a reasonable opt?out period.

• Annual Notification Requirement: Each school year, institutions must inform students (or parents) of their FERPA rights and the types of information designated as directory information.

• Right to Inspect & Review: Parents (or eligible students) may inspect education records within 45 days of a request and may request amendment of inaccurate or misleading information.

• Right to Consent to Disclosure: Except for the limited exceptions (e.g., directory information, health?safety emergencies, judicial orders), schools must obtain written consent before releasing personally identifiable information (PII) from education records.

• Transfer of Records: When a student transfers to another school, the originating institution must provide the receiving school with the student’s education records without delay (usually within 10 days). No additional consent is required.

• Health?Safety Emergency Exception: Schools may disclose education records without consent if the information is necessary to protect the health or safety of the student or others. The disclosure must be limited to the information needed and documented.

• FERPA?Compliance Officer (FCO): While not required by law, most institutions appoint a designated official (often the VP of Student Affairs or a privacy officer) to oversee FERPA compliance, manage requests, and maintain the directory?information opt?out list.

• Family Educational Rights and Privacy Act (FERPA) – Jurisdiction: United States federal law (20?U.S.C. §§?1232g). Applies to any educational institution (K?12 or post?secondary) that receives any federal financial assistance.

• FERPA vs. HIPAA: Health?related information that is part of a student’s education record (e.g., school nurse notes) is governed by FERPA, not HIPAA, unless the school is also a HIPAA?covered entity (rare).

Step?by?Step Process Flow (Handling a FERPA Request)

1. Receive the Request – Log the request (written, email, or portal) and note whether it is from a parent or an eligible student.
2. Verify Identity & Authority – Confirm the requester’s relationship (parent of a K?12 student, or the student?turned?adult) using ID and enrollment records.
3. Locate All Relevant Education Records – Search the student information system, learning management system, disciplinary database, and any third?party cloud storage that may contain education records.
4. Determine Scope of Disclosure –
5. If the request is for inspection, prepare copies of the records.
6. If the request is to amend, evaluate the claim, consult the student (or parent), and document the decision.
7. If the request is to restrict disclosure, verify whether a valid exception (e.g., health?safety) applies.
8. Respond Within 45 Days – Provide the records (or a written denial with reasons) to the requester, and if denying, inform the student of the right to a formal appeal to the institution’s FERPA Appeals Committee.
9. Document & Archive – Keep a record of the request, verification steps, and final action for at least three years to demonstrate compliance in case of an audit.

Common Mistakes

• Mistake: Assuming that any “student?generated” email stored on a university server is not an education record.
  Correction: FERPA treats all records maintained by the school (including email archives) that are directly related to a student as education records.

• Mistake: Believing that “publicly posted” directory information can be used for marketing without checking the opt?out list.
  Correction: Even for directory information, schools must honor any opt?out; using the data for unsolicited marketing without checking the list violates FERPA.

• Mistake: Confusing the 45?day inspection deadline with the 30?day amendment deadline (the latter does not exist).
  Correction: FERPA only mandates a 45?day period to provide access; there is no statutory deadline for amending records, though institutions should act promptly.

• Mistake: Treating a health?safety emergency as a blanket justification to share any student data with law enforcement.
  Correction: The emergency exception is narrow—only the minimum necessary information may be disclosed, and the school must document the rationale.

• Mistake: Assuming FERPA does not apply to online?only schools that receive no federal funds.
  Correction: If an online school receives any federal financial assistance (e.g., Title?IV student aid), FERPA applies regardless of delivery mode.

CIPP Exam Insights

• Scope vs. Funding: The exam often asks whether a private tutoring company that receives a federal grant must comply with FERPA. Remember: any federal assistance triggers FERPA.
• Directory Information Opt?Out Timing: Expect a question on the required notice period (typically 30 days after annual notification) for students to opt out.
• Health?Safety vs. Law?Enforcement Exception: Distinguish the health?safety emergency (FERPA) from the law?enforcement subpoena (requires a court order or written request).
• Transfer of Records: A common trap is thinking a student’s consent is needed when moving from one accredited college to another; FERPA actually mandates automatic transfer.

Quick Check Questions

1. Scenario: A university wants to publish a list of graduating seniors on its website, including names, majors, and graduation dates. A student has previously submitted an opt?out for directory information.
   Answer: The university must not publish that student’s information because names, majors, and graduation dates are considered directory information, and the student has opted out.

2. Scenario: A parent of a high?school junior requests a copy of the student’s disciplinary record. The school denies the request, citing a pending criminal investigation.
   Answer: The denial is invalid under FERPA; disciplinary records are education records, and the parent (or eligible student) has a right to inspect them within 45 days, regardless of an investigation.

3. Scenario: A community college receives a subpoena from a state agency demanding the student’s transcript. The college’s counsel advises compliance without a court order.
   Answer: FERPA requires a court order or written request from the agency; a mere subpoena is insufficient, so the college must either obtain a court order or refuse the disclosure.

Last?Minute Cram Sheet (10 One?Liners)

1. FERPA Scope: Applies to any educational institution receiving any federal financial assistance.
2. Education Record Definition: Includes all records (paper, electronic, cloud) directly related to a student.
3. 45?Day Access Rule: Schools must provide requested education records within 45 days of a valid FERPA request.
4. Directory Information Opt?Out: Students may opt out of disclosure; schools must publish the opt?out list annually.
5. Health?Safety Exception: Allows disclosure without consent only when necessary to protect health or safety; must be limited and documented.
6. Transfer Requirement: When a student transfers, the originating school must send the education records to the new school without delay (?10 days).
7. Law?Enforcement Disclosure: Requires a court order or written request from the agency; a subpoena alone is insufficient.
8. FERPA vs. HIPAA: Student health information in school records is governed by FERPA, not HIPAA, unless the school is also a HIPAA?covered entity.
9. Annual Notification: Schools must inform students/parents of FERPA rights each academic year and list what they consider directory information.
10. Exam Trap: FERPA does not require a privacy impact assessment; that concept belongs to GDPR/CCPA, not FERPA.

Use this guide to cement the fundamentals, avoid common pitfalls, and ace the FERPA portion of your CIPP/US (or CIPP/E) exam. Good luck!