FERPA: Educational Records Data Protection

The Family Educational Rights and Privacy Act (FERPA) establishes federal privacy protections for student education records maintained by institutions that receive funding from the U.S. Department of Education. This page covers FERPA's definitional scope, enforcement structure, operational mechanics, common compliance scenarios, and the boundaries that distinguish protected records from non-protected information. For professionals navigating data protection service providers or researchers mapping the regulatory landscape, FERPA represents one of the most operationally consequential sector-specific privacy statutes in U.S. federal law.

Definition and scope

FERPA, codified at 20 U.S.C. § 1232g and implemented through regulations at 34 C.F.R. Part 99, applies to educational agencies and institutions that receive funds administered by the U.S. Department of Education. This captures virtually every public K–12 school district and nearly all colleges and universities in the United States.

The statute protects "education records," defined as records, files, documents, and other materials that contain information directly related to a student and are maintained by an educational agency or institution. The U.S. Department of Education's Student Privacy Policy Office (SPPO) administers FERPA enforcement and issues guidance.

FERPA's definition of education records excludes four categories:

1. Sole possession records — notes made by a school employee and kept only in that individual's possession, not shared with any other person.
2. Law enforcement unit records — records created and maintained by a school's law enforcement unit for law enforcement purposes.
3. Employee records — records relating solely to an individual in their capacity as an employee, not as a student.
4. Treatment records — records made or maintained by a physician, psychiatrist, or psychologist used solely for treatment purposes and not disclosed to anyone other than treatment personnel.

"Provider Network information" — typically including a student's name, address, telephone number, date and birth location, field of study, and enrollment status — occupies a distinct category. Institutions may disclose provider network information without consent unless a student has exercised their right to opt out under 34 C.F.R. § 99.37.

How it works

FERPA confers two primary rights on eligible students (and on parents of students under age 18):

1. Inspection and review — the right to inspect and review education records within 45 days of a request (34 C.F.R. § 99.10).
2. Amendment — the right to request amendment of records believed to be inaccurate or misleading, with a formal hearing process if the institution denies the request (34 C.F.R. § 99.20).

The core operational constraint is the prior written consent requirement: institutions may not disclose personally identifiable information (PII) from education records without written consent from the eligible student or parent, except under enumerated exceptions. The SPPO identifies at least 14 statutory exceptions to the consent requirement, including:

• School officials with legitimate educational interest — institutional employees, contractors, or agents who need the records to perform their professional responsibilities.
• Transfer schools — records may be forwarded to schools where the student seeks or intends to enroll.
• Federal and state authorities — disclosures to federal and state education authorities conducting audits or evaluations of federally supported programs.
• Financial aid — disclosures necessary for a student to receive financial aid.
• Judicial orders and subpoenas — disclosures pursuant to a lawfully issued court order or subpoena, with advance notice requirements.
• Health and safety emergencies — disclosures to appropriate parties when necessary to protect the health or safety of a student or other individuals (34 C.F.R. § 99.36).

Enforcement rests with the SPPO. Confirmed violations can result in the withholding of federal funds, though the Department of Education has historically pursued compliance remediation before funding termination. The situates FERPA alongside HIPAA, COPPA, and state-level frameworks as a sector-specific federal baseline.

Common scenarios

Parental access post-18: Once a student turns 18 or attends a postsecondary institution, FERPA rights transfer from parent to student. Institutions may, but are not required to, disclose records to parents if the student is a dependent under Internal Revenue Code Section 152 (34 C.F.R. § 99.31(a)(8)).

Third-party vendor access: When institutions engage technology vendors who access student data — learning management systems, student information platforms, assessment tools — those vendors must operate as "school officials" under a formal agreement establishing legitimate educational interest and prohibiting secondary use of the data. The SPPO's FERPA and Virtual Learning guidance addresses this configuration specifically.

Research disclosures: Institutions may share de-identified education records for research without consent, provided PII has been removed and a code or other means of re-identification is not disclosed with the de-identified data.

Media and law enforcement requests: Institutions routinely receive requests from journalists and law enforcement agencies. Absent a judicial order or explicit statutory exception, these requests do not override the consent requirement.

Decision boundaries

The critical distinctions that define FERPA's operational edges:

• FERPA vs. HIPAA: Health records created by a school nurse or health clinic and maintained by the school are education records covered by FERPA — not HIPAA — per the HHS HIPAA FAQ on student records. HIPAA applies to the same student's records held by an outside hospital.
• FERPA vs. state law: FERPA establishes a federal floor. State laws such as California's Student Online Personal Information Protection Act (SOPIPA) or New York Education Law § 2-d may impose additional restrictions that coexist with but do not displace FERPA.
• Education records vs. sole possession notes: A teacher's personal grade book shared with a substitute teacher loses sole-possession status and becomes an education record subject to FERPA protections.
• Provider Network information vs. PII: Even provider network information becomes protected once a student opts out; institutions must honor opt-outs in all disclosures, including to military recruiters under the Solomon Amendment.

Professionals working at the intersection of student data governance and vendor contracting should reference the resource overview for this data protection reference network for orientation on how FERPA fits within the broader federal and state data protection framework.