• FERPA Primer: The Basics and Beyond


    The Family Educational Rights and Privacy Act (FERPA) was enacted by Congress in order to protect the privacy of students and their parents. FERPA is designed to ensure that students and parents of students may obtain access to the student’s educational records and challenge the content or release of such records to third parties. This article summarizes the key points of FERPA, highlights how career services practitioners can ensure that their educational institutions are in compliance with FERPA’s requirements, and addresses the recently proposed regulatory changes to FERPA.

    Summary of Existing FERPA Restrictions

    FERPA requires that federally funded institutions, under programs administered by the United States Department of Education, comply with certain procedures with regard to disclosing and maintaining educational records. FERPA was not enacted to preclude the disclosure of educational records simply because the records identify a student by name; rather, it was designed to protect the student’s educational information and status as a student.

    To understand the scope of FERPA, it is first necessary to examine the definition of “student” under the act. According to FERPA, a student is defined as an individual who is enrolled in and actually attends an educational institution. The regulations provide that attendance includes, but is not limited to, attendance in person or by correspondence. Courts have held that individuals who merely audit classes or who are accepted to an educational institution but do not attend any classes are not “students” for purposes of FERPA.

    Based upon the definition of attendance, it is unclear whether it includes students taking online classes provided by an educational institution. As will be discussed more fully below, the Department of Education has proposed amendments to the regulations that would address this issue. The regulations would add attendance by videoconference, satellite, Internet, or other electronic information and telecommunications technologies to the definition of “attendance,” thereby accounting for students who are not physically present in the classroom.

    FERPA prohibits the disclosure of a student’s “protected information” to a third party. This disclosure is prohibited regardless of whether it is made by hand delivery, verbally, fax, mail, or electronic transmission. Disclosure also includes the provision of access to an educational institution’s career service data base of student resumes.

    For purposes of FERPA, a “third party” includes any individual or organization other than the student or the student’s parent. With respect to third parties, even if the initial disclosure of protected information is permissible, FERPA limits the subsequent disclosure of the information by the third party. As such, once an educational institution discloses protected information to a third party, it must ensure that the third party does not itself improperly disclose the information in violation of FERPA.

    FERPA classifies protected information into three categories: (1) educational information; (2) personally identifiable information; and (3) directory information. The limitations imposed by FERPA vary with respect to each category. 

    Although personally identifiable and directory information are often similar or related, FERPA provides different levels of protection for each. In this regard, personally identifiable information can only be disclosed if the educational institution obtains the signature of the parent or student (if over 18 years of age) on a document specifically identifying the information to be disclosed, the reason for the disclosure, and the parties to whom the disclosure will be made. Failure to comply with these requirements will result in a violation of FERPA.

    On the other hand, with respect to directory information, FERPA does not bar disclosure by the educational institution. Directory information, such as a list of students’ names, addresses, and telephone numbers, can be disclosed provided that the educational institution has given public notice of the type of information to be disclosed, the right of every student to forbid disclosure, and the time period within which the student or parent must act to forbid the disclosure.

    With respect to educational information, FERPA precludes the disclosure of this information absent the prior approval of the student or parent. The issue of what constitutes “educational information” has been hotly contested and subject to much litigation since the inception of FERPA. FERPA defines “education records” as “records, files, documents, and other materials” that are “maintained by an educational agency or institution, or by a person acting for such agency or institution.” While it is clear that educational information includes a student’s transcripts, GPA, grades, social security number, and academic evaluations, courts have also included in this category certain psychological evaluations.

    On the other hand, with respect to information such as “peer grading” and crime reports by noncommissioned campus police units, most courts have held this information not to be subject to the disclosure restrictions imposed by FERPA. By way of example, in Owasso Independent School District v. Kristja Falvo, the United States Supreme Court held that peer grading was not educational information for purposes of FERPA. According to the Court, “peer grading,” a practice whereby one student scores/grades the work of another student, is generally not encompassed by FERPA because the information is not created or “maintained” by the educational institution or an agent of the institution. Rather, the information is created and maintained by another student.

    In justifying its conclusion in Owasso, the Court cautioned against creating an overbroad definition of “educational information” for purposes of FERPA. According to the Court, such a broad definition of the term “educational record” could result in homework or other classwork being covered by FERPA. Such a result would impose an unnecessary burden on teachers and educational institutions. As such, the Court reiterated that records that are not “maintained” by an educational institution do not trigger FERPA protections.

    Courts have adopted similar reasoning with respect to teacher evaluations and negative letters of recommendation authored by the teacher but not “maintained” by the educational institution in its files. Courts have been reluctant to find that these records are subject to FERPA because they do not meet the strict definition of an “educational record” pursuant to FERPA. 

    With respect to reference letters and resumes, the critical inquiry is whether these records include or incorporate the student’s “educational information” (i.e., GPA, grades, social security numbers, etc.). If these documents contain “protected” educational information they cannot be disclosed without satisfying FERPA’s pre-disclosure requirements. As such, an educational institution may not provide an employer, headhunter, or other employment agency with a student’s resume or confidential letter of reference that contains protected educational information unless it first obtains approval from the student or the student’s parent.

    Students’ Rights

    FERPA gives students the right to inspect their educational records (excluding information on other students, the financial records of parents, and confidential letters of recommendation if the student has waived the right to access) before giving consent to disclose information. If a student does request the right to inspect, the educational institution must comply within 45 days of the receipt of the request. In many cases, students have seen, or are aware of, the contents of their files. For example, a student knows what courses he or she has taken and/or his or her GPA, both of which are included in the student’s “educational record.” Even if students have waived the right to access their files, the school must provide a list of the file’s contents (including the names of all persons making confidential recommendations) upon student request. If the student file has changed in any way, e.g., a letter of recommendation has been altered or replaced, career services should notify the student that there has been a change before disclosing the file’s contents to a potential employer or graduate school.

    Credential Files

    FERPA does not specify a time period for retaining credential/placement files or reference letters. The law merely provides that an education record may not be destroyed if there is an outstanding student request to inspect the file. The school has the discretion to develop a record retention policy and communicate that policy to its students. The policy should include a deadline by which students/alumni must respond if they do not wish to have their files destroyed. Once the deadline has passed, and there has been no request for retention, the records may be destroyed.

    Recommendations to Ensure FERPA Compliance

    In order to ensure compliance with FERPA, educational institutions should adhere to the following:

    • Advise students annually of their rights under FERPA;
    • Obtain signed, written consent from a student before a school official, administrator, career services staff member, or faculty member releases personally identifiable information to an employer, third-party recruiter, or resume referral data base. In this regard, however, it should be noted that on April 21, 2004, the Department of Education issued regulations implementing flexible standards for institutions that choose to use electronic signatures. Specifically, the regulations provide that signed and dated consent includes a signature in electronic form that identifies and authenticates a person as the source of the consent and indicates that person’s approval of the information contained in the electronic consent;
    • Train and retrain faculty members with respect to the requirements and prohibitions of FERPA;
    • Notify employers, employment agencies, contract recruiters, resume data bases, and other entities that student records are subject to FERPA, and that such entities cannot subsequently disclose these records without student consent. Educational institutions should also notify third parties that improper disclosure will result in future denials of access to such records;
    • Determine, clearly define, and communicate to students what information will be considered directory information prior to disclosure; provide students with a reasonable time to notify the educational institution if they want to restrict access to directory information;
    • Obtain a new consent form if any student information is changed, such as revisions to a letter of recommendation, prior to fulfilling an information request;
    • Note that FERPA does not address the issue of placing amended letters of recommendation into students’ files. Each educational institution is responsible for establishing and consistently enforcing its own policies with respect to this issue; and
    • Advise students with respect to the implications of waiving their right to inspect their files or letters of recommendation.
       

    Penalty for Non-Compliance

    Courts have routinely held that FERPA does not create a private right of action against the educational institution. In other words, FERPA does not provide an aggrieved student a right to sue the educational institution for damages if the institution improperly discloses the student’s protected information. Rather, FERPA is essentially a “carrot and stick” legislation. The carrot, federal funding, is meant to ensure compliance with the FERPA requirements. Educational institutions that fail to comply with FERPA may forfeit the federal funding. Accordingly, while the educational institutions need not fear excessive lawsuits filed by disgruntled students over alleged FERPA violations, actual violations may result in a debilitating loss of federal funding.

    Proposed Regulations

    In response to issues arising from the Virginia Tech tragedy and laws such as the Patriot Act, the U.S. Department of Education proposed new regulations for FERPA on March 24, 2008. While the proposed changes are not earth shattering, they are noteworthy nonetheless.

    Specifically, the proposed regulations seek, in part, to accomplish the following:

    • Provide for an educational institution to release information received about a student registered as a sex offender;
    • Provide for an educational institution to share information about a student to another institution in which the student has enrolled;
    • Provide that “online” students are covered by FERPA;
    • Provide objective standards to determine when an educational institution can disclose information without consent if it has removed all personally identifiable information; and
    • Permit the Department of Education to continue to pursue an alleged violation, even if the complainant withdraws his or her complaint.

    Clearly, FERPA remains an important federally created protection for student privacy. It is imperative that all educational institutions understand the existing restrictions and limitations imposed by FERPA and those set forth in the recently proposed regulations. Failure to do so may prove to be an extremely costly mistake.

     

    Created August 2008. Current 2012.


FERPA Primer: The Basics and Beyond