The Family Educational Rights and Privacy Act (FERPA) — 20 U.S.C. § 1232g — was enacted in 1974 to give students (and parents of minor students) two basic rights: access to their own education records, and control over disclosure of those records. The statute has been amended several times (PATRIOT Act 2001, USA FREEDOM Act 2015) and the implementing regulations at 34 CFR Part 99 were last significantly revised in 2008.
FERPA is enforced by the leverage of federal funding: an educational institution that persistently and substantively fails to comply can lose its eligibility for federal education funds. In practice this enforcement mechanism is almost never invoked — the Department of Education uses correction plans and informal compliance much more often than the funding hammer — but the threat shapes the entire compliance posture of every covered institution. For most US universities, FERPA is the single most consequential federal privacy obligation in routine operations, even though it carries no civil monetary penalties.
Who's covered
FERPA applies to any educational agency or institution that receives funds under any program administered by the US Department of Education. The list is long — nearly every K-12 public school district, public university, and most private colleges and universities receive federal student aid funds (Title IV) or other Department of Education program funds and are therefore covered.
A few categories at the edges:
- Truly private schools that take zero Department of Education money are not subject to FERPA. Rare in higher ed (almost any institution accepting Pell grants or federal student loans is covered) but more common in K-12.
- At postsecondary institutions, FERPA rights belong to the student rather than the parent: once a student turns 18 or enrolls in a postsecondary institution at any age, the rights transfer from the parents to the student. Parents have no FERPA right of access to a college student's records, even when they are paying tuition.
- Educational agencies (state and local) that maintain student-records databases on behalf of schools also fall within FERPA via the schools they serve.
- Vendors and service providers handling education records on behalf of a covered institution are constrained by FERPA through the "school official" disclosure exception (covered below). They aren't directly liable in the way HIPAA business associates are, but the contractual constraints on them are substantive.
What's protected
FERPA protects "education records" — defined as records directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. This is a broad definition that includes grades, transcripts, enrollment records, disciplinary records, financial aid records, health records held by the school's health service (NOT covered by HIPAA when the school holds them), advisor notes that are formally maintained, and increasingly — the digital exhaust of learning management systems.
Specific exclusions matter:
- Sole-possession records: an instructor's personal teaching notes used as a memory aid, not shared with anyone, are not education records.
- Law enforcement unit records: records maintained separately by a campus law enforcement unit (e.g., campus police) for law enforcement purposes are not education records (though they may be subject to other laws).
- Employment records: records relating to employment that is not contingent on student status are excluded (e.g., a faculty member who is also a graduate student; their employment file as faculty is not a FERPA education record).
- Treatment records: records of an eligible student created by a physician or other recognized professional, used only in connection with treatment, are excluded — but if disclosed to anyone other than the treating professional, they become education records.
- Records created after the student is no longer in attendance (e.g., alumni donation records) are not FERPA-covered.
Directory information
A subset of education records may be disclosed without consent: directory information. Each institution defines its own directory-information list within the categories FERPA allows (name, address, phone, email, photo, date and place of birth, major, dates of attendance, degrees and awards received, most recent previous school attended, athletic team participation, height/weight for athletes). The institution must (a) publish what categories it has designated as directory information, and (b) give each student a meaningful opportunity to opt out of that disclosure.
A student who opts out (often called requesting a "FERPA block" or "privacy flag") essentially disappears from the institution's directory: their name doesn't appear in the commencement program, their athletic stats can't be published, and even employment-verification calls get a "we cannot confirm or deny" response. Some students request a FERPA block to escape a stalker or an abusive parent, or because of witness-protection arrangements. The block is one of the few disclosure controls FERPA leaves entirely to the student's choice.
Student / parent rights
Right to inspect and review
Students must be allowed to inspect their education records within 45 days of a written request. The institution may charge for copies but cannot use the cost to effectively bar access.
Right to seek amendment
If a student believes a record is inaccurate, misleading, or violates their privacy rights, they may request amendment. The institution decides; if it refuses, the student has a right to a hearing. If the hearing also refuses amendment, the student has a right to insert a statement of disagreement in the record.
Right to consent to disclosure
Education records may not be disclosed to third parties without the student's signed, written consent — except for the exceptions enumerated below. This is the heart of FERPA.
Right to file a complaint
Students can file a complaint with the Department of Education's Student Privacy Policy Office (SPPO, formerly the Family Policy Compliance Office) for alleged FERPA violations. Complaints are investigated and resolved administratively.
Right to annual notification
Institutions must annually notify students of their FERPA rights. The means of notification can be a student handbook, a posted notice, an email, or a webpage — whatever the institution reasonably believes will reach all students.
Right to file a complaint about directory information
If the institution discloses information the student designated as non-directory or if the institution's directory-information opt-out mechanism is ineffective, the student can include this in their FERPA complaint.
Disclosure rules: the heart of FERPA
The default rule: no disclosure of personally identifiable information from education records without prior written consent. The signed consent must specify what's being released, to whom, and for what purpose. The student must receive a copy on request.
Twelve enumerated exceptions allow disclosure without consent. The two that come up constantly in security and IT contexts:
- School officials with a legitimate educational interest. The most-used exception. Faculty, staff, and (importantly) third-party contractors performing services or functions for the institution can be designated "school officials" and access education records as needed for their role. The institution must specify in its annual FERPA notice what criteria it uses to determine "legitimate educational interest." This exception is what lets professors access their students' grades, lets advisors see transcripts, and lets the IT helpdesk reset a student's portal password.
- Studies and audits. Disclosure for the purpose of studying the effectiveness of educational programs, or for federal/state audit and evaluation, is permitted under specific conditions including a written agreement and de-identification at the end of the study.
Other notable exceptions include: disclosure to another school where the student seeks or intends to enroll; disclosure in connection with financial aid; disclosure to the parents of a student who is their dependent for federal tax purposes; disclosure pursuant to a lawfully issued subpoena or court order (with limited prior-notice requirements); disclosure in a health and safety emergency; and disclosure of disciplinary outcomes to alleged victims of violent crimes.
Records of disclosures must be maintained. For each disclosure of education records (other than to school officials, directory information, or with the student's consent), the institution must record the parties to whom disclosure was made and the legitimate interest in obtaining the information. The student has the right to inspect this record of disclosures.
Vendors and the "school official" designation
Modern educational institutions outsource enormous portions of their student-records handling to third parties: learning management systems (Canvas, Brightspace, Blackboard, Moodle), student information systems (Banner, PeopleSoft, Workday Student), email and collaboration suites (Google Workspace for Education, Microsoft 365), course-evaluation tools, plagiarism detection, proctoring services, financial aid platforms, transcript clearinghouses, alumni records, and dozens of niche ed-tech tools.
FERPA permits this if and only if the vendor is designated as a school official under the legitimate educational interest exception. Department of Education guidance specifies four conditions the vendor must meet:
- Performs an institutional service or function for which the institution would otherwise use its own employees.
- Is under the direct control of the institution with respect to the use and maintenance of education records (typically a contractual requirement).
- Is subject to the same use and re-disclosure requirements as if the institution were processing the records itself.
- Uses the records only for the institutional purpose for which the disclosure was made — not for the vendor's own marketing, product improvement, model training, or any other secondary purpose without separate consent.
This is the basis of every ed-tech vendor contract's FERPA clause. The vendor agrees, in writing, to be a "school official" and accepts those four constraints. Vendors that don't — or that try to retain data-mining rights, advertise to students, sell anonymized analytics, or train AI models on student records — can't lawfully be given education records under this exception. The institution would have to obtain individual student consent instead, which is operationally impossible at scale.
Enforcement and penalties
FERPA enforcement is handled by the Department of Education's Student Privacy Policy Office (SPPO), formerly the Family Policy Compliance Office. The SPPO investigates complaints from students and parents, issues guidance, and works with institutions on corrective action.
There is no private right of action under FERPA — a student cannot sue a school directly under FERPA for violating their rights (the Supreme Court settled this in Gonzaga University v. Doe, 536 U.S. 273 (2002)). The Department of Education is the sole enforcer.
Penalty options:
- Corrective action plan — by far the most common outcome. The SPPO finds a violation, the institution agrees to remediation, and compliance resumes.
- Termination of eligibility for federal education funds — the statutory hammer. Only available for institutions that have failed to comply substantively, after a hearing, with notice and opportunity to correct. Has never been invoked in FERPA's 50-year history.
- State-law tort exposure — while FERPA itself doesn't allow private suits, students can sometimes bring state-law privacy claims (invasion of privacy, negligence, breach of contract) related to FERPA violations. Several recent breach-related class actions have used this theory.
- Reputational consequences — the institution's accreditation, peer relationships, and student-trust posture all take damage from sustained FERPA failures.
The practical lesson: the enforcement mechanism is informal but consistent, and the reputational and state-tort risks are real even if federal monetary penalties are not.
Recent breaches
FERPA itself doesn't impose breach-notification obligations — that's left to state breach-notification laws, which now exist in every US state. But ed-sector breaches have shaped how institutions and vendors handle student data, and they reveal where the FERPA "school official" framework breaks down in practice.
- Blackbaud (2020). The vendor's ransomware incident affected hundreds of educational and non-profit institutions whose donor and alumni records were stored on Blackbaud's hosted CRM platform. Blackbaud paid the ransom and assured customers no data was published; subsequent litigation and breach notifications revealed that significant personal data was exfiltrated. Many universities had to send breach notifications under state law. The case forced institutions to reconsider how thoroughly they vetted their vendor's incident-response and contractual breach-notice obligations.
- Illuminate Education (2022). A K-12 ed-tech vendor used by hundreds of school districts experienced a breach exposing PII of an estimated 2 million students nationwide. Affected districts faced state attorney general investigations and class actions. The Federal Trade Commission later announced an enforcement action against Illuminate for security failures and misrepresentations; FTC enforcement against an ed-tech vendor was novel and signals broader regulatory interest.
- PowerSchool (2025). The dominant US K-12 student information system experienced a breach affecting tens of millions of students and educators across multiple countries via compromised customer-support credentials. The incident raised concerns about ed-tech vendor consolidation — when a single vendor serves a majority of US K-12 districts, its security posture becomes systemically significant.
- MOVEit / Clop ransomware (2023). The MOVEit Transfer file-transfer software vulnerability exploited by the Clop ransomware group hit a large number of higher-education institutions and ed-tech vendors that used MOVEit to exchange student data. Multiple universities issued breach notifications to current and former students. The pattern: the institution wasn't directly compromised, but its third-party file-transfer vendor was, and education records flowed through.
- National Student Clearinghouse (2023). A non-profit serving 3,600+ colleges and universities was caught up in the MOVEit breach. Education records of millions of students who had requested transcripts or attended NSC-enrolled institutions were affected.
What FERPA means for a security team
Translated into operational reality:
- Inventory education records. They're in the SIS, the LMS, the email system, the file shares where advisors store recommendation letters, the ticketing system the registrar uses, the alumni database, and dozens of niche systems. Map them.
- Access controls aligned to "legitimate educational interest." The institution's annual FERPA notice declares what determines legitimate educational interest. Your access-provisioning process should require attestation matching that standard — documented role, documented need, periodic re-review.
- Vendor management is most of the job. Every ed-tech vendor agreement needs FERPA "school official" language, contractual constraints on use/re-disclosure, breach-notice timelines, audit rights, sub-contractor controls, and data-return/destruction obligations on contract termination. Build a checklist, use it on every new vendor.
- Maintain a record of disclosures. For each non-routine disclosure (subpoenas, health-and-safety emergencies, audit-and-evaluation studies), document who got what and why. Students may ask to see this list.
- Honor FERPA blocks consistently across systems. A student's directory-information opt-out should propagate to every system that publishes student names — not just the directory itself. Lots of FERPA findings start with "she had a FERPA block and they still listed her in the commencement program."
- Treat health-and-safety emergency disclosures conservatively. The exception is real but narrow. The "articulable and significant threat" standard requires documented basis. Routine "concerning student behavior" doesn't qualify.
- Plan for breach notification under state law. FERPA itself doesn't mandate it, but every state's breach-notification law does. Know which states' rules apply (typically: the state where the affected student resides at the time of the breach) and build response timelines around the strictest applicable rule.
- Coordinate with the registrar. The registrar is usually the institution's de facto FERPA expert. They will know things about the institution's specific FERPA posture that aren't in any policy document. Build the relationship before you need it.
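An added example, not code from the article or from any system it names, modelling two of the controls above in Python: a directory-information opt-out that every publishing path (commencement listing, roster, employment verification) applies the same way, and a record of disclosures that keeps only the entries the article says must be retained and that a student may inspect. The category names, exception labels, and sample students are constructed for illustration.

```python
from dataclasses import dataclass

# Categories this hypothetical institution designated as directory information.
DIRECTORY_CATEGORIES = {"name", "major"}
# Disclosure types the article says need not appear in the record of disclosures.
EXEMPT_FROM_LOG = {"school_official", "directory", "consent"}

@dataclass
class Student:
    student_id: str
    name: str
    major: str
    gpa: float
    directory_block: bool = False  # the student's "FERPA block" / privacy flag

# Constructed sample students, not real people.
SAMPLE_STUDENTS = [Student("s1", "Alice Example", "Physics", 3.7),
                   Student("s2", "Bob Example", "History", 3.1, directory_block=True)]

@dataclass
class Disclosure:
    student_id: str
    recipient: str            # party to whom disclosure was made
    exception: str            # which consent exception was relied on
    legitimate_interest: str  # why that party needed the record

def directory_publication(students, fields):
    """Listing for a directory-style publication. Non-directory fields are
    refused outright; blocked students are omitted by every publishing path."""
    non_directory = set(fields) - DIRECTORY_CATEGORIES
    if non_directory:
        raise ValueError(f"fields need written consent: {sorted(non_directory)}")
    return [{f: getattr(s, f) for f in fields}
            for s in students if not s.directory_block]

def employment_verification(student):
    """A blocked student must be indistinguishable from an unknown one."""
    if student is None or student.directory_block:
        return "cannot confirm or deny"
    return f"{student.name}: enrolled, major {student.major}"

class DisclosureLog:
    def __init__(self):
        self._entries = []
    def record(self, d):
        """Log a disclosure; returns True only if FERPA required logging it."""
        if not d.recipient or not d.legitimate_interest:
            raise ValueError("record needs the recipient and their legitimate interest")
        if d.exception in EXEMPT_FROM_LOG:
            return False
        self._entries.append(d)
        return True
    def for_student(self, student_id):
        """What the student sees when exercising the right to inspect disclosures."""
        return [d for d in self._entries if d.student_id == student_id]
```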
FERPA is a quiet-but-pervasive privacy regime. No civil monetary penalties, no private right of action, but ubiquitous coverage across nearly every US school. Its enforcement mechanism is corrective action, reputational damage, and state-tort exposure rather than headline-grabbing fines. That makes it easy to under-prioritize and easy to live with through years of small noncompliances that one breach surfaces all at once.
The structural weakness of FERPA in 2024 is what every modern privacy regime shares: the data lives at vendors. The "school official" designation is the lever that makes ed-tech work, and the vendor breaches of the last five years have made it clear that lever needs harder controls. If you do nothing else, build a rigorous vendor management program for ed-tech with FERPA-specific contractual requirements, periodic re-review, and breach-notice timelines short enough to matter. That's where the next generation of FERPA-related incidents will be litigated.
Sources
- U.S. Congress. (1974). Family Educational Rights and Privacy Act of 1974. 20 U.S.C. § 1232g. https://www.ed.gov/laws-and-policy/laws-preschool-grade-12-education/ferpa
- U.S. Department of Education. (2008). Family Educational Rights and Privacy. 34 C.F.R. Part 99. https://www.ecfr.gov/current/title-34/subtitle-A/part-99
- U.S. Department of Education, Student Privacy Policy Office. (2024). FERPA Q&A guidance. https://studentprivacy.ed.gov/
- Gonzaga University v. Doe, 536 U.S. 273 (2002). (No private right of action under FERPA.)
- Federal Trade Commission. (2024). FTC Action Against Illuminate Education. https://www.ftc.gov/news-events/news/press-releases
- National Student Clearinghouse. (2023). Notice of Data Security Incident. https://www.studentclearinghouse.org/data-security-incident/
- Privacy Technical Assistance Center, U.S. Department of Education. (2023). Best Practices for Vendor Management Compliance. https://studentprivacy.ed.gov/training