FERPA Overview

What Is FERPA?

The Family Educational Rights and Privacy Act (FERPA) is a federal law passed in 1974 that protects the privacy of student education records. It applies to all schools that receive funds from the U.S. Department of Education, which includes virtually every public K-12 district and most private schools that accept federal funding.

In plain terms: FERPA sets the rules for who can see a student's records, what must be kept private, and how families can access and correct information about their children.

Who Is Protected?

FERPA rights belong to parents or legal guardians while a student is under 18. When a student turns 18 or enrolls in a post-secondary institution, these rights transfer to the student directly. These individuals are referred to as "eligible students" under the law.

What Are "Education Records"?

Education records are any records that are directly related to a student and maintained by the school or by a party acting for the school. This is broader than most people realize and includes:

• Grades, transcripts, and class schedules
• Disciplinary records and attendance records
• Individualized Education Programs (IEPs) and 504 plans
• Health and counseling records maintained by the school
• Financial records tied to the student
• Email, notes, or documents that identify a student and are kept by staff

The Four Core Rights

FERPA gives parents and eligible students four key rights:

1. The Right to Inspect and Review

Families can review the student's education records. Schools must respond to a request within 45 days.

2. The Right to Request Amendments

If a record is inaccurate or misleading, families can request that the school correct it. If the school declines, they must offer a formal hearing.

3. The Right to Consent Before Disclosure

Schools generally must obtain written consent before sharing personally identifiable information (PII) from a student's records. There are important exceptions, but consent is the default rule.

4. The Right to File a Complaint

Families who believe a school has violated FERPA can file a complaint with the U.S. Department of Education's Student Privacy Policy Office.

Directory Information: The Big Exception

Schools may designate certain information as "directory information" that can be shared without consent, such as:

• Student name and grade level
• Address and telephone number
• Dates of attendance
• Participation in activities and sports
• Honors and awards received

However, two conditions apply. First, the district must publish an annual notice telling families what categories have been designated as directory information. Second, families must be given a reasonable opportunity to opt out of having that information shared.

When Can Records Be Shared Without Consent?

FERPA includes a set of limited exceptions where schools may disclose records without written consent. The most common include:

• School officials with a legitimate educational interest
• Other schools to which a student is transferring
• Specified officials for audit or evaluation purposes
• Parties in connection with financial aid
• Organizations conducting certain studies for or on behalf of the school
• Accrediting organizations
• Compliance with a judicial order or lawfully issued subpoena
• Appropriate officials in cases of health and safety emergencies

The Risk of Re-identification

Even when names are removed, a student can sometimes still be identified through a combination of details — grade level, school, demographic information, disability status, or program participation. FERPA's definition of "personally identifiable information" includes any information that would allow a reasonable person in the school community to identify a student with reasonable certainty.

This is why aggregate reports, public dashboards, and published data files deserve careful review: a small cell count in a disaggregated table can effectively name the student it describes.

Common Ways FERPA Is Unintentionally Violated

Most FERPA issues in K-12 are not malicious. They happen because student data quietly accumulates across hundreds of pages, documents, and systems. Frequent examples include:

• Board meeting minutes naming students in disciplinary matters
• PDFs with identifying metadata (author, filename, or embedded properties)
• Honor rolls or award lists that reveal additional protected information
• Spreadsheets linked from staff pages that contain student-level data
• Third-party EdTech embeds that expose rosters or grades
• Open Graph tags and social sharing previews that leak photos or names

What Districts Must Do Each Year

At minimum, districts are expected to:

• Publish an annual notification of FERPA rights
• Specify what information is considered directory information and allow opt-outs
• Maintain records of disclosures where consent was required
• Train staff on safeguarding student records
• Monitor the district's public web presence for inadvertent disclosures

Where SchoolScan Fits In

SchoolScan was built to help districts with that last point: continuously monitoring the public web presence for places where student privacy information may have been exposed. Our AI-enhanced scans look for direct PII, re-identification risk, directory information published beyond policy scope, education records, metadata leakage, and vendor exposure. Critical findings are reviewed by our staff of privacy professionals who help your team interpret and remediate them.

SchoolScan is a compliance monitoring tool. It supports your district's privacy program but does not replace legal counsel, staff training, or the district's own FERPA policies and designations.