FERPA - CampusGuard

Protecting Student Information Starts Here

The objective of a CampusGuard FERPA assessment is to determine the gaps in organizational policy, operational processes and procedures, and employee training, as well as a detailed review of the critical cybersecurity requirements for FERPA protected information.

Common FERPA Exceptions

The data is "directory information"

Basic identifying information can be provided without consent. Type of information varies based on the context.

The data is going to another school where the student plans to enroll

In certain situations, you would not need consent to share data with select departments of another school.

Financial aid providers need the data

If this information is needed to determine a student's eligibility for aid, it could potentially be provided.

Is This a Violation?

It is not uncommon for situations to arise that can cause you to question whether or not providing a student’s information would be considered a FERPA violation. The team at CampusGuard is here to answer any questions you have.

Letters of Recommendation
Determining whether or not this would require consent has to do with the letter's sender and intended receiver. One scenario that would not require consent is a letter going from one school to another during a student's transfer.
Health Information
There are times when anonymous records are required (i.e. a student tests positive for COVID-19), but releasing personally identifiable information without the consent of the student and/or their guardian (if the student is a dependent) is determined on a case-by-case base, for example: the student who tested positive for COVID-19 is a close-contact athlete and could therefore put several others at risk.
Copied Emails
If an instructor is sending a specific message to several students at once and is not using a Blind Carbon Copy (BCC), they could be violating FERPA by revealing recipients of that email.
Disclosing an Athlete's Status
If an athlete cannot compete due to their academic standing and that information is shared, it is a FERPA violation.
Law Enforcement
If the authorities are seeking protected information, they must present a court order to obtain it.

FERPA Online Training Course

This course is designed to help your organization and staff safeguard sensitive personal information and prevent potential data breaches. This training course provides an overview of the laws governing the acceptable use and release of student records, discusses individual staff and faculty responsibilities, provides guidance on how to protect students’ right to privacy, and explains the potential consequences of non-compliance.

Modules for our FERPA online training course include:

Family Educational Rights and Privacy Act Overview
Common Scenarios (and how to respond)

Download FERPA Course Overview

Explore Online Training

Why Choose CampusGuard?

At CampusGuard, we specialize in the complexities and diverse environments of campus-based organizations. Our dedicated team prides itself on our expert accreditation, staying updated on the latest trends, and working alongside our clients with a personal approach.

$ 3.86 M

Average cost of a higher education data breach ⁽¹⁾

32 M

Student records have been impacted by a breach since 2005 ⁽²⁾

2507

Average weekly cyber attacks on higher education organizations ⁽³⁾

¹ IBM Cost of a Data Breach

² Comparitech

³ Check Point Research

Related Products and Services

GLBA

Our GLBA Compliance Assessment evaluates key cybersecurity elements of the GLBA Safeguards Rule within your organization.

Explore GLBA

Penetration Testing

Our experienced, certified professionals take to their keyboards like a hacker to identify your vulnerabilities and provide recommendations for remediation.

Explore Penetration Testing

Online Training

Our courses are designed to keep everyone within your organization up-to-date on the latest information in cybersecurity and compliance.

Explore Online Training

IT Security Assessments

We offer a robust assortment of cybersecurity and compliance assessments to meet all of your needs with our comprehensive step-by-step approach.

Explore IT Security Assessments

Phishing

Highly customized phishing exercises designed specifically for your organization.

Explore Phishing Exercises

PCI DSS

Protect your customers' sensitive cardholder data with the help of CampusGuard's suite of PCI DSS Compliance products and services.

Explore PCI DSS

Protect Your Students and Your Organization

Not making security a priority is not only a risk for your students, but for your organization as well. A breach can cost you millions of dollars and a damage reputation, both of which can be detrimental.

Get Started Today

Top FERPA Frequently Asked Questions

FERPA, or the Family Educational Rights and Privacy Act, is a US federal law that protects the privacy of student education records. Under FERPA, students and their parents have the right to access and review their education records, request that any inaccurate or misleading information be corrected, and consent to the disclosure of personally identifiable information in their education records. Schools must have written permission from the student or parent before disclosing any personally identifiable information from the student's education records, except in certain limited circumstances, such as in response to a court order or subpoena. Schools must also have policies and procedures in place to protect the privacy of student education records.

FERPA protects the privacy of "education records," which are defined as any records that are directly related to a student and maintained by an educational institution or by a party acting for the institution. This includes records such as transcripts, grades, enrollment and attendance records, disciplinary records, and financial aid information.

FERPA also protects "personally identifiable information," which is any information that can be used to identify a student, including the student's name, address, Social Security number, or other personal information. This information cannot be disclosed without the written consent of the student or parent, except in limited circumstances such as when the information is needed for the health or safety of the student or others, or when required by law.

Under FERPA, an eligible student is a student who has reached the age of 18 or is attending a postsecondary institution at any age. Once a student becomes an eligible student, the rights that were previously held by the parents with respect to the student's education records transfer to the student.

This means that, with limited exceptions, the educational institution must obtain the written consent of the eligible student before disclosing any personally identifiable information from the student's education records. The eligible student also has the right to review and inspect their education records, request that any inaccurate or misleading information be corrected, and file a complaint with the U.S. Department of Education if they believe their rights under FERPA have been violated.

While FERPA grants certain rights to eligible students, it does not prevent schools from sharing information with parents or legal guardians of a student who is under the age of 18 and is considered a dependent for tax purposes. FERPA does not prevent schools from disclosing information that has been designated as "directory information," such as the student's name, address, phone number, and email address, without the student's written consent. However, schools must give eligible students the opportunity to opt out of the disclosure of directory information.

Article FERPA

10 Key FERPA Best Practices for Educational Institutions

Check out our list of 10 best practices to protect student privacy and maintain FERPA compliance to execute across your institution.

10 FERPA Best Practices

Explore all Insights

Pen Testing Vendor Selection Guide

FERPAFamily Education Rights and Privacy Act