FERPAFamily Education Rights and Privacy Act

Get strategic advice on regulatory applicability, security documentation, and validation of implemented controls


Protecting Student Information Starts Here

The objective of a CampusGuard FERPA assessment is to determine the gaps in organizational policy, operational processes and procedures, and employee training, as well as a detailed review of the critical cybersecurity requirements for FERPA protected information.

Common FERPA Exceptions

The data is "directory information"

Basic identifying information can be provided without consent. Type of information varies based on the context.

The data is going to another school where the student plans to enroll

In certain situations, you would not need consent to share data with select departments of another school.

Financial aid providers need the data

If this information is needed to determine a student's eligibility for aid, it could potentially be provided.

Is This a Violation?

It is not uncommon for situations to arise that can cause you to question whether or not providing a student’s information would be considered a FERPA violation. The team at CampusGuard is here to answer any questions you have.

  • Letters of Recommendation

    Determining whether or not this would require consent has to do with the letter's sender and intended receiver. One scenario that would not require consent is a letter going from one school to another during a student's transfer.
  • Health Information

    There are times when anonymous records are required (i.e. a student tests positive for COVID-19), but releasing personally identifiable information without the consent of the student and/or their guardian (if the student is a dependent) is determined on a case-by-case base, for example: the student who tested positive for COVID-19 is a close-contact athlete and could therefore put several others at risk.
  • Copied Emails

    If an instructor is sending a specific message to several students at once and is not using a Blind Carbon Copy (BCC), they could be violating FERPA by revealing recipients of that email.
  • Disclosing an Athlete's Status

    If an athlete cannot compete due to their academic standing and that information is shared, it is a FERPA violation.
  • Law Enforcement

    If the authorities are seeking protected information, they must present a court order to obtain it.

FERPA Online Training Course

This course is designed to help your organization and staff safeguard sensitive personal information and prevent potential data breaches. This training course provides an overview of the laws governing the acceptable use and release of student records, discusses individual staff and faculty responsibilities, provides guidance on how to protect students’ right to privacy, and explains the potential consequences of non-compliance.

Modules for our FERPA online training course include:

  • Family Educational Rights and Privacy Act Overview
  • Common Scenarios (and how to respond)
Students high five

Why Choose CampusGuard?

At CampusGuard, we specialize in the complexities and diverse environments of campus-based organizations. Our dedicated team prides itself on our expert accreditation, staying updated on the latest trends, and working alongside our clients with a personal approach.

$ 3.86 M

Average cost of a higher education data breach (1)

32 M

Student records have been impacted by a breach since 2005 (2)


Average weekly cyber attacks on higher education organizations (3)

Protect Your Students and Your Organization

Not making security a priority is not only a risk for your students, but for your organization as well. A breach can cost you millions of dollars and a damage reputation, both of which can be detrimental.

Get Started Today

Top FERPA Frequently Asked Questions

FERPA, or the Family Educational Rights and Privacy Act, is a US federal law that protects the privacy of student education records. Under FERPA, students and their parents have the right to access and review their education records, request that any inaccurate or misleading information be corrected, and consent to the disclosure of personally identifiable information in their education records. Schools must have written permission from the student or parent before disclosing any personally identifiable information from the student's education records, except in certain limited circumstances, such as in response to a court order or subpoena. Schools must also have policies and procedures in place to protect the privacy of student education records.

FERPA protects the privacy of "education records," which are defined as any records that are directly related to a student and maintained by an educational institution or by a party acting for the institution. This includes records such as transcripts, grades, enrollment and attendance records, disciplinary records, and financial aid information.

FERPA also protects "personally identifiable information," which is any information that can be used to identify a student, including the student's name, address, Social Security number, or other personal information. This information cannot be disclosed without the written consent of the student or parent, except in limited circumstances such as when the information is needed for the health or safety of the student or others, or when required by law.

Under FERPA, an eligible student is a student who has reached the age of 18 or is attending a postsecondary institution at any age. Once a student becomes an eligible student, the rights that were previously held by the parents with respect to the student's education records transfer to the student.

This means that, with limited exceptions, the educational institution must obtain the written consent of the eligible student before disclosing any personally identifiable information from the student's education records. The eligible student also has the right to review and inspect their education records, request that any inaccurate or misleading information be corrected, and file a complaint with the U.S. Department of Education if they believe their rights under FERPA have been violated.

While FERPA grants certain rights to eligible students, it does not prevent schools from sharing information with parents or legal guardians of a student who is under the age of 18 and is considered a dependent for tax purposes. FERPA does not prevent schools from disclosing information that has been designated as "directory information," such as the student's name, address, phone number, and email address, without the student's written consent. However, schools must give eligible students the opportunity to opt out of the disclosure of directory information.

Article FERPA

10 Essential FERPA Best Practices for Educational Institutions

Check out our list of 10 best practices to protect student privacy and maintain FERPA compliance to execute across your institution.

10 FERPA Best Practices about the 10 Essential FERPA Best Practices for Educational Institutions