Privacy Rights Clearinghouse
As soon as your child enters preschool, information is collected about him or her. The body of information grows throughout the child's academic career.
School records contain highly sensitive information, even information about the family. The contents of student files are likely to have an impact on the overall educational experience of students. That is why it is wise for parents and adult-age students to be informed about laws and policies that govern student information.
Privacy abuses can range from grades bandied about in hallways to the nonconsensual exposure of student information and photos on the Internet. In today’s climate of heightened security, it is more important than ever for parents and adult-age students to be vigilant about who has access to education records.
Federal law, the Family Educational Rights and Privacy Act, protects student records to some extent. FERPA, commonly known as the "Buckley Amendment," is one of the oldest privacy laws on the books, implemented in 1974. Most states have enacted similar laws.
FERPA applies to schools that receive federal funds through a program of the U.S. Department of Education. Most schools fall into this category. Recent federal laws such as the USA Patriot Act and the No Child Left Behind Act of 2001 have somewhat changed the privacy landscape.
Rapid advances in technology have stretched privacy laws to the limit. The Internet, now in use in nearly all U.S. schools, opens the door for instantaneous and widespread dissemination of student information.
Incidents of school violence in recent years have prompted school administrators and parents to debate the issue of privacy versus security. Events such as the 1999 Columbine shootings and the 2007 tragedy at Virginia Tech have resulted in increased security measures in our schools. Metal detectors and surveillance cameras are now a fact of life in many schools. At the same time, institutions have been uncertain about how to balance student privacy against safety interests, especially when information is about students who are over 18 years old.
This guide discusses privacy-related laws in education and covers emerging issues in security and informational privacy. The issues covered here pertain to students in the K-12 grades as well as college-level records. Additional issues specific to post-secondary education are discussed in Part 9.
This fact sheet does not cover drug testing. You can find resources for additional information about education privacy at the end of this guide, Part 11.
If you read nothing else in this guide, be aware of all the ways you can actively monitor and limit the uses of student information. Learn how to safeguard the confidentiality of these records to the extent possible under the law.
1. Read everything that is sent home with your child from school or sent in the mail. Pay attention to the fine print. Look for terms such as “personally identifiable information,” “directory information," and "opt-out." It is easy, especially at the start of a new school year, to feel overwhelmed with paperwork. Take the time to read documents regarding privacy information. They matter.
2. Always question why information about the student is being requested. If you are told that the request is mandated by law or policy, ask for a copy.
3. Find out how your school defines “directory information.” Request the opt-out form if you do not want directory information about your child to be released to third parties. This can include descriptive information such as name, address, telephone number, date of birth, major field of study, school activities, key dates, and more. Schools are required to give parents the right to opt-out of the release of directory information (discussed further in Part 3e). The trend is for schools to expand directory information to include many more types of student data.
4. Ask for a copy of the school or district policy on surveys and third-party access to personal student information. And ask for a copy of survey questionnaires that are given to your child. The school may not give this, but it is worth the effort and signals to the school that you are concerned about this issue.
5. Teach your child to tell you about surveys and questionnaires. Ask how you can "opt-out" of a survey, test, or other process that makes you uncomfortable. You can contact the school and ask:
- Who is conducting the study?
- What is the purpose of the study?
- Is any personally identifiable information required?
- Who is compiling, reviewing, storing the data?
- When is the data destroyed?
- Can I refuse to have my child participate? What are the consequences, if any, if my child does not participate?
- What are my rights under federal and state law?
6. Ask for a copy of the school or district policy regarding requests to access the education record. Always make such requests in writing. Keep a copy for yourself. Send all correspondence certified “return receipt requested” so you can confirm that the school received your letter.
7. Ask for a copy of school or district policy regarding the videotaping and photographing of students. Similarly, ask about its policy regarding the publication of student information and photographs on school-sponsored Internet web sites. If the school has no policy, work with other parents to contact the board and request that such policies be adopted.
9. Request the opt-out form if you do not want your child contacted by military recruiters. Schools are required to inform you of your right to opt-out of recruitment contacts.
10. Review your child's education record periodically. Once a year is recommended, twice is preferable, especially if you have special concerns.
11. Ask to see the access log for the education records of your child at least twice a year, more often if you have special concerns. These logs show who has accessed the records as well as further disclosures made by state or federal authorities.
12. If your child experiences a breach in confidentiality of student records or another kind of privacy abuse, document it carefully in writing. In addition to talking to teachers, staff, and/or administrators about the matter, write a letter to the appropriate administrator and, if necessary, the board. File a complaint with the U.S. Department of Education if it appears that the school has violated federal law (discussed below in Part 3).
13. If a privacy-invasive situation that your child has experienced is widespread or systemic, organize with other parents. Go to the board and work with the school to change the policy
What are the major federal laws that govern the privacy of education records?
- Family Educational Rights and Privacy Act (FERPA) 20 USC 1232g (1974)
- Protection of Pupil's Rights Amendments (PPRA) 20 USC 1232h (1978)
- No Child Left Behind Act of 2001, Pub. L. 107-110, 115 STAT. 1425 (January 2002)
- USA Patriot Act, P.L. 107-56 (October 26, 2001)
- Privacy Act of 1974, 5 USC Part I, Ch. 5, Subch. 11, Sec. 552
- Campus Sex Crimes Prevention Act (Pub. L. 106-386)
FERPA is the best known and most influential of the laws governing student privacy. Oversight and enforcement of FERPA rests with the U.S. Department of Education. FERPA has recently undergone some changes since the enactment of the No Child Left Behind Act and the USA Patriot Act, discussed below.
What are the most important things to know about FERPA?
FERPA gives parents and adult-age students some rights to the privacy of the student education record. Under FERPA, adult-age students are those who have reached the age of 18 or who attend post-secondary school, even though not yet 18 years of age. For example, a 17-year-old who is enrolled in college would be considered “adult-age.”
The law provides:
- The right of parents and adult-age students to inspect and receive a copy of student records.
- The right to deny access to others, specifically those outside the school system, with some exceptions.
- A process to correct errors, including a hearing.
- The right to opt-out of military recruitment.
- The right to opt-out of the disclosure of a student’s directory information.
- A complaint process, handled by the Family Compliance Office of the U.S. Department of Education.
FERPA has some significant shortcomings:
- It does not give individuals the right to sue the school. Only the U.S. Department of Education can sanction schools that have violated FERPA.
- It puts the burden on students and parents to respond to opt-out opportunities, such as disclosure of directory information.
- It does not dictate requirements for safeguarding education records.
What institutions must comply with the requirements of FERPA?
FERPA applies to all schools that receive funds from the U.S. Department of Education. In short, all public elementary and secondary schools are subject to FERPA. In addition, FERPA applies to colleges and universities, whether public or private, whose students receive financial assistance from the federal government. Private educational institutions that receive no federal funds under any applicable program are exempt. These are few and far between.
The Family Compliance Office (FPCO) oversees FERPA. For more information about this law and the mission of this Office, visit the U.S. Department of Education’s Web site at www.ed.gov/policy/gen/guid/fpco/index.html . As part of its oversight duties, FPCO has adopted regulations that supplement FERPA.
The agency’s core regulations as well as major amendments adopted in December 2008 can be found on the office’s Web site at www.ed.gov/policy/gen/guid/fpco/ferpa/index.html . In addition, FPCO’s Web site provides guidance on various aspects of FERPA to students, parents, teachers and school administrators.
Are my child's medical records in school files also covered by HIPAA, the federal medical Privacy Rule?
Generally, medical records maintained by a health care provider or other HIPAA "covered entity" are covered by the HIPAA Privacy Rule. For minors, a parent's written authorization is ordinarily necessary under HIPAA for a doctor, for example, to provide medical information to a school. Once medical information is in school files, that information becomes an "education" record subject to FERPA.
On January 25, 2013, the U.S. Department of Health and Human Services adopted sweeping modifications to the HIPAA Privacy Rule. One revision to the Privacy Rule allows health providers to disclose student immunization records to schools based on a parent's oral agreement.
For further details about the application of FERPA and HIPAA, see the agencies' joint guidance  on this topic.
What exactly are education records?
Under FERPA, education records consist of “anything directly related to a student” that is maintained by an educational agency or institution. According to FERPA, as supplemented by the Department of Education’s regulations, information directly related to a student is “personally identifiable information.” This includes:
- The student's name and address as well as the name and address of parents and family members.
- Personal identifiers such as Social Security number or student number.
- A list of personal characteristics or other information that would make the studentís identity easily traceable.
- Indirect identifiers such as the studentís date or place of birth and motherís maiden name.
Amendments to FERPA regulations effective January 8, 2009, add “biometric record” as a personal identifier. Examples of biometric records include fingerprints, retina and iris patterns, voiceprints, DNA sequences, facial characteristics and handwriting.
The amendments also recognize that a student may be identified even without disclosure of a specific data point. As such, the definition of “personally identifiable information” now includes:
- Information that, alone or in combination, is linked or linkable to a specific student.
- Information requested by a person who the institution believes knows the identity of the student to whom the education record relates
Education records include much more than test scores or class standing. They can include health information, description of physical appearance, family economic circumstances, criminal history, ethnic background, political and religious affiliations, and psychological test results. The information can be a fact such as birth date or a Social Security number. And it can include teachers' opinions of your child. This is not an exhaustive list.
What are not considered education records?
FERPA is very specific in listing what items are not included in the definition of education records. These include:
- Records of teachers and administrators that are kept in their sole possession and not revealed to any other individuals except a substitute teacher. These are “teacher’s notes.”
- Records of a law enforcement unit of the educational institution, such as the campus security office.
- Medical and/or psychological records of a student who is at least 18 years of age or who is attending a post-secondary institution when such records are maintained by health care professionals and are used solely in a professional or paraprofessional capacity for treatment purposes. The adult-age student may offer those records to another physician or professional of his or her choice.
- Personnel records of those individuals employed by the educational institution.
Are records of home-schooled students covered?
Through a quirk of the law, the records of home-schooled students are not protected by FERPA. Currently, report cards and other records of home-schooled children are considered public information if they have been shared with public school districts. Since many states require this sharing of information, such records have not been provided privacy protection under FERPA. Some members of Congress have introduced legislation to amend FERPA to include home-schooled students. (To find bills on this topic, visit the Congressional Web site Thomas and do a “word/phrase” search on the term “home school.” http://thomas.loc.gov/home/thomas.php )
Do parents have a right to see their children’s education records?
Yes. Parents or adult-age students may review their records including medical or psychiatric evaluations. A parent may request and must be provided with a list of the kinds of information being stored and who to contact to retrieve them for review. Keep in mind that records are often kept in more than one school office. Be sure to ask school officials where records are filed and who to contact to retrieve them for review.
The right of access provided under FERPA does not prevent a school from withholding transcripts or other official recognition of completed work until all tuition, fees, and other charges are paid to the school. Many states have laws which allow schools to set up procedural guidelines, including the fulfillment of all financial obligations, before records are released. FERPA does not prevent states from establishing individual procedures for how records are released.
Recent amendments to FERPA regulations specify that parents of adult age children can receive information from education records when the health or safety of the student or another person is threatened. This clarification was prompted at least in part by the April 2007 shootings at Virginia Polytechnic Institute.
The Department of Education’s latest rules make it clear that a health and safety emergency trumps privacy. If the institution identifies an emergency, information may be disclosed to parents regardless of whether the student is a dependent for federal income tax purposes. The Department has signaled that it will not second-guess an institution’s decision to disclose information in an emergency situation.
The right to review does not include the records of a school where one sought admission but was not accepted. Informal notes kept by teachers, as long as that information is made available only to substitute teachers or other school administrators, are also not included.
Many school districts are beginning to offer parents online access to the student's educational information, such as grades, homework assignments, and progress reports. If you are concerned about the security of online records, be sure to discuss this with school personnel. Ask how records are protected from illegitimate access. For example, are records encrypted? Does the school employ audit trails to monitor access? All too often, online security is deficient. Insist that school officials give you specific information about the strategies they employ to keep records secure and accessible only to those with a legitimate right of access.
Unfortunately, FERPA does not include steps institutions must take to safeguard education records.
All too often computer systems, particularly at the college and university level, are a prime target of hackers and identity thieves. For more of safeguarding education records, see Part 10 of this guide.
Who may have access to these records without parental/eligible student consent?
The law is clear on who may access education records without parental consent. But note the word may. A parent could request, for example, that records not be released to another school, and it would then be up to the school to deny or approve the request. Even though a request may fall under one of the exceptions to parental consent, the school could still refuse to release education records to that individual.
Those who can access education records include the following:
- Parents themselves, students 18 or older, or students who attend a school past high school no matter what their age. In other words, a 17-year old who attends college would have the same access as students age 18 and older.
- School officials who have been determined to have legitimate need to view the records. These would include teachers and administrators within the same school. However, in its annual notification of FERPA rights, a school must disclose the criteria it uses to determine who it deems to be a “school official” as well as what constitutes a legitimate educational interest needed to view records.
- Officials of other schools or school systems to which the student is being transferred. In this case, however, the student’s parents must be notified of the transfer and receive a copy if they wish.
- State educational agencies (SEAs) may disclose information about a student’s scores on state assessments to other schools within the state where a student seeks or intends to enroll.
- Contractors, consultants, and other parties to whom a state educational agency has outsourced services or functions provided the state agency has direct control over the outside party.
- Financial aid purposes. This includes government agencies as well as private banks involved in the financial aid process.
- Organizations conducting studies for educational institutions to develop or evaluate tests, student aid programs, or to improve education. Personally identifiable information must not be disclosed to anyone other than representatives of the organization, and such information must be destroyed when no longer needed. A written agreement is required for study disclosures.
- In cases of emergency, appropriate persons, including parents of an adult student, may gain access if the information is needed to protect the health or safety of the student or others.
Government officials who can access student records without parental consent include these:
- The Comptroller General of the United States and the Secretary of the Department of Education. The Comptroller General has certain statutory authority to conduct audits. To date there have been no such audits of education records, but this provision is included in case such a review is necessary. State educational authorities may also have access for purposes of gathering data to audit and evaluate federally-supported education programs.
- Representatives of the U.S. Attorney General for law enforcement purposes. Personally identifiable information is supposed to be destroyed once no longer required.
- State and local officials may access the records if the state enacted a statute before November 19, 1974, that specifically granted this access for juvenile justice system purposes. If the state statute was enacted after November 19,1974, the access must still relate to juvenile justice system needs. But officials must also certify in writing to the school that they will not disclose the information to any third party except as state law allows, without the written consent of the parent.
- In response to a grand jury subpoena, the educational institution may release records. But it may not reveal to anyone the existence or contents of the subpoena or what information was furnished.
- In response to any other subpoena issued for a law enforcement purpose, the educational institution may release records. Again, the existence or contents of the subpoena may not be disclosed to anyone and any information furnished must remain confidential.
Recent amendments to the FERPA regulations include two additional instances that allow disclosure without consent. These are:
- When, under the USA Patriot Act, the United States Attorney, during the course of a terrorism investigation, obtains an ex parte court order, that is an order issued without notice to the subject.
- When, under the Campus Sex Crimes Prevention Act, an institution discloses information about sex offenders or other individuals required to register under the Violent Crime Control and Law Enforcement Act of 1994, commonly called the Wetterling Act.
For more on access to student records, see the Legislative History of Major FERPA Provisions, www.ed.gov/policy/gen/guid/fpco/ferpa/leg-history.html 
Can these individuals or agencies then share the information with third parties?
No. Parents, in most cases, must give written consent before information is divulged to another party. Should information be shared inappropriately, the party who was granted access may be barred from accessing education records for at least five years.
How can I find out who has requested access to my child’s education records?
Each educational agency must maintain a record, typically called an access log. It lists all individuals who requested or were given access to a student’s records. The log must also include the legitimate interest each person had to justify access. The log itself is subject to certain safeguards. Only parents and school officials responsible for custody of school records may view the log.
Can a school or university withhold a transcript until all fees are paid in full?
Yes. The right of access provided under FERPA does not prevent a school from withholding transcripts or other official recognition of completed work until all tuition, fees, and other charges are paid to the school. Many states have laws that allow schools to set up procedural guidelines, including the fulfillment of all financial obligations, before records are released. FERPA does not prevent states from establishing individual procedures for how records are released.
How long is information stored by the school and in what form is it kept?
FERPA does not require that institutions maintain records for a specified period of time unless there is an outstanding request by a parent or adult-age student to inspect the records. But educational institutions must use reasonable methods to ensure that information is protected. This includes protecting the integrity of e-mail files and Internet Web sites, including inhouse Intranet systems. FERPA does not mandate the specific method of achieving this goal. Districts are likely to have their own retention policies.
What if a parent or adult-age student believes an item in the school record is incorrect?
The parent can request in writing that the school amend any information they believe is inaccurate. If the school does not do so within a reasonable period of time, the parent has the right to a hearing.
The request should be made in writing to the proper administrative official, for instance the principal. The hearing must be held within a “reasonable time” after the request is made. FERPA gives parents an opportunity to argue the need for correction. A decision must be given to the parents and the school district in writing within a "reasonable time."
Is my child’s Social Security number (SSN) part of the education record?
Your child’s Social Security number is considered part of the education record, falling under the protection of FERPA. In a 1992 case brought by students against Rutgers University, the court confirmed that the SSN is an education record. It ruled that Rutgers must not list students’ SSNs on class rosters. (Krebs v. Rutgers, 797 F. Supp. 1246 (D.N.J. 1992)), (www.p-o-v-image.com/Krebs_v_Rutgers_opinion.pdf )
Another federal law, the Privacy Act of 1974, also places limitations on uses of the SSN. It states that a government agency cannot “deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his social security account number." It also requires agencies to provide a SSN disclosure notice, stating whether or not disclosure is mandatory or voluntary and what uses will be made of the SSN. (Section 7 of the Privacy Act, 5 U.S.C. § 552a note)
The U.S. Department of Education and Department of Justice interpret the Privacy Act as prohibiting a public school district from requiring a pupil or parent to provide an SSN or denying admittance because a pupil does not provide an SSN.
If you do not want your child's SSN used for identification purposes, you should request that your school allow you to use an alternate number. If you meet with resistance, cite the law and be persistent.
For more information on using Social Security numbers in educational institutions, read:
- Our Fact Sheet 10, www.privacyrights.org/fs/fs10-ssn.htm .
- Educause, “Elimination of Social Security Numbers as Primary Identifiers,” http://www.educause.edu/library/resources/planning-elimination-social-security-numbers-primary-identifiers 
A California law limits the display and disclosure of SSNs, including as student identifiers. The law was phased in between 2002 and 2007. (See California Civil Code 1798.85, and Senate Bill 25 (2003, Bowen), at www.leginfo.ca.gov .) To learn more about laws in other states, visit the Web site for the National Council of State Legislatures, www.ncsl.org 
What is “directory information” and how is it different from education records?
Educational institutions may disclose certain categories of information about a student without parental consent or the consent of the adult-age student. Schools must notify parents and eligible students of the information that may be released and must allow a reasonable amount of time for the parent or adult-age student to request that the information not be disclosed.
Under FERPA, directory information can include:
- Student’s name
- Telephone listing
- Electronic mail address
- Date and place of birth
- Major field of study
- Grade level
- Enrollment status (e.g. undergraduate or graduate, full-time or part-time)
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams
- Dates of attendance
- Degrees, honors and awards received
- Name of the most recent previous educational agency or institution attended by the student.
The Department of Education has now eliminated the Social Security number as a data bit allowed in directory information. Student identification (ID) numbers have also now been excluded from directory information except when the ID number cannot be used to gain access to education records.
Each educational institution is responsible for giving parents and adult-age students notice of the categories that are considered directory information at that institution. Parents and adult-age students may refuse permission to the school to release this information if they inform the school in writing, in other words, if they “opt-out.”
The law does not define for schools what they must designate as directory information, and the list is growing. Because directory information can be given to third parties unless parents have opted out, you will want to monitor what your school proposes to add to the list. Be sure to raise objections with the school board if you disagree with the school’s expansion of categories considered to be directory information.
What recourse is available should I feel my rights or the rights of my child have been violated under FERPA?
In 2002 the U.S. Supreme Court decision ruled that individuals do not have the right to sue under FERPA. In other words, there is no private right of action. (Gonzaga Univ.v. Doe, 536 U.S. 273) www.law.cornell.edu/supct/html/01-679.ZO.html 
The only option available to parents under FERPA is to file a complaint with the Family Policy Compliance Office of the U.S. Department of Education. They are responsible for investigating, processing, reviewing, and adjudicating violations and complaints. Unfortunately, hearings are only conducted in regional offices. All other functions are performed from the Washington, D.C. office. See the Resources in Part 11 at the end of this fact sheet for contact information.
We recommend that before filing a complaint with the Compliance Office you exhaust your options for redress at the local level. This may mean contacting your school principal or district office in writing. It may also mean attending a board of education meeting to have your issue heard.
Keep in mind that the FERPA office will follow many of these same steps. They will begin their investigation, in most cases, with a letter of notification to school officials. It may save time and minimize distress to contact your school officials directly. The process of achieving a positive outcome from the school district may be shortened by approaching officials first. Once the FERPA Office becomes involved, the school district may not be willing to discuss the issue with you directly. Sometimes the direct, personal approach is all that is needed to resolve the complaint.
What happens if an educational institution is found to be in violation of FERPA?
That institution may be cut off from federal funding. This would be an extreme case and has not yet been implemented in FERPA’s 30-year history. More likely, the FERPA office would require the school district to document and implement a policy and procedure to ensure that similar violations do not occur in the future.
Does the No Child Left Behind Act (NCLB) increase privacy for student records?
NCLB touches on privacy concerns in only two ways. First, regarding military recruiters, as discussed in Part 4 of this guide, NCLB gives the parents the right to opt out to stop disclosures of student information. Second, as discussed in Part 7 of this guide, NCLB Act gives parents the right to review student surveys.
NCLB is not a privacy-focused law. In fact, an October 2009 study by Fordham University concludes that one byproduct of NCLB, states’ reporting requirements, may pose a significant risk to privacy for K-12 age students. Data needed to meet NCLB’s reporting requirements are compiled in what’s called longitudinal databases.
Fordham’s study found that most states collect information in excess of that needed to meet the reporting requirements of NCLB. Most troublesome of the study’s findings is that some state databases include children’s Social Security numbers, mental illnesses, jail sentences and family wealth information. FERPA’s privacy protections for education records do not reach these state compiled databases.
To read the full Fordham University study as well as recommendations to improve on privacy, visit the Fordham Univeristy's web page on Children's Educational Records and Privacy .
On December 1, 2011, the U.S. Department of Education announced new FERPA rules that would allow "authorized representatives" to access private student data for user in statewide longitudinal data systems (SLDS). The rules would allow outside access for such purposes as audits, program effectiveness evaluations, and research. Neither parents nor adult students have a right to object or opt out of this new, widespread use of student data.
In comments submitted to the Department, the PRC expressed concern about the Department's move to expand access to student data beyond the original scope of FERPA. To read the PRC's May 23, 2011 comments, see: https://www.privacyrights.org/ferpa-comments-2011 .
To read the December 1, 2011 press release announcing the final regulation, see: http://www.ed.gov/news/press-releases/us-education-department-announces-new-measures-safeguard-student-privacy .
To read the entire final regulation, see: http://www.federalregister.gov/articles/2011/12/02/2011-30683/family-educational-rights-and-privacy#h-6 .
The No Child Left Behind law (NCLB), signed into law in 2002, requires schools to provide military recruiters with access to secondary school students’ names, addresses, and telephone listings. FERPA also allows access, but the No Child Left Behind law gives it teeth. Schools must comply or risk losing federal funds.
NCLB amends the Elementary and Secondary Education Act (ESEA), the principal federal law affecting education from kindergarten through high school (K-12). Although NCLB deals primarily with issues such as learning standards and testing, it also includes two little-known provisions regarding privacy – military recruitment, which we discuss here, and surveys, covered below. The Department of Education Web site on NCLB is www.ed.gov/nclb/landing.jhtml 
Can I prevent military recruiters from obtaining information about my child?
Yes. Your school must notify parents and secondary school students of the option of withholding that information from military recruiters. Look for this "opt-out" opportunity in notices typically sent by the school at the beginning of the year. Private secondary schools that maintain a religious objection to military service do not have to provide student information to recruiters.
There has been controversy regarding the provision since its inception. The boundaries and effects of this law have yet to be tested. To read a variety of viewpoints on the NCLB's military recruitment provision, use a search engine and search on the words "military recruitment no child left behind." (Do not include quotation marks in the search.)
Even if parents opt out, recruiters may still gain access to student data. FERPA’s opt out provision does not apply when students take the Armed Services Vocational Aptitude Battery (ASVAB) examination. When it comes to ASVAB, student privacy protections, if any, come from schools and not FERPA or NCLB.
ASVAB, mandatory in many school districts for high school juniors, tests a student’s abilities in a wide range of disciplines. Students taking ASVAB are asked to sign a privacy statement giving permission for their information to be used by military recruiters.
Schools often routinely forward ASVAB test results along with student contact information directly to military recruiters. At least one state, Hawaii, stopped giving student contact information and scores after a Navy investigation found that an aggressive recruiter misled high students. Hawaii’s public schools will no longer give information to recruiters unless students go to an off-campus recruiting station and sign a form specifically requesting that their information be given to a recruiter.
In April 2010, Maryland became the first state to pass a law prohibiting public schools from automatically releasing ASVAB results. Now, test results can only be disclosed by students or their parents during visits to a military recruiting station.
The military supplements the contact lists it receives from schools with its own program. So even if your child has chosen to be removed from the lists shared with recruiters by the school, the military obtains contact information about 11th- and 12th-graders from driver's license applications, the Selective Service System and commercial vendors. To opt-out, send a letter with the student's full name, street address, city, state, ZIP code, telephone number and date of birth to:
Market Research and Studies
Attention: Opt Out
4040 N. Fairfax Drive, Suite 200
Arlington, VA 22203-1613
Can my child be videotaped or photographed at school without my permission?
FERPA does not have a provision regarding videotaping of students. However, once a videotape or photo is created and kept by the school, it becomes part of the student's education record and is protected under FERPA. In addition, depending on who is conducting the taping or photography and for what purpose, other protections may be granted under the Protection of Human Subject federal “common rule,” discussed further in Part 7 on surveys below. (45 CFR Part 46)
For more on Protection of Human Subjects, see the Department of Education Web site: www.ed.gov/about/offices/list/ocfo/humansub.html 
Each school or district should have a policy regarding videotaping and photographing that includes a consent provision. The policy should contain provisions regarding videotaping and photographing students who participate in non-school activities that take place on or in their facilities. Ask for a copy of the policy. If the school has none, contact the administration and board in writing and suggest that they develop such a policy.
Can images or information on my child be posted on the school’s Web site without consent?
It depends. Publication on the Internet is considered a "disclosure" of information from the education record and must comply with FERPA. Information in the aggregate can be posted if students are not identified. However, directory information may be posted (released) without parental consent and in compliance with FERPA. That is why it is important to request, in writing, that the school not release directory information about the student.
Does the use of cloud-based services pose a privacy risk for student data?
Possibly. Many school districts use cloud services to manage school activities such as student performance, assignments, transportation and payments. A December 13, 2013 study released by Fordham University’s Center on Law and Information  found that although 95% of school districts use cloud services most vendor contracts lack even fundamental privacy protections.
The Fordham study  notes various shortcomings in the vendor contracts examined. For example, according to the study, few agreements specify the purpose of disclosures and most fail to restrict a vendor’s ability to sell or market student information. Lack of notice to parents, inadequate data security, and unspecified data retention periods were among other findings. Schools also failed to maintain control of student data even though FERPA requires school districts to maintain direct control of student data shared with outside service providers.
To read the full study, along with Fordham’s recommendations for improving privacy, see: Privacy and Cloud Computing in Public Schools 
My child is often given questionnaires or surveys in school. How can I protect my child from inappropriate questioning or improper use of private information?
The Protection of Pupil Rights Amendment (PPRA) and the No Child Left Behind Act of 2001 govern surveys in publicly funded schools. The rules are designed to control the use, dissemination, and protection of the data. (20 USC §1232h; 34 CFR Part 98)
The PPRA requires that parents provide written consent before students are given a survey conducted by the U.S. Department of Education and supported by federal funds. The law governs surveys, analyses, and evaluations that include questions on these topics:
- Political affiliations
- Mental and psychological problems that are potentially embarrassing
- Sex behavior and attitudes
- Illegal, anti-social, self-incriminating, and demeaning behavior
- Critical appraisals of family members
- Legally recognized privileged relationships, such as those of lawyers, physicians, and priests
- Religious practices, affiliations or beliefs
- Income other than that required by law to determine eligibility for financial assistance.
For additional information about PPRA, visit the U.S. Department of Education Web site at www.ed.gov/policy/gen/guid/fpco/ppra/index.html .
How has the No Child Left Behind Act of 2001 changed my rights under FERPA?
The No Child Left Behind Act was signed into law by President Bush in January of 2002. The Act requires school districts to meet new educational standards to continue receiving federal aid. In addition, school districts are required to develop policies and procedures to protect the personal information of children from marketing groups and testing companies. (www.ed.gov/nclb/landing.jhtml )
The law applies to companies that provide school districts with information technology systems or Internet service as well as the more traditional written surveys. School districts must provide annual notices to parents about any plans for commercial surveys. Parents must be given an opportunity to review the survey and can veto their child’s participation. In addition, the Act prohibits the development of a nationwide database containing personally identifiable information on individuals who participate in surveys or other data-gathering processes.
With the passage of the No Child Left Behind Act, schools and organizations that administer the surveys must also make instructional material available for inspection by parents if that material will be used in connection with an Education Department-funded survey, analysis, or evaluation.
When a survey is funded by an organization other than the U.S. Department of Education, new policies must be adopted to protect student privacy. Parents may inspect a survey created by a third party before it is administered. Arrangements must be made to protect student privacy when surveys are conducted that contain questions on topics covered in the PPRA (listed above).
The school must adopt policies on the administration of physical examinations and health screenings as well as the collection of personal information for marketing. Parents also have the right to inspect any instructional material used as part of the curriculum.
The educational institution must notify parents of these policies at least once a year. Ask for a copy of the school or district policy on when and how parents are notified of surveys and screenings in which students participate. Learn how to take advantage of the opt-out options available to you.
The law requires schools to offer parents the opportunity to opt-out of the following:
- Activities involving the collection, disclosure, or use of personal information collected from students for marketing purposes.
- The administration of any non-Department of Education funded survey that contains one of the eight items listed above in the section on the PPRA.
- Any non-emergency, invasive physical examination or health screening that is required as a condition of attendance or is not necessary to protect the immediate health and safety of the student or other students.
Be aware, however, that certain surveys are exempt from this provision. Surveys or other techniques that are used to develop educational items, book clubs, and the like do not face the same restrictions as other surveys for commercial purposes because of their perceived benefit to the educational process.
If your child is asked to participate in an ongoing study, additional privacy protection is granted under the federal “common rule entitled” Protection of Human Subject. (45 CFR Part 46) This provision is called a federal common rule because seventeen federal agencies subscribe to it, and so it is "common" to those agencies.
In addition to violating federal education laws, private survey companies that engage in deceptive practices are also subject to the Federal Trade Commission Act. To read about the Federal Trade Commission’s actions against student survey companies, see: www.ftc.gov/opa/2003/01/ecra.shtm .
State attorneys general have also filed lawsuits against private survey companies, both for deceptive practices and for failing to disclose how students can opt out.
Can my child’s school place surveillance cameras throughout the halls and classrooms?
Yes. Since the Columbine school shootings in 1999, many schools have installed surveillance cameras in an effort to keep schools safe. Cameras may be placed in areas except those where individuals would have a "reasonable expectation of privacy," such as restrooms. Many schools are now installing cameras in the classrooms as well as hallways and common areas.
There are many unanswered questions about the effectiveness and long-term impacts of video surveillance. Do cameras deter crime, or do they just move it to other areas? Does pervasive surveillance have harmful impacts on students and teachers? While some praise the cameras, others criticize video surveillance for promoting an atmosphere of mistrust and suspicion. We are not aware of conclusive statistics that prove whether or not cameras are effective in curtailing violence and other criminal behavior.
If cameras are installed, we recommend that the school adopt a privacy and security policy that covers the rights and responsibilities of students, teachers, and other school personnel. The policy should include the purposes of video surveillance, who will have access to the stored files, how long the files will be stored, destruction of digital files, and to what uses the files will be put. Students and teachers should be advised if files will be used to judge performance.
Ask for a copy of the school or district policy on the use of surveillance cameras. If the school has no such policy, or if you feel its policy does not properly spell out the school’s practices regarding purpose, access, storage, retention, destruction, and related matters, raise your concerns in writing with the administrators and the board.
FERPA applies to any post-secondary institutions that receive funds from the U.S. Department of Education.
Are college disciplinary proceedings protected by FERPA?
There is a distinction between disciplinary actions for violations of rules and violent offenses.
Violations of school policies become part of the education record and are protected under FERPA.
The Student Right to Know and Campus Security Act of 1990 created exceptions for violent crimes and sexual assault. A victim of a crime of violence or a sex offense may be informed of the final results of any disciplinary proceeding against the accused. If the accused is found to have committed the acts, the public may be informed of the result as well.
This law states final results of any disciplinary proceeding can only include the name of the student, the violation committed, and any sanction imposed by the institution on that student. The name of the victim or any witnesses can only be included with their written consent.
Can a student request copies of letters of recommendation sent to a college?
Students may request and receive copies of letters of recommendation dated after January 1, 1975, unless they sign a waiver relinquishing that right of access. Even after signing a waiver, a student may request the names of the persons furnishing recommendations. If a letter is used for any purpose other than as a recommendation, any waivers become invalid and the student may receive copies.
A school may not require that a student sign a waiver in order to be accepted at the school or to receive financial aid or any other services from the school.
Can adult-age students review their medical or psychiatric records stored by the school?
Under FERPA, medical and/or psychological records of an adult-age student or a student who attends a post-secondary institution that receives public funds, are not considered education records. This is only the case, however, if those records are maintained by health care professionals and are used only for treatment purposes. A student may request that the health care professional release records to another health care provider at any time.
Many schools are now choosing to include these records as part of a student's education record, thus allowing the student access at any time.
The HIPAA Privacy Rule, implemented in April 2003, does not override this provision. For more information on this medical privacy rule, read our guide, “HIPAA Basics: Medical Privacy in the Electronic Age,” www.privacyrights.org/fs/fs8a-hipaa.htm .
Can adult-age students review financial records of their parents placed in their educational files?
No. Financial records of parents are not released to adult-age students attending post-secondary institutions. (31 USC 1232g(a)(1)(C)(i))
What are the impacts of the terrorist attacks of 9/11 on foreign students?
The USA Patriot Act was passed into law just weeks after the terrorist attacks of September 11, 2001. The Act expands the powers of agencies like the FBI and the CIA. Those expanded powers include tracking communications on the Internet, telephone, and computer wiretapping, and easier access to personal information such as medical, financial, and education records. (P.L. 107-56 October 26, 2001)
How has the USA Patriot Act altered how colleges and universities collect and disseminate information regarding their international students?
The Student and Exchange Visitor Information System (SEVIS) is a foreign student tracking database mandated by the USA Patriot Act. The database is to be used to track and monitor international students, numbering over 500,000 by some estimates.
The information is shared with the U.S. Immigration and Customs Enforcement (ICE), an agency within the Department of Homeland Security. Information collected includes the amount and sources of funding, arrests, disciplinary action, off campus employment, changes in address, and enrollment data.
Schools are electronically notified when a student has entered the United States. If that student does not register within 30 days of that date, the college must notify ICE. A college or university not utilizing the SEVIS database may not accept foreign students.
All universities and colleges that are hosts to international students must use SEVIS to report certain biographical information to the federal authorities. This information is recorded for nonimmigrant students (F and M visa) and exchange visitors (J visa), and their dependents (F-2, M-2, and J-2). As of August 1, 2003, all international students, except those holding diplomatic passports, must be recorded.
For additional information on SEVIS, visit the ICE Web site, www.ice.gov/sevis/students/ . Additional information can be found on the U.S. Department of State Web site. http://j1visa.state.gov/sponsors/current/sevis/ 
May school officials disclose information about registered sex offenders?
Yes. The Campus Sex Crimes Prevention Act allows campus officials to make such information available to the school community. This includes information provided to the institution under State sex offender registration and community notification programs.
Make no mistake. Data kept in school files is every bit as sensitive as that kept by banks and health care providers. In fact, education records often include some of the same information found at your bank or medical facility. Personal information such as name, address, birth dates, Social Security number and more are necessarily a part of education records. Add to that credit and debit card information, tax returns, bank account numbers and personal identification numbers (PINs).
With all this personal data housed in one place, it is little wonder that education records are at high risk for identity theft. According to the Department of Education, “[c]omputer systems at colleges and universities have become favored targets because they hold many of the same records as banks but are much easier to access.” (73 Fed Register 74806, 74843 (December 9, 2008)
Indeed, postsecondary institutions have seen a significant number of data security breaches in recent years. For example, in the most recent amendments to FERPA, the Department references a Privacy Rights Clearinghouse report that found 93 documented computer breaches of electronic files between February 15, 2005, and November 19, 2005. For more on the Department’s statement and general discussion about safeguarding education records, see pages 74843-74844 of the latest regulations: www.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf 
Does FERPA require schools to adopt safeguarding procedures?
No. In this regard, FERPA has not kept pace with other privacy laws such asof the federal Gramm-Leach-Bliley Act (GLB), 15 U.S.C.§§ 6801-6810), and the Department of Health and Human Services rules adopted under the Health Insurance Portability and Accountability Act (HIPAA).
To learn more about safeguarding requirements for financial records required by GLB, see PRC Fact Sheet 24(e), Is Your Financial Information Safe?, www.privacyrights.org/fs/fs24e-FinInfo.htm 
For more on the safeguarding requirements of HIPAA, see PRC Fact Sheet 8(a), HIPAA Basics: Medical Privacy in the Electronic Age, www.privacyrights.org/fs/fs8a-hipaa.htm 
Does FERPA require the school have to notify me if there has been a data security breach?
No. FERPA only requires that the school record the disclosure. To learn about such a breach, parents or adult students would have make a request to inspect the student’s records. Although FERPA does not mandate disclosure of a data security breach, most states have adopted laws that would require such notice. To find out about data breach laws in your state, visit http://www.perkinscoie.com/statebreachchart/ 
Filing Complaints under FERPA
- Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202-4605
Phone: (800) 872-5920
Fax: (202) 260-9001
Questions and Complaints: http://familypolicy.ed.gov/contact_support 
For advice on how to file an effective complaint, read the Department of Education’s Web page on “FERPA General Guidance for Parents,” www.ed.gov/policy/gen/guid/fpco/ferpa/parents.html 
To find a U.S. Department of Education office in your state, see www.ed.gov/about/contacts/gen/regions.html 
For information about state education departments and contacts, see: www.ed.gov/about/contacts/state/index.html?src=ln 
To read the December 2008 Department of Education Final Rule for FERPA, see: www.ed.gov/policy/gen/guid/fpco/ferpa/index.html 
Specifically, www.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf 
- Joint Guidance  on the Applicability of the Family Education Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to Student Health Records, November 2008
Other U.S. Department of Education Web Sites
- No Child Left Behind Act
Telephone: (888) 814-6252
TTY: (800) 437-0833
Web: www.ed.gov/nclb/landing.jhtml 
Also visit https://answers.ed.gov/  and click on “No Child Left Behind” 
- Protection of Human Subjects Information
- Protection of Pupil Rights Amendment
Additional Resources for Parents
- Drug Policy Alliance
“Safety First: Parents, Teens and Drugs”
- Electronic Privacy Information Center
Student privacy page, www.epic.org/privacy/student/ 
- Education departments in the 50 states
- Federal laws, Web site of Cornell Law School
- World Privacy Forum, Student Privacy 101: Health Privacy in Schools –What law applies? 
Digging Deeper: Related Reports on Privacy and Education
- Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities. Published by CAUSE, the Association for Managing and Using Information Resources in Higher Education. 1997. Task force members: Susan Ferencz, Laurence Alvarez, Glair Goldsmith, Kathleen Kimball, Robert Morley, Trang Pham, Robert Ellis Smith, Steven Worona, and Virginia Rezmierski. http://net.educause.edu/ir/library/pdf/pub3102.pdf 
- Guidelines for Postsecondary Institutions for Implementation of the Family Educational Rights and Privacy Act of 1974 as Amended. 1995. Prepared by Committee for AACRAO. American Association of Collegiate Registrars and Admissions Officers (202) 293-9161.
- Children’s Educational Records And Privacy: A Study Of Elementary And Secondary School State Reporting Systems, October 28, 2009, Fordham University Center On Law And Information Policy. Available at . http://law.fordham.edu/assets/CLIP/CLIP_Report_Childrens_Privacy_Final.pdf 
- Protecting Student Privacy While Using Online Educational Services:
Requirements and Best Practices, U.S. Department of Education Privacy Technical Assistance Center. http://ptac.ed.gov/sites/default/files/Student%20Privacy%20and%20Online%20Educational%20Services%20%28February%202014%29.pdf 
- Framing the Law & Policy Picture: A Snapshot of K-12 Cloud-Based Ed Tech & Student Privacy in Early 2014, Berkman Center for Internet & Society (June 2014). http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2442432 
This guide has been developed with funding from
the Judith and Alfred A. Rosenberg Family Foundation.