What is FERPA?

The Family Educational Rights and Privacy Act (FERPA) of 1974, also known as the Buckley Amendment, is a Federal privacy law that protects the privacy of student education records. 

“Education records” directly relate to a student and are maintained by an educational institution or by a party on their behalf. Records can include transcripts, grades, course schedules, class lists, health records, financial records, discipline files, and more. The information featured in these records may be recorded in various ways, such as print, handwriting, computer media, audiotape, videotape, film, microfilm, microfiche, and e-mail.

FERPA laws encompass three types of information: educational information, personally-identifiable information (PII) and directory information. 

The Act is relevant to any public or private elementary, secondary, or post-secondary school and any state or local education agency that receives federal funds under an applicable program of the US Department of Education.

FERPA was last amended in 2011.

What are the requirements for FERPA?

According to FERPA, an academic institution must annually notify parents or eligible students (18+ years old) of their rights under FERPA. It must also inform them of the school’s definitions of the terms “school official” and “legitimate educational interest.” 

FERPA grants four specific rights to students regarding educational records:

  1. The right to access educational records kept by the institution
  2. The right to demand disclosures only with student consent unless a FERPA exception applies
  3. The right to seek amendment of educational records
  4. The right to file a complaint against the school for disclosures in violation of FERPA

In order to remain compliant, your security program should include the right storage, authentication, and overall data management policies and procedures. In other words, if your hosting and storage providers are equipped to keep you compliant, you’re on the right track.

Under FERPA, institutions are not mandated to adopt specific security controls. It does require, however, the use of “reasonable methods” to protect student records. Despite this requirement, universities are repeatedly falling victim to massive data breaches. Besides potentially violating FERPA, disclosures can expose students to a host of negative consequences such as identity theft, fraud, and extortion.

In order to help schools best protect themselves, the U.S. Department of Education has published the Integrated Data Systems and Student Privacy guide. The guide presents several best practices for governance and information security controls that IT teams can follow to ensure compliance with FERPA. The Student Privacy Policy Office (SPPO), at the US Department of Education is responsible for implementing FERPA, including establishing policies and investigating complaints under FERPA.

FERPA goes hand in hand with the Protection of Pupil Rights Amendment (PPRA) which affords parents of students certain rights.

Why should you be FERPA compliant?

FERPA compliance ensures that your institution protects the privacy of parents and students, including personally identifiable data, information, and records collected or maintained.

Failing to comply with FERPA can cause serious consequences. A parent or eligible student (18+ years old) has the right to file a complaint regarding an alleged violation of his or her rights under FERPA. If the complaint gives reasonable cause to believe that a school has violated FERPA, an administrative investigation may be initiated into the allegation in accordance with procedures outlined in the FERPA regulations.

Additional complications may include:

  • An educational institution that fails in FERPA compliance may forfeit its federal funding. What’s more, several states impose a monetary penalty on the institution for the disclosure of the private information
  • Given the fact that over 30% of security breaches in colleges are caused by unintended disclosure, the overlook of student privacy may result in serious information leakage that will potentially cause great financial loss and lawsuits
  • Failure in FERPA compliance can also have a negative influence on the reputation of the institute, which could further result in a loss of alumni donations and even reduction in the number of students applying to or attending the institution

How to achieve compliance?

Academic institutions must be able to automate administrative procedures and maintain a comprehensive real-time view of all their regulatory requirements, including FERPA compliance, while equipping their teams with the right tools to prepare for all their privacy challenges.
Centraleyes enables universities to take necessary actions to meet their FERPA requirements, in a simple and automated way with smart questionnaires and customized compliance scoring.

Use Centraleyes’s cutting-edge dashboard to effortlessly manage your FERPA compliance. With Centraleyes, your privacy team can reduce their workload by over 50%. Centraleyes has mapped FERPA back to its control inventory, sharing data across multiple frameworks, which creates time savings, money savings and more accurate data. Through the Centraleyes platform, organizations can gain full visibility to their FERPA compliance. 

Read more:

Family Educational Rights and Privacy Act (FERPA) (20 USC § 1232g; 34 CFR Part

FERPA | Protecting Student Privacy

Integrated Data Systems and Student Privacy

PPRA | Protecting Student Privacy

Related Content


What is the CCPA Act? The California Consumer Privacy Act (CCPA) is a state-wide data privacy…


What is the GDPR? The General Data Protection Regulation (GDPR) is a European Union law that…


What is the NY SHIELD Act? On March 21, 2020, the data security provisions of New…