We assess and document compliance with:

  1. H.I.P.A.A.

  2. Sarbanes-Oxley (SoX)

  3. Gramm-Leach-Bliley Act (GLBA)

  4. Payment Card Industry (PCI) Data Security Standard

  5. N.I.S.T SP 800-30

  6. I.S.O. 27001/I.S.O. 17799

  7. SAS 70

  8. FERPA

  9. FISMA

  10. NERC

  11. Safe Harbor Act



The Family Education Rights and Privacy Act of 1974, commonly known as FERPA, is a federal law that protects the privacy of student education records. Students have specific, protected rights regarding the release of such records and FERPA requires that institutions adhere strictly to these guidelines. Therefore, it is imperative that the faculty and staff have a working knowledge of FERPA guidelines before releasing educational records.

Educational Records

FERPA gives students the following rights regarding educational records:

  • The right to access educational records kept by the school;
  • The right to demand educational records be disclosed only with student consent;
  • The right to amend educational records;
  • The right to file complaints against the school for disclosing educational records in violation of FERPA.

Students have a right to know about the purpose, content, and location of information kept as a part of their educational records. They also have a right to expect that information in their educational records will be kept confidential unless they give permission to the school to disclose such information. Therefore, it is important to understand how educational records are defined under FERPA. Educational records are defined by FERPA as:

Records that directly relate to a student and that are maintained by an educational agency or institution or by a party acting for the agency or institution.


Educational records are directly related to the student and are either maintained by the school or by a party or organization acting on behalf of the school. Such records may include:

  • Written documents (including student advising folders);
  • Computer media;
  • Microfilm and microfiche;
  • Video or audio tapes or CDs;
  • Film;
  • Photographs.


Any record that contains personally identifiable information that is directly related to the student is an educational record under FERPA. This information can also include records kept by the school in the form of student files, student system databases kept in storage devices such as servers, or recordings or broadcasts which may include student projects.

Records Not Considered As Educational Records

The following items are not considered educational records under FERPA:

  • Private notes of individual staff or faculty (NOT kept in student advising folders);
  • Campus police records;
  • Medical records;
  • Statistical data compilations that contain no mention of personally identifiable information about any specific student.


Faculty notes, data compilation, and administrative records kept exclusively by the maker of the records that are not accessible or revealed to anyone else are not considered educational records and, therefore, fall outside of the FERPA disclosure guidelines. However, these records may be protected under other state or federal laws such as the doctor/patient privilege. As an attorney, I recommend that you check to make sure that you fully comply with these disclosure guidelines before disseminating any of this information.

Two Types of Educational Records

There are two types of educational records as defined under FERPA. Each type of educational record is afforded different disclosure protections. Therefore, it is important for faculty and staff to know the type of educational record that is being considered for disclosure.

Directory Information

Some information in a student's educational record is defined as directory information under FERPA. Under a strict reading of FERPA, the school may disclose this type of information without the written consent of the student. However, the student can exercise the option to restrict the release of directory information by submitting a formal request to the school to limit disclosure. Directory information may include:

  • Name;
  • Address;
  • Phone number and email address;
  • Dates of attendance;
  • Degree(s) awarded;
  • Enrollment status;
  • Major field of study.


Though it is not specifically required by FERPA, institutions should always disclose to the student that such information is considered by the school to be directory information and, as such, may be disclosed to a third party upon request. Institutions should err on the side of caution and request, in writing, that the student allow the school to disclose directory information to third parties.

Non-directory Information

Non-directory information is any educational record not considered directory information. Non-directory information must not be released to anyone, including parents of the student, without the prior written consent of the student. Further, faculty and staff can access non-directory information only if they have a legitimate academic need to do so. Non-directory information may include:

  • Social security numbers;
  • Student identification number;
  • Race, ethnicity, and/or nationality;
  • Gender;
  • Transcripts; grade reports.


Transcripts are non-directory information and, therefore, are protected educational records under FERPA. Students have a right to privacy regarding transcripts held by the school where third parties seek transcript copies. Institutions should require that students first submit a written request to have transcripts sent to any third party as the privilege of privacy of this information is held by the student under FERPA. As an attorney, I would advise that schools should never fax transcripts because this process cannot guarantee a completely secure transmission of the student's grades to third parties.

Prior Written Consent

In general, a student's prior written consent is always required before institutions can legitimately disclose non-directory information. Institutions may tailor a consent form to meet their unique academic needs. However, prior written consent must include the following elements:

  • Specify the records to be disclosed;
  • State the purpose of the disclosure;
  • Identify the party or class of parties to whom the disclosure is to be made;
  • The date;
  • The signature of the student whose record is to be disclosed;
  • The signature of the custodian of the educational record.


Prior written consent is not required when disclosure is made directly to the student or to other school officials within the same institution where there is a legitimate educational interest. A legitimate educational interest may include enrollment or transfer matters, financial aid issues, or information requested by regional accrediting organizations.

Institutions do not need prior written consent to disclose non-directory information where the health and safety of the student is at issue, when complying with a judicial order or subpoena, or where, as a result of a crime of violence, a disciplinary hearing was conducted by the school, a final decision was recorded, and the alleged victim seeks disclosure. In order for institutions to be able to disseminate non-directory information in these instances, FERPA requires that institutions annually publish the policies and procedures that the institutions will follow in order to meet FERPA guidelines.

FERPA has strict guidelines regarding disclosing the educational records of dependent students. Though FERPA allows such disclosure, the act mandates that the institution first publish clearly delineated policies and procedures for the disclosure of these records. The institution must publish these guidelines annually in a format that is easily accessible to interested parties. As an attorney, I would recommend that both the dependent student and parents sign written disclosure agreements stating, at minimum, the following:

  • The dependent student understands and allows parental access to these educational records;
  • The dependent student and his/her parents have been given a copy of the institution's policies and procedures for the disclosure of students' records.

Most institutions charge their registrar's office with the responsibility to determine how their institutions will comply with FERPA disclosure requirements. Registrars commonly work with legal counsel in fashioning and publishing these guidelines. As advisors, it is advisable to check with your registrar's office if you have any questions or concerns before disclosing any student information to third parties.



The Family Education and Privacy Act was enacted by Congress to protect the privacy of student educational records. This privacy right is a right vested in the student. Generally:

  • Institutions must have written permission from the student in order to release any information from a student's educational record.
  • Institutions may disclose directory information in the student's educational record without the student's consent.
  • It is good policy for the institution to notify the student about such disclosure and to seek the written permission of the student to allow disclosure of any educational records including directory information.
  • Institutions should give the student ample opportunity to submit a written request that the school refrain from disclosing directory information about them.
  • Institutions must not disclose non-directory information about students without their written consent except in very limited circumstances.
  • Institutions should notify students about their rights under FERPA through annual publications.
  • When in doubt, it is always advisable to err on the side of caution and to not release student educational records without first fully notifying the student about the disclosure.

Finally, the school should always seek a written consent from the student before disseminating educational records to third parties.

Note: A new interpretation of FERPA as it applies to mental health and campus safety was issued by the US Department of Education in December, 2008. The following articles address this topic:



Federal Register (Thursday, July 26, 2001). 34 CFR Part 99, Part V, Family Education Rights and Privacy, Final Rule. Retrieved October 17, 2004 from http://asja.tamu.edu/ferpa.htm.


Office of Family Policy Compliance, Family Education Rights and Privacy Act (FERPA). Retrieved October 17, 2004 from http://www.ed.gov/print/policy/gen/guid/fpco/ferpa/index.html.


Ramirez, Clifford A. (2004). FERPA: What You Can and Can't Disclose, An LRP Publications Audio Conference.


University of Connecticut, Office of the Registrar, Guidelines for Faculty Relating to Educational Records. Retrieved October 16, 2004 from http://www.registrar.uconn.edu/ferpguid.html.


University of Illinois at Urbana-Champaign, Office of Admissions and Records (OAR), FERPA Tutorial. Retrieved October 15, 2004 from http://www.oar.uiuc.edu/staff/systems/ferpa_trng/Ferpa_pg2.html.



Please submit your payment of $999.00 for a complete Regulatory Compliance Assessment for one applicable regulation.


COPYRIGHT (C) 2000 - 2013 InfoSecPro.com ALL RIGHTS RESERVED