10 FERPA violation examples (From a former FERPA administrator)

10 FERPA violation examples (From a former FERPA administrator)

The Family Educational Rights and Privacy Act protects student data at schools that receive funding from the U.S. Department of Education (ED). That funding covers about 8 percent of the budget for U.S. elementary, middle, and high schools, and contributes heavily to college and university operations through student aid programs like the Federal Pell Grant. Because unaddressed FERPA violations can result in the ED withholding funds, school administrators at every level work hard to comply with this privacy law.

So what does FERPA require? Generally speaking, it requires just two things, says LeRoy Rooker, senior fellow at the American Association of Collegiate Registrars and Admissions Officers (AACRAO) and director of the Family Policy Compliance Office at the U.S. Department of Education from 1988 to 2009.

“The first is that institutions have to protect the privacy of their students’ education records,” Rooker says. “The second piece is that institutions have to give students access to those records upon request.”

Many school employees run the risk of violating FERPA’s privacy protections. Protected student information can slip out in all sorts of seemingly innocent ways. Taking a closer look at specific scenarios can help administrators avoid similar mistakes. Here are a few FERPA violation examples, culled from Rooker’s 21 years of administering the law. (Note: This article is not intended as legal advice.)  

Just so you know

Need a secure way to collect student information online? Explore Jotform’s free education forms! Visit our blog to learn more about how to keep your forms FERPA compliant.

1. Sharing protected student information in a recommendation letter

Letters of recommendation typically qualify as student records. In order to send a letter from a teacher at one school to the registrar at another, you might expect that schools would need signed consent from parents (if students are under 18) or students themselves (if 18 or older) to comply with FERPA. 

But under section 34 CFR § 99.31 of the Act, there’s an exception for this sort of record sharing. During potential transfers, educational institutions don’t need consent to send letters of recommendation to the destination school. 

This exception, however, doesn’t apply to sharing letters of recommendation outside of the educational system. “If [a school official] were sending a letter of recommendation to a potential employer, that official would need consent,” Rooker says. “There’s not an exception that lets [school staff] provide information from the student’s record to a potential employer.” 

2. Posting student grades in a public or shared space

Posting grades where they can be viewed by others is probably one of the most obvious FERPA violations. Fortunately, it’s also one of the easiest to avoid. The old-school approach of posting grades on a classroom wall or hallway bulletin board is long gone. But sharing a class’s grades in an unsecured online folder or displaying them in a learning platform could result in a violation.

FERPA and online learning go hand in hand. With that in mind, your faculty must be especially cautious when engaging with hybrid or online learners, as there is a high risk of accidentally sharing information with the wrong person. Sending grades or feedback to the wrong student is a simple mistake that can result in a violation.

Warn your staff about flawed work-arounds, like replacing names with student ID numbers, as that is also a violation. If someone other than the authorized persons can determine who earned which grade, it can lead to complaints under FERPA provisions. Don’t risk it. 

3. Sending student records to the wrong email recipient

Email is a convenient communication tool — and a major source of FERPA violations. Here are some items that teachers commonly share via email that can result in a violation if sent to the wrong person:

  • Transcripts
  • Accommodation letters
  • Disciplinary records
  • Academic evaluations

These mistakes are often unintentional, but they still constitute a violation. For example, a teacher with two male students with the last name Smith may accidentally send a transcript to the wrong student. Once they hit “Send,” the violation has already occurred.

Avoiding this issue comes down to training and individual diligence. Educate your employees about the importance of FERPA compliance and encourage them to carefully confirm that they have the right recipients anytime they are sending data that is protected under FERPA. 

4. Discussing a student’s academic performance without authorization

Teachers and faculty members talk about their work. That’s perfectly normal and can be a good thing. However, informal conversations can also create serious FERPA risks. Faculty members should use caution whenever discussing a student’s grades, attendance issues, or learning accommodations.

Even if a teacher does not explicitly name a student, they may share too much identifying information, which could lead to a violation. For example, a faculty member who references “the only student who failed the midterm” or “our top running back” could give away the person’s identity without ever saying their name.

A well-meaning teacher could commit these types of violations if they seek advice from a coworker in the wrong setting. Therefore, faculty members must be cautious when conversing with fellow staff.

5. Exposing student information in a group email

The blind carbon copy (BCC) feature sends a single email to a group without the recipient email addresses being visible. It’s easy to forget to use the BCC field or to misuse this technology, which can quickly lead to a teacher inadvertently sharing protected information among multiple students. 

“There could be a case in which an instructor sends an email to students who are in danger of failing the class,” Rooker says. “But instead of sending an email to each individual, it’s a distribution that goes to all the names [on the list of failing students]. [If the instructor doesn’t BCC,] everyone who got that same email knows everyone else who’s failing.”

This is a clear violation of FERPA’s protections. 

6. Allowing unauthorized access to student records

FERPA is all about limiting the unauthorized sharing and access of information. Allowing individuals to view student records without a legitimate educational interest can violate FERPA, even if no information is disclosed.

A school’s administrators are responsible for preventing this issue by ensuring that teachers only have the necessary amount of access. Giving broad access to systems that contain student information is a recipe for disaster, as substitutes or volunteers may also gain access without proper authorization.

FERPA requires establishing careful control over who can view student data. Before you grant someone access, ask yourself why they need it and if that use case aligns with federal regulations. Periodically audit permissions so that you can identify users who no longer need access.

7. Sharing login credentials for systems containing student data

Faculty members should never share usernames or passwords for systems that store student information. Doing so is a major compliance issue, and it also increases an institution’s exposure to potential cyber threats.

When employees share credentials, it becomes impossible to track who accessed which records. Individuals could gain unauthorized access to protected data. Even if the person receiving the login is another staff member, FERPA requires access to be role-based and individualized.

When your employees are under a time crunch, they may share credentials for convenience. However, doing so is a major concern that you must address through education and corrective action. Verify that your organization has strict policies in place to prohibit password sharing, and stress the dangers of this behavior from both a compliance and cybersecurity perspective.

Publishing any student work online can violate FERPA if the work is identifiable and shared without proper consent. Examples include:

  • Assignments
  • Projects
  • Videos
  • Presentations

Teachers sometimes assume that students and their parents are proud to show off high-quality work. While this is likely true in many cases, educators must still go through the proper channels to obtain informed consent before publishing any student work on a digital platform.

A student’s work is part of the education record when it is maintained by the school and linked to an identifiable person. While anonymization can reduce risk, obtaining consent is by far the safest approach. That way, students and parents have an opportunity to express any concerns before the work is shared publicly.

9. Using student data for noneducational purposes

FERPA limits not only how your employees can use student data but also who can access it. Educational records must be used for purposes directly related to education. A school that uses this information for noneducational purposes, such as marketing or fundraising, could be violating FERPA if it has not obtained proper consent first. 

For instance, using student contact information to promote third-party services or unrelated programs is going to create compliance concerns. Even internal uses may be problematic if they fall outside the rule of legitimate educational interests.

Outline what constitutes acceptable uses so that faculty members know what information they can use and for what purposes.

10. Sharing a student-athlete’s academic information publicly

Often, school employees who violate FERPA do so through unintentional, even casual, information sharing. Imagine the case of “the coach who discloses that a star quarterback is not eligible to play because of academic failing,” Rooker says.

The student-athlete’s academic standing is protected information. By telling other students that their classmate is on probation — or suspended from extracurriculars due to a declining grade point average — this well-meaning coach violates FERPA.

How to comply with FERPA and avoid violations

According to Rooker, the best way to avoid becoming a FERPA violation example like those outlined above is to provide intensive training to all relevant school staff. That training would likely include registrars and administrators, but it should also include frontline teaching staff and IT personnel.  
“Even with the folks who are the best informed and have the best understanding [of the law], there are a lot of gray areas with FERPA,” Rooker says. “So training is such a key thing.” Find AACRAO’s FERPA training programs here, or check out the ED’s online training modules here to provide staff with the information they need to provide full FERPA compliance. 

Pro Tip

Learn how Jotform and FERPA regulations work together to create a safe, secure environment for sharing student data with authorized parties.

FAQs about FERPA violations

FERPA, or the Family Educational Rights and Privacy Act, protects the privacy of students and their educational records. This act specifically applies to schools and other educational institutions that receive federal funding. Educational records can include grades, transcripts, class schedules, disciplinary records, financial aid information, and any other data directly related to a student and used for educational purposes.

The act also gives eligible students and parents certain rights. For example, they can request a records review and ask the educational institution to correct any errors they may uncover. However, not all student-related information is protected. Directory information may be shared if the educational institution receives proper notice.

If you have specific questions regarding a FERPA disclosure, consult with legal counsel.

A FERPA violation occurs when a teacher, faculty member, or other school employee shares protected student information without proper consent. For example, posting a student’s grades publicly or emailing protected records to the wrong recipient can constitute violations that result in fines or other penalties.

While violations can occur intentionally, many are accidents. But accidental violations can still cause harm to the student and their family members. They can also result in severe consequences for the violator and the school. Your educational institution is responsible for informing staff about their responsibilities under FERPA and for implementing safeguards to prevent the scenarios outlined in this article. 

FERPA does not grant you the right to sue a school as an individual. You will need to submit a complaint to the US Department of Education’s Student Privacy Policy Office, which may then investigate on your behalf and require corrective action. In some situations, egregious violations may open the door for a private suit on different grounds, but that depends on many factors outside FERPA itself. If you are considering taking legal action against an educational institution, consult with an attorney in your jurisdiction. They can inform you about potential next steps as well as your rights under state and federal law.

FERPA does not require that a teacher be fired for a violation, but schools or district officials may impose disciplinary actions, which could include termination. This decision will be based on the severity of the violation, its impact on the student, and the school’s own internal policies.

Many violations require retraining or corrective measures, but termination is typically reserved for the most egregious offenses. If you are a school employee who is facing a FERPA violation allegation, consult with your union and a professional license defense attorney.

Jotform is equipped with the latest security features designed to support FERPA-compliant data collection when used correctly. Jotform even provides a FERPA form, and our solution allows you to securely store data and share it with approved parties.

However, you must train your team on FERPA regulations so that they know what information they are allowed to share and with whom. Jotform is an excellent addition to your information-gathering toolkit, equipping you with valuable resources to help you connect with students, parents, and faculty.

AUTHOR
A journalist and digital consultant, John Boitnott has worked for TV, newspapers, radio, and Internet companies for 25 years. He’s written for Inc.com, Fast Company, NBC, Entrepreneur, USA Today, and Business Insider, among others.

Send Comment:

Jotform Avatar
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Comments: