The Family Educational Rights and Privacy Act protects student data at schools that receive funding from the U.S. Department of Education (ED). That funding covers about 8 percent of the budget for U.S. elementary, middle, and high schools, and contributes heavily to college and university operations through student aid programs like the Federal Pell Grant. Because unaddressed FERPA violations can result in the ED withholding funds, school administrators at every level work hard to comply with this privacy law.
So what does FERPA require? Generally speaking, it requires just two things, says LeRoy Rooker, senior fellow at the American Association of Collegiate Registrars and Admissions Officers (AACRAO) and director of the Family Policy Compliance Office at the U.S. Department of Education from 1988 to 2009.
“The first is that institutions have to protect the privacy of their students’ education records,” Rooker says. “The second piece is that institutions have to give students access to those records upon request.”
Many school employees run the risk of violating FERPA’s privacy protections. Protected student information can slip out in all sorts of seemingly innocent ways. Taking a closer look at specific scenarios can help administrators avoid similar mistakes. Here are a few FERPA violation examples, culled from Rooker’s 21 years of administering the law. (Note: This article is not intended as legal advice.)
Just so you know
Need a secure way to collect student information online? Explore Jotform’s free education forms! Visit our blog to learn more about how to keep your forms FERPA compliant.
1. Sharing protected student information in a recommendation letter
Letters of recommendation typically qualify as student records. In order to send a letter from a teacher at one school to the registrar at another, you might expect that schools would need signed consent from parents (if students are under 18) or students themselves (if 18 or older) to comply with FERPA.
But under section 34 CFR § 99.31 of the Act, there’s an exception for this sort of record sharing. During potential transfers, educational institutions don’t need consent to send letters of recommendation to the destination school.
This exception, however, doesn’t apply to sharing letters of recommendation outside of the educational system. “If [a school official] were sending a letter of recommendation to a potential employer, that official would need consent,” Rooker says. “There’s not an exception that lets [school staff] provide information from the student’s record to a potential employer.”
2. Posting student grades in a public or shared space
Posting grades where they can be viewed by others is probably one of the most obvious FERPA violations. Fortunately, it’s also one of the easiest to avoid. The old-school approach of posting grades on a classroom wall or hallway bulletin board is long gone. But sharing a class’s grades in an unsecured online folder or displaying them in a learning platform could result in a violation.
FERPA and online learning go hand in hand. With that in mind, your faculty must be especially cautious when engaging with hybrid or online learners, as there is a high risk of accidentally sharing information with the wrong person. Sending grades or feedback to the wrong student is a simple mistake that can result in a violation.
Warn your staff about flawed work-arounds, like replacing names with student ID numbers, as that is also a violation. If someone other than the authorized persons can determine who earned which grade, it can lead to complaints under FERPA provisions. Don’t risk it.
3. Sending student records to the wrong email recipient
Email is a convenient communication tool — and a major source of FERPA violations. Here are some items that teachers commonly share via email that can result in a violation if sent to the wrong person:
- Transcripts
- Accommodation letters
- Disciplinary records
- Academic evaluations
These mistakes are often unintentional, but they still constitute a violation. For example, a teacher with two male students with the last name Smith may accidentally send a transcript to the wrong student. Once they hit “Send,” the violation has already occurred.
Avoiding this issue comes down to training and individual diligence. Educate your employees about the importance of FERPA compliance and encourage them to carefully confirm that they have the right recipients anytime they are sending data that is protected under FERPA.
4. Discussing a student’s academic performance without authorization
Teachers and faculty members talk about their work. That’s perfectly normal and can be a good thing. However, informal conversations can also create serious FERPA risks. Faculty members should use caution whenever discussing a student’s grades, attendance issues, or learning accommodations.
Even if a teacher does not explicitly name a student, they may share too much identifying information, which could lead to a violation. For example, a faculty member who references “the only student who failed the midterm” or “our top running back” could give away the person’s identity without ever saying their name.
A well-meaning teacher could commit these types of violations if they seek advice from a coworker in the wrong setting. Therefore, faculty members must be cautious when conversing with fellow staff.
5. Exposing student information in a group email
The blind carbon copy (BCC) feature sends a single email to a group without the recipient email addresses being visible. It’s easy to forget to use the BCC field or to misuse this technology, which can quickly lead to a teacher inadvertently sharing protected information among multiple students.
“There could be a case in which an instructor sends an email to students who are in danger of failing the class,” Rooker says. “But instead of sending an email to each individual, it’s a distribution that goes to all the names [on the list of failing students]. [If the instructor doesn’t BCC,] everyone who got that same email knows everyone else who’s failing.”
This is a clear violation of FERPA’s protections.
6. Allowing unauthorized access to student records
FERPA is all about limiting the unauthorized sharing and access of information. Allowing individuals to view student records without a legitimate educational interest can violate FERPA, even if no information is disclosed.
A school’s administrators are responsible for preventing this issue by ensuring that teachers only have the necessary amount of access. Giving broad access to systems that contain student information is a recipe for disaster, as substitutes or volunteers may also gain access without proper authorization.
FERPA requires establishing careful control over who can view student data. Before you grant someone access, ask yourself why they need it and if that use case aligns with federal regulations. Periodically audit permissions so that you can identify users who no longer need access.
7. Sharing login credentials for systems containing student data
Faculty members should never share usernames or passwords for systems that store student information. Doing so is a major compliance issue, and it also increases an institution’s exposure to potential cyber threats.
When employees share credentials, it becomes impossible to track who accessed which records. Individuals could gain unauthorized access to protected data. Even if the person receiving the login is another staff member, FERPA requires access to be role-based and individualized.
When your employees are under a time crunch, they may share credentials for convenience. However, doing so is a major concern that you must address through education and corrective action. Verify that your organization has strict policies in place to prohibit password sharing, and stress the dangers of this behavior from both a compliance and cybersecurity perspective.
8. Publishing student work online without consent
Publishing any student work online can violate FERPA if the work is identifiable and shared without proper consent. Examples include:
- Assignments
- Projects
- Videos
- Presentations
Teachers sometimes assume that students and their parents are proud to show off high-quality work. While this is likely true in many cases, educators must still go through the proper channels to obtain informed consent before publishing any student work on a digital platform.
A student’s work is part of the education record when it is maintained by the school and linked to an identifiable person. While anonymization can reduce risk, obtaining consent is by far the safest approach. That way, students and parents have an opportunity to express any concerns before the work is shared publicly.
9. Using student data for noneducational purposes
FERPA limits not only how your employees can use student data but also who can access it. Educational records must be used for purposes directly related to education. A school that uses this information for noneducational purposes, such as marketing or fundraising, could be violating FERPA if it has not obtained proper consent first.
For instance, using student contact information to promote third-party services or unrelated programs is going to create compliance concerns. Even internal uses may be problematic if they fall outside the rule of legitimate educational interests.
Outline what constitutes acceptable uses so that faculty members know what information they can use and for what purposes.
10. Sharing a student-athlete’s academic information publicly
Often, school employees who violate FERPA do so through unintentional, even casual, information sharing. Imagine the case of “the coach who discloses that a star quarterback is not eligible to play because of academic failing,” Rooker says.
The student-athlete’s academic standing is protected information. By telling other students that their classmate is on probation — or suspended from extracurriculars due to a declining grade point average — this well-meaning coach violates FERPA.
How to comply with FERPA and avoid violations
According to Rooker, the best way to avoid becoming a FERPA violation example like those outlined above is to provide intensive training to all relevant school staff. That training would likely include registrars and administrators, but it should also include frontline teaching staff and IT personnel.
“Even with the folks who are the best informed and have the best understanding [of the law], there are a lot of gray areas with FERPA,” Rooker says. “So training is such a key thing.” Find AACRAO’s FERPA training programs here, or check out the ED’s online training modules here to provide staff with the information they need to provide full FERPA compliance.
Pro Tip
Learn how Jotform and FERPA regulations work together to create a safe, secure environment for sharing student data with authorized parties.
FAQs about FERPA violations
A FERPA violation occurs when a teacher, faculty member, or other school employee shares protected student information without proper consent. For example, posting a student’s grades publicly or emailing protected records to the wrong recipient can constitute violations that result in fines or other penalties.
While violations can occur intentionally, many are accidents. But accidental violations can still cause harm to the student and their family members. They can also result in severe consequences for the violator and the school. Your educational institution is responsible for informing staff about their responsibilities under FERPA and for implementing safeguards to prevent the scenarios outlined in this article.
FERPA does not grant you the right to sue a school as an individual. You will need to submit a complaint to the US Department of Education’s Student Privacy Policy Office, which may then investigate on your behalf and require corrective action. In some situations, egregious violations may open the door for a private suit on different grounds, but that depends on many factors outside FERPA itself. If you are considering taking legal action against an educational institution, consult with an attorney in your jurisdiction. They can inform you about potential next steps as well as your rights under state and federal law.
FERPA does not require that a teacher be fired for a violation, but schools or district officials may impose disciplinary actions, which could include termination. This decision will be based on the severity of the violation, its impact on the student, and the school’s own internal policies.
Many violations require retraining or corrective measures, but termination is typically reserved for the most egregious offenses. If you are a school employee who is facing a FERPA violation allegation, consult with your union and a professional license defense attorney.
Jotform is equipped with the latest security features designed to support FERPA-compliant data collection when used correctly. Jotform even provides a FERPA form, and our solution allows you to securely store data and share it with approved parties.
However, you must train your team on FERPA regulations so that they know what information they are allowed to share and with whom. Jotform is an excellent addition to your information-gathering toolkit, equipping you with valuable resources to help you connect with students, parents, and faculty.
Send Comment:
13 Comments:
July 28, 2024
Is accidentally leaving a document on the printer face down (white side facing up with no visible information) a FERPA violation?
January 16, 2024
Is it a FERPA violation if a nondistrict employee, asked my son for his transcript, twice?
May 30, 2023
If the school were to post a list of student names on the inside classroom door asking the listed students to see financial aid or the school director, is that a violation of FERPA?
April 29, 2023
Is it a violation to withhold witness statements against a student when requested in disciplinary suspension .
April 29, 2023
Is it a violation for a behavioral specialist to complain to her grown son about a student's conduct in school?
So much so that the son threatened the family of harm.
April 12, 2023
Is it a violation of FERPA to have a student serve on the NHS faculty council on election of chapter officers?
December 11, 2022
Is it a FERPA violation for a University to outsource it's Admissions Department (so making Admission Decisions with all the student info) overseas to India?
June 25, 2022
Is it a violation of FERPA if the superintendent sends a students cheer scores certified mail to another parent during a grievance process?
June 22, 2022
Good afternoon,
Is it a violation of FERPA to list a CVID diagnosis in attendance records for JK-8 students?
Thank you.
May 10, 2022
recently a teacher pulled each student one by one out of the classroom to ask the student if they had noticed 2 students cheating on a test. She listed both of the students names to each of the students she questioned. Is this a violation of FERPA. She did not talk to the 2 students accused of cheating before talking about them to the other students.
December 11, 2021
@Mark Weber I believe so, yes. Especially if the administrator shared information about your academic standing in public. If the student who overheard the coaches got information about your academic standing or other protected information, then yes. I'd recommend asking for legal assistance from a specialized professional first before making any decisions.
January 21, 2021
Recently I was written up by my administrator. Today a student reported to me that the coaches who are friends of my principal were discussing my reprimand. Can I file a violation of my rights (ferpa)
October 2, 2020
I’m looking for information about whether or not the Clip Classroom Management System violates FERPA. I believe it does because student conduct is posted in the classroom for everyone to see. Students have to physically move their clips in front of the class. The daily chart information is recorded and then used to determine conduct grades which become part of the report card and then eventually get recorded in the permanent records just like a test score and class average. To me this seems like it should be considered confidential student information which is protected by FERPA.
Can anyone help me with information to support my idea?
Thanks