The Family Educational Rights and Privacy Act protects student data at schools that receive funding from the U.S. Department of Education (DoE). That funding covers about 8 percent of the budget for U.S. elementary, middle, and high schools, and contributes heavily to college and university operations through student aid programs like the Federal Pell Grant. Because unaddressed FERPA violations can result in the DoE withholding funds, school administrators at every level work hard to comply with this privacy law.
So what does FERPA require? Generally speaking, it requires just two things, says LeRoy Rooker, senior fellow at the American Association of Collegiate Registrars and Admissions Officers (AACRAO) and director of the Family Policy Compliance Office at the U.S. Department of Education from 1988 to 2009.
“The first is that institutions have to protect the privacy of their students’ education records,” Rooker says. “The second piece is that institutions have to give students access to those records upon request.”
Many school employees run the risk of violating FERPA’s privacy protections. Protected student information can slip out in all sorts of seemingly innocent ways. Taking a closer look at specific scenarios can help administrators avoid similar mistakes. Here are a few FERPA violation examples, culled from Rooker’s 21 years of administering the law. (Note: This article is not intended as legal advice.)
FERPA violation example no. 1: The letter of recommendation from a professor to a student’s potential employer
Letters of recommendation typically qualify as student records. In order to send a letter from a teacher at one school to the registrar at another, you might expect that schools would need signed consent from parents (if students are under 18) or students themselves (if 18 or older) to comply with FERPA.
But under section 34 CFR § 99.31 of the Act, there’s an exception for this sort of record sharing. During potential transfers, educational institutions don’t need consent to send letters of recommendation to the destination school.
This exception, however, doesn’t apply to sharing letters of recommendation outside of the educational system. “If [a school official] were sending a letter of recommendation to a potential employer, that official would need consent,” Rooker says. “There’s not an exception that lets [school staff] provide information from the student’s record to a potential employer.”
Violation no. 2: The group email from a teacher to multiple students
The blind carbon copy (BCC) feature sends a single email to a group without the recipient email addresses being visible. It’s easy to forget to use the BCC field or to misuse this technology, which can quickly lead to a teacher inadvertently sharing protected information among multiple students.
“There could be a case in which an instructor sends an email to students who are in danger of failing the class,” Rooker says. “But instead of sending an email to each individual, it’s a distribution that goes to all the names [on the list of failing students]. [If the instructor doesn’t BCC,] everyone who got that same email knows everyone else who’s failing.”
This is a clear violation of FERPA’s protections.
Violation no. 3: The coach who explains why the star quarterback won’t be returning this season
Often, school employees who violate FERPA do so through unintentional, even casual, information sharing. Imagine the case of “the coach who discloses that a star quarterback is not eligible to play because of academic failing,” Rooker says.
The student-athlete’s academic standing is protected information. By telling other students that their classmate is on probation — or suspended from extracurriculars due to a declining grade point average — this well-meaning coach violates FERPA.
How to comply with FERPA and avoid violations
According to Rooker, the best way to avoid becoming a FERPA violation example like those outlined above is to provide intensive training to all relevant school staff. That training would likely include registrars and administrators, but it should also include frontline teaching staff and IT personnel.
“Even with the folks who are the best informed and have the best understanding [of the law], there are a lot of gray areas with FERPA,” Rooker says. “So training is such a key thing.” Find AACRAO’s FERPA training programs here, or check out the DoE’s online training modules here to provide staff with the information they need to provide full FERPA compliance.