FERPA Services

FERPA Services

Advisory services to establish a credible FERPA compliance program.

Know how to handle records and aware on responsibilities.

Identify clear policies about who has the right to access records.

Addressing FERPA mandates with the application of cybersecurity.

Comprehensive assessment to identify FERPA compliance gaps.

Development of tailored FERPA security procedures.

FERPA Fast Facts

  • Family Educational Rights and Privacy Act (FERPA) of 1974.
  • Applies to all school that receive funding from the Department of Education (DoE).
  • Protects privacy of students educational records and allows students to access their records.
  • FERPA obligates faculty/staff to follow certain rules about protecting student information.
  • Children’s educational records may not be released without parent’s written consent.
  • DoE is responsible for enforcing FERPA.

An Executive Summary

  • U.S. Federal Law (20 U.S.C. § 1232g; 34 CFR Part 99).
  • Grants parents the right to inspect and review student records until their children are 18.
  • Once children turns 18, or attend post-secondary institutions, these rights revert to the child.
  • Educational institutions needs to meet FERPA requirements when engaging in online or connected services.
  • School must inform parents and students to obtain appropriate consent.

Who May have Access to Student Education Records and PII?

DoE must have written permission from the parent, guardian or eligible student in order to disclose PII or information from a student's education record to non-DoE personnel.


[rtbs name="ferpa"]

FERPA Penalties

  • Students may file complaints with the DoE.
  • The Family Policy Compliance Office (FPCO) is authorized by the DoE to investigate, process, and review complaints and violations under FERPA.
  • If a complaint is found to be valid, the institution may lose DoE funds, and dismiss employees who violate the Act.

FERPA Violation

  • Violation of FERPA that is submitted to FPCO within 180 days of the date of the alleged violation or of the date that the parent or eligible student knew or reasonably should have known of the alleged violation.
  • A parent or eligible student may file a written complaint with the DoE regarding an alleged violation under the Act.

Privacy Rights of Parents and Eligible Students under FERPA

  • Right to inspect and review education records.
  • Right to seek to amend education records.
  • Right to confidentiality of information in education records except as specified by statute.
  • Right to consent to disclosure of education records (with exceptions).
  • Right to file a complaint with the DoE.

FERPA Limitations

Under FERPA, school can release records without parent’s permission to certain types of parties, including:

  • School officials with a “legitimate educational interest” (for example, an academic advisor who needs to review what courses a student has completed in order to give advice).
  • School to which a student is transferring.
  • Organizations conducting certain studies for or on behalf of the school.
  • Accrediting organizations.
  • Appropriate officials in health and safety emergencies.
  • Juvenile justice system authorities.

Directory and Non-Directory Information

Directory Information (Public) Non-Directory Information (Never Share)
Name Social Security Number
Address Student ID Number
Phone Numbers Grades/Exam Scores
Email Address Grade Point Average (GPA)
Date of Birth Test Scores (SAT, GRE, etc.)
Program of Study Class Schedule
Dates of Attendance Race/Ethnicity
Degrees and Awards Received Citizenship/Nationality
Class Level Gender
Enrolment Status (Full/Part time) Religious Affiliation
Appropriate Personal Aesthetic Statistical Data
Participation in Sports and Activities

In the News

Decoding CUI: A Highly Valued Data Type and CMMC, ISACA, Ali Pabrai, April 2022


CMMC and CUI: Rocket Fuel, Pabrai Podcast

Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.