BreachExpress

Cybersecurity, explained for the rest of us.

Family & Kids Online

FERPA and your child's school records: what parents need to know

Margot 'Magic' Thorne@magicthorneJune 16, 202611 min read
Parent reviewing school documents at a desk with a laptop showing digital records interface

Your child's school collects more data than you might expect. Grades and attendance are obvious. But schools also maintain health records, behavioral observations, special education evaluations, standardized test scores, and in some cases, biometric data from cafeteria scanners or building access systems. All of this sits in a file somewhere, physical or digital, with your child's name attached.

FERPA , the Family Educational Rights and Privacy Act , is the federal law that governs who sees those records and under what conditions. Passed in 1974, FERPA gives parents specific rights to inspect, challenge, and control disclosure of education records for children under 18. After a student turns 18 or enrolls in postsecondary education, those rights transfer to the student.

This article explains how FERPA works, what it protects, where the boundaries are, and what you can actually do when something goes wrong.

What FERPA actually covers

FERPA applies to any school that receives federal funding through the U.S. Department of Education. That includes nearly all public K-12 schools, most private schools, and all colleges and universities that participate in federal student aid programs. If a school takes federal money, FERPA applies.

The law defines education records broadly: any record maintained by the school or a party acting for the school that contains information directly related to a student. That includes:

  • Academic transcripts and report cards
  • Attendance records
  • Disciplinary records (suspensions, expulsions, behavioral incident reports)
  • Health records maintained by the school nurse
  • Special education files (IEPs, 504 plans, evaluations)
  • Standardized test scores
  • Counseling notes if maintained as part of the student's official file
  • Financial aid records (for college students)
  • Emails and digital communications about the student stored in official systems

FERPA excludes a few categories. Personal notes kept by a teacher for their own use and not shared with others are not education records. Law enforcement records maintained by school police or security are excluded. Records created and maintained by a physician, psychiatrist, or psychologist solely for treatment purposes fall outside FERPA if they're not shared with non-medical school staff.

Directory information is a special category. Schools can designate certain data as directory information and disclose it without consent unless a parent opts out. Directory information typically includes name, address, phone number, email, date and place of birth, participation in school activities, sports statistics, dates of attendance, degrees received, and awards. Schools must notify parents annually about what qualifies as directory information and provide an opt-out mechanism. If you don't opt out, the school can release this information to anyone who asks , including military recruiters, college admissions offices, and commercial entities.

What rights FERPA gives you

FERPA grants parents two core rights: the right to inspect and review records, and the right to request corrections.

The inspection right is straightforward. You can request to see any education record the school maintains about your child. The school must comply within 45 days, though in practice most schools respond within a week or two. You can request copies, though schools can charge a reasonable fee for duplication. You can bring someone with you to review the records , an advocate, attorney, or specialist who helps you understand what you're looking at.

If you believe a record is inaccurate, misleading, or violates your child's privacy, you can request a correction. The school must respond within a reasonable time. If the school agrees, they amend the record. If they refuse, you have the right to a formal hearing. The hearing is conducted by someone who doesn't have a direct interest in the outcome. If the hearing officer sides with the school, you can place a statement in the record explaining your position. That statement becomes part of the permanent record and must be disclosed whenever the disputed information is disclosed.

The third right is consent over disclosure. Schools cannot release education records to third parties without written parental consent, with specific exceptions I'll cover in the next section. Consent must be specific: you agree to release records to a named recipient for a stated purpose. Blanket consent doesn't satisfy FERPA.

Where FERPA's boundaries are

FERPA allows schools to disclose records without consent in specific situations. These exceptions are where the law's practical limits become visible.

Schools can share records with other schools where the student seeks to enroll or is already enrolled. If your child transfers from one district to another, the new school can request records directly from the old school without asking you first. Schools must make a reasonable attempt to notify you, but they don't need your signature. This exception exists to ensure continuity of services, particularly for students with special education needs.

School officials with a legitimate educational interest can access records without consent. This includes teachers, administrators, counselors, and support staff who need the information to fulfill their professional responsibilities. The school must define "legitimate educational interest" in its annual FERPA notice, but the definition is usually broad. A teacher reviewing a student's IEP before the school year starts has legitimate interest. A secretary accessing grades out of curiosity does not.

Schools can disclose records in response to a court order or lawfully issued subpoena. If a judge orders the school to produce records in a custody dispute or criminal investigation, the school must comply. FERPA requires the school to make a reasonable effort to notify the parent before complying, unless the court specifically orders the school not to disclose the existence of the subpoena.

Health and safety emergencies create another exception. If school officials determine that disclosure is necessary to protect the health or safety of the student or others, they can share information without consent. This exception is narrow and applies only to actual emergencies, not speculative risks. A school can share information with police if a student makes a credible threat of violence. A school cannot share information with a parent's employer because the parent mentioned the child has been acting out at home.

Organizations conducting studies for or on behalf of the school can access records without consent, provided the study is designed to improve instruction, administer student aid, or develop assessments. The organization must sign an agreement protecting the data and must destroy it when the study concludes. This exception allows schools to work with researchers and testing companies, but it also creates a disclosure pathway parents might not expect.

Accrediting organizations and government agencies conducting audits or evaluations can access records without consent. When a state education department reviews a district's special education compliance, they can examine student files without asking every parent. When a college applies for reaccreditation, the accrediting body can review student records as part of the process.

What schools actually do with the data

Schools collect education records to fulfill their core function: educating students. Teachers use grades and attendance to monitor progress. Counselors review disciplinary records and academic performance when making placement decisions. Special education staff rely on IEPs and evaluations to design services.

But schools also share data in ways that extend beyond the classroom. State education departments collect aggregate and sometimes individual-level data to track performance, allocate funding, and comply with federal reporting requirements. Under the Every Student Succeeds Act, states must report test scores, graduation rates, and demographic breakdowns. Some states collect individual student identifiers that follow a student from kindergarten through college.

Schools share data with third-party vendors who provide educational technology, student information systems, learning management platforms, and online assessment tools. These vendors are not school officials under FERPA unless the school designates them as such and ensures they use data only for authorized purposes. In practice, many schools enter into agreements that allow vendors to access student data under the "school official" exception, provided the vendor agrees not to use the data for other purposes like targeted advertising.

Directory information disclosures happen routinely. Schools publish honor rolls, athletic rosters, and yearbook photos. They share student names and contact information with parent-teacher organizations, booster clubs, and scholarship programs. Military recruiters receive names and contact information for high school juniors and seniors unless parents opt out. Colleges receive directory information when students take the SAT or ACT and authorize score sharing.

Some schools use biometric data for cafeteria payments or building access. A student scans a fingerprint or palm to charge lunch to their account. FERPA does not directly regulate biometric data, but if the school links the biometric identifier to the student's education record, it becomes part of that record and subject to FERPA protections. State laws on biometric data in schools vary. Illinois, Texas, and Washington have specific statutes requiring parental consent before collecting biometric information from students.

How to actually exercise your rights

Start by understanding what your child's school collects. Most schools publish an annual FERPA notice explaining their policies, what qualifies as directory information, and how to opt out. This notice is often buried in a back-to-school packet or posted on the district website. Read it. If the school doesn't publish a notice, ask for one. FERPA requires schools to notify parents annually.

If you want to opt out of directory information disclosures, submit a written request to the school. The request should specify that you are opting out under FERPA and list the categories of directory information you want withheld. Some schools allow partial opt-outs , you can permit the school to publish your child's name in the honor roll but prohibit sharing contact information with outside organizations. Other schools require an all-or-nothing choice. Opting out has consequences: your child's name won't appear in the yearbook, on athletic rosters, or in graduation programs. Weigh those tradeoffs.

To inspect your child's records, submit a written request to the school principal or the district's records custodian. Include your child's name, date of birth, and the specific records you want to review. The school must respond within 45 days. When you review the records, take notes. If you see something inaccurate, document it. If you don't understand something, ask for an explanation.

To request a correction, submit a written request identifying the specific record and explaining why it's inaccurate or misleading. If the school agrees, they'll amend the record and notify you. If they refuse, they must inform you of your right to a hearing. The hearing is your opportunity to present evidence and argue your case. If you lose, you can add a statement to the record. That statement stays with the record permanently.

If you believe the school violated FERPA, you can file a complaint with the U.S. Department of Education's Family Policy Compliance Office. Complaints must be submitted in writing within 180 days of the alleged violation. Include your name, contact information, the school's name, a description of the violation, and any supporting documentation. The office investigates and can require the school to change its practices, but FERPA does not provide a private right of action. You cannot sue a school for a FERPA violation. The only enforcement mechanism is the federal government's authority to withhold funding, which has never happened.

What FERPA doesn't cover

FERPA does not regulate how schools use data internally. If a teacher shares a student's grades with another teacher in the same school, that's not a FERPA violation as long as the second teacher has a legitimate educational interest. If an administrator reviews disciplinary records to identify patterns, that's permitted. FERPA governs disclosure to third parties, not internal access.

FERPA does not create a general privacy right. It protects education records, not all information about students. If a teacher mentions in conversation that a student struggled on a test, that's not a FERPA violation unless the teacher disclosed information from an official record to someone without legitimate interest. If a student posts their own grades on social media, FERPA doesn't apply. The law protects records maintained by the school, not information students choose to share.

FERPA does not regulate data security. The law requires schools to protect records from unauthorized disclosure, but it doesn't specify how. A school that stores records in an unlocked filing cabinet or an unsecured cloud system might violate FERPA if unauthorized access occurs, but the law doesn't mandate encryption, access controls, or breach notification. Some states have separate laws requiring schools to implement specific security measures, but FERPA itself is silent on the technical details.

FERPA does not apply to private schools that don't receive federal funding. A completely private institution with no federal grants, no federal student aid, and no participation in federal programs operates outside FERPA's scope. Those schools may have their own policies, and state laws may impose some privacy requirements, but FERPA doesn't bind them.

FERPA does not cover records created after a student leaves the school. If a former student requests a transcript, the school must comply with FERPA. But if a school creates a new record about a former student , say, a letter responding to a reference check , that new record is not an education record under FERPA. It's a business record subject to other laws.

The practical limits of control

FERPA gives you rights, but exercising those rights requires effort. Schools are not required to notify you every time they disclose a record under an exception. If your child transfers schools, the new school can request records without asking you. You might not know the transfer happened until you receive a notification after the fact, if you receive one at all.

Directory information opt-outs are only as effective as the school's record-keeping. If you opt out in September but the school's yearbook vendor pulls data in August using last year's roster, your child's photo might appear anyway. If the school shares directory information with a booster club before processing your opt-out, the information is already out. Schools are required to honor opt-outs prospectively, not retroactively.

Third-party vendors present a gray area. When a school contracts with a learning management system, an online assessment platform, or a student information system, the vendor often gains access to extensive student data. Schools typically classify these vendors as "school officials" under FERPA, which allows data sharing without consent. But once the data leaves the school's direct control, your ability to monitor how it's used diminishes. Vendor agreements may include privacy protections, but you don't see those agreements unless you request them, and even then, the school may redact portions as proprietary.

The hearing process for challenging records is cumbersome. Schools are not required to provide an attorney or advocate. The hearing officer is chosen by the school, creating a structural bias even if the individual is fair-minded. The standard for overturning a school's decision is high: you must prove the record is inaccurate or misleading, not just unfavorable. A disciplinary record stating your child was suspended for fighting is accurate if the suspension happened, even if you believe the school's investigation was flawed. FERPA protects accuracy, not fairness.

Enforcement is weak. The Department of Education's Family Policy Compliance Office investigates complaints and can require corrective action, but the process is slow. Schools know that the ultimate penalty , loss of federal funding , is a nuclear option the government has never deployed. Most violations result in a letter requiring the school to revise its policies, not meaningful consequences.

When FERPA intersects with other laws

FERPA is not the only law governing student data. The Individuals with Disabilities Education Act (IDEA) includes its own privacy protections for special education records, which largely mirror FERPA but add specific requirements around evaluations and IEPs. The Health Insurance Portability and Accountability Act (HIPAA) applies to health records maintained by covered entities like hospitals and private physicians, but not to health records maintained by school nurses. If your child sees a school nurse, those records are governed by FERPA. If your child sees a private doctor, those records are governed by HIPAA.

State laws add another layer. Some states grant parents broader rights than FERPA requires. California's student privacy laws impose restrictions on how schools and vendors can use student data. Illinois requires parental consent before collecting biometric information. New York mandates that schools publish detailed data security policies. These state laws can provide protections FERPA doesn't, but they also create a patchwork where rights vary depending on where you live.

The Children's Online Privacy Protection Act (COPPA) applies when schools use online services that collect personal information from children under 13. COPPA requires verifiable parental consent before collecting data, but schools can provide consent on behalf of parents if the service is used for educational purposes. This creates a loophole where a school can authorize a vendor to collect data from young children without directly asking you. The FTC has clarified that schools must use data only for educational purposes and cannot allow vendors to use it for commercial purposes, but oversight is limited.

The cultural reference that fits

In The Good Place, the characters discover that the points system determining their fate is based on unintended consequences. Every action cascades in ways the original actor couldn't predict. Buying a tomato supports exploitative labor practices. Sending a text generates environmental costs from server farms. The system tracks everything, but no one can see the full picture or control the outcomes.

FERPA operates on a similar principle. Schools collect data for legitimate reasons , tracking progress, identifying needs, complying with regulations. But once that data exists, it flows through systems you don't control. It moves to state databases, third-party vendors, researchers, and future schools. You can opt out of directory information, request corrections, and file complaints, but you can't see every disclosure or stop every unintended use. The law gives you rights at specific decision points, but it doesn't give you visibility into the full lifecycle of your child's data.

That doesn't mean FERPA is useless. It creates a baseline. It requires schools to maintain records responsibly, notify parents of their rights, and respond to requests. It prevents schools from casually handing over records to anyone who asks. But it's not a privacy law in the modern sense. It's a transparency law from 1974, designed for a world of filing cabinets and paper transcripts, now applied to cloud-based student information systems and algorithmic assessment tools.

What you can do

Read your school's annual FERPA notice. It's boring, but it tells you what the school considers directory information, what data it collects, and how it defines legitimate educational interest. If the notice is vague or missing, ask the principal for a copy.

Decide whether to opt out of directory information. Opting out has real tradeoffs. Your child's name won't appear in public contexts, which might matter for sports, honors, or social events. Weigh that against your comfort with the school sharing contact information with outside organizations.

Request to see your child's records at least once. You don't need a reason. Submit a written request and review what's there. Look for inaccuracies, outdated information, or records you didn't know existed. If you find something wrong, request a correction.

Ask about third-party vendors. Schools use dozens of digital tools , Google Classroom, Canvas, Zoom, assessment platforms, behavior tracking apps. Ask the school which vendors have access to student data and under what terms. You won't get vendor contracts without a formal records request, but you can ask whether the school has reviewed the vendor's privacy policies.

If your child has an IEP or 504 plan, pay extra attention. Special education records contain sensitive information about disabilities, evaluations, and services. Schools share these records with new schools during transfers, but you can request to review what's being sent and ensure it's accurate.

If you believe the school violated FERPA, document it. Note the date, the records involved, who disclosed them, and to whom. File a complaint with the Family Policy Compliance Office if the violation is serious. The process is slow, but it creates a record and can force the school to change its practices.

Understand that FERPA is not comprehensive privacy protection. It's a disclosure control mechanism. It gives you rights at specific junctures, but it doesn't stop schools from collecting data, doesn't regulate how they use it internally, and doesn't prevent them from sharing it under the law's many exceptions. If you want stronger protections, look to state laws, advocate for better policies at the district level, and stay informed about what data your child's school collects and why.

Classroom filing cabinet with privacy lock symbol overlaid on student folders
→ Filed under
FERPAschool recordsstudent privacyparent rightseducation dataschool data
ShareXLinkedInFacebook

Frequently asked questions

FERPA is a federal law that gives parents control over their child's education records until the child turns 18. After that, the rights transfer to the student.
Schools can share directory information and records with other schools during transfers without consent. They can also share with school officials who have legitimate educational interest.
Education records include grades, transcripts, disciplinary records, health records maintained by the school, and special education evaluations. Personal notes kept by a teacher and law enforcement records are excluded.
Submit a written request to your child's school principal or records office. The school must provide access within 45 days, though many schools respond faster.
Yes. If you believe a record is inaccurate or misleading, you can request a correction. If the school refuses, you have the right to a formal hearing and can add a statement to the record.

You might also like

Parent and teenager looking at phone screen together, conversation about social media safety
Family & Kids Online

Is TikTok Safe for Kids? The Mechanism Behind Social Media Risk

TikTok, Instagram, and Snapchat expose kids to algorithmic manipulation, data harvesting, and predatory contact. Here's how the platforms work and what parents can control.

12 min · Margot 'Magic' Thorne · May 20

Parent and child looking at phone screen together in conversation
Family & Kids Online

Group chat moderation for kids' phones: Step-by-step setup and what you can actually control

Configure monitoring, set boundaries, and establish check-in routines for kids' group chats. Here's what works, what doesn't, and how to balance safety with trust.

11 min · Margot 'Magic' Thorne · Jun 1

Parent and child looking at a tablet together in a living room, having a calm conversation
Family & Kids Online

How to Talk to Kids About Online Safety: Age-Appropriate Conversations That Actually Work

Start online safety conversations early, adapt them as kids grow, and keep them ongoing. Here's what to say at each age and how to make it stick.

11 min · Margot 'Magic' Thorne · May 9