Understanding Privacy Rules for School Records
A practical guide to how federal and state laws protect the confidentiality of student records and what rights families have.
Schools collect a wide range of information about students, from grades and attendance to health details and discipline records. Protecting this information is not just a matter of good practice; it is required by a network of federal and state laws designed to safeguard student privacy and give families meaningful rights over how records are used and shared.
This article explains how student records are defined, what privacy protections apply, how parents and eligible students can exercise their rights, and how state laws build on the core federal framework. It also addresses common situations, such as requests from law enforcement, health emergencies, and the use of educational technology.
What Counts as a Student Education Record?
The starting point for any discussion of privacy is understanding what qualifies as a education record. Under federal law, education records are generally documents and data that are:
- Directly related to a student; and
- Maintained by a school, district, or other education agency, or by a party acting on its behalf.
These records can exist in many forms, including paper files, digital databases, video or audio recordings, and information stored in learning management systems.
Typical Examples of Education Records
- Report cards and transcripts
- Attendance and enrollment records
- Standardized test scores and progress monitoring data
- Special education evaluations and individualized education programs (IEPs)
- Disciplinary records and incident reports
- Health and counseling notes when maintained by the school as part of the student file
Personal notes kept exclusively by an individual employee, and not shared or maintained by the institution, usually fall outside the definition of education records. By contrast, once information is incorporated into official student files or a school database, it is generally covered.
Understanding Intellectual Property Theft >
Key Federal Law: FERPA and Its Core Protections
The primary federal statute governing education records is the Family Educational Rights and Privacy Act (FERPA). FERPA applies to most public schools and many private institutions that receive federal education funds.
FERPA serves two main functions:
- It grants parents and eligible students specific rights related to access and amendment of records.
- It limits when schools may disclose personally identifiable information from education records without consent.
Rights of Parents and Eligible Students Under FERPA
Until a student reaches age 18 or attends a postsecondary institution, FERPA rights are held by the student’s parent or guardian. After that point, rights transfer to the student, who becomes an eligible student.
FERPA guarantees several core rights:
- Right to Inspect and Review: Parents and eligible students can request to see the student’s education records. Schools must provide access within a reasonable time, often within 45 days of the request.
- Right to Request Corrections: If information in the record is believed to be inaccurate, misleading, or infringing on privacy, a parent or eligible student has the right to ask the school to correct it.
- Right to a Hearing: When a school denies a request to amend a record, the parent or student is entitled to a formal hearing to present evidence.
- Right to Add a Statement: If, after a hearing, the school still refuses to change the record, the parent or student can add a written statement to the file explaining their position.
- Right to Control Disclosure: Schools generally must obtain written, signed, and dated consent before sharing personally identifiable information from education records, with certain exceptions.
- Right to File a Complaint: Individuals may submit complaints to the U.S. Department of Education’s Student Privacy Policy Office if they believe a school has violated FERPA.
When Consent Is Required – and When It Is Not
As a rule, schools must obtain written consent from a parent or eligible student before releasing personally identifiable information from education records to third parties.
Valid consent must:
- Identify the specific records to be disclosed,
- State the purpose of the disclosure, and
- Name the party or type of parties receiving the information.
However, FERPA allows disclosure without consent in defined situations, including:
- School officials with legitimate educational interests, such as teachers or administrators who need the information to fulfill their professional responsibilities.
- Transfers to another school in which the student seeks or intends to enroll.
- Compliance with a court order or subpoena, after the school makes a reasonable effort to notify the parent or student, unless the order prohibits such notice.
- Health or safety emergencies, when sharing information is necessary to protect the student or others.
- Certain audits, evaluations, or research conducted for or on behalf of the school or education authorities.
Directory Information and Opt-Out Rights
FERPA treats some categories of information as directory information, which schools may disclose without prior consent unless a parent or eligible student opts out. Common examples include a student’s name, address, phone number, email, dates of attendance, and participation in officially recognized activities.
Important safeguards apply:
- Schools must publicly define what they consider directory information.
- They must notify families of their right to opt out of directory information being shared.
- Opt-out requests generally remain in effect unless revoked.
Other Federal Privacy Rules Affecting School Records
Although FERPA is the central statute, several other federal laws may intersect with student record privacy, especially where health and social programs are involved.
Health Information and HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) normally protects individual health information held by health care providers. However, HIPAA’s Privacy Rule specifically excludes health information contained in education records that are already covered by FERPA.
In practice, this means:
- Health information maintained by a school as part of a student’s education record is governed by FERPA, not HIPAA.
- Health records held by external medical providers who are not acting as part of the school may be protected under HIPAA.
Nutrition Programs and Confidentiality
The National School Lunch Act includes stricter privacy provisions for information about participation in free and reduced-price meal programs. Even when FERPA might permit certain disclosures, access to meal eligibility data is further limited:
- Only individuals with specific program-related responsibilities may see eligibility information.
- Family income and eligibility status are treated as highly sensitive and are shielded from broader release.
Surveys and Online Services: PPRA and COPPA
The Protection of Pupil Rights Amendment (PPRA) and the Children’s Online Privacy Protection Act (COPPA) supplement FERPA by focusing on data collection rather than existing records.
- PPRA gives parents rights related to surveys that touch on sensitive topics, ensuring notice and, in many cases, the opportunity to opt out.
- COPPA requires parental consent before online services directed to children under 13 collect personal information, though schools may sometimes provide consent on behalf of parents when using educational tools.
How State Laws Build on Federal Protections
While FERPA sets a national baseline, states have increasingly adopted their own student privacy laws to address modern data practices and clarify local requirements.
State laws may:
- Define additional parent and student rights beyond FERPA, such as more specific opt-out options for data sharing.
- Set retention and destruction rules for student records, dictating when and how records must be archived or deleted.
- Impose obligations on education technology vendors that handle student data on behalf of schools.
Common Themes in State Student Privacy Laws
Although details vary, many state statutes include similar elements:
- Consent Requirements: Some states reinforce the need for written parental consent before third parties can access pupil records, clearly specifying what must be included in the consent notice.
- Limits on Reuse and Disclosure: Authorized recipients are often prohibited from redisclosing student information unless another consent is obtained.
- De-identification Standards: States may permit release of statistical or aggregated data only when individual students cannot be identified.
- Record Management Rules: Regulations may govern how schools establish, maintain, and eventually destroy records, including retention schedules and procedures for handling contested information.
Illustrative Comparison of Federal and State Requirements
| Topic | FERPA (Federal) | Typical State Law Additions |
|---|---|---|
| Access to records | Parents and eligible students have the right to inspect and review education records. | States may set specific time frames, procedures, or forms for access requests. |
| Consent for disclosure | Written, signed, dated consent required, subject to exceptions. | Some states specify required language or mandate permanent retention of consent forms with the record. |
| Data sharing with vendors | Covered when vendors act as school officials with legitimate interests. | Extra limits on advertising, profiling, and reuse of student data by vendors. |
| Record destruction | FERPA does not set detailed retention schedules. | States often establish timelines and prohibit destruction of records under certain conditions. |
Practical Guidance for Parents and Students
Understanding legal rights is more useful when paired with practical steps. Families can take several actions to manage student record privacy effectively.
How to Request Access to Records
- Submit a written request to the school or district office specifying which records you want to review.
- Keep a copy of the request and note the date it was delivered.
- Follow up if you do not receive a response within the typical timeframe, often 45 days.
Challenging Inaccurate or Unfair Information
- Identify the specific entries you believe are inaccurate, misleading, or violate privacy rights.
- Provide documentation supporting your position, such as emails, prior reports, or official letters.
- Ask for a formal review or hearing if the school declines your initial correction request.
- Consider adding a written statement to the record to preserve your perspective, even if the school does not change the underlying entry.
Managing Directory Information and Public Releases
- Review annual notices from the school that define directory information and explain opt-out procedures.
- Decide whether you are comfortable with your child’s information being used in yearbooks, websites, or news releases.
- Submit opt-out forms by the stated deadline if you prefer more restrictive sharing.
Common Scenarios: Law Enforcement, Emergencies, and Technology
Several recurring situations test the boundaries of student record privacy.
Requests from Law Enforcement
Routine requests from police or other law enforcement agencies do not automatically override FERPA protections. In general:
- Schools cannot disclose non-directory information to law enforcement without consent, a qualifying exception, or a court order.
- Subpoenas and court orders must be honored, but schools should make reasonable efforts to notify affected parents or students unless the order bars notice.
Health or Safety Emergencies
In a genuine emergency, such as a serious threat of harm or a public health crisis, FERPA allows schools to share necessary information with appropriate parties, including medical professionals and public safety officials. The disclosure must be limited to information needed to protect health or safety, and schools are expected to document the rationale for the disclosure.
Educational Technology and Data Sharing
Digital learning tools, online platforms, and data dashboards often rely on cloud services that store student information. Under FERPA, vendors can receive education records when they operate as school officials with legitimate educational interests, and when contracts or agreements limit their use of data.
State laws increasingly require:
- Prohibitions on using student data for targeted advertising or creating non-educational profiles.
- Security safeguards and breach notification duties.
- Restrictions on selling or redisclosing student information except as permitted by law.
Frequently Asked Questions
Do I have to pay to see my child’s education records?
Schools must allow parents and eligible students to inspect and review education records, but they may charge a reasonable fee for copies if you request them, unless the cost effectively denies access.
Can a school share my child’s grades with other parents?
Grades and other performance information are typically considered non-directory, personally identifiable information. They cannot be shared with other parents or unrelated parties without consent or a FERPA exception.
What happens when my child turns 18?
Once a student turns 18 or enrolls in a postsecondary institution, FERPA rights transfer from the parent to the student. Parents may still access records in specific circumstances, for example if the student is a dependent for tax purposes, but the default control rests with the student.
Can I see notes from my child’s counselor?
If counseling notes are maintained as part of the official education record, they are governed by FERPA and subject to access rights. If they are kept solely as personal notes for the counselor, not shared or maintained by the school, they may fall outside FERPA’s definition.
How do I know what my state requires beyond FERPA?
Many state departments of education publish guidance on student privacy and data use. Reviewing state regulations, district policies, and any student data privacy statutes can help you understand additional protections and procedures in your state.
References
- FERPA General Guidance — U.S. Department of Education, Student Privacy Policy Office. 2024-01-01. https://studentprivacy.ed.gov/ferpa
- Family Educational Rights and Privacy Act (FERPA) — Electronic Privacy Information Center. 2023-05-01. https://epic.org/family-educational-rights-and-privacy-act-ferpa/
- Policy 9050 Implementation Procedures – Student Records — Howard County Public School System. 2023-02-01. https://policy.hcpss.org/9000/9050/implementation/
- Data Privacy and Policy — North Carolina Department of Public Instruction. 2022-09-15. https://www.dpi.nc.gov/data-reports/data-reporting-and-program-monitoring/data-privacy-and-policy
- Other Federal Laws Affecting Information Privacy in Schools — University of Arizona, FERPA Office. 2021-06-01. https://ferpa.education.arizona.edu/summary-key-federal-laws/summary-key
- State Student Privacy Law Compendium — Center for Democracy & Technology. 2016-10-01. https://cdt.org/wp-content/uploads/2016/10/CDT-Stu-Priv-Compendium-FNL.pdf
- FERPA, PPRA and COPPA — Parent Coalition for Student Privacy. 2020-04-01. https://studentprivacymatters.org/ferpa_ppra_coppa/
Read full bio of Sneha Tete





