Information Sharing: Family Educational Rights and Privacy Act (FERPA)

What Is FERPA?

FERPA is a federal law that protects the privacy of student education records. The law applies to all educational agencies and institutions that receive funds under any U.S. Department of Education program. FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are “eligible students.” The Student Privacy Policy Office at the U.S. Department of Education administers FERPA.

FERPA protects the rights of parents or eligible students to

• Inspect and review education records;
• Seek to amend education records; and
• Consent to the disclosure of personally identifiable information (PII) from education records, except as specified by law.

For a thorough review of FERPA, in addition to what is provided, please see the implementing regulations for FERPA, found in Title 34 of the Code of Federal Regulations (CFR), part 99, and the resources and guidance documents listed.

What Are “Education Records?”

Different types of records and information may be protected by FERPA if determined to be “education records.” Education records are protected by FERPA and are broadly defined as records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution.

The non-exhaustive chart shows several examples of what types of records generally are and are not considered to be education records.

Education Records	Not Education Records
Transcripts	Records that are kept in the sole possession of the maker and used only as personal memory aids
Disciplinary records	Law enforcement unit records
Standardized test results	Grades on peer-graded papers before they are collected and recorded by a teacher
Health (including mental health) and family history records	Records created or received by a school after an individual is no longer in attendance and that are not directly related to the individual’s attendance at the school
Records on services provided to students under the Individuals with Disabilities Education Act (IDEA)	Employee records that relate exclusively to an individual in that individual’s capacity as an employee
Records on services and accommodations provided to students under Section 504 of the Rehabilitation Act of 1973 and Title II of the ADA5	Information obtained through a school official’s personal knowledge or observation and not from the student’s education records

See the discussion under “Balancing Safety and Privacy” for more detail on law enforcement units under FERPA, what constitutes a law enforcement unit record, and how these records may be used.

Who May Access FERPA-Protected Education Records?

“School officials with a legitimate educational interest” may access FERPA-protected education records. Schools determine the criteria for who is considered a school official with a legitimate educational interest under FERPA regulations, and it generally includes teachers, counselors, school administrators, and other school staff.

The term “school official with a legitimate educational interest” may also include contractors, consultants, volunteers, and other parties if those individuals

• Perform an institutional service or function for which the agency or institution would otherwise use employees;
• Are under the direct control of the agency or institution with respect to the use and maintenance of education records; and
• Are subject to the requirements of 34 CFR § 99.33(a), which specifies that individuals who receive information from education records may use the information only for the purposes for which the disclosure was made and which generally prohibits the redisclosure of PII from education records to any other party without the prior consent of the parent or eligible student. There are, however, exceptions to this prohibition.

In addition, schools must annually notify parents and eligible students of their rights under FERPA, and must include in this notification the criteria for who constitutes a school official and what constitutes a legitimate educational interest.

This means that if a school wishes to consider non-employee members of its threat assessment team (TAT), its contracted counseling, nursing, service, or security staff, its school resource officers (SROs), and other non-employees as “school officials” who may have access to education records, the school must ensure that these individuals meet the criteria in the bullets above and the criteria in the school’s annual notification of FERPA rights. Schools are encouraged to train all school officials who may have access to education records, including contractors, on FERPA as well as other applicable laws.

Balancing Safety and Privacy

School officials must balance safety interests and student privacy interests. FERPA contains exceptions to the general consent requirement, including the “health or safety emergency exception,” and exceptions to the definition of education records, including “law enforcement unit records,” which provide school officials with tools to support this goal.

The Health or Safety Emergency Exception to the Consent Requirement

FERPA generally requires written consent before disclosing PII from a student’s education records to individuals other than his or her parents. However, the FERPA regulations permit school officials to disclose PII from education records without consent to appropriate parties only when there is an actual, impending, or imminent emergency, such as an articulable and significant threat. Information may be disclosed only to protect the health or safety of students or other individuals. In applying the health and safety exception, note that:

Schools have discretion to determine what constitutes a health or safety emergency.

“Appropriate parties” typically include law enforcement officials, first responders, public health officials, trained medical personnel, and parents. This FERPA exception is temporally limited to the period of the emergency and does not allow for a blanket release of PII. It does not allow disclosures to address emergencies that might occur, such as would be the case in emergency preparedness activities.

• The information that may be disclosed is limited to only PII from an education record that is needed based on the type of emergency.
• Disclosures based on this exception must be documented in the student’s education records to memorialize the
• Emergency that formed the basis for the disclosure; and
• Parties with whom the school shared the PII.

The U.S. Department of Education would not find a school in violation of FERPA for disclosing FERPA-protected information under the health or safety exception as long as the school had a rational basis, based on the information available at the time, for making its determination that there was an articulable and significant threat to the health or safety of the student or other individuals.

For more information on the health or safety exception, see “Addressing Emergencies on Campus,” June 2011, available at emergency-guidance.pdf and 34 CFR §§ 99.31(a)(10) and 99.36.

The Law Enforcement Unit Record Exemption to the Definition of Education Records

FERPA defines a “law enforcement unit” as any individual, office, department, division, or other component of an educational agency or institution, such as a unit of commissioned police officers or non-commissioned security guards, that is officially authorized or designated by that agency or institution to

(i) Enforce any local, state, or federal law, or refer to appropriate authorities a matter for enforcement of any local, state, or federal law against any individual or organization other than the agency or institution itself; or

(ii) Maintain the physical security and safety of the agency or institution.

Significantly, to be considered a “law enforcement unit” under this definition, an individual or component must be officially authorized or designated to carry out the functions listed above by the school. Schools may designate a traditional law enforcement entity (such as school security staff, school resource officers [SROs], school safety officers, school police, or other school security personnel) as a law enforcement unit, or opt to designate another non-law enforcement school official to serve as their law enforcement unit, such as a vice principal or another school official.

FERPA does not prevent schools from disclosing information from records maintained by law enforcement that were created for law enforcement purposes by the law enforcement unit to anyone, subject to state law, including outside law enforcement authorities, without the consent of the parent or eligible student during an emergency or otherwise.

Law enforcement unit records, which are not subject to the FERPA consent requirements, are defined as records that are

• Created by a law enforcement unit;
• Created for a law enforcement purpose; and
• Maintained by the law enforcement unit.

Law enforcement unit records do not include

• Records created by a law enforcement unit for a law enforcement purpose that are maintained by a component of the school other than the law enforcement unit, such as a principal or guidance counselor;
• Health records or PII collected about or related to the disability of a student, including information about providing an accommodation; and
• Records created and maintained by a law enforcement unit exclusively for a non-law enforcement purpose, such as a school disciplinary action or proceeding.

In designating a law enforcement unit and using law enforcement unit records, note that

• To be given access to PII from a student’s education records, law enforcement unit officials who are employed by the school must meet the criteria set forth in the school’s FERPA notification for school officials with a legitimate educational interest. While law enforcement unit officials are not required to be school officials under FERPA, many schools have found that it is useful for them to be school officials so that they may access education records that may be necessary to ensure school safety. For instance, if a student has been suspended for a period of time (a fact that would be recorded in the student’s education records), the law enforcement unit could need to know this in case the student attempts to enter the building when not permitted to do so.
• A school’s law enforcement unit officials must protect the privacy of education records they receive and may disclose them only in compliance with FERPA. For that reason, we recommend that law enforcement unit records be maintained separately from education records.

For more information on law enforcement unit records and FERPA, refer to the following sources:

• “Addressing Emergencies on Campus,” June 2011 emergency-guidance.pdf
• The discussion in the preamble to the final rule in the Federal Register published Dec. 9, 2008, starting on page 74836 http://www2.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf.
• Student Privacy Policy Office website https://studentprivacy.ed.gov/
• The regulatory definition of “Law Enforcement Unit” under FERPA in 34 CFR § 99.8(a) available at https://www.ecfr.gov/current/title-34/subtitle-A/part-99/subpart-A/section-99.8

Common FERPA Misunderstandings

School administrators and their partner organizations must understand FERPA and its implications, because misinterpretations of the law and subsequent delays in information-sharing can hinder first responders’ efforts to provide necessary assistance in a health or safety emergency.

Sharing Personal Observation or Knowledge

Misinterpreting FERPA can lead school administrators to miss opportunities to share crucial information that could prevent an emergency situation. For instance, some schools incorrectly believe that information obtained from a school official’s personal observations or knowledge is protected by FERPA. In fact, personal observation or knowledge is generally not considered to be part of the student’s education records (see “What Are ‘Education Records’”) and therefore may be disclosed. For example, if a teacher overhears a student making threatening remarks to other students, the teacher is not prohibited from sharing that information with appropriate authorities, including the parents of the students who were threatened.

However, if a school official learns of information about a student through his or her official role in creating or maintaining an education record, then that information would be covered by FERPA. For instance, if a principal suspends a student, the principal would not be permitted to non-consensually disclose that information (unless the disclosure met one of the exceptions in FERPA to consent) because he or she gained personal knowledge of that information in making that disciplinary determination.

Releasing Directory Information

In some circumstances, schools may be able to disclose “directory information” to prevent an emergency situation. Directory information means information contained in a student’s education record that would not generally be considered harmful or an invasion of privacy if disclosed. Some examples of directory information include a student’s name, address, telephone number, or e-mail address. Schools must follow certain requirements in publicly designating “directory information,” and they may not disclose directory information from a student’s education record if the parent or eligible student has opted out of allowing that disclosure. For example, assuming that the parents’ cell phone numbers have been properly designated as “directory information,” what if the parents have not opted out of the disclosure of such “directory information,” and a flood displaced families from their homes and these children are brought to a shelter? The school may disclose those parents’ cell phone numbers to an emergency management agency that is trying to locate the parents.

Additional Situations With FERPA Considerations

FERPA has implications in a variety of different situations, and new questions arise as schools become more creative and innovative in developing their campus safety plans. In many cases, however, it is helpful to review the FERPA basics to help you clearly think through each scenario. The following are some scenarios that may arise.

Under the health or safety emergency exception, school officials may, without consent, disclose PII from education records to appropriate parties in connection with an emergency. In the case of an influenza outbreak, for instance, if school officials determine that an emergency exists, they may share immunization records with parties such as state and local public health officials whose knowledge of the information is necessary to protect the health or safety of students or others in the school community. Under this exception, schools may share information only during the limited period of time connected with the emergency. A blanket release of information is not allowed. You must instead determine what information to disclose on a case-by-case basis depending on the particular threat.

Some educational agencies and institutions may need assistance in determining whether a health or safety emergency exists for purposes of complying with FERPA. Federal agencies encourage schools to implement a threat assessment program, including the establishment of a multidisciplinary threat assessment team that utilizes the expertise of representatives from mental health service providers, persons familiar with emergency procedures, and law enforcement agencies in the community.

The threat assessment team must comply with applicable civil rights and other federal and state laws. Under a properly implemented threat assessment program, schools can respond to student behavior that raises safety concerns that are not based on assumptions, stereotypes, or myths about people with disabilities (including mental health-related disabilities) or people of a particular race, color, ethnicity, national origin, religion, or sex.

If a threat assessment team member meets the definition of a school official (as a party to whom the school has outsourced administrative functions or services) with a legitimate educational interest under FERPA, (see “Who May Access FERPA-Protected Education Records”), then he or she would be able to access students’ education records in which he or she has legitimate educational interests. A threat assessment team member who is appropriately designated as a school official, however, may not disclose PII from education records to anyone without consent or unless one of the exceptions to consent under FERPA, such as the health or safety emergency exception, applies.

Schools are increasingly using security cameras as a tool to monitor and improve student safety. Images of students captured on security videotapes that are created and maintained by the school's law enforcement unit for a law enforcement purpose are not considered education records under FERPA. Accordingly, these videotapes may be shared with parents of students whose images are on the video and with outside law enforcement authorities, as appropriate.

• Infectious Disease
• Threat Assessment Teams
• Security Videos

Incorporating FERPA Into Your Emergency Planning Process

Schools and districts should discuss critical questions and concepts with their community partners while in the process of developing or revising an emergency management plan. While building partnerships is critical, in gathering information to support these partnerships, schools and districts must also take steps to consider student privacy and civil rights and other laws as well as their mission of safety. Be sure to review any concepts with which you are unfamiliar.

What Information Is FERPA-Protected, and When May the School Share It?

Education records are protected by FERPA, and schools may generally only PII from those records only with written consent from a parent or eligible student, unless a FERPA exception to consent applies. The following are examples of such exceptions.

Example: At the start of flu season, your local public health agency requests the names of those students showing influenza-like symptoms, as well as their parents’ contact information. You know that you may not disclose PII from a student’s education records without consent if there is not a health or safety emergency or another exception to consent under FERPA that applies. So, to facilitate this sharing of information, you opt to develop a consent form that identifies students’ names and parent contact information as specific PII from student education records. And you would like to share the form with the local public health agency, as well as the purpose of the disclosure. The form gives parents and eligible students the option to allow or to not allow this sharing of information. After collecting the signed and dated consent forms, for the students for whom you received consent you begin to share with the local health agency the names of students who are showing influenza-like symptoms and their parents’ contact information. Your purpose of this sharing of PII is to help so the health agency is able to conduct real-time surveillance to prevent the spread of the illness. (See “What Is FERPA”.)

Example: Your school’s threat assessment team includes representatives from your community partners, and you have properly designated them as “school officials with a legitimate educational interest.” (See “Who May Access FERPA-Protected Records” above.) The local law enforcement representative on your team does not share with his police chief or other law enforcement official the PII that he obtains from a student’s education records in his capacity as a threat assessment team member while working to identify possible threats because he knows that this is not permitted. Several months after the threat assessment team initially convened to review a collection of behaviors and communications concerning a particular student and determined that there was not sufficient information demonstrating that the student posed a threat, the team learns that the student has now communicated his intent to harm the school principal. At this juncture, the law enforcement representative (and other members of the threat assessment team) shares pertinent PII from education records with appropriate parties so they can take steps, such as consulting with a police agency, to protect the health or safety of the principal (in this case). (See also the discussion of threat assessment teams under “ Additional Situations with FERPA Considerations”)

Example: At the beginning of the school year, your school notified parents and eligible students that you had designated students’ names, phone numbers, and e-mail addresses as “directory information,” explaining to them that you would disclose this information upon request to anyone contacting the school. In your notice, you explained how and by when they could opt out. When a reporter contacts your institution requesting the directory information about a student who is under 18, you check to see whether the student’s parents opted out of the disclosure of directory information. Because the student’s parents did not opt out of the school’s directory information policy, you provide that directory information to the reporter. (See “Common FERPA Misunderstandings”.)

Example: A student has a severe allergic reaction to peanuts during lunch. The school nurse administers epinephrine and then calls an ambulance in accordance with applicable federal and state laws. When the emergency medical technicians (EMTs) arrive, the nurse discloses PII from the student’s education record to the EMTs without obtaining parental consent under the health or safety emergency exception. (See “Balancing Safety and Privacy”.)

What Information Is Not FERPA-Protected and When May the School Share It?

Records that are created and maintained by a school’s law enforcement unit for a law enforcement purpose are not protected by FERPA, and there are no FERPA restrictions on the sharing of information in law enforcement unit records. (See “What Are ‘Education Records and "Balancing Safety and Privacy.)

Example: Your school contracts with the law enforcement agency in your county to bring in an SRO and you properly designate the officer as a “school official with a legitimate educational interest.” (See “Who May Access FERPA-Protected Records?”) You also properly designate the SRO as your school’s law enforcement unit. (See “Balancing Safety and Privacy”.) The SRO knows that she may not redisclose to her home agency PII that she obtains from a student’s education records while serving in her SRO capacity, unless there is a health or safety emergency or another FERPA exception to consent that would apply. However, she shares her law enforcement unit records about a student who was arrested for smoking marijuana on campus with other law enforcement officials because she knows that law enforcement unit records are not protected by FERPA.

Are Processes and Protocols, Including Memoranda of Understanding (MOUs), in Place for Information Sharing and Record Keeping That Comply With FERPA?

It is important for schools to consider entering into MOUs with law enforcement and their other community partners to formalize roles, responsibilities, and protocols. MOUs can be tailored to the needs of the individual schools in the jurisdiction. Any policies regarding information sharing between the school and the law enforcement agency, however, must comply with applicable federal, state, and local laws, including FERPA. While information-sharing MOUs should be developed regarding what information can be shared between departments and what information is protected, no provision in an MOU can override a school’s obligations under FERPA.

Frequently Asked Questions Pertaining to FERPA

Q: To what entities does FERPA apply?

A: FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes virtually all public schools and school districts, and most private and public postsecondary institutions, including medical and other professional schools.

Private and religious schools at the elementary and secondary school levels generally do not receive funds from the U.S. Department of Education and, therefore, are not subject to FERPA.

Q: Does an interagency agreement with partners such as the state or local health department enable a school to non-consensually disclose education records?

A: No. Interagency agreements do not supersede the consent requirements under FERPA. Although an interagency agreement would be a helpful tool for planning purposes, schools must comply with FERPA’s requirements regarding the disclosure of PII from students’ education records.

Q: Under the health or safety emergency exception, may a school non-consensually disclose PII from a student’s education records to the media?

A: No, you generally may not disclose FERPA-protected information to the media. While the media play a role in alerting the community of a health epidemic or a violent incident outbreak, they generally do not have a role in protecting the health or safety of individual students or others at the school.

Q: When would the health or safety exception apply?

A: Under FERPA, an emergency means a situation in which there is an articulable and significant threat to the health or safety of students or other individuals. This determination must be made by the school.

Q: Do I need to tell parents and eligible students or otherwise document when I have disclosed PII from their education records without consent under a health or safety emergency?

A: Within a reasonable period of time after a disclosure is made under the health or safety exception, a school must record in the student’s education records the articulable and significant threat that formed the basis for the disclosure, and the parties to whom the information was disclosed. Parents and eligible students have a right to inspect and review the record of disclosure, but do not need to be proactively informed that records have been disclosed.

Q: Can members of our threat assessment team have access to student education records?

A: School officials with legitimate educational interests may have access to a student’s education records. Members of a threat assessment team who are not school employees may be designated as such if they are under the direct control of the school with respect to the maintenance and use of PII from education records; are subject to the requirements of 34 CFR § 99.33(a) governing the use and redisclosure of PII from education records; and otherwise meet the school’s criteria for being school officials with legitimate educational interests.

Members of a threat assessment team who are considered school officials with a legitimate educational interest generally cannot non-consensually redisclose PII from a student’s education records to which he or she was privy as part of the team. However, if a threat assessment team determines that a health or safety emergency exists, members may non-consensually redisclose PII from a student’s education records on behalf of the school to appropriate officials under the health or safety emergency exception.

For example, a representative from the city police who serves on a school’s threat assessment team generally could not redisclose, without consent, PII from a student’s education records to the city police during the initial discussions about a particular student. However, once the threat assessment team determines that a health or safety emergency exists, as defined under FERPA, the representative may redisclose, without consent, PII from a student’s education records on behalf of the school to appropriate officials. (See the discussion under “Additional Situations with FERPA Considerations”.)

Q: How does FERPA interact with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?

A: The U.S. Department of Education and the U.S. Department of Health and Human Services jointly developed guidance on the application of FERPA and HIPAA. This guidance explains that records that are protected by FERPA are exempt from the HIPAA Privacy Rule. Accordingly, school officials must follow the requirements of FERPA with regard to the disclosure of records protected by FERPA. Please see the guidance at ferpa-hipaa-guidance.pdf for more information, as well as HIPAA content guidance.

Q: Who should I contact for more information related to FERPA?

A: The U.S. Department of Education’s Student Privacy Policy Office is available to respond to any questions about FERPA. For quick responses to routine questions, please submit a question using the following form https://studentprivacy.ed.gov/contact. For more in-depth technical assistance or a more formal response, you may call the Student Privacy Policy Office at 1-855-249-3072 or write to them at

Student Privacy Policy Office

U.S. Department of Education

400 Maryland Ave. SW

Washington, DC 20202-8520

Q: What are some of the other federal and state laws relating to emergency management planning that are relevant to access to and sharing of information about students?

A: Schools and districts may also be subject to federal and state civil rights laws that protect the disclosure of information about students. Schools and their community partners should review guidance from the U.S. Departments of Education and Justice on any applicable civil rights or other statutes governing privacy and information sharing and discuss their implications for emergency management and related planning processes. At a minimum, in determining what constitutes an “emergency,” schools and their partners must base their decisions on actual risks and not on assumptions, stereotypes, fears, or myths about people with disabilities (including mental health-related disabilities) or people of a particular race, color, ethnicity, national origin, religion, or sex.^7,8

FERPA Guidance and Resources

The Student Privacy Policy Office at the U.S. Department of Education administers FERPA. SPPO has developed, and continues to develop, extensive guidance pertaining to the implementation of FERPA and emergency situations. For more detailed information or additional guidance, please see the referenced documents and the SPPO website at https://studentprivacy.ed.gov/.