The term "directory information" is used for the portion of the education record that, if disclosed, would not generally be considered harmful or an invasion of privacy (34 CFR part 99.3). This may include the student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance.
Under FERPA, school systems have flexibility in deciding what information will be considered directory information. A list of the types of data that may be designated and disclosed as directory information is listed under the definition of "directory information" in the Code of Federal Regulations (34 CFR part 99.3).
While school systems designate varying types of information as directory information, most include a student's name, family members' names, home address, and school activities. The height and weight of athletes may also be included.
School systems should give careful consideration to designating data as "directory information" because once this designation is given, school officials may distribute the information to anyone who requests it in or outside the school. School systems that disclose directory information must give "public notice" of this policy and explain what is included in such information. The notice must also indicate that parents may refuse to allow the school to designate any, or all, of their child's record as directory information.
Several ways public notice can be given include: a notice in the registration package sent home to parents, a notice in the local newspaper, a notice in the school handbook distributed each year, or a posting on the school system's website. FERPA requires the notice to specify how much time parents have to tell the school or school system what, if any, directory information they do not wish released.
Disclosure of Student Information
Generally, schools must have written parent (or eligible student) permission to release any information from a student's education records. However, in addition to properly designated "directory information," FERPA allows disclosure, without consent, to the following parties or under the following conditions (except as noted, conditions are listed in 34 CFR part 99.31):
- A legitimate educational interest
School officials with a "legitimate educational interest" may access student records under FERPA. Generally, this refers to individuals in the school district who need to know information in the student's education record in order to perform their professional responsibility. Interest in students that "fit" a profile or category is not a legitimate educational interest. The school's criteria for appropriate "school officials" and valid "legitimate educational interest" must be included in the annual notification to parents of their FERPA rights. A sample notice of rights, including suggested language can be found at the Family Policy Compliance Office's website: http://www.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html.
- Other schools into which a student is transferring or enrolling
Schools that submit a records request or in which a student has enrolled are eligible to receive information from that student's education records. This includes postsecondary institutions to which the student are applying. A parent (or eligible student) may also request a records transfer.
- Specified officials for audit or evaluation purposes
This category exception refers to federal, state, and local education agencies that must collect data or student information to audit, evaluate, or enforce educational programs. State agencies other than those responsible for education are not included. This exception is commonly used by state education agencies to justify state-level student records systems.
- Appropriate parties in connection with financial aid
Information required to determine student eligibility for financial aid, the amount of aid to award, and the conditions under which aid is to be granted may be disclosed under this category; access to information needed to enforce those terms and conditions is also allowed. This exception typically applies to postsecondary institutions.
- Organizations conducting certain studies for, or on behalf of, the school
The purpose of the study conducted for, or on behalf of, a school has to be to: develop, validate, or administer predictive tests; administer student aid programs; or improve instruction. Even if these conditions are met, the school may only disclose information if: the study methodology does not permit the personal identification of parents and students by anyone other than the researchers and their representatives; the information is not used for any purpose other than to complete the study; and the information is destroyed when it is no longer needed for the stated purposes of the study.
- Accrediting organizations
Disclosure of personal information is permitted to an accrediting organization if it is needed to carry out the accreditation.
- Judicial orders or lawfully issued subpoenas
Schools must release information requested by a judicial order or legal subpoena. However, the school must make a reasonable effort to notify the parent (or eligible student) in advance of compliance, unless the court or other issuing agency has ordered that the contents of the subpoena not be disclosed, or that the protected education records not be included. [34 CFR part 99.31 paragraph (a)(9)(1)]
- Health and safety emergencies
Disclosure to appropriate officials is valid if the information contained in the education record is necessary to protect the health or safety of the student or other individuals (34 CFR part 99.36).
- State and local authorities, within a juvenile justice system, pursuant to specific state law
If state law permits, schools may release information to state and local juvenile justice authorities after receiving written certification that the information will not be disclosed to any other agency, organization, or third party without the parent's permission, except as allowed in state law.
In all of the above cases, education agencies or institutions disclosing personally identifiable information from an education record must do so on the condition that the party receiving the information will use it only for the purpose for which it was disclosed, and will not disclose the information to another, third party without prior consent. An exception is allowed if the disclosure is made on behalf of the education agency or institution under the permitted disclosures in FERPA. (34 CFR part 99.33)
Data Requests and FERPA Information requests from the press, researchers, and the general public are fairly common in most school systems and state education agencies. In this regard, the FERPA statute provides that an education agency or institution may not have a policy of disclosing education records or personally identifiable information from education records, without prior consent from the parent or eligible student, unless it is considered directory information or falls under one of the other consent exceptions contained in the law [20 U.S.C. §1232(g)(b)(1)]. (For exceptions to consent guidelines, see Disclosure of Student Information.) Agencies should determine whether requests for data meet these exceptions on a case-by-case basis.
Nothing in FERPA prohibits a school from disclosing information in aggregate, or in another form that is not personally identifiable. Personally identifiable information includes:
- the student's name;
- the name of the student's parent or other family member;
- the address of the student or student's family;
- a personal identifier, such as the student's social security number or student number;
- a list of personal characteristics that would make the student's identity easily traceable; or
- other information that would make the student's identity easily traceable.
In circumstances that may lead to the identification of an individual, the disclosing education agency or institution must ensure that student-level information is not personally identifiable by removing the student's name and ID number, as well as any "personal characteristics" and "other information that would make the student's identity easily traceable." This includes, but is not limited to, such factors as physical description (race, sex, appearance, etc.); date and place of birth; religion and national origin; participation in sports, clubs, and other activities; academic performance; employment; and disciplinary actions or criminal proceedings. "Other information that would make the student's identity easily traceable" may also exist in the form of small cell sizes in aggregated or statistical information from education records.
In cases where personal information cannot be removed, school officials must secure written parental consent before disclosing the data to outside organizations. The 8 Forum Guide to the Privacy of Student Information required consent form should specify:
- the records that may be disclosed;
- the purpose of the disclosure; and
- the identity of the party or class of parties to whom the disclosure may be made. [34 CFR part 99.30(b)]
The No Child Left Behind Act of 2001 (NCLB) and the National Defense Authorization Act for Fiscal Year 2002 both require high schools to provide military recruiters with access to directory-type information on secondary school students. Upon request, and after notifying parents, schools must release to military recruiters the name, address, and telephone numbers of high school juniors and seniors. (The disclosed information is used only for armed services recruiting and to inform high school students of scholarship opportunities.)
To minimize their administrative burden, some schools notify parents of the military recruiters' right to student data by utilizing the same notice they use to inform parents of directory information disclosure. A sample directory information notice with reference to disclosures to military recruiters can be found on the Family Policy Compliance Office's (FPCO) website: http://www.ed.gov/policy/gen/guid/fpco/hottopics/ht-10-09-02a.html.
Schools that normally do not disclose directory information and, therefore, may not have a directory-information disclosure policy under FERPA, must nevertheless release to military recruiters the student information listed above unless parents (or eligible students) disallow disclosure.
Confidentiality and Privacy Concerns
Until recently, the main concern regarding confidentiality and privacy of education records centered on individuals hacking into central computer systems or otherwise illegally accessing records through other security breaches. With technology increasingly used to ensure the availability of timely and accurate information, however, the scope of this issue has expanded to include portable storage devices (flash drives), handheld computers, electronic information transfers (e-mail), and other tools and devices used to store or transfer data.
Today's information portability makes performing many school-related tasks more convenient; however, it also increases the risk of unauthorized access to protected information. As school administrators, teachers, and support staff find new ways to store and access student records, they must still ensure the information's confidentiality and privacy.
For example, if an administrator misplaces a handheld computer, any personally identifiable information it contains becomes potentially accessible to anyone who finds the device. Teachers carrying grade files home on a flash drive or storing other personally identifiable student information on home computers create the risk of unauthorized access to protected education records. Likewise, education records transferred through electronic mail could potentially be intercepted by unauthorized "Confidentiality" is a person's obligation to not disclose or transmit information to unauthorized parties. "Privacy" is a uniquely personal right that reflects an individual's freedom from intrusion. Forum Guide to the Privacy of Student Information 9 individuals. Since such situations occur daily in schools across the country, local education agencies must take precautions to guard against the unintentional release or unauthorized disclosure of education records.
Each education institution subject to FERPA should consider establishing policies, procedures, and best practices to address the following questions:
- What are the current legal restrictions for disclosure and nondisclosure?
- Does the potential risk to the confidentiality and security of education records outweigh the benefit of using certain electronic devices poses?
- Does the teacher or staff member have a legitimate educational interest in the information that meets the exception rule for prior consent (see Disclosure of Student Information)?
- Is prior consent required since the ability to carry education records off school premises changes the physical context in which the education records were originally used?
- What jobs or roles include responsibility for the safety and maintenance of education records?
- What is the ethical and legal responsibility of staff in terms of preventing unauthorized use or disclosure of information?
- What is appropriate and inappropriate use of data, and how can information be protected against unauthorized access?
- What type of training will individuals who access and/or use the information require?
- Do individuals with access to personally identifiable information take an oath of nondisclosure?
Establishing policies, procedures, and best practices is not a cure-all, but it sets the foundation for ensuring a deliberate effort to safeguard the confidentiality and privacy of education records. Updated resources can be found on the FERPA page of the Forum website: http://nces.ed.gov/forum/ferpa_links.asp.
Safeguarding the confidentiality of individual student information is the responsibility of any and all organizations and individuals who collect, maintain, access, transfer, or use education records. This guide reviews federal privacy laws, defines related terms and concepts, summarizes organizational and individual responsibilities, and describes appropriate responses to privacy-related concerns that commonly arise in a school or district setting.
This document is meant to serve as a resource for schools and school districts, but is not a substitute for the detailed direction provided in local and state privacy laws, regulations, and procedures. For a more in-depth review of privacy laws and professional practices that apply to information collected for, and maintained in, student records, see the Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies (NCES 2004). Additional resources about FERPA and other privacy issues can be found in the online document, "FERPA Facts for School Staff," available at http://nces.ed.gov/forum/ferpa_links.asp. Schools and districts should also consult all local and state privacy laws, regulations, and procedures to which they are subject.