Are you handling students' education records or personally identifiable information (PII)? If so, it's crucial that you're familiar with what student privacy laws such as the Family Educational Rights and Privacy Act (FERPA) have to say. In this article, we'll go over what educators and administrators need to know about FERPA and student data privacy.

Table of Contents

What is Student Data?

Federal laws such as the Family Educational Rights and Privacy Act define which type of student information is "student data." The two categories of student data are:

Educational records: such as a student's GPA, report cards, grades, transcripts, and/or courses taken. In most cases, a student's disciplinary records are also educational records.

Personally identifiable information: i.e. information that someone could use to identify an individual student and that is not an educational record. Some examples of student PII include a student's social security number, family contact information, ID photos, and biometric data such as fingerprints and handwriting.

Other types of information may not qualify as student data. For example, FERPA does not apply to "directory information", i.e. information that does not violate student privacy if disclosed to a third party. Directory information is info that is okay to publish in a student directory. Directory information may include:

  • A student's name, mailing address, telephone number, date and place of birth, and student ID number (unless someone could use this ID number to access education records)
  • Extracurricular activities
  • Honors and awards
  • Dates of attendance or enrollment

Schools and universities can reveal a student's directory information to a third party without violating FERPA, even without the student's permission, as long as the student is aware of the potential for such disclosure and has not explicitly restricted it. For example, a university might confirm to a news outlet that a former student had attended the university between two specific dates.

In addition, schools and universities can disclose non-directory information to third parties in limited cases, without the student's consent, to third parties such as:

  • School officials with legitimate educational purposes
  • Other school systems, school districts, or educational agencies to which a student is transferring
  • Parties handling a student's financial aid
  • A student's parents or officials in the event of a health or safety emergency
  • Law enforcement, following a judicial order or subpoena

Finally, FERPA generally does not apply to the privacy of student data for minors under the age of 18, unless they are attending a postsecondary educational institution such as a college or university. This means that FERPA is less relevant for high schools and K-12 schools that mainly enroll minor students. However, schools can release minor student records with parental consent. Students who require FERPA data protection are "eligible students."

Student Data Privacy with FERPA

So far, we've answered the question "What is student data?" — but why should student data privacy laws such as FERPA be such an important concern?

First, there's the issue of compliance. FERPA controls the use of student and education data by any private or public schools that receive funds from the U.S. Department of Education. Any institution or organization that carries out student data collection, processing, or storage must proactively secure the students' data.

Noncompliance with FERPA could mean your institution loses federal funding and experiences an increase in potential risks of reputational damage and expensive lawsuits. Without following commonsense security practices regarding your use of educational technology, you'll be significantly more likely to suffer costly and embarrassing data breaches.

In 2016, for example, graduates of the University of Central Florida sued the school after a 63,000-person data breach exposed their social security numbers; UCF eventually settled the lawsuit, agreeing to spend an additional $1 million per year to shore up data security.

Need help bringing your organization into compliance with FERPA regulations? The U.S. Department of Education operates the Privacy Technical Assistance Center (PTAC), which provides answers to many common questions about privacy, security, and confidentiality for educational institutions. Another good third-party resource for educators and policymakers is the Student Privacy Compass, (formerly known as FERPA|Sherpa).

Beyond FERPA, educational institutions should also be aware of several other laws governing how they can collect, store and process students' private information:

The Children's Online Privacy Protection Act (COPPA) requires the Federal Trade Commission (FTC) to enforce regulations for children's privacy when using online service providers, commercial websites, and mobile applications. These services must publicly announce what information they collect from children and get parental consent for collecting this information. COPPA may be especially relevant for institutions' use of third-party edtech software tools, e.g. for remote learning.

The Protection of Pupil Rights Amendment (PPRA) requires educational institutions to obtain the consent of a parent or guardian before surveying minor students for certain types of personal information. Protected categories under PPRA include surveys about a student's political affiliation, psychological issues, income, and religion.

Finally, educational institutions should also know of any state laws regarding student data privacy that may place further limits on the collection, storage, and processing of educational records and PII. For example, while the California Consumer Privacy Act (CCPA) does not directly apply to educational institutions, it does apply to third-party companies that help institutions store and process student data.

How Can Help with Student Data Privacy

FERPA and other student data privacy laws require you to take data security seriously — but what does this look like in practice? Choosing an ETL tool such as is one of the best ways to protect sensitive and confidential information during your data processing workflows. is a powerful, feature-rich yet user-friendly ETL and data integration platform — and security is our utmost priority. We use SSL/TLS encryption on all of our websites and microservices to protect your data both in transit and at rest, and we follow best practices regarding physical security, cloud security, and network security. 

Want to learn how can help improve your IT security posture? Get in touch with our team today for a chat about your business needs and objectives, or to start your 14-day pilot of the platform.