FERPA is governed by the Department of Education and applies to all schools who receive funds from applicable programs of the U.S. Department of Education. You must comply by keeping information directly related to a student private and confidential.

FERPA transfers the rights to education records to the student when they reach age 18 or when they enter a postsecondary institution at any age. Students are then referred to as “eligible students.”

Eligible students have the right to inspect and review their education records maintained by the postsecondary institution. Schools are not required to provide copies of records unless it is impossible for eligible students to review the records (i.e. residing outside of the local area) and schools may charge a fee for copies.

Eligible students have the right to request a school correct records that they believe to be inaccurate or misleading. If the school decides not to amend the record, the eligible student has a right to a formal hearing. If the school still decides not to amend the record, the student has the right to place a statement into the permanent record noting their view.

Schools must have written permission from the eligible student in order to release or disclose any information from their education record, even to parents. The easiest way to make sure you are sharing information with the right people is to include a disclosure statement with orientation so a student can tell you who they will allow you to speak with, such as mom or dad.

However FERPA allows schools to disclose record information, without consent, to school officials having legitimate education interests, if the student is seeking enrollment in another school or to state or federal auditors enforcing laws related to school programs. They can also disclose information in order to determine or obtain financial aid, when a lawfully issued court order or subpoena is issued or information they designate as “directory.”

Directory information is standard name, address, telephone number, date of birth, honors, awards and dates of attendance. It is NOT grades, nationality, financial information, SSN’s or identifying numbers.

Schools must inform a student annually, through school handbooks or other general means, of FERPA policies, what they consider directory and allow a student to request that the school not disclose any or all of their information.

Should a student file a complaint, it is done through the Family Policy Compliance Office who will follow-up with the school and student to determine if FERPA is being followed and rights have been violated.

Violations can result in a school losing their participation in federal funding programs and program payments being terminated. Worse case scenario is that the school must cease and desist operations.

A related law, governed by the Federal Trade Commission, is the Gramm-Leach Bliley Act (GLB). This law applies to any entity having access to consumer’s personal and financial information. A postsecondary institution also falls under this category and therefore must comply with both FERPA and GLB.

GLB sets standards for developing, implementing and maintaining reasonable safeguards to protect the security, confidentiality and integrity of customer information. By following FERPA guidelines, your institution is meeting many of the GLB guidelines.

Notices of how you keep student’s information private are required annually (ie FERPA compliance notice in handbooks). Confidentiality notices should be included on all faxes and emails sent from the institution. Security programs should be coordinated on campus that identifies risks and assesses safeguards in place to control risks.

Safeguard rules identify 3 areas that are particularly important to information security: employee management and training, information systems and managing system failures.
Such items can be addressed by having a privacy policy in place, reviewing it with employees annually and having a signed compliance statement on file—even with work study students. Everyone should be aware that information they have access to is private. Shred paper information, use passwords, wear identification badges, adjust computers so views are private, lock file cabinets and impose a clean desk policy so others can’t walk in and read information left on desks.

FERPA and GLB were designed to assist against identity theft, the fastest growing crime in America, and a postsecondary institution must be sure they are protecting themselves and their school by complying with privacy programs. All postsecondary institution employees should be trained and practice these policies—from Facilities to the Dean.

If you’d like a more detailed FERPA/GLB presentation for your staff and associated departments, please don’t hesitate to contact Darwin Morency, your Tri State Chase Education Finance representative (darwin.g.morency@chase.com), to help you comply. FERPA/GLB is the law, it helps avoid lawsuits, identity theft and families, who are receiving privacy statements from other entities, will expect it. Remember, “when in doubt, don’t give it out.”

Calendar of Events

HBCUs : A Snapshot