Data Privacy and FERPA Compliance in Education Services

The Family Educational Rights and Privacy Act governs how educational institutions handle student records — and the penalties for getting it wrong ripple well beyond the registrar's office. FERPA applies to any school that receives federal funding administered by the U.S. Department of Education, which means virtually every public school district and most colleges in the country. For training providers and education services navigating this landscape, understanding where the rules apply — and where they stop — is one of the more consequential administrative questions they'll face.

Definition and scope

FERPA, codified at 20 U.S.C. § 1232g and implemented through regulations at 34 C.F.R. Part 99, grants students (and parents of minors) the right to inspect their own education records, request corrections, and control disclosure to third parties. The law covers "education records" broadly — any records, files, documents, or other materials that contain information directly related to a student and are maintained by an educational agency or institution.

That last phrase carries real weight. A counselor's personal notes kept solely in their own possession aren't covered. An official transcript absolutely is. The U.S. Department of Education's FERPA guidance page draws this distinction clearly, noting that the definition is intentionally wide to prevent institutions from routing sensitive data through informal channels as a workaround.

Institutions that violate FERPA risk losing federal funding — a consequence significant enough that the Department of Education has used the threat of fund termination to compel compliance, even when direct financial penalties aren't assessed per incident.

How it works

FERPA compliance operates through a structured set of permissions and prohibitions. The core mechanism works like this:

  1. Default protection — Education records may not be disclosed to outside parties without written consent from the eligible student (or parent, if the student is under 18).
  2. Directory information exception — Schools may designate certain data (name, enrollment status, field of study) as "directory information" and disclose it publicly, but only after providing students an annual notice and a genuine opt-out opportunity.
  3. Legitimate educational interest exception — School officials with a documented need to review records as part of their professional duties may access them without separate consent.
  4. Federal and state authority exception — Authorized federal and state education authorities conducting audits or evaluations may access records under strict conditions.
  5. Health and safety emergency exception — Records can be disclosed to address an imminent threat to the student or others, but this exception is narrow and must be documented.

For compliance training administrators building internal programs, the distinction between these exception categories is where most confusion concentrates. Assuming that a "school official" designation automatically covers all staff is a common and costly misread.

Common scenarios

Three situations come up repeatedly in the education services context.

Third-party vendors and learning platforms. When an institution contracts with an online training program or learning management system vendor, FERPA's "school official" exception can apply — but only if the vendor performs a service the school would otherwise handle itself, operates under direct control regarding record use, and is subject to the same FERPA conditions as actual school employees (34 C.F.R. § 99.31(a)(1)(i)(B)). A vendor that collects student data and monetizes it independently falls outside this protection.

Employer-sponsored training and transcripts. In workforce training arrangements — where an employer funds employee education — the employer does not automatically gain access to the employee-student's records. Even a tuition-reimbursement agreement doesn't override FERPA consent requirements. The student must provide explicit written authorization before the institution shares any grade or completion data with the sponsoring organization.

Subpoenas and law enforcement requests. FERPA permits disclosure in response to a lawfully issued subpoena, but the institution is generally required to notify the student in advance so they can seek protective action — unless the subpoena itself prohibits notification (as grand jury subpoenas often do).

Decision boundaries

The hardest judgment calls in FERPA compliance tend to cluster around three fault lines.

FERPA vs. HIPAA. When a school operates a health clinic, records generated in that clinical context can fall under HIPAA instead of — or in addition to — FERPA. The Department of Education and HHS issued joint guidance clarifying that HIPAA's Privacy Rule generally does not apply to education records covered by FERPA, but treatment records of students 18 and older at postsecondary institutions are a specific exception where the boundary blurs.

Postsecondary vs. K-12 rights. At the postsecondary level, rights transfer entirely to the student at age 18 or upon enrollment. A parent cannot call a university registrar and request their adult child's grades — not without the student's written consent. This contrast with K-12, where parents hold primary rights, is one of the more predictable points of friction in training for career advancement programs that blend secondary and adult learners in the same cohort.

De-identified data. Data from which all personally identifiable information has been removed falls outside FERPA's scope. The regulation at 34 C.F.R. § 99.3 defines "personally identifiable information" to include not just direct identifiers but indirect ones — any information that would make a student's identity "easily traceable." Institutions using student data for training program evaluation or outcomes research need a formal de-identification protocol, not just a removed name field, before treating records as outside the regulatory boundary.

The Student Privacy Policy Office (SPPO), housed within the Department of Education, publishes technical assistance documents and maintains a dedicated resource hub that remains the most authoritative operational reference for institutions working through these distinctions.

