Compliance Regulatory Overview: FERPA

This lesson is part four of a seven-part series on IT regulatory compliance. Part four deals with the Family Educational Rights and Privacy Act (FERPA): who it affects, what failure to comply could mean to your organization, and best practices for complying.

Lesson 4 of 7

The Family Educational Rights and Privacy Act (FERPA) was enacted in August of 1974 to protect student education records and pertains to any school, either K-12 or higher education, public, or private, that receives funds under any program from the U.S. Department of Education.

Most public and private U.S. schools fall under FERPA and IT staff who work for these institutions must understand FERPA's provisions to ensure compliance.

To get a handle on FERPA requirements, here are 10 things you should know:

  • FERPA covers private and public schools, colleges, and universities.
  • Regulations were set before the information age and as a result must be carefully interpreted.
  • Directory information, which can be shared without the consent of a student, must be used carefully.
  • Records of a student's use of a school network require stringent protection.
  • "Do not share" requests must be honored.
  • Do not use "last four" recording of a student's social security number.
  • Appropriate access rights must be maintained.
  • Privacy rights of students and parents' need to fulfill financial responsibilities could conflict.
  • The information age has changed the way you need to comply with FERPA regulations.
  • Consult a lawyer for advice on compliance issues.

For details, download Ten things you should know about the Family Educational Rights and Privacy Act (FERPA).

Weekly tips in your inbox
For weekly information on a variety of subjects related to IT compliance, including regulations outlined by Sarbanes-Oxley, HIPAA, and e-mail, sign up for TechRepublic's free Compliance Issues newsletter.
Automatically sign up today!

What are the steps to compliance?

According to the University of North Texas, there are two basic strategies institutions should take: Notify current students annually in writing of their rights under FERPA, and grant access by students or parents, if applicable, to education records. For details, and the answers to other questions such as what are and are not considered educational records, see FERPA Training Q&A.

For a comprehensive list of FERPA resources, including free downloads, see page two.

FERPA resources

White papers


  • DocFinity (Optical Image Technology)
  • IBM (Rational Software Development Platform)
  • Hewlett-Packard (OpenView Compliance Manager)
  • Xerox (FERPA Compliance Services)

Course list

Sign up for the Compliance Regulatory Overview series

If you haven't subscribed to this series, automatically sign up today to receive the entire Compliance Regulatory Overview series in your inbox.

We want your feedback

Lesson 4 on the Family Educational Rights and Privacy Act (FERPA) was:

 Very helplful
 Somewhat helpful
 Not helpful