Family Educational Rights and Privacy Act (FERPA)

Read the information below and then take the FERPA self-assessment quiz.

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

While FERPA gives parents certain rights with respect to their children’s education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."

  • Generally, postsecondary institutions must have written permission from the eligible student in order to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions (34 CFR § 99.31):
    • School officials with legitimate educational interest;
    • Other schools to which a student is transferring;
    • Specified officials for audit or evaluation purposes;
    • Appropriate parties in connection with financial aid to a student;
    • Organizations conducting certain studies for or on behalf of the school;
    • Accrediting organizations;
    • To comply with a judicial order or lawfully issued subpoena;
    • Appropriate officials in cases of health and safety emergencies; and
    • State and local authorities, within a juvenile justice system, pursuant to specific State law.

The term "education records" is broadly defined as all records, files, documents and other materials which: contain information directly related to a student; and are maintained by the educational agency or institution or by a person acting for such agency or institution.

The ACT states that each educational agency or institution shall maintain a record, kept with the education records of each student, which will indicate all individuals [except for those defined by the institution to have a “legitimate educational interest”], agencies, or organizations which have requested or obtained access to a student’s educationalrecords maintained by such educational agency or institution, and which will indicate specifically the legitimate interest that each such person, agency, or organization has in obtaining this information.


Institutions are allowed to publish “directory information,” so long as public notice is given of the categories of information which it has so designated to be such information with respect to each student attending the institution. Institutions must also allow a reasonable period of time after such notice has been given for the eligible student to inform them that any or all of the information designated should not be released without their prior consent.

For the purposes of this section, the ACT indicates that the term “directory information” relating to a student may include the following: the student’s name, address, telephone listing, date and place of birth, major field of study, participation in officially recognized activities and sports, weight and height of members of athletic teams, dates of attendance, degrees and awards received, and the most recent previous educational agency or institution attended by the student.

Auburn University publishes its list of “Directory Information” at the following web page:

Students may restrict release of specific pieces of this “directory information” under the PLUS/OASIS system. Under Banner, they will either restrict all or none of said information.


Release of ALL other “Educational Records” (except for the exclusions listed in 34 CFR § 99.31) is dependent upon the student authorizing such release. The only exception would be the case of a dependent parent who can have access to a student’s records under provisions outlined on this same Auburn web page:

Parents of students termed as "dependent" for income tax purposes may have access to the student’s education records. A request for the specific records desired along with a copy of the parent’s most recent federal income tax return, on which the parents declared the student as dependent, must be submitted to the Registrar's Office to document "dependency." The student will be notified of the request made by the parent and allowed adequate time (10 days) to question the request.

The Office of Student Financial Services provides the ability for students to add a parent or other individual to their “e-bill” account. Students may also fill out an information release form (available on OASIS web) authorizing certain other individuals to access financial information. Such a form eliminates the necessity for the parents to prove financial dependency as well as the requirement that the student to be notified each and every time an authorized parent requests financial information from Student Financial Services.

Release of any “educational records,” through any other venues to third parties (including parents) should be handled according Auburn University’s posted guidelines.


  • It can be very difficult to ascertain the true identity of an individual who is making a telephone call seeking information. Procedures to release information to authorized agents (including the student and their authorized parents) should be stringent enough to all but ensure that the person on the phone is who they say they are. The following web site: offers the following advice:

Be careful about disclosing information over the telephone or email. Unless you’ve clearly authenticated the student’s identity (e.g., via a prearranged PIN or password), you have no way of knowing that you’re talking to the student. If it is merely someone pretending to be the student (e.g., a roommate, significant other, or relative), you’ve disclosed personally identifiable information without consent. Keep in mind that these individuals may know many of the identifiers you might ordinarily use to authenticate identity, such as date of birth, social security number, and mother’s maiden name, so those identifiers are insufficient to guarantee the privacy of the student’s information.

Even caller ID cannot be trusted, since it is relatively easy to spoof the caller ID. (The caller ID information provided to businesses in connection with a toll free number uses a different system that is much more difficult to spoof.) If you are going to disclose information over the telephone, only do so after you’ve called back the individual at a telephone number you have on file for them.

The informal nature of a telephone call makes it very easy to accidentally disclose information. Private investigators routinely use pretexting (pretending to be someone that they aren’t) and other techniques to extract information. For example, getting someone to correct an error is often used. They ask you "when did so and so graduate" and when you say "they haven’t graduated yet", you just disclosed that they are a student.

  • Access to student records, does not constitute authority to release such information to a third-party, even with proper authorization from the eligible student. Employees with access to student information will encounter people who are not authorized to receive student data, but who might make a convincing argument as to why such information should be released to them. Such people include, parents or other relatives, spouses (and ex-spouses), employers (or potential employers), law enforcement agents (even those with what appear to be valid subpoenas), and attorneys. In general, unless an employee’s job duties specifically include the release of educational records (including “directory information”) and they have been trained in FERPA regulations, ALL such requests should be forwarded to the Registrar's or his designee.
  • Finally, access to student records, also does not legitimize access to such information simply to satisfy one’s curiosity, or to conduct informal research about a particular student or group of students. Research utilizing data residing in a student’s ‘Educational Record’ should be approved by IRB ( Institutional Review Board for Protection of Human Subjects in Research )

Take a FERPA knowledge self-assessment quiz


Last Updated: January 24, 2011

Internal Auditing | Auburn, Alabama 36849 | (334) 844-4389 |
Website Feedback | Privacy | Copyright ©