What is FERPA?

FERPA protects personally identifiable student information and prohibits its disclosure to third parties. Find out how to make your school’s record management solutions compliant.

Educational institutions need to understand and comply with FERPA’s requirements to protect their students’ privacy and deter child identity theft. Let Access help.


The Family Educational Rights Privacy Act (FERPA) requires any school receiving federal funding to create and maintain compliant retention, disclosure and destruction policies for records containing the personally identifiable information (PII) of their students. In addition to protecting the privacy of student records, the law gives parents of underage children, and students over the age of 18, the right to opt-out of sharing directory information with third parties. The law applies to public schools, whether elementary or secondary, local educational agencies (LEAs) and postsecondary institutions, such as universities and colleges.

What does this have to do with child identity theft?

Everything. Many routine school forms require that parents and students supply sensitive information. When not retained and destroyed correctly, these files can become easily accessible to potential identity thieves, who take advantage of the clean credit histories and lack of monitoring associated with young children’s credit reports.

In fact, child identity theft has grown exponentially over the last few years, with upwards of 500,000 children becoming victims every year.

FERPA was created to safeguard this personal information, and schools must adhere to its requirements in order to receive their federal funding.

How do I ensure compliance with FERPA regulations?

In relation to the management of sensitive student records, educational facilities need to ensure they store records securely, disclose information carefully and destroy files correctly.

What FERPA Doesn't Do

While FERPA establishes requirements for the protection and disclosure of student records, it does not dictate the methods or duration of the records’ storage. Nor does it specify destruction procedures once records can be safely destroyed. As a matter of fact, the law only stipulates that education records cannot be destroyed if there is an outstanding request from a student or guardian to inspect the files. Schools are left to develop retention and destruction policies on their own, which they must then communicate to students and alumni.

In addition, revisions have been made to the law throughout the years that have expanded the disclosure rules. Schools must remain vigilant about these changes, as well as the potential for future consent and disclosure modifications.

What Access Does

We provide the highest levels of security concerning PII and other confidential information.

We closely follow applicable regulatory developments in order to quickly update our procedures and assure our clients’ continued compliance.

We maintain facilities with NAID AAA Certifications for the onsite and mobile destruction of physical documents, computer hardware and all forms of digital media.

Applicable school records can include, but are not limited to:

  • Social Security Numbers (SSNs)
  • Grades and GPAs
  • Transcripts
  • Academic Evaluations
  • Class Lists and Course Schedules
  • Disciplinary Files and Certain Psychological Evaluations
  • Health Records (at the K-12 level)
  • Student Financial Information (at the collegiate level)

The requirements apply to PII stored in any physical or digital format, such as handwritten documents, printed records, computer media, videotapes, audiotapes, microfilm/microfiche and e-mails.