What Are Educational Records According to FERPA?

A FERPA Compliance Flowchart

What Are Educational Records According to FERPA?

What Are Educational Records According to FERPA?
A Discussion and Flowchart

by Daniel J. Solove

Educational records according to FERPA are “those records, files, docu­ments, and other materials which contain information directly related to a stu­dent; and are maintained by an educational agency or institution.” FERPA, 20 U.S.C. § 1232g(a)(4)(A).

The scope of coverage of the Family Educational Rights and Privacy Act (FERPA) of 1974, 20 U.S.C. § 1232g, is a challenging issue. It does not cover all information about students.  Nor does it cover all information about people that a school maintains.

This is a very broad definition. It encompasses paper and electronic files, grades, video recordings, audio recordings, and other data. The personal knowledge and observations of educators that are not part of the record are not covered by FERPA.

FERPA applies to currently-enrolled students. Applicants, alumni, donors, employees, and others do not have FERPA rights.  FERPA rights continue after a student graduates for the information in records while the student was enrolled. But if data is collected about an alumnus post-graduation, it is not part of the education record.

What Is Not Considered Educational Records According to FERPA

The following types of records are not considered “education records” under FERPA and are not regulated under FERPA:

(1) Law Enforcement Records.  Records maintained by a separate law enforcement unit of a school are not considered “education records” and are not subject to FERPA protections.

(2) Treatment Records. Treatment records are the medical or psychological records of students 18 years or older who are being treated by a physician, psychiatrist, psychologist, or other related professional.  They are not considered “education records.”

(3) Sole Possession Notes.  “Sole possession notes” are notes that are (a) used only as a memory aid; (b) kept only by an employee for his or her own use; and (c) not shared with anyone.

It is important to note, though, that the types of records above can become education records in a number of circumstances.   When used or disclosed in certain ways, they can be deemed education records and become FERPA-regulated.

Educational Records According to FERPA Flowchart

Below is a flow chart I made to help make it easier to walk through the process of determining what is an “education record.”  Please note that the flowchart is designed to focus on the main points and doesn’t delve into everything.  It is designed to be a handy “cheat sheet” not to be serve as definitive legal advice.

Educational records according to FERPA Flowchart

The Family Educational Rights and Privacy Act (FERPA) defines educational records in 20 U.S.C. § 1232g(a)(4)(A) as materials that 1) contain information directly related to a student and 2) are maintained by an educational institution or its agent. This broad definition encompasses both physical and digital formats, including:

  • Academic records (transcripts, class schedules, grades)

  • Disciplinary reports

  • Student financial aid documents

  • Email communications containing personally identifiable information (PII)

  • Learning management system (LMS) data (assignment submissions, discussion posts)

For example, a professor’s notes about a student’s participation in class discussions become educational records if shared with administrators or stored in institutional systems. However, records kept solely by an individual (e.g., private advising notes not shared with others) may qualify for the “sole possession records” exception.

 

Campus police records created for law enforcement purposes are excluded from FERPA protections. However, if these records are shared with non-law enforcement school officials and used for disciplinary actions, they may convert into educational records.

Medical or psychological records maintained by healthcare professionals solely for treatment purposes are excluded. These become educational records if disclosed to school administrators without student consent.

Faculty/staff personal notes are sole possession records and must meet strict criteria:

  • Used only as memory aids

  • Not accessible to others

  • Not shared in any form (verbally, digitally, or physically)

For instance, a professor’s handwritten observations about a student’s behavior during office hours would qualify unless emailed to a department chair.

 

FERPA applies equally to digital records, including:

  1. :
    Course analytics in platforms like Canvas or Blackboard that track login frequency or assignment completion times are protected if they contain PII.

  2. :
    Lecture recordings become educational records if students are identifiable. During the COVID-19 pandemic, the Department of Education clarified that Zoom class recordings fall under FERPA.

  3. :
    Institutions must ensure edtech vendors handling student data comply with FERPA through written agreements.

  • : Students may request access within 45 days.

  • : Students can challenge inaccurate records.

  • : Institutions must obtain written consent before sharing PII with third parties, except for directory information or legitimate educational interests.

Parents retain FERPA rights until students turn 18 or enroll in postsecondary education. Exceptions apply for dependent students claimed on tax returns.

 

  1. :
    Disclose FERPA rights to students via email, student portals, and orientation materials.

  2. :
    Collect only necessary PII. For example, course evaluations should avoid identifiers unless required.

  3. :

    • Encrypt digital records containing PII

    • Conduct annual audits of third-party vendors

    • Implement role-based access controls for staff

  4. :
    Require FERPA certification for all staff handling student data, with refresher courses every two years.

:
A department secretary emails a student’s GPA to a scholarship committee without consent. This violates FERPA because:

  • The GPA is directly related to the student

  • The email is maintained by institutional servers

  • No applicable exceptions exist

: Are group project submissions educational records?
A: Yes, if individual contributions are identifiable. Redact peer names before sharing externally.

: How long must institutions retain records?
A: FERPA doesn’t specify retention periods, but states may impose requirements (e.g., California mandates 5 years for disciplinary records).

: Can alumni access their educational records?
A: Yes, FERPA rights persist indefinitely, though institutions may charge retrieval fees.

The Department of Education fined the university $85,000 after staff emailed unprotected spreadsheets containing 15,000 student IDs and GPAs to an unauthorized contractor.

Implemented a FERPA chatbot in 2023 that screens record requests using natural language processing, reducing improper disclosures by 62%.

  • Audit all digital storage systems for unencrypted PII

  • Update FERPA consent forms to include AI tool disclosures

  • Train faculty on sole possession note criteria

Divider 02

 Our FERPA Training + Other Education Privacy and Security Training

We have a training course on the Family Educational Rights and Privacy Act (FERPA) that is designed for administrators, faculty, and staff.

Our course (~15 minutes) provides a basic introduction to FERPA and practical guidance about how to comply. The course is taught by Professor Daniel Solove, who has taught in higher education for more than 15 years. Professor Solove teaches in a highly-engaging way that is ideally suited for the higher education context.  The course is visually stimulating, interactive, and filled with concrete examples.

The course module is SCORM-compliant and works on most learning management systems.

In addition to FERPA training, we have short training courses on:

FERPA Compliance• cloud computing
• cyberbullying
• online gossip and self-exposure
• data security awareness
• phishing
• social engineering
• encryption
• portable electronic devices
• GLBA
• PCI payment card data
• FTC Red Flags Rule
• HIPAA
• research involving health data

Click here for a listing of our education privacy training courses.
Click here for a listing of all our information security awareness training courses.
Click here for a listing of our financial privacy topics.
Click here for our catalog.

Divider 02

About Professor Solove and TeachPrivacy

Daniel Solove Data Security TrainingThis resource page was written by Professor Daniel J. Solove. Professor Solove is a law professor at George Washington University Law School and the leading expert on privacy and data security law. He has taught for 15 years, has published 10 books and more than 50 articles, including the leading textbook on information privacy law and a short guidebook on the subject. His LinkedIn blog has more than 900,000 followers. Click here for more information about Professor Solove.

TeachPrivacy provides privacy awareness training, information security awareness training, phishing training, HIPAA training, FERPA training, PCI training, as well as training on many other privacy and security topics. TeachPrivacy was founded by Professor Solove, who is deeply involved in the creation of all training programs because he believes that training works best when made by subject-matter experts and by people with extensive teaching experience.

Divider 02

Please Contact Us If You Are Interested In Privacy and Data Security Training

We can provide you with a login so you can evaluate the programs. Click here for our catalog.

    First Name

    Last Name

    Organization

    Title

    E-mail

    Phone No.

    Address

    Please tell us about your training needs

    PROFESSOR SOLOVE'S NEWSLETTER
    Professor Solove’s newsletter covers his latest writings, events, and training. It is sent weekly.
    You can unsubscribe at any time. Click to see a sample issue.
    Would you be interested in subscribing?
    YesNoAlready Subscribed