skip to main content


Family Educational Rights and Privacy Act (FERPA) Update

January 16, 2009

Authors: Anne H. Littlefield, Julie C. Fay

On December 9, 2008, the United States Department of Education issued new regulations for the Family Educational Rights and Privacy Act (“FERPA”), the Federal law that protects the confidentiality of student education records. These regulations went into effect January 8, 2009.

These regulations made several notable clarifications to existing requirements regarding the confidentiality and disclosure of student information under FERPA. In particular, the changes clarify the existing right of parents to access information about eligible students; the scope of individuals who may qualify as a “school official” to whom a disclosure may be made without prior written consent; and permissible redisclosures of student information by third parties. In addition, the new regulations expand the scope of information traditionally covered under the law to include “biometric information,” which includes such things as fingerprints, retina and iris patterns, DNA sequences and so forth. The changes further protect the confidentiality of student identifiers by prohibiting the disclosure of a student’s social security number and other student identifiers, except in very limited circumstances.

In response to issues raised in the wake of the Virginia Tech tragedy in April 2007, the regulations were revised to provide greater flexibility for institutions to disclose private student information to various parties in certain health and safety emergency situations. While districts were previously permitted to disclose confidential student information without consent if necessary to protect the health and safety of the student or other individuals, prior regulations stated that this exception must be “strictly construed.” This language has been removed and the new regulations permit districts to make such disclosures, “if there is an articulable and significant threat to the health or safety of a student or other individuals.” However, under these new regulations, school districts who rely upon the health and safety exception to justify the disclosure of student information must now also record the articulable and significant threat that formed the basis for the disclosure as well as the identity of the parties to whom the disclosure was made.

Another significant change to the regulations was the revision of the definition of what information qualifies as “personally identifiable information,” which is protected from disclosure. Under FERPA, school districts are required to maintain the confidentiality of any personally identifiable student information and may only disclose such information without consent if there is an applicable exception. Therefore, absent consent, districts must remove any personally identifiable information, or “de-identify” the records, prior to disclosure. Prior regulations defined personally identifiable information to include any information “that would make the student’s identity easily traceable.” The new definition removes this language and provides a more objective standard for determining when information is properly “de-identified.” Under the new definition, personally identifiable information is “other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty.” The regulations further clarify that when responding to “targeted” requests for information, a district may not release information from a student’s educational records if the district has reason to believe that the person requesting the information knows the identity of the student to whom the record relates. These changes were made to provide districts with greater clarity in responding to requests related to identifiable students or requests made in the wake of highly publicized incidents within the school environment.

Finally, the new regulations expand the scope of the FERPA enforcement procedures, a change that could potentially increase the administrative burden on institutions covered under the law. In particular, the regulations broaden the scope of materials that the Family Policy Compliance Office (FPCO), the Federal body authorized by the Secretary of Education to conduct FERPA investigations, can require an educational institution to provide during the course of an investigation.

In response to these recent changes to FERPA, we recommend that districts review the new regulations in conjunction with their existing student records policies to ensure that school policies and practices reflect updated requirements for maintaining and disclosing student information.

A complete copy of the final FERPA regulations can be found at
If you have questions about this alert, please contact Julie Fay at or (860) 251-5009.

Related File(s)

Practice Areas

Industries & Featured Services

© Shipman & Goodwin LLP, 2019. All Rights Reserved.