January 16, 2025 by Natasa Djalovic

10 Common FERPA Violation Examples and How to Avoid Them

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records in the United States.

Educational institutions, especially those receiving federal funding, are required to comply with FERPA. Unintentional violations can still occur, often due to misunderstandings or lapses in implementing appropriate safeguards.

In this article, we’ll explore:

  • The basics of FERPA
  • 10 FERPA violation examples
  • The potential consequences of these breaches
  • 5 steps you can take to avoid them

And if you’re here just for a quick list of FERPA violation examples, here are the 10 most common ones:

  • Unauthorized disclosure of grades
  • Letters of recommendation containing PII
  • Group emails to multiple recipients
  • Discussing a student’s information publicly
  • Explaining a student’s absence without consent
  • Mishandling records on digital platforms
  • Improper release of directory information
  • Leaving student records unsecured
  • Failure to provide access to student records
  • Improper disposal of records

What Is FERPA?

FERPA is a federal law that protects the confidentiality of student education records and grants certain rights to parents and eligible students (those over 18 years old or attending post-secondary institutions).

It applies to all educational institutions that receive funding from the U.S. Department of Education.

This includes public K-12 schools, school districts, community colleges, and state-funded universities. However, private schools and universities are generally exempt from FERPA unless they receive federal funding. For instance, many Ivy League universities, though privately funded, must comply with FERPA because they participate in federal financial aid programs, such as Pell Grants or federal student loans. As a result, FERPA regulations typically apply to these institutions.

On the other hand, a privately funded university that does not accept federal funding would not be subject to FERPA. Nonetheless, such institutions may still adhere to other privacy laws or internal policies designed to protect student records.

Key rights under FERPA include:

  • The right to access and review education records.
  • The right to request corrections of inaccuracies.
  • The right to consent before the disclosure of personally identifiable information (PII), with certain exceptions.

This legislation is seemingly straightforward since its two core aspects focus on the protection of student data privacy and giving parents and eligible students control over their personal information. FERPA violations occur when these rights are disregarded, often unintentionally, leading to the unauthorized disclosure of student information.

The reason for this is that FERPA contains ambiguous definitions, multiple exceptions, and broad interpretations of key terms like “personally identifiable information” and “legitimate educational interest.”

This complexity, combined with the increasing reliance on digital tools and third-party vendors, creates confusion and increases the likelihood of unintentional violations.

What Student Records Are Protected Under FERPA?

FERPA protects education records, defined as any records directly related to a student and maintained by an educational institution or a party acting on its behalf. These records can exist in any format, including paper, digital, audio, or video.

Examples of protected student records include:

  • Academic information — Grades, test scores, transcripts, class schedules, and enrollment status.
  • Disciplinary records — Documentation of behavioral issues, suspensions, or expulsions.
  • Health and counseling records — Records maintained by the school nurse, counselor, or mental health services, unless governed by other laws like HIPAA.
  • Financial records — Information related to scholarships, loans, and other forms of financial assistance.
  • Contact information — Names, addresses, phone numbers, and email addresses.
  • Other Personally Identifiable Information (PII) — Social Security numbers, student ID numbers, and biometric data such as fingerprints or facial recognition records.

FERPA also protects “indirect identifiers” that could be combined with other data to identify a student, such as birthdates, places of birth, or mother’s maiden name.

Schools must ensure that these records are kept secure and not disclosed without appropriate consent, except in specific situations permitted by law, such as emergencies or compliance with subpoenas.

What Student Records Are Not Protected Under FERPA?

While FERPA safeguards the privacy of most student education records, certain types of records are not protected.

These exceptions include records that fall outside the definition of “education records” or are covered by other laws.

Below are the main categories of records that FERPA does not protect:

Personal notes (Sole Possession Records)

FERPA does not apply to records kept in the sole possession of the creator, such as teachers or school staff, as long as they are:

  • Used only as a memory aid.
  • Not shared with anyone except a temporary substitute for the creator.

Examples:

  • A teacher’s personal notes about classroom observations that are not shared with administrators or other staff.
  • A counselor’s private notes intended for personal reference only.

Condition: Once these notes are shared or included in a student’s file, they become subject to FERPA.

Law enforcement unit records

Records created and maintained by a school’s law enforcement unit for law enforcement purposes are not considered education records under FERPA.

Examples:

  • Incident reports documenting criminal activity on school grounds.
  • Surveillance footage maintained exclusively by campus police or security personnel for safety purposes.

Condition: If these records are shared with school administrators or added to a student’s education file, they become FERPA-protected.

Employment records

FERPA does not protect records related to an individual’s employment by the educational institution, provided the employment is unrelated to the individual’s status as a student.

Examples:

  • Job performance evaluations of school employees who are not students.
  • Payroll information for staff members.

Condition: If a student is employed by the institution (e.g., through work-study programs), their employment records are protected under FERPA.

Medical and health records governed by HIPAA

FERPA does not apply to medical records maintained by institutions subject to the Health Insurance Portability and Accountability Act (HIPAA). However, health records maintained by a school (e.g., by a school nurse) are FERPA-protected.

Examples:

  • Records from an external healthcare provider.
  • Health records for students receiving care outside the school.

Condition: Records created by school health personnel are FERPA-protected unless shared with third-party healthcare providers.

Alumni records

Once a student graduates or permanently leaves the institution, FERPA protections no longer apply to records about their post-enrollment activities.

Examples:

  • Alumni records documenting fundraising activities or post-graduation career achievements.

Condition: Education records created while the student was enrolled remain protected under FERPA.

Aggregate or de-identified data

Data that is stripped of personally identifiable information and cannot reasonably be traced back to an individual student is not covered under FERPA.

Examples:

  • Reports on overall school performance (e.g., average test scores for a grade level).
  • Anonymous survey responses from students.

Condition: Schools must ensure that de-identification is thorough enough to prevent re-identification of individual students.

The Challenges of Avoiding FERPA Violations

Staying FERPA compliant has become increasingly challenging for educational institutions due to the growing complexity of student data management and the ambiguous nature of the law itself.

A key issue lies in determining what constitutes Personally Identifiable Information and when it can be disclosed without consent. FERPA’s definition of PII is broad, including not only names and student IDs but also “other information that, alone or in combination, is linkable to a student,” leaving room for interpretation and potential errors.

Further complicating compliance are the law’s numerous exceptions for disclosing PII without consent, such as the “directory information” rule, health or safety emergencies, and disclosures for legitimate educational interests.

The directory information exception, for instance, varies by institution, and improperly managing opt-outs can result in violations. Similarly, vague definitions of “legitimate educational interest” make it difficult to determine who should have access to student records and under what circumstances.

Modern challenges, such as the widespread use of digital learning tools, third-party vendors, and cloud-based platforms, add another layer of risk as they’re not always built to be FERPA-compliant.

Schools also need to safeguard against cybersecurity threats and data breaches, which can expose PII and violate privacy laws.

Limited resources, insufficient staff training, and overlapping legal requirements only make the problem worse.

10 Common FERPA Violation Examples

Below are some of the most common scenarios where FERPA violations occur. Some are accidental, and others imply negligence on the part of the teacher or institution.

Unauthorized disclosure of grades

Sharing a student’s grades without consent, whether by posting them publicly with identifiable information or sharing with individuals not authorized to access the records, violates FERPA.

For example, this can happen when a professor posts a list of student grades on a bulletin board using names or ID numbers. Even partial identifiers that can be linked to specific students constitute a violation.

💡 Prevention tip: Use password-protected systems to share grades securely and ensure that only the student can access their information.

Letters of recommendation containing PII

While letters of recommendation are a common part of education, including specific details about a student’s grades, GPA, or other protected information without explicit consent from the student is a violation.

This means that if a teacher writes a letter of recommendation for a student applying to college and includes the student’s GPA and academic ranking without obtaining prior written consent, they are in breach of FERPA regulations. The inclusion of such details constitutes the disclosure of personally identifiable information (PII) from the student’s education record, which requires explicit written consent from the student before being shared with third parties like colleges or universities.

💡 Prevention tip: Before writing a letter of recommendation, obtain the student’s written consent to include any education record details and keep the consent on file.

Group emails to multiple recipients

Sending group emails where students’ email addresses are visible to others can result in an unintended FERPA violation by disclosing protected contact information.

When a teacher emails a group of students about an assignment and includes all email addresses in the “To” or “CC” field, they inadvertently expose these addresses to other recipients.

💡 Prevention tip: Always use the “BCC” (Blind Carbon Copy) field for group emails to prevent recipients from seeing each other’s email addresses.

Discussing a student’s information publicly

Conversations about a student’s performance, behavior, or personal circumstances in public spaces can result in a breach of privacy.

Therefore, if a teacher discusses a student’s failing grades or disciplinary issues in the teacher’s lounge or hallway, where others might overhear, it constitutes an act of negligence and a violation of FERPA. Such discussions expose confidential student information to unauthorized individuals, even if the disclosure is unintentional, and can undermine the student’s right to privacy as guaranteed by the legislation.

💡 Prevention tip: Keep discussions about student records private and limit them to authorized personnel who have a legitimate educational interest.

Explaining a student’s absence without consent

Sharing the reason for a student’s absence, especially if it involves medical or personal details, is a violation unless the parent or eligible student has provided consent.

For example, it would be a FERPA violation for an administrator to inform another parent that a student is absent due to a family emergency or a medical condition without the explicit consent of the student or their family. Similarly, a sports coach explaining that a team member won’t participate in the upcoming season due to academic performance issues or disciplinary actions would also violate FERPA if prior consent has not been obtained.

💡 Prevention tip: Avoid discussing the reasons for a student’s absence unless authorized to do so. Instead, use neutral language like “The student is unavailable.”

Mishandling records on digital platforms

Improper use of technology, such as emailing sensitive student information without encryption or failing to secure digital systems, can lead to FERPA violations.

One such example would be an administrator sending a student’s transcript to an incorrect email address. If the recipient is unauthorized, this is a breach of FERPA.

💡 Prevention tip: Adopt secure email systems, verify recipient details, and use encryption when transmitting sensitive student records electronically.

Improper release of directory information

FERPA allows schools to disclose “directory information” (e.g., name, address, phone number, honors) without prior consent if parents and students are given a chance to opt out. Violations occur when opt-outs are not honored, or the information is improperly shared.

If a school publishes a list of students who made the honor roll, including those who opted out of directory information sharing, it constitutes a FERPA violation.

💡 Prevention tip: Maintain a current record of opt-outs and cross-check before disclosing any directory information.

Leaving student records unsecured

Physical or digital records containing sensitive student information must be properly secured. Failing to do so can lead to FERPA violations.

For example, a teacher might leave a folder with student grades and disciplinary records on their desk, where it is accessible to unauthorized individuals. Similarly, student information stored on an unlocked computer without password protection can lead to a breach.

💡 Prevention tip: Always store physical records in locked cabinets and password-protect digital files. Use secure logins for computers and file management systems.

Failure to provide access to student records

As already mentioned, FERPA grants parents and eligible students the right to access and review education records. Refusing or failing to provide access within a reasonable timeframe is a violation.

An example of this would be when a parent requests access to their child’s records, but the school delays or denies the request without valid reasoning, violating FERPA’s timeline requirement (45 days).

💡 Prevention tip: Establish clear procedures for handling requests for education records and ensure compliance with the required timeline.

Improper disposal of records

Failure to securely dispose of records containing PII can lead to FERPA breaches as it allows unauthorized individuals to access sensitive student information.

For example, discarding old grade sheets, disciplinary records, or other education documents in a standard trash bin instead of shredding or securely disposing of them can expose personally identifiable information to unintended parties, violating FERPA regulations.

💡 Prevention tip: Use shredding services or secure digital data destruction methods for proper disposal of student records.

What Are the Consequences of FERPA Violations?

Violating FERPA can lead to significant consequences that affect not only the institution’s operations but also its financial stability and reputation.

Loss of federal funding

FERPA violations can jeopardize an institution’s access to federal financial assistance, including Title I and other critical funding programs.

Since most public schools and universities rely heavily on federal aid, losing this funding could severely disrupt operations, forcing budget cuts and affecting educational resources, teacher salaries, and student services.

Legal repercussions

Although FERPA does not allow for private lawsuits, violations can lead to legal action under state privacy laws or data breach statutes.

Schools may face lawsuits alleging negligence or mishandling of private information, resulting in costly settlements, court judgments, or reputational harm. Additionally, institutions may be subject to penalties from regulatory bodies for non-compliance.

However, so far the Department of Education has never imposed a financial penalty on any institution for violating FERPA.

Reputational damage

FERPA violations can significantly damage the trust that parents, students, and the broader community place in an institution.

Publicized breaches, especially involving sensitive student data, can lead to a loss of credibility, reduced enrollment, and negative media attention. For higher education institutions, this may also affect alumni support, donations, and partnerships.

5 Steps to Avoid FERPA Violations

Preventing FERPA violations requires a proactive approach to managing student information. Schools and institutions can reduce risks by implementing robust policies, training staff, and adopting secure technologies.

Develop clear data retention and archiving policies

Having a well-defined data retention policy is essential to avoid mishandling student records. FERPA does not mandate specific retention timelines, so institutions must create their own policies to determine how long records should be kept and when they should be securely disposed of.

Here are the most important steps to take:

  • Implement a data archiving solution like Jatheon to securely store education records, ensuring they are accessible only to authorized personnel.
  • Regularly review archived records and dispose of outdated or unnecessary data securely (e.g., shredding physical records or using certified digital deletion methods).
  • Ensure archived records are stored in compliance with FERPA, FOIA, and state-specific laws.

Provide regular staff training

Ensure that all employees who handle student records understand FERPA regulations and the institution’s data privacy policies.

Educate them on:

  • The proper handling and storage of sensitive data.
  • Identifying exceptions where data can be disclosed without consent.
  • Secure use of digital platforms and email communication.

Limit access with role-based permissions

Restrict access to education records to only those employees with a legitimate educational interest. Use role-based access controls to ensure that sensitive information is not accessible to unauthorized individuals.

Best practices include implementing password protection, encryption, and multi-factor authentication (MFA) for digital systems, as well as conducting regular audits to review access logs and ensure compliance.

Use FERPA-compliant technology

Adopt tools and platforms designed to meet FERPA compliance requirements, such as secure learning management systems (LMS) and communication software.

Features to look for should include:

  • Encryption for data in transit and at rest.
  • Role-based access and audit trails to track data activity.
  • Secure sharing features for student records.

Maintain accurate opt-out records

FERPA allows the disclosure of “directory information” unless parents or eligible students opt out. To avoid violations, keep an updated record of opt-out requests and cross-check records before sharing any directory information.
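
One way to implement the cross-check described here and in the honor roll example under "Improper release of directory information" (an added illustration, not code from the original article or from any product): the sketch filters a list before publication, withholds any student who opted out or whose opt-out status cannot be verified, and releases only designated directory fields. The field names, the roster, the one-day freshness limit, and the sample records are assumptions constructed for the example.

```python
from datetime import date

# Assumption: fields this hypothetical institution designated as directory information.
DIRECTORY_FIELDS = ("name", "honors")


def normalize_id(raw):
    """Canonical student ID so 's-1002 ' and 'S1002' compare equal."""
    return "".join(ch for ch in str(raw).upper() if ch.isalnum())


def build_release(candidates, roster_ids, opt_out_ids,
                  snapshot_date, today, max_age_days=1):
    """Return (release, withheld) for a directory-information disclosure.

    release  : records reduced to DIRECTORY_FIELDS, safe to publish
    withheld : (student_id, reason) pairs kept internally for audit
    """
    # Refuse to work from an outdated opt-out export: a request filed
    # after the snapshot was taken would otherwise be ignored.
    if (today - snapshot_date).days > max_age_days:
        raise ValueError("opt-out snapshot is stale; refresh before disclosing")

    opted_out = {normalize_id(i) for i in opt_out_ids}
    roster = {normalize_id(i) for i in roster_ids}

    release, withheld = [], []
    for rec in candidates:
        sid = normalize_id(rec.get("student_id", ""))
        if not sid or sid not in roster:
            # Fail closed: opt-out status cannot be verified for this record.
            withheld.append((sid, "not in roster"))
        elif sid in opted_out:
            withheld.append((sid, "opted out"))
        else:
            # Drop everything that is not designated directory information
            # (the GPA and the student ID never reach the published list).
            release.append({f: rec[f] for f in DIRECTORY_FIELDS if f in rec})
    return release, withheld


# Constructed sample data, not real students.
HONOR_ROLL = [
    {"student_id": "S-1001", "name": "Student A", "honors": "Honor Roll", "gpa": 3.9},
    {"student_id": "s1002 ", "name": "Student B", "honors": "Honor Roll", "gpa": 3.8},
    {"student_id": "S-1003", "name": "Student C", "honors": "Honor Roll", "gpa": 3.7},
    {"student_id": "S-9999", "name": "Student D", "honors": "Honor Roll", "gpa": 3.6},
]
ROSTER = ["S1001", "S1002", "S1003"]
OPT_OUTS = ["S-1002"]  # recorded with different formatting than the honor roll export


def example():
    return build_release(HONOR_ROLL, ROSTER, OPT_OUTS,
                         snapshot_date=date(2025, 1, 15), today=date(2025, 1, 16))


if __name__ == "__main__":
    published, held_back = example()
    print("publish:", published)
    print("withheld:", held_back)
```

Normalizing IDs before comparison matters because an opt-out recorded as "S-1002" would otherwise fail to match an export that lists "s1002", and the student would be published despite the opt-out.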

Summary of the Main Points

  • FERPA is a federal law that protects the privacy of student education records, granting parents and eligible students rights to access, amend, and control the disclosure of these records. It applies to all federally funded educational institutions, including K-12 schools and colleges.
  • Protected records include grades, disciplinary records, health and counseling data, financial information, contact details, and PII such as Social Security numbers and biometric data, which must be secured unless specific exceptions apply.
  • Certain records are not protected, such as personal notes not shared with others, law enforcement records, employment records unrelated to student status, alumni records, medical records governed by HIPAA, and de-identified data.
  • Common FERPA violation examples include unauthorized grade disclosures, sharing PII in recommendation letters without consent, using group emails with visible recipients, discussing student information publicly, mishandling digital records, improperly releasing directory information, leaving records unsecured, failing to provide timely access to records, and improperly disposing of PII.
  • Non-compliance can result in the loss of federal funding, legal repercussions under state laws, reputational damage, and increased operational costs due to audits, corrective actions, and compliance measures.
  • To avoid violations, schools should implement clear data retention and archiving policies, regularly train staff on FERPA, use role-based access controls, adopt FERPA-compliant technologies, and maintain accurate opt-out records to ensure compliance and protect student privacy.

About the Author
Natasa Djalovic
Natasa Djalovic is a senior content writer with over 8 years of experience creating content for SaaS, B2B, and marketing companies. When she’s not crafting blog posts about compliance and data archiving, she enjoys building LEGO sets, watching documentaries, and hanging out with friends.
