It’s the Law: Confidentiality and Access of Student Records

What is FERPA?

The Family Educational Rights and Privacy Act (FERPA) protects the confidentiality of student records and provides rights to parents and students to access those records.

Under the Individuals with Disabilities Education Act (IDEA) there are additional confidentiality and access protections. (Check out the U.S. Department of Education’s document “IDEA and FERPA Confidentiality Provisions” for more information comparing the two.)


After you submit a FERPA request (“How to Submit a FERPA Request“) your school division has 45 days (less time if the request is before an IEP meeting or hearing) to respond to your request and provide access to the documents requested. However, sometimes they stall or don’t provide access period.

If the records you requested end up lost in a school closet for over a year (as happened to a friend of mine)—or are provided late or not at all, you’ll want to bring your school division’s attention to Sec. 300.613 of IDEA, which states:

(a) Each participating agency must permit parents to inspect and review any education records relating to their children that are collected, maintained, or used by the agency under this part. The agency must comply with a request without unnecessary delay and before any meeting regarding an IEP, or any hearing pursuant to §300.507 or §§300.530 through 300.532, or resolution session pursuant to §300.510, and in no case more than 45 days after the request has been made.

(b) The right to inspect and review education records under this section includes—(1) The right to a response from the participating agency to reasonable requests for explanations and interpretations of the records;(2) The right to request that the agency provide copies of the records containing the information if failure to provide those copies would effectively prevent the parent from exercising the right to inspect and review the records; and(3) The right to have a representative of the parent inspect and review the records.(c) An agency may presume that the parent has authority to inspect and review records relating to his or her child unless the agency has been advised that the parent does not have the authority under applicable State law governing such matters as guardianship, separation, and divorce.

There are school divisions that prevent parents from accessing records. Listed below are a few well-traveled routes to blocking access.

Change Personal Identifiers:

Per Sec. 300.32 of IDEA, personally identifiable means:

information that contains—
(a) The name of the child, the child’s parent, or other family member;
(b) The address of the child;
(c) A personal identifier, such as the child’s social security number or student number; or
(d) A list of personal characteristics or other information that would make it possible to identify the child with reasonable certainty.

When personal identifiers are changed, documents requested by parents won’t come up in FERPA requests.

For example, one of my kids was referred to as “our good buddy” and “my select student” and by his initials in different emails, so the emails didn’t come up in a response to a FERPA request. I obtained them when the LEA responded to a complaint I submitted to the state. The emails were included as part of their evidence to indicate that they took a specific action. However, the emails indicated, too, that the school intentionally changed personal identifiers. The “select student” email stated that if the teachers being emailed didn’t know who the select student was, they were to call the author of the email, not email her.

If you find that personal identifiers were changed, you might receive the following response, which Dawn Schaefer of Fairfax County Public Schools (FCPS) in Virginia provided me:

Every effort has been made to identify and provide documents related to your multiple Freedom of Information Act (FOIA) and Family Educational Rights and Privacy Act (FERPA) requests. Documents that do not have a direct identifier may or may not be readily available for staff members to pull utilizing an electronic email search. 

The FERPA states that the term personally identifiable information (PII) includes, but is not limited to (a) the student’s name; (b) the name of the student’s parent or other family members; (c) the address of the student of the student’s family; (d) a personal identifier, such as the student’s social security number, student number, or biometric record; or other indirect identifiers (e.g., the student’s date of birth, place of birth, and mother’s maiden name); (f) other information that, alone or in combination, is linked to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty” [emphasis added]; (g) information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to who the educational record relates. 

Therefore, communications without direct identifiers, including communications that when read cannot be reasonably linked to a specific student, would not be considered part of the student scholastic record, and would not be provided under FERPA.

I pointed out that, if FCPS was able to pull these emails for a complaint response, even though they had absolutely no personal identifiers, then it was common knowledge within FCPS that “our good buddy” and “my select student” were personal actually personal identifiers for my child. I requested all records with those identifiers.

Don’t Leave a Trail:

In addition to changing personal identifiers, you might run into schools that try to prevent the creation of documents.

For example, Silverbrook Elementary School Principal Melaney Mackin put the following in an email to a staff member:

“I suggest that you do not email your reply to her questions (no paper/email trail)”.

Ironic that in response to a FERPA request, I received an email from a principal who created the very trail she advised her staff member not to create.

Confidentiality Breach:

Imagine you did a FERPA request and see that your son’s English teacher bcc’d her husband on emails related to your son.

Or, maybe your daughter’s Geometry teacher forwarded your emails to her teachers’ union because she wasn’t happy with your communications with her (the ones in which you point our her repeated failure to implement accommodations) and wanted the union to get involved.

Or maybe, another parent did a FERPA request and your school provided her 76 pages of information unrelated to her daughter, 12 of which are about your child.

These are all examples of confidentiality breaches that have occurred.

If you identify a breach, you’ll want to cite Sec 300.623 of IDEA:

(a) Each participating agency must protect the confidentiality of personally identifiable information at collection, storage, disclosure, and destruction stages.(b) One official at each participating agency must assume responsibility for ensuring the confidentiality of any personally identifiable information.(c) All persons collecting or using personally identifiable information must receive training or instruction regarding the State’s policies and procedures under §300.123 and 34 CFR part 99.(d) Each participating agency must maintain, for public inspection, a current listing of the names and positions of those employees within the agency who may have access to personally identifiable information.

A record must be kept, too, to track those who have accessed your child’s records.

Remember, this includes electronic records.

For example, say your school division uses an online database, which cuts down on the need for a paper file to travel from meeting to meeting and/or transferred to different individuals as needed. In the database, the division keeps files of evaluations, grades, progress reports, IEPs, and so on, for easy access at any location division-wide.

Any time any person accesses that online database, a record of access should be maintained. But . . . What if the school turns of that portion of the program because it is unwieldy, or for any other reason? Maybe it is easier to log into the program when the access tracking function is off. Well . . . In that case (and if you find out about it), you’ll want to bring Sec. 300.614 to their attention:

Each participating agency must keep a record of parties obtaining access to education records collected, maintained, or used under Part B of the Act (except access by parents and authorized employees of the participating agency), including the name of the party, the date access was given, and the purpose for which the party is authorized to use the records.

Those Pesky Fees:

If your school division tries to charge a fee, please bring their attention to Sec. 300.617 of IDEA:

(a) Each participating agency may charge a fee for copies of records that are made for parents under this part if the fee does not effectively prevent the parents from exercising their right to inspect and review those records.(b) A participating agency may not charge a fee to search for or to retrieve information under this part.

If they try to charge a fee of $800 a page for copying, that’s an issue, too. Price gauging isn’t acceptable.