Skip Navigation
Forum Guide to Protecting the Privacy of Student Information: State and Local Education Agencies

2.A. Privacy-Related Laws That Apply to Agencies and Schools

Types of organizations required to adhere to federal education privacy laws

Education agencies and institutions that receive funds from the U.S. Department of Education must adhere to federal privacy laws pertaining to education records of students. These generally include public elementary and secondary schools, school districts, intermediate education agencies, and state education agencies or their representatives. Most private and public colleges and universities are also subject to federal privacy laws because they receive federal funds from the U.S. Department of Education. However, because few private elementary and secondary schools receive federal funds directly, they are rarely subject to these privacy restrictions.

State or local education agencies that conduct programs administered by other federal agencies—the U.S. Departments of Agriculture, Health and Human Services, or Labor, for example—may also be required to meet confidentiality provisions of applicable statutes.

Federal laws that directly affect data collected and maintained by education agencies

A number of federal laws govern data collections by schools, districts, and state education agencies, and two of those laws apply most broadly: the Family Educational Rights and Privacy Act (FERPA) and the Protection of Pupil Rights Amendment (PPRA). Exhibits 2–1 and 2–2 contain fact sheets describing FERPA and PPRA. Together, the two laws have far-reaching legal implications for state and local policies and procedures that guide the following three aspects of education agencies’ data collection activities:

  • rights of a parent to review education records maintained by state or local education agencies or their representatives;
  • procedures by which education records can be released and protected; and
  • rights of parents to review and, under some circumstances, provide consent for their child’s participation in surveys, analyses, or evaluations that are administered by state or local education agencies or their representatives.

Privacy protection under FERPA is generally incorporated into laws authorizing federal education programs. Thus, FERPA and PPRA requirements apply to programs such as Title I, Migrant Education, Safe and Drug-Free Schools and Communities, Carl D. Perkins Vocational and Applied Technical Education Act, Education of Neglected and Delinquent Youth, Even Start, and Even Start Family Literacy. Similarly, most states include the core privacy protection of FERPA in their education legislation; in many cases, they extend and strengthen this protection.

In addition to FERPA and PPRA, other federal laws affect school, district, or state education agency data collection, maintenance, and disclosure procedures. Among them are:

  • The Individuals with Disabilities Education Act (IDEA), which applies to the education records covered by this law. However, IDEA release and disclosure requirements are substantially identical to those in FERPA.
  • The federal Drug and Alcohol Patient Records Confidentiality Law (42 CFR), which applies to the services and treatment of records belonging to students who receive assistance from programs administered by the Substance Abuse and Mental Health Services Administration.
  • The Richard B. Russell National School Lunch Act (NSLA), which restricts the release of eligibility and services information about students and families who participate in the federal free and reduced-price lunch program.
  • The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which provides privacy regulations to protect patients by limiting the ways that health plans, pharmacies, hospitals, and other covered entities can use patients’ personal medical information. The Privacy Rule of the law, however, provides a broad exemption for personal health information maintained in education records, which is protected under FERPA.
  • The Paperwork Reduction Acts of 1980 and 1995, which include rules that restrict what the federal government can ask state and local agencies to collect for the federal government.

Three other federal laws—the Freedom of Information Act (FOIA) of 1966, the Privacy Act of 1974, and the Computer Matching and Privacy Protection Act of 1 988—do not apply to the education records maintained by schools, districts, or state education agencies because these federal laws pertain only to data the federal government collects. However, many states have passed their own open records laws or other privacy laws very much like the federal statutes that may apply to the information schools collect. When agencies or schools establish data policies and procedures, they should consult state statutes on these matters, as well as the federal requirements. Many state open records laws indicate that each agency make available for public inspection and duplication copies of all records, regardless of form or format, that have been released to any person and that because of their subject matter content have become the subject of request for substantially the same record. However, state open records laws do not supersede FERPA, and educational agencies and institutions subject to FERPA should seek advice from the Family Policy Compliance Office (FPCO) if any conflicts are evident. (See section 2F for contact information.)

The federal Policy for the Protection of Human Subjects, administered by 16 federal departments and agencies, establishes procedures for protecting the rights of individuals—including students and families—who participate in federally sponsored research activities and programs. This statute establishes the preliminary rules researchers must follow when they conduct studies sponsored by federal agencies. Although these regulations may apply to data collections by schools, FERPA establishes additional basic disclosure restrictions that guide the treatment of any information collected in schools if the information either derives from education records or is maintained in those records for any period of time. These restrictions apply to activities sponsored by an education or other agency or an individual.

The No Child Left Behind (NCLB) Act of 2001 includes amendments to PPRA that give parents more rights with regard to the inclusion of minor students as survey respondents, the collection of information from students for marketing purposes, and certain nonemergency medical examinations. See section C, “U.S. Department of Education-Funded Surveys and Studies,” for detailed discussion.

In addition, the Patriot Act of 2001 allows the U.S. Attorney General or his or her deputy to apply for an ex parte court order requiring an education agency or institution to allow the Attorney General or his designee to collect and use education records relevant to investigations and prosecutions of specified crimes or acts of terrorism (domestic or international). The Attorney General must certify that there are specific facts giving reason to believe that the records contain the required information. An education agency or institution that in good faith releases records in accordance with the court’s order is not liable to any person for releasing the records subject to confidentiality procedures developed in consultation with the Secretary of Education.