Skip Navigation
Forum Guide to the Privacy of Student Information
NCES 2006-805
July 2006

Confidentiality and Privacy Concerns

"Confidentiality" is a person's obligation to not disclose or transmit information to unauthorized parties.

"Privacy" is a uniquely personal right that reflects an individual's freedom from intrusion.

Until recently, the main concern regarding confidentiality and privacy of education records centered on individuals hacking into central computer systems or otherwise illegally accessing records through other security breaches. With technology increasingly used to ensure the availability of timely and accurate information, however, the scope of this issue has expanded to include portable storage devices (flash drives), handheld computers, electronic information transfers (e-mail), and other tools and devices used to store or transfer data.

Today's information portability makes performing many school-related tasks more convenient; however, it also increases the risk of unauthorized access to protected information. As school administrators, teachers, and support staff find new ways to store and access student records, they must still ensure the information's confidentiality and privacy.

For example, if an administrator misplaces a handheld computer, any personally identifiable information it contains becomes potentially available to anyone who finds the device. Teachers carrying grade files home on a flash drive or storing other personally identifiable student information on home computers, create the risk of unauthorized access to protected education records. Likewise, education records transferred through electronic mail could potentially be intercepted by unauthorized individuals. Since such situations occur daily in schools across the country, local education agencies must take precautions to guard against the unintentional release or unauthorized disclosure of education records.

Each education institution subject to FERPA should consider establishing policies, procedures, and best practices to address the following questions:

  • What are the current legal restrictions for disclosure and nondisclosure?
  • Does the potential risk to the confidentiality and security of education records outweigh the benefit of using certain electronic devices poses?
  • Does the teacher or staff member have a legitimate educational interest in the information that meets the exception rule for prior consent (see Disclosure of Student Information)?
  • Is prior consent required since the ability to carry education records off school premises changes the physical context in which the education records were originally used?
  • What jobs or roles include responsibility for the safety and maintenance of education records.
  • What is the ethical and legal responsibility of staff in terms of preventing unauthorized use or disclosure of information?
  • What is appropriate and inappropriate use of data, and how can they be protected against unauthorized access?
  • What type of training will individuals who access and/or use the information require?
  • Do individuals with access to personally identifiable information take an oath of nondisclosure?

Establishing policies, procedures, and best practices is not a cure-all, but it sets the foundation for ensuring a deliberate effort to safeguard the confidentiality and privacy of education records.

Updated resources can be found on the FERPA page of the Forum website.