Skip Navigation
Protecting the Privacy of Student Records, Section 1 full text
Section 1:
A Primer for Privacy 
Principles and Concepts
A. Principles Underlying Privacy Protections
B. Key Concepts of Privacy Laws and Confidentiality Policies
C. Important Terms

Suggested Audiences:


Students and their parents entrust schools with their personal information with the expectation that this information will be used by the schools to serve the needs of the students effectively and efficiently. School districts maintain and use personal information for a variety of educational purposes while students are in school. To protect the privacy of the students and their families, agency and school staff are legally and ethically responsible for safeguarding student information.

Many federal and state laws and regulations, which must be followed, relate to maintaining and releasing student information. However, education agencies need additional policies and procedures to guide their everyday operations to maintain the information. Since agencies vary in how they collect and maintain information about students, the types of policies and procedures needed also will vary. This document provides examples of policies and procedures as well as guidelines for deciding what is needed to ensure the privacy of student information.

Section 1 presents an overview of the principles related to the privacy of student records, explains key concepts, defines important terms, and describes the uses and organization of this document.


A. Principles Underlying Privacy Protections

To protect the privacy of families whose children are in school, states and the federal government have established strong legal statutes to keep private the information in education records that schools maintain on students. These laws frame data collection procedures, restrict information disclosure, and safeguard the quality of the information that school systems routinely collect and maintain. All education records about students, whether handwritten or computerized, are protected by the same privacy regulations. Education personnel are responsible for protecting the integrity and accuracy of the information they gather and maintain. Therefore, data managers, their staff, and other agency and school personnel, must become familiar with the laws that ensure the confidentiality of the records as well as the legal conceptsunderlying those laws.

Education records contain the administrative reports of students' educational progress, along with any information about past or current use of schoolrelated services, such as special education, social work services, or other supplementary educational support. The Family Educational Rights and Privacy Act (FERPA), a federal law, limits who can see an education record without the consent of the student's parent, and it provides for a parent's right to see what is kept in the records. These two basic features have broad implications for the treatment of information about students by teachers, administrators, and researchers.

In addition, schools that participate in a federally assisted school nutrition program have personal information about students' eligibility for free and reduced-price school meals or free milk. These programs have regulations that are more restrictive than FERPA's regarding the disclosure and use of this information. In cases of emergency, school officials can obtain data in education records to help students or their families get the assistance or care they need.

In addition to the everyday use of student information by teachers and administrators, education records are a source of basic data used for administrative purposes and policymaking. Statistical information summarized from education records can be an important resource for monitoring programs and for evaluating the success or failure of education policies. Administrative use of computerized records means that education records are used increasingly farther from their point of origin. As a result, it has become more complicated but no less essential for school officials to be vigilant about protecting the confidentiality of records. Those who work with education records have legal and ethical obligations to observe rigorous procedures for protecting the privacy of the original information and the individuals whose records are involved.

The Information Infrastructure Task Force of the National Information Infrastructure (NII) recently developed a set of principles for providing and using personal information. These principles, summarized in Exhibit 1-1, provide guidance for those who are drafting laws and regulations or creating codes of fair information practices and implementation procedures. The principles apply to both the private and public sectors. The guidelines presented throughout this document are consistent with the NII principles.

B. Key Concepts of Privacy Laws and Confidentiality Policies

Privacy laws lead to establishing regulations that education agencies and schools must follow so that information about children is available only to officials who are authorized to know such information. The laws were passed by the U.S. Congress to ensure parents the right of access to information about their children, while allowing education officials the flexibility they need to use the information in making decisions that serve children well.

Federal and state privacy statutes pertaining to students in elementary and secondary schools build on concepts of common law and privacy guarantees found in the U.S. Constitution. Fundamental to the government's rulemaking about data collection, privacy, and appropriate use are three concepts--notification, disclosure, and informed consent.

Notification (according to FERPA) refers to an agency's responsibility to inform parents, guardians, or students who are over eighteen of the legal basis for compiling data and the limited circumstances under which records can be released or disclosed. When school officials collect information about families or students, they must explain the rationale--or "give public notice"--of the reasons the data are being collected.

Disclosure refers to access, release, or transfer of personal information about individuals. Privacy laws define appropriate or inappropriate information disclosures or releases. According to FERPA, data about students may be disclosed without parental consent only to school and other education officials who use it to provide educational services or to carry out legally specified administrative and statistical activities. Any instance in which unauthorized individuals see or use private information about students is an inappropriate and often illegal disclosure, unless the parent or the student gives consent or the law makes such access legal.

Informed consent involves providing a written account of why personal information is requested and how it will be used. In general, parents should have the option, without penalty, of agreeing or declining to provide the information an education agency or school requests. Certain information, however, is required by schools, and parents must provide the information in order for their children to be enrolled. Parents' agreement must be based on an understandable explanation of how the information will be used. Once a parent's informed consent is given for a particular purpose or set of purposes, the information cannot be "redisclosed"--used by a third party--except as originally indicated. FERPA regulations require that prior consent be given by parents for the disclosure of information to persons other than school officials.

C. Important Terms

Education Record

An education record is a compilation of records, files, documents, and other materials that contain information directly related to a student and maintained by education agencies or institutions, or by individuals acting on behalf of the agencies. According to FERPA, a record means any information recorded in any way, including, but not limited to, handwriting, print, computer media, video or audio tape, film, microfilm, and microfiche. An education record, sometimes referred to as a student record, may include a variety of details about a student such as the date of birth, date of enrollment, bus route, immunization history, achievement test scores and grades, enrollment and attendance, awards, degrees achieved, and special education plans and evaluations. Personal notes by teachers or other staff that are not meant to be shared are not part of an education record. A record of a student may be maintained in more than one location within an agency or school (e.g., enrollment record in the school's administrative office and health information in the school health clinic).

Information included in an education record is collected primarily from the student (or family members), teachers, and other school staff. It may also be collected from other sources outside the school, such as health care providers or testing companies. Personal information about students is a vital resource for teachers and school staff in planning responsive education programs and services--designing individual education plans; scheduling students into appropriate classes; planning school bus routes; and completing reports for local, state, and federal authorities. In emergencies, the information is readily available to school officials to assist students and their families. A limited amount of this information, as defined by the school district or the state, makes up a student's permanent records or transcripts.


Confidentiality refers to your obligation not to disclose or transmit information to unauthorized parties. Confidentiality extends to information about either individuals or organizations. In schools, districts, or state education agencies, that usually means establishing procedures that limit access to information about students or their families. This access extends to the school officials who work directly with the students, agency representatives who serve as evaluators or auditors, or individuals who act on behalf of authorized education officials.


Privacy is a uniquely personal right that reflects an individual's freedom from intrusion. Protecting privacy means ensuring that information about individuals is not disclosed without their consent. A student's right of privacy is violated when personal information is disclosed to others without consent, or when he or she is being asked for personal information by others who have no legal basis to do so. While confidentiality, defined above, refers to restricting disclosure of information to authorized individuals only, privacy refers to protection from personal intrusion.


Security refers to technical procedures that ensure only the authorized and intended parties have access to data.

Disclosure (or Release)

Disclosure includes permitting access to, revealing, releasing, transferring, disseminating, or otherwise communicating all or any part of any individual record orally, in writing, or by electronic or any other means to any person or entity. The terms disclosure and release are used interchangeably in this document. Throughout this document, the information being disclosed or released pertains to students and/or their families.

Parent or Eligible Student

FERPA grants parents the rights to review, request amendment to, and release education records. A parent means a natural or adoptive parent, a legal guardian, or an individual acting as a parent in the absence of the parent or guardian. These rights transfer to eligible students when they reach eighteen or when they attend a postsecondary education institution. However, parents can still have access if the eligible student is a dependent for tax purposes. When used in thisdocument, the term parent refers to the person who is given the rights described in FERPA.

Agency or School

Throughout this document, agency or school refers to the entity that collects, maintains, uses, and releases information from education records. This entity may be a state education agency, school district, public or private school or institution, intermediate education unit, or an institution to which funds have been available to administer an educational program for students with disabilities or schooltowork programs administered on behalf of an education agency.


Information Infrastructure Task Force. 1995. Privacy and the national information infrastructure: principles for providing and using personal information.

National Forum on Education Statistics. 1994. Education data confidentiality: two studies. Washington, DC: Government Printing Office.

Russell, D., and Gangemi, G.T. Sr. 1991. Computer security basics. Sebastopol, CA: O'Reilly & Associates, Inc. 

Top of PageHome page of this documentTable of ContentsThe previous page in this publicationThe next page in this publication
For questions about the content of this product, please contact Lee M. Hoffman.