Skip Navigation
Protecting the Privacy of Student Records, Section 4 full text
Section 4:
Securing the Privacy of Data Maintained
and Used within an Agency 
Commonly Asked Questions
A. Management Responsibilities
B. Defining "Legitimate Educational Interests"
C. Training Agency Staff
D. Professional Ethical Standards
E. Research Use within an Agency

Suggested Audiences:


Many school administrators have nightmares about break-downs in the security of their records systems. One administrator might agonize about the file cabinet key stolen from the school secretary's desk when he or she is at lunch. Another might worry about students breaking into the automated management information system to change their grades. Still another might cringe at the thought of certain student information being released to the media.

Maintaining the privacy of personally identifiable data about students requires clear policies to restrict who has access to data and how the data are used. This section describes some of the considerations in deciding who can review and use student data, what are legitimate uses of data, and what security will be needed to protect against inappropriate access.


Q. If a student's record is corrected at the district level, must the district inform other holders of that record?

A. Yes. This is a major part of the importance of a written policy regarding what data are maintained and where they are kept. Also see Section 5 for changes made to education records as requested by parents.

Q. What should I do when elected officials or others with authority over me want to see individual education records?

A. Unless authorized by law, the same rules of access apply to elected officials as to anyoneelse outside an agency. When you establish policies and procedures on access, the records manager or designated official would have the authority to deny unauthorized access. You can instruct all other staff members to refer requests to the designated official or records manager. See Section 4, Guidelines A, B, and E.

Q. If some student data are protected and others are not, must I keep separate sets of records on students?

A. No, you are not required to keep separate sets. However, it is a good practice and would facilitate monitoring access to the records.

Q. Does everyone in an agency have access rights to student records?

A. No. See Section 4, Guidelines B for specific guidance.

Q. Do contractors or vendors for an agency have access rights to student records?

A. Contractors or vendors acting on behalf of the agency or school to perform specified duties may be allowed access to those records they need to perform such duties. You should consider this kind of access case-by-case. Staff from organizations who have access to individual data should be trained in their responsibilities to keep the data confidential. See Section 4, Guidelines B and E.

Q. Who can do filing, typing, and data entry of education records?

A. Agencies or schools may assign these duties to qualified staff members. However, it is important to provide training as soon as you hire both permanent and temporary staff. The training should include the access rights as well as the responsibilities for safeguarding the confidentiality of data to which they have access. See Section 4, Guidelines C.

Q. What policies should a school district, regional office, and state education agency have in effect?

A. In addition to the policies required by federal or state laws, you should also establish policies that cover how and what data to collect; how, where, and how long data are maintained; on what criteria individuals within and outside the agency may be given access to these data; and how students and parents may review and request amendment to the education records. See Sections 3, 4, 5, and 6.


A. Management Responsibilities

Staff responsible for student data must protect the privacy of the data by ensuring that procedures for maintaining the data are secure enough to prohibit access to anyone other than the appropriate persons (those with a need-to-know) and that these procedures are followed. Responsible staff may be the principal of a school, a school secretary, computer technicians, a guidance counselor, a school or district registrar, the superintendent, or other appointed staff members. These staff members should ensure that education records are kept in a locked, fire-proof (preferably), and secure location where they cannot be inappropriately read, stolen, or changed. Schools, districts, or state education agencies with individual education records maintained in computer files may have a data division with a manager and staff who are responsible for maintaining the security and privacy of education records.

No matter what the position, a person with responsibility for the confidentiality of education records (e.g., the records manager) has serious responsibilities for ensuring that all who work with the data will help him or her in guarding the privacy of education records. In addition, the records manager should ensure that the equipment and procedures used will protect the security of the records. You should develop a written policy that describes what data are maintained and what procedures are in place to ensure that access to personally identifiable data is restricted only to those persons with a legitimate educational interest as defined by the system.

To carry out these management responsibilities, the records manager must know who is authorized to see personally identifiable student data. A written policy can define the appropriate school officials and what constitutes a legitimate educational interest. This policy should state who is allowed to change data and what procedures are needed to ensure that all records are updated when changes are made.

Management has a responsibility to inform staff members of their rights and responsibilities with regard to student data. One commonly used procedure is to have persons granted access to personally identifiable data sign an oath of non-disclosure. This agreement should list all types of information that must be kept confidential and forbid staff from discussing security aspects of the data system, whether a locked filing cabinet or a computer, with unauthorized individuals. Specific penalties required by law or regulations should be included in this oath. While this may seem extreme, it can help to ensure that staff know exactly what the requirements and their responsibilities are.

The selection of equipment and the location for the equipment used to maintain student records are important management responsibilities. Lockable filing cabinets are important for paper documents, but maintaining these documents in a safe and monitorable location is also essential. You should develop procedures for having the files unlocked and available when needed by staff, as well as for securing them when not needed.

For computerized student data, select equipment that has the appropriate mechanical configuration, provides access to authorized users, and has software that allows the restriction of access to authorized persons only. Among the procedures used to ensure the privacy and security of computer records are password applications that restrict access to data elements and files only to those with authorization, frequent password changes to guard against break-ins, and the use of encryption. Monitoring access to the secured files is also desirable. Computers can record which users enter into secured files.

The location of computer equipment should guard against threats from intruders as well as physical disasters and other unforeseen problems. Computer equipment should be kept in lockable rooms with appropriate electrical connections and sufficient space to maintain it. In addition, the equipment should not be located near water pipes or other sources of potential disasters. Exhibit 4-1 contains additional information about securing automated records.

B. Defining "Legitimate Educational Interests"

The Family Educational Rights and Privacy Act (FERPA) makes it clear that "school officials with legitimate educational interests" may be given access to personally identifiable information about students. However the law does not say who those persons are, nor does it stipulate how to determine the limits of a legitimate educational interest. Agencies or schools maintaining personally identifiable data about students should have written criteria for determining which school officials have a legitimate educational interest in specific education records because this must be included in the annual notification to parents, as specified in FERPA. The intent to follow this practice should be stated in the school's or agency's written policy.

In determining the school officials who might need access to education records, it may be more practical to establish broad position criteria than to list exactly who, or what individual positions, qualify. General criteria such as these might be useful:

Identifying a person as a school official does not automatically grant him or her unlimited access to education records. The existence of a legitimate educational interest may need to be determined case-by-case. A sample policy statement of what constitutes legitimate educational interest might include wording such as the following:

A school official is determined to have legitimate educational interest if the information requested is (1) necessary for that official to perform appropriate tasks that are specified in his or her position description or by a contract agreement; (2) used within the context of official agency or school business and not for purposes extraneous to the official's areas of responsibility or to the agency or school; (3) relevant to the accomplishment of some task or to a determination about the student; and (4) consistent with the purposes for which the data are maintained.

School officials should be informed that having access to education records or the information within the records does not constitute authority to share this information with anyone not given access through the written policy. This is particularly critical if the data are to be used away from the agency or school by contractors or consultants. See Section 6 for more information on releasing information outside an agency.

After the policy defines school officials with a legitimate educational interest, a list of authorized positions or persons and records or specific data elements to which they may have access should be created. This is particularly important if the system is automated. Section 3 describes some of the staff members who might have a legitimate educational interest.

If you have any questions about whether a requestor has a legitimate educational interest, ask the records manager not to disclose the information without prior approval from the parents or other appropriate officials.

The records manager must decide the legitimacy of each request for information. If there is any doubt or question regarding the request or the legitimate educational interest, the records manager should not disclose the information without the approval or concurrence of appropriate agency or school officials or written permission from the student or parent.

C. Training Agency Staff

Training all agency staff, even those who do not have access to individual education records, is important to ensure that education records are handled correctly. Staff members should beinformed about what is considered appropriate and inappropriate access to the data and use of the information within the records. For instance, a staff member may have a legitimate access right to a student's education record for making placement decisions. That same staff member may not have a right to view the records of other students for whom he or she does not have responsibilities. Persons who are not authorized to see personally identifiable data should be informed why they are denied access if they are in positions where they must work with students.

Plan to train new staff members as soon as possible after they are hired. Training should cover the requirements and restrictions under FERPA and other relevant federal and state laws regarding confidential information (e.g., public health code), and relevant professional standards of practice.

Training should cover any special requirements related to specific data collection documents or procedures. Staff should be trained how to ask questions, what to do if the person being asked cannot understand English, how to handle problems when there are misunderstandings, exactly what is expected in each data collection document, and any other important procedural details. Training should cover the responsibility to protect information while it is being collected or used. For instance, staff should not leave education record files opened on their desks or showing on their computers when they step away from their desks.

D. Professional Ethical Standards

The use and misuse of student data are covered to some extent by professional ethical standards. Several documents should be reviewed and considered in this area. Two particularly relevant sets of ethical standards are the Ethical Standards for School Counselors and Ethics and Law for School Psychologists. Another document is the Standards for Educational and Psychological Tests, produced jointly by the American Educational Research Association, American Psychological Association, and National Council on Measurement in Education. This document specifically addresses the use of test results. Also, a good resource is The Program Evaluation Standards, published by The Joint Committee on Standards for Educational Evaluation. These standards describe ethics related to respecting and protecting the rights and welfare of human subjects. See the references at the end of this section.

E. Research Use within an Agency

Sometimes the records manager will receive requests for research using education records, such as comparisons of the test scores of students in different programs. District policy or procedures should specify the steps in making and acting on such requests. The records manager may elect to have staff complete the analysis or contract with consultants to do the analysis. If a staff member conducts the analysis, it is important to determine if he or she is authorized to have access to personally identifiable student data. If not, the records manager may create a file containing the needed data without the students' identifying information. This is a good way to protect confidentiality while allowing data to be used by contractors or outside researchers as well. We describe the release of student data in more detail in Section 6.


American Psychological Association. 1992. American psychologist. Vol. 47, No. 12. Washington, DC: American Psychological Association.

American Psychological Association. 1987. Casebook on ethical principles of psychologists. Washington, DC: American Psychological Association.

American School Counselor Association. 1992. Ethical standards for school counselors. Alexandria, VA.

JacobTimm, S., and Hartshorne, T. 1994. Ethics and law for school psychologists. (2nd edition) Brandon, VT: Clinical Psychology Publishing Co., Inc.

Joint Committee of the American Psychological Association, American Educational Research Association, and National Council on Measurement in Education. 1974. Standards for educational and psychological tests. Washington, DC: American Psychological Association, Inc.

The Joint Committee on Standards for Educational Evaluation. 1994. The program evaluation standards: how to assess evaluations of educational programs. 2nd Ed. Thousand Oaks, CA: Sage Publications, Inc.

Mason, R.O., Mason, F.M.,and Culnan, M.J. 1995. Ethics of information management. Thousand Oaks, CA: Sage Publications, Inc.

National Center for Education Statistics. 1991. Standards for education data collection and reporting. Washington, DC: National Center for Education Statistics. 

Top of PageHome page of this documentTable of ContentsPrevious sectionThe next page in this publication
For questions about the content of this product, please contact Lee M. Hoffman.