FERPA Violation Examples

    Tamzid Ahmed | Security and Compliance Writer

    April 16, 2025

    13 FERPA Violation Examples You Need to Know and Avoid

    FERPA is a federal law that protects student privacy. It gives students control over their educational records and restricts how schools handle personal data.

    Any school that receives federal funding, public or private, must follow FERPA rules. Ignoring these rules can lead to serious consequences, including losing that funding.

    This blog breaks down 13 real-world examples of FERPA violations, explains what went wrong, and shows you how to avoid making the same mistakes.

    13 FERPA Violation Examples

    Let’s look at the most common FERPA violations, the main reasons behind them, and how to prevent them:

    Example:

    A teacher emails a list of students’ grades to all parents in the class. Another coach mentions a student-athlete’s academic eligibility status in a conversation with an unauthorized parent. A school office staff member prints a class roster that includes Social Security numbers and leaves it unattended on the counter.

    Why This Violates FERPA:

    Any disclosure of a student’s educational records without written consent, unless covered under an exception, is a clear violation.

    How to Prevent It:

    • Always confirm the recipient is authorized.
    • Never share personal or academic details without consent.
    • Use secure portals for grade or performance updates.

    2. Posting Grades Publicly with Identifiable Information

    Example:
    A professor tapes a list of grades outside their office, with student names or ID numbers visible.

    Why This Violates FERPA:

    Even if ID numbers are used, if they can be linked back to individual students, it’s considered a disclosure of PII (personally identifiable information).

    How to Prevent It:

    • Use unique identifiers only known to the student.
    • Post grades in secure systems, not public spaces.

    3. Leaving Student Records Unsecured

    Example:

    Student files are left on an unlocked desk overnight. Digital records are stored on a shared drive without password protection. A thumb drive containing IEPs is lost by a staff member.

    Why This Violates FERPA:

    FERPA requires schools to protect records from unauthorized access. Leaving them exposed, physically or digitally, counts as non-compliance.

    How to Prevent It:

    • Use locked file cabinets and password-protected systems.
    • Implement Clean Desk and Clean Screen policies.
    • Train staff on handling sensitive data.

    4. Using Unsecured Email or Communication Channels

    Example:

    A staff member sends a bulk email with students’ academic warnings using CC instead of BCC. Another teacher discusses a student’s progress in a group chat on a non-approved messaging app.

    Why This Violates FERPA:

    Non-directory student information shared over unsecured or public channels risks unauthorized access.

    How to Prevent It:

    • Only use FERPA-compliant platforms.
    • Use encryption when needed.
    • Train staff on proper communication tools.

    5. Denying Parents or Students Access to Records

    Example:

    A school takes months to respond to a parent’s request to review their child’s disciplinary file. The school refuses to provide access to a student’s transcript without justification.

    Why This Violates FERPA:

    FERPA gives parents (and eligible students) the right to inspect and review their records within 45 days.

    How to Prevent It:

    • Create a formal request and response procedure.
    • Document and track all access requests.
    • Train front-line staff to escalate these promptly.

    6. Mishandling Opt-Out Requests for Directory Information

    Example:

    A school shares a student’s name and address with a yearbook company even though the student opted out of directory information sharing.

    Why This Violates FERPA:

    If a student opts out, directory information must not be disclosed. Ignoring opt-out preferences is a violation.

    How to Prevent It:

    • Keep updated lists of opt-out students.
    • Share those lists with all relevant departments.
    • Review opt-out policies with staff each term.

    7. Improper Disposal of Records

    Example:

    Staff toss student documents into a recycling bin instead of shredding them. Old USB drives with academic records are thrown out without being wiped.

    Why This Violates FERPA:

    Failure to securely destroy records exposes sensitive data to unauthorized access, which breaches FERPA obligations.

    How to Prevent It:

    • Shred all physical documents.
    • Wipe or physically destroy devices storing student data.
    • Follow a strict disposal policy for all media types.

    8. Discussing Student Records in Public Spaces

    Example:

    Teachers chat in a school hallway about a student’s disciplinary issues. A counselor discusses a student’s mental health in the teacher’s lounge with staff not involved in the student’s support.

    Why This Violates FERPA:

    Even verbal disclosures of personally identifiable information to unauthorized individuals breach FERPA protections.

    How to Prevent It:

    • Only discuss student information in private, secure settings.
    • Limit conversations to staff with legitimate educational interest.
    • Remind staff regularly about confidentiality boundaries.

    9. Sharing Login Credentials or System Access

    Example:

    A school staff member shares their SIS (Student Information System) login with a substitute. Another teacher leaves their computer unlocked with a student’s profile open.

    Why This Violates FERPA:

    Providing unauthorized individuals with access to student data, directly or indirectly, violates data protection responsibilities.

    How to Prevent It:

    • Never share login details.
    • Enforce automatic timeouts and screen locks.
    • Train staff on protecting digital access.

    Example:

    A teacher publishes a student’s essay or project online without removing the student’s name or obtaining consent. A classroom project with full student names and photos is uploaded to YouTube.

    Why This Violates FERPA:

    Student work can be considered an education record if it includes identifying information.

    How to Prevent It:

    • Get written consent before sharing student work publicly.
    • Anonymize work before using it for display or instructional purposes.

    11. Improper Handling of Surveillance Footage

    Example:

    A principal shows security footage involving a student fight to a parent of another student who was not involved. Staff members casually watch hallway footage during breaks.

    Why This Violates FERPA:

    Video footage that includes identifiable students and is used for disciplinary purposes is an education record under FERPA.

    How to Prevent It:

    • Treat security footage as confidential when students are identifiable.
    • Only allow access to those with legitimate educational interest.
    • Log all requests to view such records.

    12. Forwarding Student Info During Staff Transitions

    Example:

    A departing teacher emails all student education records to their personal account to finish grading later. Another staff member forwards confidential student information to a new hire before formal onboarding begins.

    Why This Violates FERPA:
    Sending records to personal or unapproved systems exposes sensitive student information to unauthorized access, which can violate FERPA. These actions bypass institutional safeguards meant to protect student data and compromise FERPA compliance. Even if done with good intent, such actions are considered common FERPA violations.

    How to Prevent It:

    • Block file transfers to personal email accounts or unverified platforms.
    • Require that all education records be shared only through secure, institution-approved systems.
    • Train school employees on how to handle student records securely during role changes and onboarding.
    • Reinforce the importance of protecting student privacy and adhering to federal law when accessing or transferring student information.

    13. Using Student Information for Non-Educational Purposes

    Example:

    A coach uses student contact information from the school’s database to promote their private sports training business. A teacher shares student emails to encourage participation in a religious group.

    Why This Violates FERPA:

    Under federal law, student data collected by educational institutions must be used strictly for educational purposes. Using such information for personal, commercial, or religious outreach directly violates FERPA compliance guidelines. Sharing confidential student information without prior written consent from the parent or eligible student is also a breach.

    How to Prevent It:

    • Use student data only for authorized school-related purposes tied to legitimate educational interests.
    • Ensure all staff, including school employees, understand the consequences of misusing student data under FERPA.
    • Monitor and restrict access to student data based on specific job responsibilities.
    • Include this scenario in regular FERPA training to reduce the risk of future violations.

    What are the four main FERPA exceptions?

    The four main FERPA exceptions that allow disclosure of student education records without prior written consent are the following:

    1. School Officials with Legitimate Educational Interests: School employees, contractors, or officials can access education records if they need the information to do their job. This includes teaching, advising, or handling administrative duties.
    2. Directory Information Disclosure: Schools may release directory information like a student’s name, grade level, or participation in sports unless the parent or eligible student has opted out. Schools must notify families each year and give them the chance to opt out.
    3. Transfer or Enrollment in Another School: Schools can share education records with another educational institution where a student is enrolling or transferring. The disclosure must relate to the student’s enrollment and doesn’t require consent.
    4. Health or Safety Emergencies: In the event of a health or safety emergency, schools can share personally identifiable information with parties who need it to protect the student or others. This includes law enforcement, medical staff, or parents.

    Do Private or Independent Schools Have to Share Student Education Records With Military Recruiters?

    No. Private and independent schools are not required to share student education records with military recruiters under FERPA.

    Why:

    The federal law that mandates schools provide access to military recruiters, the Every Student Succeeds Act (ESSA), only applies to public schools that receive federal funding. Private schools that don’t receive such funding are exempt from this requirement under the privacy act and family educational rights regulations.

    However:

    If a private school does receive funding, even indirectly, it may be subject to this provision. In such cases, school administrators must ensure that disclosures do not violate FERPA protections, especially when students’ Social Security numbers or other sensitive student information are involved. It’s also critical to inform parents about their rights and the school’s disclosure practices under FERPA and other federal guidelines.

    Does FERPA Apply to Videos?

    Yes. FERPA applies to videos if a student is personally identifiable in the footage and the video is maintained by the school.

    When It Applies
    If a video is used for disciplinary purposes, includes a student’s face, voice, name tag, or other identifying info, and is stored by the school, it becomes part of the student’s education record under FERPA.

    When It Doesn’t
    If the video doesn’t clearly identify any student or isn’t maintained by the school, FERPA doesn’t apply.

    Important Note
    Even if only one student is clearly visible in the video, schools must treat it as that student’s education record and give access to the parent or eligible student upon request.

    What Should Schools Include in an Education Record?

    Schools should include any records that are directly related to a student and maintained by the school or someone acting for the school. These records can exist in any format: paper, digital, audio, or video.

    Examples of what to include

    • Grades and transcripts
    • Class schedules
    • Disciplinary records
    • Attendance records
    • Special education documents (like IEPs)
    • Health and immunization records maintained by the school
    • Student work that is graded or stored
    • Emails that reference the student and are kept by the school
    • Counseling and psychological evaluations
    • Records of school activities or awards

    What not to include

    • Personal notes kept by teachers (that are not shared)
    • Campus police or law enforcement unit records
    • Employment records for student workers (unless the job is part of an educational program)
    • Alumni records after graduation

    If it identifies the student and the school maintains it, it likely qualifies as part of the education record under FERPA.

    Can School Officials Share Personal Knowledge or Observations?

    Yes. School officials can share personal knowledge or observations about a student as long as the information is not part of the student’s education record.

    Allowed
    A teacher can talk about their own observations, like a student’s behavior in class or participation, if that info hasn’t been documented in an education record. This distinction is essential to maintaining FERPA compliance while supporting day-to-day interactions among school officials.

    Not Allowed
    If the observation has been written down or added to a file, such as a disciplinary record or behavior report, it becomes part of the student’s education records and is protected under FERPA. Sharing such information without written consent from the parent or eligible student may violate FERPA and compromise student privacy. This includes notes involving medical records, a child’s education records, or sensitive issues tied to health records.

    Bottom line
    Personal observations = okay to share
    Recorded information = protected under FERPA

    FAQ

    What is not a FERPA violation?

    Sharing personal observations that haven’t been documented in a student’s education record is not a FERPA violation. For example, a teacher casually mentioning a student’s behavior to a colleague isn’t restricted unless it’s written down and becomes part of the record. Also, law enforcement records maintained by a school’s law enforcement unit are not protected under FERPA.

    What Is a FERPA-Eligible Student?

    A FERPA-eligible student is one who is 18 years old or attending a postsecondary institution. At that point, the rights under FERPA transfer from the parents to the student. Eligible students gain full control over access to their educational records, including the right to provide or withhold written consent for disclosures.

    What Are the Two Types of Educational Records According to FERPA?

    1. Directory Information: Includes basic details like name, address, and grade level. Schools can release this unless a parent or eligible student opts out.
    2. Non-Directory Information: Covers all other student education records, including disciplinary records, grades, medical records, and anything that could be used to access sensitive student information.

    How Does FERPA Apply to K-12?

    FERPA gives parents and eligible students the right to review education records, request corrections, and control most disclosures. In K-12, the rights stay with the parents until the student turns 18 or enters higher education institutions. Schools must also follow rules around directory information, financial aid, and disciplinary actions.

    Does FERPA Apply to K12?

    Yes. FERPA applies fully to all K-12 educational institutions that receive federal funding. These schools must protect student data, maintain proper consent procedures, and uphold the educational rights and privacy of students and their families.

    Does FERPA Apply to Private and Independent Schools?

    Only if they receive federal funding. FERPA doesn’t apply to private or religious schools that operate without such funding. However, if a school does receive funding, even through programs like financial aid, then FERPA regulations kick in, including protections around students’ Social Security numbers and confidential student information.

    A student has opted out of directory information and wants to be anonymous in an online course. Are we required to allow the student to take the course anonymously?

    No. Opting out of directory information doesn’t give students the right to anonymity in class settings. Schools may still display the student’s name or email address in course-related platforms. However, staff should still avoid disclosing personally identifiable information unrelated to class participation.

    An eligible student that opted out of directory information has left the school. Now that the student is no longer in attendance, may the school disclose that student’s directory information?

    No. The opt-out request stays in effect even after the student leaves, unless the eligible student formally rescinds it. Schools must continue to protect that student’s education record to remain in compliance with FERPA and avoid FERPA violation consequences.

    Are educational agencies and institutions required to notify parents and eligible students of their rights under FERPA?

    Yes. Schools must provide an annual notice of FERPA rights to parents and eligible students. The notice should explain how to access records, request corrections, and control disclosures. This requirement applies to any school or agency that wants to receive federal funding from the Department of Education.

    Are law enforcement records protected under FERPA?

    No. Records created and maintained by a school’s law enforcement unit are not considered education records under FERPA. These fall outside the scope of FERPA protections and are governed by different laws. Still, schools must be careful not to mix these with actual student records.

    Still have questions about FERPA? The U.S. Department of Education answers the most frequently asked on

    Tamzid Ahmed | Security and Compliance Writer

    Tamzid brings 5+ years of specialized writing experience across SaaS, cybersecurity, compliance, and blockchain. He’s skilled at simplifying complex concepts without losing depth. He follows the latest cybersecurity compliance updates and brings readers practical insights they can trust and keeps them ahead of the curve.
