The Catholic University of America

Summary of Federal Laws


Miscellaneous Laws Affecting Students  

The Family Educational Rights and Privacy Act of 1974 (FERPA) (also known as the Buckley Amendment)

 20 U.S.C. § 1232g; 34 C.F.R. § 99.1 et seq.

Regulates the keeping and dissemination of *education records* at all institutions that receive federal funds or who have students receiving federal funds. Procedures must be in place to allow a student access to education records. Consent must be obtained to release education records to a third party, with certain exceptions contained in the law. Directory information may be released without permission of the student unless the student has specifically requested that said information not be released. Types of information that may be disclosed as directory information include: student's name, degrees and awards received, address, most recent previous institution attended, participation in officially recognized sports, activities, dates of attendance, major fields of study, e-mail address, class schedule, full- or part-time status, and photograph. Information which may not be released as directory information includes social security number, race/ethnicity or gender.

Students must be informed of their rights under this law. For a model notification policy for postsecondary schools see the Model Notification of Rights under FERPA for Postsecondary Institutions. Students must be granted a hearing to challenge information in a record they believe is incorrect.

College officials with a legitimate educational interest in the record may have access to it. Records of disclosures and requests for disclosure must be kept, as well as indicate specifically the legitimate interest that each such person has in obtaining the information. Records need not be kept when the request was from the student or accompanied by written consent from the student, from a faculty or school official who was granted access, a subpoena prohibiting disclosure to the student, or for directory information.

Final Rule, 82 Fed. Reg. 6252, Jan. 19, 2017, Family Educational Rights and Privacy Act

Amending term *Family Policy Compliance Office* to Office of the Chief Privacy Officer*, effective Feb. 18, 2017. 

 Notice of an altered system of records, 78 Fed. Reg. 38963, June 28, 2013.

The Chief Operating Officer for Federal Student Aid (FSA) of the Department of Education (Department) published this notice proposing to revise the system of records entitled ``National Student Loan Data System (NSLDS)". Not technically an amendment to FERPA, but related to privacy issues and student record ID debate. For summary of issues, see ACE July 29, 2013 Comments on the NSLDS proposed revisions. Also note the notice issued in June is contrary to the decision in the Association of Private Sector Colleges and Universities v. Duncan, which noted that 20 USC 1015c prohibits the Department from collecting information for its National Student Loan Data System on students who do not receive and have not applied for either federal grants or federal loans.

Electronic Privacy Information Center et al  v. US Department of Education, *Case filed in US District Court for District of Columbia alleging violation of the Administrative Procedure Act in promulgation of FERPA regulations released Dec. 1, 2011. The amendments modified the definitions of the terms “authorized representative”, “directory information”, and “education program” as used in the statute and the litigation claims DOE exceeded its statutory authority in promulgating the regulations. See the EPIC press release on case.


FERPA Final Rule, 76 Fed. Reg. 75604, Dec. 2, 2011.
This 253 page document includes a number of changes to FERPA.  See the shorter summary for Parents and Students and the Overview for SEAS and LEASThe regulations are effective Jan. 3, 2012. The introduction to the regulations notes as follows: "These amendments also reduce barriers that have inhibited the effective use of SLDS as envisioned in the America Competes Act and the ARRA."


The Campus Sex Crimes Prevention Act and FERPA 

FERPA is amended (§ 1232g(b)(7)(A)) by the Campus Sex Crimes Prevention Act (Pub. L. No. 106-386; 42 U.S.C. § 14071) to make it clear that FERPA does not prohibit release of data on registered sex offenders under this law. The Campus Sex Crimes Prevention Act requires sex offenders who must register under state law to provide notice of enrollment or employment at any institution of higher education (IHE) in that state where the offender resides, as well as notice of each change of enrollment or employment status at the IHE. In turn, this information will be made available by the state authorities to the local law enforcement agency that has jurisdiction where the IHE is located. As of October 27, 2002, the IHE must issue a statement (under the reporting requirements in 20 U.S.C. § 1092(f)(1)) advising the campus community as to where information concerning registered sex offenders can be obtained. FERPA is amended to make it clear that FERPA does not prohibit release of data on registered sex offenders under this law. 

See the guidance entitled Disclosure of Education Records Concerning Registered Sex Offenders. The guidance states in relevant part: 

Thus, nothing in FERPA prevents an educational institution from disclosing information provided to the institution under the Wetterling Act concerning registered sex offenders, including personally identifiable, non-directory information from education records that is disclosed without prior written consent or other consent from the person. The authority of educational institutions to make such disclosures extends both to information about registered sex offenders made available by a State in carrying out the specific requirements of the CSCPA (42 U.S.C. § 14071(j)), and information about registered sex offenders that may otherwise become available to educational institutions through the operation of State sex offender registration and community notification programs. 

Selected Case Law Under FERPA


Best Practices for Data Destruction: Issued by the Privacy Technical Assistance Center

While FERPA is silent on specific technical requirements governing data destruction, methods
discussed in this document should be viewed as best practice recommendations for educational
agencies and institutions to consider adopting when establishing record retention and data governance policies to follow internally, and also for inclusion in any written agreements and contracts they make with third parties to whom they are disclosing PII. 

Improving the Effectiveness and Efficiency of FERPA Enforcement: Significant but non-binding Guidance: USDOE, Dec. 20, 2018. This document lays out a new, more efficient path for reviewing FERPA complaints. Not all complaints require a formal resolution process. Instead, the Department will triage complaints to determine the best mechanism for resolving the situation. Sometimes the process will be FPCO acting as intermediary, and some complaints will be referred to the Privacy Technical Assistance Center for Guidance. 

ACCRAO Guidance on Transcript Disciplinary Notations, June 2017

It is a common practice of registrar professionals to place notations on transcripts when a student has a required separation from, and is deemed ineligible to enroll in, an institution for not meeting minimum academic standards. This Guidance recommends that this same practice be followed when there is a required student separation from an institution for behavioral or other reasons. This includes providing notice of serious misconduct to insitutions to which the student may wish to transfer. Includes guidance on what to do when a disciplinary matter is pending. 

Dear Colleague Letter on Privacy of Student Medical Records August 2016
A review of protections to student medical records, centering specifically on situations involving litigation holds. DOE encourages schools to inform students of the privcay of their medical records per federal and state law and school policy. The letter also addresses when medical records or counseling records can be shared with threat assessment teams under the school official exception.

June 8, 2015 letter from DOE Chief Privacy Officer Kathleen Styles on FERPA and its relation to treatment records.

NACUANOTES Vol. 11, No. 9: The Revised FERPA Regulations and Increased Access to Personally Identifiable Information (April 5, 2013)

Emergencies on Campus: Department of Education guidance on FERPA, June 2011

FPCO Letters from 2002 through June 2007: This page indexes and contains links to technical assistance letters issued by the Family Policy Compliance Office. The letters were obtained by a Freedom of Information request made by the Office of General Counsel at the Catholic University of America. 

Guidelines to Responding to Compulsory Legal Requests for Information: By Steven McDonald and Andrea Nixon
Includes information on responding to subpoenas, search warrants, court orders, National Security Letters, and Public Records Requests.

The Department of Education's Office of the Chief Privacy Officer. School officials who have routine questions regarding FERPA may contact the Family Compliance Office via e-mail at

Students who wish to contact the office may call (202) 260-3887 or write to:
Office of Chief Privacy Officer 
U.S. Department of Education
400 Maryland Avenue, SW
Washington, DC 20202-4605

 Legislative History of Major FERPA Provisions


updated 4-25-19