FERPA Compliance Checklist for Higher Education
This checklist ensures institutional compliance with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g, and its implementing regulations at 34 CFR Part 99. FERPA establishes requirements for institutional handling of student education records, parental access rights, and disclosure limitations. Use this checklist to verify policies, procedures, and documentation are aligned with federal requirements and institutional obligations.
- Access Request Procedures (34 CFR § 99.3, § 99.37): Verify written procedures exist enabling eligible students and parents to request and inspect education records within 45 calendar days, including documentation of all requests received and responses provided.
- Definition of Education Records (34 CFR § 99.3): Confirm institutional records inventory distinguishes between education records subject to FERPA and records excluded (personal notes, law enforcement records, employment records, medical records created by healthcare providers).
- Directory Information Designations (34 CFR § 99.3, § 99.37): Maintain current written list of directory information categories designated by the institution; document annual notification to all students of their right to restrict directory information release and maintain opt-out records.
- Parental Access Rights (34 CFR § 99.3, § 99.5): Establish procedures determining dependent status for parental access claims; maintain documentation of dependency verification determinations and corresponding access grants or denials.
- Disclosure Consent Requirements (34 CFR § 99.3, § 99.37): Verify written consent forms exist for all non-emergency disclosures to third parties, including specifications of records to be disclosed, purpose, and recipient identification; retain executed consents for institutional records.
- FERPA Exceptions Documentation (34 CFR § 99.31): Create audit trail documenting all disclosures made under permitted exceptions (school officials with legitimate educational interest, health/safety emergencies, judicial order, financial aid administration, state education authority); maintain records identifying discloser, recipient, date, and justifying exception.
- Record Amendment Procedures (34 CFR § 99.20, § 99.21): Document procedures for eligible students to request record amendments; maintain records of all amendment requests, institutional responses, and appeal outcomes.
- Legitimate Educational Interest Definitions (34 CFR § 99.3): Establish and maintain written policies defining which institutional employees qualify as having legitimate educational interest for access to education records without consent; verify access logs align with these definitions.
- FERPA Notice Requirements (34 CFR § 99.7): Confirm annual FERPA notification provided to all students includes student rights, institutional procedures, definitions, exceptions, and complaint procedures; verify notification method and documentation of distribution.
- Data Security and Storage Controls (34 CFR § 99.3): Implement and document controls limiting access to education records through physical security (locked storage), electronic security (access controls, encryption), and staff training; maintain records of access incidents and remediation.
- Third-Party Service Provider Agreements (34 CFR § 99.31(a)(1)(i)): Verify all contracts with vendors/service providers accessing education records include FERPA confidentiality obligations, prohibited use restrictions, and return/destruction of records requirements; maintain executed agreements.
- Subpoena and Judicial Order Response (34 CFR § 99.3, § 99.31(a)(9)): Document procedures for responding to subpoenas and court orders; verify institutional legal counsel reviews such requests before disclosure and maintains records of approvals, disclosures made, and notice to student (except where prohibited by order).
- Student Record Destruction Procedures (34 CFR § 99.3): Establish and document institutional policies for education record retention and destruction schedules; maintain audit trail of destroyed records including date, content, and destruction method.
- Complaint Procedures and Documentation (34 CFR § 99.63, § 99.64, § 99.65): Maintain written procedures for receiving and investigating FERPA complaints; document all complaints received, investigations conducted, findings, and any corrective actions taken; retain correspondence with complainants and U.S. Department of Education.
- Staff Training and Certification (34 CFR § 99.37): Verify all personnel handling education records receive FERPA training before access; maintain training records including dates, attendees, curriculum, and certification of understanding; implement refresher training schedule.
- Redisclosure and Use Restrictions (34 CFR § 99.33): Document institutional policies prohibiting recipients of education records from redisclosing information without consent; verify agreements with third parties include redisclosure restrictions and consequences.
- Transgender/Name Change Records (34 CFR § 99.3, § 99.37): Establish procedures allowing eligible students to request education record name/gender marker updates; maintain documentation of requests, institutional responses, and updated records to ensure consistency across institutional systems.
- Technology and System Access Logs (34 CFR § 99.3): Implement and audit electronic access logs for education record management systems; verify logs capture user identity, access date/time, records accessed, and action taken; maintain logs for minimum required retention period.
- Policy Communication and Acknowledgment (34 CFR § 99.37): Document institutional delivery of FERPA policies to all students, parents (for dependents), and staff; maintain signed acknowledgments or alternative verification of receipt and understanding.