FERPA — Disclosure Without Consent: School Official Exception
Enforced by: US Dept. of Education
Current as of August 21, 1974
Plain Language Summary
Cloud vendors can access student data WITHOUT consent if they perform a school function, are under direct control, and are bound by FERPA. The DPA must explicitly require FERPA compliance.
An educational agency or institution may disclose personally identifiable information from an education record without consent if the disclosure is to school officials, including contractors and consultants, whom the agency has determined to have legitimate educational interests. Outside parties must: perform an institutional service or function the agency would otherwise use employees for; be under the direct control of the agency with respect to the use and maintenance of education records; and be subject to the requirements governing the use and re-disclosure of personally identifiable information.