FERPA Compliance & OpenEduCat
Family Educational Rights and Privacy Act
FERPA is a US federal law that governs access to student education records. It requires that institutions protect student records from unauthorized disclosure, give students the right to access and correct their records, and obtain consent before sharing records with third parties. OpenEduCat provides the technical infrastructure to support these requirements, role-based access control, immutable audit logs, consent workflows, and the option to deploy entirely on your own servers.
What FERPA Requires, and How OpenEduCat Responds
Access to education records
What FERPA Requires
Students (and parents of minors) have the right to inspect and review their education records within 45 days of request.
OpenEduCat Response
The student portal provides access to grades, attendance, fee history, and transcript. Data export on student request is supported. Parent portal provides access to minor student records.
Records correction rights
What FERPA Requires
Students can request correction of inaccurate or misleading records. Institutions must respond with a decision.
OpenEduCat Response
Grade correction workflows route requests through the teacher and academic registrar. The audit log records the original grade, the correction request, and the final decision with approver identity.
Consent for disclosure
What FERPA Requires
Institutions must obtain written consent before disclosing records to third parties, with specific exceptions (school officials with legitimate interest, health/safety emergencies).
OpenEduCat Response
Student consent records can be stored in the student profile. Third-party data sharing can be restricted to consent-verified records only. School official access is controlled by role configuration.
School officials with legitimate educational interest
What FERPA Requires
Faculty and staff may access records they need to perform their job, not all records, only those relevant to their role.
OpenEduCat Response
Role-based access control limits teachers to gradebooks for their assigned courses only. Advisors see their advisee records. Administrators have configurable access scopes. Access is not all-or-nothing, it is role-defined.
Annual notification
What FERPA Requires
Institutions must notify students annually of their FERPA rights.
OpenEduCat Response
The student portal can display institutional FERPA notices. Notification delivery and archiving is an institutional process, OpenEduCat stores records; the annual notice workflow is managed by your registrar.
Technical Controls for FERPA
Six specific mechanisms built into OpenEduCat that support FERPA compliance.
Role-Based Access Control (RBAC)
Every user in OpenEduCat has a defined role, student, teacher, department admin, registrar, IT admin, parent. Each role has a scoped set of permissions. A teacher can view and grade students enrolled in their courses; they cannot access records for courses they do not teach. A parent with a child who is a minor student sees that child's records only. Role definitions are configurable by your IT admin without code changes.
Grade Access and Modification Audit Log
Every access to a student grade record (view, edit, or export) is logged with the user identity, timestamp, IP address, and the action taken. If a grade is modified, the log records the original value, the new value, who made the change, and when. This audit trail is immutable, it cannot be deleted by users with standard admin access. FERPA audit requirements are satisfied by this log.
Student Consent Workflows
When a student requests that their records be shared with a third party (an employer, a graduate school, a scholarship organisation) the system records the consent with the student's identity, the recipient, the scope of disclosure, and the date. Disclosures that occur without consent (e.g., health/safety emergencies, judicial orders) are recorded separately with the exception category.
Parent Portal Access Controls
For students under 18, FERPA rights transfer to the parent or guardian. The parent portal provides access to minor student records, grades, attendance, fee status, timetable. When a student turns 18, parental access must be removed. OpenEduCat supports a configurable age-of-majority cutoff that automatically shifts record ownership and portal access at the configured date.
Data Export on Student Request
Students can export their own academic records (transcript, attendance history, fee statements) from the student portal. Export events are logged in the audit trail. The exported data is in standard formats (PDF, CSV) that the student can provide to third parties as an alternative to institution-to-institution disclosure.
On-Premise Deployment
For institutions with the strictest data residency requirements, OpenEduCat can be deployed entirely on-premise on your own servers. Student data never leaves your network. This is particularly relevant for institutions serving K-12 students (where COPPA considerations layer on top of FERPA) or institutions with specific government or DOD data handling requirements.
US GPA 4-Point Scale
Standard US letter grade scale. Academic standing thresholds: Dean's List (CGPA ≥ 3.5), Academic Warning (CGPA < 2.0), Probation (CGPA < 1.5).
| Grade | Mark Band | GPA Points |
|---|---|---|
| A | 90–100% | 4.0 |
| A- | 87–89% | 3.7 |
| B+ | 83–86% | 3.3 |
| B | 80–82% | 3.0 |
| B- | 77–79% | 2.7 |
| C+ | 73–76% | 2.3 |
| C | 70–72% | 2.0 |
| C- | 67–69% | 1.7 |
| D+ | 63–66% | 1.3 |
| D | 60–62% | 1.0 |
| F | Below 60% | 0.0 |
FERPA vs GDPR, Handling Both
International institutions often need to satisfy both. OpenEduCat's controls address both frameworks.
| Dimension | FERPA | GDPR |
|---|---|---|
| Jurisdiction | US federal law (applies to institutions receiving federal funding | EU regulation) applies to any organization processing EU resident data |
| Data subject rights | Students and parents of minors | All individuals whose personal data is processed |
| Access request timeline | 45 days maximum | 30 days maximum (extendable by 2 months) |
| Consent for disclosure | Required for third-party disclosures outside defined exceptions | Consent is one of six lawful bases; not always required |
| Audit requirements | Records of disclosures must be maintained | Records of processing activities (ROPA) required |
| OpenEduCat approach | RBAC + audit log + consent records + on-prem option | Same RBAC + audit log + ROPA exports + data residency controls |
Full US Gradebook Documentation
US GPA scale details, academic standing thresholds (Dean's List, Academic Warning, Probation, Dismissal), grade forgiveness policy, and US transcript format.
US Gradebook Details →Frequently Asked Questions, FERPA & OpenEduCat
Questions from US university registrars, IT administrators, and compliance officers.
Ready to Transform Your FERPA Compliance?
See how OpenEduCat frees up time so every student gets the attention they deserve.
Try it free for 15 days. No credit card required.