Definition

FERPA compliance is adherence to the Family Educational Rights and Privacy Act, a US federal law that protects the privacy of student education records. It applies to schools and post-secondary institutions that receive US Department of Education funds, granting parents (or eligible students 18+) rights to access, amend, and control disclosure of those records.

How It Works

FERPA gives parents, and students once they turn 18 or enroll in higher education, three core rights: (1) the right to inspect and review the student's education records held by the school, (2) the right to request corrections to records they believe are inaccurate or misleading, and (3) the right to control disclosure of personally identifiable information from those records. Schools must obtain written consent before releasing records to most third parties, with narrow exceptions (school officials with legitimate educational interest, transfer requests, financial aid, accreditors, court orders). Schools must maintain a public annual notice of FERPA rights, designate "directory information" categories that may be released without consent unless a parent opts out, and log every disclosure of records.

Technically, schools achieve compliance through role-based access controls, audit logs of every record view and edit, encrypted storage, secure transmission, and clear data-retention and disposal policies. Software platforms used by schools are generally treated as "school officials" under a FERPA exception, provided they sign a contract that binds them to FERPA-equivalent privacy obligations.

Why Schools Need It

FERPA compliance is not optional for US schools that receive federal funding — non-compliance can ultimately result in withdrawal of federal funds, which makes it existential. Beyond the legal mandate, compliance protects students from improper disclosure (e.g., a teacher posting grades publicly with names attached), gives parents meaningful control over their children's data, and signals to college admissions, transfer institutions, and employers that the records they receive came from an institution following due process. Schools that operationalize FERPA via good software architecture — role-based access, audit logs, encrypted storage, contractual data-processing agreements with vendors — find that the same controls also satisfy state student-privacy laws (California SOPIPA, New York Education Law 2-d, Colorado Student Data Transparency and Security Act) which often impose stricter rules than federal FERPA.

Key Features

  • Role-based access controls limiting who can see which student records
  • Immutable audit log of every record view, edit, and disclosure
  • Encrypted data at rest and in transit (AES-256, TLS 1.2+)
  • Configurable directory-information opt-out per student (parent-controlled)
  • Data-processing agreements with software vendors binding them to FERPA-equivalent obligations
  • Secure deletion and retention policies aligned with state and federal record-keeping rules

FAQ

Who has to comply with FERPA?

Any educational agency or institution that receives funds under any program administered by the US Department of Education — which is essentially every US public school district, public college and university, and most private colleges that receive federal student aid. Private K-12 schools that do not receive federal funds are not bound by FERPA but typically follow it voluntarily as best practice and because state laws often mirror its requirements. Software vendors serving these schools are bound contractually under the "school official" exception. For the official text, see the US Department of Education's Student Privacy Policy Office (studentprivacy.ed.gov).

What counts as an "education record" under FERPA?

Any record (paper, electronic, video, audio) maintained by the school that contains information directly related to a student. This includes transcripts, grades, attendance records, disciplinary records, health records held by the school, financial-aid records, and recordings of student work. Records kept solely in the personal possession of a teacher (sole-possession notes) are not education records, nor are law-enforcement records held separately by a school police unit. The line gets blurry around things like classroom video recordings — schools typically treat them as education records.

How does FERPA apply to cloud-hosted school software?

A cloud software vendor (SIS, LMS, gradebook) is treated as a "school official with legitimate educational interest" — a FERPA disclosure exception — provided the school enters a contract that (a) limits the vendor to using student data only for the contracted educational purpose, (b) prohibits redisclosure without consent, (c) gives the school direct control over the data's maintenance and use, and (d) requires deletion or return of data when the contract ends. Schools should ask vendors for a FERPA-aligned Data Processing Agreement (DPA). Self-hosted deployments (the school controls the cloud or on-premise server) simplify the picture because the data never leaves the school's technical control.

How does OpenEduCat support FERPA-aligned deployments?

OpenEduCat ships with FERPA-aligned defaults: role-based access control on every module, immutable audit logging of record views and edits, AES-256 encryption at rest, TLS 1.2+ for transit, configurable directory-information opt-out per student, and data-deletion workflows aligned to state retention rules. Because it is open-source and self-hostable, US districts can deploy on infrastructure they control (district data center, AWS GovCloud, district-managed cloud), keeping student PII inside their chosen jurisdiction — which simplifies FERPA compliance and makes state-law overlays (California SOPIPA, New York Ed Law 2-d) easier to satisfy. The Enterprise tier ships a FERPA Data Processing Agreement template. We do not provide legal advice; consult your district counsel and the US Department of Education's guidance at studentprivacy.ed.gov.
