FERPA compliance checklist

The Family Educational Rights and Privacy Act (FERPA) is not just another piece of US education legislation - it is the cornerstone of how schools, districts, and higher education institutions protect student data. Yet for all its importance, it remains one of the more misunderstood frameworks in practice. Administrators often focus narrowly on parental access rights or directory information, overlooking the broader technical and operational measures needed to remain compliant. And that’s where most institutions run into trouble: the law doesn’t simply set rules, it demands an entire system of accountability.

A checklist, then, isn’t just a convenience. It’s a way of translating dense legal language into a usable framework - something an institution can actively work through and test against its own practices. FERPA compliance isn’t achieved by declaring intent; it requires constant scrutiny of how data is collected, shared, secured, and destroyed.


What does FERPA require?

At its core, FERPA governs access and disclosure of student education records. That phrase - “education records” - carries more weight than people often realise. It doesn’t stop at grades or transcripts. It includes disciplinary records, health information kept by the school, communications between parents and teachers, even digital identifiers that can reasonably trace back to an individual student.

The law grants parents (and later, students themselves once they turn 18) the right to inspect and request amendments to those records. Schools, meanwhile, are restricted in how they share this information. Without written consent, disclosure is severely limited, with a few exceptions: subpoenas, certain audits, or in cases where health and safety are at immediate risk.

But it’s one thing to understand the rights and prohibitions, and quite another to operationalise them. This is where institutions often fall into grey areas.


Why a checklist matters

Not only is FERPA broad in scope, but its practical application touches almost every corner of a school’s operations. A teacher saving student grades on a personal laptop, a registrar emailing transcripts without encryption, an administrator publishing “directory information” too broadly - each of these can amount to a compliance risk.

A checklist doesn’t solve the underlying cultural challenge of data privacy, but it ensures critical areas aren’t overlooked. It forces a deliberate pause: have we trained our staff, updated our systems, reviewed our policies? Without that systematic review, compliance becomes piecemeal and fragile.


Key areas for institutions to review

Any credible checklist needs to address both policy and practice. Some areas are obvious, others less so. A few of the most pressing include:

  • Access control: Who has permission to view, edit, or transmit student data, and how are those permissions monitored?

  • Data storage: Are records stored securely, whether physically in filing cabinets or digitally in cloud systems?

  • Third-party vendors: Do contracts explicitly require compliance with FERPA, and are those vendors vetted for security?

  • Staff training: Is every employee who touches student data aware of their obligations, and do they undergo regular refreshers?

  • Redaction and sharing: Are FERPA-compliant redaction tools like Secure Redact in place to handle documents that must be partially disclosed while protecting sensitive identifiers?

These aren’t optional considerations. They form the baseline of operational compliance, without which an institution risks both legal liability and erosion of trust among families.


How technology intersects with FERPA

Technology complicates the compliance landscape. Online learning platforms, student information systems, and even classroom apps collect and transmit sensitive data. Schools may not always be aware of what information these tools capture, let alone how vendors handle it.

Encryption, audit logs, and strong access controls are no longer “nice-to-have” features; they’re essential safeguards. But here’s the tension: even the best technology doesn’t guarantee compliance if people misuse it. A secure platform won’t help if a teacher downloads files to an unsecured USB stick. Conversely, well-trained staff can’t fully mitigate risks if the systems themselves are riddled with vulnerabilities.

This dual dependency - human behaviour and technological infrastructure - is precisely why a structured checklist matters. It keeps attention on both fronts.


The grey zones institutions overlook

There’s a recurring problem in how compliance is handled: administrators often assume FERPA is only about records in the registrar’s office. In reality, it applies far more widely. A classroom recording of a student presentation, for instance, may count as an education record if stored and shared. A nurse’s note, depending on how it’s catalogued, may fall under FERPA rather than HIPAA.

And that raises another thorny issue: understanding the difference between PHI and PII. Schools frequently confuse these categories, misapplying the rules of one framework to the other. FERPA doesn’t regulate health information in the same way HIPAA does, but when that health information is maintained by a school as part of the student’s record, it squarely falls under FERPA’s jurisdiction.

These distinctions are not trivial. Misinterpretation can lead to wrongful disclosure - or excessive restriction that hinders operations unnecessarily.


Building a living checklist

A one-off compliance review is insufficient. FERPA obligations evolve as technology, policy, and institutional practices shift. A checklist must function as a living document, revisited and refined each year. That means:

  • Reviewing contracts with new vendors.

  • Updating staff training to reflect emerging threats.

  • Testing redaction processes and verifying they actually conceal all identifiers.

  • Auditing who has access to sensitive records and whether permissions align with role requirements.

It’s easy to fall into a “set and forget” mindset, but that approach leaves gaps. FERPA compliance requires vigilance, not just initial alignment.


Final thoughts

FERPA compliance is both a legal requirement and a matter of institutional credibility. Parents trust schools with the most intimate details of their children’s lives; failing to secure that trust risks reputational damage beyond any statutory fine.

A structured checklist helps cut through ambiguity. It doesn’t eliminate complexity - schools still need policies, training, and secure technologies - but it offers a framework to ensure nothing critical slips through. Whether it’s controlling access, clarifying responsibilities, or implementing FERPA-compliant redaction tools, institutions that adopt a systematic approach are far better positioned to meet their obligations.

Compliance, in the end, is less about ticking boxes than about building a culture of respect for student privacy. And that culture begins with consistent, repeatable practices anchored by a living checklist.

