Handling FOIA request: A guide for educational institutions
Freedom of Information Act requests and FERPA operate on a collision course that educational institutions navigate more often than is commonly acknowledged. FOIA, at the federal level and in its state equivalents, creates a presumption of openness: government records are public unless an exemption applies. FERPA creates a presumption of privacy: student educational records are protected unless disclosure is authorized. When a FOIA request arrives at a school district or public university, both frameworks apply simultaneously, and the institution must work out, record by record, which one governs.
Getting this wrong carries consequences in both directions. Withholding records that are legitimately public exposes an institution to legal challenge and reputational damage. Releasing records that contain protected student information is a FERPA violation, regardless of whether that release happened in response to a lawful FOIA request.
What records are actually subject to FOIA at educational institutions?
Public schools and universities are government entities, which means the records they create and maintain in their administrative capacity are generally subject to disclosure under applicable state sunshine laws. Budget documents, board meeting minutes, procurement contracts, personnel records (with certain exemptions), and policy documents are all fair game. The fact that an institution is educational does not insulate its administrative operations from the transparency obligations that apply to any public body.
Student records are a different matter. FERPA's exemption is recognized under federal FOIA law and has been incorporated into most state equivalents. A FOIA request cannot be used to obtain a student's transcript, disciplinary file, or any other record that meets FERPA's definition of an educational record. The exemption is not a technicality; it is the mechanism through which two otherwise conflicting federal mandates are reconciled.
The complication arises with records that are neither purely administrative nor purely educational. A report documenting an incident on campus might contain information about the institutional response, which is disclosable, alongside information about the students involved, which is not. Releasing the document in full would violate FERPA. Withholding it entirely would likely misapply the FOIA exemption. The correct response is to disclose the record with protected student information redacted.
Protect student privacy by redacting records before responding to FOIA requests.
What is the process for responding to a FOIA request correctly?
Timeliness is a legal obligation, not a courtesy. Most state equivalents set firm deadlines, typically between five and twenty business days, for acknowledging a request and indicating whether records will be produced. Institutions that allow requests to stall, whether due to understaffing, unclear internal routing, or simple inattention, create legal exposure that compounds over time.
Once a request is received, the institution must identify which records are responsive, assess each against applicable exemptions, and redact protected information before disclosure. That sequence sounds straightforward. In practice, responsive records often span multiple departments, exist in multiple formats, and contain information about individuals across several protected categories simultaneously. A single request about a campus safety incident might pull in security footage, incident reports, emails between administrators, and student conduct files, each of which requires different handling.
Understanding why redaction is essential in document workflows is not an abstract compliance question for institutions managing requests of this complexity; it is an operational necessity. The alternative, reviewing every document manually and making ad hoc judgments about what to redact, is neither efficient nor consistent.
How does redaction work in practice for mixed-content records?
Redaction, done correctly, removes protected information in a way that is permanent and cannot be reversed by the recipient. This rules out simple visual obstructions applied in word processors, where text can often be recovered by copying and pasting from the underlying document. For PDFs and scanned records, proper redaction requires tools that remove the underlying data, not merely obscure it.
For video records, which are increasingly relevant as schools expand their use of CCTV and body-worn cameras, redaction must handle faces, identifying clothing, and audio that could identify protected individuals. A school that releases security footage in response to a FOIA request without redacting student faces is not in compliance with FERPA, regardless of the FOIA obligation to disclose. The two are reconciled by releasing the footage with student identifiers removed.
Pimloc's automated document redaction for educational institutions handles this across file types, processing documents, images, and video to identify and permanently remove protected content before disclosure. For institutions receiving multiple FOIA requests simultaneously, or dealing with requests that implicate large volumes of records, automated redaction is the only approach that scales without proportionally increasing staff time and error risk.
What should institutions have in place before a request arrives?
A reactive posture is the wrong one. Institutions that build their FOIA response process around individual requests, rather than establishing a standing workflow, consistently perform worse than those with defined protocols. The components of a functional process are not complicated: a designated coordinator or office responsible for receiving and routing requests, clear internal guidance on which exemptions apply to which record types, and technology infrastructure capable of producing redacted copies reliably and quickly.
Training matters. Staff who handle records need to understand that FERPA's protections do not dissolve in the face of a FOIA request, and that the correct response to a request implicating student records is disclosure with redaction, not a blanket refusal. That distinction, consistently applied, is what keeps an institution compliant with both frameworks simultaneously.
The bottom line
The volume of FOIA requests directed at educational institutions has increased steadily as public interest in school administration, safety records, and policy decisions has grown. Institutions that are not prepared for that volume will find themselves in legal and reputational difficulty. Those that have built the right infrastructure will find compliance manageable. The difference, in most cases, comes down to whether the right systems were put in place before the pressure arrived.