Sharing Data Without Violating FERPA

Ask eAIR invites questions from AIR members about the work of institutional research, careers in the field, and other broad topics that resonate with a large cross-section of readers. If you are interested in writing an eAIR article, or have an interesting topic, please contact  

This month’s question is answered by Steve Graunke, Director of Institutional Research and Assessment, IUPUI.

The ideas, opinions, and perspectives expressed are those of the author, and not necessarily AIR. Subscribers are invited to join the discussion by commenting at the end of the article.

Dear Steve: What are the best practices for sharing data at your institution while not violating FERPA? Several of us at my institution have been discussing this topic, and we all have very different thoughts on the matter.

This is a topic many of us in the Office of Institutional Research and Decision Support (IRDS) at IUPUI have been thinking about as well. Generally speaking, the Federal Education Rights and Privacy Act of 1974 (otherwise known as FERPA) prohibits the disclosure of individually identifiable student education records without first obtaining the consent of the student or (if the student is under 18 or below the college level) their parent. Aggregate information is usually permissible to release. However, someone may have the ability to view individually identifiable information if there is a “legitimate educational interest” for viewing student records. For example, if an IUPUI math professor wanted to know student grades in a prior IUPUI math course to identify students that might need additional tutoring, that release of individual information would be permissible. However, if that same math professor wanted to find the math grade of a neighbor just because they were curious how the student was doing, that would not be a permissible disclosure. It is therefore important to consider who the data requestor is, what information they are looking for, and how the data requestor is planning to use the information before deciding whether releasing the information is permissible or not.

A few things to consider as you develop policies on sharing information:

  • The focus of FERPA is on education records, which generally refer to personally identifiable information maintained by an institution. Most data maintained and used by IR offices would be considered education records. However, some data maintained by the institution, such as law enforcement records from campus police or medical records maintained by a health center would be covered under different legal statutes. Data on faculty and staff would also not be covered under FERPA unless being a student is a requirement for the position (such as Graduate Assistants). If your responsibilities include handling of data not covered by FERPA, it’s important that you familiarize yourself with the assorted rules and regulations pertaining to these data as well.

  • FERPA also distinguishes between “directory” information, such as name or dates the student attended, and other educational records. Directory information can be released without student consent as long as the student is notified beforehand (this can be done in a student handbook or mass email; policies vary between campuses). This information is generally seen as less harmful if revealed, as opposed to more personal information. For example, if a reporter calls asking for information about a student who is running for local office, you can confirm that the student attended, what their major was, and whether they received a degree. However, GPA, grades, or disciplinary records could not be released to the reporter without consent.

  • Others outside your institution may wish to request individual information about students as well. Under certain conditions, FERPA allows you to disclose individual student records without consent to accreditors, financial aid providers, external auditors, or researchers conducting a study on behalf of your institution. A vendor who would need individual records to establish an “early warning” system for identifying at-risk students might be able to receive that information without student consent, depending on your university’s policies. However, a private organization wanting to establish a database of college students in your state for their own research purposes would likely need to get student consent before records are released.

  • Many individuals on your campus may have day-to-day responsibilities that involve monitoring compliance with FERPA standards. Our office has been fortunate to develop a strong working relationship with the registrar’s office, and we’ve invited the university registrar to our staff meetings to discuss how FERPA applies to our everyday work. Indiana University, and by extension IUPUI, also offers comprehensive training and a variety of online resources to help all staff with data management responsibilities better understand their obligations under FERPA. In fact, we at IRDS do not release any individually identifiable student data unless that individual has completed Indiana University’s online FERPA tutorial and understands the importance of keeping data secure. Establishing strong relationships with your university registrar, university council, or others who are familiar with all the requirements of FERPA is critical for ensuring that any release of data is compliant with FERPA standards. 

  • Finally, it is important to note that just because data is legal to release under FERPA doesn’t mean that there are no other considerations. Individual state laws and university policies may place greater restrictions on releasing certain data than are currently outlined in FERPA. The AIR Code of Ethics does not explicitly mention FERPA, but does ask IR professionals to maintain security of any information deemed as confidential. AIR's Statement of Aspirational Practice encourages IR professionals to be effective data stewards and strengthen the data literacy of faculty and staff across campus. Part of that responsibility would include being involved in discussions of data security policies. These discussions would consider FERPA as well as local, state, and federal laws on data security, not to mention the best interests of students.

In short, the best practices for sharing information while not violating FERPA would include:

  1. Gaining a firm understanding of FERPA requirements as well as additional relevant laws and university policies when they apply,

  2. Working with data requesters to understand who they are, what data they are looking for, whether aggregate data will be sufficient, and what they plan to do with the information you provide,

  3. Developing a strong network across campus to make sure that users of IR data are also aware of the requirements of FERPA and other relevant policies, and

  4. Consulting with other staff members who have an intimate knowledge of FERPA whenever you have questions.

I hope this answers your question!



Bill posted on 11/16/2017 3:41 PM
Excellent guidance; thanks for sharing. Gee, Ball State IR certificate grads are bright.

-Bill Knight