Family Educational Rights and Privacy Act (FERPA)
Frequently Asked Questions
What is FERPA?
The Family Educational Rights and Privacy Act (FERPA) is a federal law that applies to all educational institutions (primary, secondary, and postsecondary schools) receiving funds under any applicable program of the DOEd. FERPA was put in place to protect the privacy of student education records, which are records that are:
- Directly related to the student, and
- Maintained by an educational agency or institution, or by a party acting for the agency or institution.
For minors, FERPA gives parents rights with respect to their children’s education records. These rights are automatically transferred to the student once the student:
- Turns 18, or
- Attends a postsecondary educational institution (i.e. beyond high school). The student assumes responsibility for the record once a Statement of Intent to Register is submitted to the postsecondary educational institution.
Non-minor students and those who attend postsecondary educational institutions are considered “eligible students” who have full rights under FERPA with respect to their education records.
How does FERPA affect researchers?
With some exception, FERPA prevents schools from releasing identifiable student education records to third parties without prior written consent of the eligible student. (For non-eligible students, student education records cannot be released without prior written permission of parents/guardians.) Therefore, any researcher who intends to access or obtain identifiable student education records at or from an educational institution receiving funding from the DOEd must obtain prior written consent from the eligible students or, if non-eligible, from their parent/guardian.
What are the FERPA exceptions that might apply to my research?
An educational agency or institution may disclose personally identifiable information from an education record of a student without consent if the disclosure meets one or more of the following conditions:
- The disclosure is to other school officials, including teachers, within the agency or institution whom the agency or institution has determined to have legitimate educational interests.
A contractor, consultant, volunteer, or other party to whom an
agency or institution has outsourced institutional services or
functions may be considered a school official provided that the
- Performs an institutional service or function for which the agency or institution would otherwise use employees;
- Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and
- Is subject to the requirements of § 99.33(a) governing the use and redisclosure of personally identifiable information from education records.
An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement referenced in 1 above.
The disclosure is to organizations conducting studies for, or on
behalf of, educational agencies or institutions to:
- Develop, validate, or administer predictive tests;
- Administer student aid programs; or
- Improve instruction.
An educational agency or institution may disclose personally identifiable information under 3 above, only if:
- The study is conducted in a manner that does not permit personal identification of parents and students by individuals other than representatives of the organization that have legitimate interests in the information;
- The information is destroyed when no longer needed for the purposes for which the study was conducted; and
The educational agency or institution enters into a written
agreement with the organization that:
- Specifies the purpose, scope, and duration of the study or studies and the information to be disclosed;
- Requires the organization to use personally identifiable information from education records only to meet the purpose or purposes of the study as stated in the written agreement;
- Requires the organization to conduct the study in a manner that does not permit personal identification of parents and students, as defined in this part, by anyone other than representatives of the organization with legitimate interests; and
- Requires the organization to destroy all personally identifiable information when the information is no longer needed for the purposes for which the study was conducted and specifies the time period in which the information must be destroyed.
Does obtaining IRB (CPHS) review and approval give me permission to access FERPA-regulated data?
No. The CPHS/OPHS will help researchers navigate FERPA’s requirements, but IRB approval does not give researchers permission to access FERPA-regulated data. Educational records at UC Berkeley are managed by the University Registrar, who will make the final determination regarding whether FERPA-regulated data held by UC Berkeley may be released and used for research purposes, either with student consent or per one of the above-referenced exceptions. In some situations, as explained below, health information is subject to FERPA, in which case the associated health clinic is responsible for determining whether to release data to researchers.
What are my FERPA responsibilities when accessing FERPA-covered data from an outside entity?
It is generally the data holder’s (educational institution’s) responsibility to ensure that it complies with FERPA when releasing FERPA-covered data. However, if applying the FERPA exception detailed in 3 above, researchers should make certain that the associated Data Use Agreement (DUA) meets the requirements outlined in FERPA regulations i-iv above.
How does FERPA apply to Secondary Use of Student Health Records at Postsecondary Institutions?
Whenever UC Berkeley researchers plan to conduct secondary research involving use of protected health information (PHI) from medical records at a covered entity (CE), researchers must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) with regard to accessing or obtaining the data.
However, researchers should be aware that student health records at postsecondary institutions receiving funding from the U.S. Department of Education (DOEd) are considered “education records” under FERPA (see above, under What is FERPA?) and thus, are not subject to HIPAA. Any researcher who wishes to access identifiable student health records at a postsecondary institution where FERPA applies, must be knowledgeable of and comply with FERPA.
Of note, many postsecondary educational institutions have clinics that also provide health services to non-student patients, such as faculty and staff. Non-student health records at these clinics, if they are covered entities, are subject to HIPAA. For example, UC Berkeley’s covered entities are the University Health Services (including health care services on behalf of Intercollegiate Athletics), and the Optometry Clinic. At these sites, student records are subject to FERPA (because UC Berkeley receives DOEd funding), while non-student records are subject to HIPAA.
Examples, when prior consent is required when obtaining health records for research:
SCENARIO 1: A UCB researcher would like to obtain identifiable data from undergraduate student health records at UC Berkeley’s Tang Center. Because FERPA applies, the researcher must obtain written consent from the students prior to accessing their data. The researcher must submit a non-Exempt application to CPHS/OPHS for review and approval prior to consenting subjects and obtaining the data. Note that the IRB cannot approve a consent waiver for access to FERPA-protected data.
SCENARIO 2: A UCB researcher would like to obtain identifiable student and non-student data (adults) from health records at the UC Berkeley Optometry Clinic. For student records protected by FERPA, the researcher must obtain prior written consent to obtain the data. For non-student records protected under HIPAA, the researcher must either obtain written consent via a HIPAA Authorization form, or request a Waiver/Alteration of HIPAA Authorization prior to obtaining the data. The researcher must submit a non-Exempt application to CPHS/OPHS for review and approval prior to consenting subjects and obtaining the data.
Example, when prior consent may not be required when obtaining health records for research:
SCENARIO 1: A UCB researcher plans to receive de-identified health information from UC Berkeley’s University Health Services. When data are de-identified prior to research use, neither FERPA nor HIPAA apply. The researcher must contact OPHS (email@example.com) to confirm that data are de-identified, prior to obtaining the data.
NOTE: Limited data sets under HIPAA are considered PHI. Please review the CPHS Guidelines on HIPAA and Human Subjects Research for guidance on research involving limited data sets. If the limited data set includes student data (subject to FERPA), the researcher must contact OPHS to determine whether student data included in the limited data set are de-identified.