The Family Educational Rights and Privacy Act (FERPA) is a federal act that gives parents certain rights with respect to their children’s education records in the United States. The rights transfer to the student, or former student, who has reached the age of 18 or is attending any school beyond the high school level. Note that this includes education records at Duke University.
Generally, schools must have written permission from the parent or eligible student before releasing any information from a student’s record. Information in school records may include religious affiliation, citizenship, disciplinary status, attendance, gender, ethnicity, grades and exam scores, test scores (such as SAT or End of Grade scores), and progress reports.
However, if a school district or state department of public education initiates a study, schools can disclose records without consent to the parties conducting those studies.
Furthermore, schools may disclose, without consent, directory information, which FERPA defines as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students that directory information may be disclosed and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Some schools choose not to disclose directory information, even though they may.
Requesting FERPA Protected Data
Written permission must be obtained for the specific records the researcher wants to receive.
The description of those records should also specify the time intervals for which the researcher wants the records, for example, “end-of-grade scores in all subjects for the 2011 and 2012 school years.”
Additionally, the request should let parents or eligible students know that their approval is required before a school can release the records, for example, “federal laws state that you must give written permission for researchers to access your child’s school records.”
Requests for FERPA protected data can be included in a study consent form. FERPA regulations do not include any options for waiving documentation of the release of protected data.
Protecting FERPA Data
According to the Duke University Data Classification Standard, identifiable FERPA data are considered sensitive and must be protected accordingly. It is not sufficient to put identifiable FERPA-protected data in a locked cabinet. See Developing Data Protection Plans, developed by the Information Technology Security Office (ITSO) and the Campus IRB.
Please note that Duke University considers any research data connected to directly identifiable (names, contact information) or indirectly identifiable (demographics) information about Duke students to meet the university's "sensitive" data classification. Protocols that include the collection or receipt of sensitive data undergo review by ITSO before the Campus IRB will issue the protocol approval.
Of special concern is the transportation of data from a school to a researcher’s office. FERPA-protected data should not be transported in identifiable format in a researcher’s car. It would be acceptable if records were transported with ID numbers instead of identifiers. However, the key linking the ID numbers to identifiers should not be transported with the records without being protected, for example, with encryption.
Recommended Guides and Policies to Read