Student Privacy Concerns When Educational Institutions Outsource: The FERPA "School Official" Regulations

Privacy & Cybersecurity Newsletter
Fall 2021

Schools, colleges and universities often will outsource to third parties any number of functions or services, such as the operation of campus bookstores and dining facilities, campus security, management of campus parking, payment arrangements for tuition and fees, information technology services, and so on.

Performing these services often requires access to various records, and/or the creation of new records, which contain personally identifying information about students. If the educational institution receives federal funding through the Department of Education – true for essentially all public educational institutions and nearly all private postsecondary institutions – both the institution and the service provider must comply with the “school official” provisions of FERPA, the Family Educational Rights and Privacy Act.

FERPA applies to all “education records,” a broadly defined term. Subject to a few exceptions, it includes any record, in any form, which contains information “directly related” to a student and is “maintained” by the institution or an organization acting on its behalf.

FERPA creates a right of privacy with respect to “education records.” Subject to certain exceptions, the institution may not disclose the record, or any information contained in the record, to anyone without the advance, written consent of the student or their parent. The student’s consent is required if the student either has reached the age of 18 or is attending a postsecondary institution. Otherwise, the parent’s consent is required.

Relevant to outsourcing, one exception to the general prohibition against disclosure without consent is disclosure to “school officials.” FERPA permits disclosure of education record information to “school officials” who have a legitimate educational interest in the information – i.e., they need the information in order to do their job. The term “school official” can include not just school employees but also outside parties, but only if all three of these conditions are met: (1) the outside party is performing an institutional service or function for which the school otherwise would use employees; (2) the school exercises “direct control” of the outside party with respect to the use and maintenance of education records; and (3) the outside party complies with FERPA’s requirements with respect to the use and re-disclosure of student record information – i.e., the provider uses the information only to perform the institutional service or function and it does not re-disclose the information except as FERPA specifically allows (with the consent of the student or parent or pursuant to one of FERPA’s other exceptions).

Too often, in our experience, institutions and their outsource providers pay scant attention to FERPA and the “school official” regulations. It is not enough to simply provide in the outsourcing agreement that the provider “will comply with FERPA” or “with all applicable laws and regulations,” or words to that effect.

As noted above, the regulations require that the institution exercise “direct control” of the outside party with respect to the use and maintenance of education records. Thus, the outsourcing agreement should specify, with appropriate particularity, what student record information will be shared with or created by the provider; for what institutional purposes that information may be used; that the information may not be used for any other purpose; that the information will be securely maintained; that the provider may allow access only to those of its employees who need it in order to do their jobs; and that the provider will not re-disclose the information to anyone else – including the student or their parent – except at the direction of the institution.

While FERPA permits disclosure to the student or parent in many circumstances, there can be important nuances here as well. As a result, and consistent with the requirement that the school exercise “direct control” of the outside party in relation to the use and maintenance of education records, it is best practice for the school itself, not the provider, to determine whether student record information is disclosed to anyone, including a student or their parent.

For the same reasons, the outsourcing agreement should provide that upon receipt of any third-party request for disclosure of the records or information from the records, including a subpoena or court order, the service provider must promptly notify and take direction from the school in relation to compliance (or not) with the request. In the case of a subpoena or court order, for example, FERPA requires that prior to production of education records, the educational institution must undertake to notify the student whose records would be disclosed (or their parent), so that the student (or parent) may decide whether to seek to quash or modify the subpoena or order. Both the institution and the vendor want the institution, not the vendor, to manage this process – again, consistent with the regulation’s requirement that the institution exercise “direct control” of the outsource provider in relation to the use and maintenance of education record information.

The FERPA “school official” regulations are an important aspect of any outsourcing arrangement that involves education record information. Both parties should be well-familiar with the regulations – both what they permit and what they require – and consult with knowledgeable counsel as appropriate.