Ask the FERPA Professor

May 31, 2022
  • Data Stewardship
  • FERPA Professor
cartoon figure reminiscent of Einstein stands in front of a chalkboard with the board "FERPA" written on it

Dear FERPA Professor,

I need your assistance; an Admissions file was inadvertently posted to a server where students could access the file. Directory information along with the students' admissions evaluation could be retrieved. Some of those listed students are currently enrolled and are aware that this file got out.

I believe that any student currently enrolled should be notified of the breach and the school's actions to ensure the information is no longer accessible. Could you please provide me with your professional opinion?

Thank you in advance,

Ms. Take


Dear Ms. Take

Contacting the students whose education records were disclosed and the actions the institution took in response to the posting is the appropriate thing to do, although not required by FERPA. Such an action will be helpful in the event one or more of the students files a FERPA complaint with the U.S. Department of Education's Student Privacy Policy Office. However, § 99.32(a) of the FERPA regulations does require that the institution record the disclosure in the education record of each student whose records were disclosed. You can find the above-cited language on page 163 of the 2012 AACRAO FERPA Guide.

I hope this is helpful in answering your questions.

The FERPA Professor