aacrao-logo_transparent

Ask the FERPA Professors

April 21, 2026
  • FERPA
  • Registration & Records
  • Family Educational Rights and Privacy Act
  • FERPA
  • FERPA Professor
  • privacy

Dear FERPA Professors,

As we work to ensure full compliance, we would appreciate your clarification on the following points:

Would it constitute a FERPA violation if a school official had access to student data that falls outside the scope of their departmental responsibilities? Currently, our reporting system does not support user-specific data restrictions, meaning any user with report access can view all student data. For instance, an academic dean in one college may be able to access data for students in another college.

Would conducting an audit of access permissions be necessary or advisable to ensure compliance with FERPA regulations?

We sincerely appreciate your time and guidance as we work to address these issues appropriately.

Reg U. Lation

Dear Reg U. Lation,

The exception to signed consent found at § 99.31(a)(1) of the FERPA regulations permits institutions to allow access to those school officials at the institution who are deemed to have a "legitimate educational interest" in a student's education records.  The terms "school official" and "legitimate educational interest" must be defined in the institution's annual notice of FERPA rights as outlined in § 99.7(a)(3)(iii) of the regulations.  Thus, it is the institution's responsibility to manage this access based on those definitions. (See § 99.31(a)(1)(i)(B)(ii).) 

Allowing access to school officials who do not have such a legitimate educational interest in a student's education records would not generally be permitted under FERPA.  If an institution does not use technology controls to limit school officials' access to student education records, but instead uses administrative policy for controlling access, that administrative policy must ensure that it remains in compliance with the legitimate educational interest requirement in § 99.31(a)(1)(i)(A).  Conducting an audit of access permissions would generally be deemed reasonable in enforcing the limitation requirements for school official access.

I hope this is helpful in answering your questions.  You can find the above-cited regulations on pages 159 and 155 of the 2012 AACRAO FERPA Guide.

Respectfully,

The FERPA Professor

 

Want the Professor to come to your campus? Visit our FERPA compliance training page.

AACRAO members, send your questions to the FERPA Professor at communications@aacrao.org.

Related Content

Learn how to sell your institution in 30 seconds flat in the AACRAO Course "Admissions Counselor/Recruiter 101 - Section 1," which begins April 27.

Join the "Preparing for the Midterms: Updates on Voting & Campaign-Related Activities on Campus - NACUA, NASPA & AACRAO Joint Webinar" on April 28, 2026, 12:00-12:30 p.m. (ET).

Visit AACRAO's Bookstore to shop for publications covering a variety of topics, including FERPA, SEM, Transfer, Admissions, Registrar, and more.

Subscribe

AACRAO's bi-weekly professional development e-newsletter is open to members and non-members alike.