top of page

FERPA, a Brief Overview for School Organizations

Updated: May 26, 2023

With millions more students relying on online tools for virtual education, we must be extra diligent in maintaining students’ data privacy. As a PTA or PTO leader, you play a large role. Did you know that even the title of the photos the parent-teacher association posts on FB could be subject to data privacy laws? The federal law in this area is the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. Here is a brief overview of FERPA, based on a recent episode of The Multipurpose Room, so you can spot any issues and create policies to keep you within FERPA.

Large library

Source (FERPA)

FERPA – The Basics

FERPA, or the Family Educational Rights and Privacy Act, is a law that was passed in 1974 aimed at protecting student privacy. It must be kept top of mind for elementary, middle, and high schools as it can also affect school funding received from the U.S. Department of Education.

Who Needs to Worry about FERPA?

In short, the educational leaders should be aware of FERPA: the school administrators, teachers, and PTA and PTO leaders. In addition, parents also need to be in the loop.

We can look at each of these and their role in FERPA in more detail:


FERPA gives parents access to their child's records, with jurisdiction to view and edit them. These records typically include the child’s name, address, date of birth, contact details, assessments, grades, and pictures. It can even include handwriting, but of course, the most important components are any details that could help identify the child, as these need to be the most well-protected.

School Administrators

A lot of the work that school administrators do about FERPA is with the parents. They are responsible for informing parents of the existence of FERPA annually, usually through formal notices. Administrators must also guide parents about their directory policy (using information related to students) and their release policy (using the student’s name and photographs in regular school events). Parents have the option of having their child opt out of any or both of these policies and so it is essential that school administrators take this permission.

Additionally, school administrators also have to oversee contracts that the school has with any organizations that may have access to student records. In 2020, with the shift to virtual education, this has come up with new technology providers now supporting schools. While FERPA demands prior written consent before any student information is shared, it does carry an exception where a third party is offering an extension of the school’s educational services. However, schools should ensure any providers meet the exception criteria before contracting. In addition, in those contracts, the school should ensure there are clauses covering the confidentiality of protected information and the safe disposal of said information upon termination of the agreement.

PTA and PTO Leaders

The first thing that PTA and PTO leaders need to be aware of is that the school’s directory policy impacts them. This means that parents who have decided to opt out of the directory cannot be contacted by the PTA or PTO. PTAs and PTOs should always publicize how parents can sign up to receive the PTA information directly so that parents who have opted out of the directory can “opt-in” to receive PTO information. In addition, PTA and PTO leaders should look at ways parents can receive this information in other ways. For example, keeping their website updated or having a Facebook group can ensure all stay informed.

Concerning PTA or PTO actions that FERPA may cover, social media posting is the most common. PTAs and PTOs should have a social media policy compliant with FERPA. For example, posting photos of children and classrooms with children’s work are allowed only if parents have signed a photo release with the school. In addition, any tags that include children’s names or even the metadata of a photo that includes a child’s name may be covered. So, things such as pictures, videos, names, and handwriting should all be avoided unless they’ve been authorized by the parent in the form of written consent. In addition, there should be a mechanism by which the social media administrator receives photo release information from the school.

Although not an onerous law, it is key to be aware of it. Some great guides from the US Department of Education include an FAQ and a position statement by the National PTA. When in doubt, connect with your school district, as they are well-versed in this law and can help.


bottom of page