FERPA Compliance: How Schools and Universities Redact Student Records

The Family Educational Rights and Privacy Act (FERPA) is the federal law governing the privacy of student education records. Every school that receives federal funding — from elementary schools to major research universities — must comply with FERPA when sharing, releasing, or transferring student records.

Redaction is central to FERPA compliance. When education records must be shared for legitimate purposes — legal proceedings, audits, research, inter-agency coordination, or public records requests — student-identifying information often must be removed first.

This guide covers what FERPA requires, what information must be redacted, and how schools can handle redaction efficiently.

What Is FERPA?

FERPA (20 U.S.C. § 1232g) protects the privacy of student education records. It applies to all educational agencies and institutions that receive funding under any program administered by the U.S. Department of Education — which includes virtually every public school and most private institutions.

Under FERPA, schools generally cannot disclose personally identifiable information (PII) from education records without the written consent of the parent (for students under 18) or the eligible student (students 18 and older).

There are exceptions — situations where records can be shared without consent — but even under these exceptions, schools must often redact identifying information to limit disclosure to what is necessary.

FERPA Penalties

FERPA is enforced by the U.S. Department of Education's Family Policy Compliance Office. Violations can result in:

Loss of federal funding eligibility
Formal complaints and investigations
Corrective action requirements
Public reporting of violations

While FERPA does not provide a private right of action (students and parents cannot sue directly for violations), schools face significant institutional risk from non-compliance.

What Information Does FERPA Protect?

Education Records

FERPA protects "education records" — records that are directly related to a student and maintained by an educational agency or institution. This includes:

Transcripts and grade reports
Student disciplinary files
Financial aid records
Enrollment and attendance records
Special education records (IEPs, evaluations)
Counseling records (when part of the education record)
Student health records maintained by the school
Admissions records
Class schedules
Student ID numbers

Personally Identifiable Information in Education Records

When redaction is required, FERPA defines personally identifiable information to include:

Student name
Parent or family member names
Student address
Personal identifiers such as Social Security number or student ID number
Indirect identifiers such as date of birth, place of birth, or mother's maiden name
Other information that, alone or in combination, is linked or linkable to a specific student and would allow identification
Information requested by a person who the school reasonably believes knows the identity of the student

This last category is important — even information that seems non-identifying can be PII under FERPA if combined with other available information it could identify a specific student.

Directory Information Exception

Schools may designate certain information as "directory information" that can be disclosed without consent — typically the student's name, address, phone number, email, dates of attendance, degrees received, and participation in activities. However, parents and eligible students must be given the opportunity to opt out of directory information disclosure.

When a student has opted out, even their name becomes protected PII requiring redaction.

When Schools Need to Redact Records

Subpoenas and Court Orders

Schools may be required to produce education records in response to subpoenas or court orders. Under FERPA's judicial order exception (34 CFR § 99.31(a)(9)), schools can comply but must:

Make a reasonable effort to notify the parent or eligible student before disclosure (unless the court order specifically prohibits notification)
Redact information about other students that appears in the requested records

For example, if a court orders production of a classroom incident report, information about other students involved in the incident must be redacted.

Auditing and Evaluation

State and federal auditors, evaluators, and researchers may access education records under FERPA exceptions. However, the disclosure is limited to what is necessary for the audit or evaluation purpose. Records shared for auditing must have information about non-relevant students redacted.

Research

FERPA permits disclosure of education records for research purposes under specific conditions, including studies conducted on behalf of the school to improve instruction. However, PII must be redacted unless the research agreement includes specific data security requirements and the study cannot be conducted with de-identified data.

Public Records Requests

Public schools are subject to state public records laws (state FOIA equivalents). When education records are responsive to a public records request, FERPA-protected PII must be redacted before release. This creates a frequent tension — the public records law requires disclosure, while FERPA requires privacy — resolved by redacting student-identifying information from the released documents.

Transfer of Records Between Schools

When students transfer, FERPA allows schools to share education records with the receiving institution without consent. However, if the transferred records contain information about other students (such as group incident reports or collaborative assignment records), that information must be redacted.

Parental and Student Requests

Parents and eligible students have the right to inspect and obtain copies of education records. When a requested record contains information about other students, that information must be redacted before the record is provided.

What to Redact for FERPA Compliance

When preparing education records for disclosure, redact:

Always Redact (Unless Consent Obtained)

Student full names (of non-relevant students)
Social Security numbers
Student ID numbers
Dates of birth
Home addresses
Parent/guardian names and contact information
Photos that identify students

Redact When Combined Information Could Identify

Gender (when class size is small)
Race/ethnicity (when class size is small)
Grade level combined with other identifiers
Disability status or special education classification
Disciplinary actions when combined with other identifying details

Context-Dependent Redaction

Course grades (when the record format could identify the student)
Attendance records (when individually identifiable)
Financial aid amounts (when individually identifiable)
Behavioral incident details that could identify students

The key question is always: could this information, alone or in combination with other reasonably available information, identify a specific student?

How to Redact Student Records Efficiently

The Challenge of Volume

Schools generate enormous volumes of records. A mid-size school district might handle dozens of records requests per month, each involving hundreds of pages. Manual redaction at this scale is impractical — a single records request could consume days of staff time.

AI-Powered Redaction for Education

AI-powered tools like AI-Redact dramatically reduce the time required:

Upload the education records (PDF format)
AI detection automatically identifies student names, SSNs, dates of birth, addresses, ID numbers, and other PII
Review the detections — confirm which items to redact based on the specific FERPA exception being applied
Apply permanent redaction
Download the FERPA-compliant redacted records

What takes hours manually takes minutes with AI-powered detection. The AI catches instances that human reviewers miss — a student name mentioned in a footnote, a parent's phone number in a header, a student ID embedded in a table.

For more on how AI detection works, see our AI redaction explainer.

Batch Processing for Large Requests

When a records request involves dozens or hundreds of documents, batch processing lets you upload and process all documents in a single workflow rather than handling them one at a time. AI-Redact's Pro tier includes batch processing for exactly this scenario.

Maintaining an Audit Trail

FERPA compliance requires schools to maintain a record of each disclosure from a student's education record — who received the information, their legitimate interest, and the date. Redaction software that generates audit trails supports this requirement automatically.

Best Practices for FERPA Redaction

Create Written Redaction Guidelines

Develop a written guide for your institution that specifies:

What information is always redacted (SSNs, student IDs)
What information is redacted based on context (names, when directory info opt-out applies)
Who is authorized to make redaction decisions
What QC process is followed before documents are released

Written guidelines ensure consistency across staff members and create a defensible record of your compliance approach.

Use Proper Redaction Software

Never use black boxes, white-out tools, or text color changes to hide student information. These methods do not actually remove the data from the document — anyone can extract the hidden text. Use dedicated redaction software that permanently removes information from the file structure.

Verify Before Releasing

After applying redaction, verify the result:

Try selecting text in redacted areas (nothing should be selectable)
Search for known student names (nothing should be found)
Check document metadata for student information

For detailed verification steps, see our guide on how to redact documents.

Train Your Staff

Records custodians, registrars, and administrative staff who handle records requests need training on:

What constitutes PII under FERPA
How to use the redaction tools
How to verify redacted documents
How to maintain disclosure records

Implement a Consistent Workflow

Standardize your process:

Receive request → determine FERPA exception → identify responsive records
Review records → identify PII requiring redaction
Apply redaction using approved tools
QC review → verify redaction
Release → log disclosure

FERPA vs. Other Privacy Laws

FERPA vs. HIPAA

Student health records maintained by a school are generally covered by FERPA, not HIPAA. However, records created by a school's health clinic that also serves non-students may be subject to both. When HIPAA applies, the more restrictive requirement governs.

For HIPAA-specific redaction guidance, see our HIPAA redaction guide.

FERPA vs. State Privacy Laws

Many states have education privacy laws that impose additional requirements beyond FERPA. California's Student Online Personal Information Protection Act (SOPIPA), New York's Education Law § 2-d, and similar state laws may require additional protections. Schools must comply with both federal and state requirements.

FERPA and Special Education (IDEA)

The Individuals with Disabilities Education Act (IDEA) adds confidentiality requirements for special education records. When redacting records that include IEPs, evaluations, or related services documentation, additional sensitivity is required around disability-related information.

Frequently Asked Questions

What student information must be redacted under FERPA?

Any personally identifiable information from education records must be redacted when sharing records outside permitted exceptions. This includes student names, SSNs, student IDs, dates of birth, addresses, parent names, and any information that could identify a specific student alone or in combination.

Can schools use AI tools to redact student records?

Yes. AI-powered redaction tools that meet appropriate security standards can be used for FERPA redaction. Look for SOC 2 certification and zero data retention policies. AI-Redact meets these requirements and detects the PII categories relevant to education records.

How long does FERPA redaction take?

Manual redaction of education records can take 30-60 minutes per document. AI-powered tools reduce this to 3-5 minutes per document through automated detection of student PII.

Do private schools need to comply with FERPA?

FERPA applies to schools that receive federal funding. Most private K-12 schools do not receive direct federal funding and are therefore not subject to FERPA, though private universities typically are (through federal financial aid programs).

What happens if a school violates FERPA?

The U.S. Department of Education can investigate complaints and require corrective action. Repeated or severe violations can result in loss of federal funding eligibility.