FERPA and Confidentiality
What every paraprofessional needs to know about student records, privacy, and what NOT to share
Why this brief
Paraprofessionals are simultaneously among the most-trusted and most-tested adults in a school for confidentiality. You know things – IEPs, BIPs, family situations, medical conditions, disciplinary history – that other staff and most outsiders don't know. You also have casual conversations all day with colleagues who don't work with the same students, with families at drop-off, with neighbors who happen to be parents at your school. The risk of accidental disclosure is real and constant.
This brief covers what FERPA actually says, what counts as a student record, what "need to know" means in practice, the most common mistakes paras make, and what to do when you're unsure.
| |
| :-: |
| The general rule of thumb: If a parent of a different student were standing next to you, would you say what you're about to say? If no, don't say it. That intuitive test catches most everyday confidentiality risks. The rest of this brief is the framework behind why. |
1\. What FERPA is
The Family Educational Rights and Privacy Act of 1974 is the federal law governing the privacy of student education records. It applies to every school that receives federal funding (which is virtually all public schools and many private ones). Three core ideas:
Parents have the right to inspect and review their child's education records. (Once the student turns 18 or enrolls in postsecondary, the rights transfer to the student.)
Schools must obtain written parent consent before disclosing personally identifiable information (PII) from education records, with limited exceptions.
"School officials with legitimate educational interest" is one of the major exceptions – staff members can access records they need to do their work without separate consent.
Two more anchors that matter for paras:
FERPA is a federal floor. State laws often add layers (more restrictive disclosure rules, longer retention requirements, special protections for student health information).
FERPA is enforced by the U.S. Department of Education. Violations can result in withdrawal of federal funding for the district. They can also become legal claims against individual staff members in some cases.
2\. What counts as a student record
FERPA's definition of "education records" is broad: any record maintained by the school or someone acting for the school that contains information directly related to a student. That includes more than transcripts.
| Yes – protected | Often confused |
| :-: | :-: |
| Grades, transcripts, report cards. | Personal observations not written down (technically not records, but disclosure is still ethically governed). |
| IEPs, 504 plans, BIPs, FBAs. | What you remember about the student (still confidential by professional standards). |
| Health records held by the school. | Medical records held by an outside provider (not a school record but generally confidential). |
| Disciplinary records. | Information overheard but not formally recorded. |
| Attendance records. | Public observations in shared spaces. |
| Counseling notes maintained by the school. | Sole-possession notes by a counselor for personal use only (a narrow FERPA exception). |
| Emails about a student saved by the school. | Personal emails between family members. |
| Photos and video of students taken in school context. | Photos a family voluntarily posts to social media. |
| Standardized test results. | |
| Special education evaluations and assessments. | |
Sole-possession notes – kept solely by an individual maker, not shared with anyone, used only as a personal memory aid – are a narrow FERPA exception. Once you share the note with anyone (including your supervising teacher), it likely becomes a record. Most paras' notes will be records.
3\. School officials with legitimate educational interest
This is the exception that lets you read what you need. FERPA permits the school to disclose education records to school officials with legitimate educational interest in those records, without parent consent. The district has to define both terms in its annual FERPA notice.
3.1 Who is a "school official"
Teachers, including special education teachers.
Paraprofessionals, instructional aides, classroom assistants.
Administrators.
Counselors, psychologists, social workers.
Related service providers (SLP, OT, PT) – including those contracted to the district.
School nurses.
Substitute teachers and paras.
In some districts, volunteers and student teachers performing school work.
3.2 What is "legitimate educational interest"
The information needs to be necessary to perform the school official's responsibilities. A para working with a specific student has legitimate interest in that student's IEP, BIP, and relevant educational records. The same para does not have legitimate interest in records for students they do not support, even if those students are in adjacent classrooms.
| |
| :-: |
| If you don't have access to records you need: The school is supposed to give you access to records that are necessary for your work. If your supervising teacher hasn't shared an IEP for a student you're supporting, ask. Most paras get told "you don't need to know" because of inertia or misunderstanding of FERPA, not because the law actually prohibits sharing. Ask explicitly: "For the students I'm working with this period, can I see the relevant parts of their IEPs?" |
4\. Sharing inside the school
FERPA permits sharing among school officials with legitimate educational interest. Practically, that means you can talk to:
The supervising teacher about a student you both support.
Other teachers who work directly with the student.
Related service providers on the student's team.
Administrators in the chain of supervision.
School nurse for health-related matters.
It does not mean you can talk to:
Other paras who don't work with that student.
Teachers in other grades or classrooms who don't have a role.
Cafeteria, custodial, or office staff in passing about a student's specifics – even though they may also be school officials, the legitimate educational interest test still has to be met.
Volunteers, parent helpers, or visitors.
Bus drivers, unless they need specific information to do their work safely (e.g., medical alerts).
4.1 The "need to know" question in practice
If you're in the staff lounge and a colleague who doesn't work with your student asks how that student is doing, the answer is "things are going," not "well, his BIP isn't really catching the morning escalations." The colleague does not have legitimate educational interest. Their curiosity does not satisfy FERPA.
5\. Sharing outside the school
Outside of staff with legitimate educational interest, the default is that personally identifiable information from education records cannot be disclosed without prior written parental consent. Some narrowly defined exceptions exist (school transfer, court order, emergency, financial aid, etc.) – those are managed by administration and the records office, not by paras. From your perspective, the rule is: don't share.
5.1 Common exposure points
| Setting | Risk |
| :-: | :-: |
| Drop-off and pickup conversations | Easy to drift from "good day" into specifics. Stay general; route substantive concerns to the supervising teacher. |
| Phone calls home | Use district communication channels. Don't call from personal phones; don't text from personal phones. |
| Outside the school building | Avoid talking about students in public places – restaurants, coffee shops, gyms, neighborhood. Even without names, identifying details can stack up. |
| Social media | Never post about specific students, even with names removed. Photos of students in your classroom posted to personal accounts are a clear FERPA violation. |
| Family conversations | Don't debrief at the kitchen table with names attached. "A kid I work with" can drift into identifiable detail quickly. |
| Friends who are also parents at your school | Particularly fraught. Friends ask, "What's going on with the X family?" The answer is "I can't talk about students." That sentence is the entire script. |
| Mutual professional contacts | If a private therapist or outside provider calls about your student, route them to the supervising teacher or case manager. Don't share without confirmation that consent is on file. |
5.2 When a parent calls or stops you
Parents of students you work with can ask you about their own child. Even there, deeper IEP-level questions belong to the supervising teacher or case manager. Day-of "how was she today" is fine. "Why didn't her speech minutes happen this week?" goes to the supervising teacher.
A parent of a different student is not entitled to information about your student. "How's that boy I always see in your hallway?" → "I'm not able to talk about other students. I hope your day is going well."
6\. Digital records and devices
6.1 Use district systems for student information
District email for student-related correspondence.
District grade book, IEP platform, behavior tracking system.
District-approved messaging tools for family communication.
6.2 Don't use personal accounts and devices for school records
Don't email student information to your personal email.
Don't take photos of student work or behavior on a personal phone.
Don't store IEPs, BIPs, or data sheets in personal cloud accounts.
Don't use personal social media to communicate about students or families.
Don't use personal text or DM with families.
| |
| :-: |
| "Just this once" doesn't exist: Many paras have texted a family from a personal phone in a moment of necessity – sometimes with the supervising teacher's blessing. The risk is real even when nothing bad happens, because a personal phone is not under the district's control, isn't subject to records retention, and creates a parallel communication channel that the rest of the team doesn't see. Even when a one-time exception happens, document and route forward. |
7\. What absolutely doesn't get shared
The fact that a student has an IEP. (Yes – even existence of an IEP is protected.)
Specific eligibility category.
Behavior plan content.
Disciplinary history.
Health conditions or medical history.
Family situation, custody arrangements, foster care status.
Counseling or psychological evaluation content.
Names of other students involved in incidents.
Test scores, especially with names attached.
Photos identifying a student in a school context, posted to anyone outside the team.
8\. When confidentiality is overridden
There are situations where the duty to protect a student overrides the duty to keep information confidential. The big ones for paras:
8.1 Mandated reporting
If you have reasonable suspicion of child abuse or neglect, you must report – and that obligation overrides FERPA. The CPS interview, the reporting process, the documentation are all permitted. (See brief 13.02 for full mandated reporting protocol.)
8.2 Imminent safety
If a student is in imminent danger or threatening serious harm, FERPA permits disclosure to appropriate parties (911, parents, others who can intervene). FERPA's emergency exception is narrow but real.
8.3 Court order or subpoena
If you receive a subpoena or court order regarding a student, do not respond personally – route to the district's legal counsel. They handle these.
8.4 Suicide and self-harm risk
If a student discloses suicidal ideation or self-harm intent, the safety override applies. Notify the school counselor, supervising teacher, and (per district protocol) family. Don't keep the disclosure secret because the student asked you to. (See brief 05.17.)
| |
| :-: |
| "I won't tell anyone" is not a promise to make: Before a student starts to disclose, if you can sense the topic is heavy: "I'm someone whose job is to keep you safe. I might need to talk to other people whose job is also to keep you safe. I won't talk to anyone who doesn't need to know." That gives the student honest information about how confidentiality works in your role and avoids the worse outcome of breaking a promise. |
9\. What happens when FERPA is violated
FERPA enforcement is at the institutional level – most often the consequence is a corrective action plan, training requirements for staff, and sometimes the threat of withdrawal of federal funding. Individual staff members are typically not personally fined, but FERPA violations can:
Lead to district disciplinary action against the individual.
Become evidence in civil suits brought by families.
Damage trust between the team and the family for years.
Get covered in local press, especially when high-profile.
In practice, the most common consequences for paras who violate FERPA are: a serious conversation with the supervising teacher and admin, mandatory retraining, and a note in the personnel file. Repeat or egregious violations can lead to termination. The bigger risk is usually the family relationship – once trust is broken, it's hard to rebuild.
10\. Common scenarios – what to do
| Situation | Response |
| :-: | :-: |
| A colleague who doesn't work with your student asks how the student is doing. | "Things are going." Move the conversation. If they press, "I really can't talk about students outside the team." |
| A parent at pickup mentions another student by name and asks if they're "the one with the issues." | "I can't talk about other students. How was your day?" |
| A family member texts your personal phone with a question about their child. | Reply once: "Hi\! I'd like to keep school communication on our school channels. Can we move this to email or the parent portal?" Document the contact. Bring it to the supervising teacher. |
| A neighbor who turns out to be a parent at your school strikes up a conversation about your day. | Talk about anything except students. "It was a busy day, lots going on." Don't volunteer school stories. |
| A teacher in a different grade asks for tips on a student they'll have next year. | Refer them to the supervising teacher or case manager – "You should talk to Ms. Allen about him." Sharing during the transition is appropriate; you're not the right person to be the channel. |
| You witness another staff member sharing student information inappropriately. | If it's a one-time slip, a quiet word might be enough. If it's a pattern, raise it with the supervising teacher or admin. (See brief 13.05.) |
| A family asks you not to share something with the supervising teacher. | "I work as part of a team, and Ms. Allen needs to know things that affect your child's day. Anything you tell me, I'll need to be able to share with the team if it's relevant." |
| A student tells you something about another student. | Listen, don't interrogate, route forward to the supervising teacher and counselor as appropriate. Don't share student-to-student gossip. |
11\. Common pitfalls
Treating private conversations with another teacher as automatically permitted. Other teachers are school officials, but legitimate educational interest is the test.
Using personal devices for school business.
Posting photos of students on personal social media – even without names.
"Venting" at home with names attached.
Acknowledging information you have to people who don't have a right to it ("I shouldn't say, but…").
Sharing in a public space (restaurant, coffee shop, gym, parking lot).
Talking with a parent about what other students are doing in the room.
Promising confidentiality to a student before knowing what's being disclosed.
Storing student data in personal accounts "because it's easier."
Forwarding district email containing PII to a personal email.
Not raising a concern up the chain because "it's not really my business."
12\. Resources
U.S. Department of Education – Student Privacy Policy Office – studentprivacy.ed.gov – Federal FERPA resource hub.
FERPA – Protecting Student Privacy – ed.gov FERPA – Plain-language overview.
FERPA Frequently Asked Questions – studentprivacy.ed.gov/faq – Practical Q\&A for educators.
Privacy Technical Assistance Center – studentprivacy.ed.gov/training – Free training modules and webinars.
WIN – WAVES SmartStart: FERPA Essentials for Paraprofessionals – wyominginstructionalnetwork.com – Para-specific FERPA primer (Wyoming, generalizable).
Brief 13.02 – Mandated Reporting – this library – When safety overrides confidentiality.
Brief 13.03 – Dual Relationships and Social Media – this library – Boundary-setting around digital exposure.