The Family Educational Rights and Privacy Act (FERPA) is the federal law governing student education records. For teachers adopting classroom technology, understanding FERPA isn't optional — it shapes what tools you can use, what data can go where, and what you need from vendors.
This isn't legal advice. It's a practical primer for classroom decision-making.
What FERPA actually protects
FERPA covers "education records" — any record maintained by a school that contains personally identifiable information about a student. This includes:
- Grades and test scores
- Attendance records
- Disciplinary records
- Disability or accommodation status
- Contact information when linked to the above
FERPA does not protect:
- A teacher's personal observations not shared with anyone else
- Information that's truly anonymous (no way to identify the student)
- Directory information that the school has designated publicly shareable (names, grade level) — unless a parent has opted out
The "school official" exception
FERPA prohibits sharing education records without parental consent, but has an important exception: sharing with a "school official with legitimate educational interest."
Software vendors can qualify as school officials under this exception if they:
- Perform a service the school would otherwise perform
- Are under the school's direct control regarding record use
- Use the records only for the authorized purpose
- Don't re-disclose the records to others
This is how any education technology — LMS, gradebook, assessment platform — can process student data at all. The vendor acts as an extension of the school.
What this means for choosing tools
Before adopting a classroom tool that touches student data, check:
1. Does the vendor sign a Data Privacy Agreement (DPA)? Most districts have a standard DPA that codifies the school official relationship. The vendor must be willing to sign it.
2. Does the vendor comply with FERPA? Look for explicit FERPA-compliance statements in their privacy documentation. PaperScorer, for example, publicly states FERPA readiness.
3. What data is collected? Minimize: a tool should collect the least data needed to function. A grading tool needs student identifiers and scores; it probably doesn't need home addresses or parent phone numbers.
4. Who else can access the data? The vendor's subprocessors (cloud hosting, email providers, analytics) must also be bound to appropriate privacy terms.
5. Where is data stored? Some districts have requirements about domestic data storage (US-only). Verify this if applicable to your district.
6. How is data deleted? Schools can request deletion of student records when a student leaves. Vendors should have a clear process for this.
The sign-up trap
Never sign up for a new classroom tool using a personal or student email and then load real student data into it. This sidesteps district procurement and often violates both FERPA and district acceptable use policies. Use the tool with dummy data until it's formally approved, or route the procurement through your district.
What gets teachers in trouble
Common FERPA missteps:
- Sharing grade data in a Google Sheet that other teachers can access without authorization
- Discussing student performance by name in a professional learning community or with non-teaching staff who don't have educational interest
- Using personal email to forward student data to colleagues
- Using unvetted apps that require student account creation, especially with minimum-age concerns (COPPA for under-13)
- Posting student work publicly (even celebratory) without parental consent
Most of these are inadvertent. None of them are harmless.
Parental rights under FERPA
Parents (and students 18+) have the right to:
- Inspect their student's education records
- Request corrections of inaccurate information
- Consent to disclosure beyond the permitted exceptions
- File a complaint with the Department of Education's Student Privacy Policy Office
When parents make a records request, schools have 45 days to respond. For a classroom tool, this might mean the vendor needs to export the student's data on request.
Practical checklist for classroom tools
Before adopting a new tool
- Does the tool require student accounts? If so, is it age-appropriate (COPPA if under 13)?
- Does the vendor sign a district Data Privacy Agreement?
- Is FERPA compliance publicly stated?
- Can you export or delete student data on request?
- Is the data encrypted in transit and at rest?
- Where is student data stored (US / EU / globally)?
- What are the vendor's subprocessors, and are they also bound to the same privacy terms?
- Has district IT or legal reviewed this tool?
What to look for in privacy documentation
A serious vendor has a dedicated privacy page covering:
- FERPA and COPPA compliance statements
- Data retention and deletion policies
- Encryption practices (in transit + at rest)
- Audit and certification status (SOC 2 is common; ISO 27001 for larger deployments)
- Subprocessor list
- Breach notification commitment
If a vendor can't produce this, that's a signal.
The FERPA-ready answer
For PaperScorer specifically: SOC 2 compliant, FERPA ready, encrypted data, US hosting (Linode/AWS), clear deletion policy, signs district DPAs. This is the standard you should expect of any assessment vendor — if a tool falls short on these, either ask for upgrades or use a different tool.
When in doubt
If you're uncertain whether a specific tool or practice is FERPA-compliant, ask your district's legal or data privacy officer. Every district has someone. That person's job is to give you a clear answer — better to ask than to find out via a privacy incident.
