
Legalities Governing Information Security in Higher Education: FERPA

Family Education Rights and Privacy Act

FERPA is considered to be the underpinning law for educational institutions. FERPA is a federal privacy law that aims to protect the privacy of student education records, to provide students with rights to inspect and contest their records, and to provide guidelines for dealing with inaccurate data by means of formal and informal hearings. The law is applicable to any institution that receives funds under the U.S. Department of Education.

Students and/or parents have the right to inspect their educational records and to request correction of data reflected in the educational records. Moreover, educational institutions are prohibited from disclosing information about students without written permission. FERPA defines a student record as any record relating to the student maintained by the organization. Non-directory information, such as birth date, religion, citizenship, gender, GPA, student ID, marital status, and grades, is protected under FERPA. Conversely, directory information, such as name, address, email address, telephone number, major, dates of attendance, and degrees and awards achieved, is excluded from the protection granted by FERPA.

Directory information is defined by FERPA as information contained in the education records that would not be considered harmful or an invasion of privacy if disclosed. This vague definition should be narrowed down or more precisely defined by the academic institution’s policies. With the given definition, a student’s email address could be given out to a malicious inquirer, who in turn might send spam or junk mail to the students. A local education agency “may, but does not have to, include all the information listed” above (U.S. Department of Education). With this in mind, it is important for policy makers to consider what kind of student directory information to provide to the public. While directory information is not protected under FERPA, the act could potentially be interpreted to impose liability on an academic institution that neglected to effectively protect student records (non-directory information) from unauthorized access.