(Gary Weingarden, Privacy Officer & Director IT Security Compliance | Published April 2025)

You probably aren’t interested in this, but the Family Educational Rights and Privacy Act (FERPA) was part of a legislative response to what the public saw as a “records prison”—data about your past tends to define you—which also generated a “dossier consciousness,” which had them focusing less on “what [they] are” than “what the record makes [them] out to be.” In other words, people were concerned about how much data various agencies and companies were gathering about them and how that data could be combined if shared among agencies. The databases and their owners were becoming a threat.

The result? The government hired Alan Westin to study the matter, which generated the Fair Information Practice Principles that he explained in a report called “Records, Computers, and the Rights of Citizens.” The following year, Congress passed privacy laws, including the Privacy Act and FERPA. Why should you care about this? The history probably doesn’t matter. But if you’re a student or work in education, you should know some things about FERPA.

What is FERPA and how does it work?

FERPA is a federal student privacy statute. It applies to “educational agencies” (er. . . schools) that receive federal funds. It works administratively. The government can order compliance, intercept payments, or disqualify violators from receiving future funding.

What rights do students have under FERPA?

Technically, FERPA gives rights to students and parents, but most of the rights shift to the student at age 18. FERPA gives students the right to:

1. Opt-out of disclosure of their information under the directory information exception to consent (I’ll explain this below).
2. Inspect their education records.
3. Amend information in their education records
4. Get an accounting of certain disclosures of their education records.

Let’s take a look.

What is “directory information” and what does an opt out do?

Let me back up for some context. FERPA starts by forbidding disclosure of student information without consent, subject to 16 exceptions. Consent isn’t required if the disclosure is made under one of the exceptions. And one of those exceptions is directory information.

Directory information, the law explains, is information “that would not generally be considered harmful or an invasion of privacy if disclosed.” The list includes some items for which attitudes may have shifted (photographs, date and place of birth, and address, for example). As the name suggests, directory information was meant to allow schools to publish directories of their students, unless they opt-out. Of course, things have changed since printed directories—schools have websites, sporting events are webcast, directories are now searchable databases. Directory information lets schools disclose information to support these features.

Attitudes about disclosing personal information have always varied, which is why FERPA allows students to opt out of having “any or all” of the categories of information about the student designated as directory information. What does that mean?

Remember, directory information is one of 16 exceptions to FERPA’s consent requirement. Opt-outs only apply to disclosures under the directory information exception—they don’t affect the other disclosures, which include things like disclosures to service providers and disclosures to government agencies. In other words, the impact of an opt-out is that your information won’t be disclosed in a directory or elsewhere under the directory information exception.

Inspection of Records

Students have the right to review their records and have them explained. There are some limitations, but this is a pretty broad right.

Amendment of Records

The right to inspect records enables another right: Students have the right to request the school to amend records that are inaccurate, misleading, or in violation of the student's rights of privacy. If the request is denied, students can ask for a hearing. If the result of the hearing is unfavorable, the student can add a statement to their record that explains why they think the record isn’t right. 

Accounting

Subject to multiple exceptions, school must record requests for, and disclosures of, student records. The exceptions are fairly broad, which limits the value of these accountings

What Tufts Does to Protect Your Privacy

At Tufts, opting out will have minimal impact because Tufts includes minimal information in the student directory, and the directory isn’t publicly available. You need to login to search it. Directory entries include name, username, college, major, class, and Tufts email address. By opting out, you’ll erase that entry, which will mean that Tufts students, faculty, and staff, won’t be able to view those details. The public can’t see the details to begin with. As one of my colleagues put it: You don’t have to opt-in for Tufts to care about your privacy.

Here are some additional details about how Tufts protects your privacy:

• We designed and continuously improve our security and privacy program with the best interests of our community to appropriately protect as well enable appropriate university functions.
•  We have information stewardship and acceptable use policies that set expectations on data handling, technology security, minimal access based on clear job or function purpose, and need to know, and we update them to as needed to comply with US and international laws.
• Have dedicated resources focusing on security, compliance and privacy Privacy Officer (Gary Weingarden, hey that’s me!), Chief Compliance Officer (Terra Dubois), Office of  Information Security (OIS) lead by Lorna Koppel.