FERPA Compliance for After-School Programs: A Practical Checklist
Everything after-school program administrators need to know about protecting student data under the Family Educational Rights and Privacy Act.
The Family Educational Rights and Privacy Act (FERPA) applies to all educational agencies and institutions that receive federal funding, including after-school programs operated by or on behalf of schools. Under FERPA, after-school programs must protect the confidentiality of student education records, obtain written consent before disclosing personally identifiable information (PII), and grant parents the right to inspect and review their child's records. Programs that fail to comply risk losing federal funding and face potential legal liability.
For after-school program administrators, FERPA compliance comes down to three core obligations: know what data you collect, control who can access it, and document your policies in writing. This guide provides a practical, step-by-step approach to meeting each of these requirements.
What Is FERPA and Does It Apply to Your Program?
FERPA is a federal law enacted in 1974 (codified at 20 U.S.C. § 1232g, with implementing regulations at 34 CFR Part 99) that protects the privacy of student education records. The law applies to any educational agency or institution that receives funds under any program administered by the U.S. Department of Education. This includes public school districts, charter schools, and — critically for this guide — programs that operate under the authority of these institutions.
If your after-school program is operated by a school district, housed within a school building, or receives student data from a school under a formal agreement, FERPA almost certainly applies to you. The key question is not whether your program directly receives federal funds, but whether you handle education records that originate from an institution that does. A community-based organization running an after-school enrichment program in a public school, using student rosters provided by the school, is handling FERPA-protected data even if the organization itself receives no federal education funding.
Programs that are entirely independent of any school district — for example, a private tutoring company that enrolls students directly through parents without accessing school records — are generally not subject to FERPA. However, the moment that company enters into an agreement with a district and begins receiving student data, FERPA obligations attach. It is also important to note that even programs not covered by FERPA may be subject to state student privacy laws, which in many states impose requirements that are equal to or more stringent than FERPA.
The School Official Exception — When You Can Share Data Without Consent
FERPA generally requires prior written consent from a parent or eligible student before an educational institution discloses personally identifiable information from education records. However, one of the most important exceptions for after-school programs is the "school official" exception under 34 CFR § 99.31(a)(1). This provision allows a school to disclose education records without consent to school officials — including contractors, consultants, and volunteers — who have a legitimate educational interest in the information.
To qualify for this exception, your program must meet specific conditions. First, the school or district must have designated your program's staff as "school officials" in its annual FERPA notification to parents. Second, there must be a written agreement or contract between your program and the school that specifies the services you provide and the data you need to provide them. Third, your access to student data must be limited to what is necessary for the legitimate educational interest — you cannot access the full academic record of every student in the school if you only serve 40 students in an after-school math program.
The school official exception does not eliminate your obligations. It simply means that the school can share records with you without obtaining individual consent from each parent. Once you receive those records, you are bound by the same confidentiality requirements as the school itself. You cannot re-disclose the information to third parties without consent, and you must implement appropriate safeguards to protect the data. If your staff member mentions a student's grades to the student's neighbor at a community event, that is a FERPA violation regardless of how your program originally obtained the grade information.
What Data Is Protected Under FERPA?
FERPA protects "education records," defined as records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution. This definition is broader than many administrators realize. It encompasses not just report cards and transcripts, but any record containing information that can be used to identify a student — either directly or through combination with other information.
For after-school programs, protected data typically includes: student names and contact information, parent or guardian names and contact information, dates of birth, student ID numbers, attendance records, behavioral incident reports, academic performance data shared by the school, health and allergy information, special education or accommodation status, free and reduced lunch eligibility, photographs and videos of identifiable students, and any notes or observations about individual students maintained by program staff. Even a sign-in sheet that lists student names and the times they arrived constitutes an education record if maintained by or on behalf of the school.
There is one important carve-out: "directory information." Schools may designate certain categories of student information as directory information (such as name, address, phone number, and grade level), which can be disclosed without consent unless a parent has opted out. However, your program should not assume that directory information is freely shareable. The school's directory information policy — including which categories are designated and which parents have opted out — must be verified before relying on this exception. In practice, the safest approach is to treat all student information as protected unless you have confirmed otherwise with the school.
Parental Rights Under FERPA
FERPA grants parents (and eligible students who are 18 or older) three fundamental rights regarding education records. First, they have the right to inspect and review their child's education records within 45 days of making a request. Second, they have the right to request amendment of records they believe are inaccurate, misleading, or in violation of the student's privacy rights. Third, they have the right to consent to disclosures of personally identifiable information, except in cases where FERPA authorizes disclosure without consent.
As an after-school program administrator, you must be prepared to fulfill these rights for any records your program maintains. When a parent requests to see their child's attendance records, behavioral reports, or any other documentation your program has created or received, you must provide access within 45 days. You are not required to provide copies automatically — but you must do so if circumstances (such as distance) would effectively prevent the parent from exercising their right to inspect the records. You may charge a reasonable fee for copies, but you may not charge a fee for searching for or retrieving the records.
If a parent requests an amendment to a record and you decline, FERPA requires that you inform the parent of their right to a hearing. This process can feel unfamiliar for after-school programs, but it is a legal obligation. Establish a simple, documented process for handling amendment requests before one arrives. Note that the right to request amendment does not extend to grades or other evaluative judgments — a parent cannot use FERPA to challenge a grade, only to correct factual inaccuracies such as a misspelled name or incorrect date.
In cases of divorce or separation, FERPA rights belong to both parents unless a court order, state statute, or legally binding document specifically revokes one parent's rights. Your program should collect and retain copies of any relevant custody documents and train staff to handle requests from non-custodial parents appropriately. When in doubt, consult with the school district's FERPA officer before denying a parent access to records.
FERPA Compliance Checklist for After-School Programs
The following checklist covers the six essential areas of FERPA compliance for after-school programs. Use this as both a planning tool and an audit framework. Each item represents a specific, verifiable action your program should complete and document.
1. Written Data Governance Policy
A written data governance policy is the foundation of FERPA compliance. This document should define what student data your program collects, why it is collected, who is authorized to access it, how it is stored, and when it is destroyed. The policy should be reviewed and updated at least annually, and a copy should be available to parents upon request.
2. Access Controls and Authentication
FERPA requires that access to education records be limited to individuals with a legitimate educational interest. This means your program must implement both physical and digital access controls. Paper records should be stored in locked cabinets in areas not accessible to unauthorized individuals. Digital records require authenticated access with role-based permissions so that staff members can only view the data they need for their specific responsibilities.
3. Staff Training
The most common cause of FERPA violations in after-school programs is not a system failure — it is a staff member who does not understand what they can and cannot share. Every individual who has access to student education records must receive FERPA training before they begin accessing records, and refresher training at least annually thereafter. Training should be practical and scenario-based, not a lecture on legal definitions.
4. Vendor and Technology Agreements
Any third-party software, platform, or service that your program uses to store, process, or transmit student data is subject to FERPA requirements. This includes attendance tracking systems, communication platforms, cloud storage providers, and even email services if they contain student information. Each vendor must have a written agreement that addresses FERPA obligations — verbal assurances and privacy policy links on a website are not sufficient.
5. Incident Response Plan
A data breach involving student records requires a swift, organized response. While FERPA itself does not prescribe specific breach notification timelines (unlike HIPAA or many state data breach laws), many states have enacted student data breach notification requirements that do impose deadlines. Regardless of your state's requirements, having a documented incident response plan demonstrates due diligence and helps you contain the damage quickly.
6. Annual Parent Notification
FERPA requires that schools provide annual notification to parents regarding their rights under the law. If your program is operated by or on behalf of a school district, this notification obligation may be fulfilled by the district. However, it is a best practice — and increasingly a requirement under state laws — for after-school programs to provide their own notification that specifically addresses the program's data practices. This transparency builds trust with families and reduces the risk of complaints.
Common FERPA Mistakes in After-School Programs
Understanding what not to do is often as valuable as knowing what to do. The following mistakes are the ones most frequently encountered in after-school programs, and each has resulted in real FERPA complaints or findings of non-compliance.
Sharing student information in group communications. Sending an email to all parents that lists which students were absent, had behavioral issues, or received academic support discloses protected information to unauthorized recipients. Communications about individual students must go only to that student's parent or guardian. Similarly, posting a list of students who achieved a goal on a bulletin board visible to visitors may constitute an unauthorized disclosure if academic performance data is involved.
Using personal devices and consumer apps for student data. When staff members photograph students on personal phones, text attendance updates through consumer messaging apps, or store student lists in personal cloud accounts, the program loses control of FERPA-protected data. These practices create records in locations that the program cannot monitor, secure, or delete. Establish clear policies that require all student data to be stored and transmitted through program-approved systems only.
Failing to execute written agreements with the school. Many after-school programs operate under informal arrangements with schools, receiving student rosters and grade information without a written agreement specifying the terms of data sharing. Without this agreement, the school lacks the legal basis to share records with your program under the school official exception, and your program lacks documentation of its authority to possess the data. This is one of the most common compliance gaps and one of the easiest to close — but it requires proactive action on the part of the program administrator.
Retaining data indefinitely. Programs that never delete student records accumulate risk over time. Every record you retain is a record that could be breached, improperly accessed, or subject to a parent records request. Define clear retention periods aligned with your operational needs and your district's policies, and enforce them consistently. When a student leaves your program and the retention period expires, delete their records — including backups and copies in vendor systems.
Technology and FERPA: Choosing Compliant Software
The software your program uses to manage student data is not a neutral tool — it is a critical component of your FERPA compliance posture. Choosing the wrong platform can expose your program to liability even if your policies and training are otherwise excellent. When evaluating software for your after-school program, FERPA compliance should be a threshold requirement, not a nice-to-have feature.
At a minimum, any software that handles student data should provide: encrypted data storage and transmission, role-based access controls that limit each user to the data they need, audit logging that records who accessed what data and when, the ability to export and delete data upon request, and a signed data processing agreement that addresses FERPA obligations. The vendor should be willing to explain in plain terms where your data is stored, who at the vendor company can access it, and what happens to your data if you terminate the relationship.
Be wary of free consumer tools. Products like free email services, free file sharing platforms, and social media tools may mine user data for advertising purposes — a practice that is incompatible with FERPA when the data in question belongs to students. The convenience and cost savings of free tools do not outweigh the compliance risk. Purpose-built education technology platforms are more likely to offer the controls and agreements you need, though you should still verify rather than assume compliance.
Finally, remember that compliance is not a one-time evaluation. Software vendors update their products, change their terms of service, and occasionally get acquired by other companies. Review your vendor agreements annually and whenever you receive notice of changes to a vendor's terms. If a vendor will not provide a written FERPA compliance commitment, that is a clear signal to look elsewhere.
Frequently Asked Questions
Does FERPA apply to after-school programs that are not run by the school district?
It depends on the relationship. If your program operates under a contract or agreement with a school district and receives student records from the district, you are likely acting as a school official and must comply with FERPA. Independent programs that have no formal relationship with a school district and do not access education records from the district are generally not covered, though state privacy laws may still apply.
Can we use a student's photo in our program newsletter without parent consent?
Only if the school or district has designated photographs as directory information AND parents have not opted out of directory information disclosures. If photos are not designated as directory information, you need prior written consent from the parent or eligible student before publishing them in newsletters, social media, or marketing materials.
What should we do if a parent asks to see their child's attendance records?
Under FERPA, parents have the right to inspect and review their child's education records within 45 days of making a request. You should acknowledge the request in writing, arrange a time for the parent to review the records, and provide copies if requested (you may charge a reasonable copying fee). You cannot refuse the request or require the parent to explain why they want to see the records.
Do volunteer tutors and mentors need to be trained on FERPA?
Yes. Any individual who has access to student education records in the course of their duties — including volunteers — should receive FERPA training appropriate to their role. Volunteers who only interact with students but never access records may not need full training, but should still understand that they cannot photograph students or share identifying information about students outside the program.
Is a student's allergy or medical information protected under FERPA?
Medical and health records maintained by the school or program as part of the student's education record are protected under FERPA. This includes allergy information, medication logs, and health-related accommodations. However, records maintained by a school nurse or physician that are used solely for treatment purposes may be exempt. When in doubt, treat all student health information as protected.
How long do we need to retain student records after they leave the program?
FERPA does not mandate a specific retention period, but it does require that you maintain records of all disclosures of personally identifiable information for as long as the education records themselves are maintained. Most states have their own record retention requirements for educational records, typically ranging from three to seven years. Check your state's requirements and your district's retention schedule to determine the appropriate period for your program.