Dear FERPA Professor,
I need your assistance; an Admissions file was inadvertently posted to a server where students could access the file. Directory information along with the students' admissions evaluation could be retrieved. Some of those listed students are currently enrolled and are aware that this file got out.
I believe that any student currently enrolled should be notified of the breach and the school's actions to ensure the information is no longer accessible. Could you please provide me with your professional opinion?
Thank you in advance,
Ms. Take
Dear Ms. Take
Contacting the students whose education records were disclosed and the actions the institution took in response to the posting is the appropriate thing to do, although not required by FERPA. Such an action will be helpful in the event one or
more of the students files a FERPA complaint with the U.S. Department of Education's Student Privacy Policy Office. However, § 99.32(a) of the FERPA regulations does require that the institution record the disclosure in the education record
of each student whose records were disclosed. You can find the above-cited language on page 163 of the 2012 AACRAO FERPA Guide.
I hope this is helpful in answering your questions.
The FERPA Professor