FERPA (the Family Educational Rights and Privacy Act) requires Washington state school districts to protect the privacy of student education records, control who can access those records, and ensure that all technology vendors handling student data meet specific contractual and security obligations. For IT teams and administrators, this means implementing access controls, encrypting student data, vetting every edtech vendor, and maintaining audit-ready documentation — or facing loss of federal funding.
What Is FERPA and Who Does It Apply To?
FERPA is a federal law that protects the privacy of student education records. It applies to every educational institution that receives funding from the U.S. Department of Education — which includes every public school district in Washington state and most private institutions.
FERPA governs “education records,” defined as records directly related to a student that are maintained by the school or by a party acting on the school’s behalf. This includes:
- Student grades, transcripts, and attendance records
- Disciplinary records
- Special education and IEP documentation
- Health records maintained by the school (note: school health records fall under FERPA, not HIPAA)
- Data stored in student information systems (SIS), learning management systems (LMS), and edtech platforms
The scope is broader than most administrators realize. Any digital system that stores information linked to an identifiable student is likely covered.
What Are the Core IT Requirements Under FERPA?
FERPA does not prescribe specific technical controls the way HIPAA does. Instead, it requires schools to use “reasonable methods” to protect education records. In practice, this means your IT environment must demonstrate:
Access Controls
- Role-based access ensuring that staff can access only the student records they need for a legitimate educational interest
- Unique user accounts for every staff member — no shared logins to the SIS or LMS
- Prompt access revocation when staff leave the district or change roles (the same offboarding discipline required under other frameworks)
- Directory information opt-out mechanisms that are technically enforced, not just documented
Data Protection
- Encryption of student data at rest and in transit, particularly for cloud-hosted systems and portable devices
- Secure backup and recovery procedures for all systems containing education records
- Data minimization — collecting and retaining only the student data necessary for educational purposes
- Secure disposal of education records when retention periods expire
Monitoring and Logging
- Audit logs that track who accessed student records, when, and what they did
- Breach detection capabilities to identify unauthorized access to student data
- Incident response procedures specific to student data breaches
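The access-control and monitoring requirements above come together in a routine audit-log review: each record access is checked against the user's role and roster (legitimate educational interest), against HR separation dates (prompt revocation), and against a simple bulk-access threshold (breach detection). The script below is an added example, not code from the original page or from any SIS vendor; the JSON-lines log format, the usernames, student IDs, roster and separation data are all constructed for illustration, and a real SIS export will have its own schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization data (hypothetical district, not real records).
# A teacher's legitimate educational interest is limited to their roster;
# a counselor's covers every student at the school (students=None).
ROSTER = {
    "jsmith": {"role": "teacher",   "students": {"S1001", "S1002", "S1003"}},
    "mlee":   {"role": "counselor", "students": None},
    "rdoe":   {"role": "teacher",   "students": {"S2001"}},
}
# Separation dates reported by HR; any record activity on or after the date
# means access revocation did not happen promptly.
SEPARATED = {"rdoe": datetime(2024, 3, 1)}

BULK_THRESHOLD = 3                  # distinct students touched ...
BULK_WINDOW = timedelta(minutes=5)  # ... within this window flags bulk access

# Constructed audit log in JSON-lines form (assumed format; your SIS will differ).
SAMPLE_LOG = """\
{"ts": "2024-03-04T08:01:00", "user": "jsmith", "action": "view", "student": "S1001"}
{"ts": "2024-03-04T08:02:00", "user": "jsmith", "action": "view", "student": "S2001"}
{"ts": "2024-03-04T08:03:00", "user": "rdoe", "action": "view", "student": "S2001"}
{"ts": "2024-03-04T09:00:00", "user": "mlee", "action": "view", "student": "S1001"}
{"ts": "2024-03-04T09:01:00", "user": "mlee", "action": "export", "student": "S1002"}
{"ts": "2024-03-04T09:02:00", "user": "mlee", "action": "export", "student": "S1003"}
{"ts": "2024-03-04T09:03:00", "user": "mlee", "action": "export", "student": "S2001"}
{"ts": "2024-03-04T10:00:00", "user": "unknown", "action": "view", "student": "S1001"}
"""


def parse_log(text):
    """Parse JSON-lines audit records, convert timestamps, and sort by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def _finding(kind, event):
    return {"kind": kind, "user": event["user"],
            "student": event["student"], "ts": event["ts"]}


def review(events):
    """Return findings: accesses outside the user's roster, by unknown or
    separated accounts, and bulk access bursts (flagged once per user)."""
    findings = []
    recent = defaultdict(list)  # user -> [(ts, student)] inside the bulk window
    bulk_flagged = set()
    for e in events:
        user, student, ts = e["user"], e["student"], e["ts"]
        entry = ROSTER.get(user)
        if entry is None:
            findings.append(_finding("unknown_account", e))
        elif entry["students"] is not None and student not in entry["students"]:
            findings.append(_finding("outside_roster", e))
        if user in SEPARATED and ts >= SEPARATED[user]:
            findings.append(_finding("separated_account", e))
        # Sliding window of this user's recent accesses for bulk detection.
        window = [(t, s) for t, s in recent[user] if ts - t <= BULK_WINDOW]
        window.append((ts, student))
        recent[user] = window
        if len({s for _, s in window}) >= BULK_THRESHOLD and user not in bulk_flagged:
            bulk_flagged.add(user)
            findings.append(_finding("bulk_access", e))
    return findings


def review_log(text):
    return review(parse_log(text))


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f['ts']:%Y-%m-%d %H:%M} {f['kind']:<18} "
              f"user={f['user']} student={f['student']}")
```

Run against the constructed log, the review surfaces four findings: a teacher viewing a student outside their roster, a separated employee still active, a counselor exporting several students' records in a few minutes, and an account with no roster entry at all. The roster and separation data would normally come from the SIS and HR exports rather than being embedded as constants.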
How Does Washington State Law Expand on FERPA?
Washington state adds requirements beyond federal FERPA through the Student User Privacy in Education Rights Act (SUPER Act, RCW 28A.604) and related state policies:
- Operator obligations. Technology providers that collect student data through school-directed use are prohibited from using that data for non-educational purposes, including targeted advertising.
- Transparency requirements. School districts must maintain a publicly accessible list of the digital tools and platforms they use that collect student data.
- Data governance policies. Washington’s Office of Superintendent of Public Instruction (OSPI) requires districts to adopt data governance policies that address collection, use, storage, and destruction of student data.
- The Student Data Privacy Consortium agreements. Many Washington districts use the National Student Data Privacy Agreement (SDPA) to standardize vendor contracts, ensuring consistent FERPA-aligned data protection terms.
What Are the Biggest IT Compliance Risks for Washington School Districts?
Based on our experience working with school districts in Western Washington, these are the most common compliance risks:
Unvetted Edtech Tools
Teachers adopt free or freemium tools without IT or procurement review. Each of these tools potentially collects student data without a proper data privacy agreement in place. A single teacher signing up for a classroom app with student names and email addresses can create a FERPA exposure.
Mitigation: Implement an edtech vetting and approval process. No tool that collects student data should be used without a signed data privacy agreement and IT security review.
Inadequate Vendor Management
Districts sign contracts with technology vendors that lack FERPA-required provisions. Vendors that access student data must contractually agree to:
- Use data only for the purposes specified by the district
- Not disclose data to third parties without authorization
- Return or destroy data when the contract ends
- Maintain reasonable security measures
Staff Access That Outlives Their Role
Substitute teachers, student teachers, volunteers, and departing staff frequently retain access to systems containing student records longer than they should. Quarterly access reviews and automated provisioning tied to HR records reduce this risk significantly.
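A quarterly access review is essentially a reconciliation of SIS accounts against the HR roster: employee accounts with no active HR record are revoked, SIS roles that no longer match the HR position are sent for review, non-employee accounts (substitutes, volunteers) are revoked once their expiry passes or if none was set, and accounts unused for a quarter are disabled. The following is an added example, not the page's or any vendor's code; the CSV layouts, usernames, the review date, the position-to-role mapping and the 90-day staleness threshold are all constructed assumptions.

```python
import csv
import io
from datetime import date

REVIEW_DATE = date(2024, 4, 1)  # assumed date of this quarterly review
STALE_DAYS = 90                 # a full quarter without a login

# Constructed HR export: one row per employee with current status and position.
HR_EXPORT = """\
employee_id,username,status,position
E100,jsmith,active,Teacher
E101,mlee,active,Counselor
E102,rdoe,separated,Teacher
E103,kpatel,active,Office Staff
"""

# Constructed SIS account export: role granted in the SIS, an expiry date for
# non-employee accounts (substitutes, volunteers), and last login.
SIS_ACCOUNTS = """\
username,sis_role,account_type,expires,last_login
jsmith,Teacher,employee,,2024-03-28
mlee,Counselor,employee,,2024-03-30
rdoe,Teacher,employee,,2024-03-15
kpatel,Administrator,employee,,2024-03-29
vol01,Teacher,volunteer,2024-02-15,2024-03-20
sub07,Teacher,substitute,2024-06-30,2023-11-01
"""

# Hypothetical mapping from HR position to the SIS role that position justifies.
POSITION_TO_ROLE = {"Teacher": "Teacher", "Counselor": "Counselor",
                    "Office Staff": "Clerk"}


def load(csv_text):
    """Read a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def access_review(hr_text, sis_text, today=REVIEW_DATE):
    """Return (username, action, reason) tuples for the review cycle.

    Actions: 'revoke' (no justification for the account to exist),
    'review_role' (account exists but its SIS role exceeds or differs from
    the HR position), 'disable_stale' (unused for more than STALE_DAYS)."""
    hr = {row["username"]: row for row in load(hr_text)}
    actions = []
    for acct in load(sis_text):
        user = acct["username"]
        if acct["account_type"] == "employee":
            rec = hr.get(user)
            if rec is None or rec["status"] != "active":
                actions.append((user, "revoke", "no active HR record"))
                continue
            expected = POSITION_TO_ROLE.get(rec["position"])
            if acct["sis_role"] != expected:
                actions.append((user, "review_role",
                                f"SIS role {acct['sis_role']} vs HR position {rec['position']}"))
        else:
            exp = date.fromisoformat(acct["expires"]) if acct["expires"] else None
            if exp is None or exp < today:
                actions.append((user, "revoke", "non-employee account expired or has no expiry"))
                continue
        last = date.fromisoformat(acct["last_login"]) if acct["last_login"] else None
        if last is None or (today - last).days > STALE_DAYS:
            actions.append((user, "disable_stale", f"last login {acct['last_login'] or 'never'}"))
    return actions


if __name__ == "__main__":
    for user, action, reason in access_review(HR_EXPORT, SIS_ACCOUNTS):
        print(f"{user:<8} {action:<14} {reason}")
```

The same reconciliation, run on every HR change rather than quarterly, is the automated provisioning the paragraph above refers to; the quarterly run then catches whatever the event-driven path missed, such as non-employee accounts that never had an HR record.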
Personal Devices Without Controls
Staff accessing student information systems from personal devices without mobile device management (MDM), or at minimum enforced multi-factor authentication, create data exposure risks that fall short of FERPA’s “reasonable methods” standard.
How Should School Districts Approach FERPA IT Compliance?
A practical FERPA IT compliance program for Washington school districts should include:
- Maintain a complete data inventory. Know every system that stores student data, who has access, and what vendor agreements are in place.
- Implement role-based access controls across all student information systems, with quarterly reviews.
- Require signed data privacy agreements for every vendor and edtech tool that touches student data.
- Encrypt student data at rest and in transit across all systems and devices.
- Train staff annually on FERPA obligations, including what constitutes an education record and how to handle parent requests.
- Establish an incident response plan specific to student data breaches, including notification procedures required under both FERPA and Washington state law.
- Document everything. Policies, access reviews, vendor agreements, training records, and incident reports must be maintained and accessible for audits.
For districts without dedicated IT security staff, working with a compliance-aware managed IT provider ensures these controls are implemented, monitored, and documented consistently.
ROI Technology Inc. provides FERPA-aligned IT management for school districts across Western Washington. Contact us to assess your student data protection posture.