Student Data Compliance in Alabama: The FERPA Playbook Every School Must Follow to Avoid Breaches and Legal Risk
Subtitle: A practical FERPA + Alabama playbook to protect student data, answer parent requests fast, govern vendors, and handle incidents with confidence.
You collect grades, attendance, discipline notes, special-service plans, and mountains of app-generated data. Parents ask for copies. Vendors want access. Staff need quick guidance. This playbook translates FERPA and Alabama-specific expectations into clear steps you can plug into your daily workflow—so you protect students, reduce risk, and keep learning moving.
What FERPA covers—and how Alabama schools fit
FERPA (Family Educational Rights and Privacy Act) protects “education records”—personally identifiable information (PII) maintained by a school/district or a party acting for it. In K-12, rights belong to the parent/guardian until the student becomes an eligible student (turns 18 or enters postsecondary education). Alabama public schools and districts must follow FERPA, and they also operate under state privacy expectations issued by the Alabama State Department of Education (ALSDE) and local board policies, including rules for data governance, vendor oversight, cybersecurity, and breach response.
- Access & amendment: Parents/eligible students can inspect records and seek correction of inaccurate or misleading information.
- Consent default: The school generally needs written consent to disclose PII unless a FERPA exception applies.
- Directory information: Certain items (e.g., name, grade level) may be disclosed without consent if the district publishes a notice and offers an opt-out.
- Exceptions to consent: School officials with legitimate educational interest, transfer schools, financial aid, audits/evaluations, studies, health/safety emergency, court orders, etc.
Alabama overlay: what to keep in view
Alabama districts typically adopt board policies and ALSDE guidance that require: (1) a written data governance program, (2) vendor contracts with strict student-data terms, (3) clear security controls (access, encryption, training), and (4) incident procedures aligned with state breach-notification expectations. Many districts also maintain directory-information catalogs and model parent notices approved by counsel. Treat these as your “local law of the land.”
- Exports from SIS/LMS (CSV, PDF) sent by email
- App integrations with third-party ed-tech vendors
- Notes or attachments inside discipline and counseling systems
- Unstructured shares in Google/Microsoft drives
Use your own ticketing data to prioritize staffing and automation.
Deep dive: FERPA rules, Alabama practices, and gray areas
Directory information (DI)
DI might include name, address, telephone, email, photograph, participation in activities, and similar items. A district must publish its DI list, explain intended uses, and give a reasonable opt-out window. In Alabama, districts commonly provide DI notices at registration and post them online; coaches/yearbook staffs rely on DI to publish rosters and highlights. If a family opts out, DI cannot be released except under another FERPA exception.
School officials & legitimate educational interest
Teachers, counselors, principals, IT staff, SROs, and contractors performing institutional services may access PII if their duties require it. Districts should define “school official” in policy and ensure vendors only receive the minimum necessary to support the contract’s stated purpose.
Studies & audit/evaluation exceptions
FERPA allows sharing PII without consent to organizations conducting studies for the school (improve instruction, validate predictive tests) or to authorized representatives for audits/evaluations. Both exceptions require written agreements that limit use, prohibit re-disclosure, and demand destruction at project end.
Health/safety emergency
Disclosures are permitted when knowledge of the information is necessary to protect the health or safety of the student or others. Document what was shared, with whom, when, and why. Alabama districts typically route these decisions through the superintendent, principal, or designee using a short incident form.
HIPAA vs. FERPA
School health records maintained by a school (or a party acting for the school) are usually FERPA records, not HIPAA “covered entity” records. If a school-based clinic is run by an external health provider, HIPAA may govern the provider’s records—but FERPA covers the education record copy kept by the school.
- Ed-tech clickwraps: Students/teachers should not “accept” terms that transfer student data rights; IT/legal must approve.
- AI tools: Prohibit training on student PII and require no data retention unless your DPA expressly permits it.
- School resource officers: Clarify their status as “school officials” under policy and limit access to what’s necessary.
- Transcripts & dual enrollment: Coordinate between K-12 and postsecondary on FERPA roles and consent flows.
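As an added illustration (not part of the original playbook or any district's code), the consent default, directory-information rule, eligible-student transition, and exception conditions above expressed as a default-deny decision function; the data model, field names and exception labels are assumptions made for this example, not a real SIS schema or ALSDE vocabulary.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple
# Constructed data model for this example; field names are assumptions, not a real SIS schema.
DIRECTORY_ITEMS = {"name", "grade_level", "activities", "awards", "photo"}
NEEDS_AGREEMENT = {"study", "audit_evaluation"}  # written agreement required for these two
EXCEPTIONS = NEEDS_AGREEMENT | {"school_official", "transfer", "health_safety", "court_order"}

@dataclass
class Student:
    student_id: str
    birthdate: date
    di_opt_out: bool = False     # family returned the directory-information opt-out form
    postsecondary: bool = False  # already enrolled in a postsecondary institution

@dataclass
class Request:
    requester: str
    items: frozenset                        # data elements requested
    purpose: str
    consent_from: Optional[str] = None      # "parent" or "student" if written consent is on file
    exception: Optional[str] = None         # FERPA exception claimed, if any
    legitimate_interest: bool = False       # applies to school officials
    written_agreement: bool = False         # applies to studies and audits/evaluations

def rights_holder(student: Student, today: date) -> str:
    """The parent holds the rights until the student turns 18 or enters postsecondary education."""
    age = today.year - student.birthdate.year
    if (today.month, today.day) < (student.birthdate.month, student.birthdate.day):
        age -= 1
    return "student" if age >= 18 or student.postsecondary else "parent"

def decide(student: Student, req: Request, today: date, di_notice_published: bool = True) -> Tuple[bool, str]:
    """Default deny: allow only with the rights holder's consent or a valid exception; log the returned basis."""
    holder = rights_holder(student, today)
    if req.consent_from is not None:
        if req.consent_from == holder:
            return True, f"written consent from {holder}"
        return False, f"consent signed by {req.consent_from}, but the rights holder is the {holder}"
    if req.exception is None:
        if req.items <= DIRECTORY_ITEMS and di_notice_published and not student.di_opt_out:
            return True, "directory information: notice published, no opt-out on file"
        return False, "no consent and no exception; non-DI items requested or family opted out"
    if req.exception not in EXCEPTIONS:
        return False, f"unrecognized exception '{req.exception}'"
    if req.exception == "school_official" and not req.legitimate_interest:
        return False, "school official without a legitimate educational interest"
    if req.exception in NEEDS_AGREEMENT and not req.written_agreement:
        return False, f"{req.exception} requires a written agreement limiting use, re-disclosure and retention"
    return True, f"FERPA exception: {req.exception} (an opt-out does not block another exception)"
```

The returned basis string is what belongs in the disclosure record alongside who received the data, which items, and when.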
From policy to practice: a step-by-step operational playbook
1) Governance & inventory
- Create a data map of SIS, LMS, assessment platforms, counseling, transportation, cafeteria, special services, and app add-ons.
- Tag systems with FERPA roles (controller/processor analogy), record data elements, and document who can access what.
- Publish a Parent Rights Notice covering access, amendment, directory information, and complaint channels.
2) Vendor intake & contracts
- Run a privacy review (data elements, purpose, retention, re-disclosure, sub-processors, hosting location, de-identification).
- Use a Data Processing Addendum (DPA) that: limits use to educational purposes; bans targeted advertising; prohibits selling student data; requires breach notice; mandates secure deletion at term end; and allows audits.
- Keep a public vendor registry so families know who handles student data.
3) Access control & security
- MFA for staff; SSO for students; least-privilege roles with quarterly reviews.
- Encrypt at rest and in transit; block external sharing by default in drives; log downloads/exports.
- Train staff annually on phishing, sharing rules, directory opt-outs, and incident reporting.
4) Parent/eligible-student requests
- Provide access within a reasonable period (e.g., ≤ 45 days) and before any relevant meeting/hearing.
- Verify identity; avoid emailing full records unencrypted; offer secure portal pickup or in-person review.
- For amendment requests, log the claim, review accuracy, and if denied, offer a hearing per policy.
5) Transfers & special cases
- When a student moves, send records to the new school under the transfer exception; notify parents if your policy requires.
- For subpoenas/court orders, consult counsel; disclose only what’s ordered; document and, where permitted, notify the parent.
6) Incidents & breach response
- Define “incident” (loss, unauthorized access, misdirected email, compromised account).
- Contain, investigate, and perform a risk assessment (what data, whose data, whether actually accessed).
- Follow district/ALSDE guidance for notifications and law-enforcement coordination; obtain vendor reports and deletion attestations.
| Task | Owner | Evidence | Frequency |
|---|---|---|---|
| Directory-information notice & opt-out | Registrar/Comms | Posted notice; opt-out list | Annual |
| Vendor DPA & privacy review | IT + Legal | Signed DPA; risk memo | Onboarding/renewal |
| Access review (staff & SROs) | HR + IT | Role matrix; tickets | Quarterly |
| Incident drill & response review | Security + Comms | Drill log; after-action | Semiannual |
Examples & quick templates
Parent access acknowledgement
We received your request to inspect education records for {Student}.
Please bring ID on {Date/Time}. You may review records in {Location}.
If copies are needed, the cost is {Amount} per page unless the fee prevents access.
Directory-information notice (excerpt)
Our district may disclose "directory information" (e.g., name, grade, activities, awards)
without prior consent for school publications and media.
If you do not want your student’s directory information released, return the opt-out form by {Date}.
Vendor DPA clause (excerpt)
Vendor will use Student PII solely to provide services to the District;
will not sell or use for targeted advertising; will implement industry-standard security;
will notify District of any incident within {X} hours; and will delete/return all Student PII
within {Y} days of contract termination, certifying destruction.
Common mistakes to avoid
- Assuming apps with “school” branding are automatically FERPA-compliant without a DPA.
- Publishing photos or rosters after a family filed a directory-information opt-out.
- Emailing full reports with PII to personal addresses or unencrypted recipients.
- Letting vendors retain student data after contract end—no deletion certificate.
- Ignoring eligible student status at age 18/postsecondary entry.
- Confusing HIPAA with FERPA in nurse or counseling workflows.
Conclusion
Protecting student data in Alabama means mastering FERPA’s core rules and operationalizing your state/district practices. Publish a clear directory-information program, tighten vendor contracts, train staff on consent and exceptions, and rehearse incidents before they happen. With the checklists and templates above, you can answer requests quickly, support instruction, and keep families’ trust while minimizing legal risk.
Quick guide
- Scope: FERPA protects student education records (PII maintained by a school/district or its agent). Parents hold rights until the student turns 18 or enters postsecondary.
- Default rule: Written consent is required to disclose PII unless a FERPA exception applies (school officials, transfer, studies, audit/evaluation, health/safety emergency, court order, etc.).
- Directory Information (DI): May be released without consent only if the district publishes a DI list/notice and offers an opt-out.
- Alabama overlay: Follow ALSDE/local board policies on data governance, vendor DPAs, breach procedures, access controls, and staff training.
- Vendors: Treat ed-tech providers as “school officials” by contract with limits on use, re-disclosure, security, and deletion.
- Security: Role-based access, MFA, encryption, restricted sharing, and retention/deletion schedules for records and exports.
- Parent requests: Provide access within a reasonable time (≤45 days typical), verify identity, log what was provided, and offer amendment/hearing if disputed.
FAQ
What counts as an “education record” under FERPA?
Any record directly related to a student and maintained by the school/district or a party acting for it (SIS, LMS, assessments, counseling notes kept in the system, etc.).
Who can access records without parent consent?
“School officials” with legitimate educational interest, including contractors under a compliant agreement limiting use and re-disclosure.
How do we use Directory Information in Alabama?
Publish a DI list/notice annually and provide an opt-out window. If a family opts out, do not release DI except via another FERPA exception.
Are nurse and counseling records FERPA or HIPAA?
Records maintained by the school are generally FERPA records. External clinic providers may be HIPAA-covered, but the school’s copy remains FERPA-governed.
What if a parent requests copies of all records?
Verify identity; provide inspection within the timeframe; supply copies if failure to do so would effectively deny access; redact other students’ PII.
When can we disclose in an emergency?
When necessary to protect the health/safety of the student or others. Share only what is needed and document who, what, when, and why.
What must Alabama districts put in vendor contracts?
Purpose limitation, prohibition on selling/ads, security controls, breach notice, sub-processor controls, data-minimization, and certified deletion at end of term.
Legal reference base
- FERPA statute: 20 U.S.C. § 1232g (Family Educational Rights and Privacy Act).
- FERPA regulations: 34 C.F.R. Part 99 (definitions, consent exceptions, DI, complaint process).
- Studies & audit/evaluation exceptions: 34 C.F.R. §§ 99.31(a)(6), 99.31(a)(3); written agreements required with use, re-disclosure, and destruction limits.
- Health/safety emergency: 34 C.F.R. § 99.36; document rationale and recipients.
- Alabama practice: Follow ALSDE/local board policies on student data governance, vendor DPAs, incident response, and record management.
Final considerations
A strong Alabama playbook marries FERPA’s rules with your district policies. Publish your DI notice and opt-out, map systems and vendors, limit access by role, encrypt data and exports, and rehearse incidents. Build templates for parent requests and vendor DPAs so responses are fast, consistent, and well-documented.
This content is educational and not legal advice. Policies and facts vary—consult your district counsel or ALSDE guidance for decisions on specific requests, disclosures, or incidents.
