FERPA Compliant File Sharing for Schools and Universities

The Family Educational Rights and Privacy Act protects student education records with teeth: schools that violate FERPA risk losing all federal funding. Yet every day, teachers email spreadsheets of student grades, administrators share discipline records through consumer file sharing apps, and counselors send sensitive documents through platforms that were never designed for educational data. This guide explains what FERPA requires, where schools commonly fail, and how to build a compliant file sharing workflow without destroying productivity.

FERPA Basics for IT Administrators

FERPA (20 U.S.C. 1232g) applies to all educational institutions that receive federal funding, which includes virtually every public K-12 school and most colleges and universities. The law gives parents (and students over 18) control over who can access education records, and it imposes strict requirements on how schools handle, store, and share those records.

For IT administrators, the key FERPA provisions are:

• Consent requirement: Schools generally cannot disclose personally identifiable information (PII) from education records without written consent from the parent or eligible student, with specific exceptions for school officials with legitimate educational interest.
• School official exception: Schools can share records with school officials (including teachers, administrators, and contractors) who have a "legitimate educational interest" without consent. However, the school must define who qualifies as a school official and what constitutes legitimate interest in its annual FERPA notification.
• Vendor exception: Third-party vendors can access student data if they perform an institutional function, are under the school's direct control regarding data use, and are subject to the same FERPA restrictions as school employees. This is why vendor agreements (DPAs) matter.
• Security safeguard requirement: While FERPA does not prescribe specific technical controls (unlike HIPAA), it requires schools to "use reasonable methods" to ensure that school officials access only records in which they have legitimate educational interest.

The enforcement mechanism is what makes FERPA serious: the U.S. Department of Education can terminate all federal funding to an institution that has a "policy or practice" of violating FERPA. For a typical school district, federal funding represents 8-15% of total revenue. For universities, the loss of Title IV (Pell Grants, student loans) would be existential.

What Counts as Protected Student Data

FERPA protects "education records," defined as records directly related to a student that are maintained by the school or a party acting for the school. In the context of file sharing, this includes:

• Academic records: Grades, transcripts, class schedules, GPA calculations, academic probation status, honor roll lists
• Enrollment information: Student ID numbers, enrollment status, dates of attendance, degree programs
• Financial records: Financial aid applications, scholarship awards, tuition payment records, account balances
• Discipline records: Behavioral reports, suspension and expulsion records, incident reports
• Special education records: IEP (Individualized Education Program) documents, 504 plans, evaluation reports, related service records
• Health records: When maintained by the school (rather than a healthcare provider), immunization records, nurse visit logs, and health screenings
• Personally identifiable information: Student name combined with any other identifying information like address, date of birth, parent names, Social Security number, or student ID

A critical nuance: directory information (name, address, phone number, dates of attendance, degrees received) can be disclosed without consent unless the student has opted out. However, this exception does not apply to file sharing of academic or discipline records. And even directory information requires the school to give families the opportunity to restrict disclosure.

Common FERPA Violations in File Sharing

These are the file sharing practices that most frequently result in FERPA complaints and Department of Education investigations:

1. Emailing Spreadsheets with Student Data

The most common violation is the simplest: a teacher or administrator emails a spreadsheet containing student names, grades, or other PII. Once that email is sent, the data exists in the sender's outbox, the recipient's inbox, any email server backup, the email provider's systems, and potentially in forwarded copies the sender cannot track. If the recipient is not a school official with legitimate educational interest, this is a FERPA violation. Even if the recipient is authorized, unencrypted email transmission of student data violates the "reasonable methods" safeguard requirement in most interpretations.

2. Using Consumer Cloud Storage

Teachers uploading student data to personal Dropbox, Google Drive (consumer version), or iCloud accounts is a FERPA violation. These consumer services are not covered by the school's data processing agreements. The data is stored on servers controlled by a third party with no contractual obligation to protect it under FERPA. Even if the teacher intends to keep the data private, sharing settings can be misconfigured, accounts can be compromised, and consumer services can use the data for advertising or analytics.

3. Sharing Links with "Anyone with the Link" Access

Google Drive and similar platforms default to restricted sharing, but many users change the sharing setting to "Anyone with the link" for convenience. A single document containing student grades, shared with "anyone with the link," is technically accessible to anyone on the internet who discovers or guesses the URL. Search engine indexing, link preview crawlers, and URL shortener analytics can all expose these links.

4. Posting Grades Publicly

Posting grades by student name, student ID, or Social Security number in a publicly visible location (physical bulletin board, course website, LMS public page) is a straightforward FERPA violation. Even posting grades by the last four digits of a Social Security number is prohibited because the SSN is personally identifiable information. Some institutions have been investigated for posting grades by student ID when the institution also uses the student ID in other public contexts.

5. Inadequate Vendor Agreements

Using a file sharing tool without a signed Data Processing Agreement (DPA) or similar contract that addresses FERPA requirements is a violation. The vendor must contractually agree to use data only for the purposes the school authorizes, protect data with appropriate safeguards, return or destroy data when the relationship ends, and not re-disclose data to third parties.

Approved File Sharing Methods for Education

Not every file sharing method is appropriate for student data. Here is what works and what does not:

Learning Management Systems (LMS)

Canvas, Blackboard, Moodle, and Schoology are designed for educational data and typically include FERPA-compliant configurations. Grades should be shared through the LMS gradebook, not via email or file attachments. Most LMS platforms offer FERPA-compliant assignment submission, grade distribution, and course messaging. Ensure your LMS vendor has signed a DPA and that the platform is configured to restrict data access to authorized users only.

Student Information Systems (SIS)

PowerSchool, Infinite Campus, Skyward, and similar SIS platforms are purpose-built for managing student records with role-based access controls. These systems maintain audit trails of who accessed what data and when, which is essential for FERPA compliance. Use the SIS as the system of record for student data, and resist the temptation to export data to spreadsheets for "convenience."

Enterprise File Sharing with DPA

Google Workspace for Education, Microsoft 365 Education, and Box for Education all offer FERPA-compliant configurations with signed DPAs. The key requirements are: use the Education edition (not consumer), sign the vendor's DPA, configure sharing defaults to restrict external access, disable third-party app access to files containing student data, and train staff on proper sharing practices.

Encrypted Ephemeral Sharing

For ad-hoc sharing that does not fit the LMS or SIS workflow (such as sharing a student record with a therapist, a transfer school, or a legal representative), encrypted ephemeral sharing provides a FERPA-compatible option. The data is encrypted before it leaves the sender's device, the link expires after viewing, and no persistent copy remains on the sharing platform. This eliminates the two primary FERPA risks in file sharing: unauthorized access and indefinite data retention.

Vendor Evaluation Checklist

Before adopting any file sharing tool for student data, evaluate it against these criteria:

1. Data Processing Agreement: Will the vendor sign a DPA that addresses FERPA requirements? Does it specify that data is used only for the school's purposes?
2. Data location: Where is the data stored? Is it within the United States? Some state laws (California, New York, Illinois) have additional student data privacy requirements that limit international data transfer.
3. Encryption: Is data encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent)? Does the vendor offer zero-knowledge encryption where they cannot access the plaintext data?
4. Access controls: Does the platform support role-based access? Can you restrict access to specific users or groups? Can you set file-level permissions?
5. Audit logging: Does the platform log who accessed what data and when? Can you export these logs for compliance reporting? How long are logs retained?
6. Data retention and deletion: What is the vendor's data retention policy? Can you delete data on demand? Is deletion verified (not just soft-deleted)?
7. Breach notification: Does the vendor commit to notifying the school within a specific timeframe (48-72 hours) if a breach occurs?
8. Subprocessors: Does the vendor use subprocessors (sub-contractors) who may access student data? Are those subprocessors disclosed and subject to the same restrictions?
9. Data portability: Can you export all data in a standard format when the contract ends?
10. Insurance: Does the vendor carry cyber liability insurance sufficient to cover breach notification costs?

The Student Data Privacy Consortium (SDPC) maintains the National Data Privacy Agreement (NDPA), a standardized DPA template adopted by most states. Check whether your vendor has signed the NDPA for your state before drafting a custom agreement.

Free vs Paid Solutions Compared

Schools operate on tight budgets, and the temptation to use free tools is strong. Here is how free and paid options compare for FERPA compliance:

Free Options

• Google Workspace for Education Fundamentals: Free, FERPA-eligible with signed DPA. Includes Drive, Docs, Gmail, and Classroom. Adequate for most K-12 sharing needs. Limitation: 15 GB storage per user, limited admin controls compared to paid editions.
• Microsoft 365 Education A1: Free, includes Teams, OneDrive, SharePoint, and Office Online. Microsoft signs a DPA for education customers. Limitation: web-only Office apps, 1 TB OneDrive storage.
• SecureBin (free tier): Zero-knowledge encrypted sharing with self-destructing links. No vendor access to data. Useful for ad-hoc secure sharing when LMS/SIS channels are not appropriate. No DPA needed because no student data is stored (zero-knowledge, auto-expiring).

Paid Options

• Google Workspace for Education Plus ($5/student/year): Adds advanced security features, security investigation tool, enhanced audit logging, and data loss prevention (DLP) rules that can detect and block sharing of sensitive data patterns like SSNs.
• Microsoft 365 A3/A5 ($2.50-6/user/month): Adds Information Rights Management (IRM), sensitivity labels, DLP policies, and advanced audit. A5 includes Compliance Manager for tracking FERPA controls.
• Box for Education ($5/user/month): Purpose-built secure file sharing with granular permissions, watermarking, download tracking, and FERPA-compliant DPA. Strong admin controls and external sharing restrictions.
• Tresorit for Education ($12/user/month): Zero-knowledge encryption, end-to-end encrypted file sharing, Swiss data protection. Highest security but most expensive.

For most school districts, Google Workspace for Education Fundamentals or Microsoft 365 A1 provides adequate FERPA-compliant file sharing at no cost. The paid tiers add DLP (which helps prevent accidental data leaks) and advanced audit logging (which simplifies compliance reporting), but they are not strictly necessary for FERPA compliance.

Building a FERPA Compliance Plan

Technical tools alone do not achieve FERPA compliance. You need a comprehensive plan that addresses people, processes, and technology:

Step 1: Data Inventory

Catalog every system that contains student data. This includes your SIS, LMS, email system, file sharing platforms, assessment tools, library systems, and any third-party apps teachers use. For each system, document what student data it contains, who has access, and whether a DPA is in place. This inventory is your baseline.

Step 2: Access Review

Audit who has access to student data and whether that access is justified by legitimate educational interest. In practice, you will find that former employees still have access, teachers have access to students they no longer teach, and administrative staff have broader access than their role requires. Tighten permissions to the minimum necessary.

Step 3: Approved Tools Policy

Publish a clear policy that specifies which tools are approved for student data and which are explicitly prohibited. Be specific: "Student grades may be shared through Canvas Gradebook or PowerSchool. Student grades must not be shared via email, text message, personal Google Drive, Dropbox, Slack, or any platform not on the approved list." Make the approved path easier than the prohibited path, or people will find workarounds.

Step 4: Training

Train all staff who handle student data at least annually. Training should cover: what constitutes an education record, what the consent requirements are, which tools are approved, how to handle requests for student data, and how to report a potential FERPA breach. Make the training specific and practical, not generic compliance videos that nobody remembers.

Step 5: Incident Response

Define what happens when student data is shared improperly. Your incident response plan should include: who to notify (FERPA Officer, IT security, legal counsel), how to contain the exposure (revoke sharing links, delete forwarded emails, disable compromised accounts), how to assess the scope of the breach, and how to notify affected families if required. While FERPA does not require breach notification (unlike HIPAA), many state student privacy laws do, and notification is considered best practice regardless.

Step 6: Ongoing Monitoring

Use your platforms' audit logs to monitor for risky sharing behavior. Set up alerts for: files containing student data shared externally, bulk downloads of student records, access from unusual locations or devices, and changes to sharing permissions on files containing protected data. If your budget allows, a Cloud Access Security Broker (CASB) can automate this monitoring across multiple platforms.

Frequently Asked Questions

Is Google Drive FERPA compliant for schools?

Google Workspace for Education can be FERPA compliant, but only if your school has signed Google's Data Processing Amendment (DPA). The free consumer version of Google Drive is NOT FERPA compliant. Schools must use the Education edition, configure sharing settings to restrict external access, disable third-party app access to Drive files, and train staff on proper sharing practices. Google will sign a FERPA-compliant agreement, but the school remains responsible for how staff and students use the platform.

What are the penalties for FERPA violations?

FERPA violations can result in the loss of all federal funding, which for most schools represents 8-15% of their total budget. The Department of Education's Family Policy Compliance Office (FPCO) investigates complaints and can issue findings against institutions. While there is no direct monetary fine per violation, the threat of losing Title I, Title IV, IDEA, and Pell Grant funding makes FERPA one of the highest-stakes compliance requirements for educational institutions. Individual employees are not personally fined under FERPA, but institutions may face state-level lawsuits from affected families under state student privacy laws.

Can teachers share student grades via email?

Emailing student grades to parents or guardians is permitted under FERPA if the school verifies the recipient's identity and the email is sent only to the parent or eligible student. However, emailing grades to other students, posting them publicly, or sending them to the wrong recipient constitutes a FERPA violation. Best practice is to use a secure student information system (SIS) or learning management system (LMS) where parents log in to view grades, rather than transmitting grades via email where they persist indefinitely and can be forwarded. If email is unavoidable, consider using encrypted text that expires after viewing.

Related Articles

Continue reading: HIPAA Compliant File Sharing, SOC 2 Secret Management Requirements, Enterprise Password Sharing Solutions, Zero Trust Credential Sharing.