Student Data Analytics: What’s the FERPA Position?

Student Data Analytics: What’s the FERPA Position?

Jeffrey C. Sun
University of Louisville


May colleges and universities use student data to enhance educational programming and student achievement?  Generally speaking, the answer is yes.

Let us start with a basic refresher on the legal definition of the Family Educational Rights and Privacy Act (FERPA).  FERPA is a federal privacy law protecting student education records.  The law requires postsecondary institutions to provide college students access to their education records and mandates privacy protections of such records.  In particular, the education records of concern are those deemed as personally identifiable information such as a student’s social security number, biometric information (e.g., fingerprints, voice prints, retina and iris patterns), and other identifying information.  The law, while aimed at protecting student privacy, is not as restrictive as some might assert (Sun, 2014).

Recently, FERPA has undergone some regulatory changes.  In 2008 and 2011, the modified regulations made it possible for several uses of student data without student consent.  These permissible uses are intended to enhance educational programming and student achievement.  In this article, I present two instructive examples of these uses: adaptive learning technologies and state longitudinal data systems.

Adaptive Learning Technologies

FERPA allows colleges and universities to use personally identifiable student information without student consent when the university or state system office is using education records for certain educational programming and operational support reasons such as adaptive learning, predictive tests, student aid programs, or instructional improvements.[i]   As more postsecondary institutions engage in efforts of creating learning technologies for instruction and educational support, the questions of privacy become heightened.

Here’s a quick overview of adaptive learning technology.  Adaptive learning technology is typically a software-based tool in which a student undergoes a series of learning modules.  The learning modules cater to the student’s response.  For instance, if an adaptive learning technology is used for math, the program conducts a diagnostic through each lesson and identifies questions or concepts that present barriers for the student to comprehend.  Based on that information, the program presents reinforcement modules or new instructional presentations to address the challenging area.  The technology is a form of artificial intelligence.  Basically, the program adapts to the individual or mediates the learning with a somewhat personalized set of educational modules.

In higher education, adaptive learning technology is a growing learning and intervention tool.  It has been applied in a variety of ways including remedial education, supplemental education, and traditional educational learning settings.  For instance, at Arizona State University, a student who enrolls in an adaptive learning class must master a set of concepts, where the student accumulates and earns badges.  An established number of badges qualify the student to sit through the final exam to demonstrate course proficiency.  As Selingo et al. (2013) report, Arizona State University plans to integrate both an adaptive learning feature and an active learning classroom approach to general education courses.  Much of the traditional lecture portion can be captured through adaptive learning technology along with reinforcement activities.  Further, the active learning classroom supports the integration with problem solving activities.  The legal issue is that the adaptive learning technology is based on a partnership with two for-profit companies, Pearson and Knewton.  These companies serve as third party vendors of Arizona State and include uses of personally identifiable information from education records.

Based on the modifications in 2008 and 2011, FERPA allows this use.  The law, however, is clear that colleges and universities (and any of their approved contractors) must comply with certain requirements on how the data will be used, protected, and eventually destroyed.  Practically speaking, it requires Arizona State University and its vendor to have a clearly written agreement addressing these terms.

State Longitudinal Data Systems (SLDS)

FERPA also permits colleges and universities to use personally identifiable student information without student consent when the university or state system office is using education records to establish its State Longitudinal Data System (SLDS).  Most states have moved forward on building SLDS as these data systems offer great opportunity for policymakers and educators to link information through a statewide source from a P20W perspective.  The “P20” refers to education from early childhood through graduate school, and the “W” is including the workforce.  Thus, states are moving forward to link data of its citizens from cradle to career.

For some, SLDS presents a serious concern about privacy.  Lawsuits and other challenges from groups such as the Electronic Privacy Information Center (EPIC) have questioned the permissibility of these large datasets – particularly questioning the compliance to FERPA (Roternberg & Barnes, 2013).  Yet, FERPA does allow the data usage for SLDS because the law permits authorized governmental representatives to access education records without student consent when such use is for an audit or evaluation of a federal or state program and for the purposes of federal compliance.[ii]   Nonetheless, in many states, the SLDS is being administered by a state agency that is independent of the higher education and public education systems.  That arrangement presents an interesting problem for some institutions.  For instance, Maryland requires all institutions of higher education that operate in Maryland to report personally identifiable information from education records to the Maryland Longitudinal Data System Center, an agency independent of the state educational institutions and systems.  The University of Massachusetts, through online education, was uncertain whether it should disclose the education records of its students in Maryland.  The U.S. Department of Education’s Family Policy Compliance Office explained that the University of Massachusetts may disclose those education records so long as Maryland has mechanisms in place to allow this independent agency to receive the personally identifiable information from education records.  These mechanisms rest largely with the presence of an agreement between the Maryland Higher Education Commission and the Maryland Longitudinal Data System Center.  The agreement is very similar (though not identical) to the provisions discussed above when giving education records to third party vendors for adaptive learning technologies (e.g., how the data will be used, protected, and eventually destroyed).


In conclusion, FERPA is not necessarily a stifling compliance that is archaic and unworkable.  It factors emerging uses of education records such as the growing uses of student data for predictive modeling, adaptive learning technologies, and other system-wide analyses.  For more information about FERPA, please consult the Family Policy Compliance Office.

Finally, I encourage you to read a new book on big data, Building a Smarter University: Big Data, Innovation, and Ingenuity (Lane, 2014).  The book describes and analyzes the transformative use of big data in higher education.

Discussion Questions

  1. How does your institution use education records to enhance educational programming and student achievement?  Does the institution use data from the learning management system (e.g., Blackboard or Desire2Learn)?  In what ways is your institution using that data to track patterns and academically productive behaviors?  Have the data been employed for student learning assessment?
  2. How does your institution ensure privacy of education records?  While FERPA permits uses of education records without expressed consent of students, what steps or protocols are in place to ensure anonymity?  For instance, what are your institution’s disclosure avoidance techniques?  Does your institution discuss efforts of data anonymization, psuedonymization, or data sharing? How can your unit engage in these discussions with your Information Technology Division?
  3. What steps or professional growth opportunities has your institution, particularly the Division of Student Affairs, engaged in to envision how programming data (which is also an education record) and uses of technology may support the institution’s mission and comply with the law?


1.  20 U.S.C. § 1232g(b)(1)(F) (2014); 34 C.F.R. § 99.31(a)(6)(i) (2014).

2.  20 U.S.C. § 1232g(b)(1)(C), 20 U.S.C. § 1232g (b)(3) (2014); 34 C.F.R. § 99.31(a)(3), 34 C.F.R. § 99.35 (2014).


King, D. (2013, Nov. 22). [Letter to Dawna McIntyre]. Retrieved from

Lane, J. E. (Ed.). (2014). Building a smarter university: Big data, innovation, and ingenuity. Albany, NY: SUNY Press.

Rotenberg, M., & Barnes, K. (2013). Amassing student data and dissipating privacy rights. Educause Review, 48(1). Retrieved from

Selingo, J., Carey, K., Pennington, H., Fishman, R., & Palmer, I. (2013). The next generation university. Retrieved from

Sun, J. C. (2014).  Legal issues associated with big data in higher education: Ethical considerations and cautionary tales.  In J. E. Lane (Ed.), Building a smarter university: Big data, innovation, and ingenuity. Albany, NY: SUNY Press.

About the Author

Jeffrey C. Sun, J.D., Ph.D. is a Professor of Higher Education at the University of Louisville.  He teaches and writes about legal issues pertaining to higher education. 

Please email inquiries to Jeffrey C. Sun.


The ideas expressed in this article are not necessarily those of the Developments editorial board or those of ACPA members or the ACPA Governing Board, Leadership, or International Office Staff.

Leave a Reply

Your email address will not be published.