To understand the scope of FERPA, it is necessary to define “student.” According to FERPA, a student is an individual who is enrolled in and actually attends an educational institution. The regulations provide that attendance includes, but is not limited to, attendance in person or by correspondence. Courts have held that individuals who merely audit classes or who are accepted to an educational institution but do not attend any classes are not “students” for purposes of FERPA. Individuals who “attend” classes but are not physically located on a campus are also students, thus including those who attend classes by videoconference, satellite, Internet, or other electronic information and telecommunications technologies.

FERPA prohibits the disclosure of a student’s “protected information” to a third party. This disclosure is prohibited whether it is made by hand delivery, verbally, fax, mail, or electronic transmission. Disclosure also includes the provision of access to the educational institution’s career center database of student resumes.

For purposes of FERPA, a “third party” includes any individual or organization other than the student or the student’s parent(s). With respect to third parties, even if the initial disclosure of protected information is permissible, FERPA limits the subsequent disclosure of the information by the third party. As such, once an educational institution discloses protected information to a third party, it must ensure that the third party does not itself improperly disclose the information in violation of FERPA.