FERPA SOP Documentation: How Schools and Edtech Teams Protect Student Data

FERPA (the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g) protects the privacy of student education records at institutions that receive federal funding. Unlike PCI-DSS or HIPAA, FERPA doesn't publish a prescriptive list of required SOPs — but the Department of Education expects institutions to have written procedures governing record access, disclosure, breach response, and retention. This guide covers what those procedures need to say, where student data most often appears in workflow documentation, and how to document educational workflows safely.

What FERPA Requires in Writing

FERPA's written requirements are less explicit than HIPAA's, but three categories consistently come up in Department of Education guidance and investigation findings:

• →Annual notification of rights. Institutions must annually notify students (or parents of minor students) of their FERPA rights. The procedure for drafting, distributing, and documenting that notification needs to be written down.
• →Directory information policy. If the institution designates directory information, there must be a written procedure for the opt-out process — how students opt out, how opt-outs are recorded in the student information system, and how disclosures are screened against opt-out lists.
• →Legitimate educational interest definition. Before disclosing records to school officials, the institution must define what constitutes legitimate educational interest. This definition must be in the annual notification and must be consistently applied.

The Six FERPA SOPs Every Institution Should Have

• →Annual rights notification. Who drafts it, what channels it's distributed through, and how distribution is documented each year.
• →Directory information designation and opt-out. The step-by-step process for a student to opt out of directory information disclosure, how the opt-out is recorded in the SIS, and the 45-day response window.
• →Third-party disclosure request handling. How staff evaluate a request to disclose education records — which exceptions apply (subpoena, health and safety emergency, school official exception), who has authority to approve, and how the disclosure is logged.
• →Records access request procedure. FERPA gives students the right to inspect their records within 45 days. The SOP must cover how requests are received, verified, fulfilled, and logged.
• →Breach and unauthorized disclosure response. What counts as a FERPA violation, who is notified, and how remediation is documented. FERPA doesn't have a mandatory breach notification window, but the Department of Education can investigate complaints.
• →Records retention and destruction. How long each category of education record is retained, and the procedure for secure destruction when the retention period expires.

Where Student Data Appears in Workflow Documentation

Registrar offices, financial aid teams, and edtech administrators frequently need to document workflows in systems like Banner, PeopleSoft, Canvas, or Blackboard. These workflows are some of the most important SOPs an institution can have — onboarding new staff, cross-training during turnover, and ensuring consistent application of policies all depend on clear, accurate procedure documentation.

The risk: these systems display student names, ID numbers, grades, enrollment status, and financial aid details. Any screen recording that captures these details produces a document containing education records — which is itself subject to FERPA protections. The SOP becomes a FERPA-covered record that must be access-controlled, retained according to the institution's records schedule, and potentially disclosed if a student requests their records.

Most edtech teams don't think of their SOP documentation as education records. But if the document contains individually identifiable student information, FERPA covers it.

Safe Workflow Documentation for Edtech and Registrar Teams

The solution is to document workflows using test accounts with synthetic data, or to use a recorder that automatically redacts student-identifiable information before it's stored. For FERPA-compliant SOP documentation, look for:

• →Local-only storage. If the recording tool transmits workflow data to a third-party server, that server's vendor becomes a party with access to education records — requiring evaluation as a "school official" under FERPA or a separate data agreement.
• →Field-level redaction. Sensitive field patterns (SSNs, numeric IDs in certain formats) should be caught before storage.
• →Configurable retention. The institution should be able to set auto-deletion schedules for recorded workflows that align with the institution's records retention policy.

Claudia stores all recordings locally on the device. No workflow or recording data leaves the device. (License activation sends a device identifier and license key to Claudia's server, but this is separate from any recorded workflow content.) Explicit consent is obtained before every session, and configurable auto-deletion (30 to 365 days) lets institutions align recording retention with their own schedules. Because no data is transmitted externally, Claudia does not need to be evaluated as a third-party processor of education records.

FERPA and Third-Party Edtech Vendors

Under FERPA's school official exception (34 CFR 99.31(a)(1)), an institution can disclose education records to a third-party vendor without student consent if the vendor performs a service that the institution would otherwise perform itself, is under the institution's direct control with respect to use and maintenance of education records, and is subject to FERPA's requirements. Most institutions satisfy this through a Data Processing Agreement (DPA) that specifies permitted uses, security requirements, and data deletion obligations. Any documentation tool that receives student data should be evaluated under this framework. Tools where no student data leaves the device bypass the need for this evaluation entirely.

This article is for informational purposes only and does not constitute legal advice. Consult your compliance team or legal counsel to evaluate how Claudia fits within your organization's specific regulatory obligations.

Related: HIPAA SOP Documentation  ·  GDPR SOP Documentation  ·  CCPA SOP Compliance