Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) is a US federal law that protects the privacy of students’ education records, including personally identifiable and directory information. FERPA was enacted to ensure that parents and students age 18 and older can access those records, request changes to them, and control the disclosure of information, except in specific and limited cases where FERPA allows for disclosure without consent.

The law applies to schools, school districts, and any other institution that receives funding from the US Department of Education—that is, virtually all public K–12 schools and school districts, as well as most post-secondary institutions, both public and private.

Security is central to compliance with FERPA, which requires the protection of student information from unauthorized disclosures. Educational institutions that use cloud computing need contractual reassurances that a technology vendor will manage sensitive student data appropriately.

FERPA does not require or recognize audits or other certifications, so any academic institution that is subject to FERPA must assess for itself whether and how its use of a cloud service affects its ability to comply with FERPA requirements. However, Microsoft has made the following contractual commitments that attest to its compliance:

  • In its Online Services Terms, Microsoft agrees to be designated as a “school official” with “legitimate educational interests” in customer data as defined under FERPA. (Customer data would include any student records provided through a school’s use of Microsoft cloud services.) When handling student education records, Microsoft agrees to abide by the limitations and requirements imposed by 34 CFR 99.33(a) just as school officials do.
  • Furthermore, Microsoft commits to using customer data only to provide organizations with its cloud services and compatible purposes (such as improving malware detection), and does not mine customer data for advertising.
  • Microsoft also contractually commits not to disclose customer data except as the educational institution directs, as described in the contract, or as required by law. Schools that provide education records to Microsoft through their use of a Microsoft cloud service can thus be assured that those records are subject to stringent contractual restrictions regarding their use and disclosure.

As a result of these contractual commitments, customers that are subject to FERPA—both educational institutions and third parties to whom they give access to sensitive student data—can confidently use in-scope Microsoft business cloud services to process, store, and transmit that data.

Frequently asked questions

Expand all

This US federal law mandates the protection of the privacy of students’ education records. It also gives parents and eligible students access to those records and the ability to correct them, as well as certain rights related to the release of records to third parties.

Audit cycle and certification

FERPA does not require or recognize audits or certifications.

Microsoft in-scope cloud services

Expand all

Services for which Microsoft agrees to be designated as a “school official” with “legitimate educational interests” in customer data include:

Azure Active Directory, API Management, App Services (API Apps, Mobile Apps, Web Apps), Automation, Backup, Batch, BizTalk Services, Cloud Services, Azure Cosmos DB, Event Hubs, Express Route, HDInsight, Key Vault, Load Balancer, Machine Learning, Management Portal, Media Services, Multi-Factor Authentication, Notification Hub, Operational Insights, Redis Cache, RemoteApp, Rights Management Service, Scheduler, Service Bus, Site Recovery, SQL Database, Storage, StorSimple, Stream Analytics, Traffic Manager, Virtual Machines, Virtual Network, Visual Studio Team Services, and Workflow Manager

  • Dynamics 365 detailed list
  • Office 365, Office 365 U.S. Government, and Office 365 U.S. Government Defense detailed list
  • Power BI cloud service either as a standalone service or as included in an Office 365 branded plan or suite
  • Visual Studio Team Services
  • Windows Defender ATP

Contact Trust Center

Need help evaluating our products? Can’t find the information you need?

Looking for general technical support?

Contact Microsoft support