Access to Education Records for Research Purposes
The University of Iowa (UI) Office of the Registrar FERPA Team and Human Subjects Office collaborate to respond to research requests seeking the use of or access to student academic data. Investigators are required to comply with FERPA, human subject protection regulations (IRB requirements), and UI policy when accessing education records.
The FERPA Team will provide an approval/agreement memo to researchers to submit in tandem with the IRB application if the research proposal is FERPA compliant.
FERPA-Compliant Research Planning
Before initiating a research project involving student data, investigators should consult with the FERPA Team and the Human Subjects Office to ensure compliance with university policies and federal regulations. Early collaboration can help identify:
- Whether consent is required.
- What data can be accessed.
- How to structure the IRB application.
- Whether data de-identification is necessary.
This proactive approach helps streamline the approval process and ensures ethical handling of student records.
Obtaining Consent to Access Records for Research Purposes
Researchers have met FERPA requirements when they supply a consent form, and a student signs it, thereby agreeing to participate in the research study and to release their education records for research purposes.
FERPA regulations specify that a student must provide signed and dated written consent in accordance with § 99.30 before personally identifiable information from education records can be disclosed unless the disclosure falls within the exceptions set forth in § 99.31.
FERPA's consent provisions require specification of 1) the records that may be disclosed; 2) the purpose of the disclosure; and 3) the identity of the party or class of parties to whom the records may be disclosed.
Access to Records for Research Purposes Without Obtaining Consent
FERPA allows educational agencies or institutions to disclose personally identifiable information from a student’s education record without consent if the receiving organizations are conducting studies for, or on behalf of, educational agencies or institutions to:
- Develop, validate, or administer predictive tests.
- Administer student aid programs.
- Improve instruction [34 CFR § 99.31].
Education records may be released for research without consent under FERPA if all personally identifiable information has been removed, including:
- Student name and/or other direct personal identifiers such as university ID number, Hawk ID, and name.
- Undirect identifiers, such as parent or family member names, addresses, personal characteristics, and/or other information that could allow the student’s identity to be traceable, date and place of birth, and mother’s maiden name.
- Biometric records, including one or more measurable biological or behavioral characteristics that could be used for automated recognition of an individual, including physical image, voice, facial characteristics, and handwriting.
- Other information, alone or in combination, that is linked or linkable to a specific student and could allow a reasonable person in the campus community who does not have personal knowledge of the relevant circumstances to identify the student with reasonable certainty.
Examples of working with FERPA-protected data at the University of Iowa
Example Scenario 1
A professor is interested in researching how first-year college students perceive campus safety. To recruit participants, the researcher asks First-Year Seminar instructors for a list of student email addresses to distribute recruitment flyers.
However, this approach would violate FERPA regulations. Class rosters and student schedules are considered part of a student’s education record and cannot be shared with third parties. By providing a list of student emails, the instructor would effectively be disclosing a course roster.
In this case, the researchers are not evaluating instructional methods, curricula, or classroom management—criteria that might otherwise permit access to student records under FERPA’s research exceptions. Therefore, they are not eligible to access student records for this study.
A compliant alternative would be for the instructors to send the recruitment email on behalf of the researchers. Interested students could then choose to contact the researchers directly for more information.
Example Scenario 2
A graduate student is conducting a study on academic performance trends among undergraduate students in STEM majors. They request access to GPA data, course grades, and demographic information for all students enrolled in biology and chemistry courses over the past five years.
This request involves personally identifiable information from education records and would require either:
- Documented student consent, or
- A valid research purpose that meets FERPA’s exceptions (e.g., improving instruction or administering student aid programs).
If the researcher cannot demonstrate that the study is being conducted on behalf of the institution for one of these purposes, and if no consent is obtained, the data must be fully de-identified before it can be shared. This includes removing all direct and indirect identifiers that could reasonably be used to identify a student.
An appropriate alternative would be to work with the Office of the Registrar to obtain an aggregated or anonymized dataset that meets the research needs without compromising student privacy.