What Is FERPA?

FERPA (the Family Educational Rights and Privacy Act) is a federal law that protects the privacy of student education records. It applies to all schools that receive funding from the U.S. Department of Education, which includes virtually every public and private college and university in the United States.

Under FERPA, students have the right to inspect their education records, request corrections, and control who can access their information. Institutions that violate FERPA risk losing federal funding. For disability services offices, FERPA governs how accommodation records, diagnostic documentation, and support plans are stored, shared, and disclosed.

What Does FERPA Protect?

FERPA covers “education records” — any records directly related to a student that are maintained by the institution or a party acting on its behalf. In the context of disability services and ADHD support, this includes:

• Diagnostic documentation and clinical evaluations submitted to the disability services office
• Accommodation letters and the specific accommodations granted
• Records of meetings between students and disability services staff
• Progress tracking data in any tool the institution provides or endorses
• Communication logs between the student and institutional support staff

FERPA does not cover personal notes held by a single staff member that are not shared with anyone else (sometimes called “sole possession records”), or records created and maintained by campus law enforcement for law enforcement purposes.

Who Must Comply with FERPA?

Every institution receiving federal education funding must comply — from large public research universities to small private colleges. Within the institution, compliance responsibilities extend to:

• Disability services offices that collect, store, and share accommodation records
• Student affairs teams that access student engagement or retention data
• IT and procurement departments that evaluate and deploy third-party edtech tools handling student records
• Faculty and advisors who receive accommodation notifications about students in their courses
• Third-party vendors that process student data under a contract with the institution

How Does FERPA Apply to Disability Services?

Disability services offices handle some of the most sensitive student records on campus. A student's ADHD diagnosis, the accommodations they receive, and their engagement with support tools are all protected under FERPA. Key principles for disability services teams:

• Minimum necessary disclosure. When notifying faculty about accommodations, share only what the faculty member needs to implement the accommodation — never the diagnosis itself.
• Written consent before sharing. Before sharing a student's accommodation status with advisors, coaches, or third-party tools, obtain the student's written consent. Verbal agreements are not sufficient.
• Legitimate educational interest. Staff may access student records without consent only if they have a legitimate educational interest and are listed in the institution's annual FERPA notification.
• Vendor contracts. Any third-party tool that receives student data must be under a written agreement that specifies permissible data use, storage, and destruction requirements. See the IT & Procurement guide for evaluation criteria.

Only 37% of students with disabilities report to their college's disability services office (NCES). For the students who do register, protecting the confidentiality of their records is essential to maintaining trust and encouraging continued engagement with support services.

FERPA Compliance Checklist for Universities

Use this checklist as a starting point for auditing your institution's FERPA compliance posture, particularly as it relates to disability services and student affairs operations.

1. Designate a FERPA compliance officer responsible for disability services data handling.
2. Maintain a current directory of all education records containing disability or accommodation information and where they are stored.
3. Ensure written consent from each student before sharing accommodation details with faculty, advisors, or third-party tools.
4. Limit faculty notification to the accommodation itself (e.g., extended test time) — never disclose the underlying diagnosis.
5. Audit access controls on any digital system storing student disability records at least once per academic term.
6. Train all staff who interact with student records — including student workers — on FERPA obligations annually.
7. Establish a documented process for students to inspect and request amendments to their disability services records.
8. Evaluate third-party vendor agreements for FERPA-compliant data handling before onboarding any edtech tool.
9. Maintain retention and destruction schedules for accommodation records consistent with institutional policy and state law.
10. Log and review all third-party data access requests involving student disability information.

How OVR IT Handles FERPA

OVR IT is designed with FERPA-conscious data handling from the ground up. When institutions evaluate OVR IT for campus deployment, the following safeguards apply:

• Row-level access controls. Student data is scoped to individual accounts. No student can see another student's records, and institutional staff see only aggregated or consent-gated views.
• Consent-gated advisor access. The advisor portal requires explicit student consent before any individual-level data becomes visible to institutional staff.
• PII stripping for AI features. When student data is sent to AI model providers for features like Smart Study Schedule or Assignment Decoder, personally identifiable information is stripped from prompts before transmission.
• No diagnostic data collection. OVR IT does not collect, store, or process ADHD diagnoses, clinical evaluations, or accommodation letters. The app operates on academic data (syllabi, deadlines, grades) — not medical records.

For detailed data handling information, see the privacy policy. For procurement-specific questions, visit the IT & Procurement page or request a demo.

Who Owns the Student Data?

The student does. OVR IT does not claim ownership of any student-generated content, academic data, or usage records. Students can export or delete their data at any time. Institutional deployments include a Data Processing Agreement (DPA) that formalizes this relationship.

Request a Data Processing Agreement or Security Review

IT procurement teams evaluating OVR IT for campus deployment can request a DPA, a security questionnaire completion, or a technical review meeting. Visit the IT & Procurement page for details, or request a university demo to start the conversation.