HR & Hiring
FERPA and Education Verification: What Employers Can Legally Ask
FERPA protects student records — but it doesn't stop employers from verifying degrees. Understanding the boundary between protected records and releasable directory information is the difference between a compliant verification and a legal liability.
Key Takeaways
- • FERPA applies only to schools that receive federal funding — nearly all U.S. colleges and K-12 schools
- • Directory information (name, degree, dates attended, major, enrollment status) can be released without student consent unless the student has opted out
- • Grades, GPA, SSN, and transcripts are protected — employers cannot get these without signed student consent
- • FCRA requires a standalone disclosure and written consent before running education checks through a third-party background screener — this consent also satisfies FERPA
- • If a student has a "no release" flag on file, schools will often confirm nothing — not even whether the student attended
What Is FERPA?
The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, gives students (and parents of minor students) the right to access and control their own education records. It applies to any educational institution that receives funds from the U.S. Department of Education — which covers virtually every public school, community college, and university in the country.
FERPA does not apply to private schools below the college level that don't receive federal funding, though most private K-12 schools choose to follow similar privacy principles.
Crucially, FERPA is about restricting institutional disclosure — it doesn't prevent students from sharing their own records with anyone they choose. An applicant can always authorize release of their own records by signing a consent form.
Directory Information vs. Protected Records
FERPA distinguishes between two categories of student information. Understanding this split is the core of FERPA compliance for HR teams.
Directory Information (Generally Releasable)
- ✓ Student's name
- ✓ Dates of attendance
- ✓ Degree awarded and date conferred
- ✓ Major field of study
- ✓ Enrollment status (full-time, part-time)
- ✓ Degrees, honors, awards received
- ✓ Most recent institution attended
Protected Records (Consent Required)
- ✗ Grades and GPA
- ✗ Full transcripts
- ✗ Social Security Number
- ✗ Financial aid records
- ✗ Disciplinary records
- ✗ Medical and counseling records
- ✗ Class schedules and course content
The practical implication: an employer can confirm that Jane Smith earned a Bachelor of Science in Computer Science from MIT in May 2022. The employer cannot find out what Jane's GPA was or what grades she received without Jane's explicit written consent.
The "No Release" Opt-Out: When Verification Gets Complicated
FERPA allows students to request that their institution withhold all directory information — including their name, enrollment status, and degree. This is called a "no release" flag, a "privacy hold," or a "directory information opt-out" depending on the institution.
When a no-release flag is active, most schools will not confirm any information about the student — not even whether the student attended. This can make degree verification extremely difficult.
What to do when a school won't confirm a degree
- Request that the candidate sign a FERPA release form directly to the institution
- Ask the candidate to provide an official sealed transcript
- Contact the school's registrar to ask specifically whether a student opt-out is preventing disclosure (they can usually confirm this much)
- Use the National Student Clearinghouse — many institutions share data with NSC separately from FERPA opt-out status
The National Student Clearinghouse (NSC) is worth noting here: it operates under a data agreement with institutions, not under FERPA directly. Some schools share data with NSC even when a student has a privacy hold, though NSC itself has privacy protections built into its DegreeVerify product.
How FCRA Interacts with FERPA
If you're using a third-party background screening company to run education verification, FCRA (the Fair Credit Reporting Act) adds another layer of requirements.
FCRA requires:
- A standalone disclosure document notifying the applicant that a background check will be run (this must be a separate document — not buried in an employment application)
- Written authorization from the applicant before the report is ordered
- Specific adverse action procedures if you intend to reject a candidate based on background check results
The good news: FCRA consent covers FERPA. When a candidate signs a FCRA-compliant authorization that includes educational records, schools can release directory information (and, with a proper release, protected records) to the screener.
Practical note for HR teams
If you're verifying education yourself (not through a screener), FCRA doesn't apply — but FERPA still does. You can contact a registrar directly and request directory information. If the school confirms the degree, no consent is needed for that basic confirmation. Consent is required only if you want GPA, transcripts, or other protected records.
FERPA-Compliant Education Verification Workflow
Here's a practical workflow that keeps you compliant with both FERPA and FCRA:
Collect candidate-provided information
Get the institution name, degree type, major, and graduation year on the application. This is what you'll verify — don't accept vague claims like "studied at Harvard."
Obtain FCRA authorization (if using a screener)
Provide a standalone FCRA disclosure document and get written authorization before ordering the background check. This authorization simultaneously satisfies FERPA consent for directory information.
Check the National Student Clearinghouse first
NSC's DegreeVerify covers 97% of U.S. higher ed enrollment. For most degrees, this is the fastest and most authoritative check. Results in minutes, not days.
Contact the registrar directly if NSC can't confirm
Call or submit a request through the institution's official registrar portal. Ask to confirm degree, dates of attendance, and major — all directory information. Do not ask for GPA without additional signed consent from the candidate.
If the school won't confirm: escalate appropriately
Request a signed FERPA release from the candidate, or ask for an official sealed transcript. An unexplained refusal to provide basic confirmation is itself a red flag worth noting in your hiring decision.
Document your process
Keep records of what you verified, how, and when. If you took adverse action based on an education discrepancy, follow FCRA adverse action procedures (pre-adverse action notice, copy of report, summary of rights).
Common FERPA Misconceptions in HR
"FERPA prevents employers from verifying degrees"
False. Directory information — including degree awarded, major, and dates of attendance — can be released without consent. FERPA restricts grades, transcripts, and sensitive records, not basic credential confirmation.
"The school said they can't confirm anything — they must be protecting a privacy hold"
Possibly, but not necessarily. Schools sometimes decline to respond for administrative reasons (outdated contact info, non-standard requests). Ask the registrar specifically whether a privacy hold is preventing disclosure — they can usually confirm this without violating FERPA.
"We need the candidate's transcript to verify their degree"
Not always. To confirm degree completion, you only need confirmation from the registrar or NSC — no transcript required. Transcripts are needed when you need course-level detail (e.g., verifying specific prerequisites or GPA requirements for a role).
"FERPA applies internationally"
No. FERPA is U.S. law and applies only to U.S. institutions that receive federal funding. Verifying degrees from foreign institutions requires different processes — typically working through credential evaluation agencies or contacting the institution directly under local data laws.
"We can ask for GPA as long as the candidate signed our general consent form"
Not quite. The consent must specifically authorize release of protected education records. A general employment authorization form is usually insufficient. To get GPA from the registrar, the candidate should sign a FERPA release form issued by the school itself, or provide an official transcript directly.
Quick Reference: What Employers Can and Can't Verify
| What You Want to Verify | Consent Required? | How to Get It |
|---|---|---|
| Degree awarded (yes/no) | No (directory info) | NSC DegreeVerify or registrar call |
| Dates of attendance | No (directory info) | NSC or registrar |
| Major / field of study | No (directory info) | NSC or registrar |
| Enrollment status (full/part-time) | No (directory info) | NSC EnrollmentVerify or registrar |
| GPA / grades | Yes (protected) | Candidate provides official transcript |
| Full transcript | Yes (protected) | Candidate signs FERPA release form |
| Disciplinary history | Yes (protected) | Candidate signs FERPA release; most schools won't disclose even then |
| Financial aid records | Yes (protected) | Only available to authorized parties; rarely relevant for employment |
Verify Credentials Without the Legal Guesswork
VerifyED cross-references 184,000+ institutions to confirm accreditation status and institutional legitimacy — the first step before you even contact a registrar. Identify diploma mills and unaccredited schools before they become a hiring problem.
Search VerifyED →Related Reading
- Education Verification for Employers: A Practical Guide — end-to-end HR workflow
- Background Check vs. Education Verification: What's the Difference? — when basic isn't enough
- How to Use the National Student Clearinghouse — DegreeVerify, EnrollmentVerify, pricing
- How to Verify a College Degree — 5-step verification process
- What Happens If You Use a Fake Transcript — legal consequences and detection rates