Valid Consent and Identity Verification
Valid FERPA consent must be signed, dated, and written, identifying the records, the purpose, and the recipient. When relying on a statutory exception, only one exception need apply, but schools must use reasonable methods to verify the recipient's identity.
Valid student consent to disclosure must be signed (by hand or electronically), dated, and written. It must identify the record(s) to be disclosed, the purpose of the disclosure, and to whom the disclosure is being made.
To disclose PII without consent, an educational institution need meet only one statutory exception. But it must use reasonable methods to verify identity - PINs, passwords, personal security questions, smart cards and tokens, biometric indicators, and other factors known or possessed only by the user.