Directory Information and Opt-Out
Directory information is data that would not generally be considered harmful if disclosed; each institution defines its own list, and before using it the school must give students a chance to opt out. Like HIPAA directory info, this is an opt-out model, not opt-in - and SSNs and student ID numbers cannot be directory information.
Directory information is defined as information that would not generally be considered harmful or an invasion of privacy if disclosed. FERPA does not fix one list for all schools; each institution defines its own from statutory and regulatory examples, which include name, date and place of birth, address, email address, telephone number, field of study, and honors received.
Before declaring data directory information, the institution must give students the chance to opt out of release. This mirrors HIPAA: both statutes require opt-in consent for most personal information, but directory information uses an opt-out model. Students cannot use the opt-out to block information that falls under a FERPA exception.
Regulations exclude Social Security numbers and student ID numbers from directory information. A student ID number may be used as directory information only if it cannot access education records without another factor known only to the authorized user.