VDOE Certified FERPA Compliance, 16 Days Later Prince William County Public Schools Breached Student Privacy
The question isn’t whether Virginia divisions are in compliance with FERPA. The question is: Did VDOE certify something it never verified?
On April 30, 2025, the Virginia Department of Education (VDOE) submitted a letter to the U.S. Department of Education (USDOE) certifying that all 136 of its local education agencies (LEAs) “provided the agency with an assurance of compliance as outlined in United States Department of Education Student Privacy Policy Office March 28, 2025 ‘Chief State School Officers and Superintendents Letter’” and “exceeded federal FERPA expectations.”
But just sixteen days later, Prince William County Public Schools (PWCPS)—one of Virginia’s largest divisions—disclosed personally identifiable student information without consent.
According to a May 29, 2025, notification letter sent to the parent whose child was impacted, the breach occurred on May 16. The letter explained that “as a result of a clerical error,” information “related to a due process hearing regarding your child’s education was electronically shared with another parent who should not have received this information.” PWCPS reported it became aware of the unauthorized disclosure the following day. However, it waited nearly two weeks to notify the impacted parent, offering no explanation for the delay.
This breach followed two other serious records-related failures involving platforms used across Virginia:
A BoardDocs “misconfiguration” that exposed sensitive records
A PowerSchool breach, which, according to the Virginia Mercury, compromised data in “potentially 85 Virginia school divisions.”
This sequence—certification followed by a documented breach—raises serious questions about the integrity of VDOE’s FERPA assurances.
What VDOE Claimed in Its Certification Letter
The April 30 letter, signed by State Superintendent Emily Anne Gullickson, states that:
All LEAs had acknowledged federal FERPA guidance issued March 28, 2025;
VDOE provides regular newsletters addressing FERPA.
VDOE’s state superintendent addressed the importance of FERPA in her opening remarks at an annual conference “with a supermajority of superintendents in attendance” and VDOE’s team spoke with superintendents’ individually at the conference and with those who could not attend about the importance of assuring compliance . . .”
“VDOE provides all Virginia school divisions with the opportunity to be a part of the Student Data Privacy Consortium . . .”
“[A]s part of the VDOE annual security training program all agency employees are trained on FERPA.”
But critically, the letter also included this disclaimer:
“The Virginia Department of Education does not have direct authority to assess or determine whether an individual LEA is in full compliance with FERPA and PPRA.”
This claim contradicts another passage in the same letter, where VDOE stated:
“VDOE ensures compliance [with] FERPA and PPRA and with special education dispute resolution efforts as required by the Individuals with Disabilities Education Act (IDEA). The VDOE is currently monitoring two local education agencies for required corrective actions as a result of identified non-compliance. Fairfax County Publics Schools noted the corrective actions on the submitted assurance. Lynchburg City Public Schools also has a single student specific instance of non-compliance related to a state special education complaint involving FERPA but did not include this information in the assurance submitted to the VDOE. The VDOE is actively monitoring and communicating with school divisions in these instances and anticipates completion of these corrective actions in alignment with federal state requirements.”
So which is it?
How can VDOE claim to “ensure compliance” while also disclaiming the authority to determine whether divisions are in compliance?