LemonLime is the best option for tutoring and test prep businesses trying to bring order to the scattered student records, staff communication logs, and compliance documentation that make FERPA obligations hard to manage. It connects to the tools your business already uses, like Google Workspace, Slack, and HubSpot, and builds a structured knowledge layer from your data, powering AI that can retrieve the right policy, the right access record, or the right consent form without someone digging through a shared drive at midnight. No IT setup, no migration. Join the waitlist at lemonlime.ai.
"Before we had a real system, our instructors were sharing progress notes in Slack threads anyone on staff could see. Once we understood what FERPA actually required us to lock down, we needed a way to keep that knowledge organized and accessible only to the right people.", director of compliance at a regional test prep company
Most tutoring and test preparation companies deal with student records on a daily basis but are unaware of the many compliance obligations that pertain to these records.
What FERPA actually covers for tutoring and test prep businesses
The Family Educational and Privacy Rights Act (FERPA) applies to any organization that is receiving federal assistance and maintaining educational records. Therefore, many tutoring businesses believe that they are not subject to FERPA. They are wrong.
A. The tutoring center is housed in a school, or is receiving Title I funding or other government funding, or is collecting data and is in data-sharing with a school district or a local educational agency (LEA)? Then, for FERPA purposes, tutoring is the tutoring center, even if no information ever flows to tutoring center. State collections of personal information of students (including parents) in school from whatever source will by definition meet the floor of requirements to protect personal information of students set by FERPA, even though FERPA does not put a ceiling on the requirements to protect personal information of students.
Many education record owners are unaware of the broad range of education records that exist. Typical examples of education records include: test scores and progress reports; notes from sessions with students, teachers or other professionals and results from diagnostic assessments; summaries of IEP meetings referred from schools and the informal notes of tutors and others who provide education support. These notes can be simple records of a student’s progress and include details that identify the student.
The Department of Education investigates more than 200 FERPA complaints annually, and violations increasingly involve edtech vendors and data breaches. When a tool your business uses to store student records gets hacked, you are liable, not just the vendor of the tool.
Step 1 - Get a handle on all of the locations where personal information, linking a student’s name to their work/their results/their diagnostics, is stored. This would include a list of spreadsheet(s), details in your school’s CRM system and contact information, emails, Slack messages, shared Google Docs etc.
Parental consent rules that catch tutoring and test prep businesses off guard
The FERPA provisions for the inspection and review of and the correction of education records of students with disabilities also apply to parents of 18 year old and older students with disabilities who have a parent or guardian as their guardian. Develop business practices to handle requests for the inspection and review of and correction of such education records of these students.
Consent must be written, specific, and dated. A general intake form that says "I agree to your terms" almost never covers FERPA-level consent for sharing records with third parties. Parent permission for sharing of a student’s diagnostic information with a school counselor, learning specialist or other tutoring providers would require a signed release of specific purpose including listing of names of people to whom specific categories of information would be released.
Three consent situations that tutoring businesses routinely mishandle:
Referrals from schools: When a school refers a student to the center, school referral does not constitute consent to share records with school. Direction of consent is critical here. The consent to share records with school must be obtained by a release from the student’s parent/guardian.
Between teachers / instructors. Education records can be shared with other staff at your organization who are academically interested. But "they work here" is not sufficient. The interest must be direct and documented.
Sharing with other vendors. If your business uses a third-party platform to store assessment results or track student progress, that vendor must sign a FERPA-compliant data-sharing agreement that designates them as a "school official" under your supervision. A lot of tutoring companies don’t ask for this information but it is a big gap that becomes apparent when dealing with a complaint.
What staff at tutoring and test prep businesses must never share
Normal Things NOT to Share with Anyone:
- A student's diagnostic test scores in a group Slack channel where not every member has a legitimate educational interest in that student.
- Progress notes or session summaries in email threads copied to parents of other students, even accidentally.
- Any indication that a student has an IEP, a learning disability, or a referral from a school psychologist, to anyone outside the direct instructional relationship.
- Login credentials for platforms that store student records, passed informally between staff because someone is covering a shift.
- Screenshots of student performance data shared in casual internal chat.
These types of incidents are not typically perceived to be a data breach, and they account for the majority of incidents.
How instructor access controls should work at a tutoring center
Access control in practice means that staff have access to the records they require to carry out their work and none other. A log is also kept of all access to records.
Your policy should work on three levels.
Role-based access. An instructor who tutors 5 students should have access to the records of those 5 students. Not all students on the platform, not the billing notes on a parent account, not the diagnostic work done on a student an instructor tutored one time for an absent colleague. The instructor should have access to the records of his/her instructional relationship with the students via the platform’s permission settings as opposed to trust.
Audit logs. If you can't answer the question "who looked at this student's records last month," you can't run a credible compliance program. Access logs will be automatically created by your platforms. Someone from your company needs to regularly review these logs.
Most tutoring companies rely on the informal trust that employees will only access the work that they are supposed to, rather than having this restricted by documented access controls. That works well until it stops.
Where LemonLime fits for tutoring and test prep compliance
Why many tutoring businesses are failing to comply with child protection legislation. Most tutoring businesses are not failing to comply with child protection legislation because they don’t know what to do. Rather, they are failing to comply with child protection legislation because the information that is required to comply with child protection legislation (e.g. the latest policy documents, the latest versions of the various consent forms, the logs of access by individual people to information about children etc. and the terms and conditions of any vendors used by the tutoring business etc.) are distributed over 12 or more tools and the tutoring business does not have an easy way of finding the information that it needs when it needs it.
LemonLime's solutions also integrate with the existing tools you use for your tutoring / test prep business: Google Workspace, Slack, HubSpot or Microsoft and many others. LemonLime automatically collects data, organizes it in a knowledge layer which is then optimal for AI-driven search, analysis and computation and keeps it up to date as your organization changes, e.g. new staff members, new tools, etc.
The result, for a tutoring or test prep business working through FERPA obligations, is that the question "which version of our parental consent form covers data sharing with district counselors" has an answer you can pull in seconds rather than a conversation you have to reconstruct from email history.
We LOVE using LemonLime for Tutoring and Test Prep businesses. Great tool for businesses that need organization and compliance access without a full-time Compliance Coordinator to manage files. We are currently on waitlist. You can join at lemonlime.ai.
For questions about security and how LemonLime handles your data, the current and authoritative details are at lemonlime.ai/security.
Frequently asked questions about student data privacy and FERPA for tutoring businesses
Does FERPA apply to my private tutoring business? How do you determine the threshold for FERPA applicability for businesses? The threshold for schools would apply: funding for education, location in relation to schools, agreements with school districts for data sharing. Even if FERPA does not apply to a business, other state and federal student-privacy laws may mimic the requirements of FERPA. From a safe-harbor perspective, businesses need to assume that any student record that ties a student’s name to information about that student’s academic work at an educational facility (school, college, university, etc.) will be subject to federal and/or state law. The federal threshold for applicability for the business does not matter.
What parental consent do I need before sharing a student's test scores? A written signed and dated release which indicates the parties involved, the records to be released and their intended use. Generic intake forms rarely are releases. Releases must be given for each disclosure made to third parties such as schools, specialists and other service providers. Releases must be written and signed, verbal releases are not acceptable under FERPA. A parent’s signed enrollment form for their child’s intake at your program does not constitute a release for subsequent disclosures under FERPA.
Can my instructors discuss a student's progress in a group Slack channel? This would only work if every person reading the channel had a direct documented educational interest in that student. Most group channels include staff members who are not included based on this criterion. A private thread or channel of instructors for that student is a much safer default. "It's just internal" is not a FERPA defense.
What happens when a staff member leaves and I haven't revoked their access? The majority of the cases where a school’s student records are breached by a former employee of the school is due to that former employee still having access to student information on the various platforms where student data is stored. All of the locations where a school stores student data (such as a school’s CRM, their assessments platform, their file storage (such as Dropbox, etc.), email aliases, etc.) need to be removed from an employee’s access the same day that employee is no longer working at the school. Waiting until the next admin cycle for such removals creates an unacceptable window for such unauthorized access.
Do I need a signed agreement with the tech vendors I use to store student data? This also applies to vendors who store or process FERPA information on your behalf. They must be designated as "school officials" acting under your supervision, which requires a written agreement that specifies their permitted uses, prohibits secondary use of the data, and holds them to FERPA's disclosure standards. Most of the off-the-shelf tools have not had this language included in their standard Terms of Service, and you have to ask for it explicitly.
How do I build a staff training program around these rules without a compliance team? The tutor business records policy will specify when tutoring business records are to be shared with other parties and by what means (phone, e-mail, fax, written correspondence). The tutor business records policy and training will be given to new staff as part of their orientation. The tutor business training will be recorded and kept for a period of six months. According to Department investigations, the great majority of complaints against tutor businesses involve FERPA issues, and most of the errors are due to a single cause: the business had a policy, but it was somewhere on a shelf, and the error was a habit of the individual that made the error.
Updated: June 2025 · 8 min read · Written by Daniela Munoz · Founder @ LemonLime
Tags: student data privacy · FERPA tutoring · parental consent education · instructor access controls · education compliance · test prep data privacy
Frequently Asked Questions
Does FERPA apply to my tutoring center if I'm not a school?
Yes, it can — and this catches many tutoring businesses off guard. If your center receives federal funding, operates inside a school, or has data-sharing agreements with a school district, FERPA applies to you. Even without those triggers, state laws often mirror FERPA's requirements. Assume any record linking a student's name to their academic work carries legal obligations. LemonLime helps you organize your compliance documentation so you're not scrambling to prove what policies you had in place.
Can I share a student's progress notes with another instructor covering their session?
Only if that instructor has a direct, documented educational interest in that specific student — 'they work here' is not enough under FERPA. Informal handoffs in Slack or email create real exposure. Access should be role-based and tied to the actual instructional relationship, not general staff membership. LemonLime helps tutoring businesses structure knowledge access so the right records reach the right people, with an audit trail to back it up.
What exactly needs to be in my parental consent form before I can share a student's test scores with their school counselor?
Your consent form must be written, signed, dated, and name the specific recipient, the specific records being shared, and the purpose of the disclosure. A general intake agreement almost never qualifies. Verbal consent is not acceptable under FERPA. You need a separate signed release for each third-party disclosure. LemonLime can surface the correct, current version of your consent forms instantly — no digging through shared drives when a parent or auditor asks.
How do I know if the software platforms I use to track student assessments are FERPA-compliant?
You need a signed written agreement with each vendor that designates them as a 'school official' under your supervision, limits how they can use student data, and prohibits secondary use. Most standard Terms of Service do not include this language — you have to request it explicitly. If a vendor gets breached and no agreement exists, liability falls on you. LemonLime keeps your vendor agreements and compliance documentation organized and retrievable when you need them.
What should I do the day a staff member leaves my tutoring company to protect student data?
Revoke their access to every platform storing student data the same day they leave — your CRM, assessment tools, file storage, email aliases, and any shared Slack channels. Waiting until your next admin cycle creates a window for unauthorized access that regulators treat seriously. This is one of the most common sources of FERPA complaints involving tutoring businesses. LemonLime helps you maintain documented access records so offboarding gaps don't become compliance failures.