← Back to Blog

FERPA COMPLIANCE

FERPA Device Disposal Requirements: How Schools Must Handle End-of-Life Electronics

School districts across the country are managing more devices per student than ever before. The average K-12 district now maintains nearly one device per student, and many operate true 1:1 programs where every student is assigned a Chromebook, laptop, or tablet. When these devices reach the end of their useful life -- typically every three to five years -- districts face a compliance challenge that many IT directors are unprepared for.

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records, and that protection does not expire when a device is powered off. Student data on retired devices remains protected under federal law, and improper disposal can expose the district to complaints, loss of federal funding, and public trust failures that are difficult to recover from.

What Does FERPA Protect on School Devices?

FERPA, codified at 20 U.S.C. Section 1232g and implemented through regulations at 34 CFR Part 99, protects education records -- defined as records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution.

On school-issued devices, FERPA-protected data includes:

  • Student information system data: Grades, attendance records, disciplinary records, enrollment information, and demographic data that may be cached locally or stored in browser data.
  • Email and communications: Student email accounts often contain personally identifiable information including names, student ID numbers, and communications with teachers about academic performance.
  • Google Workspace or Microsoft 365 data: Documents, spreadsheets, presentations, and files created by students and stored locally or in offline sync folders.
  • Learning management system content: Assignments, grades, feedback, and assessment results cached by applications like Canvas, Schoology, or Google Classroom.
  • Special education records: IEP documents, behavioral intervention plans, and related service records are among the most sensitive data types and carry additional protections.
  • Browser history and cached credentials: Login information, site history, and cached pages from education platforms that contain student data.
  • Photos and media: Student-created content including photos, videos, and audio recordings stored on device storage.

Which Devices in Schools Contain FERPA Data?

Districts need to account for every device type that touches student data, not just student-assigned devices:

Student-Assigned Devices

  • Chromebooks: The most common student device in K-12. While Chrome OS is designed to be cloud-centric, Chromebooks still store local data including offline files, cached credentials, browsing data, and downloaded content. Retired Chromebooks that have reached their Auto Update Expiration (AUE) date are the largest volume of school e-waste.
  • iPads and tablets: Used heavily in elementary grades, these devices store app data, photos, cached content, and login credentials locally.
  • Windows and Mac laptops: Used in specialized programs (media production, computer science, career and technical education), these devices have full local storage and typically contain more locally-stored data than Chromebooks.

Staff and Administrative Devices

  • Teacher laptops: Contain gradebooks, student communications, IEP documents, parent contact information, and assessment data. Teacher devices often hold more sensitive student data than student devices themselves.
  • Administrative workstations: Front office computers with access to the student information system, enrollment records, health records, and discipline files.
  • Counselor computers: Academic plans, college application materials, mental health referrals, and highly sensitive student records.

Infrastructure

  • Servers: On-premises SIS servers, file servers, print servers, and backup systems contain the highest concentration of student records.
  • Network equipment: Firewalls and content filters maintain logs that can include student-identifiable browsing activity.
  • Printers and copiers: Devices in school offices frequently process documents containing student records and retain copies on internal storage.

District Obligations Under 34 CFR Part 99

FERPA does not include a specific disposal standard equivalent to the HIPAA device disposal requirement. However, the Department of Education's Student Privacy Policy Office (SPPO) has consistently taken the position that the duty to protect education records extends to their disposal. Several provisions of 34 CFR Part 99 are directly relevant:

  • 34 CFR 99.31: Limits the conditions under which education records may be disclosed without consent. Allowing student data to leave the district on unsanitized devices constitutes an unauthorized disclosure.
  • 34 CFR 99.33: Requires that parties receiving education records not re-disclose them. A disposal vendor receiving devices with student data must be held to this standard.
  • 34 CFR 99.35: Addresses conditions for disclosure to authorized representatives. Disposal vendors do not qualify under any disclosure exception, making data sanitization before transfer essential.

Additionally, many districts receive federal funds under programs like Title I, IDEA, and E-Rate, which can impose their own data handling requirements. Loss of federal funding eligibility is the primary enforcement mechanism under FERPA, making compliance a direct financial concern for districts.

Handling 1:1 Device Programs at End of Life

The scale of 1:1 device disposal creates unique logistical challenges. A mid-sized district with 10,000 students cycling devices every four years needs to process 2,500 devices annually. Here is a structured approach:

Step 1: Collection and Inventory

Establish a centralized collection process. Every device must be accounted for with asset tag, serial number, last assigned student (for audit purposes), and condition assessment. Districts using asset management systems like WASP, Asset Panda, or Google Admin Console should export and archive this data before deprovisioning.

Step 2: Deprovisioning

For Chromebooks, deprovision devices from Google Admin Console to release the Chrome Enterprise license. For Windows devices, remove them from Active Directory and any MDM platform. For iPads, remove them from Apple School Manager and MDM. This step removes the device from remote management but does not sanitize local data.

Step 3: Data Sanitization

Perform a full data wipe that meets NIST 800-88 Clear or Purge standards depending on the sensitivity of the data. For Chromebooks, a Powerwash combined with deprovisioning is generally accepted as adequate for the type of cached data present. For Windows and Mac devices, a full-disk overwrite using tools like DBAN, Blancco, or manufacturer Secure Erase is required. For devices with damaged or non-functional storage, physical destruction is the only option.

Step 4: Documentation

Generate certificates of data destruction for every device, linked to asset tags and serial numbers. These records must be retained according to your state's records retention schedule -- in Washington state, that means six years for most school records.

Step 5: Disposition

Sanitized devices can then be sold for resale value, donated, or recycled. Working with a bulk electronics pickup service that handles both sanitization and disposition simplifies the process and maintains a single chain of custody.

Summer Refresh Best Practices

Most districts time their device lifecycle replacements during summer break. Here are best practices for making the summer refresh both efficient and compliant:

  • Start planning in February or March: Identify which devices will be retired, confirm budget for replacements, and engage your disposition vendor early. Summer schedules fill quickly.
  • Collect devices before the last day of school: Students returning devices during the final week creates a bottleneck. Start collection two to three weeks before the end of the school year for non-testing grades.
  • Stage by building: Have each school's tech coordinator collect, inventory, and stage devices for central pickup rather than transporting individually.
  • Process in batches: Sanitize and document devices in manageable batches rather than trying to process the entire fleet at once. This improves accuracy and reduces the risk of devices slipping through without proper sanitization.
  • Separate functional from non-functional: Functional devices have resale value that can offset the cost of new purchases. Non-functional devices need physical destruction. Mixing them together wastes time and money.
  • Complete documentation before the new school year: Finalize all certificates of destruction and archive disposition records before fall so that the process is closed and auditable.

Documentation for Audits

Districts face audits from multiple sources -- state auditors, federal program reviews, and internal reviews. Having proper documentation for device disposal protects the district in all of these contexts:

  • Asset disposal policy: A board-approved policy describing the district's procedures for disposing of technology equipment, including data sanitization requirements and responsible parties.
  • Asset inventory with full lifecycle tracking: Records showing each device from purchase through disposition, including procurement date, assigned location/user, decommission date, and final disposition method.
  • Certificates of data destruction: Per-device records showing date, method, NIST standard achieved, serial number, and performing party.
  • Vendor agreements: Contracts with disposal vendors that include data protection clauses, liability provisions, and compliance commitments. While FERPA does not have a BAA equivalent like HIPAA, contractual data protection requirements are essential.
  • Board approval records: Many states require board approval for disposition of district assets above certain value thresholds.
  • Revenue records: If devices are sold, documentation of proceeds and their deposit into appropriate district funds.

Working with Disposal Vendors

When selecting a vendor for school device disposition, districts should evaluate:

  • Experience with K-12: The vendor should understand the volume, device types (especially Chromebooks), and compliance requirements specific to education.
  • Data destruction capabilities: Verify they can provide NIST 800-88 compliant sanitization with serial-number-level documentation.
  • Certifications: R2, e-Stewards, or NAID AAA certification demonstrates audited data security practices.
  • Transparent pricing: Many vendors pay the district for functional devices while charging for recycling non-functional units. The net cost should be clear.
  • Logistics support: Can they handle bulk pickup from multiple school sites? Do they provide pallets, boxes, or other packaging?
  • References from other districts: Ask for references from school districts of similar size and device mix.

State-Specific Considerations for Washington Schools

Washington state school districts face additional requirements beyond FERPA. The Washington Student Data Privacy Act and the state's student records retention schedule impose specific obligations. Districts should also be aware that Washington's e-waste recycling law (RCW 70A.500) applies to school electronics and provides free recycling options for qualifying devices through the E-Cycle Washington program.

However, free recycling programs typically do not provide the serial-number-level data destruction documentation that districts need for FERPA compliance. For that level of documentation, working with a dedicated electronics disposition vendor is the more reliable path.

Getting Started

If your district is planning a device refresh and needs compliant disposition for retired school electronics, we work with K-12 districts throughout Washington state. Our process includes certified data destruction with per-device documentation, bulk pickup from school sites, and fair market value payment for functional devices that offsets replacement costs.

Request a quote or call 833-96-CYCLE to discuss your upcoming refresh schedule.

Planning a School Device Refresh?

We help K-12 districts dispose of retired Chromebooks, laptops, and tablets with FERPA-compliant data destruction and per-device documentation. Bulk pickup available across Washington state.

Get a Free Quote Call 833-96-CYCLE