FERPA is a HIPAA for institutions that receive government funds. By law there are limitations on who can and cannot receive personal student information. A facility could state that someone had the right to access the info, but there must be a true need to know. In TCN's case, they acquired my transcripts, ran an analysis, and then sent me a letter telling me they had just the class I needed for ISU, and to sign the enclosed contract and submit my credit card for payment. ISU states in their catalogue that the class I allegedly needed can be taken at ISU or a community college. There is no note that it can be taken with TCN.
In TCN's case, the customer service supervisor of academics acknowledges TCN's error; that is, they should have never contacted me because I had no contract with them and did not need the class they were offering to sell me. Yet they do not acknowledge their error in accessing my personal information. Their rationale was that ISU sent them the info and ISU does this all the time. I asked: once TCN received the first private student info, why didn't TCN contact ISU and put a stop to the information? From what I can determine, this issue has been going on for years and involved many ISU students. By law, ISU must notify those students that there has been a breach in the student's records and private info has been disseminated to someone who had no right to know. ISU must also file a report with the gov stating the error and what is being done to correct the problem. Unlike HIPAA, FERPA really has no penalties, other than that there could be an investigation by the gov, and the gov has the right to withdraw gov funds the university/college/school is receiving.