In some ways FERPA is similar to HIPAA. The student information should be protected and you should only have access on a need to know basis. If you are making personal notes about a student, then make them factual with personal comments or that show a bias. This way if a student requests to review their records, there are no surprises.
When it comes to phone calls and giving out information, it is like is stated, you really do not know who is on the phone. Social media is another area where the rules may need to be updated to… >>>