Family Educational Rights and Privacy Act (FERPA)
“PROTECT OUR STUDENTS”
“PROTECT THE UNIVERSITY”
Welcome to FERPA:
Take a look around your work area. What information do you have which may need to be handled in a secure way? For example:
- A university telephone directory
- Student registration forms
- Graded papers and advising packets
- Personal information and enrollment records
- Student’s schedule of classes
- Student-related information displayed on a computer screen
- A computer printout in your office
- A class list on your desktop
We now have more access to restricted information than ever before with the Student Information System integrated databases. The consequences of how we handle or mishandle student information are significant. What are the rights of students, what is non-directory information, what is directory information, what information can be disclosed without consent, and what constitutes an education record under the Family Educational Rights and Privacy Act (FERPA)?
This FERPA Information Guide and tutorial will help you answer these questions.
The Family Educational Rights and Privacy Act (FERPA) is a federal law that sets forth requirements regarding the privacy of student records. FERPA governs the release of these records (known as education records) maintained by an educational institution and access to these records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student. The FERPA statute is found at 20 U.S.C § 1232g and the FERPA regulations are found at 34 CFR Part 99. http://www.ed.gov/policy/gen/guid/fpco/faq.html.
An education record is any record that contains information directly related to a student that is maintained by the institution. This includes, but is not limited to, grade information, disciplinary documentation, billing, financial aid data, and medical records.
The Family Educational Rights and Privacy Act protects the privacy of student education records. It gives students the right to inspect and review their education records; the right to request the amendment of their education records that students believe are inaccurate or misleading; the right to consent to disclosure of personally identifiable information contained in the education records, except to the extent that FERPA authorizes disclosure without consent; and the right to file a complaint with the U.S. Department of Education concerning alleged failures by the university to comply with the requirements of FERPA. Ultimately, an institution’s failure to comply with FERPA can mean the withdrawal of federal funds by the Department of Education.
Records not considered part of an education record include, but are not limited to, records of the law enforcement unit of an education institution, and records that only contain information about an individual after he or she is no longer a student at the institution.
There are several exceptions to FERPA’s general prior consent rule that are set for in the statute and the regulations. See § 99.31 of the FERPA regulations. One exception is the disclosure of “directory information” as set forth in FERPA guidelines. (34 CFR § 99.31(a) (11).)
FERPA defines “directory information” as information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Northwestern State University defines directory information as the following: student’s name; mailing address; e-mail address; photograph; telephone number; dates of attendance; enrollment status (e.g., undergraduate or graduate, full-time, or part-time); major field of study; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors and awards received, including naming to honor rolls; and the most recent educational agency or institution attended.
Students may choose to have their directory information marked confidential at any time by printing the form, completing, signing, dating, and mailing or faxing the form to the University Registrar’s Office. Form: “Request to Prevent Disclosure of Directory Information”
Students can print the “STUDENT INFORMATION RELEASE AUTHORIZATION” form, complete, sign, date, and mail or fax the form to the University Registrar’s Office.
No. Students can print the “STUDENT INFORMATION RELEASE AUTHORIZATION” form, complete, sign, date, and mail or fax the form to the University Registrar’s Office.
Consent will remain in effect until a student submits a notification in writing revoking their consent.
Students can print the “STUDENT INFORMATION RELEASE AUTHORIZATION” form, complete, (including the revocation section), sign, date, and mail or fax the form to the University Registrar’s Office.
As noted above, the rights under FERPA transfer from the parent to the student once the student turns 18 years old or enters a postsecondary institution at any age. Parents or guardians may have access to their student’s education record if the student has completed, signed, dated, and submitted the “STUDENT INFORMATION RELEASE AUTHORIZATION” form as described above. It does not make a difference if the parent/guardian is paying the tuition.
As indicated above, if a student is attending a postsecondary institution – at any age – the rights under FERPA have transferred to the student.
Yes, if the student is under the age of 21 at the time of the disclosure, FERPA was amended in 1998 to allow such disclosures. See § 99.31(a) 15 of the FERPA regulations.
Yes. The new regulations allow disclosure without consent of any information concerning registered offenders provided to an educational agency or institution under 42 U.S. C. 14071 and applicable Federal guidelines.
Yes. In some situations, a school may determine that it is necessary to disclose non-directory information to appropriate parties in order to address a disaster or other health or safety emergency. FERPA permits school officials to disclose, without consent, education records, or personally identifiable information from education records, to appropriate parties in connection with an emergency, if knowledge of that information is necessary to protect the health or safety of the student or other individuals. See 34 CFR §§ 99.31(a)(10) and 99.36. This exception to FERPA’s general consent requirement is temporally limited to the period of the emergency and generally does not allow for a blanket release of personally identifiable information from the student’s education records.
Under this health or safety emergency provision, an educational agency or institution is responsible for making a determination whether to make a disclosure of personally identifiable information on a case-by-case basis, taking into account the totality of the circumstances pertaining to a threat to the health or safety of the student or others. If the school district or school determines that there is an articulable and significant threat to the health or safety of the student or other individuals and that a party needs personally identifiable information from education records to protect the health or safety of the student or other individuals, it may disclose that information to such appropriate party without consent. 34 CFR § 99.36. This is a flexible standard under which the Department defers to school administrators so that they may bring appropriate resources to bear on the situation, provided that there is a rational basis for the educational agency’s or institution’s decisions about the nature of the emergency and the appropriate parties to whom information should be disclosed. Within a reasonable period of time after a disclosure is made under this exception, an educational agency or institution must record in the student’s education records the articulable and significant threat that formed the basis for the disclosure and the parties to whom information was disclosed. 34 CFR § 99.32(a)(5).
No. A student’s social security and campus wide identifications numbers are, by definition, “personally identifiable information” under FERPA and may not be disclosed without consent in any form.
Yes. By signing the “STUDENT INFORMATION RELEASE AUTHORIZATION” form, students give universities the authority to share information contained in their educational record to their parent or guardian. FERPA does not allow for information to be released on the assumption that if the student is in the room, the student has given their consent.
Yes. It is O.K. for faculty and staff members to share the student’s academic progress in courses, account balances, medical, financial aid, and admission information with students via their official NSU e-mail addresses but not with a third party. In other words, all communications that you would normally send via the student’s mailing address can also be sent to the student’s official NSU e-mail address.
The education records of student athletes are covered by FERPA. Without a signed consent form, personally identifiable information may not be disclosed from the education records of student athletes nor may they appear on the published team roster.
Yes. Records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution are “education records” under FERPA. 34 CFR § 99.3.
On campus, please contact Barbara Prescott, University Registrar, at 318-357-6171.
Coverage begins at NSU when a student submits an application for admission. The coverage of FERPA is effective until death for records concerning the individual’s status as a student of the institution. FERPA does not cover other individual records maintained by Northwestern, such as personnel or alumni records.
Third party requests for a schedule are not honored unless the request falls within an emergency exception to FERPA, and then refer requestor to the Office of University Police.
Requests to locate a student are referred to the Office of University Police. That office will get a message to the student.
Advise students to obtain a copy of their schedule of classes from the NSUConnect system.
Statements made from the recommender’s personal observation or knowledge of the student does not require a written consent.
If personally identifiable information obtained from the student’s education records is included, such as grades, GPA, etc., the writer is required to obtain a signed release from the student. The release should specify the records to be disclosed, the purpose of the disclosure, and to whom the records may be disclosed.
The law requires faculty and staff to treat student’s education records in a legally specified manner.
Grades: Students’ scores or grades should not be displayed publicly. Even with names obscured, numeric student identifiers are considered personally identifiable information and must not be used. Grades, transcripts, or degree audits reviewed for purposes of advisement should not be placed in plain view in open mail boxes located in public places.
Athletes: The education records of student athletes are covered by FERPA. Without a signed consent form, personally identifiable information may not be disclosed from the education records of student athletes, nor may they appear on the published team roster.
Class Rosters/Grade Sheets: These and other reports should be handled in a confidential manner and the information contained on them should not be redisclosed to third parties.
Records (INB)/NSUConnect: Faculty are deemed to be “school officials”and can access data in the Records (INB)/NSUConnect if they have a “legitimate educational interest.” A legitimate educational interest exists if the faculty member needs to view the education record in order to fulfill his or her professional responsibility.
Disclosing or confirming directory information: An institution may not disclose or confirm directory information without meeting the written consent requirements in §99.37 if a student’s Social Security Number/CWID or other non-directory information is used alone or combined with other data elements to identify or help identify the student or the student’s records.
Good practice by faculty and staff members requires that they maintain, use, and report student data in compliance with the requirements of FERPA and the University’s Policy. The following statements provide practical guidelines to follow:
Do refer requests for student record information to the Registrar.
Do check a student’s directory restriction on SPAIDEN before answering any questions.
Do keep only those individual student records necessary for the fulfillment of your teaching or advising responsibilities.
Do keep any personal records relating to individual students separate from their educational records. Private notes of a professor/staff member concerning a student that are intended for professor’s/staff member’s own use are not part of the student’s educational record.
Do ask for only the last four digits of the CWID on exams and other documents, if needed, to identify different students with the same name.
Do maintain a record of all requests for access to Personally Identifiable Information, whether those requests are honored or not.
Do properly dispose of (shred) all papers and documents that contain the CWID/SSN.
Do not release non-directory information such as: SSN/CWID, GPA, academic standing, date of birth, religious preference, gender, race, ethnicity, grades, residency status, billing, or financial aid data via the telephone.
Do not disclose, confirm, or verify directory information by asking for non-directory information, including, but not limited to, student’s SSN, CWID, place of birth, date of birth, gender, race, residency status, class schedule, etc.
Do not include the CWID in the subject line of an email message. In no case should the students’ full Social Security Number be provided.
Do not include the CWID on documents mailed by surface mail where the CWID is visible on the outer document or in a window envelope.
Do not display student scores or grades publicly in association with the student name, CWID, social security number, or other personal identifier.
Do not put paper or lab reports containing student names and grades in publicly accessible places. Students may not have access to the scores or grades of others in the class.
Do not request information from the educational record custodian without a legitimate educational interest and the appropriate authority to do so.
Do not share student educational record information with other faculty or staff members of the University unless their official responsibilities provide for a legitimate educational interest.
Do not ask for the SSN/CWID on any document that will be viewed by anyone other than a University employee with an educational need to know.
· On exams, homework assignments, and attendance rosters – if other students may view these documents.
· On questionnaires, surveys, and other documents soliciting additional personal information.
· On checks payable to the University or to the student.
· On non-academic documents or an appointment sign-in sheet.
Do not leave graded tests in a stack for students to pick up by sorting through the papers of all students.
Do not circulate printed class lists with student name and SSN/CWID or grades as an attendance roster.
Do not discuss the progress of any student with anyone other than the student (including parents) without the consent of the student.
Do not provide anyone with lists of students enrolled in your classes for any purpose.
Where can I get general information about FERPA?
General information about student privacy rights can be found above in the “General Information” section of the FERPA FAQ’s.
Important Note: The above information is intended to give general information about FERPA and to acquaint faculty and staff with some of the privacy issues surrounding students’ education records. It is not intended as, nor is it a substitute for, legal advice on any particular issue.
Note: This is not a comprehensive list.
- In compliance with a judicial order or subpoena (contact Registrar’s Office).
- Health or safety emergency (contact Health Services and University Police).
(May be disclosed, unless student requests otherwise; check the Records (INB) database – SPAIDEN):
- Student’s name
- Mailing address
- E-mail address
- Telephone number
- Dates of attendance
- Enrollment status (e.g. undergraduate or graduate; full-time or part-time)
- Major field of study
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams
- Degrees, honors, and awards received, including naming to Honor rolls
- Most recent educational agency or institution attended
(Personally Identifiable Information – any other data that can be linked to a specific student’s identity):
Including, but not limited to:
- Academic standing (academic probation or suspension)
- Campus wide ID
- Date of birth
- Religious preference
- Residency status
- Student’s class schedule
- Student social security number
- Test scores
- Billing information (account balances)
- Financial aid information (financial awarded)
FOR MORE INFORMATION
Northwestern State University Registrar’s Office
Student Services Center – Suite 308
Natchitoches, LA 71497
Fax# (318) 357-5823