You may not disclose personally identifiable information from education records to
persons other than the student in question and a University official who has a legitimate
educational interest.
Examples of appropriate use/ legitimate educational interests are:
performing a task that is related to the student’s education;
providing a service or benefit relating to the student or student’s family, such as housing, health care, counseling, job placement, or financial aid;
performing a task related to the discipline of a student;
maintaining the safety and security of the campus; or
performing a task related to the effective functioning of the University.
As a general principle, you may not disclose student information in oral, written,
or electronic form to anyone except Ƶ staff and faculty who need the information
to perform their university functions.
You have a legal responsibility under FERPA to protect the privacy of the student
education records in your possession, classified as confidential information under. You may not access education records for personal reasons.
Under FERPA, education records are defined as any personally identifiable information that is directly related to a student and maintained by an educational agency, institution, or party acting for the agency or institution. Education records can exist in any medium, including, but not limited to, typewritten, hand-written, computer generated, videotape, audiotape, film, microfilm, microfiche, and email.
Education records do not include:
Sole possession records, i.e., records/notes in sole possession of the maker, used
only as a personal memory aid and not revealed or accessible to any other person except
a temporary substitute for the maker of the record.
Medical treatment records that include, but are not limited to, records maintained
by physicians, psychiatrists, and psychologists.
Employment records, unless employment is based on student status, i.e. a graduate
teaching assistant or work-study student.
Law enforcement records created and maintained by a law enforcement unit.
Post-attendance records, i.e., information about a person that was obtained when the
person was no longer a student (alumni records) and not related to the person as a
student.
Basic Rules
Student education records are considered confidential and should not be released to any person without the written consent of the student, unless the disclosure meets one of the exceptions to signed consent found in FERPA. University officials are granted access to student information only for “legitimate educational interest” -- completion of job responsibilities. They have a responsibility to protect the confidentiality of education records in their possession, regardless of the medium in which the records are stored or presented. A school official is a person employed by the University in an administrative, supervisory, academic or research, or support staff position (including law enforcement unit personnel and health staff); a person or company with whom the University has contracted as its agent to provide a service instead of using University employees or officials (such as an attorney, auditor, or collection agent); a person serving on the Board of Trustees; or a student serving on an official committee, or assisting another school official in performing his or her tasks (teaching assistant, research assistant, graduate assistant, workstudy). Unauthorized release of student record data without written consent of the student may trigger legal sanctions.
At Ƶ, examples of student record information that generally should not be disclosed
without prior written consent of the student are:
Social Security Number/Ƶ Student ID Number
Ƶ Student Email address
Grades, Credits hours (attempted or earned)
Grade Point Averages
Personal Email Addresses
Residency Status
Tuition and Fee Payment Records
Financial Aid Records
Marital status
Race
Gender
Citizenship
Parent’s Name and Address
Current Class Schedule
Disciplinary Actions
Academic Actions
Employees may not disclose information contained in education records without the student’s consent, except under certain limited conditions. For example, the University may disclose what is considered to be “directory” information unless the student has restricted disclosure of such information. Institutions are not required by FERPA to disclose directory information. When in doubt, do not release information.
If a student has restricted the disclosure of directory information, the word “CONFIDENTIAL” will appear in Banner and Owl Express.
Student with Consent vs. Without Consent
You cannot disclose information contained in education records without the student’s consent, except under certain limited conditions. For example, Ƶ can release “directory information”, unless the student restricts disclosure of such information. FERPA does not require you to disclose any information. When in doubt, do not release information!
If a student restricts the disclosure of directory information, the word “CONFIDENTIAL” appears in Banner Administrative Pages (Figure 1) and the Advising Guide in Owl Express (Figure 2)
Starting in Fall 2019, the Student Consent to Disclosure Form in Owl Express offers
students a new way to grant parents/guests access to their education records. Completed
Student Consent to Disclosure forms can be viewed by Advisors, Faculty and Staff in
Owl Express as well. Please see theStudent Consent to Disclosurepage for more information.
Parent or Legal Guardian Requesting Information
When a student begins attending a post secondary institution, regardless of age, FERPA rights transfer to the student. Concerns such as progress in a course, deficiencies in a subject area, scores and grades on papers, exams, etc. are all examples of personally identifiable information that constitute part of the student's education record. Post secondary schools (such as Ƶ) are not required by FERPA to release or provide access to this information to a student’s parent or legal guardian and, in fact, may not do so except under the following conditions.
A student provides written authorization to the Registrar’s Office that specifically identifies what information may be released to the parent(s). The Student Consent to Disclosure Form helps facilitate this request. The student will complete the form through Owl Express, and access can be viewed by the faculty/staff member. More information can be found on the Student Consent to Disclosure form website. In the event the student no longer has access to Owl Express (ex. Alumni), there is a One-Time authorization form available.
The parent(s) establish that the student is a dependent according to the Internal Revenue Code of 1986, Section 152. Parents should be directed to the Office of the Regsitrar to submit supporting tax documents.
Post of Grades/Return of Assessments
The public posting of grades by the student's name, Social Security Number or Ƶ Student ID number is a violation of FERPA. This includes the posting of grades to a class/institutional website and applies to any public posting of grades for students taking distance education courses. Even without the name, using a Ƶ Student I.D. number or any part of a Social Security Number violates FERPA, as the information may be personally identifiable to the student. Faculty can use code words or randomly assigned numbers that only the instructor and individual student know. Even then, the posting of grades should not be in alphabetical order.
Students should be directed to Owl Express to view final course grades. Final course grades posted via Owl Express will appear immediately on the student’s Advising Guide.
Assignments and papers that contain "personally identifiable" information should not be distributed to the student in a way that would allow other students to view the information. Graded papers should not be left unattended in an office or classroom for students to sort through or returned to students via another student. Both of these examples are a violation of FERPA. A possible solution would be to leave the exams, quizzes, etc. with an assistant or secretary who requests proper identification prior to distributing the information to the student.
Note: An inadvertent and unauthorized release of grades to someone other than the
student is a violation of FERPA.
Recommendation Letters
As an employee, you may be asked to write a letter of recommendation for students seeking admission to programs or in support of a job application. Statements made by a person making a recommendation that are made from that person’s personal observation or knowledge do not require a written release from the student who is the subject of the recommendation. However, if personal identifiable information obtained from a student’s educational record is included in a letter of recommendation (courses taken, grades, GPA and other non-directory information) the writer is required to obtain a signed release from the student, unless the letter is released to the student for distribution. The signed release must specify the records to be disclosed, the purpose of the disclosure and the party to whom the disclosure can be made. If the letter of recommendation is kept on file by the person writing the recommendation, then it becomes part of the student’s education record and the student has the right to read it unless he/she has specifically waived that right of access.
Do and Don't
DO keep only those individual student records necessary for the fulfillment of your job responsibilities. Private notes of a faculty/staff member concerning a student and intended for a faculty/staff member’s own use are not part of the student’s education record. However, emails from one school official to another concerning a student are considered education records, if either official maintains them.
DO forward all judicial orders, subpoenas or other written requests for data access to the Office of Legal Affairs, immediately upon receipt.
DO direct all student information requests in the case of an emergency to Public Safety at 470.578.6666.
DO help prevent the unauthorized use of Ƶ student email addresses. Ƶ has not designated student email addresses as “directory information”. When using any email utility to send email messages to students, always use the “BC” (Blind Copy) option.
DO encrypt any computer files stored or any device containing any personally identifiable information that directly relates to a student.
DO properly discard any reports/computer files containing student personal identifiable information.
DO refer student education record requests to the appropriate record custodian. Only the record custodian may release a student’s education record information to a third party. Below is a list of Ƶ records/custodians.
RECORD
CUSTODIAN
Admissions Records
Academic Records
Financial Aid Records
Financial (Fee Payment, Billing) Records
Housing Records
Placement Credentials Records
Student Disciplinary Records
DON'Tlink a student’s name with his/her social security number, Ƶ ID number, or any portion of these numbers, in any manner.
DON'Tuse a portion of or the entire Social Security Number or Ƶ Student ID number in
any public manner.
DON'Tshare information from student education records (including grades, grade point averages,
class rosters) with individuals outside the university.
DON'Tprovide student schedules or assist anyone other than university employees in finding
a student on campus. Refer such inquiries to Campus Police.
DON'Tshare your user id and password to Owl Express or Banner Administrative Pages with
anyone.
DON'Tstore student’s personal identifiable information on your desktop computer or in portable electronic devices. If storage of personal identifiable information is required, ensure proper security measures (file encryption and disposal) are in place to protect access by third parties.
DON'Tdisclose information to a student or university official before authenticating the
identity of the person.
DON'Tsend confidential information, such as grades, with a non-Ƶ email account.This can
only occur to and from Ƶ email accounts.
DON'Tpermit students to sort through stacks of graded tests/papers in order to retrieve their own paper. This is in violation of other student’s FERPA rights.
DON'Tinclude confidential information such as grades or GPA in a recommendation without
the written consent of the student.
DON'Tdiscuss the progress of any student with anyone other than the student or the student’s advisor without the consent of the student.
DON'Taccess the records of any student for personal reasons.
Examples/Scenarios
Scenario 1: Johnny Appleseed has a full schedule and cannot see the Dance Department Chair, Dr. Chapman, during normal office hours. Johnny emails the chair of the department and says, “Please talk to my dad, Nate. Here is his email”. Dr. Chapman is willing to talk with the parent and informs Johnny that he needs to submit the Student Consent for Disclosure form to the Office of the Registrar. Dr. Chapman schedules an appointment with Nate. The day of the appointment Dr. Chapman confirms the Office of the Registrar has a Student Consent for Disclosure form on file granting permission to discuss with Johnny’s father, Nate, academic records and housing information. After authenticating the identity of Nate, Dr. Chapman feels comfortable to speak with Nate about Johnny’s academic progress.
In this scenario, Dr. Chapman did everything he could to protect Johnny’s FERPA rights and he could safely discuss Johnny’s education records. Remember, when in doubt, contact the Office of the Registrar or do not discuss.
Scenario 2: George Cohen wants to appeal a course grade and he wishes to talk with the Department Chair, Dr. Tobias. He schedules an appointment and decides to bring his mother, Irene, to the meeting. Since the student is present, Dr. Tobias knows he can discuss George’s concern in front of Irene. However, he prefers that there is a Student Consent for Disclosure form on file. He asks George to sign the form, verifies the IDs of George and Irene, and continues with the meeting. Afterwards, Dr. Tobias forwards the form to the Office of the Registrar to be added into the student’s file.
FERPA governs what may be released, but does not require that any information be released. In addition, FERPA provides guidelines in order to safeguard the student’s information and your release of such information. You have the right to not disclose information or speak with anyone that is not the student.
Scenario 3: Dr. O’Brien receives a request from a former student, Ralph, to write a letter of recommendation for graduate school. Dr. O’Brien vividly remembers this student’s work ethic and potential in his class. When drafting the letter he realizes that he should add Ralph’s course grades and his GPA.
Statements made from personal observation or knowledge do not require written consent
from the student.
If personally identifiable information is included in the letter of recommendation
(e.g. attempted courses, grades earned, GPA and other non-directory information),
and the letter is not released directly to the student for distribution, the writer
is required to obtain written consent from the student specifying:
personally identifiable information may be disclosed;
the purpose of the disclosure;
to whom the disclosure may be made
NOTE: If the person writing the recommendation keeps the letter of recommendation on file, then it becomes part of the student’s education record and the student has the right to read it, unless he/she has specifically waived that right of access.
Best Practices
FERPA rights for Ƶ students begin once they are enrolled in any courses offered
by Ƶ, at any location or through any method of delivery (i.e., campus/on-site, hybrid,
partially online and fully online) are covered by FERPA. Ƶ considers an admitted
student to be in attendance upon enrollment/registration for classes.
You cannot discuss any specific student information through email, even if there is
a Student Consent to Disclosure form on file for the parent/third party.
View the Student Consent to Disclosure Admin View in Owl Express or contact the Office of the Registrar to verify if a student has submitted consent for a parent or third party to discuss certain education records.
In the event that the student and parent/third party is in a Department Chair’s office, the student can complete the Student Consent to Disclosure. It is at the discretion of the Department Chair to continue the conversation with or without the student present.
Prior to speaking with a parent/third party via phone or visual electronic methods
(Webex video, Skype video, FaceTime video, etc.), you must confirm consent is provided
by viewing theStudent Consent to DisclosureAdmin View in Owl Express and authenticate the identity of the parent/third party.
In an attempt to discuss education records of a son/daughter, should a parent submit tax documents in lieu of the Student Consent for Disclosure form, please direct them to the Office of the Registrar.
Student information must not be stored on laptops or home computers, unless encrypted.
Mobile Devices (including tablets and phones) used to access confidential data must
be configured to lock and require a passcode/biometric ID to unlock.
Do not release lists or files containing student information to any third party outside
your college or departmental unit.
Student information should not be stored on laptops or home computers, unless encrypted. Personal digital assistants used to read confidential data should be password protected.
Dispose student information in paper format by shredding or placing in a locked disposal
bin.
Any Open Records requests must be forwarded immediately upon receipt to the for initial response on behalf of the University.
Ƶ FERPA Review of Violation and Notification Process
Below is the process when a potential FERPA violation is reported:
When a concern is reported either to UITS, and/or the Office of the Registrar, the
following individuals are immediately notified: Stephen Gay (Cybersecurity, CISO),
Nwakaego Walker, (VP, Chief Legal Affairs Officer), Paul Parker (Executive Director
and Registrar), AVP of Enrollment Services or his/her designee.
The Cybersecurity Team will begin an investigation if the incident deals with cybersecurity issues related to a data breach via an employee’s computer and/or one of Ƶ’s software systems that houses student data.
If the incident deals with an improper release of student data without the student’s written consent, the Registrar will contact the employee’s supervisor to begin the investigation into the incident.
In some cases, the incident may be turned over to Internal Audit and Legal Affairs
to complete the investigation. This is determined via a discussion with Mrs. Walker
(Legal Affairs) and Paul Parker, (Registrar).
Once there is a determination that there is a FERPA violation, Mrs. Walker, Mr. Gay,
and the AVP for Enrollment Services are notified of the decision.
When Internal Audit, Legal Affairs, Registrar and/or Cybersecurity have completed
their investigations, they will provide a written report and/or email to the Registrar
detailing the facts of the incident, the students involved and the data that was released
and/or accessed.
The Registrar will send a notification to the employee providing the employee an opportunity
to respond to the allegations.
The employee will have five days to respond. If the employee doesn’t provide information that changes the outcome of the investigation, the Registrar will then issue the employee a letter of admonishment and provide additional training materials related to FERPA. As part of the letter of admonishment, the employee is required to complete the FERPA Training Module within two weeks. The employee’s supervisor, VP/Dean/AVP, Legal Affairs, Human Resources and Cybersecurity are all copied on the email and letter to the employee.
With the assistance of the Cybersecurity Team, a list of students with their names,
Ƶ ID# and email addresses are provided to the Registrar.
The Registrar will send an email to each of the students whose data was comprised or released without the student’s written consent. The email is placed in the student's record in OnBase.
Once the employee sends the certificate of completion for the FERPA Training, the
Registrar places the certificate into the folder on the OneDrive for the employee
and closes the incident