FERPA For Faculty And Staff
On This Page
Understanding FERPA and Student Privacy
Penalties for Violating FERPA Regulations
Education Records
Directory Information
Obligation to Release Directory Information
Access to Student Records – “Legitimate Educational Interest”
Release of Student Information
Exceptions to Releasing Student Information
Letters of Recommendation
Posting of Grades
Emailing Grades
Sole Possession and Student Notes
Health or Safety Emergency
Safeguarding Confidential Data
FERPA Compliance Training
Additional Resources
Maintaining confidentiality of student records is everyone’s responsibility whether you are faculty, staff or student. As a general principle, you may not disclose student information in oral, written, or electronic form to anyone except CHSU staff and faculty who have “legitimate educational interest” to perform their University functions.
Understanding FERPA and Student Privacy
The Family Educational Rights and Privacy Act of 1974 (FERPA), as amended (also referred to as the Buckley Amendment), is a federal law that protects the privacy of student education records. FERPA regulates the disclosure of education records maintained by an educational institution and access to these records. The Act affords basic rights to students that include: annual notification of FERPA rights, inspect and review their education records, amend an incorrect education record, consent to disclosure of education records, and to file a complaint with the Family Policy Compliance Office in the U.S. Department of Education.
Penalties for Violating FERPA Regulations
The Family Policy Compliance Office reviews and investigates specific alleged instances of violations of FERPA. If the Office finds that there has been a failure to comply with FERPA, it will notify the institution about the corrections that need to be made to bring the institution into compliance. The Office will establish a reasonable period of time for the institution to voluntarily accomplish the specified changes. If the Secretary of Education finds, after this reasonable period of time, that the institution has failed to comply with FERPA and determines that compliance cannot be secured by any means, the Secretary can, among other options, direct that the Department of Education withhold payments or terminate the eligibility for the institution to receive federal funding.
Education Records
FERPA defines education records as records directly related to a student and maintained by an educational institution or by a party acting for the institution. These records include, but are not limited to transcripts, enrollment records, student exams or papers, grades, class lists, student course schedules, health records, student financial information, and student disciplinary records.
Education records do not pertain to:
- Records in the sole possession of the maker (e.g., private advising notes).
- Law enforcement records created and maintained by the security office for law enforcement for physical security and safety purposes of the institution.
- Employment records (except where the employment is based on student status – e.g., work-study, graduate teaching assistants).
- Medical/psychological treatment records from a health or counseling center.
- Alumni records which are created after the student graduates or leaves the institution.
Directory Information
Directory information is information contained in an education record of a student which would not generally be considered harmful or invasion of privacy if disclosed.
FERPA permits disclosure of directory information without consent unless the student has filed a Request to OPT-OUT of Directory Information form. The following items are designated as directory information at CHSU: student’s name, CHSU e-mail address, address, telephone number, photo, field of study, level, enrollment status (full/part-time), dates of attendance, club and/or organization memberships, degrees, honors, and awards, and most recent institution attended.
All requests for Directory Information are to be referred to the Office of the Registrar for review.
Obligation to Release Directory Information
An institution is not obligated to release directory information to anyone. FERPA only says that an institution MAY release information, but there is no obligation to do so. When in doubt, do not release information.
Access to Student Records – “Legitimate Educational Interest”
In accordance with FERPA, a school official has a “legitimate educational interest” if the official requires access to a student record to fulfill their professional responsibility. This includes:
- Performing appropriate tasks that are specific in their job description or by a contract agreement.
- Performing a task related to a student’s education.
- Performing a task related to the discipline of a student.
- Providing a service or benefit relating to the student or student’s family, such as health care, counseling, job placement, or financial aid.
Faculty members and Teaching Assistants (TAs) are normally considered “school officials.” But, the faculty member/TA will have to demonstrate “a legitimate educational interest” in their request to access student records. However, faculty and TAs do not have access to student academic records unless their job duties specifically require access.
Release of Student Information
Departments may not release non-directory or personally identifiable information (PII) about a student to a third party (parents included) without the student’s written authorization. Currently enrolled students must submit a Consent to Release Student Information and identify specific CHSU education record(s) to be released, the recipient(s) of the records, and the purpose of the release, sign and date the consent form. Once the form has been received by the Office of the Registrar, the department will be notified to release the requested information.
Exceptions to Releasing Student Information
There are certain exceptions where the University is permitted to release personally identifiable information (PII) to third parties without the student’s consent. Those exceptions are:
- Appropriate officials in connection with a health or safety emergency
- Federal officers as prescribed by law
- As required by state law
- Officials of other institutions at which a student seeks to enroll
- Persons or organizations providing financial aid to students
- Accrediting agencies carrying out their functions.
Letters of Recommendation
Written permission from the student is required for a letter of recommendation if any information included in the recommendation is part of the “education record” (grades, GPA, and other non-directory information). If personally identifiable information obtained from a student’s educational record is included in the letter of recommendation, the student must submit a signed Letter of Recommendation Request Form to the writer that includes the following:
- specifies the records that may be disclosed,
- states the purpose of the disclosure, and
- identifies the party or class of parties to whom the disclosure can be made.
Letters of recommendation are considered part of a student’s education record, the student has the right to read it, unless she/he has waived that right of access.
Please verify the education record information to be disclosed with the Office of the Registrar prior to submitting the letter of recommendation to the intended recipient.
Posting of Grades
The public posting of grades either by the student’s name, institutional student identification number or social security number, without the student’s written permission, is a violation of FERPA. Even with names obscured, numeric student identifier numbers are considered personally identifiable information that violates FERPA. Instructors can use randomly assigned numbers that only the instructor and individual student know. However, the order of the posting must not be alphabetic.
Emailing Grades
Notification of grades via email is permissible (only to CHSU email address accounts), but not recommended since there is no guarantee of confidentiality. An unauthorized release of grades to someone who is not a school official is a violation of FERPA. If an unauthorized third party gained access to a student’s educational record via any electronic transmission method, the institution would be held responsible.
Sole Possession and Student Notes
According to FERPA, all notes made about a student that an institution maintains and shares with school officials are included in the definition of education records. This includes all notes produced and maintained in electronic as well as paper format and includes all email correspondence. These notes are considered part of the education record and are subject to disclosure under FERPA. If a student request access to their education record, all notes would need to be made available to the student.
Sole possession notes are an exception to FERPA. According to FERPA:
Sole possession notes are made by one person and serves as a personal memory aid to help in the recollection of a student and are kept in the sole possession of the maker. Sole possession notes are not subject to FERPA regulations. However, sharing the notes with another person, or placing them where they can be viewed by others makes them “education records” and subject to FERPA.
Health or Safety Emergency
If non-directory information is needed to resolve a crisis or emergency situation, an education institution may release that information if the institution determines that the information is “necessary to protect the health or safety of the student or other individuals.”
Factors to be considered in making the decision to release such information are:
- the severity of the threat to the health or safety of those involved,
- the need for the information,
- the time required to deal with the emergency, and
- the ability of the parties to whom the information will be given to deal with the emergency.
Crisis or emergency situations should be directed to the CHSU Director of Security at: (559) 701-2131.
Safeguarding Confidential Data
Confidential electronic data must be stored on CHSU’s cloud-based platforms and not kept on personal devices, external hard-drives or other devices or platforms that are not back up by CHSU platforms. Electronic records must be password protected and accessible only to authorized users. Confidential records in paper format must be stored in locked, fireproof file cabinets in a secure room and shredded at the end of the required retention period.
FERPA Compliance Training
Training on FERPA compliance will be offered every other year to all CHSU faculty and staff. The Office of Human Resources shall maintain records of such training. CHSU will send FERPA reminders and information through a variety of distribution methods.