Student Privacy & FERPA FAQ
The Family Educational Rights and Privacy Act (FERPA) is a federal law regarding the privacy of student records and the obligations of the institution, primarily in the areas of release of the records and the access provided to these records. Any educational institution that receives funds under any program administered by the U.S. Secretary of Education is bound by FERPA requirements. Institutions that fail to comply with FERPA may have funds administered by the Secretary of Education withheld.
This FAQ contains answers to the most common FERPA questions directed to the Office of the Registrar.
What is FERPA?
The Family Educational Rights & Privacy Act (FERPA), also known as the Buckley Amendment, was passed in 1974. Generally, it is: "A federal law designed to protect the privacy of education records, to establish the right of students to inspect and review their education records, and to provide guidelines for the correction of inaccurate and misleading data through informal and formal hearings."
Two key components of the law include:
- College students must be permitted to inspect their own education records
- School officials may not disclose personally identifiable information about students, nor permit inspection of their records, without written permission unless such action is covered by exceptions permitted by the Act. A notable exception is disclosing information to school officials determined by the institution to have a legitimate educational interest.
See our publication FERPA Basics for more information.
What is the difference between student directory information and private information?
Directory information is information not generally considered harmful or an invasion of privacy if disclosed. Generally, student directory information can be released to the public unless the student has filed a restriction on such release (see section below). At IU- Bloomington, directory information includes:
- University email address
- Campus, School, College or Division
- Class Standing
- Major Field of Study
- Dates of Attendance
- Admission or Enrollment Status
- Degrees and Awards
- Sports and Athletic Information
Private or Confidential information cannot be released to the public and has some limitations on release within the University. The information is generally considered to be sensitive or an invasion of privacy if disclosed. At IU, private information includes:
- Social Security Numbers and Student ID Numbers
- Date of birth
- Grades, GPA
- Parent information
- Classes in which a student is enrolled
What is an education record?
Education Records are directly related to a student and maintained by an institution or its agent, for example:
- Electronic record accessible in SIS
- A paper that has been graded
- Blue book exams
- Documents in a student’s file (e.g., advising history notes)
- Documents stored that pertain to a conversation with the student
Education Records are NOT:
- sole possession (lap drawer)
- law enforcement unit records
- employment records (unless employment is based on student status)
- medical records
- alumni records
How do I know if a student has filed a restriction to not release his/her directory information?
A student may file a formal restriction on the release of all or some of his/her directory information at any time. Once a restriction is filed, the affected directory information becomes confidential.
If you have online access to the Student Information System (SIS), you will notice a privacy shade icon associated with their account. When you see this icon on any page, it indicates that the student has filed a restriction on the release of specific information to third parties. In order to find out what information is releasable, click on the privacy shade icon.
If you have any questions regarding this restriction, you may contact the Office of the Registrar at firstname.lastname@example.org or (812) 855-9349.
For individuals looking at paper documents where restrictions are not clearly designated, err on the side of caution and consider the information not releasable. You may contact the Office of the Registrar to inquire about specific cases.
Is the University ID (UID) a FERPA protected element?
Yes, we consider the UID confidential information since it is the key to a student’s educational record that is maintained in SIS and other IU systems. The SSN used to be the key to the record but use of the SSN has decreased or been eliminated because of identity theft concerns. While the UID is not as sensitive as the SSN (regarding identify theft), it is still confidential especially when paired with other student identifiers such as name.
According to IU University Counsel, the display of the UID in the subject line of an email should be avoided.If you have a list of students to be transmitted via email, you should use slashtmp.iu.edu. Only use the combination of name and UID in the body of the email when absolutely necessary. Information about the slashtmp.iu.edu can be found at: https://slashtmp.iu.edu .
Can I provide parents with their son/daughter’s grades or attendance information?
No, unless the student has signed a written consent authorizing release of the information to the parents this information cannot be released. You may direct the parents to talk with their son or daughter about a Third Party Pin which gives them access to Self Service. See the Third Party Access article in the IU Knowledge Base for more information.
Should I store student records (i.e., grade information) on my computer?
No, you should never store student records or any confidential information on your desktop or the hard drive (typically, C:\) of your system. All student confidential information must be saved to a secure server.
Should I store personal records about a student in the student’s file folder?
Yes, you may. But you should realize that once information is stored in a file related to the student, it becomes part of that student’s educational record even if it is a personal note for your viewing only. And since it is part of the educational record, the student can request to inspect the file.
May I request (SIS) online access for a student employee in my area?
Yes, a student employee can be considered a school official with a legitimate need to access the information as long as the student needs the access to perform his/her job. To request access to student records information, please contact your Access Coordinator. If you don't know who your department's Access Coordinator is, see the University Student Services and Systems (USSS)Access Administration and Security page.
May I provide a class roster of students registered in my class?
No, class rosters and a student’s schedule are considered confidential information and therefore, should not to be given to third parties.
May I post grades by University Identification Number (UID) or Social Security Number (SSN)?
No, grades should not be posted in a public area by SSN or UID. In addition, a breach of information including SSN can result in personal criminal charges according to Indiana Law. See the article The SSN Disclosure Law at protect.iu.edu for more information.
May I post a picture of a student on our department website without a written release?
No, pictures are not considered directory information at IU. You should obtain a written release before posting pictures on a website unless the student is unidentifiable.
May I post non-directory information on Canvas for my class to view (i.e., attendance records, grades, etc.)?
No, you may not post confidential information on Canvas for all students to view. When handling confidential information such as grades and attendance records, you must post this type of information to each student individually.
May I provide the class location of a student in the case of an emergency (i.e., a parent or relative trying to reach a student)?
If I need to obtain written consent from a student, what should the consent form contain?
The consent for should specify:
- what records may be disclosed (e.g., admission status, grades)
- the purpose of the disclosure (e.g., supporting job searches)
- the identity of the party or class of parties to whom the disclosure may be made (e.g., parents)
- the time period or event in which consent applies (e.g., while the student is a University Division student)
- the signature of the student and date
If you have any questions regarding written consent forms, please contact the Office of the Registrar or consult with University Counsel.
What information can be included when writing a letter of recommendation?
Statements made from personal observation or knowledge do not require signed release. However, specific information concerning academic performance, grades or ranking in class does require a release. As part of the education record, a student has the right to access the recommendation letter, unless the student waived this right in writing.
Who should I contact if I have a FERPA related question?
You should contact the Office of the Registrar in person at 408 N. Union St., by email at email@example.com, or by telephone at (812) 855-9349.
In addition, please see our publication FERPA Basics for more information.