FERPA Information for Faculty and Staff

Understanding FERPA and Student Privacy

What is FERPA?
FERPA is the Family Educational Rights and Privacy Act passed by Congress in 1974. Also known as the Buckley Amendment, FERPA is designed to protect the privacy of students by limiting third party access to student education records. Maintaining confidentiality of student records is everyone's responsibility whether you are faculty, staff or student. As a general principle, you may not disclose student information in oral, written, or electronic form to anyone except USF staff and faculty who need the information to perform their University functions.

Penalties for Violating FERPA Regulations
The Family Policy Compliance Office of the Department of Education reviews and investigates complaints of violations of FERPA. If the Office finds that there has been a failure to comply with FERPA, it will notify the institution about the corrections that need to be made to bring the institution into compliance. The Office will establish a reasonable period of time for the institution to voluntarily accomplish the specified changes. If the Secretary of Education finds that, after this reasonable period of time, an institution has failed to comply with FERPA and determines that compliance cannot be secured by any means, he can, among other options direct that no federal funds under his administrative control (financial aid, education grants, etc.) be made available to that institution.

What is an education record? 
FERPA defines education records as records that are directly related to a student; are maintained, in whatever format or medium, by an educational institution or by a party acting for the institution; and contain information that is personally identifiable to a student.

  • Examples: Class rosters, grade reports, student schedule, transcripts, most disciplinary records

Education records do not pertain to:

  • Records in the sole possession of the maker (e.g. private advising notes).
  • Law enforcement records created and maintained by the public safety office for law enforcement or public safety purposes.
  • Employment records (except where the employment is based on student status – e.g. work-study, wages, graduate teaching assistants).
  • Medical/psychological treatment records from a health or counseling center.
  • Alumni records which are created after the student graduates or leaves the institution.

What is Directory Information?
“Directory information [is] information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.” (FERPA Regulations, Code of Federal Regulations, Title 34, Part 99.3)

FERPA permits disclosure of directory information without consent unless the student has filed a Request for Non-Disclosure of Directory Information (online instructions). Directory information at the University of San Francisco includes: student's name, USF email address, school of enrollment, credit hour load (full-time, part time), periods of enrollment, degree(s) awarded and date(s) of conferral, honors, participation in athletic activities, weight and height of athletic participants, major and minor fields, and dean's list.

Directory information does not include:

  • ethnicity or race
  • gender
  • nationality
  • social security number
  • student identification number
  • religious affiliation
  • grades or GPA
  • course enrollment or schedule

Additionally, FERPA allows colleges and universities to be more restrictive about the types of directory information that are not released. As such, USF also does not release student and/or parental address information to third parties.

Under what conditions is prior consent not required to disclose information?
Information may be released to the following people under the following circumstances:

  • To school officials with legitimate educational interests
  • To schools in which a student seeks or intends to enroll
  • To federal, state, and local authorities conducting an audit, evaluation, or enforcement of education programs
  • A party, such as the Department of Veteran’s Affairs or an employer, providing financial aid to the student
  • To organizations conducting studies on behalf of educational institutions
  • To accrediting organizations
  • To comply with a judicial order or subpoena
  • In a health or safety emergency
  • For directory information
  • To the student
  • Results of a disciplinary hearing to an alleged victim of a crime of violence
  • Results of a disciplinary hearing concerning a student who is an alleged perpetrator of a crime of violence and who is found to have committed a violation of the institution's rules or policies
  • To a parent of a student under the age of 21 if the institution determines that the student has committed a violation of its drug or alcohol rules or policies

What is Legitimate Educational Interest?
Under FERPA, a school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his/her university responsibility. This includes such purposes as:

  • performing appropriate tasks that are specified in her/his job description or by a contract agreement
  • performing a task related to a student's education
  • performing a task related to the discipline of a student
  • providing services for the student or the student's family, such as health care, counseling, job placement, or financial aid

What is NOT "legitimate educational interest"? 
Legitimate educational interest does not convey inherent rights to any and all student information. The law distinguishes between educational interest, and personal or private interest; educational records are not to be accessed or used for personal reasons. Educational interest does not constitute authority to disclose information to a third party without the student's written permission.

What should I do if I’m concerned about a student’s health or safety, or the health or safety of those around the student?
You should call Public Safety at 415-422-4201. Public Safety staff are trained to deal with health and safety concerns. FERPA permits disclosures of information in a health or safety emergency, if in light of the circumstances and information available at the time, that information is necessary to protect the health or safety of a student or other individuals. Your personal observations of a student’s behavior or condition are not educational records and thus are not regulated by FERPA. Federal and state rules limit what may be disclosed from a student’s health or counseling records but these rules also contain exceptions for community health and safety emergencies. So, if you have a concern about a student, first and foremost, report it.

What if someone needs to reach the student because of an emergency?
All such inquirers should be directed to Public Safety at (415)422-4201.

Posting of Grades by Faculty
USF provides a secure web application by which faculty submit their grades to the registrar. Students are able to view their academic record, including grades, via a secure web application in myUSF.

The public posting of grades either by the student’s name or social security number or university ID is a violation of FERPA. This includes the posting of grades to a class web site and applies to any public posting of grades for students taking distance education courses.

Notification of grades via a postcard violates a student’s privacy rights.

Notification of grades via e-mail is not recommended. There is minimal guarantee of confidentiality on e-mail. The institution would be held responsible if an unauthorized third party gained access, in any manner, to a student’s educational record through any electronic transmission method.

Letters of Recommendation
Statements made by a person making a recommendation that are made from that person’s personal observation or knowledge do not require a written release from the student. However, if personally identifiable information obtained from a student’s educational record is included in the letter of recommendation (grades, GPA, etc.), the writer is required to obtain a signed release from the student which:

  1. specifies the records that may be disclosed
  2. states the purpose of the disclosure
  3. identifies the party or class of parties to whom the disclosure can be made

If this letter is kept on file by the person writing the recommendation, it would be part of the student’s education record and the student has the right to read it unless he or she has waived that right to access.

Sample letter of recommendation –

I give permission to Prof. Smith to write a letter of recommendation to:

Eveready Insurance
123 Sure Way
Somewhere, CA 94117

Prof. Smith has my permission to include my GPA and grades.

I waive (or do not waive) my right to review a copy of this letter at any time in the future.


Special "DON’TS" for Faculty
To avoid violations of FERPA rules, DO NOT:

  • publically post your grades
  • ever link the name of a student with that student's social security number in any public manner
  • leave graded tests in a stack for students to pick up by sorting through the papers of all students
  • circulate a printed class list with student name and social security number, university ID or grades as an attendance roster
  • discuss the progress of any student with anyone other than the student (including parents) without the consent of the student
  • provide anyone with lists of students enrolled in your classes for any commercial purpose
  • provide anyone with student schedules or assist anyone other than university employees in finding a student on campus

Parental and Third Party Access to Student’s Educational Record
When a student reaches the age of 18 or begins attending a postsecondary institution, regardless of age, FERPA rights transfer from the parent to the student. However, FERPA provides for the release of records under the following circumstances:

  1. Through signed and dated written consent of the student.
  2. Students may also grant permission to release academic, financial aid and student financial account information to thirds parties, including parents, by submitting a "Student Consent to Release Information" form online.

For access to a student's disciplinary file, a separate consent form must be submitted by the student to the Office of Student Conduct, Rights and Responsibilities (OSCRR). That form is available for students to download on the OSCRR website.

The Media
Nothing in FERPA allows an institution to discuss a student’s educational record publicly — even if a lawsuit has made the information a matter of public record. A school official may not assume that a student’s public discussion of a matter constitutes implied consent for the school official to disclose anything other than directory information in reply. Additionally, University employees should follow USF’s policy regarding the release of information to the media. The official spokesperson for USF is Kellie Samson (ksamson@usfca.edu).

What does it mean to say a record is "protected" by FERPA?
A protected record under FERPA is one which contains personally identifiable information about a student – see ’What is an education record’ above. Unless personally identifiable information from a student's education record falls under a specified exception (see below), the information cannot be released to third parties (including parents) without signed and dated written consent from the student. Always check with the Registrar’s office if unsure.

What type of information is and is not protected by FERPA?

  1. Protected information is not releasable:
  2. Personally identifiable information (i.e. everything not defined as directory information).
  3. Directory information the student has directed the University not to release.
  4. Information not protected by FERPA is releasable:
  5. Generally, directory information is releasable unless the student has filed a Request for Non-Disclosure of Directory Information.

Safeguarding Confidential Data
Confidential data should not be stored on laptops or home computers unless it is encrypted. Personal digital assistants used to read confidential data should be password protected.
Confidential data in paper format must be shredded before disposal or placed in a locked disposal bin.

Family Policy Compliance Office
U.S. Department of Education
400 Maryland Avenue, SW
Washington, D.C. 20202-4650
(202) 263-0282
(202) 260-9002 fax
Fogcutter Student Handbook

Adapted in part from Boston College and Loyola University New Orleans