Published: Feb. 8, 2016

Dear CU-Boulder faculty and staff,

With spring semester underway, please be mindful of your responsibility to secure and protect the confidentiality of student data. The Family Education Rights and Privacy Act (FERPA) of 1974 and University of Colorado Boulder set forth guidelines related to the disclosure of and access to student education records maintained by the university.

FERPA affords students the following rights with respect to their education records, and violations of these rights may lead to lawsuits and/or withholding of federal funds to the university:

  • to inspect and review their education records;
  • to request amendment of their education records;
  • to consent to disclosure of personally identifiable information in their education records; and
  • to file a complaint with the U.S. Department of Education concerning alleged failure by the institution to comply with the requirements of FERPA.​

Education records are any records that directly relate to a student and are maintained by the institution, and may be in any storage medium. Education records include two types of information:

1. Directory information may generally be disclosed to a third party without the written consent of a student. It typically is not considered harmful or an invasion of privacy if released. However, a student may restrict the release of directory information by submitting a nondisclosure form for full or limited privacy.

For faculty and staff who use the Campus Solutions student information system, a red "PRIVATE" message appears for students who have restricted release of directory information. This privacy status also may be checked using the window-shade icon on select screens. If asked information about a student with a full-privacy indicator on record, simply reply, "I have no information about this person."

2. Non-directory information is personally identifiable information that may not be disclosed to anyone, including parents, without written student consent. It includes sensitive information such as SSNs, grades and financial information. Students may authorize release of non-directory information to third parties by completing a FERPA Consent to Release. School officials, including faculty and staff, may access non-directory information only with a legitimate educational need based on their role at CU-Boulder.

FERPA allows for the reporting of health or safety emergencies to appropriate parties (law enforcement officials, health/medical personnel and/or parents). Reports of students of concern also should be made to appropriate campus personnel, such as Division of Student Affairs, Counseling and Psychiatric Services, Wardenburg Health Center or CUPD.

Be FERPA Savvy. The following tips can help faculty and staff remain FERPA compliant:

  • never use student name, SSN, student ID, photo or other personally identifiable information when posting class or grade rosters, regardless of medium;
  • do not maintain student grades with personally identifiable information on public computers, websites or personal laptops (questions about appropriate storage and technologies may be directed to IT Security at 303-735-HELP or to the Office of the Registrar);
  • ensure learning management and other systems do not display sensitive information to others;
  • unless you know the student, always verify that you are providing non-directory information appropriately by asking for a photo ID (you may also verify using the security passphrase or ID photo in MyCUInfo);
  • ensure a student has not restricted release of directory information before disclosing it;
  • never leave student papers, exams or files on desks/desktops when away from the office;
  • securely dispose of documents and files containing sensitive information;
  • never provide class schedules to unauthorized third parties for purposes of locating a student; and
  • try to answer parent/third-party questions by referencing university policy and procedures that apply to all students BEFORE disclosing information from a student's record.

The disclosure of information from a student education record applies to any non-directory information (e.g., class performance, grades, abilities, background) conveyed in writing, in person or over the telephone to third parties, including in letters of recommendation or reference calls.

The protection of student privacy is everyone's responsibility. Student data privacy training should be incorporated into all new faculty, staff and student employee training. Completion of online training is required to obtain access to CU-SIS and other sensitive student data.

Don't hesitate to contact me with FERPA questions or requests for training in your department. Additional FERPA information is available online from the Office of the Registrar or from the U.S. Department of Education.

Thank you for your efforts to keep our campus FERPA compliant.


Kristi Wold-McCormick, Ph.D.

University of Colorado Boulder
20 UCB
Boulder, CO 80309
Phone: 303-492-6970
Fax: 303-492-8748
Map: Regent Administrative Center Room 101
Follow us @CUBoulder