Dear CU-Boulder faculty and staff,
With spring semester underway, please be mindful of your responsibility to secure and protect the confidentiality of student data. The Family Education Rights and Privacy Act (FERPA) of 1974 and University of Colorado Boulder set forth guidelines related to the disclosure of and access to student education records maintained by the university.
FERPA affords students the following rights with respect to their education records, and violations of these rights may lead to lawsuits and/or withholding of federal funds to the university:
Education records are any records that directly relate to a student and are maintained by the institution, and may be in any storage medium. Education records include two types of information:
1. Directory information may generally be disclosed to a third party without the written consent of a student. It typically is not considered harmful or an invasion of privacy if released. However, a student may restrict the release of directory information by submitting a nondisclosure form for full or limited privacy.
For faculty and staff who use the Campus Solutions student information system, a red "PRIVATE" message appears for students who have restricted release of directory information. This privacy status also may be checked using the window-shade icon on select screens. If asked information about a student with a full-privacy indicator on record, simply reply, "I have no information about this person."
2. Non-directory information is personally identifiable information that may not be disclosed to anyone, including parents, without written student consent. It includes sensitive information such as SSNs, grades and financial information. Students may authorize release of non-directory information to third parties by completing a FERPA Consent to Release. School officials, including faculty and staff, may access non-directory information only with a legitimate educational need based on their role at CU-Boulder.
FERPA allows for the reporting of health or safety emergencies to appropriate parties (law enforcement officials, health/medical personnel and/or parents). Reports of students of concern also should be made to appropriate campus personnel, such as Division of Student Affairs, Counseling and Psychiatric Services, Wardenburg Health Center or CUPD.
Be FERPA Savvy. The following tips can help faculty and staff remain FERPA compliant:
The disclosure of information from a student education record applies to any non-directory information (e.g., class performance, grades, abilities, background) conveyed in writing, in person or over the telephone to third parties, including in letters of recommendation or reference calls.
The protection of student privacy is everyone's responsibility. Student data privacy training should be incorporated into all new faculty, staff and student employee training. Completion of online training is required to obtain access to CU-SIS and other sensitive student data.
Don't hesitate to contact me with FERPA questions or requests for training in your department. Additional FERPA information is available online from the Office of the Registrar or from the U.S. Department of Education.
Thank you for your efforts to keep our campus FERPA compliant.
Kristi Wold-McCormick, Ph.D.