Student data privacy is everyone's responsibility. The Family Education Rights and Privacy Act (FERPA) and the University of Colorado Boulder have set forth guidelines related to the disclosure of and access to student education records maintained by the university.
FERPA protections go into effect for incoming Fall 2020 students on Monday, Aug. 24, and remain in effect for continuing and returning students.
Any record that directly relates to a student and is maintained by CU (regardless of medium) is classified as an education record. Education records include:
- Directory information, which may generally be disclosed to a third party without the written consent of the student, as long as the student hasn't established full privacy. This includes items such as student name, major(s) and minor(s), and participation in officially recognized activities or sports (see Directory Information for a complete list).
- Nondirectory information, which is personally identifiable information that may not be disclosed to anyone, including parents, without documented student consent. School officials, including faculty and staff, may only access nondirectory information if they have a legitimate educational interest. This includes sensitive data, such as SSNs, grades and financial information, and class recordings (see below).
Remote & Online Classes
Recordings of lectures or class meetings are considered education records if students' names or likenesses are displayed or disclosed. You may share these recordings with the class, but not with others without documented consent from each student identified in the recording.
When offering classes through Zoom, plan a secure meeting by requiring authentication and setting a meeting password. Before sharing your screen in class, close all documents or systems displaying personally identifiable information. Accidental sharing of such information is a violation of FERPA.
Students on full privacy (see below) are not treated differently than other students within the physical or virtual classroom. Their name, image and email address may appear on screen and in your learning management system, and you may call on them by name.
Letters of Recommendation
Any disclosure of nondirectory student information (e.g., class performance, grades, abilities, background) to a third party in letters of recommendation or reference calls requires prior documented consent from the student. For full details and a student release form, see Release of Student Recommendations.
Student Privacy Options & University Business Practices
Security Passphrase: Required for verifying the identity of a student who cannot present a photo ID or who is contacting the university by phone. See Confirming a Student's Identity.
FERPA Consent to Release: The online process to authorize release of nondirectory education records to a third party. See FERPA Consent to Release.
CU Guest Access: Allows students to grant read-only online access to select third parties. If a student has established CU Guest Access for a third party, but not FERPA Consent to Release, you cannot release any FERPA-protected information. See CU Guest Access.
Full Privacy: An option for students to restrict release of their directory information. These students are identified in Campus Solutions with a red "private" label. If asked for information about a student on full privacy, school officials must tell the requester, "I have no information on that person."
Don't hesitate to contact the Office of the Registrar with questions or requests for departmental FERPA training. Additional FERPA information is available in Skillsoft and on the Office of the Registrar and U.S. Department of Education websites.