FERPA: What You as Faculty and Staff Need to Know

It’s the Law

The Family Educational Rights and Privacy Act (FERPA), also known as the Buckley Amendment, was passed by Congress in 1974. It grants four specific rights to a postsecondary student:

  • To see the information that the institution is keeping on the student.
  • To seek amendment to those records and, in certain cases, append a statement to the record.
  • To consent to disclosure of records.
  • To file a complaint with the FERPA Office in Washington.

FERPA applies to all educational agencies or institutions, including ISU, which receive funds under any program administered by the Secretary of Education. FERPA governs what may be released, but it does not require that any information be released.

It’s Your Responsibility

As a faculty or staff member, you have a legal responsibility under FERPA to protect the confidentiality of student education records in your possession. You have access to student information only for legitimate use in the completion of your responsibilities as a university employee. Need to know is the basic principle. Your access to student information, including online directory and public information, is based on your faculty or staff role within the university. You may not release lists or files with student information to any third party outside your college or departmental unit. Student education records (other than online directory or public information) are considered confidential and may not be released without written consent of the student. Student information stored in electronic format must be secure and available only to those entitled to access that information. If you’re in doubt about a request for student information, contact the Office of the Registrar via email (registrar@iastate.edu) or phone (515-294-1840).

Directory and Public Information vs. Confidential Information

Directory and Public Information: FERPA defines this as “…information contained in an education record of a student which would not generally be considered harmful or an invasion of privacy if disclosed” (FERPA Regulations, 34CFR, Part 99.3).

Confidential Information: With the exception of the aforementioned information, all student records are considered to be confidential and may not be released. Individuals may request to suppress their information from the Online Directory or from Public Information Releases through their student portal.

Data Storage and Access: Faculty and staff accessing and storing confidential information in unsecure locations (e.g., flash drives, public or home computers, etc.) create the risk of unauthorized access to protected education records.

ISU Online Directory Information for Verified Users

Those accessing the Online Directory from an on- campus server or via ISU’s virtual private network (VPN) or other authenticated means.

  • Name
  • Major
  • Classification
  • ISU Email Address
ISU Online Directory Information for Guest Users

Those who are external, unauthenticated individuals. Guest users have the ability to send an email to students via a WebForm.

  • Name
  • Major
  • Classification
Other Public Information:
  • Hometown
  • Dates of Attendance at ISU
  • Expected Date of Graduation
  • College
  • Awards & Academic Honors
  • ISU Degree(s) and Date(s) Awarded
  • Previous Educational Institutions Attended, Degrees Received, and Dates-of-Attendance
  • Full- or Part-Time Status
  • Participation in Official Recognized Activities and Sports
  • Weight and Height of Members of Athletic Teams
Online Directory and Public Information can NEVER Include:
  • Social Security Number (full or partial)
  • University ID (UID) Number
  • Student Schedules
  • Race
  • Ethnicity
  • Nationality
  • Sex and Gender
  • UID Pictures
Student Education Records

Includes information directly related to the student and maintained by ISU. For example:

  • Personal Information
  • Enrollment Records
  • Students’ Exams or Papers
  • Grades
  • Disciplinary Files
  • Financial Aid Information
  • Student Employment Records

Frequently Asked Questions

Education records are directly related to a student and are maintained by an educational agency or institution or a party acting for or on behalf of the agency or institution. These records include but are not limited to: Grades, transcripts, class lists, course schedules, financial information, and discipline files. The information may be recorded in any medium (e.g., print, handwritten, email, video or audio tape, etc.). Exempted from the definition of education records are sole possession records/notes. These records are made by one person as an individual observation or recollection, are kept in the possession of the maker of the record, and only shared with a temporary substitute. Sharing with another person, or placing the records in an area where they can be viewed by others makes them subject to FERPA. Best advice: If you do not want it reviewed, do not write it down.

No. Before releasing any information, check for a “No Information Release” or other restriction. If the student has requested that Online Directory Information be withheld, no information can be released. If the student does not have a restriction on the release, Directory or Public Information may be released (Note. FERPA does not require that such information be released).

No. FERPA permits an educational agency or institution to disclose, without consent, personally identifiable information from students’ education records only to school officials within the educational agency or institution that the educational agency or institution has determined to have legitimate educational interests in the information. Generally, a school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his/her/zir professional responsibility.

Many instructors ask whether it is permissible to review their students’ educational history, as they want to ensure they provide the necessary support and content in their classes to help students be successful; however, at Iowa State University, it has been determined that this is not a “legitimate educational interest” under FERPA, as it is not necessary to know this kind of information in order to effectively deliver course content. Therefore, this is not permitted.

FERPA generally prohibits disclosure of information from education records, except in certain specified circumstances. One of these exceptions permits the nonconsensual disclosure of information to a student's parent if the student is a dependent student. If a student is claimed as a dependent by either parent for tax purposes, then either parent may have access under this provision; however, disclosure is not required, and you should speak with the Office of the Registrar prior to making such a disclosure. Spouses of eligible students have no rights under FERPA. Before disclosing information from a student’s education records to a spouse, the student would have to provide written consent.

Students may choose to allow the release of their education records to a specified third party by completing a Consent for Disclosure of Education Records form. Such a form must: (1) Specify the records that may be disclosed; (2) State the purpose of the disclosure; and (3) Identify the party or class of parties to whom the disclosure may be made. Iowa State University has determined that the form may remain on file for the specific request outlined on the form, assuming the student provided authorization for on-going use. While this form may authorize the school official to release the student’s records, it does not obligate the school official to do so; Iowa State reserves the right to review and respond to requests for release of education records on a case-by-case basis.

It’s Important to Remember…

  • Do not use the University ID number of a student in a public posting of grades or any other information.
  • Do not link the name of a student with that student’s University ID number in any public manner.
  • Do not leave graded materials for students to pick up in a stack that requires sorting through the papers of other students.
  • Do not hand graded information back to the group once it has been graded if it is a group grading situation.
  • Do not share the progress of a student with anyone other than the student without the student’s written consent.
  • Do not provide anyone with lists or files of students enrolled in your classes for any commercial purpose.
  • Do not provide course schedules or assist anyone - other than university employees - in finding a student on campus.
  • Do not access the records of any student for personal reason.
  • Do not store confidential information on any computer, unless that information is required and secure from intrusion.
  • Do not include student’s grades, GPA, classes, etc. in a letter of recommendation without written consent of the student.

  • FERPA Training

    Iowa State employees with access to student information are required to complete online FERPA training every three years. The training will take approximately 15 minutes to complete.

    This quick reference guide shows how to access courses in Workday Learning.

    If you have any issues with the training, please contact FERPA@iastate.edu