FERPA Guide
FERPA Guide
FERPA (Family Educational Rights and Privacy Act) is a federal law in the United States that governs the privacy and security of student education records. Under FERPA, personally identifiable information may not be released from a student’s education records without his or her prior written consent. If you’re a faculty or staff member at UNC Chapel Hill, it’s important to be aware of the following policies and procedures regarding FERPA compliance to protect the privacy and rights of students.
Information that contains the name of a student; the student’s parent or other family member’s name; the address of the student, parent, or family member; a personal identifier, such as their social security number; other information which would make the student’s identity easily traceable. This term also includes indirect identifiers such as date or place of birth, mother’s maiden name, and other information that is linked or linkable to a specific student in a way that would allow an ordinary member of the University community to identify the student with reasonable certainty.
FERPA provides the university the ability to designate certain student information as “directory information.” Directory information may be made available to any person without the student’s consent unless the student gives notice to restrict. UNC Chapel Hill has designated the following as directory information: the student’s name, addresses, telephone number, email address, date/place of birth, major field of study, class (e.g., sophomore, senior), enrollment status, person identification number (PID), anticipated graduation date, participation in officially recognized activities and sports, weight and height (members of athletic teams only), dates of attendance, degrees and awards received, the most recent previous educational agency or institution attended by the student, and the county, state, and/or U.S. territory from which the student entered the University.
- University officials may access records if they have a legitimate educational interest, defined as the necessity of information for the fulfillment of their assigned duties or contractual obligations to the University.
- Student information may be disclosed to officials of another educational institution for enrollment or transfer purposes.
- Information may be disclosed to government agencies for audits, evaluations, or enforcement of legal requirements related to federally or state-supported education programs.
- Disclosure in connection with Financial Aid for which a student has applied or received.
- Disclosure to organizations conducting studies for, or on behalf of, the University to: (a) develop, validate, or administer predictive tests; (b) administer student aid programs; or (c) improve instruction.
- Disclosure to a student’s parent(s), if the student is their dependent for federal income tax purposes.
- Disclosure pursuant to a judicial order or lawfully issued subpoena.
- Personally Identifiable Information may be disclosed in emergencies to protect the student’s or others’ health and safety.
- Disclosure of “directory information”.
- Final results of campus disciplinary proceedings may be disclosed to the victim of alleged crimes of violence or non-forcible sex offenses.
- Information about violations of alcohol or controlled substance policies may be disclosed to the student’s parent or guardian if the student is under 21 at the time of disclosure.
Education records are directly related to a student and maintained by the institution. These records can exist in any medium including email, computer files, computer screen display, paper documents, printouts, tapes, disks, film, and microfilm/microfiche, among others. They can also include graded papers, exams, transcripts, notes from a conversation with or about a student that are placed in a student’s file for others in the department to reference.
- Notes kept by individual faculty/staff that are not accessible to any other person.
- Alumni records that contain information gathered after the student is no longer in attendance.
- Employment records unless employment is contingent upon student status (such as work-study or GA/TA assignments)
- UNC Public Safety records that are maintained solely for law enforcement purposes and are revealed only to law enforcement agencies.
- Student medical records created by a healthcare professional and disclosed only to other healthcare professionals for the medical/health treatment of the student.
Accessing student education records must be related to professional responsibilities in support of the University’s educational mission. Legitimate educational interest is limited to the specific record(s) needed to carry out assigned duties or contractual obligations to the University. Access to education records does not authorize unrestricted use.
Students are not required to grant parental access to their education records. However, if a student chooses to set up authorization for their parent(s), there are two options available for providing consent. First, the student can invite their parent to register a proxy account to view education record information directly through ConnectCarolina. Second, the student can create a 4-digit PIN for their parent to use as authorization when speaking to a University official over phone and email. More information on proxy access can be found on How to Give Someone Else Access to Your Information.
If the parent(s) claim the student as a dependent on their federal income tax return, they may have access to the student’s UNC-Chapel Hill education records without the student’s prior written consent. Requests should be submitted via mail to the University Registrar’s Office for processing.
FERPA rights of education records lapse or expire upon the death of the student.
In alignment with these FERPA policies and procedures, the following dos and don’ts can be utilized to support compliance when sharing student information.
Dos:
- Understand FERPA: Familiarize yourself with the key provisions of FERPA and the University’s specific policies and procedures related to FERPA compliance. Recognize what constitutes directory information and only disclose it if the student has not opted out of having it shared. If you have any doubts, confirm with the Office of the University Registrar before sharing directory information.
- Access Control: Only access student records when you have a legitimate educational interest.
- Secure Data: Ensure that any student records in your possession are stored securely and not accessible to unauthorized individuals. This includes keeping physical records in locked cabinets and using secure, password-protected digital systems on your laptop or mobile devices.
- Training: Complete required FERPA training offered by the University Registrar’s Office through Sakai. Become informed about updates to FERPA law and University policies as they come.
- Redact Personally Identifiable Information (PII): When sharing information, redact or withhold personally identifiable information, such as social security numbers or student ID numbers, to protect students’ identities. Examples may include trainings involving student records and posting grade distributions of course exams.
- Obtain Written Consent: Students can provide written consent using their UNC email for specific records or time frames. Ensure you have consent from the student authorizing release of specific information before disclosing their education records (I.e. grades, assignments, etc.) outside of specific exceptions provided by FERPA.
- Use Secure Communication: When discussing student records via digital communication, ensure that you are using secure channels, such as UNC email, and avoid exposing sensitive information.
- “Need-to-Know” Basis: Share information about students on a “need-to-know” basis. Information can be disclosed to instructors, officials, employees, contractors, and other individuals of UNC-Chapel Hill with a legitimate educational interest in the information, but only when necessary for official University duties or the student’s educational interests.
- Request a FERPA PIN: before discussing student records over non-secure channels, including phone or non-UNC email, confirm the correct 4-digit FERPA PIN for the student or authorized proxy. If one does not exist, you may direct them to review resources regarding creating a PIN.
- Address Health or Safety Emergencies: Contact the Office of the Dean of Students promptly if you believe there is a health or safety emergency involving a student.
Don’ts:
- Don’t Share Information Without Authorization: Do not share education records with unauthorized individuals, such as family members, friends, or colleagues, without proper written consent from the student.
- Do Not Respond to Subpoenas or Court Orders: If you receive a subpoena or court order regarding a student, contact the Office of University Counsel immediately for guidance.
- Do Not Handle Media Requests: Redirect requests from media outlets about current and former students to University Communications at mediarelations@unc.edu
- Don’t Post Grades Publicly: Never post grades or other personal student information in a public or easily accessible location, like on a bulletin board or website, without proper protection or anonymization. Individual grades nor performance issues should ever be disclosed to other students.
- Don’t Discuss Student Records Openly: Avoid discussing a student’s educational records or personal information in a public or non-secure area where it could be overheard by an unauthorized individual.
- Don’t Use Unsecured Systems: Do not store or transmit student records using unsecured digital systems or public communication channels.
- Don’t Keep Records Beyond Necessity: Don’t retain student records longer than necessary. Once the legitimate educational interest has passed, ensure records are properly disposed of or archived securely. Review the Records Retention and Disposition Schedule for details.
- Don’t Assume Consent: Do not assume consent for disclosure of student information. Always obtain written consent from the student specifying the information they permit to be shared when required.
- Don’t Use Social Security Numbers as Identifiers: Avoid using social security numbers as identifiers in any public or widely accessible documents.
Following these dos and don’ts will help ensure compliance with FERPA regulations and protect the privacy of students’ education records at UNC Chapel Hill. If you have any questions about FERPA compliance, please contact the Office of the University Registrar for assistance.
*More information can be found on Policies and Procedures Under FERPA.