Faculty/Staff - FERPA & Privacy
FERPA guidelines for faculty and staff.
The University of Kentucky’s Office of the Registrar, in compliance with the Family Educational Rights and Privacy Act (FERPA), is responsible for monitoring access to and release of information from student education records. The information provided on these pages is provided as a tool to answer general questions; it is not intended to include all academic policies and procedures.
Faculty and staff with access to student education records are legally responsible for protecting the privacy of the student by using information only for legitimate educational purposes to instruct, advise, or otherwise assist students.
Unless your position involves the release of information and you have been trained in that function, any requests for disclosure of information, especially from outside UK, should be referred to the Registrar's Office.
Discussing a student's record with any person who does not have a legitimate educational interest (including, but not limited to parents, spouses, and employers) is a violation of FERPA. This pertains to all conversations and communications.
Faculty/Staff Training Presentation
Frequently Asked Questions
What is FERPA?
The Family Educational Rights and Privacy Act is a Federal Law that helps protect the privacy of student education records. The Act provides students the right to inspect and review education records, the right to seek to amend those records, and the right to limit disclosure of information from the records. The intent of the legislation is to protect the rights of students and to ensure the privacy and accuracy of education records. The Act applies to all institutions that are recipients of federal aid administered by the Secretary of Education
When do FERPA rights begin?
FERPA governs and protects students’ rights to their individual educational records. Students’ FERPA rights begin at the age of 18 years or when they enroll in an institution of higher education, whichever is earlier.
What is a student's education record?
An education record is a record that is (a) directly related to a student and (b) maintained by an education institution/University.
What is Directory Information at the University of Kentucky?
Directory information is information contained in an education record of a student that generally would not be considered harmful or an invasion of privacy if disclosed.
The University of Kentucky has established the following as directory information and it may be released to those requesting it unless the student specifically requests otherwise by submitting written notification to the Office of the University Registrar and subsequently has a privacy/FERPA flag on her/his record.
- Telephone number(s)
- E-mail address(es)
- Major field of study
- Dates of attendance
- Enrollment status
- Degrees and awards received by student
- Most recent previous educational institution attended by the student
- Participation in officially recognized activities and sports
- Weight and height of members of athletic teams
The University of Kentucky will not disclose any other information without written consent from the student. Students have the right to refuse the disclosure of personally identifiable information, as well as directory information, subject to other overriding provisions of law. To withhold directory information, students must fill out the Request to Prevent Disclosure of Information form located in the Office of the University Registrar, 10 Funkhouser.
If a student has chosen to restrict the release of directory information, NO information can be released without further written permission of the student. Should someone inquire about an individual who has restricted the release of his/her directory information, the appropriate faculty/staff response is, ““I have no record of such an individual.”
If students have restricted the release of directory information, you will see a special notification on the screen when you access their records in myUK and SAP.
What information about students may be released to persons within the University?
All other personally identifiable information in a student's educational record is confidential and may only be disclosed to University officials who have a legitimate need to know the information contained in the student's education record.
What are the University's guidelines for determining who is a University official under FERPA?
A school official is a:
- person employed by the University in an administrative, supervisory, academic or research, or support staff position, including health or medical staff;
- person who is employed by the University Police Department;
- student serving on an official committee, such as a disciplinary or grievance committee, or who is assisting another University official in performing her or his tasks; or
- contractor, consultant, volunteer or other third parties provided that the outside party:
- performs an institutional service which would otherwise be provided by employees of the University;
- has been determined to meet the criteria set forth for being a "school official with a legitimate interest" in the education records;
- is under the direct control of the University with respect to the use and maintenance of education records; and
- uses education records only for authorized purposes and may not re-disclose personally identifiable information from education records to other parties, under third party has specific authorization from the University to do so and such use is otherwise permitted by FERPA.
What are the University's guidelines for determining when a University official has a legitimate educational interest in a student's record?
A University official has a legitimate educational interest if the official requires the information for the purpose of fulfilling her or his official duties, including but not limited to:
- performing a task that is specified in her or his position description or contract agreement or within the scope of assigned professional responsibilities;
- performing a task related to a student's education;
- performing a task related to the discipline of a student;
- providing a service or benefit relating to the student or student's family, such as health care, counseling, job placement or financial aid;
- maintaining the safety and security of the campus; or
- participating in or conducting studies, evaluations, or assessment of educational programs.
Do I have to release information from a student’s educations record?
FERPA regulations state that you MAY release directory information about a student, but FERPA does not require or compel the institution to do so.
What do I do about subpoenas?
If you receive a subpoena regarding a student’s education record, please contact, the Office of General Counsel, before you respond. There are FERPA regulations that the University must comply with before responding to subpoenas or court orders.
May I release confidential information to officially registered student groups?
Student groups do NOT have legitimate educational interest and consequently may not be given confidential information about a student or students without each student’s express, written permission.
May I access confidential information about students?
Access to personally identifiable information contained in educational records may be given to appropriate University administrators, faculty members, or staff members who require this access to perform their legitimate educational duties. Faculty members do not require knowledge of student academic records unless their normal job duties specifically require access. This type of access is termed “legitimate educational interest.”
How does FERPA affect letters of recommendation?
Writing a letter of recommendation may require express, written permission from the student to allow you 1) to access the student’s educational records and, 2) to disclose confidential information about the student to a third party. A faculty member may access a student’s educational records without the student’s express written permission only if specific job duties, such as the duties of an academic advisor, require access to those records. However, a faculty member, or any other appropriate University official, may not disclose confidential information from a student’s educational records to a third party without express, written permission from the student. Personal observations about a student may be disclosed without the student’s consent.
What information about students may I disclose to parents?
Without the express, written permission of the student, parents, like all other third parties, including designees, may have access only to the student’s directory information. If a student has restricted his or her directory information, then the directory information is considered confidential and you should respond to any inquiries by saying “I have no record of such an individual.” Confidential information may be released to parents/guardians only with the expressed, written permission of the student.
Please refer parents/guardians seeking information from their students’ education records to the Office of the University Registrar.
Does FERPA affect the return of assignments?
Personally identifiable information about a student may not be disclosed without the student’s express, written permission. Therefore, extreme care should be used to protect such information (e.g., student ID numbers, SS#s) when returning assignments, term papers and exams to students.
Does FERPA affect the posting of grades?
University policy prohibits the disclosure of any confidential student information in a personally identifiable manner without the student’s written consent. Faculty members may use student-specific, password-protected systems (such as University approved email addresses, myUK and BlackBoard) to communicate academic work, grades or other confidential information to students on an individual basis.
How do I properly dispose of confidential information?
Dispose of all material containing confidential information (such as tests, papers, class rosters) by shredding or by placing them in a university approved and secure receptacle intended for the collection of material to be disposed of in a secure manner.
Do's and Don'ts of FERPA
The Family Educational Rights and Privacy Act (FERPA) affords students certain rights with respect to their education records. Faculty and staff should keep the following guidelines in mind when dealing with student records:
DO refer to the Registrar's Office when you are
uncertain how to respond to a records information request.
"When In Doubt, Don't Give Out "
For the full law, please visit the U.S. Dept. of Education website.
For questions or additional information, please contact the Office of the Registrar (859.257.7157; 10 Funkhouser Bldg.)
- When in doubt, DO NOT release information to others. Consult the Registrar's Office first (859.257.7157 ).
- DO pay attention to any privacy warning indicators in SAP and myUK. Consult the Office of the Registrar for assistance determining the items for which the student has requested nondisclosure before releasing any information about the student.
- DO NOT save student data on unapproved drives, disks, etc. Utilize password protection and encryption methods to ensure data security.
- ALWAYS lock your computer and office upon departure, even for a brief period of time.
- ALWAYS confirm the identity of the person in question. Request photo ID or confirm photo in myUK advising hub.
- Be aware of publicly visible computer screens (i.e. through windows, open doors, etc.).
- DO NOT display student scores or grades publicly in association with names, social security numbers (in whole or in part), UK student ID number, student user adID or other personally identifiable information. If scores or grades are posted, use only a coding method agreed upon mutually by the entire class, a method which does not include personally identifiable information and is randomly generated and assigned. Only the student and instructor should know the identification code provided for each student. The list should be randomly generated, i.e., displayed in such a way that it does not appear in alphabetical order. Please click here for opinions issued by UK's Office of General Counsel.
- DO NOT leave stacked graded papers, assignments or exams for students to pick up--not even in sealed envelopes (unless you have the student's permission to do so). Instead, return assignments and exams in class.
- DO NOT request from any party a student’s grade(s) for another class(es) to assist in grading for your class. This does not constitute a legitimate educational interest.
- DO NOT circulate a printed class list for attendance purposes if it shows names and social security numbers or ID numbers.
- DO NOT release a student's class schedule to anyone. For security purposes, this information must be kept confidential.
- DO NOT share non-directory information from a student’s education records, such as grades or class schedules, with parents or guardians unless the student is present or if the student has voluntarily provided written permission for you to discuss the specific records with the individual. You may refer parents to the Office of the Registrar for FERPA information or explanation.
- DO NOT provide non-directory information to third parties such as prospective employers, associations, honorary organizations, etc., without the student’s written consent.
- DO understand that only the appropriate educational record custodian may release information about a student’s educational record to a third party outside the University.
- DO refer requests for information from the education record of a student to the proper educational record custodian (e.g., Registrar, Financial Aid, Student Account Services, Student Health Center, etc.).
- DO NOT provide copies to students of their transcripts from other institutions. If you release copies of transcripts, you are acting as a third party testifying as to the accuracy of the information on the transcripts.
- DO NOT request information from the educational record custodian, or access a student’s record in SAP or myUK unless you have a legitimate educational interest with respect to that student and that record.
- DO follow the confidentiality principles of FERPA by not sharing education records information with your colleagues or co-workers unless a legitimate educational interest exists.
- DO keep only those individual student records necessary for the fulfillment of your teaching or advising responsibilities. Private notes of a professor/staff member concerning a student and intended for a professor/staff member’s own use are not a part of and should be kept separate from the student’s education record.
- DO NOT leave your workstation or computer unattended while logged in to SAP or myUK, and DO NOT give your password to another employee or student. You are responsible for maintaining the security of your university account and computer. This includes all transactions that occur under your username and password.
- DO be aware of your computer display and documents on and around your workstation that may be visible to others.
- DO shred or place in a receptacle intended for the confidential collection of material to be disposed of in a secure manner all unneeded documents that include personal student information (i.e. social security number, grades, etc.). Placing records in the trash is a violation of FERPA.