FERPA Information for Faculty & Staff
The following information constitutes official public notice of the University’s compliance with the Family Educational Rights and Privacy Act.
The Family Educational Rights and Privacy Act (FERPA) is a federal law passed in 1974. As amended, the law protects the privacy of student records and sets requirements for the release of student information. It applies to K-12 schools and post-secondary institutions (colleges/universities).
FERPA governs the disclosure of education records maintained by an educational institution, as well as access to these records. FERPA rights belong to the student at a postsecondary institution regardless of the student’s age. FERPA applies to all students, including continuing education students, students auditing a class, distance education students, former students and alumni.
Education records under FERPA are defined as records directly related to a student, which are maintained by an educational agency or institution, or by a party acting for the agency or institution, if certain conditions are met.
Students have four primary rights under FERPA:
The right to inspect and review their education records
The right to have some control over the disclosure of information from their education records (including, but not limited to, personally identifiable information)
The right to seek an amendment of their education records
The right to file a complaint with the U.S. Department of Education concerning alleged failures by the University to comply with the requirements of FERPA.
Visit our FERPA Information for Students page for more information about these four primary rights.
FERPA forbids the disclosure to third parties of student personally identifiable information (PII) and information related to a student’s education record without the student’s written consent.
A third party may include, but is not limited to:
fellow students, classmates and friends of the student in question
parents, guardians and family members
unofficial guest instructors or teaching assistants who are not officially assigned to the schedule of classes
third-party providers (such as Dropbox, Weebly, etc.) when there is no campus contract for the service with the provider
UAlbany employees should be aware of FERPA’s strong, binding restrictions and take care not to reveal information about students, either directly or indirectly, to third parties. If you have questions about privacy law or disclosures, please contact [email protected].
Note: Communication methods that are not supported by the University should not be used, as they are not secure. This includes social media, personal email accounts, text messaging, Slack, etc.
Some faculty members post grades at a convenient location to provide students with timely information about the results of their assignments, papers and exams. However, it is a violation of FERPA to post exam results or grades in a manner that allows any third party to infer a specific student’s grade.
For example, you violate a student’s FERPA rights if you leave graded papers in a public hallway, share grades via an email distribution list, or permit students to examine faculty evaluations of other students’ work. Posting grades by using a full or partial student ID number, a full or partial Social Security number, or a name is also prohibited.
An acceptable way to comply with the law is to post grades using a unique identifier known only to the instructor and the student. The identifier cannot include personally identifiable information (such as a birth date or phone number) and the list cannot be in alphabetical or seating order.
If all grades in a course are the same, those grades should not be posted.
Review ITS’ guidance for uploading grades from the Test Scanning Service. ITS' Instructional Technology and Design team is also available to assist you directly.
Visit our Grading Information for Instructors page for additional guidance on grade rosters, entering grades and uploading grades.
Faculty and staff can use photos for the limited purposes of student identification on class rosters, class seating, examinations and academic advising.
These specific uses enrich the classroom and advising discourse between faculty or staff members and students, protect the integrity of the examination process and, overall, enhance students’ educational experience and retention.
However, posting and/or distributing student photos violates students’ FERPA rights and is prohibited.
For more information, please refer to UAlbany’s Policy on the Use of Student Photos by Faculty and Staff in Classrooms and Academic Advisement.
A photo or a video of a student is an education record when the file is directly related to a student and maintained by an educational agency/institution or by a party acting for the agency/institution.
Always take care when exchanging students’ personally identifiable information via email. Before you send an email, evaluate the risk associated with sending any student information included in your email or email attachments.
Personally identifiable information (PII) — such as names in combination with Social Security numbers, state driver's license numbers and/or bank account information — should never be transmitted via plain text email.
Best practices for email communications include:
Always verify that your email recipients are the intended recipients before sending or forwarding an email. You can right click on the recipients’ names to check that they are the correct email addresses and departments. There are often multiple students with the same name and students with the same name as an employee.
Check your email attachments before sending or forwarding an email to ensure it’s appropriate to share those files with the recipients and that they are the correct files. Opening attachments before sending an email is good practice.
Emails between albany.edu email addresses are encrypted in transit. However, personally identifiable information should be sent as encrypted attachments to prevent exposure in the event a recipient has their albany.edu emails forwarded to a non-University account.
A safer way to exchange data within a department is to place the data in a network shared drive, Teams site or OneDrive and to tell colleagues via email where to retrieve the data. Review ITS’ guidance on using OneDrive to share files.
Communication methods that are not supported by the University should not be used, as they are not secure. This includes social media, personal email accounts, text messaging, Slack, Google Forms, etc.
Faculty and staff can protect student privacy rights and ensure FERPA compliance by properly using the tools and resources supported and licensed by the University.
Technology platforms that are not licensed by the University should not be used, as we cannot guarantee their security, even if the student has provided consent. This includes social media, Google products, Moodle, websites, etc.
Researchers are required to adhere to FERPA regulations when student education records are involved. The UAlbany Institutional Review Board (IRB) does not have the authority to waive any part of these requirements.
School officials may not disclose a student’s education records or permit inspection of those records without the student’s written permission — unless the action is covered by exceptions permitted by FERPA.
A notable exception is disclosing information to school officials who UAlbany has determined to have a “legitimate educational interest.” In this case, UAlbany restricts school officials’ access, where practical, so the officials may only inspect the portion of the student’s records that they need to discharge their assigned duties. (Please see below for additional information.)
For example, an instructor has access to the class rosters and grades from courses they teach but they do not have access to their students’ academic transcripts, financial aid or disciplinary records. However, access to student records for teaching purposes does not imply access for research purposes.
This section provides guidance for anyone who needs to access student education records for the purpose of research, not evaluation or quality improvement.
FERPA allows University employees (called “school officials” for these purposes) to have access to student education records without the prior written consent of the student if the school official has a “legitimate educational interest” in those records.
A school official has a legitimate educational interest if they need to review an education record to fulfill their professional responsibilities for the University at Albany and/or the State University of New York (SUNY).
However, it’s important to note:
Curiosity is not a legitimate educational interest. This means having access to student education records does not equate to license to access them out of curiosity.
Employment by the University at Albany does not constitute a legitimate educational interest. Accessing student education records must be related to your job responsibilities in support of the University's educational mission.
Legitimate educational interest is limited to the specific record(s) you need to access to carry out your job duties. Access to education records does not authorize unrestricted use.
Many instructors who are also researchers are surprised to find that the student records they personally hold (such as tests, journals, written assignments, etc.) are considered part of their students’ official educational records.
This means that researchers may not have a legitimate educational interest in the records they handle daily as an instructor. They cannot access those records as a researcher without prior written consent from the affected students. Please see the accordion below (“Accessing Student Records using Signed Releases”) for more information.
FERPA does permit schools to disclose “directory information” without students’ consent. In accordance with the law, UAlbany has designated the following information about students as public, or “directory,” information:
Address (local and permanent)
Academic status (undergraduate, graduate, general studies, full-time, part-time, etc.)
Dates of attendance
Program of study
Honors and awards
Note: Students can request the University withhold their directory information. Visit the FERPA Information for Students page for more information.
Researchers who want to access educational records beyond directory information are generally limited to three options:
The researcher can obtain prior written consent from each student whose records would be accessed for research purposes. Please see the accordion below (“Accessing Student Records using Signed Releases”) for detailed instructions.
A school official who is not a member of the research team and who does have legitimate educational interest in the records (such as the Registrar’s Office or the Office of Institutional Research, Planning, and Effectiveness (IRPE)) can strip the records of any identifying information and provide the data to the researcher.
The holder of the record can work with the Registrar's Office to determine if the circumstances warrant an exception under FERPA.
Researchers who are not granted access to student records because they do not have a legitimate educational interest must obtain signed and dated permission from the student for the release of their records.
That written release must do the following:
Specify the records that may be disclosed
State the purpose of the disclosure
Identify the party (or class of parties) to whom the disclosure may be made
Signed permission may be obtained electronically if the signature page is located behind UAlbany authentication.
These rules may require a researcher to obtain signatures from subjects in instances where human subject research regulations would normally not require signatures. In these cases, researchers must comply with the more restrictive FERPA regulations. The UAlbany Institutional Review Board (IRB) does not have the authority to waive any part of this requirement.
When signed releases are obtained from students to access their individual student records, the releases should be stored indefinitely by the individuals conducting research. You’ll also need to share these signed releases with the Registrar’s Office to gain access to the records.
Note: If the researcher requesting the records is the relevant students’ instructor, they may be required to make these requests after final grading, so students do not feel coerced to participate in the research. (During the semester or term, instructors should only be communicating with students regarding class information.)
Researchers should also apply for IRB approval through the Office of Regulatory and Research Compliance, as appropriate.
However, even if a researcher gets approval from the IRB for a study that involves student records, that does not mean that the Registrar's Office has the obligation or the resources to provide the data.
Similarly, UAlbany employees who have access to student records as part of their job duties may not provide data to researchers.
Only the Registrar’s Office has the authority to make FERPA determinations. However, the Registrar’s Office may consult with or involve other offices to help a researcher gain access to data once their request is approved.
You must agree to the following to be approved to use student educational record data in your research:
You must use the information only for the purposes of your approved research project. Any new use of the information requires new approval.
You must adequately protect the information to ensure it’s not compromised or subject to unauthorized access.
You must ensure that only research team members who have a legitimate educational interest can access student records without the student’s signed permission.
You must ensure that no one besides the research team members who are specifically approved to access the student records has access to personally identifiable information.
You must ensure all data shared in aggregate form is properly de-identified to avoid unauthorized disclosure to third parties.
You must ensure the physical destruction or removal of personal identifiers immediately after the data is no longer needed for the purposes for which it was provided.