Does FERPA affect me?
Everyone who has access to student records in some form is covered by the FERPA legislation. All types of files are included (whether electronic, paper, imaged or microfiche).

Why is it important for me to know about FERPA?
Many faculty and staff have access to confidential student information. It is crucial that this information is restricted and accessed by as few people as possible to protect the student's privacy. Educational records are not considered the property of the school but of the student - we are only the custodians.

If you are a faculty member, you might have access to a student's student number, a student's academic status and much more. Administration and clerical staff might have access to transcripts, appeals, financial information, class schedules, or other non-directory information. All this is confidential information and must be used only in fulfilling your professional responsibilities.

All staff must ensure that confidential information is properly maintained and disposed of in a secure manner (i.e. shredded) when no longer required.

Important terms
The FERPA legislation uses some common terms in a very specific way. It is important that you understand how they apply under FERPA. A brief description is given below.

• Dates of attendance - the period of time during which a student attends or attended UAB, e.g. the academic year of 2005-06. It does not refer to daily records of a student's attendance.

• Directory information - public information such as name, telephone number, address, date of birth, major field of study. Unless the student has a privacy code on his/her account, this information may be released and does not require permission. You are under no obligation to release this information.

• Education records - records directly related to the student and maintained by UAB or a party acting for UAB. This does not include medical records, campus police records, sole possesion notes, employment records or alumni information.

• Legitimate educational interest - a demonstrated "need to know" by school officials acting in the student's educational interest, including faculty, administrative, clerical and professional employees.

• Personally identifiable information - information which includes the name of student/family members, student's address, personal identifier such as social security number or student number, or a list of personal characteristics which would make the student's identity easily traceable.

• Privacy code - a student may request that no directory information is released without written permission. Always check to see if such a code exists before releasing any information about a student.
  In Banner, a pop-up box will warn you when first accessing a record with the privacy flag and the word "Confidential" will remain above the BannerID in the key block on every form after that.
  In BlazerNET, the privacy code field is highlighted in red with the word “YES” in the General Student Information block.

• School officials - UAB classifies the following as School Officials: a person employed by the University in an administrative, supervisory, academic or research, or support staff position (including law enforcement personnel and health staff); a person or company with whom the University has contracted (such as an attorney, auditor, or collection agent); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. Other agents may include National Student Clearinghouse, commencement photographers, etc.

• Sole possession notes - Privately kept records of one person used as a memory aid, which are not created or maintained in the presence of anyone else. (This excludes notes taken during a meeting with a student, but includes notes taken after the meeting.) Sole possession notes are not part of the educational record and students are not entitled to see them.

Are there special considerations for storing student data on computers?
The majority of student educational records are now stored electronically, either through a program like Banner and STARS or the archive system. To enable staff to access these files, most of the data is available over a Local Area Network. Under these circumstances, student data could be at risk from unauthorized users who gain access to computers where it is stored. Data may also be kept on departmental file servers, or personal computers, where the person who compiled and stored the student data might not necessarily know who else has access to that network location. These situations require that special precautions be taken when storing student data on a computer.

Below are some "best practices" in electronic security. Please read them and check your own practices against these suggestions.

• Do not let the computer save your password - enter it every time.
• Do not write your password on a sticky note and leave it on your monitor/under your keyboard/in your desk drawer. If you must write your password down, keep it somewhere safe.
• Do not store sensitive data on portable devices such as laptops, PDAs, or USB sticks. Instead, have your support personnel instruct you on how to securely use remote access to your centralized file share.
• Use centralized file services rather than storing sensitive data on your local drive. Consult with your computer support personnel to ensure that shared areas are restricted to only authorized users.
• Do not leave portable devices (e.g. PDA, laptops) or media (e.g. USB drives, CDs, floppy disks) unattended.
• Do not email sensitive data in the course of business, especially SSNs. Instead, use the UAB Dropbox (https://dropbox.dpo.uab.edu/dropbox/) to share data.
• Never install any type of "peer to peer" file sharing software on your computer such as Kazaa, BitTorrent, or Limewire.
• Ensure your computer support personnel keep your computer software and antivirus up to date.
• Consult with your local computer support staff to ensure that the location where student data is stored is secure, and that access to that location is controlled and tracked.
• Ensure that your computer support personnel configures a firewall to protect your data.
• Some “free” software or screensavers actually can present security risks, particularly free entertainment or utility software. Check with your computer support personnel before installing any such software.

How can I get Banner access?
To request access to Banner, or to change your existing access, you must email Terry, Cynthia.

A summary of FERPA's key concepts
UAB is required to notify students each year of their rights under FERPA. Currently the annual notification is available on the UAB website.

• Written (and signed) permission is required for disclosure of a student's education record. There are 3 possible exceptions:
  • if a parent claims a student as a dependent on the most recent tax return
  • if a lawful subpoena or court order is received
  • if the health or safety of the student or other individuals is at risk
• Students have a right to access their educational records, and access must be granted within 45 days of the request
• Parents do not have an automatic right to any information about their child's attendance, grades, financial obligations or schedule
• Only school officials with a legitimate educational interest are permitted to access confidential student records

What about final course grades?
Upon written request, a final class (or course section) grade distribution (for example, total number of As, Bs, Cs) will be made available for any class or course section with a final enrollment of eight or more students. However, grade distribution data must not be made available in any instance in which it would be possible to identify individual grade recipients.

Can students see everything in their educational records?
Students have the right to see everything except:

• Information relating to other students
• Financial records of their parents (unless written permission is granted by the parents)

Confidential letters of recommendation may also be excluded, if the student waived their right of access at admission.

What information is specifically restricted?
A number of items are never considered directory information and should only be released with written (and signed) permission from the student.

• Social security number or student number
• Student PIN
• Grades
• GPA
• Class schedule (this includes confirming whether a student is registered in a certain class)
• Citizenship or nationality
• Gender

You cannot write a letter of recommendation for a student which includes grades or GPA unless you have the student's permission in writing to release this information. A verbal request is not sufficient.

What if someone asks me for restricted information?
If you are presented with a third-party request for restricted information, you may reply that you are not authorized to release that information. To find out if there is a privacy hold on a student's record:

• In STARS, if the student had a privacy code, you will see an N under Demographic Information. This was the privacy code meaning no information should be released, directory or otherwise, to anyone other than the student. The default code was Y meaning only directory information could be released without written permission.
• In Banner, the privacy code is set by checking the Confidential box on the Biographical tab from SPAIDEN. Upon first accessing a student's record where the privacy flag has been set, you will see a pop-up box warning that this student's record is confidential. The word "Confidential" will appear above the BannerID in the keyblock on every form.

If the N appeared on the student's account in STARS, or the Confidential flag is set in Banner, you cannot even confirm that the student attends UAB.

The appropriate response in this case would be: "There is no information available on that person."

In general, if you receive queries for student information you should refer people to the Registrar's Office (934-8222, 1605 Building) whenever possible.

How may I release restricted information to an authorized party?
Non-directory information, or any information where the student has a privacy hold on his or her account, must not be released over the phone, by email or by fax.
You may only release restricted information in writing, and only in response to a written request.

Are there special FERPA considerations for faculty?
Yes. Here are some special "don’ts" for faculty to avoid violations of FERPA rules.

DO NOT:

• at any time use the entire social security number of a student in a public posting of grades. In fact, it is preferable not to use any portion of the SSN or student number.
• publicly post or in any way make publicly available a list of grades for any work in classes with fewer than eight students.
• ever link the name of a student with that student’s SSN in any public manner.
• leave graded tests in a stack for students to pick up by sorting through the papers of all students, even if they're all in sealed envelopes.
• circulate a printed class list with student name and SSN or grades as an attendance roster.
• discuss the progress of any student with anyone other than the student (including parents) without the written consent of the student unless that person’s official responsibilities identify his/her legitimate educational interest in that information for that student.
• provide anyone with lists of students enrolled in your classes for any commercial purpose, even if it might be of benefit to the students.
• provide anyone with student schedules or assist anyone other than university employees in finding a student on campus.
• include confidential information (i.e. grades, GPA, number of credits) in a letter of recommendation without the written consent of the student.

Is there anything else I should be aware of?
Yes. Whenever you leave your desk you should ensure that you have either locked the screen (press the Windows key and L simultaneously) or cleared all student data and logged out of student record systems to ensure that no unauthorized person may access or view student information.
You are responsible for all data accessed under your logon.

How can I learn more?
We have eight short example scenarios to demonstrate practical applications of FERPA. What would you do in each situation?
To learn more about FERPA, take the short online FERPA course. (This is a required course for everyone in Student Affairs, and highly recommended for all other faculty and staff.)

Who can I contact about FERPA?
Email any FERPA comments, questions or suggestions to FERPA@uab.edu.
Please do not include any confidential information such as SSN or student number in the email.