FERPA and Requests for Volume Data
The Information Resources Operations Service Request (OSR) is used when a unit is requesting data for multiple students for operational use.
The use of any provided student data is governed by Federal Law and policy (Family Educational Rights and Privacy Act of 1974 [FERPA]). Recipients of data are responsible for compliance with federal law and policy, which govern the use and dissemination of educations records. More details are available on the SUNY Cortland website: http://www2.cortland.edu/ferpa.
According to FERPA, SUNY Cortland must maintain a record of all requests for, and/or disclosures of, information from a student's education records for as long as those records are maintained. The record will indicate the name of the party making the request, any additional party to whom it may be re-disclosed, and the legitimate interest the party had in requesting the information. While FERPA indicates that record keeping is not required if disclosure is to the student, to a school official with a legitimate educational interest, to a third party with written consent from the student, to a federal grand jury or law enforcement agency pursuant to a subpoena, SUNY Cortland policy an state law and policy requires record keeping in most instances.
Other Data Sources / Institutional Research Projects
Safeguarding Student Data
- Data provided to you must be secured or in your possession at all times, and may only be accessible by college officials requiring the data to complete tasks for legitimate college educational interests, as defined by SUNY Cortland’s FERPA policy.
- Data may only be securely shared with providers and third parties. SUNY Cortland cannot email files with student data. A secure method such as secure FTP, Cortland's ShareFile or other secure service must be used.
- Data distributions to advertisers or third parties that do not have contractual agreements or support the mission of the College must use the external request processes (FOIL/FOIA) managed by Public Relations.
- Limit any additional collection or storage of sensitive student data. Sensitive student data should only be stored on a college-managed device or a college-approved information system (including systems from approved vendors and third parties defined as college officials under SUNY Cortland’s FERPA policy).
- When managing hard copy (paper) data:
- Never leave sensitive student data unattended and/or unsecured.
- Physically secure paper documents (e.g., in a locked drawer, cabinet, desk, or safe) when not in use or not otherwise under the control of an authorized college official. Student data may also be stored in a space where access control measures are employed to prevent unauthorized access (e.g., a space with locked doors or supervised).
- Protect against “shoulder surfing” or eavesdropping and be aware of your surroundings when processing or discussing student information.
- Obtain proper authorization before removing documents containing sensitive student data from your office.
- Do not take student data home or to any non-approved worksite, in either paper or electronic format.
- When the documents are no longer required, destroy the documents using secure means to render it safe for disposal or recycle using the college-provided secured shredding bins. Destruction should be undertaken as soon as the data is no longer in use, and/or in accord with NYS data destruction policies.
- Limit the production of hard copy data which can be accessed and stored securely using Banner, a college-approved information system. Consider whether paper copies are necessary and if a secured electronic method exists.
During the academic year, the Registrar’s Office meets with departments to assist them in developing and obtaining secure electronic access approaches. If you wish to make an appointment to discuss securing student data, please contact the Registrar’s Office at 607-753-4702 or firstname.lastname@example.org.
Requesting Data for External Use, Third Parties, Software, or Mailing
Please note that additional review may be required whenever data is transmitted off-campus, or will be by used a third party. If additional information is required, it will be forwarded to receive any required approvals. You may be contacted if additional clarification is needed. The following will likely require additional review:
- Mailing Lists or Mailing Labels
- Document Creation or Publications
- Software Systems, Including Off-Campus Hosted Systems, Web Services and Applications
- Third Party Technical Servicers, or Third-Party Supported Systems
- Third Party Vendors, Delivery Services, or Contractors
- External Research or Reporting
- Survey Services
In accord with Department of Education guidance on third party use of student data, there are limits on the use of student data for advertising and marketing. Any PII from students’ education records that a third party receives under FERPA’s school official exception may only be used for the specific purpose for which it was disclosed (i.e., to perform the outsourced institutional service or function). Under FERPA’s school official exception a third party may not share (or sell) FERPA-protected information, or re-use it for any other purposes except as directed by the school and as permitted under FERPA. Requesting protected data for use in advertising or marketing can only be approved under a school official exception if it complies with the definitions/categories provided in FERPA policies and the annual disclosure, and if they are performing a specific institutional service (see also Safeguarding Student Data above).
Using the Operations Service Request (OSR)
To use the Operations Service Request (OSR) (faculty and staff):
- Log into myRedDragon
- Click the Tech Help tab.
- Select Operations Service Request in the Information Resources channel.
- Complete the required information on the form.