FERPA and Record Security Resources

Securing Education Records

Student data and student educational record data must be properly secured and safeguarded. The following provides resources and procedures regarding the maintenance and confidentiality of student records and the circumstances under which the institution may release information in student records in accord with all applicable state and federal laws and SUNY policy. 

Record Storage and Access

SUNY Cortland has categorized data elements and records into specific classes. The purpose of the policy is to establish a framework for identifying institutional data based on its level of sensitivity, value and criticality to the college. Classification of data will aid in determining baseline security controls for the protection of data in how the College will access, save, send and store data.

Official Record Storage

SUNY Cortland manages student records through our centralized student information system. In addition, the College maintains a secure document management system to retain student records and forms as document images. Both of these systems are secured via user authentication and established security classes. To receive access to the student information system, its online self service components, and connected third party systems, users must make a request via Information Resources. Area data stewards and custodians will review the request and either grant or deny access to tools and information based on role and business process.

Academic Department Record Storage

Academic departments routinely keep and manage additional student records related to students in their majors and programs. When managing student records in your department, please adhere to the following guidelines:

  1. Maintain data in a secure file cabinet or, if electronic, in a secure PC file.
    • Encrypt any portable drives or disks (learn how).
    • Use your Cortland-provided U-drive or OneDrive instead of thumb drives or portable drives/disks (learn how).
  2. Lock and secure your desk, cabinets and PC when they are not attended, per the Information Security policy.
  3. Abide by security and information release requirements and observe the confidential flags / directory exclusion flags.
  4. Never release data to third parties or represent extracts or departments-generated data as official College data unless part of an approved College business process or accreditation process.
  5. Only use the data for legitimate educational purposes.
  6. Dispose of data and records in accord with the NYS destruction standards.

About FERPA

FERPA flyer

The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords student the right to have access to their education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information. When a student turns 18 years old, or enters a postsecondary institution (such as SUNY Cortland) at any age, the rights under FERPA transfer to the student (“eligible student”). 

Each year, the President's Office provides a required annual notice to the campus community regarding FERPA requirements, student rights, and faculty and staff responsibilities. Faculty and staff shall review the campus FERPA Policies as part of this annual notice.

General FERPA Guidance for Faculty/Staff

The guidelines below provide general guidance for common FERPA issues and concerns. This list is by no means exhaustive, and additional details may be needed to make proper determinations. If any faculty or staff member has a question about College FERPA policies, or the Federal Act, they are invited to contact the Registrar's Office for assistance.

  • College officials, as defined in the Act, may access and utilize student records that pertain to their roles at the College, and only for official College purposes. 

  • Generally, FERPA requires written consent from parents or eligible students (students who are 18 years of age or greater or attending a postsecondary institution) in order to release PII from education records.
    • Personally Identifiable Information (PII) is protected information, that should not be released to third parties except with specific consent or under certain FERPA exceptions provided for in the Act.
    • Directory Information is information that may be released to third parties without explicit consent. The College is permitted, but is not obligated, to provide directory information to third parties.

  • DO NOT discuss or disclose a student record with anyone who does not have a legitimate educational interest.

  • DO NOT release a student’s academic record, personal information, class schedule or residential information to third parties, parents, relatives, guardians or non-Cortland employees unless the student has provided the College with a FERPA Release or waiver to discuss their records. Consult first with the Registrar's Office to determine if a waiver is on file.

Protecting Student Data in Classes

  • DO NOT post student IDs (in whole or in part), SSNs (in whole or in part), academic information or grades in any public location even if the list only contains a student name and/or other general identifier.  Publicly posting this information is a FERPA violation. Students should be directed to their instructor, myRedDragon or Blackboard to obtain grades.

  • DO NOT leave or collect documents, assignments or exams in unattended locations. This includes collecting assignments to be graded, and distributing graded assignments. 

  • DO NOT circulate a printed attendance list that displays any part of a student Cortland ID or ask students to provide any part of their Cortland ID on a sheet of paper.  

Letters of Reference and Recommendations

Because Personally Identifiable Information (PII) is protected under the Family Education Rights and Privacy Act, faculty and staff must obtain written permission from a student to include any information in a letter of reference that is not directory information or a general statement. This includes courses a student is enrolled in or courses a student has completed, grades for courses, and GPA.  Faculty and staff are encouraged to use the FERPA Release form to obtain written permission.  Students have the right under FERPA to inspect their academic records in their entirety, including letters of reference. Students may waive that right for letters of recommendation.

Legal Requests and Subpoenas

If your program or department receives a legal request or subpoena, please provide it to the Registrar's Office.  The Registrar's Office will determine if it is a lawfully executed subpoena in concert with legal counsel. If you are called or questioned in a legal matter pertaining to the College, contact the Registrar's Office immediately for assistance.

Data Breach or Security Incidents

A data breach is any instance in which there is an unauthorized release or access of PII or other information not suitable for public release. Breaches resulting in unauthorized access to PII can be especially serious. Information gained via leaked information can be used by criminals to obtain loans and lines of credit, make purchases, or to commit identity theft.  SUNY Cortland has special obligations under the Breach Notification Act, which requires the College to disclose any breach of data to NY residents and non-residents (as a State institution).

Any user of student data that experiences or discovers a data breach or other data security incident should immediately report it to Information Resources via the Help Center. 

  • Report anything unusual. If it sets off a warning in your mind, it just may be a problem. Do not ignore it.

  • Immediately report suspected security incidents and breaches to your supervisor and The Help Center. Be sure to indicate whether sensitive information may be at risk.

  • If you think your computer has been compromised, or someone might be accessing your computer remotely, it is best if you can unplug the network cable (and turn your wireless off, if you have it) and leave the computer on until help arrives.

Emergencies

FERPA permits an educational agency or institution to disclose PII from an education record of a student if the disclosure meets one or more of the conditions outlined in the Act. FERPA permits school officials to disclose education records, or personally identifiable information from education records, to appropriate parties in connection with an emergency, if knowledge of that information is necessary to protect the health or safety of the student or other individuals. In general, you should refer emergency personnel to University Police. However, faculty and staff may cooperate with police and official emergency personnel if there is an "articulable and significant threat to the health or safety of the student or other individuals and that a party needs personally identifiable information from education records to protect the health or safety of the student or other individuals". (Department of Education Policy)

COVID-19 and FERPA

In general, the College can share directory information with public health agencies when it is required, but sharing PII will require an evaluation of the need.  FERPA only permits nonconsensual disclosures of PII from education records under the health or safety emergency exception to "appropriate parties" (such as public health officials) whose knowledge of the information is necessary to protect the health or safety of students or other individuals.  Faculty or staff with questions about managing COVID-19 concerns are encouraged to review the campus COVID-19 guidance.

Training Sessions and Knowledge-Sharing

The Registrar's Office Training Sessions

The Registrar's Office participates in new faculty orientation and provides annual retreats for academic staff. In addition to FERPA guidance provided annually in these sessions, our staff maintains FERPA training courses that can be provided for faculty and staff meetings, retreats and training sessions. You may sign up for FERPA sessions using the links below:

  • FERPA 101: Discusses the basics of FERPA, student rights, faculty/staff responsibilities, FERPA 'exceptions' and campus policies for directory information and PII.

  • FERPA for Faculty: Discusses best practices for student information management, sharing information with students, security options and solutions, grade posting, letters of reference, and general record-keeping.

  • FERPA Brown Bag: An interactive and discussion-based training session based on assessing and discussing case studies. Performed generally as a brown-bag luncheon presentation.

  • Managing Student Data: Provides an overview of managing academic department data, NYS destruction standards and information security best practices.

FERPA Awareness Materials

Download, post and share the following materials to help secure student records. The Registrar's Office has limited paper copies available as well. 

FERPA Online Training

Faculty, staff, and community members may access the online Department of Education FERPA 101 Electronic Course by clicking below. The online training course was developed by the Department of Education as an introduction to FERPA and requirements relating to the privacy and security of Personally Identifiable Information (PII).  The course addresses FERPA basics, explores requirements for the protection of student records for Colleges, Universities and other postsecondary institutions, addresses who may and may not access student records, when those records may be shared, and discusses several of the applicable exceptions to the FERPA requirement for consent. The training takes roughly 30 minutes to complete. 

Start Training Module