Student data and student educational record data must be properly secured and safeguarded. The following provides resources and procedures regarding the maintenance and confidentiality of student records and the circumstances under which the institution may release information in student records in accord with all applicable state and federal laws and SUNY policy.
SUNY Cortland manages student records through our centralized student information system. In addition, the College maintains a secure document management system to retain student records and forms as document images. Both of these systems are secured via user authentication and established security classes. To receive access to the student information system, its online self service components, and connected third party systems, users must must make a request via Information Resources. Area data stewards and custodians will review the request and either grant or deny access to tools and information based on role and business process.
Academic departments routinely keep and manage additional student records related to students in their majors and programs. When managing student records in your department, please adhere to the following guidelines:
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords student the right to have access to their education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information. When a student turns 18 years old, or enters a postsecondary institution (such as SUNY Cortland) at any age, the rights under FERPA transfer to the student (“eligible student”).
Each year, the President's Office provides a required annual notice to the campus community regarding FERPA requirements, student rights, and faculty and staff responsibilities. Faculty and staff shall review the campus FERPA Policies as part of this annual notice.
The guidelines below provide general guidance for common FERPA issues and concerns. This list is by no means exhaustive, and additional details may be needed to make proper determinations. If any faculty or staff member has a question about College FERPA policies, or the Federal Act, they are invited to contact Student Registration and Record Services for assistance.
Because Personally Identifiable Information (PII) is protected under the Family Education Rights and Privacy Act, faculty and staff must obtain written permission from a student to include any information in a letter of reference that is not directory information or a general statement. This includes courses a student is enrolled in or courses a student has completed, grades for courses, and GPA. Faculty and staff are encouraged to use the FERPA Release form to obtain written permission. Students have the right under FERPA to inspect their academic records in their entirety, including letters of reference. Students may waive that right for letters of recommendation.
If your program or department receives a legal request or subpoena, please provide it to Student Registration and Record Services. Student Registration and Record Services will determine if it is a lawfully executed subpoena in concert with legal counsel. If you are called or questioned in a legal matter pertaining to the College, contact the SRRS Office immediately for assistance.
A data breach is any instance in which there is an unauthorized release or access of PII or other information not suitable for public release. Breaches resulting in unauthorized access to PII can be especially serious. Information gained via leaked information can be used by criminals to obtain loans and lines of credit, make purchases, or to commit identity theft. SUNY Cortland has special obligations under the Breach Notification Act, which requires the College to disclose any breach of data to NY residents and non-residents (as a State institution).
Any user of student data that experiences or discovers a data breach or other data security incident should immediately report it to Information Resources via the Help Center.
FERPA permits an educational agency or institution to disclose PII from an education record of a student if the disclosure meets one or more of the conditions outlined in the Act. FERPA permits school officials to disclose education records, or personally identifiable information from education records, to appropriate parties in connection with an emergency, if knowledge of that information is necessary to protect the health or safety of the student or other individuals. In general, you should refer emergency personnel to University Police. However, faculty and staff may cooperate with police and official emergency personnel if there is an "articulable and significant threat to the health or safety of the student or other individuals and that a party needs personally identifiable information from education records to protect the health or safety of the student or other individuals". (Department of Education Policy)
In general, the College can share directory information with public health agencies when it is required, but sharing PII will require an evaluation of the need. FERPA only permits nonconsensual disclosures of PII from education records under the health or safety emergency exception to "appropriate parties" (such as public health officials) whose knowledge of the information is necessary to protect the health or safety of students or other individuals. Faculty or staff with questions about managing COVID-19 concerns are encouraged to review the campus COVID-19 guidance.
Student Registration and Record Services participates in new faculty orientation and provides annual retreats for academic staff. In addition to FERPA guidance provided annually in these sessions, our staff maintains FERPA training courses that can be provided for faculty and staff meetings, retreats and training sessions. You may sign up for FERPA sessions using the links below:
Download, post and share the following materials to help secure student records. Student Registration and Record Services has limited paper copies available as well.
Faculty, staff, and community members may access the online Department of Education FERPA 101 Electronic Course by clicking below. The online training course was developed by the Department of Education as an introduction to FERPA and requirements relating to the privacy and security of Personally Identifiable Information (PII). The course addresses FERPA basics, explores requirements for the protection of student records for Colleges, Universities and other postsecondary institutions, addresses who may and may not access student records, when those records may be shared, and discusses several of the applicable exceptions to the FERPA requirement for consent. The training takes roughly 30 minutes to complete.