FERPA FAQ

What is FERPA (Family Educational Rights and Privacy Act)?

Why should I care about FERPA?

What are education records?

Are my admission application materials considered education records?

What is personally identifiable information?

Are there exceptions to the disclosure requirements of FERPA?

What constitutes “legitimate educational interest”?

What is directory or public information?

How can release of directory information be restricted?

Is Vanderbilt required to release a student’s directory information?

What is the annual notification to students?

When do students’ FERPA rights begin?

Is it okay to send FERPA-protected information via email?

Is it okay to use Box or other cloud services to store and transmit FERPA-protected information?

What is FERPA (Family Educational Rights and Privacy Act)?

The Family Educational Rights and Privacy Act is a federal law regarding the privacy of student records and the obligations of the institution, primarily in the areas of release of the records and the access provided to these records. Any educational institution that receives funds under any program administered by the U.S. Secretary of Education is bound by FERPA requirements. Institutions that fail to comply with FERPA may have funds administered by the Secretary of Education withheld.

Why should I care about FERPA?

If you are an employee of Vanderbilt University with access to student education records, you are obligated to comply with FERPA and to protect those records according to the law.

What are education records?

Education records are directly related to a student and maintained by an institution or its agent or by a party acting for the institution or agency. Education records can exist in any medium including email, computer files, computer screen display, paper documents, printouts, tapes, disks, film, and microfilm/microfiche, among others. Education records include such things as graded papers, exams, transcripts, and notes from a conversation with or about a student that are placed in a student’s file for others in the department to reference. Education records DO NOT INCLUDE such things as:

  • sole possession records, i.e., records/notes in sole possession of the maker, used only as a personal memory aid and not revealed or accessible to any other person
  • peer-graded papers before the instructor has collected them
  • medical treatment records that include--but are not limited to--records maintained by physicians, psychiatrists, and psychologists
  • employment records unless employment is based on student status
  • law enforcement unit records
  • alumni records

Are my admission application materials considered education records?

FERPA affords admitted students who matriculate at the university the right to access their education records. Persons who apply to the university and are not admitted are not covered by FERPA. Persons who are admitted to the university but do not matriculate are not covered by FERPA. Undergraduate students who are admitted and matriculate at the university will have the following information from the admission application process as part of their education records:

  • Application for admission (does not include letters of recommendation)
  • Official transcript(s)
  • Standardized test scores

Generally, the following items from the admission application process are maintained for graduate and professional students who are admitted and matriculate at the university:

  • Application for admission
  • Official transcript(s)
  • Statement of Purpose
  • Creative Statement
  • Resume/Curriculum Vitae
  • Admission Letter
  • Standardized test scores

Please note that some graduate and professional schools may have different additional requirements for maintaining documents. Students with questions should contact the Office of the University Registrar.

What is personally identifiable information?

According to FERPA, personally identifiable information in an education record may not be released without prior written consent from the student. Some examples of information that MAY NOT BE RELEASED without prior written consent of the student include:

  • Social Security number
  • grades/exam scores
  • Grade Point Average (GPA)
  • current class schedule
  • parent name and address
  • race/ethnicity
  • gender
  • country of citizenship
  • religious affiliation
  • disciplinary status
  • marital status
  • test scores (e.g., SAT, GRE, etc.)

The university will not release personally identifiable information from a student's education record without the student's prior written consent. Even parents are not permitted access to their son or daughter's education records unless the student has provided written authorization. Exceptions are noted in the university's annual notification of FERPA rights.

Are there exceptions to the disclosure requirements of FERPA?

Yes. These exceptions include, but are not limited to, the following examples:

  • Disclosure to school officials with legitimate educational interests. A “school official” is a person employed by the university in an administrative, supervisory, academic, research, or support staff position (including university law enforcement personnel and health staff); contractors, consultants, and other outside service providers with whom the university has contracted; a member of the Board of Trust; or a student serving on an official university committee, such as the Honor Council, Student Conduct Council, or a grievance committee, or assisting another school official in performing his or her tasks. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility.
  • To parents if the student is a dependent for tax purposes.
  • To appropriate individuals (e.g., parents/guardians, spouses, housing staff, health care personnel, police, etc.) where disclosure is in connection with a health or safety emergency and knowledge of such information is necessary to protect the health or safety of the student or other individuals.
  • Information to a parent or legal guardian of a student regarding the student’s violation of any federal, state, or local law, or of any rule or policy of the institution, governing the use or possession of alcohol or a controlled substance if the university has determined that the student has committed a disciplinary violation with respect to the use or possession and the student is under the age of twenty-one at the time of the disclosure to the parent/guardian.
  • Disclosure to comply with a judicial order or lawfully issued subpoena.
  • Disclosure to various authorized representatives of government entities (audits or evaluation of programs; compliance with SEVIS, Solomon Amendment, etc.).

What constitutes “legitimate educational interest”?

FERPA permits university employees to have access to student education records in which they have a “legitimate educational interest.” Such access does not require prior written consent of the student. Legitimate educational interest is considered necessary for employees to carry out their job responsibilities in support of Vanderbilt’s educational mission. Important points pertaining to “legitimate educational interest”:

  • Curiosity is not legitimate educational interest. Having access to student education records does not equate to license to access them out of curiosity.
  • Employment by Vanderbilt University does not constitute legitimate educational interest. Accessing student education records must be related to your job responsibilities in support of the university's educational mission.
  • Legitimate educational interest is limited to the specific record(s) you need to access to carry out your job duties. Access to education records does not authorize unrestricted use.

What is directory or public information?

FERPA provides the university the ability to designate certain student information as “directory information.” Directory information may be made available to any person without the student’s consent unless the student gives notice as provided for below. Vanderbilt has designated the following as directory information: the student’s name, addresses, telephone number, email address, student ID photos, major field of study, school, classification, participation in officially recognized activities and sports, weights and heights of members of athletic teams, dates of attendance, degrees and awards received, the most recent previous educational agency or institution attended by the student, and other information that would not generally be considered harmful or an invasion of privacy if disclosed.

How can release of directory information be restricted?

Any newly entering or currently enrolled student who does not wish disclosure of directory information should notify the University Registrar in writing. No element of directory information as defined above is released for students who request nondisclosure except in situations allowed by law. The request to withhold directory information will remain in effect until the student files a written request with the University Registrar to discontinue the withholding.

Is Vanderbilt required to release a student’s directory information?

No. The only required disclosure of education records is to the student. All other disclosures, including those with student consent and disclosures of directory information, are at the discretion of the institution.

What is the annual notification to students?

Vanderbilt University provides the Annual Notification of Student Rights under FERPA to all enrolled students to inform them of their rights to:

  • inspect and review their education records (within 45 days of a request);
  • request an amendment to their education records;
  • request a hearing if the request for an amendment is unsatisfactory;
  • request that the institution not disclose their directory information;
  • file a complaint with the U.S. Department of Education.

When do students’ FERPA rights begin?

At Vanderbilt, a student is defined as someone currently or previously enrolled in an academic offering of the university. This does not include prospective students or applicants to any academic program of the university. For those students who are newly admitted to Vanderbilt, FERPA becomes effective on the first day of classes for students who have enrolled in at least one course.

Is it okay to send FERPA-protected data via email?

FERPA-protected data should never be sent via email, as this is not a secure method of transmitting sensitive data. Restricted information such as grades, GPA, or personally identifiable information such as Social Security number should never be sent through email. Please take care not to forward or reply to emails which are sent to you containing sensitive data without removing such data prior to transmission. Consider using OneDrive if you need to transmit student education records electronically. An explanation of permissions by data type and detailed user guides are available through Vanderbilt University Information Technology. 

Is it okay to use Box or other cloud services to store and transmit FERPA-protected information?

It is permissible to transfer or store FERPA-protected data on Box for Vanderbilt. However, Social Security numbers should never be transferred or stored on Box for Vanderbilt. To ensure secure data transfer, faculty and staff should only use the Box web interface (http://vanderbilt.box.com) or official Box apps to transfer data to Box for Vanderbilt. An explanation of permissions by data type and detailed user guides are available through Vanderbilt University Information Technology. The Office of the University Registrar also offers a document sharing user guide.