FERPA

At Texas A&M University, protecting the privacy of our students is a top priority. A key federal law guiding this is the Family Educational Rights and Privacy Act of 1974, commonly known as FERPA. FERPA gives students rights regarding their education records and sets rules for who can access and view this information. At Texas A&M, the Registrar is the final authority on the correct handling of FERPA-protected information.

FERPA protects information found in a student's education record. This is broadly defined as any record maintained by Texas A&M (or someone acting on its behalf) that is directly related to a student and from which a student can be personally identified. These records can be in any format: handwritten, printed, digital, email, etc.

Some information is allowed to be released without prior consent by the student; this is called directory information. Texas A&M has designated a limited set of data as directory information, like name, UIN, email, program of study, and classification, among others. Currently enrolled students can request to restrict the release of their directory information through the Howdy portal. This restriction remains in effect until the student removes it.

Education records are classified as University-Confidential under the university’s data classification framework. This has several implications for how this data is handled, and how we manage devices that store or transmit FERPA data (like a faculty-assigned laptop, for example).

• Encryption. Data classified as University-Confidential must be encrypted at all times. This means that most devices issued to teaching faculty must have disk encryption enabled.
• No Email. Email is not a secure platform by itself, and should not be used to transmit FERPA data. Use a secure, encrypted tool like FileX for document transfer, or restrict all communication about grades and coursework to a platform like Canvas,
• No Personal Websites. To avoid the risk of unauthorized access, only approved, secure web sites like howdy.tamu.edu or Canvas should be used for accessing grade information.

All university employees have a responsibility to protect student privacy under FERPA. In general, this means ensuring that student records are only accessed for legitimate educational purposes, and never releasing non-directory information without student consent or a valid exception.

If you have questions about FERPA or need guidance, please contact the Office of the Registrar at registrar@tamu.edu. If you witness or are involved in a potential FERPA violation, it should be reported to the Office of the Registrar FERPA Incident Team (ferpa@tamu.edu) for review and appropriate action.

If you have questions about how to best secure or manage information resources in order to comply with FERPA requirements, please contact the IT Risk Management team at it-security@tamu.edu.