Skip to content Skip to navigation

Frequently Asked Questions - FERPA for Faculty and Staff

  1. What does FERPA really mean for me as a university faculty or staff member?
  2. I am the faculty/staff sponsor for the local chapter of an honorary organization that is an officially registered campus group. May I send student lists with GPAs to the national chapter?
  3. What is the best way to dispose of sensitive materials?
  4. My car was just stolen along with my briefcase in which I had student personal information. What should I do?
  5. What do I do when I receive a request for information about a student who has directed the university not to release any information?
  6. I have been told that I can release directory information. Does that mean the university online directory or the alumni directory?
  7. A student complained that I left my grade book open on my desk, and he could see grades for the whole class. Isn't that picky?
  8. My department maintains a separate database of all students in our major. Is there any reason to safeguard these records?
  9. What do I do if a student tells me that he believes a colleague has inappropriately disclosed his student information?
  10. FERPA-protected class information was placed on the web. There are no links to the information, but anyone can find it through an Internet search. What should I do?
  11. Some of my students want to be advised either by mail or by email. Are there issues involved with exchanging information?
  12. What about writing letters of recommendation, for either future employment or admission to an advanced degree program?
  13. Parents often inquire about their student's performance. What rights do they have in terms of access to student information?
  14. What is the right way for me to respond to a subpoena, court order or request from a law enforcement professional for records?
  15. Former students frequently use my name as a reference. Are there any liabilities that I should be aware of?
  16. I've been told I may not include information about top-notch students in the department's annual report. Is this correct?
  17. At the start of the term, I pass a class roster around during my class, so students can check their info. Is this bad practice?
  18. I left a stack of graded papers in a box outside my office so students could pick them up at their convenience. Is this okay?
  19. I think the photo rosters would be a great way to promote class interaction in my class by speeding up the process by which students recognize and learn each other's names. May I share the roster with them?
  20. Why can't I post lists of students and their grades on the department bulletin board or on my website?
  21. Is my parent's My ASU Guest access account linked to the Verification Requests Document account?

You share the responsibility for protecting the privacy rights of ASU students and their records. You should become familiar with the various requirements of FERPA, a synopsis of which is available here. University policy regarding the management of student records is based on this federal legislation. The penalty for inappropriate disclosure is the withdrawal of federal funding of essentially all types. The staff in the University Registrar Services is available to provide guidance for any situation.

Additional information is available at these websites:

SSM 107-01 Release of Student Information:
SSM 107-02 Lost, Stolen, or Inappropriately Disclosed Student Records Information:

I am the faculty/staff sponsor for the local chapter of an honorary organization that is an officially registered campus group. The national chapter has asked me for a list of candidates so they can send membership invitations, but one of the criteria is a certain GPA. May I send them the list?

No, it would be inappropriate to provide any information that has been sorted by GPA or any other piece of non-directory information. What you may do is send the invitation mailing from here without providing your national office the list. This gives students the opportunity to self-select by responding or not responding to the invitation and keeps ASU compliant with FERPA. Note that it is also inappropriate to permit any student members to have access to candidate information, if it is prepared using any non-directory information. Developing a list of potential candidates is not accomplished centrally. Your department or college has staff with ASU data and reporting tools access who can prepare this list for you. If you have any questions about this procedure, please consult with a member of the administrative staff in University Registrar Services.

After confirming that you are following the appropriate retention schedule, shredding is the preferred method.

ASU has a policy and procedure that must be followed when information is lost, stolen or inappropriately disclosed. Please go to this webpage for instructions: The staff in the University Registrar Services administrative office is available to provide assistance as needed.

This can be very awkward. If the student has told us not to release any information, university employees may not even acknowledge that the person is or has ever been a student here. You might say, "I have no releasable information." If the caller questions that statement, you may reiterate what you have already said; or, of course, you may refer them to University Registrar Services at 480-965-3124.

Not necessarily. ASU permits release of "directory information" as defined by FERPA, unless a student directs us not to release such information. Referring a requestor to University Registrar Services is always appropriate in this situation. Otherwise, please go to the policy at to view ASU's definition of directory information, and make your decision based on that.

No, actually, it's not. Everyone who deals with protected student information needs to be cautious about "passive" and unintended releases of information. This includes leaving information visible on your desk or walking away from a computer screen that displays student information. We even need to be alert to where monitors are placed, so that they are not visible through a window or doorway.

Yes! All student records that are created and/or maintained by anyone in the university are protected by FERPA in exactly the same way. This includes derived databases in academic departments, colleges, business offices, etc.

It is recommended you refer the student to a member of the University Registrar Services administrative staff at 480-965-7302 to discuss the applicability of the Lost, Stolen, or Inappropriately Disclosed Student Records Information Policy at

This should be reported to your department chair, so that the protected information can be removed from public access immediately and the necessary steps of the Lost, Stolen, or Inappropriately Disclosed Student Records Information Policy at can be followed immediately. Experience has shown that when this occurs, it is generally unintentional. Many people have the mistaken notion that if they do not provide a link to their Web space, it is private. With the powerful search engines that are available today, everyone must ensure that they are using appropriate security measures when placing sensitive information on the Web.
ASU employees who inappropriately post student information to publicly accessible Web space risk losing access to their own ASU Web space.

The biggest difference is that when a student comes to your office, you will ask for picture identification, and you are unable to do that through the mail or email. It is always appropriate to communicate with a student by mail, provided that you use the student's address of record with ASU, which you may find in the student information system. Email is another situation entirely. So much of our work has been improved by the use of technology, and both the ease and the speed of email make it a very appealing communication choice. However, users should exercise extreme caution in using email to communicate confidential or sensitive matters and should not assume that email is private and confidential. It is especially important that users are careful to send messages only to the intended recipient(s). If a student prefers to use email, you may want to obtain his/her advance, signed, written authorization to exchange information by email. The document should include their understanding that they assume all risk assumed with any possible inappropriate interception of an email transmission. If you do follow this approach, be certain to retain the signed authorization document. Also, you should correspond only to the student's official email address.

Again, it is required that you have written authorization from the student, if you are going to discuss anything about his orher performance, which is likely what the recipient of your letter will be looking for. In addition, if you are writing a letter of recommendation for admission to a graduate program, you may also be shown a copy of a form the student has signed waiving his or her right to view your letter. It is good practice to copy that form and retain it for your own records, along with the student's written authorization document.

This can be an extremely frustrating area for parents of traditionally aged students, particularly if the parents are paying the bills. Nonetheless, all FERPA rights transfer from the parent to the student when the student either reaches the age of eighteen or moves into postsecondary education, regardless of age. This means that you may not discuss anything about a student with a parent or spouse, unless you have advance written consent from the student, or can confirm that a formal consent for access or affidavit of dependency is on file and noted in the student information system (Peoplesoft).

Students can authorize their parents and others to view FERPA protected information in My ASU by granting them My ASU Parent Guest Access. If your position does not require that you have access to the student information system, please contact University Registrar Services to determine if the information can be disclosed. For students who have directed the university not to release their directory information, you may not even acknowledge that the student is present at ASU. There may be an occasional exception in the case of a legitimate emergency, but in that case law enforcement personnel will be involved, and they will work through the University Registrar Services office.

All requests for student information, whether by subpoena, court order or authorization, should be sent to the University Registrar Services administrative office for review and processing. If the request calls for more information than is available directly from University Registrar Services, those materials will be gathered together under the direction of the Office of General Counsel and submitted as a package in response to the request. Do not be intimidated by a badge. Refer all inquiries to University Registrar Services.

While we would prefer that students follow generally accepted protocol and ask permission in advance of using your name as a reference, you may still be able to provide assistance. First, if this is a frequent occurrence, you may wish to notify your current and future students that they need to discuss this with you in advance. Second, you should require written permission from each student who wishes to use you as a reference. For you to discuss the student and his/her performance freely, the permission needs to be worded very broadly. If the authorization is worded narrowly, be certain that you only discuss those areas which you have been given permission to disclose.

The answer is perhaps. It would be a FERPA violation to include information about any student who has directed the university not to release his/her information. Additionally, without advance written consent, it would be a violation to disclose grades or performance indicators for any student. If you obtain written permission from each student, it would be permissible to include the information. The department would need to retain the written permission as documentation about the release.

While there is an expectation that students may learn each other's names through the course of regular class activities during the term, official class rosters include student names and ID numbers, which may not be disclosed without the advance written consent of each individual student. A better approach would be to encourage your students to go to My ASU to confirm their registration. If they have individual questions or concerns, they should contact any registration location.

No, this is a problem. Although it may seem like a good service to your students to provide quick return of materials in this way, there is nothing to prevent anyone from inappropriately sifting through all of the papers to learn grades other than his own and possibly to obtain other students' identifying information, all of which is protected.

No, this would be a FERPA violation, unless you obtain the specific written consent of each student in advance. Class rosters contain personally indentifiable information, e.g., photo and ID number, which is protected from disclosure to third parties, even classmates, by FERPA. Such rosters are intended for instructor use only.

FERPA does not permit the public disclosure of personally identifiable student information. Posting grades in the manner you have described would be a violation. It is, however, permissible to post student grades if you use the methods approved by the university. For example, you may use the Posting-ID that is provided on your class rosters. Additional information is available in the Academic Affairs Policy Manual, ACD 304-03.

No, the accounts are not linked. If you wish to provide your parent My ASU Guest Access, a separate account would be required. Find out more about Guest Access.