Privacy, Confidentiality, & FERPA

Because student information is protected under the Family Educational Rights and Privacy Act of 1974 (FERPA), it is of particular importance that information that constitutes a student’s educational record be treated with utmost confidentiality.

For information on student’s rights under FERPA, see the Academic Handbook .

To help employees better understand their responsibilities, there is a mandatory online FERPA training that all employees must complete.  Additionally, all employees are required to sign a FERPA Confidentiality of Records Agreement.

Education Records

An education record is any record which contains information that is personally identifiable to a student and is maintained by the university or by a party or organization acting on behalf of the university. Under FERPA, students have the right to view any and all education records upon request. Therefore, any education records created and maintained by employees should assume student access and be appropriate for the student to view.  If you don’t want the student to view the record, then make it sole possession or delete it. 

Education records may include, but are not limited to Google “G Suite” records (Gmail, Contacts, Calendar, Drive, Sites, Hangouts, etc.), FoxTALE/Moodle records, MyGeorgeFox records, Fox360 records, Handshake records, TaskStream records, written, printed, and projected documents, voicemail messages, social media, video or audio recordings (including Zoom recordings), transcripts (any school), student employment records, student licensure records.

Items excluded from the education record include law enforcement or campus security records, medical records, alumni records, and sole possession records. Sole possession records are made by one person as an individual observation or recollection and are kept in the possession of the maker.

The best practice is to always keep comments about students professional and appropriate.  If it’s not a sole possession record, the student has a right to see it.

For more information, see the Employee Handbook Section 5.6

Directory information

At its discretion, the university may provide “directory information” in accordance with the provisions of FERPA. Directory information is defined as that information which would not generally be considered harmful or an invasion of privacy if disclosed. The law states that directory information may be released, not that it must be released, therefore employees are empowered to use utmost discretion.

Students have the right to restrict the release of any directory information, and may have done so through the Registrar’s Office.  Therefore, all requests for any student education records, both directory and non-directory, should be referred to the Registrar’s Office.  Failure of any employee to comply with these policies may result in disciplinary action, up to and including termination.

The university considers the following information to be “directory information”: and which therefore may be open to the public unless the student has asked for an information restriction status in the Registrar’s Office:

Non-directory information (anything that is an education record but is not directory information) should not be shared with anyone without the student's written consent, including to other university employees, student employees, or other students, unless they have a legitimate educational interest; meaning that they need the information in order to fulfill their professional responsibilities for George Fox University.

When a student requests that you complete a letter of recommendation or a reference for them, whether for graduate school applications, job applications, or any other request; if any non-directory information will be provided as part of that recommendation or reference, the Release Form for Recommendations must be completed by the student.

If a student’s parents, spouse, friends, or others inquire about a student’s location, enrollment, class schedule, academic performance, grades, student employment or wages, status of financial aid or student account, religion, or other non-directory information, that information can be disclosed only if the student has signed a consent statement giving permission to provide the information.  Questions about release of academic information should be directed to the Registrar’s Office.  Questions about release of financial aid information should be directed to the Office of Financial Aid.  Questions about release of student account information should be directed to the Office of Student Accounts.  Questions about release of disciplinary information should be directed to Student Life.

If non-directory information is needed to resolve a crisis or emergency situation, an education institution may release that information if the institution determines that the information is "necessary to protect the health or safety of the student or other individuals." In the case of an emergency, contact the appropriate individuals (e.g., George Fox Security Services, Registrar’s Office, Dean of Students, the Office of the Provost, or Health and Counseling Services) and describe the situation that led you to make the call. Once the situation is resolved, document the details of the situation (what, where, when, who), those involved in the response, and the resolution of the situation.  Once resolved, contact the Registrar to debrief the scenario and provide your documentation.

An important distinction in FERPA is “must” vs. “may”.  In the case of “must” it is incumbent on the institution and all of its officials to comply.  In the case of “may” an individual’s discretion may be employed, and therefore two employees may handle a situation differently.

Examples of key “musts” under FERPA:

Examples of key “mays” under FERPA:

Legitimate Educational Interest

Non-directory student information should not be shared or discussed with any employee who does not have a legitimate need to know the information in order to perform their job duties and functions.  Faculty acting as academic advisors do have a legitimate educational interest in a student’s class schedule or their performance in courses.  However, a faculty member who is writing a book or doing research not directly related to their employment does not have a legitimate educational interest in FERPA protected student information, though aggregate student data may be provided in certain situations.

George Fox University is a small, close-knit community and one’s students may also be colleagues or related to colleagues, therefore discretion must be exercised.

If an employee is not certain if it is appropriate to release information, he or she should check with the Registrar’s office.

When Releasing Information to the Student

When sharing protected information with a student, pertaining to their record, it’s important to verify their identity.

In person: if you know the student by sight no further verification is needed. If you don’t know the student, you can request to see their GFU ID card.

Reference Letters & Recommendations

Before writing a reference or giving a recommendation for a student, especially if it will include FERPA protected education records, get a signed release . Submit the release to the Registrar’s Office to be filed.


It is a significant change for parents to no longer have access to their student’s education record.  However, they have no rights under FERPA.

Verifying parents’ identity

Government Officials

It is not unusual for government officials to come to campus requesting information about a student or alumni, especially regarding an application to work for a branch of the government, like the FBI.

Typically, they will come directly to the Registrar’s Office with their request.  In the rare likelihood that a government official was to come directly to your classroom or office, bear the following in mind:

Security Best practices

By applying a few simple security practices you can easily avoid releasing protected information accidentally or unknowingly.



Each class syllabus should clearly outline expectations for students to post course work, or to interact, on any social media platform or other public forum.  For some students, there may be a legitimate privacy or safety concern about making their work public, and FERPA requires that we protect the student’s privacy.  If a student is not willing or able to engage in public forums as part of their course participation, and has made that clear to the instructor, then other arrangements should be made for them to complete course requirements.  FoxTALE is considered a private forum that is restricted to students enrolled in a given class and, according to FERPA, students cannot insist on remaining anonymous in a private class forum.

Syllabi should also make clear if any class meetings or discussions will be recorded in any manner, and for what purpose those recordings will be used.  Bear in mind that each student’s class enrollment is not directory information and therefore any use of class recordings that would make a student’s enrollment public information requires the student’s signed release.

Peer Evaluation

Utilizing peer evaluation is allowable under FERPA if it is considered pedagogically necessary.


Employees are not allowed to copy any university-owned software without the prior approval of Institutional Technology. This policy also prohibits copying software to install on other university-owned equipment or for an employee’s personal use.

Employees should not utilize any free or open-source software not specifically sanctioned by Institutional Technology to ensure privacy of FERPA protected education records.  See the IT Teaching and Learning resources page for more information.


Before connecting a device to a projector, be sure to close any windows with personal information that should not be viewed by students, including e-mail inbox, etc.  Never make notes about student work or behavior on a device that is currently connected to a projector.

FERPA Resources