Skip Navigation

FERPA Best Practices

FERPA Best Practices

Long, crimson divider

Accessing Information

Before accessing or collecting information from a student’s educational record, consider:

  • Why do I want this information?
  • Do I need it to carry out my job duties?
  • Can I fulfill my job duties without it?
  • What is my plan for protecting the information once I access it?

Retaining Information

If you need to retain information from a student’s educational record, consider:

  • Is it absolutely necessary for me to retain a local copy of the information?
  • Does the university store the same information elsewhere?
  • Can you access the information from the university’s storage location rather than creating a local copy requiring additional protection?

Storing Information

If you need to store the information you collected, consider:

  • Is the information in an electronic format, properly secured?
    • NEVER store information on personal storage areas such as personal flash drives, home computers, external email, or external online storage services.
  • Are you using a secure file server?
  • Do you log off or lock your workstation when you step away?

Sharing Information

Before you share information from a student’s educational record, consider:  

  • Is it directory information? If yes, does the student have a directory hold?  

  • If it is not directory person or the student has a directory hold, do you have the student’s express, written permission to share the information, or is there a release on file with Academic Records?  

  • Did you verify the identity of the person you’re sharing information with, even if you think it’s the student?  

  • If you’re sending an email including education information, are you sending it from your OU email account? Have you double-checked that the persons you’re sending the information to are the persons you intend to email?  

Additionally, when electronically transmitting information from a student’s educational record, remember: 

  • Never send FERPA-protected data via non-encrypted email, text, or instant message. 

  • Do not forward or reply to emails including information from a student’s educational record without removing the information prior to transmission. 

  • Do not include the student’s ID number on the subject line of the email. 

See OU Information Technology's article for further information on sending encrypted emails.