Privacy and Security

1)  Do students have a right to see faculty e-mails regarding themselves?

Students may see any materials related to themselves, including e-mails. However, chairs and faculty should be careful not to include information on another student in any e-mail or other documents provided to the student requesting the information.

2) What restrictions does FERPA (Family Educational Rights and Privacy Act) impose on the release of student information and documents?

All University faculty are considered school officials and are required by law to maintain the confidentiality of student records.

Any school official who maintains specific records is considered a record custodian. At UF, the Office of the University Registrar (OUR) is the official custodian for academic records.

The release of any non-directory information about a student to any person - including the student’s family members - outside the university community or to any university personnel without a legitimate educational interest violates federal and state law, as well as university regulations.

FERPA and student records privacy and specific issues for faculty are outlined on the Registrar’s Office website:  http://www.registrar.ufl.edu/staff/ferpafaculty.html and training for FERPA is available through the Privacy Office: http://privacy.ufl.edu/

3) What are “directory information” and “nondirectory information”?

Directory information is the information available about a student that is not considered harmful or an invasion of privacy if disclosed. While FERPA and state law protect the privacy of educational records, directory information is not treated as confidential and may be disclosed by the University without student consent unless the student requests a privacy hold. At UF, the following has been designated as directory information: Student name, local/permanent addresses and email address, telephone number(s), class and college, major, enrollment status (e.g., undergraduate or graduate level; full time or part time), dates of attendance at UF, degrees and awards received at UF, most recent previous educational institution attended, weight and height of university athletes, publication titles (dissertations), nature and place of employment at UF.

Nondirectory information refers to information that generally cannot be released without the student's consent. This includes: birth date, religion, citizenship, disciplinary status, ethnicity, gender, grade point average, marital status, UFID or social security number, grades/exam scores, standardized test scores, and actual number of hours enrolled.

Note: Nondirectory information may not appear in letters of recommendation provided for students, unless the student provides permission in writing for the information to be used. References to specific grades or GPA, for example, would be inappropriate without written permission.

4) Can a parent or relative who pays student tuition and fees see the student's academic records?

Yes, but only under some circumstances. Under a very specific set of IRS regulations, there may be times when some academic information can be shared with parents or legal guardians. It is best to check with the Office of University Registrar and/or the UF Privacy Office BEFORE releasing any such information.

The more common options that may allow access are:

• The student may request that a transcript be mailed to the parent or relative.

• The parent may provide appropriate documentation to the Office of the University Registrar that indicates the student is their dependent.

Privacy information regarding the rights of parents of students may be found on the Registrar’s Office website:  http://www.registrar.ufl.edu/parents/ferpaparents.html

5) Can a faculty member post grades using UFIDs as identifiers?

No. If a faculty member posts grades, a unique and confidential identifier (e.g., 4-digit number) should be used.

This unique identifier cannot be part of the student's name, UFID, or social security number. The grade lists must be arranged in random, not alphabetical, order.

6)  What are the chair’s responsibilities for data security?

The chair should be familiar with UF policies on information technology and data security. The UF Office of Information Security and Compliance (UF IT Security) issues guidelines and maintains policies related to email, virus protection for computers, copyright standards, laptop security, acceptable use of IT, and other areas of security vulnerability: http://it.ufl.edu/policies . UF IT Security provides a variety of informational resources that summarize best practices and expectations in this area:  https://security.ufl.edu/learn-information-security/protect-yourself/data/. Chairs and directors should immediately notify UF IT Security at security@ufl.edu or ufirt@ufl.edu if you believe IT security has been breached. If you believe faculty, staff, student, or research data has been compromised, you should contact the UF Privacy Office at privacy@ufl.edu.