FERPA Privacy Checklist for Online Course Hosting



The Family Educational Rights and Privacy Act (FERPA) is a federal law that requires universities to (1) give students access to their education records, and (2) keep personally identifiable education records confidential with respect to third parties.


Because an online environment creates a record of student activity, it is subject to FERPA privacy rights, unlike verbal exchanges in a physical classroom.


Activities That May Trigger FERPA Duty


  1. If students submit information electronically, is the information accessible to anyone other than the student who submits it and NC State employees who need to know the information to carry out their job duties (typically, the instructor and computer system administrators)?


[ Example:  an off-campus vendor uses its servers to automatically grade electronic student assignments and send the grades back to the instructor on campus. ]

2.     Do you send information about a student to anyone other than (1) the student or (2) NC State employees who need to know the info to carry out their job duties?


[ Examples:  the instructor posts student work for other students in the class to review, or a person or computer at the university makes student information available  to a vendor who provides online supplemental services for course management software or for textbook materials. ]



Possible Ways to Fulfill FERPA Duty


  1. First Option  —  Student Consent


If “yes,” to either of the two prior questions, then one way to comply with FERPA is to obtain the written, signed, dated consent of each student for the release of his/her information.  This consent must be completely voluntary; that is, students who decline to provide the consent must not be denied any academic opportunity or privilege or suffer any adverse consequences.  A generic consent form is at http://www.ncsu.edu/legal/legal_topics/ferpa/ferpaonlineforms.php




  1. Second Option  —  Student Comments Only Available to Other Students in the Course


For communications and posting of student work for electronic discussion among students in a class, the express written consent of students is NOT required, provided that


  1. electronic postings of student work do not contain grades or evaluative comments of the professor,
  2. the students perform the posting rather than the professor,

iii.      students are notified prior to or at the time of enrollment that posting of their work is a course requirement, and

  1. the posted work is available only to members of the class.




  1. Third Option  —  Outside Parties Under Contract to the University


Where an outside party, such as a vendor, receives student information (e.g., for grading, or access to online supplemental materials provided by a textbook publisher), the third party recipient should be bound by contract to preserve confidentiality, if at all possible.  Please contact the Office of General Counsel for assistance with drafting a contract appropriate for your needs.



Special Exception


Do you require students to send a letter to the editor, or post to a non-university blog, or post to a social networking site not affiliated with faculty, or comparable activity?


In such cases the activity may not be FERPA-protected because it has not been received and therefore is not in the custody of the university, at least until the student submission is copied or possibly just reviewed by the faculty member.  However, the privacy principle behind FERPA can be a concern in this situation.  Therefore…


This type of student submission should be assigned only if it can be done without the student being identified as an NC State student, and without indicating that the submission is part of academic endeavor.




Please note that FERPA was written before the Internet existed, it is an awkward fit to modern teaching, and concerns about the workability or usefulness of FERPA are better addressed to the U.S. Department of Education.