Cornell University

Information Protected by FERPA

What is Covered by FERPA 

The following table is a guide to the categories of information FERPA covers. Remember that this is about preventing harm to a student if the information is disclosed outside of legitimate use or stolen by someone with malicious intent. The risk depends on the specific student’s situation, the information involved, who obtains access to the information, and what they intend to do with it. 

If you have questions about a specific situation, contact the Office of the University Registrar.

| Information Category | Risk of Harm from Unauthorized Disclosure |
| --- | --- |
| Education Records are information directly related to a student and maintained by an educational agency or institution or a party acting for or on behalf of the agency or institution. These include, but are not limited to, grades, graded materials, class lists, etc. IMPORTANT: The risk depends on the type of information and ranges from Moderate to High. | Contextual: It depends on the sensitivity of the record. Moderate Risk at minimum. |
| Student Financial Information, including but not limited to Financial Aid applications and records, the student’s Bursar account, work-study record, cost of attendance, and satisfactory academic progress. (The Gramm-Leach-Bliley Act, or GLBA, also covers financial information.) | High Risk |
| High-Risk Personally Identifiable Information (PII): FERPA doesn’t explicitly describe this, but high-risk in Cornell’s classification of regulated data includes SSN, Payment Cards, Driver’s License, Visa or Passport, Bank Account numbers, and any official government ID in conjunction with the person’s legal name or other identifying information. | High Risk |
| Combined Personally Identifiable Information: Refers to situations in which otherwise low-risk information, when combined, positively identifies a student with their educational record. An example might be some combination of NetID + Student’s Full Name + Home Address + a Parent’s Full Name + Phone Number + Date of Birth. If these were present in a Cornell Health record (also protected by HIPAA) or disciplinary context, it would be High Risk. | Contextual: It depends on the sensitivity of the record. Moderate Risk at minimum. |
| Directory Information would not generally be considered harmful or an invasion of privacy if disclosed alone (not with an education record). Directory Information is defined for the institution by the University Registrar. Although this information is considered a moderate risk, the Registrar makes every effort to protect it. Do not release it outside the institution; refer all requests to the Office of the University Registrar. | Moderate Risk |
| Suppressed Directory Information is directory information for a student who has requested that their information not be shared. Students who request this may face increased risk due to unauthorized disclosure. | High Risk |
| Sole Possession Records: Sole possession records are records kept only by the maker (the author) for their personal use. For instance, notes about a student’s behavior in class. The Department of Education lists them as “exempt.” However, sharing them is restricted to the maker or their temporary substitute. Sharing beyond the maker or a substitute, even internally, would cause them to lose their exempt status. | It depends on what is in the notes. Moderate Risk. |
| Exempt Records describes information not covered by FERPA. That does not mean the information is not sensitive; it may be covered under other regulations, such as HIPAA, or under university policy. | Varies based on the type. Moderate Risk at minimum. |

Definition of Education Record

An education record is information related to a student and maintained by an educational agency or institution or a party acting for or on behalf of the agency or institution. It includes but is not limited to:

  • grades
  • graded course materials (homework, exams, etc.)
  • transcripts
  • class lists
  • audio and video with identifiable student participants
  • transcripts of conversations
  • student course schedules 
  • student financial information 
  • student discipline files 
  • personal identifiers associated with an educational record

For more detail, see the table above.

Records may be retained in any format including, but not limited to, handwriting, print, computer media, videotape, audiotape, film, microfilm, microfiche, and email. Source: 34 CFR § 99.2

Definition of Directory Information

According to the U.S. Department of Education, Directory Information is information in an educational record that would generally not be considered harmful or an invasion of privacy if disclosed. Directory Information is not just contact information as found in the online directory. The University Registrar defines what information is included on the University Registrar’s FERPA page and shares it with students via the Annual Privacy Notification Under FERPA in the catalog. 

Students can request that the institution suppress their Directory Information so it is not shared without explicit permission; however, this does not extend to preventing legitimate use in the classroom.

FERPA applies to disclosing personally identifiable information (PII) from the school’s education records. Therefore, FERPA does not prohibit a school official from releasing information about a student obtained through the school official’s knowledge or observation unless that knowledge is obtained through their official role. For example, under FERPA, a school official who acted to suspend a student may not disclose that information absent consent or an exception under § 99.31 that permits the disclosure. Refer all questions to the Office of the University Registrar.

Whether suppressed or not, the University Registrar protects all Directory Information. Do not release it outside the institution, and refer all requests to the Office of the University Registrar.  

Photos and Videos of Students

Information regarding sharing images, videos, and audio recordings involving students or their education records can be found in the U.S. Department of Education FAQ. After review, if you have additional questions, contact the Office of the University Registrar.

Questions and Suggestions

For FERPA questions or requests, such as for any disclosure of information outside the institution, please contact the University Registrar.

For questions or suggestions about these documents, please submit them using this Service Desk form.

For federal government resources, see the Department of Education website Protecting Student Privacy.

