Manage Personally Identifiable Information

First, check the Regulated Data Chart to see if the tool is approved for Personally Identifiable Information (PII, also see What is Covered by FERPA).

Productivity software such as Microsoft 365 (previously Office 365), Box, Google Docs, and their associated products, while approved for FERPA, are not approved for high-risk personal identifiers, even though PII is covered under FERPA. 

However, combined directory information that identifies a student is approved in these systems. For instance, you may have a student’s name, email address (including the NetID), phone number, or other contact information, along with their class group assignments. Except for FERPA-suppressed PII, never store high-risk information in these systems (see What is Covered by FERPA), and store the minimum you need for class purposes. Where FERPA-suppressed PII has been included in a file, the entire file should be regarded as High-Risk, and appropriate care must be taken when storing and sharing High-Risk data.

Cybersecurity criminals accumulate data about individuals from multiple sources. The more information they have about a person, the more likely they are to identify a person and be able to act on that information. Therefore, everyone is responsible for minimizing the number of copies of High-Risk data and ensuring necessary occurrences are appropriately protected. The only approved place for long-term storage of high-risk PII is Cornell student systems of record, like PeopleSoft. (Also see When and How to Share Information.)

Minimum security standards must be applied when storing FERPA data on Cornell or personally owned devices, including laptops, desktops, smartphones, tablets, etc. (see Can I store any FERPA data on my computer or smartphone?). Cornell Secure File Transfer (SFT) is the only approved service if High-Risk or other highly sensitive data must be available to another Cornell official outside an approved system. With SFT, a file is usually uploaded and downloaded to a personal device; these should be secured according to Cornell’s minimum security standards (see Can I store any FERPA data on my computer or smartphone?). These files should be removed from the device as soon as the data is stored in an approved system of record like PeopleSoft.

When and How to Share Grades and Contact Information

Can I make directory information, such as name and NetID, available to students in a class for things like forming groups or finding study buddies?

Yes - if forming groups is necessary to fulfill course requirements, then it falls within a course instructor’s professional responsibilities, and sharing the information is allowed. 

While students can request that their directory information be suppressed (so it is not displayed, searchable, or shareable), a student may not use the right to opt out of directory information disclosures to prevent school officials from identifying the student by name or disclosing the student’s electronic identifier or institutional email address in class. As long as a student is enrolled in a class, the requirements for classroom participation supersede any data restrictions placed by the student with the institution. 

If a student emails me and asks for their grade, can I reply with actual exam or course grades?

Yes. You can respond to student grade inquiries if the request is made directly from a student’s Cornell email address. The best practice is to refer the student to a system of record, such as a Learning Management System like Canvas or the student information system, PeopleSoft. However, disclosing grades via Cornell email is okay when a student seeks clarification or needs additional information. Grades should only be emailed to the student directly and never to third parties. Other than in the student-initiated communication above, never forward or reply to emails containing sensitive data without removing such data before transmission.

If a student communicates with you from a non-Cornell email address, the email and any attachments will be processed or hosted by systems not subject to Cornell’s FERPA and security contract language and cybersecurity protections, thus increasing the risk.

Consider including guidance in your class introduction, discussion with TAs, and syllabus about the risks of using email, the institution’s legal obligation to protect students’ privacy and sensitive information like grades, the secure locations where grades will be posted, and preferred ways to discuss grades. 

Can TAs email me grade or attendance spreadsheets?

No. Student grade rosters and attendance sheets should not be sent via email.

How To Share Class Grade Books and Attendance Sheets

To collaborate on class education records, we recommend setting up a Cornell-approved, cloud-based file library where TAs can post files in a folder for their section. The course instructor can then be granted access to the folder(s). You can use Box, Microsoft 365 (OneDrive, SharePoint, and Teams), or Google Suite (Google Docs, Drive, and Sites).  

The recommended choices are:

1. A Cornell-approved File Service if collaboration is essential.
2. Cornell’s Secure File Transfer Service for one-off transfers.

Can I store any FERPA data on my computer or smartphone?

1. Yes, on a Certified Desktop device for Moderate Risk FERPA records. These can be stored on a Cornell-owned Windows or Apple desktop or laptop with approved software and configuration to protect your computer from unauthorized access. You can check your device’s status using the Cornell Certified Desktop Self-check App.
2. Yes, on a Fully Encrypted Smartphone or Tablet: While not encouraged, a fully encrypted, personally owned smartphone or tablet used only by you and never shared (say, with a family member) can be used for temporarily storing institutional data (e.g., reviewing attachments, etc.).  If the device is protected by any authentication method (PIN, Password, Fingerprint, or Face recognition) for any device running IOS 7 (released in 2014) and later or Android 6 Marshmallow (released in 2015) and later, then it is automatically encrypted.

3. No, for all other non-Cornell-owned computers or devices, devices with non-official (not phone vendor supported and updated) versions of the Android OS or rooted devices. Be aware that vendors limit the years of security updates they provide.  Risk can increase significantly if your device no longer receives security updates. 

Never store High-Risk Personally Identifiable Information. (See Information Protected by FERPA) Grades and other educational records for class use can be stored but transferred to PeopleSoft and then deleted. Storing other records, such as graded electronic papers and email exchanges with students, is also acceptable. In any case, record retention rules apply. (See Data Retention Rules.)

I want to use an online tool or application for my course. However, I am worried that it is a violation of FERPA. What should I do?

If it is existing, supported software, it will be listed on the Regulated Data Chart, which shows which data can be stored in the software, and in most cases, you can sign in with your NetID email address (NetID@cornell.edu). Please note this only applies to the instance of the software managed by Cornell as it is legally subject to Cornell’s contract provisions and security controls. 

New acquisitions or renewals of software (free or purchased) must go through the Cornell IT Governance and Procurement process to ensure software agreements include Cornell’s approved FERPA language, which describes the vendor’s legal obligations under FERPA. 

Caution about click-through agreements: Click-through software license agreements presented by a vendor during online purchases are bound to the person clicking it and not to the institution unless there’s a contract that overrides it. Such agreements, even if purchased by a Cornell payment method such as a P-Card, can hold you personally liable for the agreement. The Procurement Office will guide you through the purchase process or contact the Division of Financial Affairs Shared Service Center for more information.

Data Retention Rules

Educational records must not be retained beyond the retention period defined in Data Retention Policy 4.7. As of October 1, 2023, Policy 4.7 sets:

• Gradebook retention period to five years 
• Graded course material (homework, exams, etc.) to one year after a course ends. 

At the end of the retention period, these materials must be disposed of appropriately. 

Sole Possession Records

Sole Possession records are notes on class activities or observations you keep for your use only. 

Sharing is restricted despite being listed as exempt information by the Department of Education. They may only be shared with a temporary substitute for the record maker. Sharing beyond the maker or a substitute, even internally, would cause them to lose their exempt status.

The criteria that must be met for notes to be considered sole possession are:

1. a memory aid
2. private, created solely by and for the individual possessing them
3. observations and professional opinions only

Questions and Suggestions

For FERPA questions or requests, such as for any disclosure of information outside the institution, please contact the University Registrar. 

For questions or suggestions about these documents, please submit them using this Service Desk form. 

For federal government resources, see the Department of Education website Protecting Student Privacy.