FERPA – Employees



Summary of the Guidelines within the webpage


The policy can be accessed from the Policy Library.


FERPA training is required to be completed within the first month of employment, and annually, thereafter. The AACRAO FERPA training can be accessed within Skillsoft (via Trailhead). 

How to handle FERPA violations

FERPA, 20 U.S.C. § 1232g, generally prohibits the disclosure of education records other than directory information, without the student’s permission. FERPA does not require prior consent in certain circumstances, the most common being to school officials (or party acting on Mines behalf) in the process of carrying out their specifically assigned educational and administrative responsibilities. 

If the Mines’ policy has not been followed or student data has been provide to an unauthorized individual without consent, please contact the Privacy Office at privacy@mines.edu or call 303-384-2504 for assistance with corrective actions. The lost data may need to be identified and an assessment completed concerning official notification requirements for the purposes of FERPA and other necessary compliance with federal or state laws. The Privacy Office will work with the Registrar’s Office, ITS, and Office of the General Counsel, as needed.

In the event the violation relates to a stolen computer where private student data has been stored on a local (non network) drive, the user is required to immediately contact ITS in order to report the stolen data. 


Retention and disposal of education records must be completed in accordance with the Mines’ retention policy. Any document containing personally identifiable information must be securely disposed of in accordance with University guidelines.

Education records cannot be disposed of, even after the retention period has passed, when there is an open request for that education record. 

Maintenance and Storage
  • All Student Data taken from Banner/ODS via COGNOS and put into local spreadsheets, documents, or databases must be maintained on Mines campus computing networks made available to campus employees for work purposes that are protected by passwords and campus firewalls.
  • Student Data may not be stored on local (C:) drives of work or personal laptops or desktop computers or unencrypted jump drives.

See the U.S. Department of Educations FAQ’s located here.



Disclosure means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written, or electronic means to any party except the party identified as the part that provided or created the record.

Personally identifiable information includes, but is not limited to,

  • The students name;
  • The name of the students parent or other family member;
  • The address of the student or student’s family;
  • A personal identifier, such as the student’s social security number, student number (CWID), or biometric record;
  • Other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name;
  • Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
  • Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.  

Mines may release and disclose education records to school officials who Mines has determined to have legitimate educational interests in the education record. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibilities.

To ensure student data reported to outside agencies, third parties, and vendors is in compliance with FERPA laws and policies, appropriate approval, must be obtained prior to sending, transferring, or disclosing the student data. Refer to the Procedures for necessary approvals.


FERPA allows the institution the right to disclose student records or identifiable information without the student’s consent under the following circumstances:

  • To authorized representatives for audit of Federal or State supported programs.
  • To university employees who are in the process of carrying out their specifically assigned educational or administrative responsibilities acting in the student’s educational interest.
  • Veteran’s Administration officials.
  • Officials of other institutions in which a student seeks or intends to enroll on the condition that the issuing institution makes a reasonable attempt to inform the student of the disclosure unless the student initiates the transfer.
  • Persons or organizations providing financial aid to students.
  • Organizations conducting studies for, or on behalf of, educational agencies or institutions to develop, validate, and administer predictive tests, to administer student aid programs or to improve instruction, provided that individual identity of students is not made.
  • Accrediting organizations carrying out their accrediting functions.
  • Parents of a student who have established that student’s status as a dependent according to Internal Revenue Code of 1954, Section 152.
  • Persons in compliance with a judicial order or a lawfully issued subpoena, provided that the institution makes a reasonable attempt to notify the student in advance of compliance. NOTE: The institution is not required to notify the student if a federal grand jury subpoena, or any other subpoena issued for a law enforcement purpose, orders the institution not to disclose the existence or contents of the subpoena.
  • Persons in an emergency, if the knowledge of information, in fact, is necessary to protect the health or safety of students or other persons.
  • An alleged victim of any crime of violence of the results of any institutional disciplinary proceeding against the alleged perpetrator. The information may only be given in respect to the crime committed.
  • Schools may disclose personally identifiable information from education records to an outside contractor without prior written student consent if the outside contractor is a “party acting for” the institution and is performing a service which the institution would otherwise have to perform for itself (as in the case of the National Student Loan Clearinghouse for loan verification).
  • Representatives of the Department of Homeland Security or Immigration and Customs Enforcement, for purposes of the coordinated interagency partnership regulating the Student and Exchange Visitor Information System (SEVIS).
  • FERPA has been amended to permit educational agencies and institutions to disclose personally identifiable information from the student’s records to the Attorney General of the United States or to his designee in response to an ex parte order in connection with the investigation or prosecution of terrorism crimes.

If you are contacted by a member of the print or visual media, refer the requestor to Public Relations. Do not answer any questions about any student. Please use the word person when referring them to Public Relations.


Employment records are excluded from ‘education records’ under FERPA, unless being a student is part of the job description and requirements (e.g., a work-study or graduate teaching assistant/graduate research assistant position), in which case any employment records concerning the student who holds that position are education records and subject to FERPA. 

If student status is irrelevant to the job description and position, then those records would be considered employment records and would fall outside of FERPA.


Student data used in human subjects research is subject to both FERPA regulations as well as human subjects regulations. Use of student data within research is not considered a legitimate educational interest under FERPA and therefore, cannot be used without written consent.

Any use of student data within human subjects research must follow the Mines’ human subjects procedures, and be approved in advance prior to use in research.

CORA Requests

FERPA supercedes the Colorado Open Records Act (CORA) regarding release of student records. CORA requests are handled through the Office of the General Counsel



The public posting of grades either by the student’s name, institutional student identification number, or complete or partial social security number is a violation of FERPA, whether done via paper source or via electronic means including the web.

Instructors and others who post grades should use a system that ensures FERPA requirements are met. This can be done by using code words or randomly assigned numbers that only the instructor and individual students know.

In addition, academic papers may not be left in common areas where students may look at other students’ papers.

If it is necessary for a faculty member to use a student record as an example in a public University meeting, all identifying information (including name, address, CWID, etc.) must be removed from the documentation before dissemination.

Notification of grades via email is not recommended. There is minimal guarantee of confidentiality.


FERPA’s prohibition on disclosure of personally identifiable information from an education record of a student applies to any kind of non-directory information (e.g., performance in class, grades, attitude, motivation, abilities, background) conveyed in writing, in person, or over the telephone to third parties.

Although such information is usually conveyed by faculty members at the informal request of the student and is usually positive, the better practice is to request a written consent form, meeting the FERPA requirements, before providing the information. (See the Student Release Form)


Are you wondering if you can use free or demo software in your classroom? 

Software to be used in the classroom, especially when student coursework or grades will be captured in the software, regardless of the cost, needs to go through Mines’ software acquisition process. This is to ensure that technology, security, and privacy concerns are addressed upfront. To initiate this process, please submit a ticket to the ITS Helpdesk


Dissemination of information to students must adhere to the Email Lists Rules and Guidelines. Even though access to email addresses may be provided, only approved emails may be sent directly to students.


No. All Mines employees that handle student education records have a responsibility under FERPA to protect the privacy of those records. When you are teaching students in a course setting, you have an interest in accessing student education records (coursework, papers, grades, etc.) as needed to meet your responsibilities as an educator and to perform tasks related to the student’s education (assessment/improvement of the course).  However, this authorization does not extend to the use of the education records for individual research.  Students have a right to know how their education records will be used and disclosures of education records for faculty research use must be authorized by the student.  See the Human Subjects Research website for more details. 


Privacy Compliance Office
1600 Jackson St., Suite 240
Golden, CO 80401


Registrar’s Office
Student Center E280
1200 16th Street
Golden, CO 80401