The Catholic University of America



Best Practices

Protecting Student Privacy While Using Online Educational Services: Model Terms of Service**
Issued by Privacy Technical Assistance Center Feb. 2015

Data Breach Response Training Kit, Issued by Privacy Technical Assistance Center

Campus Safety

Emergencies on Campus: Department of Education guidance on FERPA, June 2011

FERPA and Campus Safety: June 19, 2009 NACUANOTES by Steve McDonald and Nancy Tribbensee Volume 7, No. 8



Responsibilities of Third-Party Service Providers Under FERPA, issued August 2015 by the Privacy Technical Assistance Center

Data Security Terms for a Contract with an Outside Party: Suggestions for meeting the Direct Control Standard in the Dec. 2008 FERPA regulations  

Outsourcing and Cloud Computing for Higher Education: By Tracy Mitrano, Updated January 11, 2010. Includes a section on Legal and Policy Contractual Considerations, as well as a chart at Appendix B by Steve McDonald on Legal and Quasi Legal Issues.

This NACUANOTE covers some of the key legal issues involved in contracting with a commercial entity providing outsourced campus e-mail.


Nov. 22, 2013 FPCO Guidance Letter to U. Mass clarifying written agreement needed when disclosing education records to state longitudinal data system. See page 3 of letter for what should be in place prior to disclosure.

Data Breach Response Checklist (Privacy Technical Assistance Center-U.S. Dept. of Education)

Guidelines to Responding to Compulsory Legal Requests for Information: By Steven McDonald and Andrea Nixon
Includes information on responding to subpoenas, search warrants, court orders, National Security Letters, and Public Records Requests.

Reference Chart on Release of Student Records


Student Authorization to Release Records to Third Party 

Student Employee Confidentiality Agreement

FPCO Model Form For Disclosure to Parents of Dependent Students and Consent Form for Disclosure to Parents

FERPA Notification of Rights


Questions and Answers

Definition of Education Record

Disclosure to the Student pursuant to the Student's Request

Disclosure to a Third Party with the Student's Consent

Disclosure Without Consent to a Third Party

Legitimate Educational Interest

Directory Information

Pursuant to Judicial Order

Release to Parents Without a Student's Consent

Corrections to the Record

Digital Issues


Summary of Law

The Fundamentals of Fundamental FERPA (by Steven J. McDonald, General Counsel, RISD) on the Compliance Alliance web page

FERPA: A Legal Overview, by Congressional Research Service, May 1, 2013

CUA FERPA Awareness Training Modules

FPCO Online Library Page

FPCO Letters from 2002-2007
This page includes FPCO technical assistance letters from 2002-2007 that are relevant to IHEs.

Family Policy Compliance Office

CUA student Records Policy

FTC Fair Information Practice Principles: Delineates five core principles:of privacy protection: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.

Family Policy Compliance Office Guidance letter dated Oct. 7, 2005 to Tazewell County on electronic student database systems and FERPA. This letter has implications for many "standard" student record systems and how they are configured in terms of access.

Catholic University Ferpa Awareness Training



updated CCR 9/17/14