The Catholic University of America



Best Practices

Protecting Student Privacy While Using Online Educational Services: Model Terms of Service**
Issued by Privacy Technical Assistance Center Feb. 2015

Data Breach Response Training Kit, Issued by Privacy Technical Assistance Center

 ACCRAO Guidance on Transcript Disciplinary Notations, June 2017

It is a common practice of registrar professionals to place notations on transcripts when a student has a required separation from, and is deemed ineligible to enroll in, an institution for not meeting minimum academic standards. This Guidance recommends that this same practice be followed when there is a required student separation from an institution for behavioral or other reasons. This includes providing notice of serious misconduct to insitutions to which the student may wish to transfer. Includes guidance on what to do when a disciplinary matter is pending. 

Campus Safety

Emergencies on Campus: Department of Education guidance on FERPA, June 2011

FERPA and Campus Safety: June 19, 2009 NACUANOTES by Steve McDonald and Nancy Tribbensee Volume 7, No. 8

Privacy and Safety on Campus: A Legal Framework: SUNY Guidance on Information Sharing for Faculty, Staff and Law Enforcement. 


Responsibilities of Third-Party Service Providers Under FERPA, issued August 2015 by the Privacy Technical Assistance Center

Data Security Terms for a Contract with an Outside Party: Suggestions for meeting the Direct Control Standard in the Dec. 2008 FERPA regulations  

Outsourcing and Cloud Computing for Higher Education: By Tracy Mitrano, Updated January 11, 2010. Includes a section on Legal and Policy Contractual Considerations, as well as a chart at Appendix B by Steve McDonald on Legal and Quasi Legal Issues.

This NACUANOTE covers some of the key legal issues involved in contracting with a commercial entity providing outsourced campus e-mail.



NACUANOTE: FERPA v. Public Record Laws, June 6, 2016 

Nov. 22, 2013 FPCO Guidance Letter to U. Mass clarifying written agreement needed when disclosing education records to state longitudinal data system. See page 3 of letter for what should be in place prior to disclosure.

Data Breach Response Checklist (Privacy Technical Assistance Center-U.S. Dept. of Education)

Guidelines to Responding to Compulsory Legal Requests for Information: By Steven McDonald and Andrea Nixon
Includes information on responding to subpoenas, search warrants, court orders, National Security Letters, and Public Records Requests.

Reference Chart on Release of Student Records


Student Authorization to Release Records to Third Party 

Student Employee Confidentiality Agreement

FPCO Model Form For Disclosure to Parents of Dependent Students and Consent Form for Disclosure to Parents

FERPA Notification of Rights


Questions and Answers

Definition of Education Record

Disclosure to the Student pursuant to the Student's Request

Disclosure to a Third Party with the Student's Consent

Disclosure Without Consent to a Third Party

Legitimate Educational Interest

Directory Information

Pursuant to Judicial Order

Release to Parents Without a Student's Consent

Corrections to the Record

Digital Issues


Summary of Law

FPCO Nov. 2, 2017 letter to Agora School District. The Department found that Agora violated FERPA when it required parents, as a condition for their children receiving educational services, to agree to the "Terms of Use" and "Privacy Policy" of its third-party vendors (K12 Inc., Sapphire, and Blackboard Inc.).

The Fundamentals of Fundamental FERPA (by Steven J. McDonald, General Counsel, RISD) on the Compliance Alliance web page

FERPA: A Legal Overview, by Congressional Research Service, May 1, 2013

CUA FERPA Awareness Training Modules

FPCO Online Library Page

FPCO Letters from 2002-2007
This page includes FPCO technical assistance letters from 2002-2007 that are relevant to IHEs.

Family Policy Compliance Office

CUA student Records Policy

FTC Fair Information Practice Principles: Delineates five core principles:of privacy protection: (1) Notice/Awareness; (2) Choice/Consent; (3) Access/Participation; (4) Integrity/Security; and (5) Enforcement/Redress.

Family Policy Compliance Office Guidance letter dated Oct. 7, 2005 to Tazewell County on electronic student database systems and FERPA. This letter has implications for many "standard" student record systems and how they are configured in terms of access.

Catholic University Ferpa Awareness Training

 FPCO Letter dated 12-7-17 on disclosure of video including multiple students to affected parties. Disclosure allowed even though identity could not be blurred. This was in a disciplinary situation. 


updated 3-5-18