Student Data Policies for University Employees and Third-Party Contractors


The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. A school official with a legitimate educational interest is permitted access to an education record.

What is an education record? An education record contains information that directly relates to a student and is maintained by an educational institution or a party acting on its behalf. Common examples include transcripts, class schedules, conduct files, official notes, financial records, and application materials (for attending students only).

Who is a school official? A school official is a person employed or contracted by the university in an administrative, counseling, supervisory, academic, student support, or research position.

What is a legitimate educational interest? An official has a legitimate educational interest when they require access to an education record in order to perform their professional responsibility.

University employees and approved third-party contractors are required to comply with FERPA as well as state and federal privacy laws when accessing and handling student data. This includes only accessing private information about students for whom he or she has a legitimate educational interest.

Directory Information

Directory information is information that can be released to third parties without the prior consent of the student, unless the student specifically requests otherwise in accordance with the Office of the University Registrar’s procedures. Although directory information may be released unless the student has notified the Office of the University Registrar otherwise, Northeastern considers each request on an individual basis.

Northeastern treats the following as directory information (the office listed has the most accurate and up-to-date information):

Office of the University Registrar

  • Student name
  • Home address (city, state, country only)
  • Major field of study
  • College
  • Class year
  • Enrollment status (e.g., undergraduate or graduate, full-time or part-time)
  • Dates of attendance
  • Degrees, honors, and awards received
  • Most recent educational agency or institution attended

Department of Athletics

  • Sports activity participation, showing weight/height of members of athletic teams

Center for Student Involvement

  • Participation in officially recognized activities

For the most up-to-date information, please refer to the Northeastern FERPA policy.

Additional FERPA Guidelines for Faculty, Staff, Administration, and Approved Third-Party Contractors

Only access a student’s record if you have a legitimate educational interest for that specific student. View only what is necessary for your professional responsibility. For example, if you are a faculty member, you should only review a student’s grades in a class for which you are the instructor.

Nondirectory information may not be released without written consent from a student. When in doubt, get written consent.

Maintain the privacy of all student academic work (paper and electronic) at all times, including at work, at home, and in transit. Keep in mind when working with student records that not only grades are protected. A simple request of one student’s class schedule by another student, if provided, would be a violation of FERPA. Any disclosure of nondirectory information requires a written release from the student.

While FERPA protects a student’s privacy and educational records, it does not bar university officials from sharing critical information about troubled students with appropriate parties. University officials, including faculty and instructional staff, are permitted and encouraged to share information about a student who is or might be considered a risk to him or herself or others. Additionally, faculty and staff with information relating to an occurrence of sexual harassment or sexual violence toward a student must immediately report such information to the Office for Gender Equity and Compliance or NUPD in accordance with Northeastern’s Policy on Rights and Responsibilities under Title IX.

Routinely review university-provided FERPA materials. Participate in any university-sponsored trainings to ensure you are up-to-date on any changes in the law or university policy.

Access to Student Data

Northeastern has two systems that are the source for the majority of student data: the Operational Data Store (ODS) and Banner. Data is then fed from these two systems into other systems. While other systems may be useful for specific college and department needs, other systems should only be used for operational reporting. If you are a system owner of a system that contains student data, you have additional responsibility to ensure the protection and proper use of any data fed into your system to ensure compliance with FERPA and university policy.

University Practices for Student Data for Faculty, Staff, Administration, and Approved Third-Party Contractors

  • Do not use personal information—including student name, ID, and SSN, or a portion of any ID/SSN numbers—for the public posting of grades. Never allow students to pick up their work by sorting through stacks of graded materials that include classmates’ work.
  • Never provide a report, spreadsheet, or other list of student data to an outside agency without specific prior approval. Institutional Research and Marketing and Communications are charged with this to ensure security and consistency. In addition, student data supplied to or pulled by you should only be used within your college.
  • Only use data for the specific reason it was requested.
  • Students should not be given data on other students directly. Student groups must work with an advisor or university department as a sponsor in the event they need access to specific data.
  • No student data should be used in human subject research studies without the approval of the Institutional Review Board.
  • Student data will only be sent to official Northeastern email accounts. Data will not be sent to a Northeastern email account that is forwarded to a personal email address.
  • The Office of the University Registrar provides data for university faculty, staff, administration, and approved third-party contractors as appropriate. The office is not able to provide data for student projects.
  • The Office of the University Registrar does not provide lists of student emails for research purposes.
  • The Office of the University Registrar reviews all requests for directory information on an individual basis. Release of information is at the discretion of the responder. Student address (city, state, country) will not be released as part of general requests.

For further questions on FERPA or student data access, please contact [email protected].