Policy Library Section Header

Page title

HOP 4.1.3 Confidentiality and Security of Education Records Subject to the Family Educational Rights and Privacy Act (FERPA)

Main page content

Sec. 1 Purpose

The Board of Regents of the University of Texas System (UT System) and offices of The University of Texas System Administration (System Administration) require access to Education Records maintained by UT System institutions to fulfill their duties to supervise, plan, coordinate, advise on, audit or evaluate the provision of services and programs by System institutions. In addition, UT System institutions rely upon services provided by System Administration Offices which require those offices to have access to the institutions' Education Records without student consent. The purpose of this Policy is ensure that each System Administration Office has specific procedures in place to ensure that any Education Record accessed by that Office is in compliance with the Family Educational Rights and Privacy Act (FERPA); and that any Education Record maintained by or for that Office is accessed, used or disclosed in compliance with FERPA, and maintained in compliance with applicable state confidentiality and security laws and System policies, at all times.

Sec. 2 Policy Statement

It is the Policy of System Administration to ensure the privacy and records access rights of current and former students of UT System institutions by complying with the requirements of FERPA at all times, as well as to ensure that all Education Records accessed and maintained by System Administration are maintained confidentially and securely.

Sec. 3 Applicability

This Policy applies to all offices and departments within UT System and Individuals that access or use System records obtained through or on behalf of System Administration.

Sec. 4 Procedures

4.1 Identification. Each Office, the Office of Institutional Research and Analysis, the Office of the Chancellor, and the Office of the Board of Regents (collectively "Offices") shall identify: i) the categories of all Education Records maintained by that Office; ii) the specific purpose for which the records were received by the Office; iii); and, the applicable exception under FERPA authorizing the Office to access such records absent student consent. The System Administration Privacy Officer will assist each Office in identifying the applicable FERPA exception(s) for specific categories or sets of Education Records.

4.2 Maintenance.

a) Each Office shall maintain Education Records securely in accordance with UT System information security requirements related to confidential data.

b) Education Records in electronic form stored or otherwise maintained on portable devices of any kind must be encrypted according to System specifications. Education Records shall not be stored, or otherwise maintained, on personally owned devices.

c) An Office that outsources Education Records for any reason, including storage, is responsible for ensuring that an appropriate written agreement is in place to ensure that the Office and the third party to whom the records are entrusted remain at all times in compliance with FERPA and applicable UT System information security requirements.

4.3 Access. Each Office shall ensure that Individuals access and use Education Records maintained by that Office only to fulfill the UT System duties or responsibilities of the engagement requiring the access.

4.4 Record Requests. Each Office shall have a specific process that addresses how the Office ensures that an Education Record request made through that Office to a UT System institution or another Office is permitted by an applicable exception under FERPA and related to the requesting Individual's official UT System duties or responsibilities.

4.5 Re-disclosure. Education Records, including copies in any format, may not be re-disclosed by an Individual unless the re-disclosure is for a purpose permitted by FERPA. Any re-disclosure, other than a disclosure to another Individual so that Individual can fulfill his or her duties or responsibilities on behalf of UT System, must be documented along with the purpose for the re-disclosure and such documentation shall be retained by the Office. For purposes of this policy, "re-disclosure" includes emailing Education Records or copies of the contents of Education Records.

4.6 Retention, Secure Destruction. Each Office shall ensure that Education Records maintained by or for the Office are securely destroyed once they are no longer required for the purpose for which they were obtained. This includes the responsibility to ensure that Education Records are properly classified under the Office's record retention schedule.

4.7 Compliance Review.  Offices will work closely with the System Administration Privacy Officer to ensure that proper compliance with FERPA is maintained throughout the entirety of the retention period for any FERPA records maintained by the Office.

Sec. 5 Training

The Privacy Officer shall provide training as needed on FERPA and this Policy for System Administration employees and shall assist the Office of the Board of Regents in the development of training on FERPA and this Policy to the members of the Board of Regents.

Sec. 6 Duty to Report 

6.1 Instances of Non-Compliance.  Failure to comply with this Policy by an Individual must be reported to the Office of Systemwide Compliance, so that all appropriate actions can be taken the ensure that System Administration remains in compliance with FERPA and other applicable privacy and security laws.


Education Record- any record that is directly related to a Student; and created and/or maintained by or for a UT System institution, as well as Personally Identifiable Information about a Student derived from an Education Record.

Family Education Rights & Privacy Act; 20 U.S.C. 1232g and 34 CFR Part 99.

Individual – all employees of UT System Administration, including contract employees; third party contractors; volunteers; and, members of the Board of Regents.

Personally Identifiable Information- any information derived from an Education Record which can be used alone, or in combination with, other information known to a requestor or the university community, to identify a student. It includes, but is not limited to: the student's name; the name of the student's parent or other family members; the address of the student or student's family; a personal identifier, such as the student's social security number, student number, or biometric record;

Student- any person who is or was enrolled at a UT System institution and any other person who is included within a UT System's institution's FERPA policy's definition of a Student.