Protecting Confidential Information

In this Article

What information is confidential?

Confidential information must be protected from unauthorized disclosure or public release based on state or federal law. Examples of confidential information include but are not limited to the following:

  • Social Security numbers (SSNs)
  • Some Research Data 
  • Credit card numbers
  • Financial account numbers
  • Student education records (including schedules)
  • Medical Records
  • Passwords

Federal laws that require the confidentiality of information include:

Directory Information

Directory information refers to items of information contained in the educational record which may be released without the student's prior, written consent. Texas A&M University defines the following items as directory information:

  • Name
  • Universal Identification Number (UIN)
  • Address (Local)
  • Address (Permanent)
  • Telephone number (Local)
  • Telephone number (Permanent)
  • Email address
  • Program of study (college, major, campus)
  • Dates of attendance
  • Previous educational agencies/institutions attended
  • Participation in officially recognized activities and sports
  • Degrees, honors, and awards received
  • Classification

However, students may place a directory hold on any or all of this information at Once the student has placed a hold on his or her directory information, this information may not be released without the prior, written consent of the student.

How can I make sure my internet settings are secure when accessing confidential information?

When accessing confidential information such as bank statements and credit card data, you should always use a Virtual Private Network (VPN) that encrypts all data sent to and from your computer.

You can also ensure a link is secure by:

  • Looking for the padlock symbol in the URL browser box that appears when you log in.
  • Only accessing sites with a web address that begins with “https://”. (The ‘s’ stands for secure.)

These two measures indicate that a digital certificate has been issued by a trusted third party, and the information transmitted from the website has been encrypted.

What are the rules about storing and transferring confidential information?

Storing Confidential Information - University SAP 29.01.03.M1.16, Portable Devices requires encryption of Texas A&M related confidential information that resides on portable computing devices. It is recommended that all confidential data be encrypted even if it resides on stationary systems.

Transferring Confidential Information - Security Control SC-13 Cryptographic Protection requires encryption of confidential information when it is transmitted through email or to an off-campus site or when it is accessed from a remote location.

Credit Cards - University SAP 21.01.02.M0.03 Credit Card Collections defines the very stringent requirements for accepting credit card payments. See Credit Card Procedures and Policies for details.

Quick Checklist for Protecting FERPA Data

  • Post grades using secure technology (for help contact Instructional Technology Services at or 979.862.3977, or visit
  • Encrypt all confidential information.
  • Use UINs instead of Social Security numbers. Take the appropriate steps when Social Security Numbers are ABSOLUTELY necessary.
  • DO NOT allow students to see other students grades, even by sorting through a stack of papers to pick up their graded work.
  • DO NOT discuss the progress of any student with anyone other than the student (including parents/guardians) without the consent of the student.
  • DO NOT provide anyone with lists of students enrolled in classes for any commercial purpose.
  • DO NOT provide anyone with student schedules or assist anyone other than professional university employees in finding a student on campus.
How can I safely transfer confidential information?


Do NOT send confidential information through email. Use Filex instead. 

Filex is an easy tool for transferring confidential information. Upload files to the Filex server and add email addresses for recipients. For files containing confidential or controlled information, Filex includes an encryption option. Filex sends a link via email to download the file, which the recipients click to obtain the file directly from the Filex server. If you selected the encryption option, Filex provides a key for you to send to your recipients to unlock the encrypted file. For step-by-step instructions, see Using the Filex file distribution system.

Safe File Transfer Tools

If you need to transfer confidential information between two systems that you manage, use secure protocols like SCP or SFTP. WinSCP is an easy-to-use, Windows tool for SCP and SFTP.

How can I safely store confidential information?

Encrypt Files

By encrypting files, you ensure that unauthorized people can't view data even if they can physically access it. When you use encryption, it is important to have a recovery plan in case you forget your key.

For details, see Security Control SC-13 Cryptographic Protection.

Individual File Encryption

You can encrypt individual files using Pretty Good Privacy (PGP) tools, which can also protect folders and emails. More information and free tools at

Whole Disk Encryption

To better protect your data, consider whole disk encryption. It prevents a thief from even starting your computer without a passphrase. Windows includes BitLocker for internal drives and BitLocker To Go for removable drives. FileVault is a built-in tool for Mac computers. For additional information, visit the Knowledge Base.

How can I safely post grades?

FERPA requires that student grades be accessible only to individual students and other authorized personnel. Posting grades in a secure course management system (such as eCampus) is the preferred method for distributing grades online at Texas A&M University. Instructional Technology Services (ITS) can provide help in using instructional technologies.

If you do not use a Learning Management System, give students their grades individually.

What should I do if I know confidential information has been disclosed?

Report disclosures of confidential information as soon as you realize they have occurred by emailing For additional details about reporting disclosure of sensitive personal information, see SAP 29.01.03.M1.24.

Additional Resources

Visit the following web sites for information on confidential information:

If you have any questions about FERPA, please contact the Office of the Registrar, Records Section at 979.845.1003 or