Congress enacted FERPA, also referred to as the "Buckley Amendment," in 1974. FERPA conditions federal educational funding on providing students access to, and maintaining the privacy of, education records.
This mandatory online training guide consists of an explanation of FERPA (Family Educational Rights and Privacy Act) policy, a set of questions for you to use to test your comprehension of the policy, and the online form for you to submit when you have completed the training. The training takes approximately 30 minutes and should be completed in one sitting. If you exit the training before you complete it, then you must re-start at the beginning of the training when you return.
Please contact your supervisor if you have any questions regarding this training.
The University's FERPA Compliance Policy can be found online at http://www20.csueastbay.edu/students/student-services/student-records/ferpa-privacy-policy.html. The summary information in this tutorial cannot be a substitute for reading the Cal State East Bay's Compliance Policy. We also encourage you to review FERPA directly at http://www.ed.gov/policy/gen/reg/ferpa/index.html.
The rights under FERPA apply to eligible students. An eligible student is an individual who is, or has been, in attendance at Cal State East Bay. FERPA does not apply to applicants unless they are admitted and attend Cal State East Bay.
There are seven primary rights under FERPA. These are:
FERPA defines an education record subject to the Act to include those records, files, documents, and other materials that:
For purposes of FERPA, the term "education records" does not include the following:
In general, an institution cannot disclose "education records" or information from "education records" to anyone other than the relevant student unless it first has obtained a signed and dated written consent from the relevant student (or all relevant students, if the records are "directly related" to more than one student).
The student can provide a written release giving specific consent to the disclosure of the student's education records. The release needs to be dated and signed and must describe the records that may be disclosed, the purpose for which they may be disclosed, the persons or classes of persons to whom the records may be disclosed, and time period the release is effective. There are a number of different releases at the University, including a generic release and releases specifically designed for student athletes and for job references. A faculty member should have a student sign a release before providing a job reference or reference for the student for certain academic purposes, such as scholarships or awards. The faculty member may obtain this release through a personal letter or e-mail from the student, or have the student sign a "Request for Verification" release form. FERPA permits Cal State East Bay to accept a signed and dated written consent in electronic format as a valid consent to disclose education records. "Signed and dated written consent" includes a record and signature in electronic format that (1) identifies and authenticates a particular person as the source of the electronic consent; and (2) indicates such person's approval of the information contained in the electronic consent. If a record contains personally identifiable information on other students, redact that information before disclosing the record on behalf of the student who has provided written consent. The University Registrar is the university official responsible for keeping all official academic education records. Only the Office of Student Records may release an official transcript. All requests for education record information originating from outside the University should be directed to the Office of Student Records.
Cal State East Bay may disclose "education records" without consent only if it first redacts all "personally identifiable information" from the records or one of the 15 exceptions enumerated in FERPA applies. Many of these exceptions are provided in the regulations to allow for the reasonable and practical workings of an educational institution. The exceptions are listed in the University's Student Record Policy. Some of the most common exceptions include:
When a student over the age of 18 is in attendance at the University, the student possesses his or her rights under FERPA. The student may authorize the University to release information to a parent by completing the Release of Information Form which must be signed by the student and parent, and submitted in person to the Student Information Lobby at Hayward or Concord campuses accompanied with Photo ID. Written consent to disclose education records is not required to parents of a minor student, if that minor is still claimed by the parents as a dependent for income tax purposes. Faculty and staff need to be careful when a parent calls and asks for information about a student. If there is no written waiver by the student, disclosure even to a parent can be unlawful. If you are in doubt, faculty and staff should obtain assistance first from the University Registrar or the Office of Student Records.
FERPA permits institutions to specifically define some education record information as directory information not confidential under FERPA. Directory information means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed. Cal State East Bay has defined "directory information" as:
To take advantage of this exception, the University must give its students notice of the information it has designated as "directory information" and an opportunity to opt out. Even though directory information is considered public, the University is not required to release any information designated as directory information. There are situations where the campus might decide for policy reasons not to release directory information. For example, the University has opted not to release lists of student e-mail addresses to outsiders even though most, if not all, campuses have designated student e-mail addresses as directory information. As discussed below, before releasing any directory information, review the student's record in PeopleSoft to determine if the student has placed a FERPA block on their record to prevent the release of any information, including directory information. Any request for information from an external organization that involves identifiable student data should be directed to the University Registrar.
Yes. The University must allow a student to opt out of the release of directory information. Students must complete a Disclosure of Directory Information Form to request that all directory information be restricted from release. Therefore, faculty and staff need to be careful about assuming that because an item is directory information it can be freely disclosed. If a student restricted the Disclosure of Directory Information, a service indicator icon will appear on every page of their record in PeopleSoft.
A school official is a person employed by the University in an administrative, supervisory, academic or research role, or support staff person (including law enforcement unit personnel and health staff); a person or company with whom the University has contracted as its agent to provide a service instead of using University employees or officials (such as an attorney, auditor or collection agent); a person serving on the Board of Trustees; or a student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. The University must give annual notice of its criteria for determining who is a "School official."
If at any time you receive a request for student data from an external organization that is not associated with the University or contracted by the University to process or study student data, those requests should be directed to the University Registrar. You should not release any information on students to individuals or organizations that are not contracted by the University without the signed and written consent of the student or students in question.
"Legitimate educational interests" are defined as those interests, which are essential to the general process of higher education prescribed by the body of policy adopted by the Board of Trustees. Persons who require the records to perform the functions of their job have legitimate educational interests. Legitimate educational interests would include teaching, research, public service, and such directly supportive activities as academic advising, career counseling, discipline, financial assistance and advisement, medical services, and academic assistance activities. The University must give annual notice of its criteria for determining what is a "legitimate educational interest."
The responsibility for enforcing FERPA rests with the Family Policy Compliance Office of the Department of Education, which is authorized to investigate and review potential violations and to provide technical assistance regarding compliance issues. If it determines that a complaint is meritorious, the Office will recommend steps necessary to ensure compliance with the act and provide a reasonable time for the institution to come into compliance. If the University does not come into compliance, the Department is authorized to terminate all or any portion of the University's federal funds. While there is generally no private cause of action directly under FERPA, students may seek to hold the University or individuals liable under common law tort theories such as invasion of privacy.
The Office of Student Records is the first stop for any student records questions regarding FERPA or the University's policy and implementation of FERPA. University Counsel is also a good resource. At a minimum, each person on campus who has access to student record information should read the annual notice to students and the Student Record Policy.
* ADAPTED FROM OF COUNSEL - A BULLETIN ON LEGAL ISSUES AT CATHOLIC UNIVERSITY OF AMERICA - NOVEMBER 1997.
THANK YOU FOR COMPLETING THE EDUCATIONAL PORTION OF THIS TUTORIAL.
In the next section you will be asked a series of questions that are designed to help you better understand the application of FERPA at Cal State East Bay. You will not be graded on this exercise but you must complete it to receive your FERPA certification. Failure to answer all the questions on the quiz will prevent you from receiving the certification and cause you to lose access to the University data system or any reports generated through it. When taking the quiz you are asked at times to think of yourself as the caretaker of the data to which the questions refer. Please try to place yourself in the specific situation asked and answer the question as best you can.
A parent calls to ask how his son or daughter is doing in class. The student's directory information has not been suppressed. Can you give the parent information about the student's grades?
Yes No
No is the correct answer. You may not give out the information because:
You are the custodian of certain student records and you receive a phone call from someone claiming to be the parent of a student who is currently enrolled at the University. They claim that the student is under the age of 18 and that they, the caller, have the right to view the student's academic record. You look up the student and realize they are under the age of 18 but there is no Release of Information Form. Do you give the caller the information?
No is the correct answer. You may not give out the information. There are a number of reasons you should not give the data to the caller above. First, the request is made over the phone and there is no way to verify the identity of the caller. Although the student is not yet 18 years of age, it is Cal State East Bay policy not to release any information to parents of any currently enrolled or previously enrolled students if there is no Release of Information Form on file that covers the period of attendance for which the request has been made.
The Records Office receives a formal request in the form of a letter from the parent of a registered student for whom directory information is suppressed. The parent wants to know if the student is registered for the current semester. Should the Records Office release that information?
No the Records Office should not release that information. Indeed the correct response for any external inquiry regarding a student whose directory information has been suppressed is, "There is no information available for anyone by that name."
You receive a call from the police asking for a student's class schedule for the current term. They are investigating a crime. Can you give them the information?
No is the correct answer. A student's class schedule is not considered directory information. You may not release it. Law enforcement authorities must provide a court order or subpoena to obtain private educational records. Furthermore, the University must make a reasonable attempt to notify the student before releasing the information to authorities, unless the court order specifically forbids notification of the student. Refer authorities to the University Registrar for information and assistance. If authorities ask for directory information, you may provide it if the student has not suppressed the information.
The University of California, Berkeley submits a request for a student's final transcript claiming that the student has applied to graduate school at UCB. Should Office of Student Records send an official transcript in response to the official request?
Yes is the correct answer. In accordance with FERPA and CSUEB policy the Office of Student Records is allowed to release academic records for a student to, "another school where the student seeks to enroll."
The Office of Student Records receives a request from an academic department chair who asks for a list of names and addresses for students who are enrolled in a specific course in the department. The addresses will be used to mail a survey about the quality of the course. Results of the survey will be used to improve the course. Is this an appropriate use of student records?
Yes is the correct answer. It is permissible to supply the list of students because the information is to be used by a University official to carry out responsibilities that are related to the educational interests of the students.
An academic department is preparing an e-mail message to departmental students about a critical academic deadline. Should the name and e-mail address of a student who has requested that their directory information be suppressed be included in the mailing list?
No is the correct answer. Students who have requested that their directory information be withheld should not appear on a list of any kind. Best practice in such a mass e-mail to students would be to enter all students e-mail addresses as blind copy recipients.
A well-respected faculty member asks a college office for a list of student e-mail addresses in order to contact the students about an academic research project she is conducting. Should the college office supply the information?
No is the correct answer. The college office may not supply this information. The Institutional Review Board (IRB) must approve any use of student information in connection with academic research, so the professor must apply to the IRB for approval first. The IRB application is available on the Web. If the application is approved, the faculty member may then work with the Office of Student Records to provide the appropriate data.
The University Registrar is informed that the United States Marine Corps intends to conduct a recruitment activity on campus and the Registrar receives a formal request to supply them with a list of students who are enrolled in the current term and their mailing address so the Marine Corps can inform them they will be on campus and invite the student to meet with them during that appointed time. Do you supply the information to the Marine Corps?
Yes is the correct answer. In accordance with the with 1996 Solomon Amendment, any institution of higher education that receives federal funds, must disclose certain kinds of student information, referred to as " Student Recruiting Information," to United States military recruiters if the student does not have a FERPA block. "Student Recruiting Information" includes:
You receive a subpoena for individual student data and you are unclear as to whom you should give the subpoena. The record involves a student's enrollment and their financial aid. You should refer the person to one of the following:
a) Office of Student Financial Aid b) The Vice President for Planning, Enrollment Management, and Student Affairs c) Vice President for Administration and Finance d) The Registrar and/or Office of Student Records
The correct answer is the (c) Vice President for Administration and Finance. Although in most cases when you are unsure of whether you can or cannot disclose information to an external person or organization is determined by the University Registrar and/or Office of Student Records, all lawfully issued subpoenas are processed through the Vice President for Administration and Finance's Office. The Vice President then ensures, in consultation with the relevant University offices, an appropriate response to the subpoena is issued.
A faculty member posts grades outside his office. He states this is acceptable because only partially redacted social security numbers are used to indentify the students. Is he violating FERPA?
Yes is the correct answer. The faculty member is in violation of FERPA. The faculty member claims that no one will know who the students are based on the partially redacted Social Security Numbers are not acceptable. The court, in a letter to Hunter College, stated that even the partial use of a student's social security number to publically post grades is a violation of FERPA.
A professor has a stack of term papers for students to pick up. Is it acceptable to leave the papers in a location where students can look through the stack to locate their own paper?
No is the correct answer. Leaving the papers in a location where students can look through the stack would violate the confidentiality of each individual student, since students can see the names and grades of their classmates.
You receive a request from another office within the University to receive names and social security numbers of students in a particular University sponsored program. You retrieve the data from the university's information system and download it to a data file and attach the data file to an e-mail and send it to the requesting party. Was this the correct way to transfer this information?
No is the correct answer. Although some may argue this is not a strict violation of FERPA, schools must make efforts to ensure that individually identifiable student data is protected. E-mail is not considered a secure form to transfer these forms of data. All data that is non-directory and can potentially indentify individual students should not be passed to another party through e-mail. Data transfers of this kind should be conducted through a secure web interface or another data transfer mechanism sanctioned by the University Information Security Officer.
An unauthorized person obtains private student information from a computer screen that was left unattended. Is this a violation of FERPA?
Yes is the correct answer. Measures must be taken to prevent inadvertent release of educational records. Carefully protect information on computer screens, in print, in conversation, or stored on a computer.
A non-University person comes to a department office with a signed letter giving consent to release the transcript of a student. Should the department provide information from the student's transcript?
No is the correct answer. Do not give any private student records to third parties, even if they have a release. Refer transcript requests to the Office of Student Records or the University Registrar. Click here to complete the training
