A number of federal and state laws govern access to and privacy of information maintained in University files, including student records (i.e. student information, course materials, completed assignments). Access to student records is governed by federal regulation (Family Educational Rights and Privacy Act of 1974 — FERPA), state law (Information Practices Act), and by the University of California Policies Applying to the Disclosure of Information from Student Records.
FERPA and University Policies require that restricted, confidential, or student information never be stored, received, processed or published in non-UC systems unless you have worked with Purchasing to ensure that a UC-approved agreement is in place that addresses information security and privacy requirements and concerns. Similarly, don’t rely on external information systems or services for critical university business processes unless a UC-approved agreement is in place. For detailed information on FERPA and University Privacy Policies, visit the privacy section of the University Registrar website.
Don’t risk a violation! Treat all student records as confidential. Ask first if you are unsure whether you can discuss or disclose any type of student information with another individual or organization.
Full list of student record criteria
The Student Record review of a third-party tool is a two-step process:
- Identify and define student information involved
- Determine FERPA Requirements
Step 1: Identify and define student information involved
|Student Information|Student Self-Reported|Campus Provided|Created / Maintained by Third Party|Notes|
Step 2: Determine FERPA Requirements
|No FERPA Concerns|
|FERPA concerns are minimal|
|FERPA compliance is required|
If FERPA compliance is required, the 3rd party must be recognized as a campus official. The 3rd party may be recognized as a campus official provided that:
- the 3rd party performs an institutional service or function for which the University would otherwise use employees;
- the 3rd party is under the direct control of the University with respect to the use and maintenance of student records; and
- the outside party may not disclose the information to any other party without the student’s consent, and may not use the information for any purpose other than the purpose for which the disclosure was made.
The 3rd party must enter into a written agreement with the University that:
- specifies the student information exchange between the 3rd party and the University;
- specifies the purpose, scope, and intended use of the student information;
- agrees to use the student information for the specified purpose, scope and intended use;
- specifies appropriate security measures to protect the student information from unauthorized use or unauthorized access; and
- prevents the re-disclosing of student information to any individual, office, department or organization, without prior written consent from the University or as required by law.