CSUB FERPA GUIDELINES

Summary of the Family Educational Rights and Privacy Act (FERPA), from the U.S Department of Education:

The California State University complies with The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99). FERPA is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. 

FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."

Parents or eligible students have the right to inspect and review the student's education records maintained by the school. Schools are not required to provide copies of records unless, for reasons such as great distance, it is impossible for parents or eligible students to review the records. Schools may charge a fee for copies.

Parents or eligible students have the right to request that a school correct records which they believe to be inaccurate or misleading. If the school decides not to amend the record, the parent or eligible student then has the right to a formal hearing. After the hearing, if the school still decides not to amend the record, the parent or eligible student has the right to place a statement with the record setting forth his or her view about the contested information.

Generally, schools must have written permission from the parent or eligible student in order to release any information from a student's education record. However, FERPA allows schools to disclose those records, without consent, to any of the following parties or under the following conditions (34 CFR § 99.31):

  • School officials with legitimate educational interest
  • Other schools to which a student is transferring
  • Specified officials for audit or evaluation purposes
  • Appropriate parties in connection with financial aid to a student
  • Organizations conducting certain studies for or on behalf of the school;
  • Accrediting organizations
  • To comply with a judicial order or lawfully issued subpoena
  • Appropriate officials in cases of health and safety emergencies
  • State and local authorities, within a juvenile justice system, pursuant to specific State law

Schools may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, dates of attendance, department employed, and student employee status.

Students employed by a department and directory information for their employment status apply only to those under the Unit 11 bargaining unit. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them.

Schools must notify parents and eligible students annually of their rights under FERPA. The actual means of notification (special letter, inclusion in a bulletin, student handbook, or newspaper article) is left to the discretion of each school.

 

Staff and faculty seeking access to FERPA-protected data should follow these steps. All requestors will be asked to confirm that they have reviewed this website and understand all relevant information and definitions when submitting their request.

  1. Complete the FERPA Data Request Form (Kuali form coming soon).
  2. Requests can be made by CSUB staff or faculty members designated as school officials with a legitimate educational interest.
  3. The supervising MPP must approve the request.
  4. The MPP must acknowledge their responsibility for maintaining the confidentiality and security of FERPA information and confirm they have read and understood the FERPA guidelines.
  5. The provided data is protected and cannot be downloaded or shared
 

Education records refer to documents directly associated with a student and kept by the institution or an agent of the institution. However, the term "education records" does not encompass the following:

  1. Sole Possession Records: Notes or documents created by an educator that are kept private and not shared with anyone else are excluded.

  2. Law Enforcement Records: Records generated by the institution's law enforcement unit specifically for law enforcement purposes are not considered education records.

  3. Employment Records: Records pertaining to individuals employed by the institution that are maintained in the normal course of business and relate solely to their roles as employees are excluded. However, records of individuals who are employed due to their status as students (like work-study participants) are classified as education records.

  4. Medical Records: Documents created by healthcare professionals or paraprofessionals in the course of providing treatment to a student, which are kept confidential and not disclosed to anyone other than those involved in the treatment, are also not considered education records.

Faculty, administrators, CSUB police officials, student employees, clerical staff, and other individuals responsible for managing student records may access a student’s record when there is a legitimate educational purpose. Only information relevant to that purpose will be disclosed.

This access also extends to contractors, consultants, volunteers, and other external providers working with California State University, Bakersfield.

 

Current students may release their academic records to their parents, a prospective employer, insurance companies, etc., by submitting an electronic release request to the Office of the Registrar.

Current students may submit an electronic request through the myCSUB Portal. Within the myCSUB Portal, under the Personal Information drop-down menu, select "FERPA Release Authorization".

Legitimate educational interest refers to the demonstrated need for information by school officials who are acting in the educational interest of the student. At California State University, Bakersfield, any official who requires access to a student’s education records in order to perform their instructional, advisory, or administrative duties has a legitimate educational interest.

Under FERPA, a school official has a legitimate educational interest if they need to access an education record to fulfill their responsibilities. This includes:

  • Performing tasks outlined in their job description or contract.
  • Carrying out duties related to a student’s education.
  • Managing student disciplinary matters.
  • Providing services to the student or their family, such as healthcare, counseling, job placement, or financial aid.

What is NOT "legitimate educational interest"?
Legitimate educational interest does not grant access to all student information. The law differentiates between educational interests and personal or private interests; educational records cannot be accessed for personal reasons. Additionally, having a legitimate educational interest does not give an official the authority to disclose information to third parties without the student’s written consent.

FERPA directory information is information contained in your education record that generally would not be considered harmful or an invasion of privacy if disclosed. Under current CSUB policy, the following information is designated as directory information:

  1. Student name. If provided, a preferred name will be used when there is not a documented business or legal reason to provide a student's primary name. Students may select a diploma name for graduation and commencement materials.
  2. Campus email address, subject to the limitation described below.
  3. Dates of attendance
  4. Previous educational institutions attended
  5. School/college or division of enrollment
  6. Majors, minors and field of study
  7. Classification level (e.g., freshman, sophomore, graduate student)
  8. University-recognized honors and awards
  9. Degree status (e.g., expected graduation date and/or conferral dates/semesters)
  10. Enrollment status
  11. Employment related to student status (e.g., teaching assistant, resident assistant or work-study) and dates positions held.
  12. Participation in officially recognized activities/sports, including height and weight of athletes
  13. Photos and videos taken or maintained by the university

Although these items are designated by CSUB as directory information, only a limited amount of this information is routinely disclosed by CSUB officials, and the University retains the discretion to refuse to disclose directory information if it believes such disclosure would be an infringement of privacy rights. Disclosure of campus email addresses is limited to requestors who agree not to use the campus email addresses for solicitation.

Currently enrolled students may withhold disclosure of directory information under FERPA by completing a Directory Privacy Request form with Office of the Vice President for Student Affairs  (Student Affairs Building #38)

CSUB may change the designation of directory information from time to time. You will be notified of changes through email publication.

FERPA allows the institution the right to disclose student records or identifiable information without the student's consent under the following circumstances:

  • To authorized representatives for audit of Federal or State supported programs and local authorities conducting an audit, evaluation, or enforcement of education programs.
  • To university employees who are in the process of carrying out their specifically assigned educational or administrative responsibilities acting in the student's educational interest, including contractors, consultants, volunteers and other outside providers used by the California State University, Bakersfield
  • Veteran's Administration officials.
  • Officials of other institutions in which a student seeks or intends to enroll, after transfer enrollment or admission, disability and other health records may be released in the event of an emergency in the need to protect the health and safety of a student or other persons under FERPA.
  • Persons or organizations providing financial aid to students.
  • Organizations conducting studies for, or on behalf of, educational agencies or institutions to develop, validate, and administer predictive tests, to administer student aid programs or to improve instruction, provided that individual identity of students is not made.
  • Accrediting organizations carrying out their accrediting functions.
  • Parents of a student who have established that student's status as a dependent according to Internal Revenue Code of 1954, Section 152; in connection with a health and safety emergency in connection with § 99.36; or the student is under 21 and has violated a federal, state or local law or a policy of the university related to the use or possession of alcohol or a controlled substance.
  • Persons in compliance with a judicial order or a lawfully issued subpoena, provided that the institution makes a reasonable attempt to notify the student in advance of compliance. NOTE: The institution is not required to notify the student if a federal grand jury subpoena, or any other subpoena issued for a law enforcement purpose, orders the institution not to disclose the existence or contents of the subpoena.
  • Persons in an emergency, if the knowledge of information, in fact, is necessary to protect the health or safety of students or other persons.
  • An alleged victim of any crime of violence of the results of any institutional disciplinary proceeding against the alleged perpetrator. The information may only be given in respect to the crime committed.
  • Schools may disclose personally identifiable information from education records to an outside contractor without prior written student consent if the outside contractor is a "party acting for" the institution and is performing a service which the institution would otherwise have to perform for itself (as in the case of the National Student Loan Clearinghouse for loan verification).
  • Representatives of the Department of Homeland Security or Immigration and Customs Enforcement, for purposes of the coordinated interagency partnership regulating the Student and Exchange Visitor Information System (SEVIS).
  • FERPA has been amended to permit educational agencies and institutions to disclose personally identifiable information from the student's records to the Attorney General of the United States or to his designee in response to an ex parte order in connection with the investigation or prosecution of terrorism crimes, under the US Patriot Act.
  • Allows the return of an educational record, or information from an educational record, to the party identified as the provider or creator of the record.
  • Information regarding a registered sex offender's enrollment or employment status, or any changes of such If the school determines that there is an articulable and significant threat to the health and safety to a student or other individuals, it may disclose information from educational records to appropriate parties.

FERPA governs access to a student's disciplinary file. The student and/or those university officials who demonstrate a legitimate educational need for disciplinary information may have access to the student's disciplinary file.

In addition, parent(s) may be notified if a student under 21 years of age is found responsible for a violation involving use or possession of alcohol and drugs.

The Campus Security Act permits higher education institutions to disclose to alleged victims of any crime of violence (murder, robbery, aggravated assault, burglary, motor vehicle theft) the results of the conduct proceedings conducted by the institution against an alleged perpetrator with respect to such crime. The Campus Security Act also requires that both accused and the accuser be informed of campus conduct proceedings involving a sexual assault.

Additionally, the Higher Education Amendments of 1998 permit disclosure of the final results of disciplinary cases in which a student has been found responsible for a violation involving violence or for a sex offense.

 

Students have the right to access, amend, and control the release of their education records as outlined below.

To request access to their education records, a student must submit a written request to the registrar, dean, chairperson of the relevant academic department, or another official responsible for maintaining the records they wish to inspect. The request should specify, as clearly as possible, the particular records the student wants to review by type, topic, date, or other relevant criteria.

The university official in charge of the records will gather the requested documents and assess whether they are eligible for access.

If the requested education record contains information about multiple students, the student may only view their own information. In this case, the record custodian must redact any other students' information before the student is allowed to review it. Any questions regarding record eligibility for review or proper redaction should be directed to the Office of the Registrar.

Before denying a student access to their education record, record custodians must consult with the Registrar and document the reason for the denial in writing.

The record custodian must respond to requests for access within a reasonable timeframe, not exceeding forty-five (45) days from when the request is received. If the records are not held by the custodian to whom the request was submitted, the custodian should help the student identify the correct custodian.

The record custodian will arrange for access and inform the student of the time and location where the records can be inspected.

At the post-secondary level, the right to inspect a student's education records is limited solely to the student. Records may be released to a parent or other third party only under the following circumstances:

  • Through the written consent of the student
  • In compliance with a subpoena
  • By submission of evidence that the parents declare the student as a dependent on their most recent Federal Income Tax form (IRS Code, Section 152) 
  • Under the alcohol and controlled substance exception or in connection with a health and safety emergency under the circumstances set forth in § 99.36 (if the student is under 21 years of age)
If a student believes that information in their records is inaccurate, misleading, or violates their privacy rights, they may request that the university amend the records. For issues stemming from clerical or processing errors, the student should contact the Registrar and follow the established procedures for making corrections. If the concern involves the appropriateness of a grade or other academic decisions, the student should use the grievance or appeal process specific to their situation. This procedure does not apply to students challenging a grade; those students should follow the academic grievance policy within their college.

If a correction is not achieved through normal channels, or if the requested amendment does not relate to processing errors or academic decisions, the student should follow these steps:

  1. The record custodian (Registrar) will review the amendment request along with any related documentation submitted by the student. The Registrar may ask for additional information if necessary to make a decision.

  2. Within a reasonable time after receiving the written request, the record custodian will determine whether to amend the record as requested.

  3. If the request is granted, the record custodian will make the necessary amendments to the education record and notify the student in writing about the action taken.

  4. If the request is denied, the record custodian will inform the student in writing of the decision and their right to request a hearing on the matter. Further details about the hearing procedures will be provided when the student is notified of their right to a hearing.

A student may request a hearing within ninety (90) days of the denial of their amendment request by the record custodian. The Registrar may act as the hearing officer or appoint another individual to serve in that role. The appointed hearing officer must have no direct interest in the hearing's outcome and will not review matters concerning official grades or other academic determinations.

The hearing will follow these procedures:

  1. Notification: The hearing officer will notify all relevant parties of the date, time, and location of the hearing in advance. The hearing should be scheduled within a reasonable timeframe after receiving the petition.

  2. Presentation of Evidence: The student will have the opportunity to present evidence related to the contested part of the education record. They may bring a representative to the hearing, but that representative cannot participate in the proceedings.

  3. Evidence and Testimony: The hearing officer may accept any relevant evidence and testimony, whether presented orally or in writing. The officer is not bound by strict legal evidentiary rules and may allow the introduction of any evidence deemed relevant.

  4. Decision: The hearing officer will issue a written decision within a reasonable period, based solely on the evidence presented during the hearing. This decision, including a summary of the relevant evidence, will be shared with the student, the record custodian, and the Registrar. The decision made by the hearing officer will be final.

  5. Outcome: If the hearing officer determines that the information is inaccurate, misleading, or violates the student’s privacy rights, they will instruct the record custodian to make the necessary amendments. The record custodian will then notify the student in writing once the amendment has been made.

  6. If Denied: If the hearing officer finds that the information is not inaccurate or misleading, they will inform the student in writing about their right to add a statement to the record. This statement may comment on the contested information or explain the student's disagreement with the decision. The university must keep this statement with the contested portion of the record for as long as it is maintained and must disclose it whenever that part of the record is shared.

 

Students who have ceased attendance or have graduated from an institution of higher education have essentially the same FERPA rights as students currently attending California State University, Bakersfield including the right to:

  • Inspect their education records
  • Have a hearing to amend an education record
  • Have their education privacy protected by the institution
  • Have the institution honor the previously established opt-out request

Once students leave the university, they do not have the right to request that a privacy code (non-disclosure) be placed on their records.

All faculty or staff members who obtain myCSUB and/or myHR administrative access must agree to and abide by FERPA regulations as outlined in their respective confidentiality agreements, signed upon employment with the university. These agreements can be found below.

Faculty: Faculty Confidentiality Agreement

Staff: Staff Confidentiality Agreement

Here are some important guidelines on how student data is handled at California State University, Bakersfield:

  1. Data Protection: Any spreadsheets or attachments that identify a student, whether by name or student ID, and contain protected information (such as GPAs, course enrollments, probation status, suspension details, etc.) must be password protected. If personally identifiable information (PII) is linked to non-directory FERPA data and is accessed by someone without a legitimate educational interest, it constitutes a FERPA violation.

  2. Email Security: Be cautious when addressing emails to recipients with legitimate educational interest in this data. However, remember that email is not a secure communication method (as per the CSUB Confidentiality of Email Policy). Never send unprotected files containing sensitive data via email unless they are password protected. Also, unsecured attachments may be forwarded to individuals who do not have a legitimate educational interest. Always ensure files are password protected.

  3. Directory Information: You may send a spreadsheet with directory information (such as college or major) unless it includes details about a student who has opted for full privacy protection. In that case, you must password protect the file. It’s best practice to always protect files, even those containing only student IDs.

  4. Email Content: If the body of an email includes a student’s ID, full name, and protected data, this should be avoided. Use the last four digits of the student ID for communications involving a small number of students. Alternatively, you can use the student ID along with their last name or initial. If discussing multiple students, place the information in an attachment and password protect it.

  5. Document Disposal: When disposing of documents containing FERPA-protected data, use confidential disposal methods. Simply throwing them in your desk-side trash or recycling bin can expose sensitive information. Always dispose of such documents in a confidential disposal bin or shred them.

  6. Social Security Numbers (SSNs): Never send SSNs via email. Identity theft is a growing concern, and reports have shown that employees with access to personal data are often targeted for scams. As custodians of sensitive personal data regarding students, faculty, and staff, we must remain vigilant about these risks. Data breaches can be costly, so protect university data as you would your own personal information.

Information about individuals should be retained only so long as it is valid and useful. Those responsible for academic information have an obligation to destroy information when conditions under which it was collected no longer prevail.

Any document containing personally identifiable information must be disposed of properly through some means of confidential disposal.

The Office of the Chief Privacy Officer of the Department of Education reviews and investigates complaints of violations of FERPA. If the Office finds that there has been a failure to comply with FERPA, it will notify the institution about the corrections that need to be made to bring the institution into compliance. The Office will establish a reasonable period of time for the institution to voluntarily accomplish the specified changes. If the Secretary of Education finds that, after this reasonable period of time, an institution has failed to comply with FERPA and determines that compliance cannot be secured by any means, he can, among other options direct that no federal funds under his administrative control (financial aid, education grants, etc.) be made available to that institution.
All such inquirers should be directed to University Police at 661-654-2677.

CSUB provides a secure web application by which faculty submit their grades to the registrar. Students are able to view their academic record, including grades, via a secure web application in their myCSUB Portal.

The public posting of grades either by the student’s name or social security number or university ID is a violation of FERPA. This includes the posting of grades to a class web site and applies to any public posting of grades for students taking distance education courses.

Notification of grades via e-mail is not recommended. There is minimal guarantee of confidentiality on e-mail. The institution would be held responsible if an unauthorized third party gained access, in any manner, to a student’s educational record through any electronic transmission method. For additional online grading information, click here or visit the Office of the Registrar homepage.