UTS183 Maintenance of Education Records Subject to the Family Educational Rights and Privacy Act (FERPA)
Sec. 1 Purpose.
The purpose of this Policy is to ensure that each University of Texas System (U. T. System) institution and U. T. System Administration (System Administration) have procedures in place to ensure that access to and maintenance of Education Records complies with the Family Educational Rights and Privacy Act (FERPA), other applicable state and federal law, and UT System policies.
Sec. 2 Policy Statement.
It is the Policy of U. T. System to protect the privacy and records access rights of current and former students of its institutions by complying with FERPA at all times. It is also the Policy of U. T. System to ensure that Education Records, including records maintained by third parties acting on behalf of an institution or System Administration, are:
a. properly identified as Education Records;
b. maintained confidentially and securely;
c. available for inspection and review as authorized by FERPA; and
d. available to The Board of Regents of the U. T. System (the Board) and/or System Administration, as permitted by FERPA, to allow the Board and System Administration to carry out their respective duties and responsibilities under Texas and federal law.
Sec. 3 Applicability.
This Policy applies to all U. T. System institutions and System Administration.
Sec. 4 Written Procedure.
Each U. T. System institution and System Administration shall adopt FERPA-compliant written procedures approved by the U. T. System Office of General Counsel (OGC) to ensure that its employees, third party contractors, volunteers, and all other individuals understand their respective responsibilities under FERPA, and to ensure that Education Records are maintained confidentially and securely at or on behalf of each U. T. System institution and System Administration.
Sec. 5 FERPA Guidelines for Institutions.
At a minimum, each U. T. System institution, and as applicable, System Administration, must:
a. identify each office and department that creates or maintains Education Records or outsources the creation or maintenance of Education Records;
b. identify the location of such Education Records, including Education Records for which the responsibility for creation and/or maintenance has been outsourced to a third party;
c. designate a qualified official to oversee the institution's compliance with FERPA and this Policy;
d. publish requirements, in addition to those in UTS165, that employees and others, as applicable, must follow to ensure the security and confidentiality of any Education Record created, accessed, or maintained by that individual, including, but not limited to:
1. prohibitions on re-disclosure of education records to third parties;
2. requirements addressing the removal of education records in paper form from the institution;
3. requirements addressing the creation and maintenance of Education Records in non-paper form on a non-System owned or controlled information resource, which must track the applicable requirements of the Acceptable Use Policy Template appended to UTS165; and
4. best practices to reduce potential risks to student privacy, including, whenever possible, use of de-identified or aggregate data in place of Education Records or Personally Identifiable Information from Education Records;
e. implement a process to review each proposed contract or other transaction that involves a third party to determine if it will or could result in access to, or creation or maintenance of, the institution's Education Records by a third party. If a proposed contract or other transaction could result in third-party access to Education Records, the contract must identify the records and ensure that terms are included in either the contract or a separate non-disclosure agreement that require the third party to comply with FERPA, as well as the institution's applicable data security policies;
f. adopt, as part of its Handbook of Operating Procedures, the OGC Model FERPA Policy or a policy determined by OGC to contain the essential requirements of the OGC Model FERPA Policy, including the Model Policy's definitions of "Directory Information" and "University Officials"; and
g. ensure that all officers, faculty, staff, and any other individuals who will create and/or access the institution's Education Records receive training to provide general information about FERPA prior to their initial access to System Education Records. In addition, all such individuals must receive periodic training that addresses the particular FERPA requirements that apply to the categories of Education Records they would be expected to access, create, or disclose.
Education Records- records directly related to a Student and maintained by a U. T. System institution or party acting for the institution, as well as Personally Identifiable Information about a Student that is derived from an Education Record.
Family Educational Rights & Privacy Act (FERPA) - 20 U.S.C. 1232g and 34 CFR Part 99.
Personally Identifiable Information- information derived from an Education Record that can be used alone or in combination with other information known to a requestor or the university community, to identify a student. It includes, but is not limited to: the student's name; the name of the student's parent or other family members; the mailing or email address of the student or student's family; a personal identifier, such as the student's social security number, student number, or biometric record;
Student- any individual who is or was enrolled at a U. T. System institution and any other individual who is included within a UT System's institution's FERPA policy's definition of a student.
University Official - an individual or entity identified by the University as requiring access to an Education Records in order to fulfill his or her professional duties.