Enrollment Services departments are open for in-person and virtual services. Please check the Enrollment Services Update page for hours, service offerings, and contact methods.

Breadcrumb

UCR FERPA Policy

University of California, Riverside 
Policies Applying to the Disclosure of Information from Student Records

Download the UCR Policies and Procedures.

 

1. INTRODUCTION and PURPOSE

(Revised, April 17, 2020)

The Federal Family Educational Rights and Privacy Act (FERPA) governs the disclosure of information from student records. The systemwide implementation of FERPA is the Policies Applying to the Disclosure of Information from Student Records within UCOP’s Policies Applying to Campus Activities, Organizations and Students (PACAOS). These UCR local procedures supplement the systemwide policy in areas specific to the University of California, Riverside (UCR) campus.  Other more general FERPA-related matters will not be addressed by these local procedures.

These local procedures apply only to Records pertaining to Students in their capacity as Students and do not apply to those records maintained solely for purposes unrelated to student status. When the law is silent, UCR shall be guided by two principles: (1) the privacy of an individual is of great weight; and (2) the information in a Student’s file should be disclosed to the Student on request.

Although not strictly required under federal law, as a matter of University policy for the purposes of implementing the provisions of FERPA, the University of California generally views itself as separate institutions, rather than as a single entity. Therefore, Personally Identifiable Information contained in Student Records maintained by UCR may not be disclosed to the other UC locations without the written consent of the Student, unless the disclosure is a permissible disclosure outlined in PACAOS 130.721. 

2. Definitions

  • Student

    Student: an individual for whom UCR maintains student records and who either: (a) is enrolled in or registered with an academic program at UCR; or (b) is between academic terms and has completed the immediately preceding term and is eligible for re-enrollment or is on approved educational leave or other approved leave status.

  • Record

    Record: any information or data recorded in any medium including, but not limited to, handwriting, computer media, video or audio tape, film, microfilm, and microfiche. 

  • Student Records

    Student Records: are those records directly related to a student and maintained by UCR. Student records include, but are not limited to, academic evaluations, including student examination papers, transcripts, test scores, and other academic records; general counseling and advising records; disciplinary records; and financial aid records, including student loan collection records. A description of records not included under these local procedures are detailed in PACAOS 130.234.

  • Personally Identifiable Information

    Personally Identifiable Information: any information that identifies or describes a student. It includes, but is not limited to, a student's name, the name of a student's parent or other family members, the address of a student or student's family, any personal identifier such as a student's social security number, or any personal characteristics or other information that would make a student's identity easily traceable.

    Personally identifiable information is divided into two categories: (1) public information, which may be disclosed to any party without the prior written consent of the student to whom the information pertains, except as specified in Section 3.a., and (2) confidential information which requires the student's prior written consent, except as specified in Section 3.b..

     

  • Directory Information

    Directory Information: information contained in a student record that would not generally be considered harmful or an invasion of privacy if disclosed. UCR has designated the following types of information as Directory Information:

    1. Student Name
    2. Date of Birth
    3. Place of Birth
    4. E-mail address
    5. Telephone Numbers
    6. Field of Study (including major, minor, concentration, specialization, and similar designations) 
    7. Dates of Attendance
    8. Grade Level
    9. Enrollment Status (e.g., full time or part time)
    10. Number of Units in which Enrolled
    11. Degrees and Honors Received
    12. Previous Educational Institution Attended
    13. Participation in Officially Recognized Activities, including, but not limited to, Intercollegiate Athletics; the name, weight, and height of participants in Intercollegiate UCR athletic teams.
  • Campus Official

    Campus Official: any individual designated by UCR to perform an assigned function on behalf of the university

  • Legitimate Education Interest

    Legitimate Education Interest: information relevant and necessary for a Campus Official to perform any of the following tasks:

    1.  An employment responsibility or an assigned subject matter for the inquirer
    2.  Related specifically to the Campus Official’s participation in the Student’s education
    3.  The discipline of a Student
    4.  Providing a service or benefit related to a Student or Student’s family (such as health care, counseling, job placement, or financial aid)
    5. Capitalized terms used in this procedure and not defined have the meaning given in the UC Policies Applying to the Disclosure of Information from Student Records (PACAOS 130.00).

3. Procedures Applying to the Disclosure of Information from Student Records

  • Directory Information

    Directory Information

    1. Pursuant to PACAOS 130.251, UCR has designated certain Student Record items to be Directory Information with respect to individual students, which are defined above.
    2. Students have the right to, at any time, refuse to permit any or all of the above categories of Personally Identifiable Information to be designated as Directory Information with respect to themselves. 
    3. To restrict any of the above information, log in to R’Web, go to the “Authorization & Privacy” icon and select “Directory Information Privacy.”  Check the boxes next to any information you do not want made public. UCR will adhere to these restrictions during all quarters the Student is not registered with UCR, including as an alumni. 
  • Legitimate Educational Interest

    Legitimate Educational Interest

    1.  Pursuant to PACAOS 130.292, UCR has designated certain tasks by a Campus Official as Legitimate Educational Interest, which are defined above.
    2. PACAOS 130.720 provides further documentation on permissible disclosures without student consent.  It is critical that recipients of Personally Identifiable Information are informed that information may not be further disclosed without written consent of the student and the information provided can only be used for the express purpose for which the disclosure was made.  Please see PACAOS 130.722 for additional details.

4. Student Rights

  • Annual Notification of Rights

    Annual Notification of Rights

    1.  Students shall be informed annually of their rights under FERPA and its implementing regulations, by such means and at such times as are reasonably likely to inform them of those rights. Annual notification to students is through the General Catalog and a fall quarter email communication (Appendix A). Students have the right to:
      1.  Inspect and review the Student’s own Records
      2. Request correction of Student’s own Records
      3.  Grieve an alleged violation of privacy rights
      4. Authorize the release of Personally Identifiable Information for the Student’s Record
  • Inspection and Review of Student's own Records

    Inspection and Review of Student's own Records

    1. With the exception of the Records listed in Section 4.b.vi., Students may request access to their Records by submitting a written request to the FERPA Officer/Registrar.
    2. The Student shall be permitted to inspect and review their Student Records within 45 calendar days after the receipt of the Student's request.
    3.  At the UCR’s discretion, electronic or paper copies of the Records or supervised access to inspect and review the Records may be provided. If the Student cannot come to the department to review the Records, copies must be provided.
    4. UCR will provide responses to reasonable Student requests for explanations or interpretations of the content of their records.
    5. Student Records shall not be destroyed if there is an outstanding request to review them.
    6. Records exempt from inspection and review by Students:
      1.  Financial statements of parents/guardians;
      2. Confidential letters and statements of recommendation, which were placed in the Student Records prior to January 1, 1975, provided that the letters and statements are used only for the purposes for which they were originally intended;
      3. Confidential letters and statements for recommendation, which were placed in a Student's Records after January 1, 1975, with regard to admission, application for employment, or the receipt of an honor, if the Student has waived the right to inspect and review those recommendations;
      4. Records containing Personally Identifiable Information about other Students. If the Student Records contain information on more than one Student, Students may inspect and review or be informed of only the specific information which pertains to themselves.
    7. FERPA assigns privacy rights to all enrolled students, regardless of age. Parents/Guardians or spouses have no inherent rights to inspect a student’s record. Records may be released to parents/guardians/spouses only with written authorization of the Student.
  • Request correction of the student's own records

    Request correction of the student's own records

    1. Students shall be entitled to an explanation of any information contained in official records, files, and data directly related to themselves as Students.
    2. Students may seek amendment of their Records from the FERPA Officer/Registrar if they believe the Records contain inaccurate or misleading information. The office will provide a response within a reasonable period of time.
    3. If the request is granted, the Records shall be corrected. If the request is denied, the Student shall be informed and advised of the right to a fact-finding hearing to determine whether information in the Student Record is inaccurate or misleading.
    4. The Student must request the fact-finding hearing within 30 calendar days following the conclusion of the initial review by the FERPA Officer/Registrar.
    5. The scope of the hearing is limited to determining whether records are inaccurate, misleading, or otherwise in violation.
    6. The Student and the department each have a full and fair opportunity to present evidence relevant to the issues raised in the request.
    7. The hearing shall be held within a reasonable period of time after it has been requested, and the student shall be notified of the date, place, and time reasonably in advance of the hearing;
    8. The hearing shall be led by one who has no direct interest in the outcome of the hearing;
    9. The decision rendered shall be made in writing within a reasonable period of time after the conclusion of the hearing; and
    10. The decision shall be based solely on the evidence presented at the hearing and shall include a summary of the evidence and the reason for the decision.
    11. If, as a result of the hearing, University Officials decide that the information in question is inaccurate, or misleading, the record shall be corrected accordingly and the student informed in writing of the action taken.
    12. If, as a result of the hearing, University Officials decide that the information in question is not inaccurate or misleading, the Student shall be informed of the right to insert into the record a statement commenting upon the information in the record and/or setting forth any reasons for disagreeing with the decision to leave the record unchanged. This statement shall remain a permanent part of the record as long as the contested portion remains a part of the record, and it shall be revealed to any party to whom the contested portion is revealed.
    13. Request for correction of grades given in a course of study, including written evaluations, which reflect institutional judgments of the quality of a Student’s academic performance in a course of study, are not subject to this policy.
    14. A Student may not request a change in an underlying disciplinary decision through this process.

5. Complaints and concerns regarding privacy rights

  • Student Questions or Concerns

    Student Questions or Concerns

    1. Students who have questions about their privacy rights under this policy or have introductory questions or concerns about whether their rights were violated may reached out to the campus FERPA Officer/Registrar or the campus Privacy Officer.
  • UCR Informal Grievance Submission

    UCR Informal Grievance Submission

    1. Students who believe that information contained in their Student Record has been inappropriately disclosed must attempt to resolve the matter informally with the campus FERPA Officer/Registrar, by submitting in writing an explanation of the specific action being grieved, the specific policy and/or regulation alleged to be violated and the remedy requested.
    2. The campus FERPA Officer/Registrar will initiate the UCR FERPA Incident Response Procedure, as appropriate (Appendix B).
    3. The campus FERPA Officer/Registrar will respond to the Student in writing, within fifteen (15) calendar days of receipt of request, indicating that the requested remedy is being granted, or explaining why such action has not been taken.
    4. If the FERPA Officer/Registrar determines that a serious violation occurred, such as multiple issues with a single employee, exposure of P4 data or a violation committed with malicious intent (as described in the UCR FERPA Incident Response Procedure), the FERPA Officer/Registrar will refer the matter to the Local Designated Official (LDO) or the appropriate disciplinary process. The FERPA Officer/Registrar will notify the Student that the matter has been referred.
    5. If the request is denied by the campus FERPA Officer, the Student will be informed, in writing, of the right to submit a formal grievance.

6. Authorize the Release of Personally Identifiable Information from Student Records

  1. Students must provide written consent that specifically identifies a) the Records to be disclosed, b) the purpose of the disclosure, c) the party to whom disclosures are to be made, and d) the duration of disclosure.
  2. UCR has provided electronic authorization options for the following:
    1. Transcript and enrollment verification release
    2. Creation of an authorized user online account which allows a parent/guardian (or other person student deems appropriate) to view the Student’s online account
    3. Authorization for parent/guardian (or other person student deems appropriate) to speak with Housing, Financial Aid and/or Student Business Services
    4. All other requests for release must be made in writing
  3. Consent is not required for disclosures of Directory Information defined above
  4. Consent is not required for disclosures permissible under PACAOS 130.720

7. Faculty and Staff

Faculty and staff who believe information contained in a Student Record has been wrongfully disclosed pursuant of the policies set forth above, should immediately report in writing an explanation of the specific action that occurred and the specific policy and/or regulation alleged to be violated to the campus FERPA Officer/Registrar. The campus FERPA Officer/Registrar will initiate the UCR FERPA Incident Response Procedure, as appropriate (Appendix B).

8. References and Appendices

UC - Policies Applying to the Disclosure of Information from Student Records (130.00)
Appendix A – Annual Notification of Student Privacy Rights Under FERPA
Appendix B – UCR FERPA Incident Response Procedure

9. Approval and Revision History

The approval of these local procedures resides with the Associate Vice Chancellor of Enrollment Services. These local procedures supersede the University of California, Riverside Policies Applying to the Disclosure of Information from Student Records, which were dated February 20, 2007. The local procedures were revised effective April 17, 2020, to (i) focus the procedures on matters specific to the campus; (ii) include additional items as Directory Information; (iii) specify more clearly the annual notification to students of their rights; and (iv) specify the grievance procedures for students. 

Appendices

  • Appendix A

    Dear Student
    Pursuant to UCR’s Policies Applying to the Disclosure of Information from Student Records – Local Procedure document, this is the annual notification of the Family Educational Rights and Privacy Act (FERPA).  The UCR FERPA policy is located on the Office of the Registrar website.

    FERPA affords eligible students certain rights with respect to their education records. (An “eligible student” under FERPA is a student who is 18 years of age or older or who attends a postsecondary institution at any age.) These rights include:

    1. The right to inspect and review the student's education records within 45 days after the day the Registrar’s Office at UCR, receives a request for access.

    2. The right to request the amendment of the student’s education records that the student believes is inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA.

      A student who wishes to ask UCR to amend a record should write the Registrar, clearly identify the part of the record the student wants changed, and specify why it should be changed.

    3. The right to provide written consent before UCR discloses personally identifiable information (PII) from the student's education records, except to the extent that FERPA authorizes disclosure without consent.

      Students provide access to their record in one of three ways:

      1. Customizing Directory Information through R’Web Self-Service
      2. Set up Authorized Users through R’Web Self-Service
      3. Use of Department-Specific Release Forms
       

      UCR discloses education records without a student’s prior written consent under the FERPA exception for disclosure to school officials with legitimate educational interests. UCR defines “legitimate educational interest” as information relevant and necessary for a campus official to perform any of the following tasks:

      1. An employment responsibility or an assigned subject matter for the inquirer
      2. Participation in the student’s education
      3. The discipline of a student
      4. Providing a service or benefit related to a student or student’s family (such as health care, counseling, job placement, or financial aid)
       

      Upon request, the school also discloses education records without consent to officials of another school in which a student seeks or intends to enroll. Disclosure of Information from Student Records (130.720) within UCOP’s Policies Applying to Campus Activities, Organizations and Students (PACAOS) provides further documentation on permissible disclosures without student consent.

    4. The right to file a complaint with the U.S. Department of Education concerning alleged failures by the UCR to comply with the requirements of FERPA. The name and address of the office that administers FERPA is:

      • Family Policy Compliance Office
        U.S. Department of Education
        400 Maryland Avenue, SW
        Washington, DC 20202
       

      Students are encouraged to follow to UCR informal and formal grievance process by notifying the FERPA officer/Registrar with concerns of inappropriate disclosures.

  • Appendix B

    UCR FERPA Incident Response Procedure
    October 2023

    Summary

    This document establishes UC Riverside (UCR) incident response procedures in cases involving Family Educational Rights and Privacy Act (FERPA) and the protections and privacy of student education records.

    This procedure applies to all FERPA non-directory information breaches and incidents regardless of cause, to include inadvertent disclosures and external cyber-attack. FERPA non-directory information is classified as Protection Level 3 (P3), with the exception that Financial, Health and Government ID information are considered P4 level. Data classifications are delineated in the UC IS-3 Institutional Information and IT Resource Classification Standard.

    Procedure

    The following steps are to be taken upon notification or awareness of a FERPA non-directory breach or incident.

    FERPA Incident Response Procedure

    1. Incidents can be reported through the Chief Information Security Officer (CISO) or the University Registrar, as the UCR FERPA Compliance Officer.
    2. Information is collected to understand and evaluate the specific details of the incident to determine what occurred and provide a recommended action.
    3. The Lead Location Authority (LLA) or their designee will determine whether to convene an Incident Response Team (IRT) and, if so, will appoint the IRT Coordinator (IRTC).
    4. The department head of the area where the violation occurred is notified of the violation.
    5. In situations involving unauthorized sharing of FERPA information via email, the University Registrar will immediately request that ITS delete the shared data in effort to minimize risk of exposure.
    6. In situations where the data is shared or exposed in other methods (e.g., exploit, breach, physical media access etc.), the IRTC, working in concert with the University Registrar, will determine a method to reduce the risk of exposure.
    7. The IRTC will determine the protection level of the data which was exposed and thus the notification requirements. Guiding principles are as follows:
    • P4 data (specifically financial, health & government ID information) will require notification to the impacted student and Department of Education following Campus Counsel guidance.
    • P3 data (specifically non-financial, health & government ID related student information) will NOT require notification to the impacted student nor the Department of Education.
    • P2 data (specifically student FERPA directory information) will NOT require notification to the impacted student nor the Department of Education.
    1. Regardless of protection level, a record of all incidents must be maintained by the Registrar’s office.
    2. University Registrar informs AVC for Enrollment Services and requests approval to continue incident response process.
    3. The LLA or their designee makes the decision to notify law enforcement agencies (e.g., UC Police Department, Federal Bureau of Investigation, California Highway Patrol, Department of Homeland Security).
    4. In collaboration with the department head, University Registrar, CISO and campus counsel email/letter templates and instructions on notifying the impacted students will be established and determination will be made who signs the notification. This could vary based on circumstances.
    5. The LLA must document and establish an Incident Response Program that encompasses:
      • Creating a documented process to capture lessons learned from responding to significant incidents.
      • Creating a documented process to review the handling of routine Incidents, their metrics and the effectiveness of planned defenses and responses.
      • Updating the Location Information Security Incident Response Plan as needed.
    6. If the breach is determined to be a result of an employee violation, in consultation with the department head, the University Registrar schedules a one-hour FERPA meeting with the employee that committed the violation to review FERPA, discuss what transpired, and how to do things differently to prevent this in the future.
      • If there is a determination that there have been multiple issues with an employee or it was done with malicious intent, the University Registrar escalates discussion for consideration of revoking access to student information or other formal actions.
    7. If the breach is more cyber-security related the CISO will work with the appropriate employees to discuss lessons learned and appropriate adjustments to business practices to minimize risks in the future.