Sec. 1 Purpose
The purpose of this Policy is to ensure that each University of Texas System (UT System) institution and UT System Administration (System Administration) have procedures in place to ensure that access to and maintenance of Education Records complies with the Family Educational Rights and Privacy Act (FERPA), other applicable state and federal law, and UT System policies.
Sec. 2 Principles
UT System holds the protection of student education records as a primary responsibility. UT System requires all institutions and System Administration to foster a culture of privacy awareness and ensure that all necessary parties are informed on proper use and disclosure of such information.
Sec. 3 Policy Statement
It is the Policy of UT System to protect the privacy and records access rights of current and former students of its institutions by complying with FERPA at all times. It is also the Policy of UT System to ensure that Education Records, including records maintained by third parties acting on behalf of an institution or System Administration, are:
a) properly identified as Education Records;
b) maintained confidentially and securely;
c) available for inspection and review as authorized by FERPA; and
d) available to The Board of Regents of the UT System (the Board) and/or System Administration, as permitted by FERPA, to allow the Board and System Administration to carry out their respective duties and responsibilities under Texas and federal law.
Sec. 4 Applicability
This Policy applies to all UT System institutions and System Administration.
Sec. 5
Each UT System institution and System Administration shall adopt FERPA-compliant written procedures approved by the UT System Office of General Counsel (OGC) to ensure that its employees, third party contractors, volunteers, and all other individuals understand their respective responsibilities under FERPA, and to ensure that Education Records are maintained confidentially and securely at or on behalf of each UT System institution and System Administration.
Sec. 6
At a minimum, each UT System institution, and as applicable, System Administration, must:
a) identify each office and department that creates or maintains Education Records or outsources the creation or maintenance of Education Records;
b) identify the location of such Education Records, including Education Records for which the responsibility for creation and/or maintenance has been outsourced to a third party;
c) designate a qualified official to oversee the institution’s compliance with FERPA and this Policy;
d) publish requirements, in addition to those in UTS 165, that employees and others, as applicable, must follow to ensure the security and confidentiality of any Education Record created, accessed, or maintained by that individual, including, but not limited to:
i. prohibitions on re-disclosure of education records to third parties;
ii. requirements addressing the removal of education records in paper form from the institution;
iii. requirements addressing the creation and maintenance of Education Records in non-paper form on a non-System owned or controlled information resource, which must track the applicable requirements of the Acceptable Use Policy Template appended to UTS 165; and
iv. best practices to reduce potential risks to student privacy, including, whenever possible, use of de-identified or aggregate data in place of Education Records or Personally Identifiable Information from Education Records;
e) implement a process to review each proposed contract or other transaction that involves a third party to determine if it will or could result in access to, or creation or maintenance of, the institution’s Education Records by a third party. If a proposed contract or other transaction could result in third-party access to Education Records, the contract must identify the records and ensure that terms are included in either the contract or a separate non-disclosure agreement that require the third party to comply with FERPA, as well as the institution’s applicable data security policies;
f) adopt, as part of its Handbook of Operating Procedures, the OGC Model FERPA Policy or a policy determined by OGC to contain the essential requirements of the OGC Model FERPA Policy, including the Model Policy’s definitions of “Directory Information” and “University Officials”; and
g) ensure that all officers, faculty, staff, and any other individuals who will create and/or access the institution’s Education Records receive training to provide general information about FERPA prior to their initial access to System Education Records. In addition, all such individuals must receive periodic training that addresses the particular FERPA requirements that apply to the categories of Education Records they would be expected to access, create, or disclose.
Definitions
Education Records - records directly related to a Student and maintained by a UT System institution or party acting for the institution, as well as Personally Identifiable Information about a Student that is derived from an Education Record.
Family Educational Rights & Privacy Act (FERPA) - 20 U.S.C. 1232g and 34 CFR Part 99.
Personally Identifiable Information - information derived from an Education Record that can be used alone or in combination with other information known to a requestor or the university community, to identify a student. It includes, but is not limited to: the student’s name; the name of the student’s parent or other family members; the mailing or email address of the student or student’s family; a personal identifier, such as the student’s social security number, student number, or biometric record;
Student - any individual who is or was enrolled at a UT System institution and any other individual who is included within a UT System institution’s FERPA policy’s definition of a student.
University Official - an individual or entity identified by the University as requiring access to Education Records in order to fulfill his or her professional duties.