Preserving Student Privacy

Reference Documents

The Family Educational Rights and Privacy Act (FERPA) and UC policy restrict the disclosure of information from student records. With electronic media prevalent and public scrutiny high, students expect the University to protect their privacy.

Presume that all student information is confidential, and do not disclose information without a student’s consent except to University officials who have a legitimate educational interest in the information. Consult with the Office of the University Registrar to understand which information the University can properly disclose.

Students have a right to access most information in the records that the University maintains about them, including email messages between faculty or staff that refer or relate to them. Knowing that a student might read your email message later, keep your email messages focused on facts and try to avoid communicating subjective judgments. Notwithstanding their general right of access, students do not have a right to access records that are kept in the sole possession of the person who created the record, are used only as a personal memory aid, and are not accessible by or revealed to any other person except a temporary substitute for the person who created the record.

Some students exercise their right under FERPA to restrict the University from disclosing any information about them, not even their name or existence at the University because serious threats to their personal safety exist or for other reasons. The University must ensure that no information about students who exercise this right is disclosed except to University officials who have a legitimate educational interest in the information.

Parents of UC students do not have a right to obtain information from student records, including grades and faculty records about a student’s performance in class. However, a student may request a transcript to provide to his/her parents.

Faculty are not automatically entitled to access all information about their students. Faculty have a legitimate educational interest in information only if the information is relevant and necessary for them to fulfill their role in the student’s education.

Faculty, teaching assistants, and readers can share information about distressed or disruptive students with University officials who have a legitimate educational interest in the information. In addition, if a health or safety emergency exists, faculty, teaching assistants, and readers can share information with other people, within and outside the University, to protect the health or safety of the student or others. The University must create a record of the basis for the disclosure.

In letters of recommendation, faculty, teaching assistants, and readers can discuss their personal observations, but they should not disclose information from student records, such as grades, without the student’s consent.

When downloading gradebooks, please remember to store this data using a campus-approved cloud service approved to hold student data, such as box.com or a secure server managed by a campus IT team. Be sure this data is not synched or stored to a local directory on your computer. For more information and IET recommendations for storing student data, see Student Educational Records.

Avoid inadvertently disclosing information from student records. For example:

Do not place graded, identifiable student work in the hallway or an unmonitored area for students to pick up;

Do not post grades publicly if grades are linked to a student ID number, name, or another identifier except for an exam number or unique ID known only to the instructor and student;

Do not send email to two or more students that includes personally identifiable information such as student name or student ID number;

Avoid requiring students to post identifiable homework assignments or projects in a publicly accessible online forum (e.g., Facebook, YouTube, and other social media spaces);

  • Instead of requiring students to participate in a publicly accessible online blog, allow students to opt-out, create a private blog, or consider using the campus learning management system;
  • If you use Doodle or a similar system to solicit or share calendar or schedule information, create a private poll so students’ information is not disclosed to other students;
  • Obtain consent from new students before sharing any of their personal information, biographical or academic, with students, faculty, or others;
  • Do not circulate or post a class roster that includes a photograph or student ID number, and do not circulate or post a class roster of student names if the roster is available to persons outside the class;
  • Placing any information about students on a website, such as a cloud-based service, not under contract with the University may raise FERPA concerns. The use of these sites should not be required, and you must allow students concerned about privacy to provide their information to you in a secure manner.

Consent to disclose information from a student record must be obtained from the student in writing prior to the release of information.  This written authorization must specify which records may be disclosed, identify the party or class of parties to whom the records may be disclosed, indicate the purpose of the disclosure, and be signed and dated by the student.

Redisclosure of Student Data

Student data may not be redisclosed by a third party without the written consent of the student. It is your responsibility when disclosing data to a third party to notify the third party of the restrictions regarding how the data may be used. When disclosing information to a third party you must include the following redisclosure notice:

"This information is being released to you in accordance with the Family Educational Rights and Privacy Act on the condition that you will not permit any other party to have access to these records without the written consent of the student, except that information may be used by your organization's officers, employees, and agents, but only for the purposes for which the disclosure was made to you" (UC Davis PPM 320-21).

Breach of Student Privacy

Under the Federal Family Educational Rights and Privacy Act of 1974 (FERPA) and the State of California Education Code, and UC system-wide policy and procedures, students’ privacy must be protected.  Only Staff and Faculty with a legitimate educational interest have the right to access information that is relevant and necessary for them to fulfill their role in the student’s education.

Reporting a Breach of Student Information

If you suspect or learn of a breach of student information, contact cybersecurity@ucdavis.edu.