Student Data Privacy
At WSU, we take student data privacy seriously and protect your personal information according to state and federal laws.
FERPA is a major law that limits access to student data. Under FERPA, your parents can access your class grades, GPA and other information on your student records. However, once you turn 18, then you are the sole owner of your data and have to give your parents permission to view your records if you choose.
WSU also has a student records management policy that governs how student information is created and stored at the University.
You can manage who has access to your student data and how that data is shared with these forms:
- Online FERPA Authorization to Access Educational Record Form – Use this form to give your parents or others permission to see your student records otherwise protected by FERPA
- FERPA Revocation – Use this form to remove someone’s access to your student records as protected by FERPA
- Student Data Non-Disclosure Request (PDF) – Use this form to restrict WSU from sharing your directory information not protected by FERPA
Family Educational Rights & Privacy Act (FERPA)
What is FERPA?
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student educational records. These same rights are reinforced in Minnesota by several state laws, including the Minnesota Government Data Practices Act.
FERPA prohibits the funding of an educational institution that has a practice of disclosing educational records, or the personally identifiable information contained in those records, to unauthorized individuals without consent of the student’s parent.
When a student turns 18 years old or attends a postsecondary institution at any age, the rights under FERPA transfer from the parent to the student.
The words "educational record" refer to "those records that are (1) directly related to a student, and (2) maintained by an educational agency or institution or by a party acting for the agency or institution."
The words "personally identifiable information" include, but are not limited to:
- The student’s name
- The name of the student’s parent or other family member
- The address of the student or student’s family
- A personal identifier, such as the student’s social security number or student number
- A list of personal characteristics that would make the student’s identity easily traceable
- Other information that would make the student’s identity easily traceable
"Disclosure," in this context, includes "access to or the release, transfer, or other communication to any party, by any means, including oral, written, or electronic means."
What information can be shared under FERPA?
Basically, then, FERPA says that the university and its agents (faculty, staff, administrators) are not allowed to share educational information about any student without the student’s prior consent.
There are two primary exemptions to this blanket statement.
FERPA defines certain information as "directory information" and gives institutions latitude to define additional categories of directory information that can be shared with anybody who asks.
Per Winona State University Regulation 3-9 (PDF), there are two categories.
Directory information includes:
- Preferred Name
- Local Address
- Permanent City and State
- Local WSU Email Address
- Dates of Attendance
- Classification (FR, SO, JR, SR, GR, SP, etc.)
- Current Major and Minor Fields of Study and Licensure Programs
- Degrees and Awards Received
- Participation in NCAA or Club Sports
Limited Directory Data includes:
- Tech ID
- Legal Name
- Permanent Address
- Residence Status (in or out of state)
- Permanent Telephone Number
- Date of Birth
- Place of Birth
- Weight and Height
- Educational Institutions Previously Attended
- Date of WSU Graduation
- Advisor's Name
- Cell Phone Number
The university may disclose any of these items without prior written consent.
A student who does not want directory information made available must notify the Registrar in writing through the Student Data Non-Disclosure Request Form (PDF).
In order to release non-directory information, FERPA requires that we have a signed and dated written statement from the student telling us (a) what specific kinds of information we can share, and (b) whom we can share it with.
For example, a student who wants a potential employer or another school to have a transcript of their academic record must make a specific written statement allowing us to send it. The Registrar has the designated responsibility for handling FERPA disclosure statements on behalf of the university.
Non-Directory Information with Reason
FERPA allows the university to disclose non-directory information without prior consent to:
- certain school officials, including advisors, who have legitimate educational interests
- certain representatives of state and federal educational agencies
- individuals or agencies in response to a court order or a subpoena
- individuals or agencies in response to a health or safety emergency
Each of these exceptions involves some judgment to determine who has a legitimate educational interest, for example, or what constitutes an emergency. Except for those people mentioned above, the university is required to keep a record of requests for access to non-directory information and each person/agency to which that information was disclosed. The student may request to see that record at any time.
The only major exception to this rule is that the university may be required to keep a student from knowing that a law enforcement agency has received educational records in the course of a criminal investigation or in some situations governed by the Patriot Act.
"Notwithstanding any other provision of this policy, the following information is defined as Limited Directory Data for purposes of sharing with Students United so the association can communicate with their members: Student name, e-mail address, and Student Change Code (NEW/RTN/DROP)."
When does FERPA prevent sharing information?
Without a student’s written consent, we cannot respond to many requests from parents, reporters, researchers, employers, clubs, or social organizations.
Often these parties ask for information about a disciplinary action, attendance in class, grades or cumulative GPA, eligibility for participation in sports, or financial aid status. Each of these requests involves non-directory information and thus cannot be fulfilled.
Faculty or staff who receive these requests should deny them and refer the petitioner to the Registrar for any further explanation.
Faculty are not allowed to post grades in such a way that any student's individual performance can be easily identified by a third party. In practice, this prohibits posting exams scores by name, Social Security number, or Warrior ID.
Under some circumstances, it may be permissible to post by using a PIN or code known only to the student and the instructor. However, even this may be problematic in a small class or under other circumstances when a third party might easily match a student to a particular grade.
Faculty may have students evaluate each others’ work in class because the courts have determined that the work has not been "maintained," as required under the definition of educational records, until the faculty have received the finished work.
Universal access to electronic systems at WSU offers faculty secure options for posting student grades. The D2L portal system's grade book option also allows faculty to post class grades in such a way that each student only has access to their own data in the grade book.
It is also a FERPA violation to leave graded student work where others can view it or to return a student’s graded work by having another student pick it up. This means, for example, that faculty cannot have students search through a stack of other students’ papers to find their own, and that they cannot have students claim papers from a box in a hallway or departmental office. It is ok, however, to have a secretary or another faculty member return papers, provided that they do it individually, because they have a legitimate educational interest.
lt is not permissible to disclose a student's non-directory information during a class or group meeting, or in another public setting where it may be overheard by someone other than the student. For example, a staff member may not use one student’s financial aid information as an example in showing other students how to fill out a form. Also, a faculty member cannot use a student’s work as an example in class if doing so would reveal the student’s grade on the work.
A student has the right to view their own academic records and to petition to have factual errors corrected. This right does not extend to portions of the file to which the student has waived the right to access, as is often the case with letters of recommendation, for example.
What happens if FERPA policies are violated?
Penalties for Violating FERPA
Individuals cannot be penalized for FERPA violations, and the U.S. Supreme Court has held that individual students cannot sue for damages under FERPA.
However, the federal government has the right to deny funding to any educational institution that has a practice of violating FERPA. The government would base its decision in such a case upon evidence that faculty, staff, or administration had an ongoing pattern of making improper disclosures and that the university had made no effective efforts to prevent them.
University Regulation 3-9 (PDF) establishes the university’s own policy for applying FERPA and, therefore, demonstrates a commitment to complying with the law. Following through on that commitment becomes an obligation on the part of all faculty, staff, and administrators.
Also, the Minnesota Government Data Practices Act (MN Statutes 13.01 et seq.) does allow for sanctions against government agencies (like WSU) and individuals who violate data privacy expectations.
To quote the statute, "In the case of a willful violation, the political subdivision, statewide system or state agency shall be liable to exemplary damages of not less than $100, nor more than $10,000 for each violation. .... Willful violation of this chapter by any public employee constitutes just cause for suspension without pay or dismissal of the public employee." Unlike FERPA, therefore, the state law provides for --- in fact, requires --- a substantial penalty.
FERPA is Best Practice for Privacy Protections
Despite FERPA's clear regulatory tone and its legalistic recitation of rights and sanctions, it is student-friendly and fully consistent with good practice in higher education.
FERPA provides a clearly-articulated statement against which to benchmark our campus policy and our actual practice.
Even if FERPA did not exist, the standards of community behavior at Winona State University would suggest that we voluntarily commit to the spirit of its guidelines, out of respect for our students' privacy and our individual and collective sense of integrity.
WSU Student Records Retention
WSU creates and maintains a wide variety of records as students are enrolled and pursue their academic programs. All student records and information are carefully maintained for a certain period of time according to state and federal laws and statutes.
Student records are kept via paper documents, digital documents, or both. Many student records are retained for 5 years after a student has left WSU while others are kept permanently.
Once the retention period expires, the records are either destroyed or transferred an archive.
Review the WSU Student Record Retention Schedule (PDF) to learn about the types of records created and how long each record is retained.