/Institutions/Central-Connecticut-State-University/json/Current/Undergraduate-Graduate-Catalog-local.json

/Institutions/Central-Connecticut-State-University/json/Current/Undergraduate-Graduate-Catalog.json

Family Educational Rights and Privacy Act (FERPA) Notice and Directory Information Policy

Policy Purpose

The Family Educational Rights and Privacy Act (FERPA) Annual Notice and Directory Information policy is required by federal law.  This policy informs the CSCU community and eligible students of rights granted under FERPA which includes the ability to access Education Records, request corrections to inaccurate information, and control how defined personal information, designated as “Directory Information” may be released by CSCU institutions without consent. 

 

Policy Definitions

“Attendance” includes but is not limited to, (a) Attendance in person or by paper correspondence, videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom; and (b) The period during which a person is working under a work-study program. (https://studentprivacy.ed.gov/content/attendance) Dates of Attendance refers to the period during which a student attends or attended an educational agency or institution. Examples include an academic year, a spring semester or a first quarter.

“Directory Information” is FERPA protected information contained in the education records of Students that would not generally be considered harmful or an invasion of privacy if disclosed.  A college or university may disclose directory information without consent if it has given: a) public notice of the types of information which it has designated as directory information, b) eligible students the right to restrict the disclosure of such information, and c) the period of time within which an eligible student has to notify the school in writing that they do not want any or all of those types of information designated as “Directory Information.”

“Disclosure Records” are maintained by the appropriate institutional data custodians to record each request for and each disclosure of Personally Identifiable Information of a student and except those listed in section C.1 below, record the individuals or entities who have requested or obtained Personally Identifiable Information and their legitimate interest in obtaining it.

“Education Records” include any information or data (including metadata) that directly relate to a student and are maintained by an educational agency or institution or party acting on behalf of the agency or institution. Education records may be in any medium, including but not limited to: handwriting, print, computer media, video or audiotape, film, photographs, microfilm, microfiche, and electronic media such as email. This includes data captured about students when browsing college and university websites such as the student’s IP address, browser type, session information, pages visited and referral websites. Education records also include disclosure records maintained by appropriate CSCU record custodians regarding the student’s education record(s). Education records are exempt from disclosure under the Connecticut Freedom of Information Act.

The following are not education records:
•    records kept in the sole possession of the maker as a personal memory aid;
•    law enforcement records;
•    employment records relating to individuals employed by the college or university; except where employment is conditioned upon status as a student;
•    records related to treatment, “Treatment Records,” provided by a health professional when maintained solely for treatment purposes;
•    records created or received about an individual after that person is no longer a student if not related to that student’s attendance, e.g., alumni records;
•    materials in any admissions files, until the student has been admitted to and has attended the CSCU college or university for which the materials were submitted; and 
•    all other records which are excluded from the FERPA definition of Education Records.

“Eligible Student” An eligible student is an individual attending any CSCU institution, regardless of age, who is enrolled in credit and/or non-credit courses.  This includes individuals participating in dual or concurrent enrollment programs.

“Enrollment” is the official status of an individual as a student at a postsecondary institution, established when the institution creates or maintains education records through course registration or attendance in an educational activity. Enrollment occurs at a minimum when a student is registered for at least one course offered by the institution, including dual or concurrent enrollment courses, regardless of the student’s age or enrollment in secondary school.  For the purpose of this policy, students enrolled in dual or concurrent courses are considered “in attendance” at the institution.

“FERPA” is the Family Educational Rights and Privacy Act, 20 U.S.C. sec. 1232g, et seq. as amended, and the regulations at 34 C.F.R. Part 99.

“Free Application for Federal Student Aid (FAFSA)” is the official form used to apply for federal financial aid, including grants, work-study, and loans to help pay for postsecondary education.

“Federal Tax Information (FTI)” includes any federal tax return information received from the Internal Revenue Service (IRS) by the United States Department of Education (ED) under the FUTURE Act Matching Program (FA-DSS), and information indicating whether a tax return was filed. When FTI is provided by the IRS directly to ED, it is protected under the Internal Revenue Code §6103 and is subject to different restrictions than other data on the FAFSA form.

“Intention to enroll” is determined by a formal declaration of a decision to attend a specific college or university such as completing an application, completing a CSCU document that identifies the intention to transfer, submitting an enrollment deposit, accepting an offer of admission, or registering for a class.

“Legitimate Educational Interest” is the need to review an education record in order for a CSCU School Official to carry out their professional responsibilities. A school official has a legitimate educational interest if the official needs to review an Education Record in order to fulfill their professional responsibilities for the CSCU system or CSCU institution.

“Parent” is defined as including natural parents, a guardian or an individual acting as a parent in the absence of a natural parent or guardian ¹.

“Personally Identifiable Information (PII)” includes information that can be used to distinguish or trace an individual’s identity either directly or indirectly through linkages with other information.

“School Official” is defined by this policy as a person employed by a college or university in an administrative, supervisory, academic, research, or support staff position (including law enforcement unit personnel and health staff); a person serving on the Board of Regents; an employee of the Connecticut State Colleges and Universities system office; or, a student serving on an official committee, such as a disciplinary or grievance committee. A school official also may include a volunteer or contractor outside of the college or university who performs an institutional service or function for which the college or university would otherwise use its own employees and who is under the direct control of the college or university with respect to the use and maintenance of PII from education records, such as a vendor, an attorney, auditor, or collection agent or a student volunteering to assist another school official in performing their tasks.

“Student” means any person who has been notified of their acceptance for admission, registered, enrolled, or attending any College or University course or program including non-credit bearing courses. This applies whether enrollment is full-time or part-time; whether the course(s) occur on-campus, online, or at an off-campus instructional site (domestically, or internationally such as students studying abroad); and whether the student is pursuing undergraduate, graduate, non-degree seeking, post-graduate, or professional studies. Prospective students or individuals who are not Enrolled, as defined by the institution, are not yet “Students” of CSCU under FERPA.  

“Treatment Records” include records which are created or maintained by a physician, psychiatrist, psychologist or other recognized professional or paraprofessional acting or assisting in that capacity, used only in providing treatment to a student, and not available to anyone other than persons providing such treatment, except that such records may be personally reviewed by a physician or other appropriate professional of the student’s choice. Treatment records are typically related to the provision of services which are billable as healthcare treatment by an organization covered by the Health Insurance Portability and Accountability Act (HIPAA).

 

Policy Text

A.    Family Educational Rights and Privacy Act (FERPA) Annual Notice

The Family Educational Rights and Privacy Act (FERPA) affords eligible students certain rights with respect to their Education Records. Under FERPA, eligible students have the right to access their education records maintained by the postsecondary institution regardless of whether they are also enrolled in a secondary institution.  Parents retain FERPA rights to access their child’s education records maintained by a secondary school until the student turns 18.  These parental rights remain in effect for the purpose of accessing secondary school records even if the student is concurrently enrolled in college.  For the purpose of accessing postsecondary education records, FERPA rights transfer from the parents to the student once the student is enrolled and in attendance at the postsecondary institution. These rights include:

1. The right to inspect and review student's education records within 45 days after the day the College or University receives a request for access.
Students should submit to the appropriate official as identified by the institution, written requests that identify the record(s) they wish to inspect. The college or university official will make arrangements for access and notify the student of the time and place where the records may be inspected. If the records are not maintained by the college or university official to whom the request was submitted, that official shall advise the Student of the correct official to whom the request should be addressed. 
 

2. The right to request amendment of the student’s education record that the student believes is inaccurate. 
Students may ask an appropriate college or university official as identified by the institution, to amend a record that they believe is inaccurate, misleading or a violation of the student’s right to privacy. However, this right is not intended to provide a process to question substantive judgments that are correctly recorded. Consequently, amendment requests do not allow a student to contest a grade in a course because the student believes that a higher grade should have been assigned. 

To request amendment of an education record, the student should contact the official identified by the institution as responsible for the record, clearly identifying the part of the record to be changed and specifying why it is inaccurate. The institution will notify the student of the decision. If the institution decides not to amend the record as requested by the student, a college or university official will advise the student of their right to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the student when notified of the right to a hearing.
 

3. The right to provide written consent before the College or University discloses Personally Identifiable Information (PII) from the student's education records, except to the extent that FERPA authorizes disclosure without consent.
CSCU institutions shall obtain the prior consent of the student before disclosing PII contained in the student’s education records, EXCEPT to the extent that this policy authorizes disclosure without consent. 

For additional details on FERPA exceptions to the requirement for consent, see Disclosure of Student Information Without Prior Consent below.
 

4. The right to refuse to permit the College or University to release Directory Information (opt out) about the student, except to school officials with a legitimate educational interest and others as indicated in paragraph 3 above. To do so, a student exercising this right must notify the university's or college's registrar, in writing. Once filed, this notification becomes a permanent part of the student's record until the student instructs the university or college, in writing, to remove it. Communication in writing includes university issued email and completion of digital forms provided by the institution for this purpose.

A student may exercise their right to opt out of the release of directory information, prohibiting disclosure of the Student's information without the Student's consent as noted in section 3.
 

5. The right to file a complaint with the U.S. Department of Education (USDE) concerning alleged failures by colleges or universities to comply with the requirements of FERPA.  

The USDE has a website with informational videos and a complaint form with instructions at https://studentprivacy.ed.gov/file-a-complaint. The name and address of the office that administers FERPA is:

U.S. Department of Education  
Student Privacy Policy Office
400 Maryland Avenue, SW  
Washington, DC 20202-8520 

 

Disclosure of Student Information Without Prior Consent

FERPA permits the disclosure of PII from students’ education records, without consent of the student if the disclosure meets certain conditions found in § 99.31 of the FERPA regulations. Except for disclosures to school officials, disclosures related to some judicial orders or lawfully issued subpoenas, disclosures of directory information, and disclosures to the student, regulations require the institution to record the disclosure. Eligible students have a right to inspect and review the record of disclosures. 

Except in the case of a lawful judicial order or subpoena, a postsecondary institution has sole discretion and may choose to disclose PII from education records without obtaining prior written consent of students for these authorized purposes:

• School officials with Legitimate Educational Interests.
  To other School Officials, whom the college or university has determined to have Legitimate Educational Interests.
• Transfer of enrollment
  To officials of another school where the student seeks or intends to enroll, or where the student is already enrolled if the disclosure is for purposes related to the student’s enrollment or transfer.
• Audit or Evaluate Publicly Funded Education Programs. 
  To authorized representatives of the U. S. Comptroller General, the U.S. Attorney General, the U.S. Secretary of Education, or State and local educational authorities, such as a state postsecondary authority that is responsible for supervising the university’s State-supported education programs. Disclosures under this provision may be made, subject to the requirements of §99.35, in connection with an audit or evaluation of Federal- or State- supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs. These entities may make further disclosures of PII to outside entities that are designated by them as their authorized representatives to conduct any audit, evaluation, or enforcement or compliance activity on their behalf.
• Financial Aid
  The college or university may disclose education records that are not classified as Federal Tax Information (FTI) in connection with financial aid for which the Student has applied or which the Student has received, if the information is necessary to determine eligibility for the aid, determine the amount of the aid, determine the conditions of the aid, or enforce the terms and conditions of the aid.
• Limited Studies
  To organizations conducting studies for, or on behalf of, the school, in order to: (a) develop, validate, or administer predictive tests; (b) administer student aid programs; or (c) improve instruction.
• Accrediting Organizations
  To accrediting organizations to carry out their accrediting functions.
• Judicial orders and subpoenas
  To comply with a judicial order or lawfully issued subpoena.
• Emergencies
  To appropriate officials in connection with a health or safety emergency, subject to § 99.36. (§ 99.31(a)(10))
• Directory Information
  Directory information, as defined by this policy, is FERPA protected information that may be disclosed at the discretion of the college or university.
• Victims of a crime
  To a victim of an alleged perpetrator of a crime of violence or a non-forcible sex offense, subject to the requirements of § 99.39. The disclosure may only include the final results of the disciplinary proceeding with respect to that alleged crime or offense, regardless of the finding.
• Disciplinary proceedings
  To the general public, the final results of a disciplinary proceeding, subject to the requirements of § 99.39, if the school determines the student is an alleged perpetrator of a crime of violence or non-forcible sex offense and the student has committed a violation of the school’s rules or policies with respect to the allegation made against him or her.
• Violation of law
  To parents of a student regarding the student’s violation of any Federal, State, or local law, or of any rule or policy of the school, governing the use or possession of alcohol or a controlled substance if the school determines the student committed a disciplinary violation and the student is under the age of 21.  

B.    Directory Information²

Directory Information is protected under FERPA; however, FERPA allows colleges and universities to disclose directory information at the sole discretion of the institution and without prior consent of students unless the student has exercised their right to opt out of disclosure of directory information. For students who have not exercised their right to opt out, CSCU institutions have the authority to determine whether to release directory information and the conditions of the release.

FERPA requires institutions to define the concept of “Directory Information” for their institution so that there is clarity about what information from education records the institutions can disclose without prior consent under the directory information exception.  The primary purpose of classifying some information in the education record as directory information allows the institution to verify information about enrollment or degrees conferred for potential employers and to include information in certain publications such as:

- A playbill, showing the student's role in a drama production
- The annual yearbook
- Honor roll and other recognition lists
- Graduation programs and videos
- Sports activity sheets, such as for wrestling, showing weight and height of the team players 

Opting out of allowing the disclosure of directory information may make it difficult for potential employers to verify enrollment or degree(s) earned directly from CSCU institutions.  Instead, the student would need to provide a FERPA consent for every verification.  CSCU institutions would not be able to notify hometown newspapers about awards and honors students have received (e.g., Dean’s list), and students may not be automatically enrolled in useful communication services or college and university services (e.g., emergency alerts).

For purposes of disclosure to and access, the following are designated as directory information: 

Group	Quality Points	Data Elements
A	The public	Student's legal name Permanent mailing address (street, town and zip code) Photographs Dates of attendance (including terms) Class standing (e.g., freshman, sophomore, etc.) Major, minor, concentration and/or program of study Institutional information (institution of attendance, school and department names) Degree/Certificate/Credential candidacy Degree(s)/Certificate(s)/Credential(s) earned Academic Honors & Awards Full vs. Part-time status Anticipated graduation date Graduation date Charter Oak State College Only – email address
B	For purposes of publicizing participation in any recognized activity or sports	In addition to data elements that are classified as directory information for the public: Recognized activity or sport Team performance statistics Team position Photos and videos Athletic Honors & Awards Height and weight of athlete.
C	For access by military recruiters only	In addition to data elements that are classified as directory information to the public: Student email address (issued by the institution) Telephone number Age Place of birth (not collected by CSCU institutions) Current institution attended
D	For access by CSCU employees to support communication about students including enrollment opportunities for students between CSCU institutions	In addition to the elements that are classified as directory information to the public: Credits earned School assigned email address Disciplinary records about students who have been removed from campus for conduct reasons (including suspensions and expulsions)

 

C.    Institutional Obligations

1. Each CSCU Institution must maintain Disclosure Records of each request for access to and each disclosure of Personally Identifiable Information from the Education Records of each student.  For each request or disclosure, the record must include: a) the parties who have requested or received personally identifiable information from the education records; and the legitimate interests the parties had in requesting or obtaining the information.  Institutional data custodians must make the Disclosure Records available in response to an eligible student’s request to review such Disclosure Records. The requirement to maintain a record of disclosures does not apply to disclosures made:
1. To the eligible student
2. To a School Official with a legitimate educational interest.
3. To a party with written consent from the eligible student. Note, while recordkeeping of the disclosure is not required by FERPA, the institution must retain the student’s written consent as a part of its compliance obligations.
4. To a party seeking directory information; or
5. a party seeking or receiving records in accordance with a subpoena or court order.
6. Under certain FERPA exceptions, such as: Transfer of enrollment, Financial Aid, Health or safety emergencies, Accrediting functions, Studies conducted on behalf of the institution.
2. Each CSCU institution must develop and publish a list of school officials that students can contact to make a request to inspect, review or amend their education records.
3. Each CSCU institution must ensure that school officials identified as contacts understand their role and responsibilities to support students exercising their rights under this policy.
4. Each CSCU institution must have and use a process to review the designated school officials annually to ensure that contacts are current.
5. Each CSCU institution must develop and publish a process to receive student requests to exercise their right to opt-out of the release of Directory Information, and a process for students to change their opt-out status.
6. Each institution must develop and circulate to relevant staff, hearing procedures for handling instances when a student challenges an institutional decision not to amend their education record.  Requests to amend education records under FERPA are limited to correcting factual inaccuracies, misleading information, or privacy violations. These procedures are not intended to address academic judgments, such as grade disputes. Grade appeals or challenges to academic decisions are governed by separate institutional policies and processes. At minimum, the hearing procedures will align with the FERPA Appeal Process Requirements outlined in 34 CFR §§ 99.20-99.22. The hearing must:
1. Be held within a reasonable time after the request.
2. Provide advance notice of the date, time and place.
3. Be conducted by a disinterested party (e.g., someone without a direct interest in the outcome).
4. Allow the requestor to present evidence and have others present.
5. Result in a written decision based solely on evidence presented at the hearing.
6. The written decision must include a summary of the evidence and reasons for the decision.
7. Allow for a statement to be added to the record if the amendment is denied. If the institution still refuses to amend the record, the requester may insert a statement into the record explaining the disagreement. This statement must be maintained with the contested record and disclosed whenever the record is shared.
8. Provide that the President or designee will appoint a disinterested party to conduct any appeal hearing to determine whether an educational record is inaccurate, misleading or otherwise in violation of the student’s privacy rights.
7. Individuals with a direct interest in the outcome of the hearing are not permitted to serve on the hearing body. For instance, an institutional member serving on the hearing body must not be affiliated with the department or division involved in the student's FERPA-related conflict.

Enforcement

Unauthorized exposure of and access to student education records are security incidents.  All suspected and known security incidents must be reported immediately to the Campus Information System Security Officer (ISSO) and to the CSCU Information Security Program Office, ISPO, security@ct.edu according to CSCU’s Electronic Communication Policy IT-004.  The security team will alert the CSCU System Data Privacy Officer who will review the situation with the security team and privacy liaisons at the affected institution to complete a Privacy Incident Risk Assessment (PIRA) to determine requirements for notification under the law and recommendations for remediation.

Adherence to FERPA is required by federal law. Suspected and known violations of this policy are reported to the United States Department of Education (USED) as required by the Student Aid Internet Gateway agreement under the Federal Student Aid (SAIG agreement), and they are reported to the Connecticut Attorney General within sixty (60) days of the incident if the incident is also a breach of state law (CT PA 21-59) (C.G.S. § 36a-701b).  

Reporting Security Breaches to Students and the U.S. Department of Education
The U.S. Department considers any breach in the security of student records and information to be a demonstration of a potential lack of administrative capability. Schools' Student Aid Internet Gateway (SAIG) Agreements include a provision that they must immediately notify the U.S. Department of Education when there is a breach of security of student records and information through the Cybersecurity Breach Intake Form on the Federal Student Aid Partners website. Further cybersecurity compliance information and resources exist at the Federal Student Aid Cybersecurity Compliance site.

• Intake form link: https://fsapartners.ed.gov/title-iv-program-eligibility/cybersecurity/cybersecurity-breach-intake
• Cybersecurity compliance site link: https://fsapartners.ed.gov/knowledge-center/topics/fsa-cybersecurity-announcements-and-guidance

USED strongly encourages institutions to notify students of unauthorized access of education records. In addition to notifying the Student when unauthorized disclosures of student education data occur, the institution is required to place a notice in the student’s education record (34 CRF 99.32(a)(1), PTAC-CL, Sep 2012). Depending on the severity of the security incident, the institution may be required to offer affected Students identity theft protection.

CSCU regents, employees and volunteers who recklessly, intentionally or repeatedly misuse education records in violation of FERPA may be disciplined under the Policy 4-10 CSCU Code of Conduct for Regents, Employees & Volunteers.

 

¹United States Department of Education, Protecting Student Privacy, “Who is a parent?”, website accessed 4/22/25, https://studentprivacy.ed.gov/faq/who-parent

²CT FOIA § 1-210(b)(11) and (17) exempts education records protected under FERPA from public disclosure. This includes directory information, https://portal.ct.gov/foi/regulations/the-foi-act/sec-1210--formerly-sec-119--access-to-public-records--exempt-records

Policy History:
Adopted 3/20/06 (Community Technical Colleges Board of Trustees)
Revised 3/15/10, 12/18/14, 3/2/17, 6/24/21, 3/19/26