Student studying in the courtyard

FERPA: The Family Educational Rights and Privacy Act

SVSU policy grants access to students to their educational records under the conditions that conform to the Family Educational Rights and Privacy Act of 1974, as amended. This policy is regulated by U.S.A. federal guidelines. Directory information may be published or released unless a student informs the Office of the Registrar, in writing before the first day of classes each semester that any or all items should not be released without the prior consent of the student. The request to withhold directory information is valid until the end of August in the current academic year. Directory information is defined to include the student’s name, address, telephone listing, email address, date of birth, place of birth, major field of study, dates of attendance, degrees, awards and the most recent educational institution attended by the student. In addition, participation in officially recognized activities and sports, and weight and height of members of athletic teams will be considered directory information, as well.

*At SVSU, FERPA attaches or applies once the new student first attends class at SVSU. Physical attendance notwithstanding, in cases of hybrid or online classes, the student’s first day of classes for the semester marks when FERPA applies or attaches.   

For more information, please visit the U.S. Department of Education - FERPA.

 

The Family Educational Rights and Privacy Act of 1974 as amended, commonly known as FERPA, is designed to protect the privacy of a student's educational records, to establish the right of students to inspect and review their educational records, and the right of students to have some control over the disclosure of information from their records. The Act is enforced by the Family Policy Compliance Office, U.S. Department of Education. SVSU takes this Act very seriously. The penalty for noncompliance can be a withdrawal of the Department of Education funds from Saginaw Valley State University.

The Essence of FERPA

  • School faculty, administrators, staff and student employees may not disclose personally identifiable information about students nor permit inspection of their records without written permission of the student unless release or inspection is covered by certain exceptions permitted by the Act.
  • Students may authorize the release of education record information in writing by specifying the information to be disclosed, the purpose of the disclosure and party or class of parties to whom disclosure is to be made.
  • College students must be permitted to inspect their own educational records.

Please see FERPA Student Employees (166KB) and Freedom of Information Act for more information.


In accordance with FERPA regulations, SVSU will not give out private information to anyone but the student of record. If the student wants to give their parent/guardian/spouse access to their private academic and financial records they will need to sign a FERPA release form. To sign over access, the student will need to go to my.svsu.edu, select "Students" under "Self Service (Cardinal Direct)," select "Privacy Settings" and then select "Personal Information Release" where they must then fill out the appropriate information. 

Please Note: If the parent/guardian/spouse does not have the four-digit pin number when they speak to an SVSU official, then the university will not release any information regardless of whether or not their name is listed by the student.

Please see FERPA Student Employees (166KB) and Freedom of Information Act for more information.


Please download this FERPA Waiver (131KB) and return it to the Registrar at registrar@svsu.edu


GDPR: General Data Protection Regulation of the European Union

The European Union (EU) Parliament enacted the General Data Protection Regulation (GDPR) as its primary regulation designed to protect personal data that businesses and organizations compile, process and maintain on individuals. The GDPR became effective on May 25, 2018.

The GDPR is premised on the principle that the privacy of personal data is a fundamental human right in a world where there are ever-increasing amounts of personal data stored by businesses and organizations, including higher education. GDPR is enforceable for any business or organization of any size that controls or processes the personal data of individuals in the EU, regardless of where the controller or processor is physically located or where the actual data processing occurs. Entities that are found to be in violation of the GDPR are subject to the imposition of significant monetary penalties. 

Any U.S.A. university or college that recruits and admits students who are physically located in the EU is subject to the stipulations of the GDPR. If university or college officials located outside the EU interact with prospective students, current students, faculty or staff who are located inside the EU, then the GDPR applies. However, GDPR does not apply to prospective or current students (currently enrolled in a U.S.A. institution) who are EU citizens if the personal data on them is gathered while they are outside the EU.

All university activities that collect personal data from natural personals in the EU shall obtain written consent from the person concerning the collection of the information using university-approved forms. Please see SVSU's Policy on GDPR (601KB)

For more information, please visit the official EU Commission website.

The GDPR applies whenever personal data is being collected on or from a person who is physically present in an EU member country. This includes recruitment and admissions activities conducted by universities and colleges located or based in the United States of America which are directed toward people who are in the EU. Since GDPR applies to any natural person located in the EU, it also extends its protections to U.S.A. students, faculty and staff when they are in the EU.

This law does not apply to students, faculty and staff including individuals from the EU while they are physically located in the U.S.A., provided that their personal data was not obtained while they were physically present in an EU country.

SVSU must make explicit the rights of individuals on whom data is processed, maintained and stored, and this must include protocols for such individuals to have access to their data, to provide consent to disclose and share their personal data, to rescind such consent and to challenge the content or substance of their personal data.


Personal Data: Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmation, signifies agreement to the processing of personal data relating to him or her.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Subject: A natural person (not a corporate or other organizational entity). 

European Union (EU): Those countries that have ratified membership in the Union.

Supervisory Authority: An independent public authority which is established by an EU state pursuant to GDPR.


All university activities that collect personal data from natural persons in the EU shall obtain written consent from the person concerning the collection of the information, using university-approved forms. The consent secured must both reveal the reason the personal data is being collected and how the data will be used. Any personal data collected from a natural person in the EU shall be stored, secured and accessed consistently with the SVSU ITS data security policies. Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed shall be reported to the Supervisory Authority of the EU member state within 72 hours of notice of the breach.

The individual rights of persons in the EU regarding their personal data include the rights of access, ratification, removal, restriction, portability, to object and not to be subject to automated individual decision-making and those rights shall be respected consistent with the procedures implementing this policy. Concerning academic data, including course work attempted and/or completed as well as grades associated with those courses, the University must preserve that data for legal and accrediting requirements. 

Implementation

  • All university operations that collect data should perform an analysis to determine whether and to what extent the office collects personal data that could originate from natural persons in EU member states.
  • All university third party contracts within those offices should be reviewed for compliance with the GDPR.
  • All personnel who deal with GDPR covered data shall receive appropriate training. 

Communication

  • All academic and administrative offices will be made aware of this policy through appropriate university mechanisms.

General Data Protection Regulation (GDPR) (1,277KB) - the full text of the law


The GDPR does not rescind, annul or revoke in any way the U.S.A. FERPA law that applies to institutions of higher education in the United States of America with respect to individuals not covered by the EU GDPR. However, the GDPR applies to any person (student, staff or faculty) who is physically present in the EU and on whom the university is collecting personal data irrespective of the reason for the person's presence in the EU.


Please visit the Operations Manual to review SVSU's Information Technology Services Data Security Policy.


The Provost and Vice President for Academic Affairs are responsible for enforcing the EU GDPR.

Questions and inquiries related to the GDPR can be directed to the Office of the Registrar or the Office of the General Counsel.


SVSU has established a subcommittee on the GDPR which reports to the SVSU Committee on Data Governance chaired by the Director of the Office of Institutional Research whose mission is to "enhance our understanding of what the GDPR requires of American universities, to determine how the law will affect SVSU, and to identify what policy and protocol changes we need to implement to ensure compliance. The Subcommittee's recommendations will be conveyed to the SVSU Committee on Data Governance."

The following university officials are represented on the subcommittee: 

  • Registrar/FERPA Officer
  • General Counsel
  • Executive Director of Information Technology Services
  • Manager of Information Systems Security
  • Associate Director of the Office of Scholarships and Financial Aid
  • Accountant, Campus Financial Services Center
  • Director of International Programs
  • Director of Study Abroad Programs
  • Athletic Compliance Officer
  • Head of Library Access Services

CONTACT US.






Office of the Registrar
Wickes 151
registrar@svsu.edu
(989) 964-4085