FERPA & GDPR

The Family Educational Rights and Privacy Act of 1974 as amended, commonly known as FERPA, is designed to protect the privacy of a student's educational records, to establish the right of students to inspect and review their educational records, and the right of students to have some control over the disclosure of information from their records. The Act is enforced by the Family Policy Compliance Office, U.S. Department of Education. SVSU takes this Act very seriously. The penalty for noncompliance can be a withdrawal of the Department of Education funds from Saginaw Valley State University.

The Essence of FERPA

• School faculty, administrators, staff and student employees may not disclose personally identifiable information about students nor permit inspection of their records without written permission of the student unless release or inspection is covered by certain exceptions permitted by the Act.
• Students may authorize the release of education record information in writing by specifying the information to be disclosed, the purpose of the disclosure and party or class of parties to whom disclosure is to be made.
• College students must be permitted to inspect their own educational records.

Please see FERPA Student Employees (166KB) and Freedom of Information Act for more information.

In accordance with FERPA regulations, SVSU will not give out private information to anyone but the student of record. If the student wants to give their parent/guardian/spouse access to their private academic and financial records they will need to sign a FERPA release form.

1. To sign over access, the student will need to go to my.svsu.edu, click on "Self-Service" under the quicklinks, when Self-Service opens click on "User Options" to the far left side, click on "Student Records Release", and then "Add Person/Relationship". Proceed to fill out appopriate information. 

2. To remove access for an individual, students must email registrar@svsu.edu using their SVSU email account and list the name/PIN number of the person they wish to remove. (Future upgrades to the system will allow students to edit access themselves). 

Please Note: If the parent/guardian/spouse does not have the four-digit pin number when they speak to an SVSU official, then the university will not release any information regardless of whether or not their name is listed by the student.

Please see FERPA Student Employees (166KB) and Freedom of Information Act for more information.

Please download this FERPA Waiver (131KB) and return it to the Registrar at registrar@svsu.edu. 

The Solomon Amendment is a federal law that requires institutions receiving certain federal agency funding to fulfill military recruitment requests for access to campus and for lists containing student recruiting information. It provides branches of the military access to student directory information which would have been denied them under the Family Educational Rights and Privacy Act (FERPA).

Solomon Amendment (AACRAO)

If you wish to have your information excluded from the directory, please remail registrar@svsu.edu using your SVSU email address. 

The GDPR applies whenever personal data is being collected on or from a person who is physically present in an EU member country. This includes recruitment and admissions activities conducted by universities and colleges located or based in the United States of America which are directed toward people who are in the EU. Since GDPR applies to any natural person located in the EU, it also extends its protections to U.S.A. students, faculty and staff when they are in the EU.

This law does not apply to students, faculty and staff including individuals from the EU while they are physically located in the U.S.A., provided that their personal data was not obtained while they were physically present in an EU country.

SVSU must make explicit the rights of individuals on whom data is processed, maintained and stored, and this must include protocols for such individuals to have access to their data, to provide consent to disclose and share their personal data, to rescind such consent and to challenge the content or substance of their personal data.

Personal Data: Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Consent: Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmation, signifies agreement to the processing of personal data relating to him or her.

Personal Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Data Subject: A natural person (not a corporate or other organizational entity). 

European Union (EU): Those countries that have ratified membership in the Union.

• See: https://europa.eu/european-union/about-eu/countries_en

Supervisory Authority: An independent public authority which is established by an EU state pursuant to GDPR.

All university activities that collect personal data from natural persons in the EU shall obtain written consent from the person concerning the collection of the information, using university-approved forms. The consent secured must both reveal the reason the personal data is being collected and how the data will be used. Any personal data collected from a natural person in the EU shall be stored, secured and accessed consistently with the SVSU ITS data security policies. Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed shall be reported to the Supervisory Authority of the EU member state within 72 hours of notice of the breach.

The individual rights of persons in the EU regarding their personal data include the rights of access, ratification, removal, restriction, portability, to object and not to be subject to automated individual decision-making and those rights shall be respected consistent with the procedures implementing this policy. Concerning academic data, including course work attempted and/or completed as well as grades associated with those courses, the University must preserve that data for legal and accrediting requirements. 

Implementation

• All university operations that collect data should perform an analysis to determine whether and to what extent the office collects personal data that could originate from natural persons in EU member states.
• All university third party contracts within those offices should be reviewed for compliance with the GDPR.
• All personnel who deal with GDPR covered data shall receive appropriate training. 

Communication

• All academic and administrative offices will be made aware of this policy through appropriate university mechanisms.

General Data Protection Regulation (GDPR) (1,277KB) - the full text of the law

The GDPR does not rescind, annul or revoke in any way the U.S.A. FERPA law that applies to institutions of higher education in the United States of America with respect to individuals not covered by the EU GDPR. However, the GDPR applies to any person (student, staff or faculty) who is physically present in the EU and on whom the university is collecting personal data irrespective of the reason for the person's presence in the EU.

Please visit the Operations Manual to review SVSU's Information Technology Services Data Security Policy.

The Provost and Vice President for Academic Affairs are responsible for enforcing the EU GDPR.

Questions and inquiries related to the GDPR can be directed to the Office of the Registrar or the Office of the General Counsel.

SVSU has established a subcommittee on the GDPR which reports to the SVSU Committee on Data Governance chaired by the Director of the Office of Institutional Research whose mission is to "enhance our understanding of what the GDPR requires of American universities, to determine how the law will affect SVSU, and to identify what policy and protocol changes we need to implement to ensure compliance. The Subcommittee's recommendations will be conveyed to the SVSU Committee on Data Governance."

The following university officials are represented on the subcommittee: 

• Registrar/FERPA Officer
• General Counsel
• Executive Director of Information Technology Services
• Manager of Information Systems Security
• Associate Director of the Office of Scholarships and Financial Aid
• Accountant, Campus Financial Services Center
• Director of International Programs
• Director of Study Abroad Programs
• Athletic Compliance Officer
• Head of Library Access Services