Skip to Main Content

Policies

You are in the main content

Policy 2112
Student Privacy

Date of Current Revision: April 2014
Primary Responsible Officer: Provost and Vice President for Academic Affairs

1. PURPOSE

The purpose of this policy is to outline the university's responsibility for compliance with laws concerning access to and privacy of student records and student information.

2. AUTHORITY

The Board of Visitors has been authorized by the Commonwealth of Virginia to govern James Madison University. See Code of Virginia section 23-164.6; 23-9.2:3.  The board has delegated the authority to manage the university to the president.

STATE OR FEDERAL STATUTE AND/OR REGULATION

The Family Educational Rights and Privacy Act of 1974 (“FERPA,” 20 USC 1232g et. seq.) is a federal law that addresses access to and confidentiality of student education records.  The Health Insurance Portability and Accountability Act of 1996 (“HIPAA,” 42 U.S.C. 1301 et seq.) is a federal law that addresses protections for personal health information. The Virginia Government Data Collection and Dissemination Practices Act (“Privacy Act,” Code of Virginia 2.2-3803(A)) is a state law that addresses the use of personal records held by state agencies.  The Virginia Freedom of Information Act (“FOIA,” Code of Virginia 42.1-76) is a state law that addresses public access to records maintained by state agencies. The Fair Credit Reporting Act (“FCRA,” 15 USC § 1681 et seq.) is a federal law that addresses fair and accurate consumer credit reporting. The Fair and Accurate Credit Transactions Act of 2003 (“FACTA,”) amended the FCRA and added requirements concerning protection of consumers from identity theft. The Gramm-Leach-Bliley Act (“GLBA,” 15 U.S.C. §6801 et seq.) is a federal law that addresses confidentiality of consumer financial information.

3. DEFINITIONS

Consumer Financial Information:
This information includes Social Security Numbers, financial account numbers, credit card numbers, dates of birth, names, addresses, and phone numbers when collected with financial data, and details of any financial transactions between the university and a student.

Directory Information:
This information includes a student’s name, telephone numbers, addresses, date and place of birth, major and minor fields of study, college of major and year (first year student, sophomore, etc.), enrollment status (full-time/part-time) including credit hours, dates of attendance, degree sought and time, degrees conferred, awards and honors conferred, participation in officially recognized activities and sports, weight and height of members of athletic teams; the most recent previous educational agency or institution attended by the student, fraternity and/or sorority and educational societies.  This list may be amended from time to time by the university. For the current list, consult the current Undergraduate Catalog.

Education Records:
Records directly related to a student and maintained by the institution or a party acting for the institution related to the student’s education. The term "education record" does not include the following:

a. Records of an instructional, supervisory, administrative, and educational nature, maintained by university officials for their personal use only.
b. Student employee records. These records may be covered by the Privacy Act.
c. Alumni records (generated after a student is no longer enrolled at the institution).
d. Student health records. These records are covered by HIPAA.
e. Records concerning a student who is deceased.
f. Law enforcement records.

FACTA:
The Fair and Accurate Credit Transactions Act of 2003.

FERPA:
The Family Educational Rights and Privacy Act.

FOIA:
The Virginia Freedom of Information Act.

GLBA:
The Gramm-Leach-Bliley Act.

Health Records:
Student health, psychiatric, and counseling records maintained in connection with the treatment of the student.

HIPAA:
The Health Insurance Portability and Accountability Act of 1996.

Hold:
An administrative action taken by the university to flag a student’s record, thus prohibiting the student from changing his or her status without clearing the administrative action by specific procedures.

Legitimate Educational Interests:
Those interests that are essential to the general process of higher education. Legitimate educational interests would include teaching, research, public service, and such directly supportive activities as academic advising, general counseling, therapeutic counseling, discipline, vocational counseling and job placement, financial assistance and advisement, medical services, academic assistance, and audit activities. In addition, legitimate educational interests include appropriate co-curricular activities that are generally supportive of overall goals of the institution and contribute to the general well being of the entire student body and specifically to many individuals who participate in these activities. These activities include varsity and intramural sports, social fraternities, specific interest clubs, and student government.

Personally Identifiable Information:
Data or information which include 1) the name of the student, the student's parent(s), or other family members; 2) the student's address; 3) a personal identifier such as a social security number or student number; or 4) a list of personal characteristics, or other information which would make the student's identify easily traceable.

Privacy Act:
The Virginia Government Data Collection and Dissemination Practices Act.

Privacy Flag:
An indication on a student’s record that he or she has requested that Directory Information not be disclosed. 

School Officials:
University employees with general or specific responsibility for promoting the educational objectives of the university. Employees whose responsibilities place them within this category include: teachers; faculty advisors; admissions counselors; academic advisors; counselors; employment placement personnel; deans, department heads, directors, and other administrative officials responsible for some part of the academic enterprise or one of the supporting activities; administrative and faculty sponsors of officially recognized clubs, organizations, etc; members, including students and alumni, of official university committees, and clerical personnel employed to assist university officials in discharging professional responsibilities.

University Health Care Provider:
University health care providers include all providers of services (e.g., the student health center, the counseling center, the athletics training facilities) and providers of medical or health services (e.g., physicians, trainers, nurses, counselors and other medical practitioners) as defined by Medicare, and any other person or organizational unit that furnishes, bills, or is paid for health care of students.

4. APPLICABILITY

This policy applies to all employees, students and individuals acting on behalf of the university.  It applies to all personally identifiable information maintained by the university concerning current or former students. For health records of a student, it applies to any university health care provider who transmits health information about a student in connection with claims, benefit eligibility inquiries, referral authorization requests, or other transactions.

5. POLICY

5.1 Although the university’s records are public documents covered by FOIA, which must be disclosed upon request by a citizen of Virginia or a representative of media doing business within Virginia, an exception within FOIA provides that FERPA protects personally identifiable information in student education records. Student health records are protected under HIPAA.  Student employment records are protected under the Privacy Act. Student consumer financial information is protected under GLBA and FACTA, and includes protection against identity theft.  

5.2 Students have privacy rights in their education records, including: 

a. The right to inspect and review their own education records, except as noted in 5.3 below.

b. The right to challenge (seek correction of) the contents of their own education records, and to have a formal hearing, if necessary, for a fair consideration of such a challenge, and the right to place an explanatory note in their own education record in the event that a challenge of contents is unsuccessful.

c. The right to control, with certain exceptions listed in 6.3 below, the disclosure of the contents of education records. This includes the right to place or remove a Privacy Flag on their education records under 6.3.B below.

5.3 The university is not required to permit students access to the following types of information in their own education record:

  • Financial information submitted by parents.
  • Confidential letters of recommendation submitted prior to January 1, 1975.
  • Confidential letters and recommendations on which a student has waived the right of inspection.
  • Any part of a record pertaining to another student.
  • Information specifically excluded under FERPA's definition of "education records.”

5.4 Under FERPA, employees and officials at the university are prohibited from disclosing personally identifiable information from student education records without the express written consent of the student.  However, the university is allowed to release information maintained in education records concerning a student without obtaining the student’s permission in certain limited circumstances outlined in 6.3 below.

5.5 A request for information that does not reveal personally identifiable information concerning any individual student is subject to disclosure under the terms of FOIA.  For responses to FOIA requests, see Policy 1103, Responding to External Requests for Information.

5.6 Student health information and student employment records will not be disclosed to individuals or entities outside of the university without the student’s permission.  Within the university, only those individuals who have a legitimate need to know the information will be given access to such information. The university will take appropriate steps to secure student health information.

5.7 The university will safeguard student financial information and take appropriate steps to protect students against identity theft.

6. PROCEDURES

6.1 Inspection
Students who wish to inspect and review their education records may do so by submitting a written request to the official responsible for the specific record desired. The responsible official must respond within 45 days of the request by sending the student a copy of the requested record or arranging an appointment for the student to review the requested data.

6.2 Copies
Copies of education records or record entries, with certain exceptions, may be obtained by the student at the cost of $.15 per page. Unofficial copies of a student's permanent academic record (transcript) will be provided at no charge. The university reserves the right to deny a copy of an education record for which a financial hold exists, or for a transcript of an original source document which exists elsewhere.

6.3 Consent
University employees who maintain education records on students generally must receive written consent from the student before releasing personally identifiable information, evidenced by a signed document.  Only in the following limited circumstances may information be released without the written consent of the student:

A. A student's education records may be released without consent to officials within the university having a "legitimate educational interest" in such information. Access by these officials is restricted only to students for whom they have professional responsibility and only to that portion of the student record necessary for the discharge of assigned duties.

B. At its discretion, the university may provide directory information concerning an individual student to anyone, unless the student specifically requests in writing that this information not be released. This request for a Privacy Flag must be submitted in writing to the Office of the Registrar within five days of the first day of classes of each school year. The request for a privacy “flag” may be withdrawn at any time by the student.

C. The university may also release personally identifiable information contained in a student's record to:

a. Officials of other institutions in which a student seeks to enroll. 
b. Government officials in connection with the audit and evaluation of federal and state-supported education programs. 
c. Persons and organizations providing the student with financial aid. 
d. Persons or organizations conducting research, studies or data collection on behalf of the university for the development of tests, administration of financial aid, or the improvement of instruction.  
e. Accrediting agencies. 
f. Parents of dependent students as defined by the United States Internal Revenue Code of 1954. Under Virginia law, the university will release information to parents of dependent students at the parent’s request. Dependency must be established by the student’s signing a dependency form in the Registrar’s Office or by the parent’s providing to the university the most recent year’s federal tax return.
g. Appropriate persons in an emergency in order to protect the health and safety of the student or of others. 
h. Parents of dependent students when the student has received mental health treatment at the health center or counseling center, if in the opinion of the treating health care provider the student is likely to be a danger to himself or others, unless the treating health care provider determines that notification will result in harm to the student, according to the Virginia Privacy Act.  
i. Courts, agencies or individuals in compliance with a validly issued judicial order or subpoena. In this case, the student will be notified in advance of disclosing the records (generally with two weeks notice), unless the subpoena specifically mandates that no notice be given.
j. Parents of a dependent student when the student has violated university rules or criminal laws concerning alcohol or drugs.

6.4 Challenging the Contents 
Students may challenge the contents of an education record that they consider to be inaccurate, misleading or otherwise in violation of their privacy rights. Students may initiate a challenge by submitting a written request to the custodian of the particular record in question who shall attempt to resolve the problem through informal discussions. If a challenge to a record is not satisfactorily resolved by this procedure, students will be informed of their right to a formal hearing, the procedures to be followed concerning such a hearing, and its composition. Students requesting a hearing will be notified in writing of the date, place, and time of their hearing. At the hearing, students may present evidence in support of their request and may be assisted by an advisor or attorney.

Decisions of the hearing panel are final. If decisions of the hearing board are unsatisfactory to students, they may place in the education records their own statement commenting on the information contained in the record and setting forth any reason for disagreeing with the decision of the hearing panel.

6.5 Waivers/permission
Students may waive any of their FERPA rights including the release of their education records by providing written consent. Such permission must be signed and dated by the student and specify the exact records to be released and the individual to whom the records should be released.  

6.6 Student Employment Records
A student wishing to see his or her employment records may request them from the office that maintains the records.

6.7 Student Health Records
A student wishing to see his or her health records may request them from the office that maintains the records, but the health care provider may decline to provide access to the student in appropriate circumstances.

7. RESPONSIBILITIES

7.1 It is the responsibility of university health providers maintaining student health information to safeguard the privacy of student health records.  

7.2 It is the responsibility of university officials maintaining student employment records to safeguard the privacy of those records. It is also the responsibility of these officials to arrange for access by the student to his or her own employment records.

7.3 It is the responsibility of university officials maintaining education records to comply with this policy and safeguard the privacy of student records.  It is also the responsibility of these officials to arrange for access by the student to his or her own education records.

7.4 The university offices maintaining education records shall keep a record of all parties obtaining access to the contents of student records (except in case of requests by students for access to their own record; by school officials with legitimate educational interests; by parties with specific written consent of the student; or by parties requesting directory information). This record of requests must identify the person(s) seeking and obtaining information contained in a record, the nature of the information disclosed, the date of the disclosure, and the notice to the student of the disclosure, if any.  The record of disclosures is available for inspection by the student identified by the record.

James Madison University maintains the following "education records" as defined by FERPA and responsibility for them as listed below.

RECORD OFFICE CUSTODIAN WEBSITE
Permanent Office of the Registrar University Registrar

http://www.jmu.edu/registrar/

Academic
(transcript)
Office of the Registrar University Registrar

http://www.jmu.edu/registrar/transcripts.shtml

Disciplinary Student Life-
Judicial Affairs
Director of Judicial Affairs

http://www.jmu.edu/judicial/

Financial Aid Financial Aid &
Scholarships
Director of Financial Aid &
Scholarships

http://www.jmu.edu/financialaid/

Financial
Accounts
Student Financial
Services
Director of Financial Services

http://www.jmu.edu/financialaid/

Placement Academic Advising &
Career Development
Director of Academic
Advising & Career
Development

http://www.jmu.edu/cap/

 

8. SANCTIONS

Sanctions will be commensurate with the severity and/or frequency of the offense and may include termination of employment.

9. EXCLUSIONS

The following records are not covered by this policy:

• Records of an instructional, supervisory, administrative, and educational nature maintained by university officials for their personal use only.

• Alumni records (generated after a student is no longer enrolled at the institution). 

• Law enforcement records.

10. INTERPRETATION

The authority to interpret this policy rests with the President, and is generally delegated to the Vice President for Academic Affairs.

Previous version:  May 2002
Approved by the President:  May 2014