Student Education Data Use and Privacy

A student education record is defined as any record maintained by the University in any medium (e.g., electronic, microfilm, paper) or an agent of the university that is directly related to a student.  Examples of student education records include, but are not limited to admission applications; bio/demographic data; class enrollment and schedules; credits attempted, earned and transferred; grades; grade point averages; test scores; degrees; majors and minors; transcripts; academic standing; honors and awards; involvement in activities; misconduct; and withdrawals.

Marquette University adheres to the Family Educational Rights and Privacy Act which protects student records, as well as Marquette University Policy and Procedures 1-28:  Information Sensitivity.Student education records fall under the category of Marquette University Confidential in this policy.

Marquette University Confidential includes information that may not be disclosed publicly as a matter of law or that has value to Marquette University because it is not publicly available and is only shared internally or with selected third parties under a confidentiality obligation.  It includes information in any format and information acquired from third parties with a promise from Marquette University that it will not be further disclosed.  It is a continuum, in that it is understood that some Marquette University Confidential information is more sensitive than others and therefore must be protected in a more secure manner.

Under the Family Education Rights and Privacy Act, Marquette University has designated specific personally identifiable items as directory information. 

This means the university may release directory information items without authorization from the student, unless the student has blocked the release of such information.  It should be noted, however, Marquette University does not routinely release such information.  The Office of the Registrar is to be consulted prior to the release of any information relating to students.

Any information not listed in the aforementioned items may not be released without authorization from the student, unless required by law, or requested by an individual with a legitimate educational interest.

 Generally, only a school official with a legitimate educational interest may receive individual level record data.

A school official is:

• a person employed by the university in an administrative, supervisory, academic, research or support staff position.
• a person elected to the Marquette University Board of Trustees.
• a person hired or utilized by the university on a contractual and/or temporary basis to perform a special function (e.g., attorneys, auditors, third party vendors).
• a person utilized by the university for the purposes of verifying scholarships, honor society or other academic honors and/or selecting recipients for such honors or scholarships.
• a person utilized by the university in a volunteer capacity.

A legitimate educational interest is:

• performing a task specified in his/her position description or contract or pursuant to written/oral direction from appropriate supervisory personnel.
• performing a task related to a student's education.
• performing a task related to the discipline of a student.
• providing a service or benefit relating to the student, such as health care, counseling, job placement, honor societies and academic honors consideration, or financial aid including scholarships.

Offices that maintain student data and records reserve the right to inquire as to any requestor's intentions and role within the university.  The Office of General Counsel or the Office of the Registrar is to be consulted to ensure compliance with FERPA for the release of individual student records.

Marquette University does not share student education records with third parties except in cases where Marquette University has a signed contract with an approved vendor which provides the university with secure services and/or software used to conduct the business of the University, or unless otherwise allowed by FERPA.

Marquette University does not sell or share student education records for marketing purposes outside of the university and faculty/staff who receive student education records may not use these records for any initiatives outside of the university, such as for campaigns, marketing purposes, research, or surveys.

Marquette University does not provide aggregated data in cases where an individual student could be personally identified.

 Marquette University does not provide student education records directly to fellow students for any reason.  However, if a student is working on a Marquette University class project or is a leader of a recognized honor society, and has a faculty or staff adviser supporting the project or honor society, Marquette University may provide data to the faculty or staff adviser, for release to the student.  In such cases, the faculty or staff adviser and student requestor will be required to complete the FERPA tutorial prior to the faculty or staff adviser receiving any data.  Faculty and staff advisers, as well as students are responsible for ensuring compliance with FEPA and this policy.  Students who wish to conduct surveys of students are free to ask for volunteers among there classmates, place an ad in the Marquette Tribune, etc.  Students who wish to survey, communicate or distribute information to their students are expected to follow the polices outline in the At Marquette student handbook.  Likewise, student organizations are expected to work with the Office of Student Development to communicate or distribute information.

Students who wish to review their own education records may do so per the FERPA policy.

 Faculty or staff within the university who wish to communicate to all students or students outside of their area(s) of responsibility are advised to publish an article in NewsBriefs via the Office of Marketing and Communication, or publish the information in the student newspaper, the Marquette Tribune.

Marquette University generally does not provide student education records to faculty or staff for purposes of research, except in cases where faculty or staff conduct research to support their specific roles within the university, e.g., assess a method of teaching, develop a new curriculum.  Class observation for research purposes is restricted to Marquette University researchers; researchers must obtain permission from the course instructor and written permission from each student.  Course instructors wishing to use student education records for research must consult with the Office of the Registrar and the Office of Research Compliance regarding consent/release requirements.  Generally collection or use of student data with the intent of publication or presentation requires prior approval of the Institutional Review Board.  The Institutional Review Board/Office of Research Compliance and the Office of the Registrar confer on research protocols that involve current and/or former students or their records to ensure that all federal regulations and Marquette University polices are followed.

Individuals who need student education records in order to accomplish their required position responsibilities must utilize the Student Information Data Request form.  Faculty/staff must submit a new request for each project/initiative and must not use data previously provided.  The Office of the Registrar is generally able to reply to student education record requests within five business days except on occasion, such as at the start and end of each term.

End users may not distribute, recycle, sell, reuse or otherwise share data with others unless otherwise approved at the time of request.

The education record of a student may also take the form of a transcript, rather than a list or report.  In this case, only the Office of the Registrar ma provide transcripts to third parties, whether that be an unofficial or official transcript.  Unofficial transcripts may be generated by the college/schools, but solely for internal use purposes, such as, but not limited to:  advising, audit for degree completion, accreditation, etc.

All lists and reports produced that include student education records in electronic format are to be encrypted or password protected by the originating source and securely stored by the end user.  Thus any list or report that includes student education records received from any office must be password protected.

Likewise, any list or report containing student education records that is printed for internal use must be protected and kept in a secure location.  This includes locking the printed material in the area where the data is stored and confidential shredding of same when the printed material is no longer needed.

It is the responsibility of all faculty and staff to protect all student education records in their personal possession and/or shared within the university, and/or transmitted to any approved external parties per Marquette University Policy and Procedures 1-28:  Information Sensitivity.  This protection includes the requirement that transmission of student education records must be encrypted or password protected when transmitting this information to any other user, including those on-campus.  In addition, all users of Marquette University's electronic resources are expected to follow Marquette University Policy and Procedure 1-05:  Acceptable Use of Electronic Resources.  In the event of a data breach, individuals must follow the protocol found in Marquette University Policy and Procedure 1-23:  Unauthorized Release of Electronic Information.

Individuals who complete the FERPA tutorial and are granted access to student information are bound by the following confidentiality agreement.

I understand that student, employee, and financial information from any sources, and in any form, is confidential and is available to me solely for the performance of my official duties as Marquette employee or contractor.  I shall protect the privacy and confidentiality of student, employee, and financial information to which I have access and shall use it solely for the performance of my official duties.  I agree not to access student, employee, or financial information unless such access is required for the performance of my official duties.  I further understand that failure to comply with this agreement may lead to disciplinary action, up to and including termination, and/or civil/criminal penalties.

FURTHERMORE: 

1. I agree that I will be a responsible user of data and will not update any data in CheckMarq until I have been properly trained by a qualified person. 
2. I agree to store data obtained from any University information system or source under secure conditions. 
3. I will make every reasonable effort to maintain privacy of the data. 
4. I will make every reasonable effort to interpret the data accurately and in a professional manner. 
5. Prior to sharing data with others, electronically or otherwise, I will ensure that the recipient is authorized and has a need to access the data and understands their responsibilities as a user. 
6. I will sign off the system when not using it. 
7. I will not disclose my password to other individuals.  I will not use another person’s password.  If I have reason to believe my password, or that of another individual has been compromised or is being used by a person other than the individual to whom it was issued, I will report it to a supervisor or the Database/Security Administrator. 
8. I am responsible for protecting the security of the records and confidentiality of the information to which I have access.  Specifically: 

• • I will not use the information I have access to in an unauthorized manner. 
  • I will neither knowingly include, nor cause to be included, a false or misleading entry in any record. 
  • I will not change or delete any entry in any record unless it is done in accordance with University policies and procedures. 
  • I will not copy, reproduce, electronically print, or forward any record, except in the performance of my defined duties and in accordance with the University policies and procedures. 
  • I will not divulge, in any way, knowledge of any confidential information that I have learned. 
  • I will dispose of confidential reports in an appropriate manner when done with them.