STUDENT- AND COURSE-DATA ACCESS POLICY

This policy, governing access to student and course data, resulted from the recommendations of a campus committee appointed by the Provost and Vice Chancellor for Academic Affairs and from subsequent administrative review.

Student Data:
Campus student-data access policy is predicated on requirements imposed by the Family Educational Rights and Privacy Act of 1974 (FERPA); more complete information about the campus implementation of FERPA can be found in the Code on Campus Affairs and Handbook of Policies and Regulations Applying to All Students. Related requirements governing the release and use of individually identifiable data for research can be found in the Handbook for Investigators: For the Protection of Human Subjects.

Course Data:
Generally, access privileges to course information are established by the Associate Provost (333-2353) and the Office of Facility Management and Scheduling (333-1233). FERPA governs access to course information only in so far as it is contained in the records of individually identifiable students. State statute places further limits on the use of some student and course information, because the information is state property.

Data administration offices (those offices assigned the responsibility for campus-level management of data) have primary responsibility (a) for ensuring the security and proper use of data, (b) for evaluating how data will be transmitted to users, and (c) for determining levels of appropriate access for prospective users. Such offices will apply the policies in this document, weighing the goals of maximizing authorized data access against minimizing the risk of unauthorized access. Data requesters may seek higher review of administrative decisions according to generally accepted administrative guidelines.

Data administration offices assume the responsibility of disseminating information about data-access policies through printed material and staff training. In accepting access to student and course data, data users assume the responsibility of familiarizing themselves with campus policies on data access and use and of complying with those policies. Advice on data use and storage is available from offices that administer primary student and course databases and from the University Research Board. Some important elements of those policies are included on the following pages.

Access privileges are granted to specific users with defined needs. Authentication of user identity is a principal element in access control. Access control will preserve and monitor access to granted privileges and will monitor user identity.

STUDENT DATA

For the purposes of this policy, student data are classified as directory information, information that must only be used under certain restricted conditions, generally by University staff for official use.

The principal test for access privileges to nondirectory information is that the requester have "a legitimate educational interest" in the data for which access is requested. The principal requirement is that the data user limit data use to that required for fulfilling officially assigned University responsibilities.

Data may be transferred among University staff in the discharge of University responsibilities. Data must not be released to third parties outside the University, including parents of students, that FERPA considers legal third parties. Designated staff may release data in emergency situations, and parents of dependent students may certify themselves as such and be given access to their children's records.

While the audience for data access changes over time, general categories of data users and types of use are described below. Additional specific operating guidelines may apply.

DIRECTORY INFORMATION. The campus has identified the following as items of directory information: name; addresses (local and home); telephone numbers; college, curriculum and major field of study; class level; date of birth; dates of attendance and full- or part-time status; eligibility for membership in registered University honoraries; degrees, honors, and certificates received or anticipated; weight and height, if an athletic team member; participation in officially recognized activities and sports; and institutions previously attended.

1. Directory information will be made available to all UIUC staff for official use.
2. *Student organizations may have access only to directory information, only upon application to and with the approval of the dean of students or the college dean, for single college organizations. Faculty/staff advisers of registered organizations may have access to machine-processable directory information by completing an agreement in which they accept responsibility to ensure that heir organizations are in compliance with data-access policy.
3. *The standard source of directory information for non-University organizations is the Student/Staff Directory. These organizations may be given additional access, where, in the opinion of University administrators, the organization's use of the data directly supports a University-sanctioned service.
4. *Honorary organizations whose directors and selection committees are not composed entirely of faculty may have access only to directory information for membership selection.
5. Directory information provided to units other than academic and administrative ones is released only for the purpose described in the request. Other use is strictly prohibited.

NONDIRECTORY INFORMATION. All data collected about students that are not specifically defined as directory information are considered nondirectory information. General categories of nondirectory information include identification, demographic, address, admissions (class ranks, standardized test scores, post-secondary grades), detailed previous institutional attendance, standardized tests, placement and proficiency exam, UIUC program participation, academic status, UIUC course enrollment and grades, teacher certification, evaluation of degree progress, family financial data, financial needs, financial aid awards, student account, loan repayment and other financial performance, and details about eligibility for participation in athletic events.

GLOBAL PRIVILEGES. (All data for all students). College deans and principal advisory staff in college offices; chief advisers in schools and academic departments; data administration offices; and senior administrative staff in student affairs units have access to these data.

COHORT PRIVILEGES. Cohorts of student records may be organized in any of four general ways:

• By student's advising college/department — Advising units have access to all data for the students they advise.
• By student course enrollment — Teaching units have access to that information necessary for the administration and evaluation of their teaching activities. This includes information necessary for the ordinary operation of teaching activities and information used in research efforts to improve instructional effectiveness. Faculty members who have no advising responsibilities do not have access to academic history information of individual students.
• By program participation — Units that operate student support programs have full or selected data about students in that unit's program.
• By special cohorts identified from the basic eligibility criteria of honorary organizations — If the entire membership of the executive and membership selection committees are faculty members, the organization may have access to nondirectory information for the purpose of selecting prospective members.

STUDENT CONTROLLED PRIVILEGES. Students may allow access to their records by prior consent.

• Users not otherwise eligible to access directly nondirectory information may obtain such access by obtaining the student's written permission to access centrally stored data.
• Students may grant access to centrally stored data by providing their network ID and password to staff for example, to those advisory staff who would not otherwise have such access.

Stripped of data elements that can identify individual students, student records on selected databases are made available to all campus staff for unlimited research use without special prior review. Published research results must still ensure the anonymity of research subjects.

Where University faculty and staff researchers must maintain the individual identity of the subject throughout the research, for example, where it is necessary to merge student data with other independently collected subject data, data will be provided to those researchers upon prior written request that complies with FERPA and the Institutional Review Board's guidelines.

Students may update those items of their own data that are appropriate and where procedures can be developed to authenticate student identity reliably.

Other update access to student and course data is established by common agreement between the primary data administrators and other campus units in a position to collect data effectively.

For access considerations, course data are classified as published information that is public and as nonpublished information for which there is restricted access. Published information is typically that which appears in the Courses, Undergraduate Programs, and Graduate Programs catalogs, and in the Timetable. Nonpublished information includes the data maintained by departments in the management of seat assignment and research data about instructional programs.

Students, staff, and the general public are granted display privileges for all published course information. This information may not be electronically copied or reproduced without University permission.

Access to nonpublished course information is generally limited to teaching departments, those beyond departments in the administrative reporting path to the Chancellor, and those administrative departments authorized by the Provost and Vice Chancellor for Academic Affairs.

Questions concerning this policy statement should be directed to the Associate Director for Systems, Office of Admissions and Records, 333-6383 or Assistant Vice President for Systems Development, Office of Administrative Information Technology Services, 244-0100.