FERPA

The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) protects the privacy of student education records. FERPA is a federal law that applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

All faculty, staff, and students, including temporary employees, student assistants and consultants, must comply with state and federal laws and University policies regarding the access to, and use of, student education records, whether these records are printed or electronic. Maintaining the confidentiality of student education records is everyone's responsibility.

Students

Yes, individuals who have been authorized as having a legitimate reason to access student education records can do so. Records will not be disclosed without written authorization. Access to student education records is strictly limited to the specific information and data that is relevant and necessary for those authorized individuals to perform their job-related duties.

Only those individuals who have been authorized as having a legitimate reason to access student education records can do so. Access to student education records is strictly limited to the specific information and data that is relevant and necessary for those authorized individuals to perform their job-related duties. However, directory information such as a student's name, address, telephone number, date and place of birth, honors and awards, and days of attendance may be disclosed by schools without authorization.

Cal State Los Angeles defines the following Directory Information:

  • Student's name
  • Address
  • Telephone number
  • Date of Birth
  • Major field of study
  • E-mail address
  • Dates of attendance
  • Enrollment Status
  • Most recent school attended

Parents

Academic records are protected under FERPA and are not considered Directory Information. FERPA protects students who are enrolled in a post-secondary institution or who have turned 18 years of age. Without an authorization form signed by the student, you may not view their academic records.

Unless the student has given written agreement, a school may not reveal personally identifiable information from a student's education record to a third party. However, directory information such as a student's name, address, telephone number, date and place of birth, honors and awards, and days of attendance may be disclosed by the school without authorization.

Cal State Los Angeles defines the following Directory Information:

  • Student's name
  • Address
  • Telephone number
  • Date of Birth
  • Major field of study
  • E-mail address
  • Dates of attendance
  • Enrollment Status
  • Most recent school attended

Staff and Faculty FERPA Training

Once their CSU Learn account has been created, newly hired employees will receive an email message from CSU Learn stating that the Data Security and FERPA training has been assigned to them.

Cal State LA staff and faculty complete the FERPA training through CSU Learn. You will need to log in through the MyCalStateLA Portal in order to access CSU Learn. In CSU Learn, click on Assigned Learning, then click on Data Security and FERPA to begin your training.

Third-party vendors complete the FERPA 101 for Colleges and Universities training available on the Department of Education website: Protecting Student Privacy. Once you have completed the training, email your certificate of completion to your Cal State LA contact or the contracting department contact at Cal State LA.

  • Security Incident Response Training 
  • PCI Compliance Training 

Request for System Access

  1. If IT security reviews a request for access and finds that Data Security & FERPA training is pending completion, the request will be held in pending status for a maximum of 30 days to allow the user to complete this requirement.
  2. Once the 30-day grace period has passed and the required training remains incomplete, the form will be closed with a status of "Closed Incomplete" and the user will need to submit a new request if the access is still needed.