St. Cloud State University Policies & Procedures

Data Privacy and Data Practice

St Cloud State University must comply with two statues regarding data:

  • State Statute: Minnesota Statutes, Chapter 13 - The Minnesota Government Data Practices Act (MGDPA)
  • Federal Statute: Family Education Rights and Privacy Act of 1974 (FERPA)

MGDPA Information

The Minnesota Government Data Practices Act is a state law that establishes a presumption that government data are public unless a federal law, a state statute, or classification of data provides that the specific data are not public. The Minnesota Government Data Practices Act regulates all aspects of data, including the collection, creation, storage, maintenance, dissemination, and access to government data in government entities.

Data Request Forms and Information

For information about data classifications, data subject rights, member of the public rights, how to make a data request, costs associated with data requests, and how SCSU will respond to data requests, refer to the Data Practices policy and procedure.

Data Request Form (pdf)

Data Release Consent Form (pdf)

Notary Identity Verification Form (pdf)

Identity Verification Guide (pdf)

Data Practices Contact Information

Data Practices Compliance Official:
Judith Siminoe, Special Advisor to the President
AS 200 | 308-2122
jpsiminoe@stcloudstate.edu

Responsible Authority:
Robbyn Wacker, President
AS 200, 308-2122

Data Practices Designee Contact Information

Data Access and Breach

In compliance with Minnesota Statute section 13.05, subd. 5, the St. Cloud State policy and procedure, Ensuring Safety of Non-Public Data, was establish to provide safeguards including that "not public data" are only accessible to persons whose work assignment reasonably requires access. Additionally, St. Cloud State provides data privacy training, data security resources, and follows Minnesota State Board Policy 5.23. Non-public data may be exposed to, or accessed by, non-authorized individuals in rare instances, such as when a work laptop is stolen or a USB Flash drive is lost. Any potential data breach should be immediately reported to the Data Practices Compliance Official (See Data Practices Contact Information section).

FERPA Information

FERPA is a federal law designed to protect the privacy of education records (Link to definition of Education record).  FERPA applies to all educational agencies and institutions that receive funding under any program administered by the US Department of Education and to private entities who perform services on behalf of those educational agencies and institutions.

Student Rights Under FERPA

This information is also sent in an annual notice to all enrolled students, as required by FERPA

  1. The right to inspect and review the student’s education record within 45 days of the day the University receives a written request for access.
  2. The right to request the amendment of the student’s education records that the student believes is inaccurate, misleading or otherwise in violation of the student’s privacy rights under FERPA.

Request to Amend or Remove (PDF)

Request for a Formal Hearing (PDF)

  1. The right to provide written consent before the University discloses personally identifiable information (PII) from the student’s education records, except to the extent that FERPA authorizes disclosure without consent.
  2. The right to file a complaint with the U.S. Department of Education concerning alleged failures by the University to comply with the requirements of FERPA. The name and address of the Office that administers FERPA is:
    Family Policy Compliance Office
    U.S. Department of Education
    400 Maryland Avenue, SW
    Washington, DC 20202-4605
    www.ed.gov/offices/om/fpco/index.html
Additional requirements concerning education records are found in the Minnesota Government Data Practices Act: www.revisor.leg.state.mn.us/statutes/?id=13.32.

FERPA Authorization of Disclosure without Consent

Generally, a student must provide written consent using the Data Release Consent Form before the University will release personally identifiable information (PII) from a student record. FERPA has made exceptions to this ruling that allows schools to disclose PII without consent in the following circumstances and/or to the following parties:

  • School officials who have a legitimate educational interest in the records in order to perform their duties
  • Another school in which the student seeks or intends to enroll
  • Accrediting organizations
  • To determine the eligibility, amount, and/or conditions of financial aid, and to determine and enforce the terms and conditions of the aid
  • Parents of dependent students if either parent has claimed the student as a dependent on their most recent year's income tax statement
  • Parents or other appropriate parties in connection with a health or safety emergency
  • Parents of a student under the age of 21 if that student violates any Federal, State, or local law, or any rule or policy of the school governing the use or possession of controlled substances or alcohol
  • Certain government officials involved in audit or evaluation of Federal or State supported programs, or for the enforcement of or compliance with the legal requirements of those programs
  • Organizations conducting studies on behalf of the school for the purposes of improving instruction or administering predictive tests or student aid programs
  • To comply with a judicial order or lawfully issued subpoena
  • To provide an alleged victim of a crime of violence or non-forcible sexual offense with the final results of a disciplinary proceeding with respect to the alleged crime
  • To any third party the final results (which can only include the alleged perpetrator’s name, the violation committed, and any sanctions imposed) of a disciplinary proceeding related to a crime of violence or non-forcible sexual offense if the student who is the alleged perpetrator is found to have violated the school’s rules or policies

Anyone requesting Directory Information unless the student has opted to restrict this information.

Definitions:

Dependent Student: a student who is a qualifying child or relative as defined in 26 U.S. Code § 152 of the Internal Revenue Code.

Directory Information: information contained in the education records of a student that would not generally be considered harmful or an invasion of privacy if disclosed. (See SCSU’s approved Directory Information List)

Education records: records that are directly related to a “student” and maintained by an “educational agency or institution” or by a party acting for the agency or institution. (The term “student” excludes individuals who have not been in attendance at the agency or institution.)

Financial Aid: payment of funds provided to an individual (or payment in kind of tangible or intangible property to the individual) that is conditioned on the individual's attendance at a school.

Legitimate Educational Interest: interests related to pursuits of higher education, conduct or discipline, the well-being of the student body, or the overall goals of the school which may include, but is not limited to teaching, research, advising, counseling, investigations, job placement, financial assistance, medical services, safety, student government, clubs, intramural sports, events, and public service. A school official only has a legitimate educational interest if the information is required to fulfill his/her professional responsibilities.

Personally Identifiable Information: data including a student’s name and other direct personal identifiers, such as the student’s SSN or student number or biometric identifiers such as fingerprints, DNA, handwriting, or facial characteristics. PII also includes indirect identifiers, such as the name of the student’s parent or other family members; the student’s or family’s address, and personal characteristics or other information that would make the student’s identity easily traceable.

School Officials: parties such as professors; instructors; administrators; health staff; counselors; attorneys; clerical staff; trustees; members of committees and disciplinary boards; and a contractor, volunteer or other party to whom the school has outsourced institutional services or functions.

Restricting Disclosure

A student may choose to restrict their directory information from being disclosed by completing a Request to Restrict Information Disclosure form. There are a few things students should understand about this restriction:

  • Even if a restriction is placed, a student’s name can still be disclosed in on-site or online classes.
  • Even if a restriction is placed, SCSU will still use a student’s directory information as needed to perform university business such as processing a financial aid application or preparing a diploma.
  • There may be consequences or inconveniences related to restricting disclosure including, but not limited to, SCSU becoming unable to: notify a potential employer of awards or degrees earned; include a student’s name in the commencement program; or acknowledge participation in a sport or student organization to a scholarship approval/advisory committee.
  • A student’s restriction remains in effect until we receive a formal written request to remove the restriction. This holds true even if a student has graduated or ceases to be enrolled. There is a section at the bottom of the Request to Restrict Information Disclosure form provided for this purpose.

St. Cloud State University Approved Directory Information List

SCSU may release the following directory information without authorization unless a restriction has been placed.

  • Name
  • Major field of study
  • Class status (freshman, sophomore, etc.)
  • Participation in official recognized activities and sports
  • Weight and height of athletic team members
  • Dates of attendance
  • Degrees and dates awarded
  • Awards and scholarships received
  • Most recent previous educational institution
  • Hometown

Approved Limited Directory List

SCSU has chosen to adopt a limited directory policy as allowed by FERPA. This means SCSU will limit to whom, and the purposes for which, the following data are disclosed. SCSU will not provide a student’s limited directory data to outside parties intending to use the information for strictly commercial marketing purposes, nor will we knowingly make the information readily available to potential identity predators. To this end, SCSU has removed its online student directory. This data will only be used internally by SCSU and the Minnesota State Colleges and Universities system as needed for university purposes. One such purpose is inclusion of limited directory data in a global address list or directory (i.e. the Microsoft Office Address Book) accessible to Minnesota State students and employees. FERPA also permits exceptions by which we may use this data such as including a student’s email address in on-site or online classes.

Limited Directory Information

  • Campus & Non-campus email address
  • Local and permanent mailing address
  • Telephone numbers
  • StarID