FERPA applies to an educational agency or institution to which funds have been made available under any program administered by the Department of Education if the educational institution provides educational services or instruction, or both, to students; or the education agency is authorized to direct and control public elementary or secondary, or postsecondary educational institutions.

FERPA applies to an educational agency or institution to which funds Everyone who has access to protected student record data must comply with FERPA. This includes faculty, staff, and contractors/third-parties to whom access has been granted.

Education records are those records that are directly related to a student and maintained by the University or by a party acting for the University (contractors, third-parties, vendors, third-party websites). Education records does not include records that are kept in the sole possession of the maker, are used only as a personal memory aid, and are not accessible or revealed to any other person except as a temporary substitute for the maker of the record. It also does not include records of UVM Police or records that the University maintains as part of a student’s employment at UVM when those records are maintained in the normal course of business, relate exclusively to the student in their capacity as an employee and are not available for any other purpose.

Education records also include records the Center for Health and Wellbeing (CHWB) records created, maintained, or used in connection with health care treatment of students. CHWB records are protected under FERPA and not under HIPAA.

No. CHWB is not a “covered entity” under HIPAA so, therefore, that regulation does not apply. However, the University is still required to protect the privacy and confidentiality of these records as they do fall under UVM’s FERPA responsibilities.

CHWB’s Privacy Notice (PDF)

PII includes, but is not limited to:

1. The student's name;
2. The name of the student's parent or other family members; 
3. The address of the student or student's family;
4. A personal identifier, such as the student's social security number, student number, or biometric record; 
5. Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
6. Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
7. Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.

The University may disclose PII from an education record without consent if the disclosure meets one or more of the following conditions:

1. The disclosure is to school officials, including faculty and lecturers, within UVM who have a legitimate educational interest or a third party to whom the University has outsourced services or functions provided that the outside party performs a service or function for which UVM would otherwise use employees, is under the direct control of UVM with respect to the
   use and maintenance of the educational records, and is subject to FERPA’s requirements governing the use and redisclosure of PII from education records.
2. The University has implemented reasonable methods to ensure that school officials and third parties obtain access to only those education records in which they have legitimate educational interests. Depending on system capabilities, reasonable methods may include technology controls and/or written policies and procedures.
3. The disclosure is to officials of another institute of higher education where the student seeks to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student’s enrollment or transfer.
4. The disclosure is to authorized federal, state and local authorities including, but not limited to, the Attorney General of the United States and the Secretary of the Department of Education or to other State and local officials when certain conditions are met.
5. The disclosure is in connection with financial aid for which the student has applied or which the student has received but only if the information is necessary for authorized purposes. See the financial aid section for more details.
6. The disclosure is to organizations conducting studies for, or on behalf of, educational agencies or institutions to develop, validate or administer predictive tests, administer student aid programs or improve instruction and only when certain conditions are met. The use of PII from an education record for research that does not fall into one of these categories is not allowed under FERPA.
7. The disclosure is to accrediting organizations to carry out their accrediting functions.
8. The disclosure is to comply with a judicial order or lawfully issued subpoena.
9. The disclosure is in connection with a health or safety emergency and certain conditions are met.
10. The disclosure is for “directory information”, the University has provided notice to the student and has given the student the ability to opt out of the directory.
11. The disclosure, subject to certain conditions, is to a victim of an alleged perpetrator of a crime of violence or a non-forcible sex offense. The disclosure may only the disciplinary proceeding results.
12. The disclosure, subject to certain conditions, is in connection with a disciplinary proceeding. The disclosure may only contain specific information.
13. The disclosure is to a parent or legal guardian in the event the student is under the age of 21 and the student violates Federal, State or local law, or of any UVM rule or policy, governing the use or possession of alcohol or a controlled substance.
14. The disclosure concerns sex offenders and other individuals required to register under federal or state law and the information was provided to the University under applicable federal, state regulations or guidelines.

When the disclosure is for any reason not listed under the “without consent” section.

PII from student education records that was provided in connection with financial aid for which the student has applied or which the student has received may be disclosed ONLY if the disclosure is to:

• Determine eligibility for the aid;
• Determine the amount of the aid;
• Determine the conditions for the aid; or
• Enforce the terms and conditions of the aid.

Accessing, using or disclosing information obtained for this purpose outside of these allowed reasons is a violation of FERPA. Doing so puts the University’s Title IV funding at risk and also could result in a violation of the Gramm-Leach-Bliley Act (GLBA).

PI from a student education record may only be used for research under the following conditions:

1. With consent. The student is afforded the opportunity to provide consent. The consent is only valid if it specifies the records that may be disclosed, the purpose of the disclosure and to whom the disclosure is being made. Consent must also be freely given and given on a voluntary basis.
2. If the PII has been de-identified.

Under FERPA, records are considered de-identified only after ALL personally identifiable information has been removed and only when the University has made a reasonable determination that the information cannot be used by itself or in combination of other information to re-identify a student.

A code may be assigned to the data that could allow for the re-identification of the data provided that all information about how the code was generated and assigned is secured and not also shared. The code may ONLY be used for purposes of education research (described herein) and can never be used to ascertain personally identifiable information about a student. The code cannot be based on a social security number or any other personal information.

UVM’s FERPA Rights Disclosure Policy (PDF opens in new window)

The U.S. Department of Education's FERPA regulations (opens in new window)

HIPAA stands for the Health Insurance Portability and Accountability Act. This act passed by Congress in 1996 is an expansive set of rules that includes establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, an employers.

The University is considered a "hybrid entity" for HIPAA compliance purposes. This means that only certain identified components of the University are subject to the HIPAA Privacy rules. The University is able to designate some components that are medical components or group health plans that are separate and distinct from non-medical components.  Only those components that the University has identified as medical components or group health plans are subject to the privacy requirements of HIPAA.

The University has identified the following components as subject to the HIPAA Privacy Rule:

As health care providers:

• Eleanor M. Luse Center for Communication: Speech, Language and Hearing

Employee Group Health Plans

University departments that have signed Business Associate Agreements with other entities are subject to the use and disclosure provisions of the Privacy Rule.

• UVM's HIPAA FAQ's
• The Department of Health & Human Services Health Information Privacy portal

GLBA requires that financial institutions explain their information-sharing practices to their customers and to safeguard sensitive data.

GLBA applies to “financial institutions”. According to GLBA, a financial institution is a company that offers financial products or services like loans, financial or investment advice, or insurance to consumers. Since the University provides loans to students, it is a “financial institution” under GLBA and for those operations related to these loans, the University is required to comply with this regulation.

GLBA requires that the University develop a written information security plan that describes its program to protect customer information. As part of our plan, the University must:

• Designate one or more employees to coordinate its information security program;
• Identify and assess the risks to customer information in each relevant area of the University, and evaluate the effectiveness of the current safeguards for controlling these risks;
• Design and implement a safeguards program, and regularly monitor and test it;
• Select service providers that can maintain appropriate safeguards, make sure contracts require them to maintain safeguards, and oversee their handling of student financial data; and
• Evaluate and adjust the program in light of relevant circumstances or the results of security testing and monitoring.

The day-to-day compliance requirements of GLBA, for the most part, fall to employees within Enrollment Management and, specifically, the Department of Student Financial Services (SFS). However, anyone who has access to student financial data needs to be aware of GLBA and is required to comply with both the regulation and with the University’s policies and procedures related to the privacy and security of personal data.

No. Student financial information is protected under both FERPA and GLBA. Information collected by the University in it’s role as a lender cannot be used for research purposes unless an exception applies. Contact the Office of Student Financial Services for more information.

The Information Security Officer (ISO), the Chief Privacy Officer (CPO), the Registrar, and the Director for Student Financial Services (SFS) are designated as the individuals responsible for coordinating its GLBA information security program. The Associate Director for Student Financial Services has been designated as the individual with day-to-day oversight of the program.

• UVM’s GLBA Information Security Program (PDF)
• The Federal Trade Commission’s information website

GDPR was enacted by the European Union to provide greater protections and rights to EU data subjects.

GDPR covers personal data on “data subjects” regardless of where we are physically located. There are many reasons why GDPR pertains to UVM. Data subjects may include, but are not limited to:

• Students from the EU studying at UVM
• Research affiliates in the EU
• Research participants in the EU
• Employees, guest lecturers, visiting scholars from the EU
• Students traveling to the EU for study abroad
• Donors
• Alumni
• Vendors from the EU

We also care about it because the fines and penalties are some of the highest we’ve seen for these types of regulations.

GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses. While GDPR provides discretion to the enforcement agencies in determining the amount of the fine(s), the regulation specifies two tiers of fines. The first is for less severe infringements and could result in fines up to € 10 million euro (depending on current conversion rates, that could be around $11.2 million US dollars) or 2% of worldwide yearly revenue, whichever is higher. The higher tier allows for fines up to € 20 million euro (around $22 million US dollars) or 4% of worldwide yearly revenue, whichever is higher.

UVM’s GDPR Notice (opens in new window)

The European Union’s GDPR page (opens in new window).

9 V.S.A. § 2435, more commonly known as the Vermont Data Breach Notification Law, requires businesses and state agencies to notify the Attorney General and consumers in the event it suffers a “security breach”. The law requires that businesses notify the Attorney General within 14-days (unless they have obtained a waiver of this requirement) and that they notify individuals as soon as possible and without unreasonable delay, and no later than 45 days after discovery or notice of the breach.

A security breach under Vermont law is defined as the “unauthorized acquisition or a reasonable belief of an unauthorized acquisition of electronic data that compromises the security,confidentiality, or integrity of personal information maintained by” the University of Vermont.

Personal information is defined as an individual’s first name or initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or protected by another method that renders them unreadable or unusable by unauthorized persons:

• Social Security Number;
• Motor vehicle operator’s license number or non-driver identification card number;
• Financial account number or credit or debit card number, if circumstances exist in which the number could be used without other identifying information, access codes or passwords; or
• Account passwords or personal identification numbers or other access codes for a financial account.

• UVM’s policy on Data Breach Notification (PDF opens in new window)
• The Vermont Attorney General's Privacy and Security website (opens in new window)

22 V.S.A. § 171-173 requires that libraries keep user registration and transaction records confidential. Under this law, a library cannot disclose records about someone's use of library resources and services to anyone outside the library unless an exception applies.

The only exceptions to the disclosure prohibition are when the request is made under an authorized judicial order or warrant directing disclosure or when the library user has given written permission for the disclosure.

According to 1 V.S.A. § 317(C)(19), library patrons' registration records and transaction records are exempt from public inspection and copying.

The UVM Libraries Confidentiality Policy Statement and Procedures (opens in new window).