Skip to main content
UCLA X icon logo

Credit, Grading and the Continuing Education Unit - AA121

Last Reviewed: May 2016

Intent

The purpose of this policy is to reaffirm our commitment to protect the confidentiality of our students’ and other clients’ records and all personally identifiable information (PII) contained therein, to limit as required by law the PII for which we prompt to just that necessary to conduct approved business functions, and to memorialize our specific obligations under UC and UCLA policies, federal law, state law, and bank and credit card consortium regulations regarding the management of the data contained therein.

 

Definitions

  • The term "student record" pertains to personally identifiable information regarding any person who enrolls, or who has enrolled at UCLA Extension. Such records include elements such as names and contact information, grades, posted awards of certificates, transcripts, test scores, general counseling and advising records, disciplinary records, financial aid records, payment histories and records of indebtedness, and records pertaining to non-immigrant visa status.
  • The term “client record” pertains to personally identifiable information regarding persons (including corporate persons, partnerships and certain students) who establish a relationship with UCLA Extension that obligates them to pay in the future for services we agree to provide now or in the future, or that engage in agency agreements that oblige them to make payment to us on behalf of others. In common use, “client records” are held in Extension’s Accounts/Receivable system.
  • "Disclosure" is the act of permitting access to records, or otherwise releasing, transferring, or transmitting the personally identifiable information contained therein, orally, in writing, or by electronic or any other means, to any party.
  • A “directory” is defined as a listing of students made available to them in order to facilitate their contact with one another. Extension has historically not published directories, but plans to do so with the release of a student web portal.
  • The term "directory information," as used in Federal and State statutes with respect to students, is synonymous with "public information" as used in University policy. "Public information" is limited to the student’s name, address (local or permanent), telephone numbers, e-mail address, date of birth, dates of attendance, participation in official activities such as classes and programs, and certificates and honors received.
  • Roster” is defined as a report displaying the identities of students enrolled in classes, administrative fee sections, and programs. The principal user of the roster is the instructor for identifying students and thereby controlling access to the classroom.
  • Transcript” is defined as an official copy of a student’s record of academic work. Transcripts are routinely produced by the Records Office in Student Services at the request of students.

 

Custodial Responsibility

In accordance with the State of California Information Practices Act of 1977, UCLA Extension will maintain in its student records (in any format) only that personally identifiable information (PII) that is relevant and necessary to accomplish its mission of continuing education, this in addition to data collected to comply with state or federal law. The Dean and his/her delegates will have final approval on what a student can be asked to present as a requirement to receive services from UCLA Extension. (See below Privacy Notification.) The Dean and his/her delegates will have final approval on what a student can be asked to volunteer such that data legitimately contributes to a statistical understanding of Extension’s clientele. The Dean has final authority on just what constitutes an approved business function.

The Director of Student and Alumni Services is the principal administrative officer responsible for archiving, recording, retrieving, and disclosing public and private information from student records. Inasmuch as the disclosure of information from student records is delegated to the staff of Student and Alumni Services and to other staff, and that improper disclosure exposes students to risk of identity theft and the University to sanctions and financial loss, the Director or his/her designee will conduct mandatory annual training. The purpose of the training will be to acquaint and remind staff of their responsibility under this policy and other University policies, as well as statutory obligations under state and federal law and our security obligations as a credit card merchant. Access by staff to various types of student data is predicated on a “need to know,” with the test of “need” defined as that which is required for the successful completion of an assigned task.

The Director of Budget and Financial Services is the principal administrative officer responsible for archiving, recording, retrieving, and disclosing public and private information from client records. Inasmuch as the disclosure of information from client records may involve information about students, and that in any event improper
disclosure may result in sanctions being imposed on the University, the Director or his/her designee will conduct training as described above. Access by staff to various types of client data is predicated on a “need to know,” with the test of “need” defined as that which is required for the successful completion of an assigned task.

The Manager of Enrollment and Payment Services is the administrative officer immediately responsible for physical security of receipts, for compliance with the University’s Policy on Handling Cash and Cash Equivalents, and Credit Card merchant agreements. The incumbent will annually coordinate the review of and identify new requirements of Payment Card Industry (“PCI”) security compliance.

The Director of Information Technology Services is the principal administrative officer responsible for the security of electronically stored data.

 

Use of Destiny Functions and High-Security Document Requirements

The mode by which information is stored can either increase or mitigate risks of liability due to unauthorized access or release. UCLA Extension’s Destiny student information system supports a capacity for the online storage of unencrypted PDF images of documents attributable to students’ and instructors’ records. The following
provision defines how these PDF document storage capabilities will be used to our greatest advantage and with no additional risk.

Digital Document Storage – Academic Decision Support. Using Destiny, program department personnel may capture image files of documents, including correspondence and academic transcripts that memorialize CEs’approval (or rejection) of petitions for admission into restricted programs and classes, and for course waivers and advanced standing in certificate and sequential program curricula. Documents will be scanned and stored after redaction to eliminate PII such as Social Security numbers, and any contact information. No other documents about students will be stored in Destiny. The documents so stored will be available to staff in the Registrar’s Office to verify students’ completion of certificate programs. Registrar’s Office staff have a standing directive to remove any document images that are unrelated to program admission, progress or completion incidentally found in the students’ file.

 

Third Party Disclosures, Pseudonymous Identities and Release Options 

Students may ask the Records Office to release transcripts to third parties. Grade reports (not full transcripts) can be made to a corporate entity for whom we are delivering instruction without the explicit prior consent of the student if the student has been provided notice of our intent to do so. The Records Office will retain a record of to whom each transcript has been sent for a period of five years. Requests for release of students’ records in response to a subpoena or other valid lawful process will be stored in the Records Office for a minimum of five years as required by law.

Directory information contained in students’ records may not be disclosed to third parties without the students’ explicit permission; except, with conferences jointly offered by UCLA Extension and another organization, and where the joint responsibility for the program is clearly disclosed to all who enroll, students can expect that contact information presented at the time of enrollment can and will be shared with the other organization.

UCLA Extension staff, and public personalities such as published authors, stage and screen actors, sports figures and holders of or candidates for public office may from time to time request a pseudonymous identity thus protecting their identity even further. Requests for pseudonymous identity will be referred to the Registrar or the Manager of Academic Records in Student Services.

 

Inadvertent Disclosures due to Data Security Breaches

As required by section 1798.29 of the California Civil Code, in the event of a believed or proven unauthorized acquisition of computerized student data in which a name is acquired in combination with a social security number (SSN), or a credit or debit card number with expiration date (enabling access to students’ financial account); and, when either the name or the credit, debit or social security number is not encrypted, prompt notice must be made to the affected students. Notice can be achieved by letter, by e-mail notice, or with a conspicuous posting on the web site.

 

Preventing Attempts by Unauthorized Third Parties to Obtain Student and Client Information

In compliance with regulations arising from the federal Fair and Accurate Credit Transactions Act of 2003, The Director of Student Services shall maintain a “controls matrix” of “red flags” to identify suspicious circumstances that could be used by criminals to inappropriately steal information and/or the identity of persons whose records are stored in what are defined in the law as “covered accounts.” A mandatory annual training program will be conducted by the Manager of Enrollment and Payment Services that surveys for what may be new covered accounts, draws attention to known “red flags,” and prompts staff to recommend amendments to the controls matrix with respect to prevention, reporting, and remedial actions. In compliance with federal regulations, a report shall be prepared for review by the Dean of UCLA Extension, and others in authority at UC or UCLA as UC and UCLA may later prescribe, of any successful, fraudulent theft of information about our clientele.

The annual training conducted to achieve compliance with the federal regulations may be combined with the mandatory annual training for card payment industry security standards compliance.

 

Public Notices / Catalog Copy

Public notice of the Family Educational Right and Privacy Act of 1974 (FERPA) and general privacy is required both by law and by University Policy. The following text or a contextually meaningful equivalent will appear in catalogs and on the web:

Under provisions of the federal Family Educational Rights and Privacy Act of 1974 ("FERPA," 20 U.S.C. sec. 1232g), you have the right to:

  • Inspect and review records pertaining to you in your capacity as a student;
  • Have withheld from disclosure, absent your prior consent for release, personally identifiable information from your student records, except as provided by the Federal Act and University Policies;
  • Inspect records maintained by the University of disclosures of personally identifiable information from your student record;
  • Seek correction of your student record through a request to amend the records, subsequently through a hearing;
  • File complaints with the Department of Education regarding alleged violations of the rights accorded you by the Federal Act.

FERPA allows Universities to confirm attendance and publish directories of their students without their prior consent, but requires a procedure to be presented allowing you to opt out. Certain conferences and short courses are designed to support professional networking opportunities and will include provisions for nametags and the sharing of participant rosters. When planned with such support, notice will be provided in the course listing. Students may opt out of planned participant rosters by sending an e-mail to Records@uclaextension.edu. For all other programs, students are welcome to opt in to our published participant communities available at MyExtension.

The California Civil Code, section 1798.17 obliges us to explain to students completing any form for service the rationale for requesting personal information, and the consequence of not completing information indicated as required. The following text or a contextually meaningful equivalent will appear in catalogs and on the web:

Privacy Notification

Furnishing all information required on forms presented by UCLA Extension is mandatory with the exception of Social Security number (SSN), date of birth, gender, educational level and ethnic identity. Failure to provide required information will delay or may even prevent completion of the action for which the form is being filled out.

  • Information that is not required but which we ask you to volunteer (such as gender, educational level and ethnic identity) will be used solely for statistical purposes to measure the diversity of the audience we serve. 
  • If you do not have or could not provide us with your SSN/TIN, you will be permitted to enroll; however, UCLA Extension will not be able to provide the IRS with evidence of fee payments that might entitle you to tax credits provided under the Taxpayer Relief Act of 1997. Each year in December, UCLA Extension will conduct an annual solicitation of students whose records are subject to IRS reporting but where the SSN/TIN field remains blank, this to ensure that an oversight on your part can be addressed. You may append your record online at any time by logging in to MyExtension, or submit IRS form W-9S by mail to UCLA Extension Records Office, 10995 Le Conte Avenue Room 113, Los Angeles, CA 90024.
  • Consistent with California practice for amending tax returns, UCLA Extension’s interest in retaining SSN for reporting purposes expires 4 years beyond the tax year in which you enroll. SSN data are stored in an encrypted state. You may request at any time to have SSN data deleted.
  • Information you furnish may be used by University departments and publicly announced program co-sponsors for distribution of information on future programs and activities of interest to you. This and other information will be transmitted to the state and federal government if required by law.
  • The official responsible for maintaining the information requested on forms in this catalog or website is the Registrar, UCLA Extension, P.O. Box 24901, Los Angeles, CA 90024-0901.

 

Instructor Guide Copy

To ensure that instructors are properly advised and provided formal notice about students’ rights to privacy, the following language will appear on the Instructor Contract website and thereby be incorporated into their contracts:

Grading Policy. Grades are considered private information under the federal Family Educational Rights and Privacy Act (FERPA). You may not publicly post grades for all students to see, even for group exercises. You may not disclose students’ final grades or the grades on any interim exercises to any third party, including the parents of minor children.

and

You will be able to view rosters of your students both within the Canvas LMS and through the Instructor Portal, but you will find no address, phone or email contact information. This omission is by design. California Civil Code [sec. 1798] prohibits the University from distributing this information to persons without explicit authorization of the party of record, and UCLA Extension policy prohibits the distribution of student and instructor mailing list/directory information to persons who have no defined business purpose or need. Adult students tend to covet their privacy. We therefore begin with a bias favoring students’ privacy.

 

References and Listing

This policy will be publicly listed. Questions and comments are welcomed by the Office of the Dean, Continuing Education and UCLA Extension, (310) 825-2362; DeansOffice@uclaextension.edu.

See also:

  • Family Educational Rights and Privacy Act of 1974, 20 United States Code, Sec 1232g et. seq.
  • Federal Privacy Act of 1974, 5 USCA, Sec 552a et. seq.
  • Information Practices Act of 1977, California Civil Code, Section 1798 et. seq.
  • Taxpayer Relief Act of 1997, 26 USC 6050S.
  • Fair and Accurate Credit Transactions Act of 2003, as amended. 
  • Federal Trade Commission “Red Flag” Guidelines, Appendix A, 16 CFR 681.
  • Public Records Act, California Government Code, Section 6250 et. seq.
  • University of California, Office of the President. Business and Finance Bulletin, Series BUS number 49. Policy for Handling Cash and Cash Equivalents. Rev. September 28, 2008.
  • University of California, Office of the President. 130.00 Policies Applying to the Disclosure of Information from Student Records. UC Systemwide Policies and Guidelines. Student Affairs Administration, UC Policies on Campus Activities, Organization and Students, revised August 15, 1994.
  • University of California, Office of the President. RMP 8: Legal Requirements on Privacy of and Access to Information. UC Systemwide Policies and Guidelines. Business and Finance Administration, UC Business and Finance Bulletins, UC-BFB RMP Series-Records Management, July 1, 1992.
  • University of California, Office of the President. Section 7: RMP-7, Privacy of and Access to Information Responsibilities. UC Systemwide Policies and Guidelines. Business and Finance Administration, UC Business and Finance Bulletins, UC-BFB RMP Series-Records Management, November 1, 1985.
  • UCLA Extension. SA504.1 Procedures Regarding Access to and Disclosure of Information about Students. UCLA Extension Policies and Procedures. Procedures.
  • UCLA Extension CC270 Records Management and Retention