[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[H.R. 3157 Introduced in House (IH)]

114th CONGRESS
  1st Session
                                H. R. 3157

  To amend the General Education Provisions Act to strengthen privacy 
                 protections for students and parents.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             July 22, 2015

    Mr. Rokita (for himself, Ms. Fudge, Mr. Kline, and Mr. Scott of 
  Virginia) introduced the following bill; which was referred to the 
                Committee on Education and the Workforce

_______________________________________________________________________

                                 A BILL


 
  To amend the General Education Provisions Act to strengthen privacy 
                 protections for students and parents.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Student Privacy Protection Act''.

SEC. 2. REFERENCES.

    Except as otherwise expressly provided, whenever in this Act an 
amendment or repeal is expressed in terms of an amendment to, or repeal 
of, a subsection or other provision, the reference shall be considered 
to be made to a subsection or other provision of section 444 of the 
General Education Provisions Act (20 U.S.C. 1232g) (commonly known as 
the ``Family Educational Rights and Privacy Act of 1974'').

SEC. 3. FERPA SHORT TITLE.

    Subsection (a) (20 U.S.C. 1232g(a)) is amended to read as follows:
    ``(a) Short Title.--This section may be cited as the `Family 
Educational Rights and Privacy Act of 1974'.''.

SEC. 4. REQUIREMENTS.

    Such section (20 U.S.C. 1232g) is amended by striking subsection 
(b), except for paragraph (1)(J), and inserting the following:
    ``(b) In General.--No funds shall be made available under any 
applicable program to any educational agency or institution, or State 
educational authority, unless such agency or institution, or State 
educational authority, complies with the following requirements:
            ``(1) Parental access.--
                    ``(A) Educational agency or institution.--The 
                educational agency or institution shall not deny or 
                effectively prevent the parents of students who are or 
                have been in attendance at a school of such agency or 
                at such institution, as the case may be, the right to 
                inspect and review the education records of their 
                children. If any material or document in the education 
                record of a student includes information on more than 
                one student, a parent shall have the right to inspect 
                and review only such part of such material or document 
                that relates to such parent's child.
                    ``(B) Appropriate procedures.--
                            ``(i) In general.--The State educational 
                        authority shall establish appropriate 
                        procedures for the granting of a request by 
                        parents for access to the education records of 
                        their children who are or have been in 
                        attendance at any educational agency or 
                        institution under the jurisdiction of the State 
                        educational authority.
                            ``(ii) Reasonable response time.--The 
                        educational agency or institution, or the State 
                        educational authority, shall establish 
                        appropriate procedures for the granting of a 
                        request by parents for access to the education 
                        records of their children within a reasonable 
                        period of time, but in no case more than 30 
                        days after the request has been received.
            ``(2) Restrictions on parent and student access.--
                    ``(A) Restrictions.--The educational agency or 
                institution shall not make available to students 
                enrolled in an institution of higher education the 
                following:
                            ``(i) Financial records of the parents of 
                        the student or any information contained 
                        therein.
                            ``(ii) Confidential letters and statements 
                        of recommendation, which were placed in the 
                        education records prior to January 1, 1975, if 
                        such letters or statements are not used for 
                        purposes other than those for which they were 
                        specifically intended.
                            ``(iii) If the student, while in high 
                        school at any age, has signed a waiver of the 
                        student's right of access in accordance with 
                        subparagraph (B), confidential 
                        recommendations--
                                    ``(I) respecting admission to any 
                                educational agency or institution;
                                    ``(II) respecting an application 
                                for employment; and
                                    ``(III) respecting the receipt of 
                                an honor or honorary recognition.
                    ``(B) Waiver.--
                            ``(i) In general.--A student or a person 
                        applying for admission may waive the right to 
                        access confidential statements described in 
                        subparagraph (A)(ii), except that such waiver 
                        shall apply to recommendations only if--
                                    ``(I) the student is, upon request, 
                                notified of the names of all persons 
                                making confidential recommendations; 
                                and
                                    ``(II) such recommendations are 
                                used solely for the purposes for which 
                                they were specifically intended.
                            ``(ii) Limitations.--A waiver under this 
                        subparagraph may not be required as a condition 
                        for admission to, receipt of financial aid 
                        from, or receipt of any other services or 
                        benefits from such agency or institution.
            ``(3) Adjustments to record.--The educational agency or 
        institution shall provide parents of students who are or have 
        been in attendance at a school of such agency or at such 
        institution an opportunity to--
                    ``(A) challenge and correct the content of the 
                education record that the parent believes is inaccurate 
                or misleading at the time of attendance or otherwise in 
                violation of privacy rights of students through a 
                hearing by such agency or institution, in accordance 
                with the regulations of the Secretary; and
                    ``(B) insert into such education records a written 
                explanation of the parents respecting the content of 
                such records.
            ``(4) Disclosure of records without parental consent.--
        Except as otherwise provided under subsection (c), the 
        educational agency or institution shall not permit the 
        disclosure of education records (or personally identifiable 
        information contained therein) of students without the written 
        consent of their parents to any individual, agency, or 
        organization.
            ``(5) Recordkeeping.--
                    ``(A) In general.--The educational agency or 
                institution shall maintain a record, kept with the 
                education records of each student, in an easy to 
                retrieve and understandable format, which will 
                indicate--
                            ``(i) each individual, agency, or 
                        organization (other than an individual, agency, 
                        or organization specified under subsection (c)) 
                        that has obtained access to a student's 
                        education record maintained by such educational 
                        agency or institution; and
                            ``(ii) specifically the legitimate interest 
                        that each such individual, agency, or 
                        organization has in obtaining such information.
                    ``(B) Availability of records.--Such record of 
                access shall be available only to parents, to the 
                school officials and their assistants who are 
                responsible for the custody of such record of access, 
                and to the Secretary or the designee of the Secretary, 
                as a means of monitoring compliance with this section.
                    ``(C) Written agreements.--The educational agency 
                or institution and the State educational authority 
                shall maintain a copy of and make available to parents, 
                upon request, any written agreements that are required 
                under this section.
            ``(6) Security practices.--The educational agency or 
        institution, and the State educational authority shall--
                    ``(A) establish, implement, and enforce policies 
                and procedures regarding information security practices 
                that--
                            ``(i) serve to protect the education 
                        records (and personally identifiable 
                        information contained therein) held or 
                        maintained by that educational agency or 
                        institution, or State educational authority; 
                        and
                            ``(ii) require any party that is given 
                        access to such education records (or personally 
                        identifiable information contained therein) on 
                        behalf of the educational agency or 
                        institution, or State educational authority, to 
                        have information security practices that serve 
                        to protect such records and information;
                    ``(B) designate an official who shall be 
                responsible for maintaining the security of its 
                education records; and
                    ``(C) establish a breach notification policy in the 
                case of a breach of the security practices under 
                subparagraph (A) or the release of the education 
                records or information contained therein in violation 
                of this section, under which the educational agency or 
                institution, or State educational authority--
                            ``(i) provides notification of the breach 
                        or violation to parents in not less than 3 days 
                        of being made aware of such breach; and
                            ``(ii) works with the third parties 
                        involved with such breach or violation to 
                        gather the information necessary to provide 
                        such notification.
            ``(7) Duty to inform.--The educational agency or 
        institution shall effectively--
                    ``(A) inform the parents of students, or the 
                students (if such students are 18 years of age or 
                older, or are attending an institution of higher 
                education) of the rights accorded them by this section; 
                and
                    ``(B) inform students of high school age of the 
                rights of parents and students under this section, and 
                how those rights transfer from a parent to a student in 
                accordance with paragraph (8).
            ``(8) Transfer of rights.--The educational agency or 
        institution shall ensure that whenever a student has attained 
        18 years of age, or is attending an institution of higher 
        education, the consent required of and the rights accorded to 
        the parents of the student shall thereafter only be required of 
        and accorded to the student.
            ``(9) Ensuring compliance.--The State educational authority 
        shall--
                    ``(A) verify that each educational agency and 
                institution under its jurisdiction--
                            ``(i) has provided the appropriate notices 
                        to parents and students required under this 
                        section in an easy-to-understand format; and
                            ``(ii) is in compliance with the 
                        requirements of this section; and
                    ``(B) certify to the Secretary that each 
                educational agency and institution under its 
                jurisdiction is in compliance with the requirements of 
                this section.''.

SEC. 5. DISCLOSURE OF RECORDS WITHOUT PARENTAL CONSENT.

    (a) In General.--Such section (20 U.S.C. 1232g) is amended by 
striking subsection (c) and inserting the following:
    ``(c) Disclosure of Records Without Parental Consent.--
Notwithstanding subsection (b)(4) and subject to subsection (h), an 
educational agency or institution may permit the disclosure of 
education records (or personally identifiable information contained 
therein) of students without the written consent of their parents to, 
or for, any of the following:
            ``(1) Other school officials, including teachers, within 
        the same educational agency or institution, who have been 
        determined by such agency or institution to have legitimate 
        educational interests, including the educational interests of 
        the child for whom consent would otherwise be required.
            ``(2) An education service provider, contractor, 
        consultant, volunteer, or other party who has been determined 
        by such educational agency or institution to have legitimate 
        educational interests and to whom the educational agency or 
        institution has outsourced institutional services or functions, 
        provided that--
                    ``(A) the party--
                            ``(i) performs an institutional service or 
                        function for which the agency or institution 
                        would otherwise use employees;
                            ``(ii) is under the direct control of the 
                        educational agency or institution with respect 
                        to the use and maintenance of education 
                        records;
                            ``(iii) is in compliance with the 
                        requirements of this section relating to the 
                        use and release of personally identifiable 
                        information contained in such education 
                        records; and
                            ``(iv) has entered into a written agreement 
                        with the educational agency or institution, 
                        subject to the regulations of the Secretary, 
                        that establishes requirements concerning the 
                        protection of the information that will be 
                        disclosed to the party, including--
                                    ``(I) clear provisions outlining 
                                how and what information from the 
                                education records shall be disclosed to 
                                the party and what personally 
                                identifiable information the party will 
                                create in carrying out the party's 
                                duties under the agreement;
                                    ``(II) a description of any 
                                subcontractor or person acting for the 
                                party in carrying out its duties under 
                                the agreement;
                                    ``(III) requirements that prohibit 
                                the party from releasing personally 
                                identifiable information to any other 
                                party, except to a subcontractor or 
                                person acting for the party described 
                                in subclause (II);
                                    ``(IV) clear provisions--
                                            ``(aa) outlining policies 
                                        and practices to ensure that 
                                        education records (including 
                                        personally identifiable 
                                        information contained therein) 
                                        will be secured using commonly 
                                        accepted industry standards, by 
                                        electronic or physical means by 
                                        such party; and
                                            ``(bb) which stipulate that 
                                        such means will secure such 
                                        records and information from 
                                        unauthorized access and that 
                                        such policies and practices 
                                        will be followed;
                                    ``(V) the penalties for a security 
                                breach in violation of the agreement; 
                                and
                                    ``(VI) provisions that specify the 
                                acceptable uses by such party of the 
                                personally identifiable information in 
                                compliance with this section; and
                    ``(B) the educational agency or institution--
                            ``(i) notifies parents and students of the 
                        policies and means the party uses, without 
                        disclosing the specific policies or means used, 
                        to protect the security of personally 
                        identifiable information maintained by the 
                        party; and
                            ``(ii) ensures that--
                                    ``(I) any education records that 
                                are held by the party shall, at a 
                                minimum, be handled and stored in a 
                                manner that meets the commonly accepted 
                                industry standards on privacy 
                                protection; and
                                    ``(II) upon request, a parent is 
                                provided access by the educational 
                                agency or institution to the personally 
                                identifiable information held about 
                                their children by the party to the same 
                                extent and in the same manner as such 
                                access is provided in subsection 
                                (b)(1).
            ``(3) The disclosure of directory information, as so 
        designated by the educational agency or institution under this 
        paragraph, provided that the educational agency or institution 
        which the student attends--
                    ``(A) has implemented a directory information 
                policy, which may include a directory information 
                policy limiting the parties to or purposes for which 
                directory information may be disclosed;
                    ``(B) has given public notice, including an easy-
                to-understand notice to parents of students, of--
                            ``(i) the categories of information which 
                        the agency or institution has designated as 
                        directory information with respect to students 
                        attending the institution or agency; and
                            ``(ii) the right of a parent to opt out of 
                        allowing their child's information to be 
                        disclosed as directory information; and
                    ``(C) has allowed a reasonable period of time after 
                such notice has been given under subparagraph (B), but 
                not less than 15 school days, for a parent to inform 
                the institution or agency that any or all of the 
                information designated as directory information shall 
                not be disclosed without the parent's prior consent.
            ``(4) Officials of another educational agency or 
        institution in which the student seeks or intends to enroll, 
        upon condition that the student's parents be notified of the 
        transfer, receive a copy of the education record if desired, 
        and have an opportunity for a hearing to challenge the content 
        of the record.
            ``(5)(A) An official listed in subparagraph (B) or an 
        authorized representative working for, or on behalf of, such 
        official, subject to the limitations described in this 
        paragraph and subsection (m)(1)(B), and only in connection with 
        and to the extent necessary for--
                    ``(i) the audit, evaluation, or enforcement of 
                local, State, or Federal law;
                    ``(ii) the audit or evaluation of locally 
                supported, State-supported, or federally supported 
                education programs pursuant to local, State, or Federal 
                law; or
                    ``(iii) the enforcement of the Federal or State 
                legal requirements which relate to the programs 
                described in clause (ii).
            ``(B) The following officials are covered by this 
        paragraph:
                    ``(i) The Comptroller of the United States.
                    ``(ii) The Secretary.
                    ``(iii) State or local educational authorities.
                    ``(iv) The Attorney General.
            ``(C) Any data collected by an official listed in 
        subparagraph (B) shall be protected in a manner that will not 
        permit the personal identification of students and their 
        parents by other than such official, and such education records 
        and personally identifiable information in such records shall 
        be destroyed when no longer needed for the audit, evaluation, 
        and enforcement of legal requirements described in clause (i), 
        (ii), or (iii) of subparagraph (A).
            ``(6) Organizations conducting a study for, or on behalf 
        of, an educational agency or institution, provided that--
                    ``(A) such study is conducted in such a manner as 
                will not permit the personal identification of students 
                and their parents by persons other than representatives 
                of such organizations and such personally identifiable 
                information will be destroyed when no longer needed for 
                the purpose of the study;
                    ``(B) the organization has agreed to and has 
                appropriate security that meets the information 
                security requirements of subparagraphs (A) and (C) of 
                subsection (b)(6); and
                    ``(C) the purpose of the study is limited to 
                improving the academic outcomes of students attending 
                that educational agency or institution.
            ``(7) Officials in connection with a student's application 
        for, or receipt of, financial aid.
            ``(8) State and local officials or authorities to whom 
        personally identifiable information in education records is 
        specifically allowed to be reported or disclosed pursuant to a 
        State statute regarding the juvenile justice system.
            ``(9) The Secretary of Agriculture, or the designee of the 
        Secretary from the Food and Nutrition Service acting on behalf 
        of the Food and Nutrition Service, for the purposes of 
        conducting program monitoring, evaluations, and performance 
        measurements of State and local educational and other agencies 
        and institutions receiving funding or providing benefits of 1 
        or more programs authorized under the Richard B. Russell 
        National School Lunch Act (42 U.S.C. 1751 et seq.) or the Child 
        Nutrition Act of 1966 (42 U.S.C. 1771 et seq.) for which the 
        results will be reported in an aggregate form that does not 
        identify any individual, on the conditions that--
                    ``(A) any data collected under this paragraph shall 
                be protected in a manner that will not permit the 
                personal identification of students and their parents 
                by anyone other than the Secretary of Agriculture or 
                the designee of such Secretary;
                    ``(B) any personally identifiable information shall 
                be destroyed when the information is no longer needed 
                for program monitoring, evaluations, or performance 
                measurements; and
                    ``(C) the parents of the student have been notified 
                that the student's education records will be disclosed 
                for the purposes described in this paragraph.
            ``(10) Accrediting organizations in order to carry out 
        their accrediting functions.
            ``(11) Parents of a dependent student of such parents, as 
        defined in section 152 of the Internal Revenue Code of 1986.
            ``(12) In connection with an emergency, appropriate persons 
        if the knowledge of such information is necessary to protect 
        the health or safety of the student or other persons.
            ``(13) Teachers and school officials who have legitimate 
        educational interest in the behavior of the student, including 
        teachers and school officials in another educational agency or 
        institution who need to know information in the education 
        record of a student to protect the safety of their students, if 
        the information concerns disciplinary action taken against a 
        student for conduct that posed a significant risk to the safety 
        or well-being of that student, other students, or other members 
        of the educational agency or institution community.
            ``(14)(A) An agency caseworker or other representative of a 
        State or local child welfare agency, or tribal organization (as 
        defined in section 4 of the Indian Self-Determination and 
        Education Assistance Act (25 U.S.C. 450b)), who has the right 
        to access a foster youth's case plan (as defined and determined 
        by the State or tribal organization), when such agency or 
        organization is legally responsible (in accordance with State 
        or tribal law), for the care and protection of the student in 
        foster care placement, provided that the education records, or 
        the personally identifiable information contained in such 
        records, of the student will not be released by such agency or 
        organization, except to an individual or entity engaged in 
        addressing the student's education needs and authorized by such 
        agency or organization to receive such disclosure, and such 
        disclosure is consistent with the State or tribal laws 
        applicable to protecting the confidentiality of a student's 
        education records.
            ``(B) Nothing in this paragraph shall prevent a State from 
        further limiting the number or type of State or local officials 
        who will continue to have access under this paragraph.''.
    (b) Transfer and Redesignations.--(1) Subsection (b)(1) (20 U.S.C. 
1232g(b)(1)) is amended by moving subparagraph (J) so that it appears 
at the end of subsection (c) (as so amended).
    (2) Subparagraph (J) of subsection (c) (20 U.S.C. 1232g(c)), as 
amended by paragraph (1), is further amended--
            (A) by striking ``(J)(i)'' and inserting ``(15)''; and
            (B) by striking ``(ii)'' and inserting ``(16)''.

SEC. 6. DISCLOSURE OF RECORDS FOR COLLEGE ADMISSIONS, CREDIT, AND AID.

    Subsection (d) (20 U.S.C. 1232g(d)) is amended to read as follows:
    ``(d) Disclosure of Records for College Admissions, Credit, and 
Aid.--
            ``(1) In general.--Records, files, documents, information, 
        or other materials that are collected during or based on the 
        administration of an examination that meets the requirements of 
        paragraph (2) may be used or released by the developer of such 
        examination, provided that--
                    ``(A) such developer is not an educational agency 
                or institution or State educational authority; and
                    ``(B) such records, files, documents, information, 
                or other materials are released by such developer 
                solely for the purposes of college admissions, college 
                placement, college academic credit, or college 
                scholarships to any entity eligible to receive funds 
                under title IV of the Higher Education Act of 1965 (20 
                U.S.C. 1070 et seq.) or any entity that has a 
                legitimate interest in such records, files, documents, 
                information, or other materials to award scholarships 
                to a student for attendance at an institution of higher 
                education.
            ``(2) Examination.--An examination covered under paragraph 
        (1) is an examination that--
                    ``(A) may culminate in academic credit that is 
                widely accepted by institutions of higher education;
                    ``(B) is norm-referenced and used for college 
                admissions or scholarship purposes; or
                    ``(C) is administered by institutions of higher 
                education for purposes of college placement.''.

SEC. 7. RULES OF CONSTRUCTION.

    Subsection (e) (20 U.S.C. 1232g(e)) is amended to read as follows:
    ``(e) Rules of Construction.--
            ``(1) Disciplinary proceedings.--
                    ``(A) In general.--Nothing in this section shall be 
                construed to prohibit an institution of higher 
                education from disclosing--
                            ``(i) to an alleged victim of any crime of 
                        violence (as that term is defined in section 26 
                        of title 18, United States Code), or a 
                        nonforcible sex offense, the final results of 
                        any disciplinary proceeding conducted by such 
                        institution against the alleged perpetrator of 
                        such crime or offense with respect to such 
                        crime or offense; or
                            ``(ii) the final results of any 
                        disciplinary proceeding conducted by such 
                        institution against a student who is an alleged 
                        perpetrator of any crime of violence (as that 
                        term is defined in section 16 of title 18, 
                        United States Code), or a nonforcible sex 
                        offense, if the institution determines as a 
                        result of that disciplinary proceeding that the 
                        student committed a violation of the 
                        institution's rules or policies with respect to 
                        such crime or offense.
                    ``(B) Definition.--For the purpose of this 
                paragraph, the final results of any disciplinary 
                proceeding--
                            ``(i) shall include only the name of the 
                        student, the violation committed, and any 
                        sanction imposed by the institution on that 
                        student; and
                            ``(ii) may include the name of any other 
                        student, such as a victim or witness, only with 
                        the written consent of that other student.
            ``(2) Drug and alcohol disclosures.--
                    ``(A) In general.--Nothing in this Act or the 
                Higher Education Act of 1965 shall be construed to 
                prohibit an institution of higher education from 
                disclosing, to a parent or legal guardian of a student, 
                information regarding any violation of any Federal, 
                State, or local law, or of any rule or policy of the 
                institution, governing the use or possession of alcohol 
                or a controlled substance, regardless of whether that 
                information is contained in the student's education 
                records, if--
                            ``(i) the student is under the age of 21; 
                        and
                            ``(ii) the institution determines that the 
                        student has committed a disciplinary violation 
                        with respect to such use or possession.
                    ``(B) State law regarding disclosure.--Nothing in 
                this paragraph shall be construed to supersede any 
                provision of State law that prohibits an institution of 
                higher education from making the disclosure described 
                in subparagraph (A).
            ``(3) Adam walsh child protection and safety act of 2006.--
                    ``(A) In general.--Nothing in this Act shall be 
                construed to prohibit an educational agency or 
                institution from disclosing information provided to the 
                agency or institution under the Adam Walsh Child 
                Protection and Safety Act of 2006 (42 U.S.C. 16901 et 
                seq.).
                    ``(B) Notification.--The Secretary shall take 
                appropriate steps to notify educational agencies and 
                institutions that disclosure of information described 
                in subparagraph (A) is permitted.''.

SEC. 8. OTHER DISCLOSURES.

    Such section (20 U.S.C. 1232g) is further amended--
            (1) by striking subsection (f); and
            (2) by redesignating subsection (j) as subsection (f).

SEC. 9. MARKETING AND ADVERTISING BAN.

    Subsection (g) (20 U.S.C. 1232g(g)) is amended to read as follows:
    ``(g) Marketing and Advertising Ban.--
            ``(1) General prohibition.--No person with access to an 
        education record or a student's personally identifiable 
        information contained in the education record shall market or 
        otherwise advertise directly to students with the use of the 
        information gained through access to such record or 
        information.
            ``(2) Prohibitions relating to education service 
        providers.--Subject to paragraph (3), an educational agency or 
        institution or State educational authority shall not contract 
        or enter into an agreement with an education service provider 
        that has a policy or practice of using, releasing, or otherwise 
        providing access to personally identifiable information in the 
        education record of a student--
                    ``(A) to advertise or market a product or service; 
                or
                    ``(B) for the development of commercial products or 
                services.
            ``(3) Exceptions.--The prohibitions described in paragraph 
        (2) shall not apply with respect to--
                    ``(A) official school pictures, class rings, 
                yearbooks, or other traditional school-sanctioned 
                commemorative products, events, or activities;
                    ``(B) personally identifiable information which may 
                be used by an education service provider to develop, 
                diagnose, or deliver services to improve a student's 
                academic outcomes or to assist an educational agency or 
                institution to develop, diagnose, or deliver services 
                to improve a student's academic outcomes;
                    ``(C) an educational agency or institution or State 
                educational authority sharing information on 
                educational opportunities offered by such agency, 
                institution, or authority; or
                    ``(D) in a case in which the parent of a student at 
                an educational agency or institution has provided 
                written consent for an educational service provider 
                described in paragraph (2) to carry out the activities 
                described in such paragraph with the personally 
                identifiable information contained in such student's 
                education record.''.

SEC. 10. GENERAL RULES ON DISCLOSURE OR RELEASE OF INFORMATION.

    Subsection (h) (20 U.S.C. 1232g(h)) is amended to read as follows:
    ``(h) General Rules on Disclosure or Release of Information.--
            ``(1) In general.--A disclosure or release of education 
        records or personally identifiable information in such records 
        under this section shall be limited to records or information 
        determined by the appropriate educational agency or institution 
        or State educational authority to be necessary to meet the 
        specific conditions of the permitted disclosures listed under 
        subsection (c).
            ``(2) State or local laws.--A State or local law may 
        further restrict the permitted disclosures or release of 
        information under subsection (c) or provide additional rights 
        to parents with respect to the disclosure of education records 
        (or the personally identifiable information contained 
        therein).''.

SEC. 11. ENFORCEMENT.

    Subsection (i) (20 U.S.C. 1232g(i)) is amended to read as follows:
    ``(i) Enforcement.--
            ``(1) In general.--The Secretary shall take appropriate 
        actions to enforce this section and to address violations of 
        this section, in accordance with this Act, except that action 
        to terminate assistance may be taken only if the Secretary 
        finds there has been a failure to comply with this section, and 
        the Secretary has determined that compliance cannot be secured 
        by voluntary means.
            ``(2) Fines.--
                    ``(A) Educational agencies and institutions.--The 
                Secretary may impose, on an educational agency or 
                institution, or State educational authority, for 
                failure to voluntarily comply with this section or for 
                a substantial violation of this section (which may 
                include a single violation), a fine equal to a minimum 
                of $100 and a maximum of $1,500,000, depending on the 
                severity of the violation, except in no case may such a 
                fine exceed 10 percent of the annual budget of such 
                agency or institution, or authority.
                    ``(B) Other parties.--With respect to a release of 
                an education record or personally identifiable 
                information contained therein, which was made by a 
                party that is not subject to a fine under subparagraph 
                (A), and which violates this section because the 
                release was made without the parental consent required 
                under this section, or in violation of a written 
                agreement entered into under this section or another 
                provision of this section, the Secretary shall--
                            ``(i) refer such violation, and the 
                        supporting material for such violation, to the 
                        Commissioner of the Federal Trade Commission or 
                        the Attorney General for action; and
                            ``(ii) require the educational agency or 
                        institution, or local educational agency or 
                        State educational authority involved to 
                        prohibit access to such personally identifiable 
                        information by such party (or individuals who 
                        worked for or with such party at the time of 
                        such violation) for a period of not less than 
                        5, and not more than 12 years, as determined by 
                        the Secretary.
            ``(3) Distribution of certain monetary penalties 
        collected.--Any monetary penalty or settlement collected under 
        this subsection with respect to an offense punishable under 
        this section shall be transferred to the Secretary to be used 
        for the purposes of providing technical assistance on privacy 
        and security and enforcing the provisions of this section.''.

SEC. 12. COMPLIANCE OFFICE.

    Such section (20 U.S.C. 1232g) is further amended by adding at the 
end the following:
    ``(j) Compliance Office.--
            ``(1) In general.--The Secretary shall establish or 
        designate an office within the Department for the purpose of 
        investigating, processing, reviewing, and adjudicating 
        violations of this section and investigating, processing, 
        reviewing, and adjudicating complaints which may be filed 
        concerning alleged violations of this section. This office 
        shall be the official office within the Department to address 
        privacy concerns in student education records.
            ``(2) Regional offices.--Except for the conduct of 
        hearings, none of the functions of the Secretary under this 
        section shall be carried out in any of the regional offices of 
        such Department.''.

SEC. 13. PROHIBITION ON DATA GATHERING.

    Such section (20 U.S.C. 1232g) (as amended by section 12) is 
further amended by adding at the end the following:
    ``(k) Prohibition on Data Gathering.--No survey or data-gathering 
activities shall be conducted by the Secretary, or an administrative 
head of an education agency under an applicable program, unless such 
activities are authorized by Federal law.''.

SEC. 14. REGULATIONS.

    Such section (20 U.S.C. 1232g) (as amended by section 13) is 
further amended by adding at the end the following:
    ``(l) Regulations.--
            ``(1) In general.--The Secretary, in accordance with this 
        section and section 446, shall adopt appropriate regulations or 
        procedures or identify existing regulations or procedures, 
        which protect the rights of privacy of students and their 
        families in connection with any surveys or data-gathering 
        activities conducted, assisted, or authorized by the Secretary 
        or an administrative head of an education agency and ensure 
        that parents are aware of their rights under those sections.
            ``(2) Contents.--Regulations established under this 
        subsection shall include provisions controlling the use, 
        dissemination, and protection of such data.''.

SEC. 15. DEFINITIONS.

    Such section (20 U.S.C. 1232g) (as amended by section 14) is 
further amended by adding at the end the following:
    ``(m) Definitions.--For purposes of this section:
            ``(1) Authorized representative.--
                    ``(A) In general.--The term `authorized 
                representative' means any individual, agency, or 
                organization--
                            ``(i) who is an employee or contractor 
                        designated by an official listed in subsection 
                        (c)(5)(B) to conduct an activity described in 
                        clause (i), (ii), or (iii) of subsection 
                        (c)(5)(A); and
                            ``(ii) who is under the direct control of 
                        an official listed in subsection (c)(5)(B) with 
                        respect to the use and maintenance of education 
                        records.
                    ``(B) Limitation on release of information.--An 
                authorized representative shall not release to any 
                individual, agency, or organization, any education 
                records or personally identifiable information of a 
                student collected while serving as an authorized 
                representative, except that an authorized 
                representative may release such records or such 
                information in a case in which the authorized 
                representative is in compliance with information 
                security requirements of subparagraphs (A) and (C) of 
                subsection (b)(6), and such representative--
                            ``(i) has written consent from the 
                        student's parents specifying the education 
                        records to be released;
                            ``(ii) releases such records or information 
                        to the official under whom the authorized 
                        representative is an employee or contractor; or
                            ``(iii) releases such records or 
                        information--
                                    ``(I) in compliance with the 
                                publically available, written agreement 
                                specifying the terms of such release 
                                and permitting such release without the 
                                written consent of the student's 
                                parents; and
                                    ``(II) under the approval of the 
                                official under whom such representative 
                                is working as an employee or 
                                contractor.
            ``(2) Directory information.--The term `directory 
        information' includes, with respect to a student, the student's 
        name, address, telephone listing, electronic mail address, date 
        and place of birth, major field of study, grade level, and 
        enrollment status in higher education, dates of attendance, 
        participation in officially recognized activities and sports, 
        weight and height (if the student is a member of an athletic 
        team for an official game program or roster at an educational 
        agency or institution), dates of attendance, degrees, honors 
        and awards received, and the name of the educational agency or 
        institution most recently attended by the student.
            ``(3) Educational agency or institution.--The term 
        `educational agency or institution' means any public or private 
        elementary school or secondary school, local educational 
        agency, or institution of higher education, which is--
                    ``(A) principally engaged in the provision of 
                education, including early childhood education, to 
                students; and
                    ``(B) the recipient of funds under an applicable 
                program.
            ``(4) Education records.--
                    ``(A) In general.--Except as provided in 
                subparagraph (B), the term `education records' means 
                those records, files, documents, and other materials 
                which contain information directly related to a student 
                and are--
                            ``(i) maintained, electronically, 
                        digitally, or physically, by an educational 
                        agency or institution, or by a person acting 
                        for such agency or institution;
                            ``(ii) accessible, collected, used, or 
                        maintained by a party described in subsection 
                        (c)(2) in the course of providing services to a 
                        school official; or
                            ``(iii) created by or for a State 
                        educational authority, without regard to 
                        whether the student who attends a school 
                        subject to this section attends a school under 
                        the jurisdiction of such State educational 
                        authority.
                    ``(B) Limitations.--The term `education records' 
                does not include--
                            ``(i) records of instructional, 
                        supervisory, and administrative personnel and 
                        educational personnel ancillary thereto which 
                        are not created in conjunction with the student 
                        and are in the sole possession of the maker 
                        thereof and which are not accessible or 
                        revealed to any other person;
                            ``(ii) records maintained by a law 
                        enforcement unit of the educational agency or 
                        institution that were created by that law 
                        enforcement unit for the purpose of law 
                        enforcement;
                            ``(iii) in the case of persons who are 
                        employed by an educational agency or 
                        institution but who are not in attendance at 
                        such agency or institution, records made and 
                        maintained in the normal course of business 
                        which relate exclusively to such person in that 
                        person's capacity as an employee and are not 
                        available for use for any other purpose; or
                            ``(iv) records on a student who is 18 years 
                        of age or older, or is attending an institution 
                        of higher education, which are made or 
                        maintained by a physician, psychiatrist, 
                        psychologist, or other recognized professional 
                        or paraprofessional acting in his professional 
                        or paraprofessional capacity, or assisting in 
                        that capacity, and which are made, maintained, 
                        or used only in connection with the provision 
                        of treatment to the student, and are not 
                        available to anyone other than the student (if 
                        showing the student the records would not be 
                        detrimental to the student or others) or 
                        persons providing such treatment, except that 
                        such records can be personally reviewed by a 
                        physician or other appropriate professional of 
                        the student's choice.
                    ``(C) Maintain.--The term `maintain' when used with 
                respect to an education record, means keeping, 
                retaining, conserving, or preserving such education 
                record, in any manner, whether physically, 
                electronically or digitally, for any non-trivial length 
                of time, except that student tests and papers that are 
                peer-graded are not maintained until such tests or 
                papers are turned into or collected by the teacher or 
                other school official involved.
            ``(5) Education service provider.--The term `education 
        service provider' means any provider, other than a school 
        official or employee, of services developed and targeted to 
        students for an educational purpose, whether specifically 
        marketed to schools, institutions of higher education, 
        educational agency or institution employees or officers, or 
        other individuals primarily engaged in the provision of 
        education services.
            ``(6) ESEA terms.--The terms `elementary school', 
        `secondary school', and `local educational agency' have the 
        meanings given such terms in section 9101 of the Elementary and 
        Secondary Education Act of 1965 (20 U.S.C. 7801).
            ``(7) Institution of higher education.--The term 
        `institution of higher education' has the meaning given the 
        term in section 102 of the Higher Education Act of 1965 (20 
        U.S.C. 1002).
            ``(8) Personally identifiable information.--The term 
        `personally identifiable information' means--
                    ``(A) any information (such as a student's name, 
                Social Security number, email address, or parent's 
                name), or compilation of information, in electronic, 
                digital, or paper form that, alone or in combination, 
                is linked or linkable to a specific student that would 
                allow a reasonable person in the school community, who 
                does not have personal knowledge of the relevant 
                circumstances, to identify the student with reasonable 
                certainty;
                    ``(B) biometric information, including any record 
                of one or more measurable biological or behavioral 
                characteristics that may be used for automated 
                recognition of a student, such as fingerprints, retina 
                and iris patterns, voiceprints, DNA sequence, facial 
                characteristics, and handwriting; or
                    ``(C) information in an education record requested 
                by a person who an educational agency or institution 
                reasonably believes knows the identity of the student 
                to whom the education record relates.
            ``(9) State educational authority.--The term `State 
        educational authority' means a State agency or other entity in 
        charge of the education programs of a State.
            ``(10) Student.--The term `student' includes any person 
        with respect to whom an educational agency or institution 
        maintains education records or personally identifiable 
        information, but does not include a person who has not been in 
        attendance at such agency or institution.''.

SEC. 16. CONFORMING AMENDMENT.

    Section 446(a) of the General Education Provisions Act (20 U.S.C. 
1232i(a)) is amended by striking ``444(b)(1)(D)'' and inserting 
``444(c)(7)''.

SEC. 17. FERPA REGULATIONS.

    The definition of the terms ``early childhood education program'' 
and ``education program'' in section 99.3 of title 34, Code of Federal 
Regulations, are repealed and shall have no legal effect.
                                 <all>