[Federal Register Volume 73, Number 57 (Monday, March 24, 2008)]
[Proposed Rules]
[Pages 15574-15602]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-5790]



-----------------------------------------------------------------------

Part II





Department of Education





-----------------------------------------------------------------------



34 CFR Part 99



Family Educational Rights and Privacy; Proposed Rule

-----------------------------------------------------------------------

DEPARTMENT OF EDUCATION

34 CFR Part 99

RIN 1855-AA05
[Docket ID ED-2008-OPEPD-0002]


Family Educational Rights and Privacy

AGENCY: Office of Planning, Evaluation, and Policy Development, 
Department of Education.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Secretary proposes to amend the regulations governing 
education records maintained by educational agencies and institutions 
under section 444 of the General Education Provisions Act, which is 
also known as the Family Educational Rights and Privacy Act of 1974, as 
amended (FERPA). These proposed regulations are needed to implement 
amendments to FERPA contained in the USA Patriot Act and the Campus Sex 
Crimes Prevention Act, to implement two U.S. Supreme Court decisions 
interpreting FERPA, and to make necessary changes identified as a 
result of the Department's experience administering FERPA and current 
regulations. These changes would clarify permissible disclosures to 
parents of eligible students and conditions that apply to disclosures 
in health and safety emergencies; clarify permissible disclosures of 
student identifiers as directory information; allow disclosures to 
contractors and other outside parties in connection with the 
outsourcing of institutional services and functions; revise the 
definitions of attendance, disclosure, education records, personally 
identifiable information, and other key terms; clarify permissible 
redisclosures by State and Federal officials; and update investigation 
and enforcement provisions.

DATES: We must receive your comments on or before May 8, 2008.

ADDRESSES: Submit your comments through the Federal eRulemaking Portal 
or via postal mail, commercial delivery, or hand delivery. We will not 
accept comments by fax or by e-mail. Please submit your comments only 
one time, in order to ensure that we do not receive duplicate copies. 
In addition, please include the Docket ID at the top of your comments.
    Federal eRulemaking Portal: Go to http://www.regulations.gov. Under 
``Search Documents'' go to ``Optional Step 2'' and select ``Department 
of Education'' from the agency drop-down menu; then click ``Submit.'' 
In the Docket ID column, select ED-2008-OPEPD-0002 to add or view 
public comments and to view supporting and related materials available 
electronically. Information on using Regulations.gov, including 
instructions for submitting comments, accessing documents, and viewing 
the docket after the close of the comment period, is available through 
the site's ``User Tips'' link.
    Postal Mail, Commercial Delivery, or Hand Delivery. If you mail or 
deliver your comments about these proposed regulations, address them to 
LeRoy S. Rooker, U.S. Department of Education, 400 Maryland Avenue, 
SW., room 6W243, Washington, DC 20202-5920.

    Privacy Note: The Department's policy for comments received from 
members of the public (including those comments submitted by mail, 
commercial delivery, or hand delivery) is to make these submissions 
available for public viewing in their entirety on the Federal 
eRulemaking Portal at http://www.regulations.gov. Therefore, 
commenters should be careful to include in their comments only 
information that they wish to make publicly available on the 
Internet.


FOR FURTHER INFORMATION CONTACT: Frances Moran, U.S. Department of 
Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 
20202-8250. Telephone: (202) 260-3887.
    If you use a telecommunications device for the deaf (TDD), you may 
call the Federal Relay Service (FRS) at 1-800-877-8339.
    Individuals with disabilities may obtain this document in an 
alternative format (e.g., Braille, large print, audiotape, or computer 
diskette) on request to the contact person listed under FOR FURTHER 
INFORMATION CONTACT.

Invitation To Comment

    We invite you to submit comments and recommendations regarding 
these proposed regulations. To ensure that your comments have maximum 
effect in developing the final regulations, we urge you to identify 
clearly the specific section or sections of the proposed regulations 
that each of your comments addresses and to arrange your comments in 
the same order as the proposed regulations.
    We invite you to assist us in complying with the specific 
requirements of Executive Order 12866 and its overall requirement of 
reducing regulatory burden that might result from these proposed 
regulations. Please let us know of any further opportunities we should 
take to reduce potential costs or increase potential benefits while 
preserving the effective and efficient administration of the program.
    During and after the comment period, you may inspect all public 
comments about these proposed regulations in room 6W243, 400 Maryland 
Avenue, SW., Washington, DC, between the hours of 8:30 a.m. and 4 p.m. 
Eastern time, Monday through Friday of each week except Federal 
holidays. Public comments may also be inspected at www.regulations.gov.

Assistance to Individuals With Disabilities in Reviewing the Rulemaking 
Record

    On request, we will supply an appropriate aid to an individual with 
a disability who needs assistance to review the comments or other 
documents in the public rulemaking record for these proposed 
regulations. If you want to schedule an appointment for this type of 
aid, please contact the person listed under FOR FURTHER INFORMATION 
CONTACT.

Background

    These proposed regulations would implement section 507 of the 
Uniting and Strengthening America by Providing Appropriate Tools 
Required to Intercept and Obstruct Terrorism (USA Patriot Act) of 2001 
(Pub. L. 107-56), enacted Oct. 26, 2001, and the Campus Sex Crimes 
Prevention Act, section 1601(d) of the Victims of Trafficking and 
Violence Protection Act of 2000 (Pub. L. 106-386), enacted Oct. 28, 
2000, both of which amended FERPA. The proposed regulations also would 
implement the U.S. Supreme Court's decisions in Owasso Independent 
School Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso) and 
Gonzaga University v. Doe, 536 U.S. 273 (2002) (Gonzaga). Finally, the 
proposed regulations respond to changes in information technology and 
address other issues identified through the Department's experience 
administering FERPA, including the need to clarify how postsecondary 
institutions may share information with parents and other parties in 
light of the tragic events at Virginia Tech in April 2007. The 
Department has developed these proposed regulations in accordance with 
its ``Principles for Regulating,'' which are intended to ensure that 
the Department regulates in the most flexible, equitable, and least 
burdensome way possible. These proposed regulations seek to provide the 
greatest flexibility to State and local governments and schools while 
ensuring that personally identifiable information about students 
remains protected from unauthorized disclosure.

Technical Corrections

    The proposed regulations correct Sec.  99.33(e) by adding the 
statutory language ``outside the educational agency or institution'' after the 
words ``third party'' in the first sentence. They also correct an error 
in the section number cited in Sec.  99.34(a)(1)(ii).

Significant Proposed Regulations

    We discuss substantive issues under the sections of the proposed 
regulations to which they pertain. Generally, we do not address 
proposed regulatory provisions that are technical or otherwise minor in 
effect.

1. Definitions (Sec.  99.3)

Attendance
    Statute: 20 U.S.C. 1232g(a)(6) defines the term student as any 
person with respect to whom an educational agency or institution 
maintains education records or personally identifiable information but 
does not include a person who has not been in attendance at such agency 
or institution. The statute does not define attendance.
    Current Regulations: As defined in the current regulations, the 
term attendance includes attendance in person or by correspondence, and 
the period during which a person is working under a work-study program. 
The current definition does not address the status of distance learners 
who are taught through the use of electronic information and 
telecommunications technologies.
    Proposed Regulations: The proposed regulations in Sec.  99.3 would 
add attendance by videoconference, satellite, Internet, or other 
electronic information and telecommunications technologies for students 
who are not physically present in the classroom.
    Reasons: The proposed regulations are needed to clarify that 
students who are not physically present in the classroom may attend an 
educational agency or institution not only through traditional 
correspondence courses but through advanced electronic information and 
telecommunications technologies used for distance education, such as 
videoconferencing, satellite, and Internet-based communications.

Directory Information
    Statute: 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2) allows 
disclosure without consent of information such as a student's name and 
address, telephone listing, date and place of birth, major field of 
study, etc., defined as directory information, provided that specified 
notice and opt out conditions have been met.
    Current Regulations: Directory information is defined in Sec.  99.3 
as information contained in an education record of a student that would 
not generally be considered harmful or an invasion of privacy if 
disclosed, and includes information listed in FERPA (e.g., a student's 
name and address, telephone listing) as well as other information, such 
as a student's electronic mail (e-mail) address, enrollment status, and 
photograph. Current regulations do not specify whether a student's 
Social Security Number (SSN), official student identification (ID) 
number, or personal identifier for use in electronic systems may be 
designated and disclosed as directory information.
    Proposed Regulations: The proposed regulations would provide that 
an educational agency or institution may not designate as directory 
information a student's SSN or other student ID number. However, 
directory information may include a student's user ID or other unique 
identifier used by the student to access or communicate in electronic 
systems, but only if the electronic identifier cannot be used to gain 
access to education records except when used in conjunction with one or 
more factors that authenticate the student's identity, such as a 
personal identification number (PIN), password, or other factor known 
or possessed only by the student.
    Reasons: SSNs and other student ID numbers are personal identifiers 
that are typically used for identification purposes in order to 
establish an account, gain access to or confirm private information, 
obtain services, etc. The proposed regulations are needed to ensure 
that educational agencies and institutions do not disclose these 
identifiers as directory information, or include them with other 
personally identifiable information that may be disclosed as directory 
information, because SSNs and other student ID numbers can be used to 
impersonate the owner of the number and obtain information or services 
by fraud. The proposed regulations are also needed to clarify that 
unique personal identifiers used for electronic communications may be 
disclosed as directory information under certain conditions.
    Names and addresses are personal identifiers (and personally 
identifiable information under Sec.  99.3) that have always been 
available for disclosure as directory information under FERPA because 
they are generally known to others and often appear in public 
directories outside the school context. (It is precisely because names 
and addresses are widely available that they may not be used to 
authenticate identity, as discussed below in connection with proposed 
Sec.  99.31(c).) SSNs and other student ID numbers are also personal 
identifiers and personally identifiable information under Sec.  99.3. 
Unlike names and addresses, SSNs and other student ID numbers are 
typically used to obtain a variety of non-public information about an 
individual, such as employment, credit, financial, health, motor 
vehicle, and educational information, that would be harmful or an 
invasion of privacy if disclosed. An SSN or other student ID number can 
also be used in conjunction with commonly available information, such 
as name, address, and date of birth, to establish fraudulent accounts 
and otherwise impersonate an individual. As a result, under the 
proposed regulations, SSNs and other student ID numbers may not be 
designated and disclosed as directory information.
    Educational agencies and institutions have reported to us that in 
addition to needing a traditional student ID number (or SSN used as a 
student ID number), they need to identify or assign to students a 
unique electronic identifier that can be made available publicly. 
(Names are generally not appropriate for these purposes because they 
may not be unique to the population.) Unique electronic identifiers are 
needed, for example, for students to be able to use portals or single 
sign-on approaches to student information systems that provide access 
to class registration, academic records, library resources, and other 
student services. Much of the directory-based software used for these 
systems, as well as protocols for electronic collaboration by students 
and teachers within and among institutions, essentially cannot function 
without making an individual's user ID or other electronic identifier 
publicly available in these kinds of systems.
    Some systems, for example, require users to log on with their 
e-mail address or other published user name or account ID. (Note that a 
student's e-mail address was added to the regulatory definition of 
directory information in the final regulations published on July 6, 
2000 (65 FR 41852, 41855).) Public key infrastructure (PKI) technology 
for encryption and digital signatures also requires wide dissemination 
of the sender's public key. These are the types of circumstances in 
which educational agencies and institutions may need to publish or 
disclose a student's unique electronic identifier.
    The proposed regulations would permit disclosure of a student's 
user ID or other electronic identifier as directory information, but 
only if the identifier functions essentially as a name; that is, the 
identifier is not used by itself to authenticate identity and cannot be 
used by itself to gain access to education records. A unique electronic 
identifier disclosed as directory information may be used to provide 
access to the student's education records, but only when combined with 
other factors known only to the authorized user (student, parent, or 
school official), such as a secret password or PIN, or some other 
method to authenticate the user's identity and ensure that the user is, 
in fact, a person authorized to access the records.
    Note that eligible students and parents have a right under FERPA to 
opt out of directory information disclosures and refuse to allow the 
student's e-mail address, user ID or other electronic identifier to be 
disclosed as directory information (except as provided in proposed 
Sec.  99.37(c), discussed elsewhere in this document). This is similar 
to a decision not to participate in an institution's paper-based 
student directory, yearbook, commencement program, etc. In these cases, 
the student or parent will not be able to take advantage of the 
services, such as portals for class registration, academic records, 
etc., provided solely through the electronic communications or software 
that require public disclosure of the student's unique electronic 
identifier.

Disclosure
    Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provides that an 
educational agency or institution subject to FERPA may not have a 
policy or practice of releasing, permitting the release of, or 
providing access to personally identifiable information from education 
records without prior written consent.
    Current Regulations: The regulations in Sec.  99.3 define the term 
disclosure to mean permitting access to or the release, transfer, or 
other communication of personally identifiable information from 
education records to any party by any means. The regulations do not 
address issues relating to the return of records to the party that 
provided or created them.
    Proposed Regulations: The proposed regulations would exclude from 
the definition of disclosure the release or return of an education 
record, or personally identifiable information from an education 
record, to the party identified as the party that provided or created 
the record. This would allow an educational agency or institution 
(School B) to send a transcript, letter of recommendation, or other 
record that appears to have been falsified back to the institution or 
school official identified as the creator or sender of the record 
(School A) for confirmation of its status as an authentic record. 
School A may confirm or deny that the record is accurate and send the 
correct version back to School B under Sec.  99.31(a)(2), which allows 
an institution to disclose education records without prior written 
consent to an institution in which the student seeks or intends to 
enroll, or is already enrolled.
    The proposed regulations would also permit a State or local 
educational authority or other entity to redisclose education records 
or personally identifiable information from education records, without 
consent, to the school district, institution, or other party that 
provided the records or information.
    Reasons: School officials have reported to the Department that they 
are receiving with more frequency what appear to be falsified 
transcripts, letters of recommendation, and other information about 
students from educational agencies and institutions. The proposed 
amendment is needed to verify the accuracy of this type of information 
and to ensure that the privacy protections in FERPA are not used to 
shield or prevent detection of fraud.
    Several State educational agencies (SEAs) that maintain 
consolidated student records systems have also expressed uncertainty 
whether they may allow a local school district to obtain access to 
personally identifiable information from education records provided to 
the SEA by that district. The amendment is needed to clarify that SEAs 
and other parties that maintain education records provided by school 
districts and other educational agencies and institutions may allow a 
party to obtain access to the specific records and information that the 
party provided to the consolidated student records system.

Education Records
    Statute: 20 U.S.C. 1232g(a)(4) provides a broad, general definition 
of education records that includes all records that are directly 
related to a student and maintained by an educational agency or 
institution. Student, in turn, is defined in 20 U.S.C. 1232g(a)(6) to 
exclude individuals who have not been in attendance at the agency or 
institution.
    Current Regulations: The definition of education records in Sec.  
99.3 excludes records that only contain information about an individual 
after he or she is no longer a student.
    Proposed Regulations: The proposed regulations would clarify that, 
with respect to former students, the term education records excludes 
records that are created or received by the educational agency or 
institution after an individual is no longer a student in attendance 
and are not directly related to the individual's attendance as a 
student.
    Reasons: Institutions have told us that there is some confusion 
about the provision in the definition of education records that 
excludes certain alumni records from the definition. Some schools have 
mistakenly interpreted this provision to mean that any record created 
or received after a student is no longer enrolled is not an education 
record under FERPA. The proposed regulations are needed to clarify that 
the exclusion is intended to cover records that concern an individual 
or events that occur after the individual is no longer a student in 
attendance, such as alumni activities. The exclusion is not intended to 
cover records that are created and matters that occur after an 
individual is no longer in attendance but that are directly related to 
his or her previous attendance as a student, such as a settlement 
agreement that concerns matters that arose while the individual was in 
attendance as a student.
    Statute: The statute does not address peer-grading practices in 
relation to FERPA requirements.
    Current Regulations: The definition of education records includes 
records that are maintained by an educational agency or institution, or 
a party acting for the educational agency or institution, but does not 
provide any guidance on the status of student-graded tests and 
assignments before they have been collected and recorded by a teacher.
    Proposed Regulations: Proposed regulations in Sec.  99.3 would 
clarify that peer-graded papers that have not been collected and 
recorded by a teacher are not considered maintained by an educational 
agency or institution and, therefore, are not education records under 
FERPA.
    Reasons: The proposed regulations are needed to implement the U.S. 
Supreme Court's decision on peer-graded papers in Owasso. ``Peer-grading'' 
refers to a common educational practice in which students 
exchange and grade one another's papers and then either call out the 
grade or turn in the work to the teacher for recordation. In Owasso, 
the Court held that this practice does not violate FERPA because ``the 
grades on students' papers would not be covered under FERPA at least 
until the teacher has collected them and recorded them in his or her 
grade book.'' Owasso, 534 U.S. at 436.

Personally Identifiable Information
    Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an 
educational agency or institution may not have a policy or practice of 
permitting the release of or providing access to education records or 
any personally identifiable information other than directory 
information in education records without prior written consent except 
in accordance with statutory exceptions.
    Current Regulations: The term personally identifiable information 
is defined in Sec.  99.3 to include the student's name and other 
personal identifiers, such as the student's social security number or 
student number. Current regulations also include indirect identifiers, 
such as the name of the student's parent or other family members; the 
address of the student or the student's family; and personal 
characteristics or other information that would make the student's 
identity easily traceable.
    Proposed Regulations: The proposed regulations would add biometric 
record to the list of personal identifiers and add other indirect 
identifiers, such as date and place of birth and mother's maiden name, 
to the list of personally identifiable information. The regulations 
would remove language about personal characteristics and other 
information that would make the student's identity easily traceable and 
provide instead that personally identifiable information includes other 
information that, alone or in combination, is linked or linkable to a 
specific student that would allow a reasonable person in the school or 
its community, who does not have personal knowledge of the relevant 
circumstances, to identify the student with reasonable certainty. 
Personally identifiable information would also include information 
requested by a person who the educational agency or institution 
reasonably believes has direct, personal knowledge of the identity of 
the student to whom the education record directly relates.
    Reasons: See the discussion of proposed regulations adding a new 
Sec.  99.31(b) for de-identified education records elsewhere in this 
document.

State Auditor
    Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) allows an 
educational agency or institution to disclose personally identifiable 
information from education records, without prior written consent, to 
State and local educational authorities and officials for the audit or 
evaluation of Federal or State supported education programs, or for the 
enforcement of or compliance with Federal legal requirements that 
relate to those programs.
    Current Regulations: The current regulations do not address the 
disclosure of education records to State auditors.
    Proposed Regulations: The proposed regulations in Sec.  99.3 would 
define State auditor as a party under any branch of government with 
authority and responsibility under State law for conducting audits. We 
propose to add a new paragraph (a)(2) to Sec.  99.35 to clarify that 
State auditors that are not State or local educational authorities may 
have access to education records in connection with an audit of Federal 
or State supported education programs.
    Reasons: 20 U.S.C. 1232g(b)(3) (section (b)(3) of the statute) 
allows disclosure of education records without consent to ``State 
educational authorities'' for audit and evaluation purposes. According 
to the legislative history of FERPA, section (b)(5) of the statute, 
which allows disclosure of education records without consent to ``State 
and local educational officials'' for audit and evaluation purposes, 
was added in 1979 to ``correct an anomaly'' in which the existing 
exception in section (b)(3) was interpreted to preclude State auditors 
from obtaining records in order to conduct State audits of local and 
State-supported programs.
    See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 (1979), 
reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824. The amended 
statutory language in section (b)(5) is ambiguous, however, because it 
does not actually mention State auditors and, like section (b)(3), 
refers only to educational officials. Over the years several States 
have questioned whether this exception includes audits conducted by 
legislative branch officials and other parties that may not be 
considered educational authorities or officials.
    The regulations are needed to clarify that State auditors may 
receive personally identifiable information from education records, 
without prior written consent, even if they are not considered State or 
local educational authorities or officials, provided that they are 
auditing a Federal or State supported education program. We are 
interested in receiving comments about whether the definition needs to 
cover local auditors as well. The exception for disclosure of education 
records to State auditors is narrowly limited to audits (defined in 
proposed Sec.  99.35 as testing compliance with applicable laws, 
regulations, and standards) and does not include the broader concept of 
evaluations, for which disclosure of education records remains limited 
to educational authorities or officials.

2. Disclosures to Parents of Eligible Students (Sec. Sec.  99.5, 99.36)

Section 99.5(a) (Rights of Students)
    Statute: 20 U.S.C. 1232g(d) provides that once a student reaches 18 
years of age or attends a postsecondary institution, all rights 
accorded to parents under FERPA, and the consent required to disclose 
education records, transfer from the parents to the student. Under 20 
U.S.C. 1232g(b)(1)(H), an educational agency or institution may 
disclose personally identifiable information from an education record 
without meeting FERPA's written consent requirement to parents of a 
dependent student as defined in 26 U.S.C. 152. Under 20 U.S.C. 
1232g(i), an institution of higher education may disclose personally 
identifiable information from an education record, without meeting 
FERPA's written consent requirement, to a parent or legal guardian of a 
student information regarding the student's violation of any Federal, 
State or local law, or any rule or policy of the institution governing 
the use or possession of alcohol or a controlled substance if the 
student is under the age of 21 and the institution determines that the 
student has committed a disciplinary violation with respect to such use 
or possession. Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or 
institution may disclose personally identifiable information from an 
education record, without meeting FERPA's written consent requirement, 
to appropriate persons in connection with an emergency if the knowledge 
of such information is necessary to protect the health or safety of the 
student or other persons.
    Current Regulations: Section 99.3 defines an eligible student as a 
student who has reached 18 years of age or attends a postsecondary 
institution. Section 99.5(a) states that rights accorded to parents, 
and consent required of parents, to disclose education records under 
FERPA transfer from parents to a student when the student meets the 
definition of an eligible student.
    Section 99.31(a)(8) provides that an educational agency or 
institution may disclose personally identifiable information from 
education records without consent to parents of a dependent student as 
defined in section 152 of the Internal Revenue Code of 1986. Under 
Sec.  99.31(a)(15) written consent is not required, regardless of 
dependency status, to disclose to a parent of a student at an 
institution of postsecondary education 
information regarding the student's violation of any Federal, State or 
local law, or of any rule or policy of the institution, governing the 
use or possession of alcohol or a controlled substance if the 
institution determines that the student has committed a disciplinary 
violation with respect to that use or possession and the student is 
under the age of 21 at the time of the disclosure to the parent.
    Section 99.31(a)(10) provides that an educational agency or 
institution may disclose personally identifiable information from 
education records without consent if the disclosure is in connection 
with a health or safety emergency under the conditions described in 
Sec.  99.36. Section 99.36 provides that an educational agency or 
institution may disclose personally identifiable information from an 
education record to appropriate parties in connection with an emergency 
if knowledge of the information is necessary to protect the health or 
safety of the student or other individuals.
    Proposed Regulations: The proposed regulations in Sec.  99.5 
clarify that even after a student has become an eligible student, an 
educational agency or institution may disclose education records to the 
student's parents, without the consent of the eligible student, if the 
student is a dependent for Federal income tax purposes (Sec.  
99.31(a)(8)); in connection with a health or safety emergency (Sec.  
99.31(a)(10)); if the student is under the age of 21 and has violated 
an institutional rule or policy governing the use or possession of 
alcohol or a controlled substance (Sec.  99.31(a)(15)); and if the 
disclosure falls within any other exception to the consent requirement 
in Sec.  99.31(a) of the regulations, such as the disclosure of 
directory information or in compliance with a court order or lawfully 
issued subpoena. The proposed regulations in Sec.  99.36(a) would 
clarify that an eligible student's parents are appropriate parties to 
whom an educational agency or institution may disclose personally 
identifiable information from education records without consent in a 
health or safety emergency.
    Reasons: The Secretary is concerned that some institutions are 
under the mistaken impression that FERPA prevents them from providing 
parents with any information about a college student. The proposed 
regulations are needed to clarify that FERPA contains exceptions to the 
written consent requirement that permit colleges and other educational 
agencies and institutions to disclose personally identifiable 
information from education records to parents of certain eligible 
students whether or not the student consents.
    Section 99.31(a)(8) permits an educational agency or institution to 
disclose education records, without consent, to either parent if at 
least one of the parents has claimed the student as a dependent on the 
parent's most recent tax return. Because many college students (and 18-
year-old high school students) are tax dependents of their parents, 
this provision allows these institutions to disclose information from 
education records to the students' parents without meeting the written 
consent requirements in Sec.  99.30. (Institutions must first determine 
that a parent has claimed the student as a dependent on the parent's 
Federal income tax return. Institutions can determine that a parent 
claimed a student as a dependent by asking the parent to submit a copy 
of the parent's most recent Federal tax return. Institutions can also 
rely on a student's assertion that he or she is not a dependent unless 
the parent provides contrary evidence.)
    The proposed regulations are also needed to clarify that colleges 
and other institutions may disclose information from education records 
to an eligible student's parents, without consent, under Sec.  
99.31(a)(15) if the institution has determined that the student has 
violated Federal, State, or local law or an institution's rules or 
policies governing alcohol or substance abuse (provided the student is 
under 21 years of age), and in connection with a health or safety 
emergency under Sec. Sec.  99.31(a)(10) and 99.36 (regardless of the 
student's age) if the information is needed to protect the health or 
safety of the student or other individuals. These exceptions apply 
whether or not the student is a dependent of a parent for tax purposes. 
These proposed regulations would clarify the Department's policy with 
respect to an agency's or institution's disclosure of information from 
education records to parents under the health and safety emergency 
exception and do not represent a change in the Department's 
interpretation of who may qualify as an appropriate party under the 
health or safety emergency exception to the consent requirement. While 
institutions may choose to follow a policy of not disclosing education 
records to parents of eligible students in these circumstances, FERPA 
does not mandate such a policy.

3. Authorized Disclosure of Education Records Without Prior Written 
Consent (Sec.  99.31)

Section 99.31(a)(1) (School Officials) Outsourcing
    Statute: 20 U.S.C. 1232g(a)(4)(A) defines education records to 
include records maintained by an educational agency or institution or 
by ``a person acting for'' the agency or institution. Under 20 U.S.C. 
1232g(b)(1)(A), an educational agency or institution may allow teachers 
and other school officials within the institution or agency, without 
prior written consent, to obtain access to education records if the 
institution or agency has determined that they have legitimate 
educational interests in the information.
    Current Regulations: Section 99.31(a)(1) allows disclosure of 
personally identifiable information from education records without 
consent to school officials, including teachers, within the agency or 
institution if the educational agency or institution has determined 
that they have legitimate educational interests in the information. An 
educational agency or institution that discloses information under this 
exception must specify in its annual notification of FERPA rights under 
Sec.  99.7(a)(3)(iii) the criteria it uses to determine who constitutes 
a school official and what constitutes legitimate educational 
interests. The recordkeeping requirements in Sec.  99.32(d) do not 
apply to disclosures to school officials with legitimate educational 
interests. Current regulations do not address disclosure of education 
records without consent to contractors, consultants, volunteers, and 
other outside parties providing institutional services and functions or 
otherwise acting for an agency or institution.
    Proposed Regulations: The proposed regulations in Sec.  
99.31(a)(1)(i)(B) would expand the school official exception to include 
contractors, consultants, volunteers, and other outside parties to whom 
an educational agency or institution has outsourced institutional 
services or functions that it would otherwise use employees to perform. 
The outside party who obtains access to education records without 
consent must be under the direct control of the agency or institution 
and subject to the same conditions governing the use and redisclosure 
of education records that apply to other school officials under Sec.  
99.33(a) of the regulations. These proposed regulations supersede 
previous technical assistance guidance issued by the Family Policy 
Compliance Office (Office) regarding disclosure of

[[Page 15579]]

education records without consent to parties acting for an educational 
agency or institution.
    Educational agencies and institutions that outsource institutional 
services and functions must comply with the annual FERPA notification 
requirements under the current regulations in Sec.  99.7(a)(3)(iii) by 
specifying their contractors, consultants, and volunteers as school 
officials retained to provide various institutional services and 
functions. Failure to comply with the notice requirements for school 
officials in Sec.  99.7(a)(3)(iii) is not excused by recording the 
disclosure under Sec.  99.32. (We note that under current regulations 
disclosures to school officials under Sec.  99.31(a)(1) are 
specifically excluded from the recordation requirements under Sec.  
99.32(d).) As a result, an educational agency or institution that has 
not included contractors and other outside service providers as school 
officials with legitimate educational interests in its annual FERPA 
notification may not disclose any personally identifiable information 
from education records to these parties until it has complied with the 
notice requirements in Sec.  99.7(a)(3)(iii).
    Educational agencies and institutions are responsible for their 
outside service providers' failures to comply with applicable FERPA 
requirements. The agency or institution must ensure that the outside 
party does not use or allow anyone to obtain access to personally 
identifiable information from education records except in strict 
accordance with the requirements established by the educational agency 
or institution that discloses the information.
    All outside parties serving as school officials are subject to 
FERPA's restrictions on the use and redisclosure of personally 
identifiable information from education records. These restrictions 
include current provisions in Sec.  99.33(a), which requires an 
educational agency or institution that discloses personally 
identifiable information from education records to do so only on the 
condition that the recipient, including a teacher or other school 
official, will use the information only for the purpose for which the 
disclosure was made and will not redisclose the information to any 
other party without the prior consent of the parent or eligible student 
unless the educational agency or institution has authorized the 
redisclosure under a FERPA exception and the agency or institution 
records the subsequent disclosure in accordance with the requirements 
in Sec.  99.32(b).
    For example, under the proposed regulations, a party that contracts 
with an educational agency or institution to provide enrollment and 
degree verification services must ensure that only individuals with 
legitimate educational interests obtain access to personally 
identifiable information from education records maintained on behalf of 
the agency or institution. In accordance with current regulations at 
Sec.  99.33(b), a contractor may not redisclose personally identifiable 
information without prior written consent unless the educational agency 
or institution has authorized the redisclosure under a FERPA exception 
and the agency or institution records the subsequent disclosure in 
accordance with the requirements in Sec.  99.32(b). Like other school 
officials, contractors and other outside parties who provide 
institutional services may not decide unilaterally to redisclose 
personally identifiable information from education records, even in 
circumstances that would comply with an exception in Sec.  99.31(a).
    Additionally, records directly related to a student that are 
maintained by a party acting for an educational agency or institution 
are education records subject to all FERPA requirements. This includes 
any new student records created under an outsourcing agreement that are 
maintained by the outside service provider.
    Reasons: The proposed regulations are needed to resolve uncertainty 
about the specific conditions under which educational agencies and 
institutions may disclose personally identifiable information from 
education records, without prior written consent, to contractors, 
consultants, volunteers, and other outside parties performing 
institutional services or functions. While there is no explicit 
statutory exception to the prior written consent requirement for 
disclosures to contractors and other non-employees to whom an 
educational agency or institution has outsourced services, we note that 
the statutory definition of education records protects records that are 
maintained by a party acting for the agency or institution. See 20 
U.S.C. 1232g(a)(4)(A)(ii). Indeed, the Joint Statement in Explanation 
of Buckley/Pell Amendment (120 Cong. Rec. S39862, Dec. 13, 1974) refers 
specifically to materials that are maintained by a school ``or by one 
of its agents'' when describing the meaning of the new term education 
records in the December 1974 amendments to the statute.
    The Department has long recognized in guidance that FERPA does not 
prevent educational agencies and institutions from outsourcing 
institutional services and functions and disclosing education records 
to contractors and other outside parties performing those services and 
functions in appropriate circumstances, such as for legal advice; debt 
collection; transcript distribution; fundraising and alumni 
communications; development and management of information systems; and 
degree and enrollment verification. The Secretary wishes to clarify and 
define the scope of this practice to avoid further confusion and 
prevent weakening of FERPA's privacy protections because of uncertainty 
about the requirements for making these kinds of disclosures.
    One of the most frequently used exceptions to the prior written 
consent requirement allows teachers and other school officials to 
obtain access to education records provided the educational agency or 
institution has determined that the school official has legitimate 
educational interests in the information. This exception covers not 
only teachers and principals, but also school counselors, registrars, 
admissions personnel, attorneys, accountants, human resource staff, 
information systems specialists, and designated support and clerical 
personnel when they need access to personally identifiable information 
from education records in order to perform their official functions and 
duties for their employer. As noted above, an educational agency or 
institution that allows school officials to obtain access to education 
records under this exception must, under Sec.  99.7(a)(3), include in 
its annual notification of FERPA rights a specification of its criteria 
for determining who constitutes a school official and what constitutes 
legitimate educational interests under Sec.  99.31(a)(1). Disclosures 
to school officials under current regulations are subject to the 
restrictions on the use and redisclosure of information in Sec.  99.33 
but are exempt from the FERPA recordkeeping requirements in Sec.  
99.32.
    The proposed regulations are included with the exception for school 
officials in Sec.  99.31(a)(1) because we believe that disclosures made 
for contract, volunteer, and other outsourced services and functions 
should be subject to the same conditions that would apply if the 
outside party were, in fact, providing institutional services or 
functions as an employee or officer of the educational agency or 
institution. In particular, the outside party must be under the direct 
control of the agency or institution with respect to the maintenance 
and use of personally identifiable information from education records. 
The outside party

[[Page 15580]]

must also perform the type of institutional services or functions for 
which the agency or institution would otherwise use its own employees. 
For example, an institution may disclose education records without 
consent under this provision to an outside party retained to provide 
enrollment verification services to student loan holders because the 
institution would otherwise have to use its own employees to conduct 
the required verifications. In contrast, an institution may not use 
this provision to disclose education records, without consent, to a 
financial institution or insurance company that provides a good student 
discount on its services and needs students' ID numbers and grades to 
verify an individual's eligibility, even if the institution enters into 
a contract with these companies to provide the student discount.

Access to Education Records by School Officials
    Statute: 20 U.S.C. 1232g(b)(1)(A) provides that an educational 
agency or institution may allow teachers and other school officials 
within the agency or institution to obtain access to education records, 
without prior written consent, if the agency or institution has 
determined that the school official has legitimate educational 
interests in the information.
    Current Regulations: Section 99.31(a)(1) allows an educational 
agency or institution to disclose personally identifiable information 
from education records without consent to school officials, including 
teachers, within the agency or institution if the educational agency or 
institution has determined that they have legitimate educational 
interests in the information. An educational agency or institution that 
discloses information under this exception must specify in its annual 
notification of FERPA rights under Sec.  99.7(a)(3)(iii) the criteria 
it uses to determine who constitutes a school official and what 
constitutes legitimate educational interests. Current regulations do 
not specify whether the agency or institution must ensure that school 
officials obtain access to only those education records in which they 
have legitimate educational interests.
    Proposed Regulations: The proposed regulations in Sec.  
99.31(a)(1)(ii) would require an educational agency or institution to 
use reasonable methods to ensure that teachers and other school 
officials obtain access to only those education records in which they 
have legitimate educational interests. This requirement would apply to 
education records maintained in either paper or electronic format. 
Agencies and institutions that choose not to use physical or 
technological controls to restrict a school official's access to 
education records must ensure that their administrative policy for 
controlling access to and maintenance of education records is effective 
and that the agency or institution remains in compliance with the 
legitimate educational interests requirement in Sec.  
99.31(a)(1)(i)(A). (These proposed regulations do not address what 
constitutes a legitimate educational interest under the regulations.)
    Reasons: The proposed regulations are needed to ensure that 
teachers and other school officials only gain access to education 
records in which they have a legitimate educational interest. While the 
proposed regulations apply to records in any format (as defined in 
Sec.  99.3), the need to ensure compliance with the legitimate 
educational interest requirement has been driven largely by the 
increased use of computerized or electronic recordkeeping systems in 
which a user may have access to all records.
    Many of the smaller educational agencies and institutions typically 
use a combination of physical and administrative methods to restrict 
access by school officials to paper copy records. For example, paper 
copy records may be maintained in lockable cabinets, desks, or rooms 
with distribution of records to school officials controlled by the 
teacher, registrar, or other authorized custodian as appropriate. With 
the advent of computerized or electronic records, particularly by the 
mid-size and larger agencies and institutions, parents and students 
have complained that school officials may have unrestricted access to 
the records of all students in an institution's or local educational 
agency's (LEA) system. Agencies and institutions establishing or 
upgrading electronic student information systems have also expressed 
uncertainty about what methods they should use to comply with the 
legitimate educational interest requirement in this new environment.
    Under the proposed regulations, an educational agency or 
institution should implement controls to protect student records. These 
controls should consist of a combination of appropriate physical, 
technical, administrative, and operational controls which will allow 
access to be limited when required. (Some examples of possible 
information security controls can be found in ``The National Institute 
of Standards and Technology (NIST) 800-53, Recommended Security 
Controls for Federal Information Systems'' (December 2007). Educational 
institutions and agencies are not required to implement the NIST 800-53 
guidance, but may find it useful when determining possible controls.) 
For example, software used to access electronic records may contain 
role-based security features that allow teachers to view only 
information about students currently enrolled in their classes. 
Similarly, a school principal or registrar may maintain paper records 
in locked cabinets and distribute records to authorized officials on an 
as-needed basis.
    An educational agency or institution that does not use some kind of 
physical or technological controls to restrict access and leaves 
education records open to all school officials may rely instead on 
administrative controls, such as an institutional policy that prohibits 
teachers and other school officials from accessing records except when 
they have a legitimate educational interest. However, an agency or 
institution that forgoes physical or technological access controls must 
ensure that its administrative policy for controlling access is 
effective and that it remains in compliance with the legitimate 
educational interest requirement in Sec.  99.31(a)(1). In that regard, 
if a parent or eligible student alleges that a school official obtained 
access to a student's education records without a legitimate 
educational interest, an agency or institution must show that the 
school official possessed a legitimate educational interest in 
obtaining the personally identifiable information from education 
records maintained by the agency or institution. An agency or 
institution may wish to restrict or track school officials who obtain 
access to education records to ensure that it is in compliance with 
Sec.  99.31(a)(1)(i)(A).
    The risk of unauthorized access to education records by school 
officials means the likelihood that records may be targeted for 
compromise and the harm that could result. Methods used by an 
educational agency or institution to ensure compliance with the 
legitimate educational interests requirement are considered reasonable 
under the proposed regulations if they reduce the risk of unauthorized 
access by school officials to a level commensurate with the likely 
threat and potential harm. The greater the harm that would result from 
unauthorized access or disclosure and the greater the likelihood that 
unauthorized access or disclosure will occur, the more protections an 
agency or institution must use to ensure that its methods are 
reasonable. For example, high risk records, such as those that

[[Page 15581]]

contain credit card information, SSNs and other elements used for 
identity theft, immunization and other health records, certain records 
on special education students, and official transcripts and grades 
should generally receive greater and more immediate protection than 
medium or low risk records, such as those containing only publicly 
releasable directory information. Methods that an educational agency or 
institution should use to reduce risk to an acceptable level will 
depend on a variety of factors, including the organization's size and 
resources. In all cases, reasonableness depends ultimately on what are 
the usual and customary good business practices of educational agencies 
and institutions, which requires ongoing review and modification of 
methods and procedures, where appropriate, as standards and 
technologies continue to change.

Section 99.31(a)(2) (Disclosure to a School Where Student Seeks or 
Intends To Enroll)
    Statute: 20 U.S.C. 1232g(b)(1)(B) allows an educational agency or 
institution to disclose, under certain conditions, education records to 
another school or school system in which the student seeks or intends 
to enroll without obtaining the prior written consent of a parent or 
eligible student.
    Current Regulations: Under Sec.  99.31(a)(2), an educational agency 
or institution may disclose education records, without prior written 
consent, to officials of another school, school system, or 
postsecondary institution where the student seeks or intends to enroll, 
provided that the agency or institution complies with the requirements 
in Sec.  99.34(a) regarding notification to the parent or eligible 
student of the disclosure and, upon request, provides a copy of the 
records and an opportunity for a hearing under subpart C of the 
regulations.
    Proposed Regulations: The proposed regulations in Sec.  99.31(a)(2) 
would allow an educational agency or institution to disclose education 
records, without consent, to another institution even after a student 
has already enrolled or transferred, and not just if the student seeks 
or intends to enroll, if the disclosure is for purposes related to the 
student's enrollment or transfer.
    Reasons: The proposed amendments are needed to resolve uncertainty 
about whether consent is required to send a student's records to the 
student's new school after the student has already transferred and 
enrolled. This proposed exception to the consent requirement is 
intended to ease administrative burdens on educational agencies and 
institutions by allowing them to send transcripts and other information 
from education records to schools where a student seeks or intends to 
enroll without meeting the formal consent requirements in Sec.  99.30. 
We have concluded that authority to disclose or transfer information to 
a student's new school under this exception does not cease 
automatically the moment a student has actually enrolled. Rather, an 
educational agency or institution may transfer education records to a 
student's new school, including a postsecondary institution, at any 
point in time if the disclosure is in connection with the student's 
enrollment in the new school.
    Based on these considerations, we have also determined that an 
educational agency or institution may update, correct, or explain 
information it has disclosed to another educational agency or 
institution as part of the original disclosure under Sec.  99.31(a)(2) 
without complying with the written consent requirements in Sec.  99.30. 
That is, a student's previous institution is not required to obtain 
prior written consent under Sec.  99.30 to respond to the new 
institution's request to explain the meaning of education records sent 
to it in connection with a student's new enrollment.
    Finally, in the aftermath of the shooting at Virginia Tech, some 
questions have arisen about whether FERPA prohibits the disclosure of 
certain types of information from students' education records to new 
schools or postsecondary institutions to which they have applied. 
(Further discussion of the tragic events that occurred at Virginia Tech 
in April 2007 is included in the discussion of the proposed amendments 
to Sec.  99.36, which appears later in this document.) Under Sec.  
99.31(a)(2) and Sec.  99.34(a), FERPA permits school officials to 
disclose any and all education records, including health and 
disciplinary records, to another institution where the student seeks or 
intends to enroll.

Section 99.31(a)(6) (Organizations Conducting Studies for or on Behalf 
of an Educational Agency or Institution)
    Statute: 20 U.S.C. 1232g(b)(1)(F) allows an educational agency or 
institution to disclose personally identifiable information from 
education records, without consent, to organizations conducting studies 
for or on behalf of the agency or institution for purposes of testing, 
student aid, and improvement of instruction. The information must be 
protected so that students and their parents cannot be identified by 
anyone other than representatives of the organization that conducts the 
study and must be destroyed when no longer needed for the study. As 
explained in Sec.  99.31(a)(6)(iii), failure to destroy information in 
accordance with this requirement could lead to a five-year ban on 
disclosure of information to that organization.
    Current Regulations: The regulations restate the statutory language 
that the study is conducted ``for, or on behalf of'' the educational 
agency or institution, but do not explain what this language means.
    Proposed Regulations: The proposed regulations require an 
educational agency or institution that discloses education records 
without consent under Sec.  99.31(a)(6) to enter into a written 
agreement with the recipient organization that specifies the purposes 
of the study. The agency or institution that discloses education 
records under this exception does not have to agree with or endorse the 
conclusions or results of the study. The written agreement must specify 
that information from education records may only be used to meet the 
purposes of the study stated in the written agreement and must contain 
the current restrictions on redisclosure and destruction of information 
requirements applicable to information disclosed under this exception.
    Reasons: Research organizations have asked for clarification about 
the circumstances in which an educational agency or institution may 
disclose to them personally identifiable information from education 
records under Sec.  99.31(a)(6)(iii), and educational agencies and 
institutions have asked whether they may provide personally 
identifiable information to organizations for research purposes without 
parental consent even if the educational agency or institution has no 
particular interest in the study.
    This exception to the consent requirement is intended to allow 
educational agencies and institutions to retain the services of outside 
organizations (or individuals) to conduct studies for or on their 
behalf to develop, validate, or administer predictive tests; administer 
student aid programs; or improve instruction. An educational agency or 
institution need not initiate research requests or agree with or 
endorse a study's results and conclusions under this exception. 
However, the statutory language ``for, or on behalf of'' indicates that 
the disclosing agency or institution agrees with the purposes of the 
study and retains control over the information from education records 
that is disclosed.

[[Page 15582]]

The written agreement required under the proposed regulations will help 
ensure that information from education records is used only to meet the 
purposes of the study stated in the written agreement and that all 
applicable requirements are met. (See discussion of Sec.  99.31(b) 
below regarding disclosure of de-identified information to independent 
educational researchers.)

Section 99.31(a)(9) (USA Patriot Act)
    Statute: The USA Patriot Act, Public Law 107-56, amended FERPA by 
providing a new subsection 1232g(j), 20 U.S.C. 1232g(j), that 
authorizes the United States Attorney General (or designee not lower 
than an Assistant Attorney General) to apply for an ex parte court 
order (an order issued by a court without notice to an adverse party) 
allowing the Attorney General (or designee) to collect education 
records from an educational agency or institution, without the consent 
or knowledge of the student or parent, that are relevant to an 
investigation or prosecution of an offense listed in 18 U.S.C. 
2332b(g)(5)(B) or an act of domestic or international terrorism 
specified in 18 U.S.C. 2331. The statute requires the Attorney General 
(or designee not lower than an Assistant Attorney General) to certify 
facts in support of the order and to retain, disseminate, and use the 
records in a manner that is consistent with confidentiality guidelines 
established by the Attorney General in consultation with the Secretary 
of Education. Agencies and institutions are not required to record the 
disclosure and cannot be held liable to anyone for producing education 
records in good faith in accordance with a court order issued under 
this provision.
    Current Regulations: The current regulations do not address the 
amendments made by the USA Patriot Act.
    Proposed Regulations: The proposed regulations add new exceptions 
to the written consent requirement in Sec.  99.31(a)(9)(ii) and the 
recordkeeping requirement in Sec.  99.32(a) allowing disclosure of 
education records without notice in compliance with an ex parte court 
order obtained by the Attorney General (or designee) concerning 
investigations or prosecutions of an offense listed in 18 U.S.C. 
2332b(g)(5)(B) or an act of domestic or international terrorism defined 
in 18 U.S.C. 2331.
    Reasons: The proposed regulations are necessary to implement the 
statutory amendment. An educational agency or institution that is 
served with an ex parte court order from the Attorney General (or 
designee) under this provision should ensure that the order is facially 
valid, just as it does when determining whether to comply with other 
judicial orders and subpoenas under Sec.  99.31(a)(9). An educational 
agency or institution is not, however, required or authorized to 
examine the underlying certification of facts presented to the court in 
the Attorney General's application for the ex parte court order.
    The proposed regulations provide that an educational agency or 
institution may comply with the court order without notice to the 
parent or eligible student. (Note that Sec.  99.31(a)(9)(ii)(B) also 
allows an educational agency or institution to disclose education 
records without notice to representatives of the Attorney General or 
other law enforcement authorities who produce a subpoena that has been 
issued for law enforcement purposes and the court or other issuing 
agency has ordered that the existence or contents of the subpoena or 
information furnished in response to the subpoena not be disclosed.)
Section 99.31(a)(16) (Registered Sex Offenders)
    Statute: The Campus Sex Crimes Prevention Act (CSCPA), section 
1601(d) of the Victims of Trafficking and Violence Protection Act of 
2000, Public Law 106-386, amended FERPA by adding 20 U.S.C. 
1232g(b)(7), which provides that educational agencies and institutions 
may disclose information concerning registered sex offenders provided 
under State sex offender registration and community notification 
programs required by section 170101 of the Violent Crime Control and 
Law Enforcement Act of 1994, Public Law 103-322, 42 U.S.C. 14071. 
Section 170101 contains the Jacob Wetterling Crimes Against Children 
and Sexually Violent Offender Registration Act (Wetterling Act).
    Current Regulations: The current regulations do not address the 
disclosure of information concerning registered sex offenders.
    Proposed Regulations: The proposed regulations add a new exception 
to the consent requirement in Sec.  99.31(a)(16) that permits an 
educational agency or institution to disclose information that the 
agency or institution received under a State community notification 
program about a student who is required to register as a sex offender 
in the State. Note that nothing in FERPA or these proposed regulations 
requires or encourages an educational agency or institution to collect 
or maintain information about registered sex offenders.
    Reasons: The regulations implement the CSCPA amendment to FERPA, 
which allows educational agencies and institutions to disclose 
information about registered sex offenders without consent if the 
information was received through and complies with guidelines regarding 
a State community notification program issued by the U.S. Attorney 
General under the Wetterling Act. Wetterling Act guidelines issued by 
the Attorney General were published in the Federal Register on October 
25, 2002 (67 FR 65598), and January 5, 1999 (64 FR 572).
    The Wetterling Act sets forth minimum national standards for sex 
offender registration and community notification programs. Under the 
Wetterling Act, States must establish programs that require sexually 
violent predators (and anyone convicted of specified criminal offenses 
against minors) to register their name and address with the appropriate 
State authority where the offender lives, works, or is enrolled as a 
student. States are also required to release relevant information 
necessary to protect the public concerning persons required to 
register, excluding the identity of any victim. (This community 
notification provision is commonly known as the ``Megan's Law'' 
amendment to the Wetterling Act.)
    CSCPA supplemented the general standards for sex offender 
registration and community notification programs in the Wetterling Act 
with provisions specifically designed for higher education campus 
communities. These include a requirement that States collect 
information about a registered offender's enrollment or employment at 
an institution of higher education, including any change in enrollment 
or employment status at the institution, and make this information 
available promptly to a campus police department or other appropriate 
law enforcement agency having jurisdiction where the institution is 
located. CSCPA also amended the Higher Education Act of 1965, as 
amended (HEA), by requiring institutions of higher education to advise 
the campus community where it can obtain information about registered 
sex offenders provided by the State pursuant to the Wetterling Act, 
such as the campus law enforcement office, a local law enforcement 
agency, or a computer network address. See 20 U.S.C. 1092(f)(1)(I) and 
34 CFR 668.46(b)(12).
    While the FERPA amendment was made in the context of CSCPA's 
enhancements to registration and

[[Page 15583]]

notification requirements applicable to the higher education community, 
the Department has determined that all educational institutions, 
including elementary and secondary schools, are covered by this 
amendment. The registration and community notification requirements 
apply in the State where an offender lives, works, or is a student, 
which is defined as ``a person who is enrolled on a full-time or part-
time basis, in any public or private educational institution, including 
any secondary school, trade, or professional institution, or 
institution of higher education.'' See 42 U.S.C. 14071(a)(3)(G). 
Because the sex offender registration and community notification 
requirements apply broadly to students enrolled in ``any public or 
private educational institution,'' the Department likewise interprets 
the FERPA amendment to apply to all educational agencies and 
institutions subject to FERPA.

4. De-Identification of Information (Sec.  99.31(b))

    Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an 
educational agency or institution may not have a policy or practice of 
permitting the release of or providing access to education records, or 
personally identifiable information from education records, without 
prior written consent except in accordance with statutory exceptions.
    Current Regulations: Personally identifiable information under 
Sec.  99.3 includes personal identifiers such as a student's name, 
address, and identification numbers, as well as personal 
characteristics or other information that would make the student's 
identity easily traceable.
    Proposed Regulations: The proposed regulations would amend Sec.  
99.31(b) to provide objective standards under which educational 
agencies and institutions may release, without consent, education 
records, or information from education records, that has been de-
identified through the removal of all personally identifiable 
information. Personally identifiable information is defined in Sec.  
99.3 to mean information that can be used to identify a student, 
including direct identifiers, such as the student's name, SSN, and 
biometric records, alone or combined with other personal or identifying 
information that is linked or linkable to a specific individual, 
including indirect identifiers such as the name of the student's parent 
or other family member, the student's or family's address, and the 
student's date and place of birth and mother's maiden name, that would 
allow a reasonable person in the school or its community, who does not 
have personal knowledge of the relevant circumstance, to identify the 
student with reasonable certainty. The Department does not hold 
educational agencies and institutions responsible for knowing the 
status of all non-educational records about students (e.g., law 
enforcement or hospital records). However, the Department encourages 
educational agencies and institutions to be sensitive to publicly 
available data on students and to the cumulative effect of disclosures 
of student data. Additionally, personally identifiable information 
includes information that is requested by a person who an agency or 
institution reasonably believes has direct, personal knowledge of the 
identity of the student to whom the education record directly relates. 
This is known as a targeted request.
    Reasons: Disclosure is defined in the regulations as permitting 
access to or releasing, transferring, or otherwise communicating 
personally identifiable information contained in education records. 
Accordingly, there is no ``disclosure'' under FERPA when education 
records are released if all identifiers have been removed, along with 
other personally identifiable information. The proposed regulations are 
needed to establish this guidance in a definitive and legally binding 
interpretation, and to provide standards for ensuring that a student's 
personally identifiable information is not disclosed.
    The Department's November 18, 2004, letter to the Tennessee 
Department of Education (TNDOE) explains that an educational agency or 
institution may release for educational research purposes (without 
parental consent) anonymous data files, i.e., records from which all 
personally identifiable information has been removed but that have 
coded each student's record with a non-personal identifier as described 
in the letter. (Records or data that have been stripped of identifiers 
and coded may be re-identified and, therefore, are properly 
characterized as de-identified.) Under the guidance in the TNDOE 
letter, a party must ensure that the identity of any student cannot be 
determined in coded records, including assurances of sufficient cell 
and subgroup size, and the linking key that connects the code to 
student information must not be shared with the requesting entity.
    The Department recognizes that the risk of disclosure of identity 
or individual attributes in statistical information cannot be 
completely eliminated, at least not without negating the utility of the 
information, and that avoiding disclosure is always a matter of 
analyzing and balancing risk so that the risk of disclosure is very 
low. The reasonable certainty 
standard in the proposed definition of personally identifiable 
information requires such a balancing test. (Similarly, we are 
proposing here to use the term ``de-identified'' instead of 
``anonymous''--which appears in previous guidance--because it is more 
consistent with terminology used by experts in the field and reflects 
more accurately the level of disclosure risk that should be achieved.)
    Many educational institutions have asked for guidance about how 
they may disclose ``redacted'' education records that concern students 
or incidents that are well-known in the school or its community. For 
example, a school has suspended a student from school and given the 
student a failing grade for cheating on a test. The parent believes the 
discipline is too harsh and inconsistent with discipline given to other 
students and asks to see the redacted records of other students who 
have been disciplined for cheating on tests that year. Only one student 
has been disciplined for this infraction during the year, and the name 
of that student is widely known because her parents went to the media 
about the accusation. The school may not release the record in redacted 
form because the publicity has made the record personally identifiable.
    Additionally, personally identifiable information includes 
information that is requested by a person who an agency or institution 
reasonably believes has direct, personal knowledge of the identity of 
the student to whom the education record directly relates. This is 
known as a targeted request. In the simplest case, if an individual 
asks for the disciplinary report for a named student, the institution 
may not release a redacted copy of the report because the requester 
knows the identity of the student who is the subject of the report. An 
individual can also make a targeted request without mentioning the 
student's name. For example, a person running for local office is known 
to have graduated from a particular university in 1978. Rumors 
circulate that the candidate plagiarized other students' work while in 
school. A local reporter asks the university for redacted disciplinary 
records for all students who graduated in 1978 who were disciplined for 
plagiarism. The university may not release the records in redacted form 
because the circumstances indicate that the requester has made a 
targeted request, i.e., has direct, personal

[[Page 15584]]

knowledge of the subject of the case. In another case, a local reporter 
reviewed law enforcement unit records in October 2007 and learned that 
a prominent high school athlete was under investigation for use of 
illegal drugs. The newspaper published front-page articles about the 
matter that same month. Thereafter, the reporter asked the student's 
school for a redacted copy of all disciplinary records related to 
illegal drug use by student athletes since October 2007. The school may 
not release the records in redacted form because the reporter has made 
a targeted request.
    Clearly, extenuating circumstances sometimes cause identity to be 
revealed even after all identifiers have been removed, whether in 
aggregated or student-level data. In these situations, the key 
consideration in determining whether the information is personally 
identifiable is whether a reasonable person in the school or its 
community, without personal knowledge of the relevant circumstances, 
would be able to identify a student with reasonable certainty. The 
Department is interested in receiving comments on the scope of the 
``school or its community'' limitation in the reasonable person 
standard, and how it would apply to the release of redacted records as 
well as statistical information, including information released by 
State educational authorities and entities other than local districts 
and institutions.
    In regard to numerical or statistical information, several 
educational agencies and institutions have expressed concern about the 
public release of information that contains small data sets that may be 
personally identifiable. We have advised States and schools generally 
that they may not report publicly on the number of students of a 
specified race, gender, disability, English language proficiency, 
migrant status, or other condition who failed to graduate, received 
financial aid, achieved certain test scores, etc., unless there is a 
sufficient number of students in the defined category so that 
personally identifiable information is not released. Some schools have 
indicated, for example, that they would not disclose that two Hispanic, 
female students failed to graduate, even if there are several Hispanic 
females at the institution, because of the likelihood that the students 
who failed to graduate could easily be identified in such a small data 
set.
    A review of data confidentiality issues, especially as concerns the 
Federal statistical agencies, indicates that it is not possible to 
prescribe a single method to apply in every circumstance to minimize 
risk of disclosing personally identifiable information. This is true 
for several reasons, including the wide variety of data compilations 
and systems maintained by different agencies and institutions and the 
different types of search requests they receive and data sets they wish 
to disclose. More generally, and as indicated in the Federal Committee 
on Statistical Methodology's Statistical Policy Working Paper 22 
(available at http://www.fcsm.gov/working-papers/wp22.html), 
educational agencies and institutions may wish to consider current 
statistical, scientific and technological concepts, and standards when 
making decisions about analyzing and minimizing the risk of disclosure 
in statistical information. Consistent with that view, the Department 
has consistently declined to take a categorical approach and advised 
instead that the parties themselves are in the best position to analyze 
and identify the best methods to use to protect the confidentiality of 
their own data. See, for example, the September 25, 2003, letter to 
Board of Regents of the University System of Georgia at http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/georgialtr.html; October 
19, 2004, letter to Miami University at http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/unofmiami.html.
    However, the Department recognizes that there are some practices 
from the existing professional literature on disclosure limitation that 
can assist covered entities in developing a sound approach to de-
identifying data for release, particularly when consultation with 
professional statisticians with experience in disclosure limitation 
methods is not feasible. Each of the items discussed in the following 
subsection is elaborated on in Statistical Working Paper 22 for further 
reference.
    There are several steps that can assist with de-identifying any 
data release. The choice of methods depends on the nature of the data 
release that must be de-identified. First, covered entities should 
recognize that the re-identification risk of any given release is 
cumulative, i.e., directly related to what has previously been 
released. Previous releases include both publicly-available directory 
information and de-identified data releases. For example, if a publicly 
available directory provides date and place of birth, then a de-
identified data release that also contains the same information for a 
group of students could pose a re-identification risk if one of those 
students has an unusual date and place of birth relative to others in 
the data release.
    Second, covered entities should minimize information released in 
directories to the extent possible. The Department is not attempting to 
limit the statutory authority available to covered entities in 
releasing directory information, but recognizes that since the 
statute's enactment, the risk of re-identification from such 
information has grown as a result of new technologies and methods.
    Third, covered entities should apply a consistent de-identification 
strategy for all of their data releases of a similar type. The two major 
types of data release are aggregated data (such as tables showing 
numbers of enrolled students by race, age and sex) and microdata (such 
as individual level student assessment results by grade and school). 
There are several acceptable de-identification strategies for each type 
of data. Major methods used by the Department for tabular data include 
defining a minimum cell size (meaning no results will be released for 
any cell of a table with a number smaller than ``X'' or else cells are 
aggregated until no cells based on one or two cases remain) or 
controlled rounding (meaning that cells with a number smaller than 
``X'' require that numbers in the affected rows and columns be rounded 
so that the totals remain unchanged). For microdata releases, the 
primary consideration is whether the proposed release contains any 
``unique'' individuals whose identity can be deduced by the combination 
of variables in the file. If such a condition exists, there are a 
number of methods that can be employed. These include ``top coding'' a 
variable (e.g., test scores above a certain level are recoded to a 
defined maximum), converting continuous data elements into categorical 
data elements (e.g., creating categories that subsume unique cases) or 
data swapping to introduce uncertainty so that the data user does not 
know whether the real data values correspond to certain records.
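    The methods named above, applied to constructed data as an added 
example that is not part of the notice: minimum cell size with 
complementary suppression for a table, then a uniqueness check, banding, 
and top coding for microdata. The threshold of 3, the field names, and 
the assumption that row and column totals are published are illustrative 
choices, and complementary suppression goes one step beyond the text.

```python
from collections import Counter

MIN_CELL = 3  # assumed value for the threshold "X"; the notice prescribes none

# Constructed sample data, not taken from any real release.
TABLE = {
    "Grade 9":  {"proficient": 41, "basic": 12, "below_basic": 2},
    "Grade 10": {"proficient": 38, "basic": 15, "below_basic": 7},
    "Grade 11": {"proficient": 44, "basic": 9,  "below_basic": 5},
}
STUDENTS = [
    {"grade": 9, "age": 14, "score": 71},
    {"grade": 9, "age": 14, "score": 64},
    {"grade": 9, "age": 15, "score": 80},
    {"grade": 9, "age": 15, "score": 58},
    {"grade": 9, "age": 17, "score": 99},
    {"grade": 9, "age": 16, "score": 75},
]


def suppress_small_cells(table, min_cell=MIN_CELL):
    """Blank (None) every cell below min_cell, then blank complementary cells.

    Assumes row and column totals are published with the table. A lone blank
    in a row or column could then be recovered by subtraction, so the smallest
    visible cell in that line is blanked as well, until every line has either
    no blanks or at least two. This is a simple heuristic; it does not audit
    the bounds that the published totals still place on blanked cells.
    """
    if not table:
        return {}
    out = {r: {c: (n if n >= min_cell else None) for c, n in cols.items()}
           for r, cols in table.items()}
    columns = list(next(iter(table.values())))
    lines = [[(r, c) for c in columns] for r in table]    # one line per row
    lines += [[(r, c) for r in table] for c in columns]   # one line per column
    changed = True
    while changed:
        changed = False
        for line in lines:
            hidden = [(r, c) for r, c in line if out[r][c] is None]
            shown = [(r, c) for r, c in line if out[r][c] is not None]
            if len(hidden) == 1 and shown:
                r, c = min(shown, key=lambda rc: table[rc[0]][rc[1]])
                out[r][c] = None  # complementary suppression
                changed = True
    return out


def unique_records(rows, quasi_ids, k=2):
    """Rows whose combination of quasi-identifier values occurs fewer than k times."""
    counts = Counter(tuple(row[q] for q in quasi_ids) for row in rows)
    return [row for row in rows
            if counts[tuple(row[q] for q in quasi_ids)] < k]


def band(rows, field, width):
    """Recode a continuous field into fixed-width categories, e.g. 15 -> '14-15'."""
    out = []
    for row in rows:
        low = row[field] - row[field] % width
        out.append({**row, field: f"{low}-{low + width - 1}"})
    return out


def top_code(rows, field, cap):
    """Recode every value above cap to cap, leaving other values unchanged."""
    return [{**row, field: min(row[field], cap)} for row in rows]


if __name__ == "__main__":
    for name, cols in suppress_small_cells(TABLE).items():
        print(name, cols)
    ids = ("grade", "age")
    print("unique before banding:", unique_records(STUDENTS, ids))
    print("unique after banding: ", unique_records(band(STUDENTS, "age", 2), ids))
    print("top-coded scores:", [r["score"] for r in top_code(STUDENTS, "score", 90)])
```
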
    The Department seeks public comment on whether it needs to develop 
further guidance on this topic to assist educational agencies and 
institutions.
    Although FERPA does not contain a general ``research'' exception to 
the consent requirement, the Department recognizes that useful and 
valid educational research may be conducted using de-identified data 
where disclosure of personally identifiable information from education 
records would not be permissible under the limited standards of Sec.  
99.31(a)(6) or

[[Page 15585]]

Sec.  99.31(a)(3), discussed above. This regulation should not be 
interpreted to discourage de-identified data releases, but rather to 
clarify how to do so in a manner that minimizes the risk of re-
identification. Accordingly, the proposed regulations are also needed 
to provide a method that may be used by a school, school district, 
state department of education, postsecondary institution or commission, 
or another party that maintains education records to release student-
level or microdata for purposes of education research. We believe that 
these standards establish an appropriate balance that facilitates 
educational research and accountability while preserving the privacy 
protections in FERPA.
    In order to permit ongoing educational research with the same data, 
the party that releases the information may attach a unique descriptor 
to each de-identified record that will allow the recipient to match 
other de-identified information received from the same source. However, 
the recipient may not be allowed to have access to any information 
about how the descriptor is generated and assigned, or that would allow 
it to match the information from education records with data from any 
other source, unless that data is de-identified and coded by the party 
that discloses education records. Furthermore, a record descriptor 
assigned for educational research purposes under this rule may not be 
based on a student's social security number.
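    One way to generate such a descriptor, shown as an added example 
that is not part of the notice or any Department method: a keyed hash 
(HMAC-SHA256) over an internal record number, with the key and linking 
table kept by the releasing party. The class, the `record_id` field, the 
SSN-shape guard, and the sample records are hypothetical.

```python
import hashlib
import hmac
import re
import secrets

# Heuristic guard (an assumption of this sketch): refuse inputs shaped like an SSN.
SSN_SHAPE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


class DescriptorIssuer:
    """Runs only at the party that releases the data.

    The secret key and the linking table stay here; recipients receive the
    descriptors and the listed fields, nothing else.
    """

    def __init__(self, key=None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self.linking_table = {}  # descriptor -> internal record id, never released

    def descriptor(self, record_id):
        if SSN_SHAPE.match(record_id):
            raise ValueError("record descriptor must not be based on an SSN")
        # Same key + same record id -> same descriptor in every release.
        tag = hmac.new(self._key, record_id.encode(), hashlib.sha256).hexdigest()[:16]
        self.linking_table[tag] = record_id
        return tag

    def release(self, records, fields):
        """Build a de-identified extract: descriptor plus the listed fields only."""
        return [{"descriptor": self.descriptor(r["record_id"]),
                 **{f: r[f] for f in fields}} for r in records]


def link(release_a, release_b):
    """What a recipient can do: join two releases from one source on the descriptor."""
    by_tag = {row["descriptor"]: row for row in release_b}
    return [(row, by_tag[row["descriptor"]]) for row in release_a
            if row["descriptor"] in by_tag]


# Constructed sample records; "record_id" is a hypothetical internal key.
FALL = [
    {"record_id": "R-000183", "name": "Student One", "grade": 9, "reading": 71},
    {"record_id": "R-000244", "name": "Student Two", "grade": 9, "reading": 64},
]
SPRING = [
    {"record_id": "R-000244", "name": "Student Two", "grade": 9, "reading": 70},
    {"record_id": "R-000183", "name": "Student One", "grade": 9, "reading": 78},
]

if __name__ == "__main__":
    issuer = DescriptorIssuer()
    fall = issuer.release(FALL, ["grade", "reading"])
    spring = issuer.release(SPRING, ["grade", "reading"])
    for before, after in link(fall, spring):
        print(before["descriptor"], before["reading"], "->", after["reading"])
```
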
    De-identified, student-level data released for educational research 
purposes must still conform to the requirements discussed above 
regarding small data sets that may lead to personal identification of 
students. However, unlike information released in personally 
identifiable form under Sec. Sec.  99.31(a)(3) and 99.31(a)(6), de-
identified information from education records is not subject to any 
destruction requirements because, by definition, it is not ``personally 
identifiable information'' under FERPA.
    The Department cannot specify in general which statistical 
disclosure limitation (SDL) methods should be used in any particular 
case. However, educational agencies and institutions should monitor 
releases of coded, de-identified microdata and take reasonable measures 
to ensure that overlapping or successive releases do not result in data 
sets in which a student's personally identifiable information is 
disclosed.

5. Identification and Authentication of Identity (Sec.  99.31(c))

    Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an 
educational agency or institution may not have a policy or practice of 
releasing, permitting the release of, or providing access to any 
personally identifiable information from education records without 
written consent, except in accordance with specified statutory 
exceptions.
    Current Regulations: Current regulations do not address whether an 
educational agency or institution must ensure that it has properly 
identified a party to whom it discloses personally identifiable 
information from education records.
    Proposed Regulations: The proposed regulations in Sec.  99.31(c) 
would require an educational agency or institution to use reasonable 
methods to identify and authenticate the identity of parents, students, 
school officials, and any other parties to whom the agency or 
institution discloses personally identifiable information from 
education records.
    Reasons: The proposed regulations are needed to ensure that 
educational agencies and institutions disclose personally identifiable 
information from education records only to authorized recipients. 
Identification in this context means determining who is the intended or 
authorized recipient of the information in question; authentication of 
identity means ensuring that the recipient is, in fact, who he or she 
purports to be.
    Identification of a party requesting disclosure of hard copy 
education records is relatively simple--the responsible school official 
can confirm the name and correct address for records sent by mail and 
obtain photo identification for personal delivery of records to 
students, parents, school officials, and other authorized recipients 
who are not recognized personally by the custodian of the records. 
Identification presents unique challenges in an electronic or 
telephonic environment, where personal recognition and photo 
identification cards are irrelevant.
    Occasionally educational agencies and institutions disclose 
education records to the wrong party because someone misaddresses an 
envelope, or puts the wrong material in a properly addressed envelope. 
This is a failure to properly identify the authorized recipient. More 
commonly, parents and students complain that unauthorized parties 
obtain access to the student's education records because agencies and 
institutions use widely available information, such as name and date of 
birth, or name and SSN or other student ID number, when providing 
access to electronic records or disclosing information about a student 
by telephone. This is a failure to properly authenticate identity. 
These proposed regulations would address both of these problems.
    Authentication of identity is a complex subject that continues to 
advance as new methods and technologies are developed to meet evolving 
standards for safeguarding financial, health, and other types of 
electronic records. The proposed regulations allow an educational 
agency or institution to use any reasonable method. As discussed above 
in connection with controlling access to education records by school 
officials, methods are considered reasonable if they reduce the risk of 
unauthorized disclosure to a level that is commensurate with the likely 
threat and potential harm and depend on a variety of factors, including 
the organization's size and resources. The greater the harm that would 
result from unauthorized access or disclosure, and consequently the 
greater the likelihood that unauthorized access or disclosure will be 
attempted, the more protections an agency or institution must use to 
ensure that its methods are reasonable. Again, reasonableness depends 
ultimately on what are the usual and customary good business practices 
of educational agencies and institutions, which requires ongoing review 
and modification of procedures, where appropriate, as standards and 
technologies change.
    Authentication of identity generally involves requiring a user to 
provide something that only the user knows, such as a PIN, password, or 
answer to a personal question; something that only the user has, such 
as a smart card or token; or a biometric factor associated with no one 
other than the user, such as a finger, iris, or voice print. Under the 
proposed regulations an educational agency or institution may determine 
that single-factor authentication, such as a standard form user name 
combined with a secret PIN or password, is reasonable for protecting 
access to electronic grades and transcripts. Single-factor 
authentication may not be reasonable, however, for protecting access to 
SSNs, credit card numbers, and similar information that could be used 
for identity theft and financial fraud.
    Likewise, an educational agency or institution must ensure that it 
does not deliver a password, PIN, smart card, or

[[Page 15586]]

other factor used to authenticate identity in a manner that would allow 
access to unauthorized recipients. For example, an agency or 
institution may not make education records available electronically by 
using a common form user name (e.g., last name and first name initial) 
with date of birth or SSN, or a portion of the SSN, as an initial 
password to be changed upon first use of the system.

6. Redisclosure of Education Records by Officials Listed in Sec.  
99.31(a)(3) (Sec.  99.32, Sec.  99.35)

    Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) permit an 
educational agency or institution to disclose education records, 
without prior written consent, to authorized representatives of the 
United States Comptroller General, the Secretary of Education, State 
and local educational authorities, and the U.S. Attorney General as 
necessary in connection with the audit or evaluation of Federal and 
State supported education programs, or in connection with the 
enforcement of Federal legal requirements that relate to those 
programs. Except when the collection of personally identifiable 
information is specifically authorized by Federal law, personally 
identifiable information of parents and students may not be redisclosed 
to any other parties and must be destroyed when no longer needed for 
such audit, evaluation or enforcement purposes.
    In contrast, section 1232g(b)(4)(B) contains a general prohibition 
on the redisclosure of information from education records. In 
particular, by statute an educational agency or institution may 
disclose personal information from education records only on the 
condition that the recipient will not redisclose the information to any 
other party without meeting the prior written consent requirement. If a 
recipient rediscloses personally identifiable information from 
education records in violation of the prior written consent 
requirement, the agency or institution that disclosed the records may 
not permit that recipient to have access to information from education 
records for at least five years. There is no general destruction 
requirement similar to the specific requirement for destruction of 
personally identifiable information described above for records 
disclosed for audit, evaluation, and enforcement purposes under section 
1232g(b)(3).
    Current Regulations: Section 99.31(a)(3) lists the four officials 
or authorities that may receive education records, without consent, for 
the specified audit, evaluation, or compliance and enforcement 
purposes. The Department has interpreted the term ``evaluation'' 
broadly to include all manner of studies, assessments, measurements, 
appraisals, research, and other efforts, including analyses of 
statistical or numerical data derived from education records. Section 
99.35 provides that information disclosed under this exception to the 
consent requirement must be protected in a manner that does not permit 
personal identification of individuals by anyone except the officials 
listed in Sec.  99.31(a)(3) and must be destroyed when no longer needed 
for the audit, evaluation, or compliance and enforcement purposes, 
unless a parent or eligible student consents to the disclosure or 
Federal law specifically authorizes the collection of personally 
identifiable information. Current regulations do not specify any 
further conditions under which these officials or authorities may 
redisclose personally identifiable information from education records 
without prior written consent.
    Section 99.33(c) establishes specific exceptions to the general 
statutory prohibition on redisclosure of information from education 
records under 20 U.S.C. 1232g(b)(4)(B). Section 99.33(b) also allows an 
educational agency or institution to disclose education records with 
the understanding that the recipient may make further disclosures of 
the information on its behalf if the disclosures could be made under 
Sec.  99.31 and the educational agency or institution complies with the 
recordkeeping requirements specified in Sec.  99.32(b). Section 
99.32(a) requires an educational agency or institution to maintain a 
record of each request for access to and each disclosure of personally 
identifiable information from the education records of each student. If 
a recipient is authorized to make further disclosures of personally 
identifiable information from education records under Sec.  99.33(b), 
the educational agency or institution must record the names of the 
additional parties to which the receiving party may disclose the 
information on behalf of the educational agency or institution and 
their legitimate interests under Sec.  99.31 in requesting or obtaining 
the information. Each student's record of disclosures is an education 
record that must be made available to a parent or eligible student 
under Sec.  99.32(c). The Department has not applied the regulatory 
exception in Sec.  99.33(b) to officials or authorities that receive 
information under Sec. Sec.  99.31(a)(3) and 99.35 because of the more 
specific statutory limitations, including the destruction requirement, 
that generally apply to these disclosures.
    Proposed Regulations: The proposed regulations in Sec.  99.35(b)(1) 
would permit officials and authorities listed in Sec.  99.31(a)(3)(i) 
to redisclose personally identifiable information from education 
records under the same conditions, set forth in Sec.  99.33(b), that 
apply to parties that receive personally identifiable information from 
education records under other exceptions in Sec.  99.31. For example, 
this proposed change would allow a State educational agency (SEA) to 
use the exception in Sec.  99.31(a)(2) to transfer a student's 
education records to a student's new school district on behalf of the 
former district. Similarly, an SEA or other official listed in Sec.  
99.31(a)(3) would be able to redisclose personally identifiable 
information from education records received under Sec.  99.35 to an 
accrediting agency under Sec.  99.31(a)(7); in response to a subpoena 
or court order under Sec.  99.31(a)(9); or in connection with a health 
or safety emergency under Sec. Sec.  99.31(a)(10) and 99.36. The 
proposed regulations would also apply to the redisclosure of education 
records by an SEA (or other official listed in Sec.  99.31(a)(3)) to 
another listed official, such as the Secretary, for audit, evaluation, 
or compliance and enforcement purposes under Sec.  99.35. The 
regulations would also clarify that authority to conduct an audit, 
evaluation, or compliance or enforcement activity is not conferred by 
FERPA and must be established under other Federal, State, or local law, 
including valid administrative regulations. Like redisclosures 
permitted currently under Sec.  99.33(b), redisclosures made by 
officials listed in Sec.  99.31(a)(3)(i) under the proposed amendment 
would be subject to the recordation requirements in Sec.  99.32(b).
    Reasons: School districts and postsecondary institutions typically 
disclose education records, or personally identifiable information from 
education records, to their SEA or State higher education authority, 
without prior written consent, for audit, evaluation, or compliance and 
enforcement purposes subject to the requirements of Sec.  99.35. 
Several SEAs that maintain Statewide, consolidated systems for school 
district records subject to Sec.  99.35 have questioned whether they 
may allow a student's new school district to obtain access to 
personally identifiable information from education records submitted to 
the system by the student's former district. (Historically, when a 
student transfers to a new school, the former school district sends the 
student's education records to the student's new district,

[[Page 15587]]

without consent, under Sec.  99.31(a)(2).) Others have asked whether 
records subject to Sec.  99.35 may be redisclosed in compliance with a 
subpoena or court order and, if so, what conditions apply. States have 
also asked about the operation of longitudinal data systems that 
consolidate K-12 and postsecondary education records.
    As noted elsewhere in this notice, there are no specific statutory 
exceptions to either the prohibition on redisclosure of education 
records disclosed under Sec.  99.31 or the more specific limitations 
for records disclosed under Sec.  99.35. Accordingly, final regulations 
published on June 17, 1976 (41 FR 24662) provided in Sec.  99.33(a) 
that educational agencies and institutions must inform a third party to 
whom personally identifiable information from education records is 
disclosed that it may not redisclose any personally identifiable 
information without the written consent of a parent or eligible 
student. However, these regulations also added a provision in Sec.  
99.33(b) that permits the agency or institution to disclose

personally identifiable information under Sec.  99.31 with the 
understanding that the information will be redisclosed to other 
parties under that section; Provided, That the recordkeeping 
requirements of Sec.  99.32 are met with respect to each of those 
parties.

41 FR 24662, 24679.

    The Secretary recognizes that officials and authorities that 
receive education records for audit, evaluation, compliance, or 
enforcement purposes under Sec. Sec.  99.31(a)(3) and 99.35 are no less 
capable of protecting the information against unauthorized access and 
disclosure than parties that receive education records under other 
exceptions in Sec.  99.31. The proposed amendment is needed so that 
SEAs and other officials and authorities listed in Sec.  99.31(a)(3)(i) 
may take advantage of the regulatory exception in Sec.  99.33(b) and 
redisclose personally identifiable information from education records 
directly to a qualified recipient under an exception in Sec.  99.31 
instead of requiring that party to go to each school district or 
institution that submitted the records for audit, evaluation, 
compliance, or enforcement purposes. Similarly, the proposed 
regulations are needed to clarify that an official or authority that 
maintains personally identifiable information from education records 
subject to Sec.  99.35 may redisclose that information to another 
authority listed in Sec.  99.31(a)(3)(i) for another qualifying audit, 
evaluation, compliance, or enforcement activity, notwithstanding the 
limitations in Sec.  99.35.
    The proposed regulations clarify that while FERPA permits the 
disclosure and redisclosure of education records without consent to 
officials and authorities listed in Sec.  99.31(a)(3)(i) for the 
purposes specified, it does not confer or establish the underlying 
authority for those officials and authorities to conduct an audit, 
evaluation, or compliance or enforcement activity. If Federal, State, 
or local law authorizes a particular entity to audit or evaluate the 
education records, then FERPA permits the disclosure of personally 
identifiable information for that purpose without consent. For example, 
this exception allows a school district to disclose education records 
to its own State department of education or other SEA because that 
agency is legally authorized to audit or evaluate the school district's 
education programs, or enforce Federal legal requirements related to 
those programs. This exception does not allow a school district to 
disclose education records to the State higher education authority 
without parental consent unless that agency is empowered under Federal, 
State or local law to conduct an audit, evaluation, or compliance or 
enforcement activity with respect to that school district's education 
programs. The legal authority to audit, evaluate, or enforce education 
programs does not derive from FERPA itself.
    These proposed regulations would also ensure that State and local 
educational authorities may redisclose personally identifiable 
information from education records in order to consolidate K-16 
education records for audit, evaluation, compliance, or enforcement 
purposes under Sec.  99.35(a). For example, under the proposed 
regulations, a State's postsecondary or higher education authority may 
redisclose personally identifiable information from the education 
records it maintains to a consolidated data system operated by the SEA 
if the SEA is legally authorized to conduct an audit, evaluation, 
compliance, or enforcement activity of postsecondary education 
programs. Likewise, an SEA may redisclose personally identifiable 
information from K-12 education records to a consolidated database 
operated by a State's higher education authority if the higher 
education authority is legally authorized to conduct the audit, 
evaluation, compliance, or enforcement activity of K-12 educational 
programs.
    As noted above, disclosures under Sec.  99.33(b) are based on an 
understanding on the part of the educational agency or institution that 
the recipient will redisclose information to specified recipients on 
its behalf subject to the recordation requirements in Sec.  99.32(b). 
The Department is interested in relieving any administrative burdens 
associated with recording disclosures of education records and, 
therefore, invites public comment on whether an SEA, the Department, or 
other official or agency listed in Sec.  99.31(a)(3) should be allowed 
to maintain the record of the redisclosures it makes on behalf of an 
educational agency or institution under Sec.  99.32(b).

7. Limitations on the Redisclosure of Information From Education 
Records (Sec.  99.33)

Section 99.31(a)(9) (Subpoenas and Court Orders)
    Statute: 20 U.S.C. 1232g(b)(4)(B) provides that an educational 
agency or institution may disclose personally identifiable information 
from education records to a third party only on the condition that the 
recipient will not redisclose the information to anyone else without 
written consent of the parent or eligible student. If a third party 
outside the educational agency or institution permits access to 
information without written consent of a parent or eligible student as 
required under 20 U.S.C. 1232g(b)(2)(A), the educational agency or 
institution may not permit access to information from education records 
by that third party for a period of not less than five years. There is 
no specific statutory exception to the prohibition on redisclosure of 
personally identifiable information from education records.
    20 U.S.C. 1232g(b)(2)(B) provides that an educational agency or 
institution may disclose personally identifiable information without 
consent if the information is furnished in compliance with a judicial 
order or any lawfully issued subpoena, upon the condition that parents 
and students are notified in advance of compliance. Advance notice is 
not required for certain Federal grand jury subpoenas and subpoenas 
issued for law enforcement purposes. 20 U.S.C. 1232g(b)(1)(J).
    Current Regulations: Section 99.33(a)(1) permits an educational 
agency or institution to disclose personally identifiable information 
from education records only on the condition that the recipient will 
not redisclose the information to any other party without the prior 
consent of the parent or eligible student. Section 99.33(b) provides 
for an exception to this general rule. Specifically, under Sec.  
99.33(b), an educational agency or institution may

[[Page 15588]]

disclose personally identifiable information from education records 
with the understanding that the party receiving the information may 
make further disclosures on behalf of the educational agency or 
institution if the disclosures meet the requirements of Sec.  99.31(a) 
and the educational agency or institution complies with the 
recordkeeping requirements in Sec.  99.32(b). Under Sec.  99.33(e), if 
the Office determines that a third party improperly rediscloses 
personally identifiable information from education records in violation 
of the prohibition on redisclosure in Sec.  99.33(a), subject to the 
provisions of Sec.  99.33(b), the educational agency or institution may 
not allow that third party access to personally identifiable 
information from education records for at least five years.
    Section 99.31(a)(9) permits an educational agency or institution to 
disclose personally identifiable information from education records 
without consent in compliance with a judicial order or lawfully issued 
subpoena, provided that the agency or institution makes a reasonable 
effort to notify the parent or eligible student of the order or 
subpoena in advance of compliance so that the parent or eligible 
student may seek protective action. Notification is not required for 
certain grand jury and law enforcement subpoenas.
    Proposed Regulations: The proposed regulations in Sec.  99.33(b)(2) 
would require a party that has received personally identifiable 
information from education records from an educational agency or 
institution, including an SEA or other official listed in Sec.  
99.31(a)(3)(i), to provide the notice to parents and eligible students, 
if any, required under Sec.  99.31(a)(9) before it rediscloses 
personally identifiable information from the records on behalf of an 
educational agency or institution in compliance with a judicial order 
or lawfully issued subpoena, as authorized under Sec.  99.33(b).
    Reasons: Section 99.33(b) allows a party to redisclose personally 
identifiable information under Sec.  99.31(a) on behalf of an 
educational agency or institution, including redisclosure in compliance 
with a judicial order or lawfully issued subpoena under Sec.  
99.31(a)(9). (As noted above, the proposed amendments to Sec.  99.35 
would extend this authority to SEAs and other officials and agencies 
listed in Sec.  99.31(a)(3)(i).) The proposed regulations are needed to 
clarify which party is responsible for notifying parents and eligible 
students before an SEA or other third party outside of the educational 
agency or institution complies with a judicial order or subpoena to 
redisclose personally identifiable information from education records. 
The Secretary believes that the party that has been ordered to produce 
the information should be responsible for ensuring that the parent or 
eligible student has been notified because the educational agency or 
institution has no control over whether and when that party will 
comply. The penalty in Sec.  99.33(e) would prohibit an educational 
agency or institution from providing access to any third party that 
fails to provide reasonable notice to parents and eligible students 
before complying with a judicial order or lawfully issued subpoena.

Disclosures Required Under the Clery Act
    Statute: 20 U.S.C. 1232g(b)(4)(B) provides that an educational 
agency or institution may disclose personally identifiable information 
from education records to a third party only on the condition that the 
recipient will not redisclose the information to anyone else without 
written consent of the parent or eligible student. 20 U.S.C. 
1232g(b)(6)(B) allows a postsecondary institution to disclose to any 
party, without consent, the final results of a disciplinary proceeding 
against a student for crimes of violence or non-forcible sex offenses 
if the institution determines as a result of the disciplinary 
proceeding that the student committed the violation in question. 20 
U.S.C. 1232g(b)(6)(A) allows a postsecondary institution to disclose to 
the alleged victim the final results of disciplinary proceedings 
against a student for crimes of violence or non-forcible sex offenses 
regardless of the outcome. The Jeanne Clery Disclosure of Campus 
Security Policy and Campus Crime Statistics Act (Clery Act), which 
amended the HEA, requires postsecondary institutions to inform both the 
accuser and the accused of the outcome of a campus disciplinary 
proceeding brought alleging a sexual assault regardless of the outcome. 
20 U.S.C. 1092(f)(8)(B)(iv)(II); 34 CFR 668.46(b)(11)(vi)(B).
    Current Regulations: Regulations implementing the Clery Act, 34 CFR 
Sec.  668.46(b)(11)(vi)(B), require postsecondary institutions to 
inform both the accuser and the accused of the outcome of any 
institutional disciplinary proceeding brought alleging a sex offense. 
Under this provision the outcome of a disciplinary proceeding means 
only the institution's final determination with respect to the alleged 
sex offense and any sanction that is imposed against the accused. 
Section 99.33(a) permits an educational agency or institution to 
disclose personally identifiable information from education records 
only on the condition that the recipient will not redisclose the 
information to any other party without the prior consent of the parent 
or eligible student. Section 99.33(c) excludes from the statutory 
prohibition on redisclosure information that an educational agency or 
institution may disclose without consent to any member of the public, 
such as directory information under Sec.  99.31(a)(11) and the final 
results of a disciplinary proceeding for acts constituting crimes of 
violence or non-forcible sex offenses under Sec.  99.31(a)(14) when a 
postsecondary institution has determined that the student committed the 
violation in question. Current regulations in Sec.  99.33(c) do not 
exclude from the redisclosure prohibition disclosures made by 
postsecondary institutions to an alleged victim of a crime of violence 
or non-forcible sex offense under Sec.  99.31(a)(13) or disclosures 
they are required to make under the Clery Act.
    Proposed Regulations: The proposed regulations would amend Sec.  
99.33(c) to exclude from the statutory prohibition on redisclosure of 
education records information that postsecondary institutions are 
required to disclose under the Clery Act to the accuser and accused 
regarding the outcome of any campus disciplinary proceeding brought 
alleging a sexual offense.
    Reasons: Some postsecondary institutions have required the accuser 
to execute a non-disclosure agreement before they disclose the outcome 
of a disciplinary proceeding for an alleged sexual offense as required 
under the Clery Act. In analyzing and ruling on these practices, the 
Department determined that the statutory prohibition on redisclosure of 
information from education records in FERPA does not apply to 
information that a postsecondary institution is required to release to 
students under the Clery Act. The proposed regulations would clarify 
that postsecondary institutions may not require the accuser to execute 
a non-disclosure agreement or otherwise interfere with the redisclosure 
or other use of information disclosed as required under the Clery Act.

8. Health and Safety Emergencies (Sec.  99.36)

Section 99.36(c) (Conditions That Apply to Disclosure of Information in 
Health and Safety Emergencies)
    Statute: Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or 
institution may disclose personally

[[Page 15589]]

identifiable information from education records without prior written 
consent, subject to regulations by the Secretary, in connection with an 
emergency to appropriate persons if the knowledge of such information 
is necessary to protect the health or safety of the student or other 
persons.
    Current Regulations: Under Sec.  99.36(a), an educational agency or 
institution may disclose personally identifiable information from 
education records to appropriate parties in connection with an 
emergency if knowledge of the information is necessary to protect the 
health or safety of the student or other individuals. Under Sec.  
99.36(b), educational agencies and institutions may include in a 
student's education records appropriate information concerning 
disciplinary action taken against the student for conduct that posed a 
significant risk to the safety or well-being of that student, other 
students, or other members of the school community. Educational 
agencies and institutions may also disclose appropriate information 
about these kinds of disciplinary actions to teachers and school 
officials within the agency or institution or in other schools who have 
legitimate educational interests in the behavior of the student. Under 
Sec.  99.36(c), all of these regulatory provisions must be strictly 
construed.
    Proposed Regulations: The Department proposes to revise Sec.  
99.36(c) to remove the language requiring strict construction of this 
exception and add a provision that in making a determination under 
Sec.  99.36(a), an educational agency or institution may take into 
account the totality of the circumstances pertaining to a threat to the 
safety or health of a student or other individuals. If the educational 
agency or institution determines that there is an articulable and 
significant threat to the health or safety of a student or other 
individuals, it may disclose information from education records to any 
person whose knowledge of the information is necessary to protect the 
health and safety of the student or other individuals. If, based on the 
information available at the time of the determination, there is a 
rational basis for the determination, the Department will not 
substitute its judgment for that of the educational agency or 
institution in evaluating the circumstances and making its 
determination.
    Reasons: In the wake of the tragic shootings at Virginia Tech, the 
President directed the Secretary, together with the Secretary of Health 
and Human Services and the Attorney General, to travel to communities 
across the nation and to meet with educators, mental health experts, 
law enforcement and State and local officials to discuss the broader 
issues raised by the tragedy. On June 13, 2007, those officials 
transmitted a ``Report to the President on Issues Raised by the 
Virginia Tech Tragedy.'' See http://www.hhs.gov/vtreport.html. In 
relevant part, the report provided:

    A consistent theme and broad perception in our meetings was that 
this confusion and differing interpretations about state and federal 
privacy laws and regulations impede appropriate information sharing. 
In some sessions, there were concerns and confusion about the 
potential liability of teachers, administrators, or institutions 
that could arise from sharing information, or from not sharing 
information, under privacy laws, as well as laws designed to protect 
individuals from discrimination on the basis of mental illness. It 
was almost universally observed that these fears and 
misunderstandings likely limit the transfer of information in more 
significant ways than is required by law. Particularly, although 
participants in each state meeting were aware of both [the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA)] and 
FERPA, there was significant misunderstanding about the scope and 
application of these laws and their interrelation with state laws. 
In a number of discussions, participants reported circumstances in 
which they incorrectly believed that they were subject to liability 
or foreclosed from sharing information under federal law. Other 
participants were unsure whether and how HIPAA and FERPA actually 
limit or allow information to be shared and unaware of exceptions 
that could allow relevant information to be shared.

Report at page 7. The report went on to charge the Department with 
certain specific recommended actions:

    The U.S. Departments of Health and Human Services and Education 
should develop additional guidance that clarifies how information 
can be shared legally under HIPAA and FERPA and disseminate it 
widely to the mental health, education, and law enforcement 
communities. The U.S. Department of Education should ensure that 
parents and school officials understand how and when post-secondary 
institutions can share information on college students with parents. 
In addition, the U.S. Departments of Education and Health and Human 
Services should consider whether further actions are needed to 
balance more appropriately the interests of safety, privacy, and 
treatment implicated by FERPA and HIPAA.

Report at page 8 (italics in original). The Department of Education and 
the Department of Health and Human Services are currently working 
together on guidance for our respective communities on these issues. 
This guidance is in addition to compliance training and guidance that 
the two agencies have provided since issuance of the HIPAA Privacy Rule 
in December 2000 and, more recently, since the events in April 2007 at 
Virginia Tech.

    Further, the Secretary has carefully considered the appropriate 
relationship between conditions associated with Federal funding and the 
exigencies of administering an agency or institution of education on a 
daily basis. In examining the application of FERPA to the recipients of 
Departmental funds, the Secretary is mindful that the ``health and 
safety'' exception does not allow disclosures on a routine, non-
emergency basis. For example, the ``health and safety'' exception does 
not permit a school district to routinely share its student information 
database with the local police department. The present regulation, 
however, which merely admonishes that the regulation should be 
``strictly construed,'' does not provide a standard to determine 
whether a particular disclosure complies with the statute. 
Consequently, the Secretary has decided to provide a new standard for 
the administration of this exception to the written consent requirement 
in FERPA. To assure that there are adequate safeguards on this 
exception, the Secretary requires that, considering the totality of the 
circumstances, there must be an articulable and significant threat to 
the health or safety of a student or other individuals, and that the 
disclosure be to any person whose knowledge of the information is 
necessary to protect against the threat.
    On the other hand, the Secretary has determined that greater 
flexibility and deference should be afforded to administrators so they 
can bring appropriate resources to bear on a circumstance that 
threatens the health or safety of individuals. To provide for 
appropriate flexibility and deference, the Secretary has determined 
that if, based on the information available at the time of the 
determination, there is a rational basis for the determination, the 
Department will not substitute its judgment for that of the educational 
agency or institution in evaluating the circumstances and making its 
determination.
    In short, in balancing the interests of safety, privacy, and 
treatment, the Secretary proposes to revise the regulation to specify 
legal standards, but to couple those standards with greater flexibility 
and deference to administrators so they can bring appropriate resources 
to bear on a circumstance that threatens the health or safety of 
individuals.

[[Page 15590]]

9. Directory Information (Sec.  99.37)

Section 99.37(b) (Disclosure of Directory Information About Former 
Students)
    Statute: Under 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2), an 
educational agency or institution may disclose directory information 
without meeting FERPA's written consent requirements provided that it 
first notifies the parents or eligible student of the types of 
information that may be disclosed and allows them to opt out of the 
disclosure. The statute lists a number of items in the definition of 
directory information, including a student's name, address and 
telephone listing. The statute does not address procedures for 
disclosing directory information about former students.
    Current Regulations: Section 99.37(a) requires an educational 
agency or institution to provide public notice to parents of students 
in attendance and eligible students in attendance of the types of 
directory information that may be disclosed and the parent's or 
eligible student's right to opt out. Section 99.37(b) allows the agency 
or institution to disclose directory information about former students 
without providing the notice required under Sec.  99.37(a).
    Proposed Regulations: Proposed Sec.  99.37(b) clarifies that an 
agency or institution must continue to honor any valid request to opt 
out of directory information disclosures made while the individual was 
a student unless the parent or eligible student rescinds the decision 
to opt out of directory information disclosures.
    Reasons: Some institutions have indicated that Sec.  99.37(b) 
creates uncertainty about whether they must continue to honor a 
parent's or eligible student's decision to opt out of directory 
information disclosures once the student no longer attends the 
institution. The regulations are needed to clarify that while an agency 
or institution does not have to notify former students about its policy 
on directory information disclosures and their right to opt out, 
directory information may not be disclosed once an individual is no 
longer a student if the individual made a valid request to opt out 
while a student in attendance and has not rescinded that request.

Section 99.37(c) (Identification of Students and Communications in 
Class)
    Statute: The statute does not address whether parents and students 
may use their right to opt out of directory information disclosures to 
prevent school officials from identifying the student by name or 
disclosing the student's electronic identifier or institutional e-mail 
address in class.
    Current Regulations: Current regulations do not address whether 
parents and students may use their right to opt out of directory 
information disclosures to prevent school officials from identifying 
the student by name or disclosing the student's electronic identifier 
or institutional e-mail address in class.
    Proposed Regulations: The proposed regulations would provide in 
Sec.  99.37(c) that a parent or eligible student may not use their 
right to opt out of directory information disclosures to prevent an 
educational agency or institution from disclosing or requiring a 
student to disclose the student's name, electronic identifier, or 
institutional e-mail address in a class in which the student is 
enrolled.
    Reasons: Several institutions have asked whether a teacher can 
include in a classroom roll call or sign-in sheet the names of students 
who have opted out of directory information disclosures. They have also 
asked whether a student's e-mail address may be disclosed to other 
students in an on-line class if the student has opted out of directory 
information disclosures. The proposed regulations are needed to clarify 
that the right to opt out of directory information disclosures is not a 
tool for students to remain anonymous in class.
    The directory information exception is intended to facilitate 
communication among school officials, parents, students, alumni, and 
others, and permit schools to publicize and promote institutional 
activities to the general public. Many institutions do so by publishing 
paper or electronic directories that contain student names, addresses, 
telephone listings, e-mail addresses, and other information the 
institution has designated as directory information. Some institutions 
do not publish a directory but do release directory information on a 
more selective basis. FERPA clearly allows a parent or eligible student 
to opt out of these disclosures (under the conditions specified in 
paragraph (a)), whether the information is made available to the 
general public, limited to members of the school community, or released 
only to specified individuals.
    The Secretary believes, however, that the right to opt out of 
directory information disclosures does not include a right to remain 
anonymous in class and, therefore, may not be used to impede routine 
classroom communications and interactions by preventing a teacher from 
identifying a student by name in class, whether class is held in a 
specified physical location or on-line through electronic 
communications. This means, for example, that regardless of a student's 
block on directory information disclosures, a teacher may call students 
by first and last name in class and require students to place their 
names on a sign-in sheet circulated in class, whether the class is 
conducted in person or on-line. Because students generally do not have 
face-to-face communications in on-line classes (or in an on-line 
component of traditional classes), schools may also disclose or require 
students to disclose a unique electronic identifier or e-mail address 
used for students to communicate with one another for on-line class 
work. This could be either an e-mail address assigned by the 
institution or one selected by the student for this purpose. Note that 
this provision is strictly limited to information needed to identify 
and enable students to communicate in class, i.e., the student's name, 
unique electronic identifier, and institutional e-mail address. It 
provides no authority to disclose any directory information outside of 
the student's class. Further, no other kinds of directory information, 
including a student's home or campus address, telephone listing, or 
personal e-mail address not used for class communications, may be 
disclosed, even within the student's own class, if the parent or 
eligible student has exercised the right to opt out of directory 
information disclosures.
Section 99.37(d) (Prohibition on Use of SSNs To Identify Students When 
Disclosing or Confirming Directory Information)
    Statute: The statute does not address the permissibility of using 
SSNs to identify students when disclosing or confirming directory 
information.
    Current Regulations: Current regulations do not explicitly prohibit 
the use of SSNs to identify students when disclosing or confirming 
directory information.
    Proposed Regulations: Section 99.37(d) would prohibit an 
educational agency or institution from using an SSN, either alone or 
when combined with other data elements, to identify or help identify a 
student or the student's records when disclosing or confirming 
directory information unless the student has provided written consent 
in accordance with FERPA.
    Reasons: Some institutions, along with vendors that provide 
services on behalf of institutions, allow employers and others who seek 
directory information about a student, such as

[[Page 15591]]

whether a student has ever attended the institution or received a 
degree, to submit the student's SSN as a means of identifying the 
individual. These regulations are needed to provide a legally binding 
interpretation that this practice violates FERPA unless the student has 
provided prior written consent for the institution to disclose the 
student's SSN, even if the institution or vendor only explicitly 
releases or confirms directory information about the student. Use of an 
SSN to identify a student or the student's records constitutes an 
implicit confirmation of the SSN, even if several other data elements 
are also used to help identify the student in the process.

10. Enforcement (Sec. Sec.  99.62, 99.64, 99.65, 99.66, and 99.67)

    These proposed amendments are intended to clarify the Secretary's 
enforcement authority in light of the decision of the U.S. Supreme 
Court in Gonzaga University v. Doe, 536 U.S. 273 (2002). They do not 
reflect an intention or plan on the part of the Secretary to initiate 
FERPA institutional compliance reviews or otherwise expand FERPA 
investigations beyond the current practice of the Office. The 
Department will exercise its authority to investigate a specific agency 
or institution only when possible violations are brought to the 
Department's attention.
    Statute: 20 U.S.C. 1232g(f) and (g) direct the Secretary to take 
appropriate actions to enforce FERPA. The statute does not specify any 
requirements an educational agency or institution must meet in 
connection with the Office's investigation of complaints and violations 
of FERPA.
Section 99.62 (Information Required for the Office To Investigate and 
Resolve Complaints and Violations)
    Current Regulations: Under Sec.  99.62 the Office may require an 
educational agency or institution to submit reports containing 
information needed by the Office to resolve complaints.
    Proposed Regulations: The proposed regulations in Sec.  99.62 would 
specify materials that the Office may require an educational agency or 
institution to submit in order to carry out its investigation and other 
enforcement responsibilities, including information on the agency's or 
institution's policies and procedures, annual notifications, training 
materials, and other relevant information.
    Reasons: The regulations are needed to clarify the kinds of 
information that may be required should the Office seek to determine 
whether a violation constitutes a policy or practice of the agency or 
institution.
Section 99.64 (Complaint and Investigation Procedure)
    Statute: 20 U.S.C. 1232g(g) provides that the Secretary must 
establish or designate an office and review board to investigate, 
process, review, and adjudicate FERPA violations and complaints 
alleging FERPA violations. The statute does not specify the 
requirements of a complaint or procedures to be followed by the Office 
in investigating and resolving alleged FERPA violations.
    Current Regulations: Section 99.64(a) provides that a complaint 
must contain specific allegations of fact that an educational agency or 
institution has violated FERPA. Under Sec.  99.64(b), the Office 
investigates each timely complaint to determine whether a violation 
occurred.
    Proposed Regulations: The proposed regulations provide in Sec.  
99.64(a) that a complaint does not have to allege that a violation or 
failure to comply with FERPA is based on a policy or practice of the 
agency or institution. Under proposed Sec.  99.64(b), if the Office 
determines that the agency or institution has violated or failed to 
comply with a FERPA requirement, the Office may also seek to determine 
whether the violation or failure to comply was based on a policy or 
practice of the agency or institution. In addition, the Office may 
investigate a possible FERPA violation even if it has not received a 
timely complaint from a parent or student or if a valid complaint is 
subsequently withdrawn.
    Reasons: The proposed regulations are needed to clarify that the 
Department's enforcement responsibilities, as described in Gonzaga 
University v. Doe, 536 U.S. 273 (2002), include the authority to 
investigate possible FERPA violations even if no complaint has been 
filed or a complaint has been withdrawn. While not a widespread 
problem, the Department needs to establish in its regulations that the 
Office may investigate allegations of non-compliance provided by a 
school official or some other party who is not a parent or eligible 
student because sometimes parents and students are not aware of an 
ongoing FERPA problem that needs to be addressed.
    The proposed amendments to Sec.  99.64 are also needed to clarify 
that the Office may investigate a FERPA complaint even if the party has 
not specifically alleged that the agency or institution has a policy or 
practice in violation of FERPA. In these circumstances, the Office may 
elect to investigate and determine whether conduct that violates a 
specific FERPA requirement also constitutes a policy or practice of the 
agency or institution. (As explained below in connection with proposed 
amendments to Sec.  99.66, the Department may not seek to withhold 
funding, terminate eligibility to receive funding under an applicable 
program, or take other enforcement actions unless it determines that an 
educational agency or institution has a policy or practice in violation 
of FERPA requirements and has not come into compliance voluntarily.)
Section 99.65 (Content of Notice of Investigation)
    Statute: The statute does not specify what information the Office 
must include in a notice of investigation of a FERPA violation.
    Current Regulations: Under Sec.  99.65 the Office asks an 
educational agency or institution to submit a written response to a 
notice of investigation.
    Proposed Regulations: Proposed Sec.  99.65(a) would allow the 
Office to ask an educational agency or institution to submit a written 
response and other relevant information as set forth in Sec.  99.62.
    Reasons: The regulations are needed to clarify that the Office may 
ask an agency or institution to submit any relevant information needed 
to resolve a complaint or otherwise conduct an investigation under 
FERPA.
Section 99.66 (Enforcement Responsibilities of the Office)
    Statute: 20 U.S.C. 1232g(a)(1)(A) and (B) provide that no funds 
shall be made available under any program administered by the Secretary 
to an educational agency or institution or an SEA that has a policy of 
denying or effectively prevents parents from exercising their right to 
inspect and review the student's education records. 20 U.S.C. 
1232g(a)(2) provides that no funds shall be made available under any 
program administered by the Secretary to an educational agency or 
institution unless parents are provided an opportunity for a hearing to 
challenge the content of the student's education records under 
specified conditions. 20 U.S.C. 1232g(b)(1) and (b)(2) provide that no 
funds shall be made available under any program administered by the 
Secretary to an educational agency or institution that has a policy or 
practice of permitting the release of, releasing, or providing access 
to personally identifiable information in education records without 
prior written consent except as authorized under FERPA. 20

[[Page 15592]]

U.S.C. 1232g(f) directs the Secretary to take appropriate actions to 
enforce and deal with FERPA violations, except that action to terminate 
assistance may be taken only if the Secretary finds that there has been 
a failure to comply and that compliance cannot be secured by voluntary 
means. The statute does not specify what steps the Secretary should 
take to conduct investigations and seek voluntary compliance.
    Current Regulations: Under Sec.  99.66, the Office reviews a 
complaint and response from an educational agency or institution and 
may permit the parties to submit further written or oral arguments or 
information. Following its investigation, the Office provides to the 
complainant and the agency or institution written notice of its 
findings, including the basis for its findings. If the Office finds 
that the educational agency or institution has failed to comply with a 
FERPA requirement, its notice includes a statement of the specific 
steps that the agency or institution must take to comply and provides a 
reasonable period of time, given all the circumstances, during which 
the agency or institution may comply voluntarily.
    Proposed Regulations: Section 99.66(c) would allow the Office to 
issue a notice of findings that an educational agency or institution 
violated FERPA without also finding that the violation constituted a 
policy or practice of the agency or institution.
    Reasons: In light of the Supreme Court's ruling in Gonzaga, the 
proposed regulations are needed to clarify that, consistent with its 
current practice, the Office may find that an agency or institution 
violated FERPA even if the Office does not make a further determination 
that the violation was based on a policy or practice of the agency or 
institution. As explained below in connection with proposed amendments 
to Sec.  99.67(a), however, the Secretary may not take an enforcement 
action unless the Office has determined that the educational agency or 
institution has a policy or practice in violation of FERPA.
Section 99.67 (Enforcement Actions)
    Statute: 20 U.S.C. 1232g(a)(1)(A) and (B) provide that no funds 
shall be made available under any program administered by the Secretary 
to an educational agency or institution or an SEA that has a policy of 
denying or effectively prevents parents from exercising their right to 
inspect and review the student's education records. 20 U.S.C. 
1232g(a)(2) provides that no funds shall be made available under any 
program administered by the Secretary to an educational agency or 
institution unless parents are provided an opportunity for a hearing to 
challenge the content of the student's education records under 
specified conditions. 20 U.S.C. 1232g(b)(1) and (b)(2) provide that no 
funds shall be made available under any program administered by the 
Secretary to an educational agency or institution that has a policy or 
practice of permitting the release of, releasing, or providing access 
to education records without prior written consent except as authorized 
under FERPA. 20 U.S.C. 1232g(f) directs the Secretary to take 
appropriate actions to enforce and deal with FERPA violations, except 
that action to terminate assistance may be taken only if the Secretary 
finds that there has been a failure to comply and that compliance 
cannot be secured by voluntary means. The statute does not specify what 
steps the Secretary should take to conduct investigations and seek 
voluntary compliance or what enforcement actions the Secretary may take 
in cases of non-compliance.
    Current Regulations: Under Sec.  99.67(a), the Secretary may 
withhold further payments under any applicable program, issue a 
complaint to compel compliance through a cease and desist order, or 
terminate eligibility to receive funding under any applicable program 
only if an educational agency or institution fails to comply 
voluntarily with a notice finding that the agency or institution has 
not complied with the Act.
    Proposed Regulations: Under proposed Sec.  99.67(a), the Secretary 
may take enforcement actions if the Office determines that the 
educational agency or institution has a policy or practice in violation 
of FERPA requirements and has failed to come into compliance 
voluntarily. The proposed regulations also clarify that the Secretary 
may take any other appropriate enforcement action in addition to those 
listed specifically in the regulations.
    Reasons: The proposed regulations are needed to clarify that the 
Office may issue a notice of violation or failure to comply with 
specific FERPA requirements, such as a single failure to provide a 
parent with access to education records, and require corrective action. 
However, the Office may not seek to withhold payments, terminate 
eligibility for funding, or take other enforcement actions unless the 
Office determines that the agency or institution has a policy or 
practice in violation of FERPA requirements. The proposed regulations 
are also needed to clarify that the Secretary may take any other 
enforcement action that is legally available, such as entering into a 
compliance agreement under 20 U.S.C. 1234f or seeking an injunction.

Executive Order 12866

    Under Executive Order 12866, the Secretary must determine whether 
this regulatory action is ``significant'' and therefore subject to the 
requirements of the Executive Order and subject to review by the OMB. 
Section 3(f) of Executive Order 12866 defines a ``significant 
regulatory action'' as an action likely to result in a rule that may 
(1) have an annual effect on the economy of $100 million or more, or 
adversely affect a sector of the economy, productivity, competition, 
jobs, the environment, public health or safety, or State, local or 
tribal governments or communities in a material way (also referred to 
as an ``economically significant'' rule); (2) create serious 
inconsistency or otherwise interfere with an action taken or planned by 
another agency; (3) materially alter the budgetary impacts of 
entitlement grants, user fees, or loan programs or the rights and 
obligations of recipients thereof; or (4) raise novel legal or policy 
issues arising out of legal mandates, the President's priorities, or 
the principles set forth in the Executive order. The Secretary has 
determined that this regulatory action is significant under section 
3(f)(4) of the Executive order.

1. Potential Costs and Benefits

    Following is an analysis of the potential costs and benefits of the 
most significant proposed changes to the FERPA regulations. In 
conducting this analysis, the Department examined the extent to which 
the regulations add to or reduce the costs of educational agencies and 
institutions and, where appropriate, State educational agencies (SEAs) 
and other State and local educational authorities in relation to their 
costs of complying with the FERPA regulations prior to these changes.
    This analysis is based on data from the most recent Digest of 
Education Statistics (2006) published by the National Center for 
Education Statistics (NCES), which projects total enrollment of 
48,948,000 students in public elementary and secondary schools and 
17,648,000 students in postsecondary institutions; and a total of 
96,513 public K-12 schools; 14,315 school districts; and 6,585 
postsecondary institutions. (Excluded are data from private 
institutions that do not receive Federal funding from the Department 
and, therefore, are not subject to FERPA.) Based on this analysis, the 
Secretary has concluded that the changes in these proposed regulations 
would not impose

[[Page 15593]]

significant net costs on educational agencies and institutions. 
Analyses of specific provisions follow.

Alumni Records

    The proposed regulations clarify the current exclusion from the 
definition of education records for records that only contain 
information about an individual after he or she is no longer a student, 
which is intended to cover records of alumni and similar activities. 
Some institutions have applied this exclusion to records that are 
created after a student has ceased attending the institution but that 
are directly related to his or her attendance as a student, such as 
investigatory reports and settlement agreements about incidents and 
injuries that occurred during the student's enrollment. The amendment 
would clarify that this provision applies only to records created or 
received by an educational agency or institution after an individual is 
no longer a student in attendance and that are not directly related to 
the individual's attendance as a student.
    We believe that most of the more than 102,000 K-12 schools and 
postsecondary institutions subject to FERPA already adhere to this 
revised interpretation in the proposed regulations and that for those 
that do not, the number of records affected is likely to be very small. 
Assuming that each year one half of one percent of the 66,596,000 
students enrolled in these institutions have one record each affected 
by the proposed change, in the year following issuance of the 
regulations institutions would be required to try to obtain written 
consent before releasing 332,980 records that they would otherwise 
release without consent. We estimate that for the first year contacting 
the affected parent or student to seek and process written consent for 
these disclosures would take approximately 1/2 hour per record at an 
average cost of $32.67 per hour for a total cost of $5,439,229. 
(Compensation for administrative staff time is based on published 
estimates for 2005 from the Bureau of Labor Statistics' National 
Compensation Survey of $23.50 per hour plus an average 39 percent 
benefit load for Level 8 administrators in education and related 
fields.)
    In terms of benefits, the proposed change would protect the privacy 
of parents and students by clarifying the intent of this regulatory 
exclusion and help prevent the unlawful disclosure of these records. It 
would also provide greater legal certainty and therefore some cost 
savings for those agencies and institutions that may be required to 
litigate this issue in connection with a request under a State open 
records act or other legal proceeding. For these reasons, we believe 
that the overall benefits outweigh the potential costs of this change.

Exclusion of SSNs and ID Numbers From Directory Information

    The proposed regulations clarify that a student's SSN or student ID 
number is personally identifiable information that may not be disclosed 
as directory information under FERPA. The principal effect of this 
change is that educational agencies and institutions may not post 
grades by SSN or student ID number and may not include these 
identifiers with directory information they disclose about a student, 
such as a student's name, school, and grade level or class, on rosters 
or sign-in sheets that are made available to students and others. 
(Educational agencies and institutions may continue to include SSNs and 
student ID numbers on class rosters and schedules that are disclosed 
only to teachers and other school officials who have legitimate 
educational interests in this information.)
    A class roster or sign-in sheet that contains or requires students 
to affix their SSN or student ID number makes that information 
available to every individual who signs in or sees the document and who 
may be able to use it for identity theft or to find out a student's 
grades or other confidential educational information. In regard to 
posting grades, an individual who knows which classes a particular 
student attends may be able to ascertain that student's SSN or student 
ID number by comparing class lists for repeat numbers. Because SSNs are 
not randomly generated, it may be possible to identify a student by 
State of origin based on the first three (area) digits of the number, 
or by date of issuance based on the two middle digits.
    The Department does not have any actual data on how many class or 
test grades are posted by SSN or student ID number at this time, but we 
believe that the practice is rare or non-existent below the secondary 
level. Although the practice was once widespread, particularly at the 
postsecondary level, anecdotal evidence suggests that as a result of 
consistent training and informal guidance by the Department over the 
past several years, together with the increased attention States and 
privacy advocates have given to the use of SSNs, many institutions now 
either require teachers to use a code known only to the teacher and the 
student or prohibit posting of grades entirely.
    The most recent figures available from the Bureau of Labor 
Statistics (2004) indicate that there are approximately 2.7 million 
secondary and postsecondary teachers in the United States. As noted 
above, we assume that most of these teachers either do not post grades 
at all or already use a code known only to the teacher or student. We 
assume further that additional costs to deliver grades personally in 
the classroom or through electronic mail, instead of posting, would be 
minimal. For purposes of this analysis, we estimate that no more than 5 
percent of 2.7 million, or 135,000 teachers would continue to post 
grades and need to convert to a code, which would require them to spend 
an average of one half hour each semester establishing and managing 
grading codes for students. Using the Bureau of Labor Statistics' 
published estimate of average hourly wages of $42.98 for teachers at 
postsecondary institutions and an average 39 percent load for benefits, 
we estimate an average cost of $59.74 per teacher per year, for a total 
of $8,064,900. Parents and students should incur no costs except for 
the time they might have to spend to contact the school official if 
they forget the student's grading code.
    This proposed change will benefit parents and students and 
educational agencies and institutions by reducing the risk of identity 
theft associated with posting grades by SSN, and the risk of disclosing 
grades and other confidential educational information caused by posting 
grades by student ID number. It is difficult to quantify the value of 
reducing the risk of identity theft. We note, however, that for the 
past few years over one-third of complaints filed with the Federal 
Trade Commission have been for identity theft. See Federal Trade 
Commission, Consumer Fraud and Identity Theft Data, February 2008, at 
page 2.
    According to the Better Business Bureau, identity theft cost 
businesses nearly $57 billion in 2006 while victims spent an average of 
40 hours resolving identity theft issues. It is even more difficult to 
measure the benefits of enhanced privacy protections for student grades 
and other confidential educational information from education records 
because the value individuals place on the privacy of this information 
varies considerably and because we are unable to determine how often it 
happens. Therefore, the Secretary seeks public comment on the value of 
these enhanced privacy protections in relation to the expected costs to 
implement the proposed changes.

[[Page 15594]]

Prohibit Use of SSN To Confirm Directory Information

    The proposed regulations would prevent an educational agency or 
institution (or a contractor providing services for an agency or 
institution) from using a student's SSN (or student ID number) to 
identify the student when releasing or confirming directory 
information. This occurs, for example, when a prospective employer or 
insurance company telephones an institution or submits a Web site 
inquiry to find out whether a particular individual is enrolled in or 
has graduated from the institution. While this provision would apply to 
educational agencies and institutions at all grade levels, we believe 
that it will affect mainly postsecondary institutions because 
enrollment and degree verification services typically are not offered 
at the K-12 level.
    A survey conducted in March 2002 by the American Association of 
Collegiate Registrars and Admissions Officers (AACRAO) showed that 
nearly half of postsecondary institutions used SSNs as the primary 
means to track students in academic databases. Since then, use of SSNs 
as a student identifier has decreased significantly in response to 
public concern about identity theft. While postsecondary institutions 
may continue to collect students' SSNs for financial aid and tax 
reporting purposes, many have ceased using the SSN as a student 
identifier either voluntarily or in compliance with State laws. Also, 
over the past several years the Department has provided training on 
this issue and published on the Office Web site a 2004 letter finding a 
postsecondary institution in violation of FERPA when its agent used a 
student's SSN, without consent, to search its database to verify that 
the student had received a degree. 
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/auburnuniv.html. 
In these circumstances, we estimate 
that possibly one-quarter of the nearly 6,585 postsecondary 
institutions in the United States, or 1,646 institutions, may ask a 
requester to provide the student's SSN (or student ID number) in order 
to locate the record and respond to an inquiry for directory 
information.
    Under the proposed amendment an educational agency or institution 
that identifies students by SSN (or student ID number) when releasing 
directory information will either have to ensure that the student has 
provided written consent to disclose the number to the requester, or 
rely solely on a student's name and other properly designated directory 
information to identify the student, such as address, date of birth, 
dates of enrollment, year of graduation, major field of study, degree 
received, etc. Costs to an institution of ensuring that students have 
provided written consent for these disclosures, for example by 
requiring the requester to fax copies of each written consent to the 
institution or its contractor, or making arrangements to receive them 
electronically, could be substantial for large institutions and 
organizations that utilize electronic recordkeeping systems. 
Institutions may choose instead to conduct these verifications without 
using SSNs or student IDs, which may make it more difficult to ensure 
that the correct student has been identified because of the known 
problems in matching records without the use of a universal identifier. 
Increased institutional costs either to verify that the student has 
provided consent or to conduct a search without use of SSNs or student 
ID numbers should be less for smaller institutions, where the chances 
of duplicate records are decreased. Parents and students may incur 
additional costs if an employer, insurance company, or other requester 
is unable to verify enrollment or graduation based solely on directory 
information and written consent for disclosure of the student's SSN or 
student ID number is required. Due to the difficulty in ascertaining 
actual costs associated with these transactions, the Secretary asks for 
public comment on costs that educational agencies and institutions and 
parents and students would expect to incur under this proposed change.
    The enhanced privacy protections of this proposed amendment will 
benefit students and parents by reducing the risk that third parties 
will use a student's SSN without consent and possibly confirm a 
questionable number for purposes of identity theft. Similarly, 
preventing institutions from implicitly confirming a questionable 
student ID number will help prevent unauthorized individuals from 
obtaining confidential information from education records. In 
evaluating the benefits or value of this proposed change, we note that 
this provision does not affect any activity that an educational agency 
or institution is required to perform under FERPA or other Federal law, 
such as using SSNs to confirm enrollment for student loan purposes, 
which is permitted without consent under the financial aid exception in 
Sec.  99.31.

User ID for Electronic Communications

    The proposed regulations would allow an educational agency or 
institution to disclose as directory information a student's user ID or 
other electronic identifier so long as it functions like a name, that 
is, it cannot be used without a PIN, password, or some other 
authentication factor to gain access to education records. This change 
would impose no costs and would result in regulatory relief by allowing 
agencies and institutions to use directory services in electronic 
communications systems without incurring the administrative costs 
associated with obtaining student consent for these disclosures.
    Costs related to honoring a student's decision to opt out of these 
disclosures should be minimal because of the small number of students 
who would elect not to participate in electronic communications at 
their school. Applying this proposed change to records of both K-12 and 
postsecondary students and assuming that one-tenth of a percent of 
parents and eligible students would opt out of these disclosures, we 
estimate that institutions would have to flag the records of 
approximately 67,000 students for opt out purposes. Recognizing that 
institutions currently flag records for directory information opt outs 
for other purposes, the Secretary seeks public comment on the 
administrative and information technology costs institutions would 
incur to process these potential new directory information opt outs.

Student Anonymity in the Classroom

    The proposed regulations would ensure that parents and students do 
not use the right to opt out of directory information disclosures to 
prevent disclosure of the student's name, institutional e-mail address, 
or electronic identifier in the student's physical or electronic 
classroom. We estimate that this change would result in a small net 
benefit to educational agencies and institutions because they would 
have greater legal certainty about this element of classroom 
administration, and it would reduce the institutional costs of 
responding to complaints from students and parents about the release of 
this information. FERPA could not be used to allow students to remain 
anonymous to their peers in class, but the safety of students might be 
enhanced by allowing them to know the name of every student in their 
class.

Disclosing Education Records to New School and to Party Identified as 
Source Record

    The proposed amendment to Sec.  99.31(a)(2) would allow an 
educational agency or institution to disclose education records, or

[[Page 15595]]

personally identifiable information from education records, to a 
student's new school even after the student is already attending the 
new school so long as the disclosure relates to the student's 
enrollment in the new school. This change would provide regulatory 
relief by reducing legal uncertainty about how long a school may 
continue to send records or information to a student's new school, 
without consent, under the ``seeks or intends to enroll'' exception.
    The proposed amendment to the definition of disclosure in Sec.  
99.3 would allow a school that has concerns about the validity of a 
transcript, letter of recommendation, or other record to return these 
documents (or personally identifiable information from these documents) 
to the student's previous school or other party identified as the 
source of the record in order to resolve questions about their 
validity. Combined with the proposed change to Sec.  99.31(a)(2), 
discussed earlier in this analysis, this change would also allow the 
student's previous school to continue to send education records, or 
clarification about education records, to the student's new school in 
response to questions about the validity or meaning of records sent 
previously by that party. We believe that these changes would provide 
significant regulatory relief to educational agencies and institutions 
by helping to reduce transcript and other educational fraud based on 
falsified records.

Outsourcing

    The proposed regulations would allow educational agencies and 
institutions to disclose education records, or personally identifiable 
information from education records, without consent to contractors, 
volunteers, and other non-employees performing institutional services 
and functions as school officials. The agency or institution may have 
to amend its annual notification of FERPA rights to include these 
parties as school officials with legitimate educational interests.
    This change would provide regulatory relief by permitting and 
clarifying the conditions for a non-consensual disclosure of education 
records that is not allowed under current regulations. Our experience 
suggests that virtually all of the more than 102,000 schools subject to 
FERPA will take advantage of this provision. We have no actual data on 
how many school districts publish annual FERPA notifications for the 
96,513 K-12 public schools included in the 102,000 total and, 
therefore, how many entities would be affected by this requirement. 
However, since educational agencies and institutions are already 
required under existing regulations to publish a FERPA notification 
annually, we believe that costs to include this new information would 
be minimal.

Access Control and Tracking

    The proposed regulations in Sec.  99.31(a)(1)(ii) would require an 
educational agency or institution to use reasonable methods to ensure 
that teachers and other school officials obtain access to only those 
education records in which they have legitimate educational interests. 
This requirement would apply to both computerized or electronic records 
and paper, film, and other hard copy records. Agencies and institutions 
that choose not to restrict access with physical or technological 
controls, such as locked cabinets and role-based software security, 
must ensure that their policy is effective and that school officials 
gain access to only those education records in which they have 
legitimate educational interests.
    Information gathered by the director of the Family Policy 
Compliance Office at numerous FERPA training sessions and seminars, 
along with recent discussions with software vendors and educational 
organizations, indicates that the vast majority of mid and large size 
school districts and postsecondary institutions currently use 
commercial software for student information systems. We have been 
advised that these systems all include role-based security features 
that allow administrators to control access to specific records, 
screens, or fields according to a school official's duties and 
responsibilities; these systems also typically contain transactional 
logging features that document or track a user's actual access to 
particular records, which an agency or institution may use to help 
ensure the effectiveness of its policies regarding access to education 
records. Educational agencies and institutions that already have these 
systems would incur no additional costs to comply with the proposed 
regulations.
    For purposes of this analysis we excluded from a total of 14,315 
school districts and 6,585 postsecondary institutions those with more 
than 1,000 students, for a total of 6,998 small K-12 districts and 
3,933 small postsecondary institutions that may not have software with 
access control security features. The director's discussions with 
numerous SEAs and local districts suggest that the vast majority of 
these small districts and institutions do not make education records 
available to school officials electronically or by computer but instead 
use some system of administrative and physical controls.
    We estimate for this analysis that 20 percent, or 1,400, of these 
small districts and institutions use home-built computerized or 
electronic systems that may not have the role-based security features 
of commercial software. The most recent published estimate we have for 
software costs comes from the final Standards for Privacy of 
Individually Identifiable Health Information under the Health Insurance 
Portability and Accountability Act of 1996 (HIPAA Privacy Rule) 
published by the Department of Health and Human Services (HHS) on 
December 28, 2000, which estimated that the cost of software upgrades 
to track the disclosure of medical records would be $35,000 initially 
for each hospital. 65 FR 82462, 82768. We determined that use of the 
cost estimate from the HIPAA Privacy Rule was appropriate because, as 
discussed above, software that tracks disclosure history can also be 
used to control or restrict access to electronic records. Recent 
discussions with information technology (IT) staff in the Department 
suggested that it was reasonable to conclude that an institutional 
license for software that controls and tracks access to electronic 
records would cost approximately $35,000 at this time; adjustments for 
inflation were not deemed necessary because software costs do not track 
with inflation in as straightforward a way as do other goods and 
services. Further, while discussions with HHS staff indicate that the 
disclosure tracking software cost estimates in the HIPAA Privacy Rule 
preamble were provided primarily with hospitals and larger institutions 
in mind, the Department's IT staff found no difference between software 
costs depending on the size of the institutions.
    Based on these determinations and assumptions, if 1,400 small K-12 
districts and postsecondary institutions purchased student information 
software to comply with the proposed regulations, they would incur 
estimated costs of $49,000,000. We believe that the remaining 5,600 
small districts and institutions would not purchase new software 
because they do not make education records available electronically and 
rely instead on less costly administrative and physical methods to 
control access to records by school officials. Districts and 
institutions that provide school officials with open access to 
education records may need to devote some additional administrative 
staff time to ensuring that their policies are effective and that they 
remain in compliance with the

[[Page 15596]]

legitimate educational interest requirement with respect to school 
officials who access records. However, no reliable estimates exist for 
the average number of teachers and other school officials who access 
education records or the number of times access is sought. Accordingly, 
we are seeking public comment on any potential net costs associated 
with this proposed requirement for ensuring that legitimate educational 
interest policies are effective.

Identification and Authentication of Identity

    The proposed regulations in Sec.  99.31(c) would require 
educational agencies and institutions to use reasonable methods to 
identify and authenticate the identity of parents, students, school 
officials and other parties to whom the agency or institution discloses 
personally identifiable information from education records. They would 
impose no new costs for educational agencies and institutions that 
disclose hard copy records through the U.S. postal service or private 
delivery services with use of the recipient's name and last known 
official address. We were unable to find reliable data that would allow 
us to estimate the additional administrative time that educational 
agencies and institutions would incur to check photo identification, 
where appropriate, when releasing education records in person and seek 
public comment on this point.
    Authentication of identity for electronic records involves a wider 
array of security options because of continuing advances in 
technologies but is not necessarily more costly than authentication of 
identity for hard copy records. We assume that educational agencies and 
institutions that require users to enter a secret password or PIN to 
authenticate identity will deliver the password or PIN through the U.S. 
postal service or in person. We estimate that no new costs would be 
associated with this process because agencies and institutions already 
have direct contact with parents, eligible students, and school 
officials for a variety of other purposes and would use these 
opportunities to deliver a secret authentication factor.
    As noted above, single-factor authentication of identity, such as a 
standard form user name combined with a secret password or PIN, may not 
provide reasonable protection for access to all types of education 
records or under all circumstances. The Secretary invites public 
comment on the potential costs of authenticating identity when 
educational agencies and institutions allow authorized users to access 
sensitive personal or financial information in electronic records for 
which single-factor authentication would not be reasonable.

Redisclosure and Recordkeeping

    The proposed regulations would allow the officials and agencies 
listed in Sec.  99.31(a)(3)(i) (the U.S. Comptroller General; the U.S. 
Attorney General; the Secretary; and State and local educational 
authorities) to redisclose education records, or personally 
identifiable information from education records, without consent under 
the same conditions that apply currently to other recipients of 
education records under Sec.  99.33(b). This proposed change would 
provide substantial regulatory relief to these parties by allowing them 
to redisclose information on behalf of educational agencies and 
institutions under any provision in Sec.  99.31(a), which allows 
disclosure of education records without consent. For example, States 
would be able to consolidate K-16 education records under the SEA or 
State higher educational authority without having to obtain written 
consent under Sec.  99.30. Parties that currently request access to 
records from individual school districts and postsecondary institutions 
would in many instances be able to obtain the same information in a 
more cost effective manner from the appropriate State educational 
authority, or from the Department.
    In accordance with existing regulations in Sec.  99.32(b), an 
educational agency or institution must record any redisclosure of 
education records made on its behalf under Sec.  99.33(b), including 
the names of the additional parties to which the receiving party may 
redisclose the information and their legitimate interests or basis for 
the disclosure without consent under Sec.  99.31 in obtaining the 
information. The proposed regulations would allow SEAs and other State 
educational authorities (such as higher education authorities), the 
Secretary, and other officials or agencies listed in Sec.  
99.31(a)(3)(i) to maintain the record of redisclosure required under 
Sec.  99.32(b), provided that the educational agency or institution 
makes that record available to parents and eligible students as 
required under Sec.  99.32(c).
    SEAs and other officials listed in Sec.  99.31(a)(3)(i) would incur 
new administrative costs if they elect to maintain the record of 
redisclosure for the educational agency or institution on whose behalf 
they redisclose education records under the proposed regulations. We 
estimate that two educational authorities or agencies in each State and 
the District of Columbia (one for K-12 and one for postsecondary) and 
the Department itself, for a total of 103 authorities, will elect to 
maintain the required records of redisclosures. We estimate further 
that these authorities will need to record two redisclosures per year 
from their records and that it will take one hour of administrative 
time to record each redisclosure electronically at an average hourly 
rate of $32.67, for a total annual administrative cost of $6,730. 
(Compensation for administrative staff time is explained above.) We 
also assume for purposes of this analysis that State educational 
authorities and the Department already have software that would allow 
them to record these disclosures electronically.
    State educational authorities and other officials that elect to 
maintain records of redisclosures would also have to make that 
information available to a parent or eligible student, on request, if 
the educational agency or institution on whose behalf the information 
was redisclosed does not do so. We assume that few parents and students 
request this information and, therefore, use an estimate that one in 
one thousand of a total of 66,596,000 students will make such a request 
each year, or 66,596 requests. If it takes one-quarter of an hour to 
locate and print out a record of disclosures at an average 
administrative hourly rate of $32.67, the average annual administrative 
cost for this service would be $543,923, plus mailing costs (at $.41 
per letter) of $27,304, for a total of $571,227. Educational agencies 
and institutions themselves would incur these costs if they make these 
records of redisclosure available to parents and students instead.
    The Department believes that the proposed change would result in a 
net benefit to both educational agencies and institutions and the 
officials that redisclose information under this provision because the 
redisclosing parties would not have to send their records of 
redisclosure to the educational agencies and institutions unless a 
parent or student requests that information and the educational agency 
or institution wishes to make the record available itself. Further, the 
costs to State authorities and the Department to record their own 
redisclosures would be outweighed by the savings that educational 
agencies and institutions would realize by not having to record the 
disclosures themselves.

Notification of Compliance With Court Order or Subpoena

    The proposed regulations would require any party that rediscloses

[[Page 15597]]

education records in compliance with a court order or subpoena under 
Sec.  99.31(a)(9) to provide the notice to parents and eligible 
students required under Sec.  99.31(a)(9)(ii). We anticipate that this 
provision will affect mostly State and local educational authorities, 
which maintain education records they have obtained from their 
constituent districts and institutions and, under the proposed 
regulations discussed above, may redisclose the information, without 
consent, in compliance with a court order or subpoena under Sec.  
99.31(a)(9).
    There is no change in costs as a result of shifting responsibility 
for notification to the disclosing party under this proposed change. 
However, we believe that minimizing or eliminating uncertainty about 
which party is legally responsible for the notification would result in 
a net benefit to all parties.

State Auditors

    The proposed regulations would allow State auditors to have access 
to education records without consent under Sec. Sec.  99.31(a)(3) and 
99.35, which allow disclosures in connection with an audit or 
evaluation of Federal or State supported education programs, or for the 
enforcement of or compliance with Federal legal requirements related to 
those programs. This change would involve no increased costs and 
provide regulatory relief by clarifying that these disclosures are 
permitted even if the State auditor is not a State educational 
authority (or other official listed in Sec.  99.31(a)(3)(i)).
    The proposed change is limited to disclosures for purposes of an 
audit, which is defined as testing compliance with applicable laws, 
regulations, and standards. We believe that this limitation does not 
impose additional costs because a State auditor may conduct activities 
outside the scope of an audit, such as evaluate the effectiveness of 
educational programs, by establishing a contractual relationship with 
the State educational authority or school district or institution in 
possession of the records that qualifies the auditor as an authorized 
representative or school official, respectively.

Directory Information Opt Outs

    The proposed regulations clarify that while an educational agency 
or institution is not required to notify former students under Sec.  
99.37(a) about the institution's directory information policy or allow 
former students to opt out of directory information disclosures, they 
must continue to honor a parent's or student's decision to opt out of 
directory information disclosures after the student leaves the 
institution. Most agencies and institutions should already comply with 
this requirement because of informal guidance and training provided by 
FPCO. We have insufficient information to estimate the number of 
institutions affected and the additional costs involved in changing 
systems to maintain opt out flags on education records of former 
students and seek public comment on the matter.

2. Clarity of the Regulations

    Executive Order 12866 and the Presidential Memorandum on ``Plain 
Language in Government Writing'' require each agency to write 
regulations that are easy to understand.
    The Secretary invites comments on how to make these proposed 
regulations easier to understand, including answers to questions such 
as the following:
     Are the requirements in the proposed regulations clearly 
stated?
     Do the proposed regulations contain technical terms or 
other wording that interferes with their clarity?
     Does the format of the proposed regulations (grouping and 
order of sections, use of headings, paragraphing, etc.) aid or reduce 
their clarity?
     Would the proposed regulations be easier to understand if 
we divided them into more (but shorter) sections? (A ``section'' is 
preceded by the symbol ``Sec.  '' and a numbered heading; for example, 
Sec.  99.30 Under what conditions is prior consent required to disclose 
information?)
     Could the description of the proposed regulations in the 
SUPPLEMENTARY INFORMATION section of this preamble be more helpful in 
making the proposed regulations easier to understand? If so, how?
     What else could we do to make the proposed regulations 
easier to understand?
    Send any comments that concern how the Department could make these 
proposed regulations easier to understand to the person listed in the 
ADDRESSES section of the preamble.

Regulatory Flexibility Act Certification

    The Secretary certifies that these proposed regulations would not 
have a significant economic impact on a substantial number of small 
entities. The small entities that would be affected by these proposed 
regulations are small local educational agencies (LEAs) that receive 
Federal funds from the Department and certain 4- and 2-year colleges 
and for-profit postsecondary trade and technical schools with small 
enrollments that receive Federal funds, such as student aid programs 
under Title IV of the HEA. However, the regulations would not have a 
significant economic impact on these small agencies and institutions 
because the regulations would not impose excessive regulatory burdens 
or require unnecessary Federal supervision. The regulations would 
impose minimal requirements to ensure that LEAs and postsecondary 
institutions comply with the educational privacy protection 
requirements in FERPA.

Federalism

    Executive Order 13132 requires us to ensure meaningful and timely 
input by State and local elected officials in the development of 
regulatory policies that have federalism implications. ``Federalism 
implications'' means substantial direct effects on the States, on the 
relationship between the National Government and the States, or on the 
distribution of power and responsibilities among the various levels of 
government. The proposed regulations in Sec. Sec.  99.3 through 99.67 
may have federalism implications, as defined in Executive Order 13132, 
in that they will have some effect on the States and the operation of 
educational agencies and institutions subject to FERPA. We encourage 
State and local elected officials to review and provide comments on 
these proposed regulations. To facilitate review and comment by 
appropriate State and local officials, the Department will, aside from 
publication in the Federal Register, post the NPRM to the FPCO Web site 
and to the Office of Planning, Evaluation, and Policy Development 
(OPEPD) Web site and make a specific e-mail posting via a special 
listserv that is sent to each State department of education 
superintendent and higher education commission director.

Paperwork Reduction Act of 1995

    These proposed regulations do not contain any information 
collection requirements.

Intergovernmental Review

    These proposed regulations are not subject to Executive Order 12372 
and the regulations in 34 CFR part 79.

Assessment of Educational Impact

    The Secretary particularly requests comments on whether these 
proposed regulations would require transmission of information that any 
other agency or authority of the United States gathers or makes 
available.

[[Page 15598]]

Department Recommendations for Safeguarding Education Records

    The Department recognizes that agencies and institutions face 
significant challenges in safeguarding educational records. We are 
providing the following information and recommendations to assist 
agencies and institutions in meeting these challenges.
    As noted elsewhere in this document, FERPA provides that no funds 
administered by the Secretary may be made available to any educational 
agency or institution that has a policy or practice of releasing, 
permitting the release of, or providing access to personally 
identifiable information from education records without the prior 
written consent of a parent or eligible student except in accordance 
with specified exceptions. In light of these requirements, the 
Secretary encourages educational agencies and institutions to utilize 
appropriate methods to protect education records, especially in 
electronic data systems.
    In recent months the following incidents have come to the 
Department's attention:
     Students' grades or financial information, including SSNs, 
have been posted on publicly available web servers;
     Laptops and other portable devices containing similar 
information from education records have been lost or stolen;
     Education records, or devices that maintain education 
records, have not been retrieved from school officials upon termination 
of their employment or service as a contractor, consultant, or 
volunteer;
     Computer systems at colleges and universities have become 
favored targets because they hold many of the same records as banks but 
are much easier to access. See ``College Door Ajar for Online 
Criminals'' (May 2006), available at http://www.uh.edu/ednews/2006/latimes/200605/20060530hackers.html and July 10, 2006, Viewpoint in 
BusinessWeek/Online available at http://www.businessweek.com/technology/content/jul2006/tc20060710_558020.htm;
     Nearly 65 percent of postsecondary educational 
institutions identified theft of personal information (SSNs, credit/
debit/ATM card, account or PIN numbers, etc.) as a high risk area. See 
Table 7, Perceived Risks at http://www.educause.edu/ir/library/pdf/ecar_so/ers/ers0606/Ekf0606.pdf; and
     In December 2006, a large postsecondary institution 
alerted some 800,000 students and others that the campus computer 
system containing their names, addresses and SSNs had been compromised.
    The Department's Office of Inspector General (OIG) noted in Final 
Inspection Alert Memorandum dated February 3, 2006, that between 
February 15, 2005, and November 19, 2005, there were 93 documented 
computer breaches of electronic files involving personal information 
from education records such as SSNs, credit card information, and dates 
of birth. According to the reported data, 45 percent of these incidents 
have occurred at colleges and universities nationwide. OIG expressed 
concern that student information may be compromised due to a failure to 
implement or administer proper security controls for information 
systems at postsecondary institutions.
    The Department recognizes that no system for maintaining and 
transmitting education records, whether in paper or electronic form, 
can be guaranteed safe from every hacker and thief, technological 
failure, violation of administrative rules, and other causes of 
unauthorized access and disclosure. Although FERPA does not dictate 
requirements for safeguarding education records, the Department 
encourages the holders of personally identifiable information to 
consider actions that mitigate the risk and are reasonably calculated 
to protect such information. Of course, an educational agency or 
institution may use any method, combination of methods, or technologies 
it determines to be reasonable, taking into consideration the size, 
complexity, and resources available to the institution; the context of 
the information; the type of information to be protected (such as 
social security numbers or directory information); and methods used by 
other institutions in similar circumstances. The greater the harm that 
would result from unauthorized access or disclosure and the greater the 
likelihood that unauthorized access or disclosure will be attempted, 
the more protections an agency or institution should consider using to 
ensure that its methods are reasonable.
    One resource for administrators of electronic data systems is ``The 
National Institute of Standards and Technology (NIST) 800-100, 
Information Security Handbook: A Guide for Managers'' (October 2006). A 
second resource is NIST 800-53, which catalogs information security 
controls. Similarly, a May 22, 2007 memorandum to heads of federal 
agencies from the Office of Management and Budget requires executive 
departments and agencies to ensure that proper safeguards are in place 
to protect personally identifiable information that they maintain, 
eliminate the unnecessary use of SSNs, and develop and implement a 
``breach notification policy.'' This memorandum, although directed 
towards federal agencies, may also serve as a resource for educational 
agencies and institutions. See http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.
    Finally, if an educational agency or institution has experienced a 
theft of files or computer equipment, hacking or other intrusion, 
software or hardware malfunction, inadvertent release of data to 
Internet sites, or other unauthorized release or disclosure of 
education records, the Department suggests consideration of one or more 
of the following steps:
     Report the incident to law enforcement authorities.
     Determine exactly what information was compromised, i.e., 
names, addresses, SSNs, ID numbers, credit card numbers, grades, and 
the like.
     Take steps immediately to retrieve data and prevent any 
further disclosures.
     Identify all affected records and students.
     Determine how the incident occurred, including which 
school officials had control of and responsibility for the information 
that was compromised.
     Determine whether institutional policies and procedures 
were breached, including organizational requirements governing access 
(user names, passwords, PINs, etc.); storage; transmission; and 
destruction of information from education records.
     Determine whether the incident occurred because of a lack 
of monitoring and oversight.
     Conduct a risk assessment and identify appropriate 
physical, technological and administrative measures for preventing 
similar incidents in the future.
     Notify students that the Department's Office of Inspector 
General maintains a Web site describing steps students may take if they 
suspect they are a victim of identity theft at http://www.ed.gov/about/offices/list/oig/misused/idtheft.html; and http://www.ed.gov/about/offices/list/oig/misused/victim.html.
    FERPA does not require an educational agency or institution to 
notify students that information from their education records was 
stolen or otherwise subject to an unauthorized release, although it 
does require the agency or institution to maintain a record of each 
disclosure. 34 CFR 99.32(a)(1). (However, student

[[Page 15599]]

notification may be required in these circumstances for postsecondary 
institutions under the Federal Trade Commission's Standards for 
Insuring the Security, Confidentiality, Integrity and Protection of 
Customer Records and Information (``Safeguards Rule'') in 16 CFR part 
314.) In any case, direct student notification may be advisable if the 
compromised data includes student SSNs and other identifying 
information that could lead to identity theft.

Electronic Access to This Document

    You may view this document, as well as all other Department of 
Education documents published in the Federal Register, in text or Adobe 
Portable Document Format (PDF) on the Internet at the following site: 
http://www.ed.gov/news/fedregister.
    To use PDF you must have Adobe Acrobat Reader, which is available 
free at this site. If you have questions about using PDF, call the U.S. 
Government Printing Office (GPO), toll free, at 1-888-293-6498; or in 
the Washington, DC, area at (202) 512-1530.

    Note: The official version of this document is the document 
published in the Federal Register. Free Internet access to the 
official edition of the Federal Register and the Code of Federal 
Regulations is available on GPO Access at: http://www.gpoaccess.gov/nara/index.html.


(Catalog of Federal Domestic Assistance Number does not apply.)

List of Subjects in 34 CFR Part 99

    Administrative practice and procedure, Directory information, 
Education records, Information, Parents, Privacy, Records, Social 
Security Numbers, Students.

    Dated: March 17, 2008.
Margaret Spellings,
Secretary of Education.

    For the reasons discussed in the preamble, the Secretary proposes 
to amend part 99 of title 34 of the Code of Federal Regulations as 
follows:

PART 99--FAMILY EDUCATIONAL RIGHTS AND PRIVACY

    1. The authority citation for part 99 continues to read as follows:

    Authority: 20 U.S.C. 1232g, unless otherwise noted.

    2. Section 99.2 is amended by revising the note following the 
authority citation to read as follows:


Sec.  99.2  What is the purpose of these regulations?

* * * * *

    Note to Sec.  99.2: 34 CFR 300.610 through 300.626 contain 
requirements regarding the confidentiality of information relating 
to children with disabilities who receive evaluations, services or 
other benefits under Part B of the Individuals with Disabilities 
Education Act (IDEA). 34 CFR 303.402 and 303.460 identify the 
confidentiality of information requirements regarding children and 
infants and toddlers with disabilities and their families who 
receive evaluations, services or other benefits under Part C of 
IDEA.

    3. Section 99.3 is amended by:
    A. Adding, in alphabetical order, a definition for State auditor.
    B. Revising the definitions of Attendance, Directory information, 
Disclosure, and Personally identifiable information.
    C. In the definition of Education records, revising paragraph 
(b)(5) and adding a new paragraph (b)(6).
    These additions and revisions read as follows:


Sec.  99.3  What definitions apply to these regulations?

* * * * *
    Attendance includes, but is not limited to--
    (a) Attendance in person or by paper correspondence, 
videoconference, satellite, Internet, or other electronic information 
and telecommunications technologies for students who are not physically 
present in the classroom; and
    (b) The period during which a person is working under a work-study 
program.

(Authority: 20 U.S.C. 1232g)

* * * * *
    Directory information means information contained in an education 
record of a student that would not generally be considered harmful or 
an invasion of privacy if disclosed.
    (a) Directory information includes, but is not limited to, the 
student's name; address; telephone listing; electronic mail address; 
photograph; date and place of birth; major field of study; grade level; 
enrollment status (e.g., undergraduate or graduate, full-time or 
part-time); dates of attendance; participation in officially recognized 
activities and sports; weight and height of members of athletic teams; 
degrees, honors and awards received; and the most recent educational 
agency or institution attended.
    (b) Directory information does not include a student's social 
security number or student identification (ID) number.
    (c) Directory information includes a student's user ID or other 
unique personal identifier used by the student for purposes of 
accessing or communicating in electronic systems, but only if the 
electronic identifier cannot be used to gain access to education 
records except when used in conjunction with one or more factors that 
authenticate the user's identity, such as a personal identification 
number (PIN), password, or other factor known or possessed only by the 
authorized user.

(Authority: 20 U.S.C. 1232g(a)(5)(A))

* * * * *
    Disclosure means to permit access to or the release, transfer, or 
other communication of personally identifiable information contained in 
education records by any means, including oral, written, or electronic 
means, to any party except the party identified as the party that 
provided or created the record.

(Authority: 20 U.S.C. 1232g(b)(1) and (b)(2))

* * * * *

Education Records

* * * * *
    (b) * * *
    (5) Records created or received by an educational agency or 
institution after an individual is no longer a student in attendance 
and that are not directly related to the individual's attendance as a 
student.
    (6) Grades on peer-graded papers before they are collected and 
recorded by a teacher.
* * * * *

Personally Identifiable Information

    The term includes, but is not limited to--
    (a) The student's name;
    (b) The name of the student's parent or other family members;
    (c) The address of the student or student's family;
    (d) A personal identifier, such as the student's social security 
number, student number, or biometric record;
    (e) Other indirect identifiers, such as date of birth, place of 
birth, and mother's maiden name;
    (f) Other information that, alone or in combination, is linked or 
linkable to a specific student that would allow a reasonable person in 
the school or its community, who does not have personal knowledge of 
the relevant circumstances, to identify the student with reasonable 
certainty; or
    (g) Information requested by a person who the educational agency or 
institution reasonably believes has direct, personal knowledge of the 
identity of the student to whom the education record directly relates.

(Authority: 20 U.S.C. 1232g)

* * * * *
    State auditor means a party under any branch of government with 
authority

[[Page 15600]]

and responsibility under State law for conducting audits.

(Authority: 20 U.S.C. 1232g(b)(5))
* * * * *
    4. Section 99.5 is amended by redesignating paragraph (a) as 
paragraph (a)(1) and adding a new paragraph (a)(2) to read as follows:


Sec.  99.5  What are the rights of students?

    (a)(1) * * *
    (2) Nothing in this section prevents an educational agency or 
institution from disclosing education records, or personally 
identifiable information from education records, to a parent without 
the prior written consent of an eligible student if the disclosure 
meets the conditions in Sec.  99.31(a)(8), Sec.  99.31(a)(10), Sec.  
99.31(a)(15), or any other provision in Sec.  99.31(a).
* * * * *
    5. Section 99.31 is amended by:
    A. Redesignating paragraph (a)(1) as paragraph (a)(1)(i)(A) and 
adding new paragraphs (a)(1)(i)(B) and (a)(1)(ii).
    B. Revising paragraph (a)(2).
    C. Revising paragraph (a)(6)(ii).
    D. In paragraph (a)(9)(ii)(A), removing the word `` or'' after the 
punctuation ``;''.
    E. In paragraph (a)(9)(ii)(B), removing the punctuation ``.'' and 
adding in its place the word ``; or''.
    F. Adding paragraph (a)(9)(ii)(C).
    G. Adding paragraph (a)(16).
    H. Revising paragraph (b).
    I. Adding paragraphs (c) and (d).
    J. Revising the authority citation at the end of the section.
    The additions and revisions read as follows:


Sec.  99.31  Under what conditions is prior consent not required to 
disclose information?

    (a) * * *
    (1)(i)(A) * * *
    (B) A contractor, consultant, volunteer, or other party to whom an 
agency or institution has outsourced institutional services or 
functions may be considered a school official under this paragraph 
provided that the outside party--
    (1) Performs an institutional service or function for which the 
agency or institution would otherwise use employees;
    (2) Is under the direct control of the agency or institution; and
    (3) Is subject to the requirements of Sec.  99.33(a) governing the 
use and redisclosure of personally identifiable information from 
education records.
    (ii) An educational agency or institution must use reasonable 
methods to ensure that school officials obtain access to only those 
education records in which they have legitimate educational interests. 
An educational agency or institution that does not use physical or 
technological access controls must ensure that its administrative 
policy for controlling access to education records is effective and 
that it remains in compliance with the legitimate educational interest 
requirement in paragraph 99.31(a)(1)(i)(A).
    (2) The disclosure is, subject to the requirements of Sec.  99.34, 
to officials of another school, school system, or institution of 
postsecondary education where the student seeks or intends to enroll, 
or where the student is already enrolled so long as the disclosure is 
for purposes related to the student's enrollment or transfer.

    Note: Section 4155(b) of the No Child Left Behind Act of 2001, 
20 U.S.C. 7165(b), requires each State to assure the Secretary of 
Education that it has a procedure in place to facilitate the 
transfer of disciplinary records of a student who was suspended or 
expelled by a local educational agency to any private or public 
elementary or secondary school in which the student is subsequently 
enrolled or seeks, intends, or is instructed to enroll.

    (6) * * *
    (ii) An educational agency or institution may disclose personally 
identifiable information under paragraph (a)(6)(i) of this section only 
if it enters into a written agreement with the organization specifying 
the purposes of the study. An educational agency or institution is not 
required to agree with or endorse the conclusions or results of the 
study. The written agreement required under this paragraph must ensure 
that--
    (A) Information from education records is used only to meet the 
purpose or purposes of the study stated in the written agreement;
    (B) The organization conducts the study in a manner that does not 
permit personal identification of parents and students, as defined in 
this part, by individuals other than representatives of the 
organization that conducts the study; and
    (C) The information is destroyed or returned to the educational 
agency or institution when it is no longer needed for the purposes for 
which the study was conducted.
* * * * *
    (9) * * *
    (ii) * * *
    (C) An ex parte court order obtained by the United States Attorney 
General (or designee not lower than an Assistant Attorney General) 
concerning investigations or prosecutions of an offense listed in 18 
U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism 
as defined in 18 U.S.C. 2331.
* * * * *
    (16) The disclosure concerns an individual required to register 
under section 170101 of the Violent Crime Control and Law Enforcement 
Act of 1994, 42 U.S.C. 14071, and the information was obtained and 
disclosed by the educational agency or institution in compliance with a 
State community notification program under 42 U.S.C. 14071(e) or (j) 
and applicable Federal guidelines. Nothing in the Act or these 
regulations requires or encourages an educational agency or institution 
to collect or maintain information about registered sex offenders.
    (b)(1) De-identified records and information. An educational agency 
or institution, or a party that has received education records or 
information from education records under this part, may release the 
records or information without the consent required by Sec.  99.30 
after the removal of all personally identifiable information provided 
that the educational agency or institution or other party has made a 
reasonable determination that a student's identity is not personally 
identifiable because of unique patterns of information about that 
student, whether through single or multiple releases, and taking into 
account other reasonably available information.
    (2) An educational agency or institution, or a party that has 
received education records or information from education records under 
this part, may release de-identified student level data from education 
records for the purpose of education research by attaching a code to 
each record that may allow the recipient to match information received 
from the same source, provided that--
    (i) An educational agency or institution or other party that 
releases de-identified data under paragraph (b) of this section does 
not disclose any information about how it generates and assigns a 
record code, or that would allow a recipient to identify a student 
based on a record code;
    (ii) The record code is used for no purpose other than identifying 
a de-identified record for purposes of education research and cannot be 
used to ascertain personally identifiable information about a student; 
and
    (iii) The record code is not based on a student's social security 
number or other personal information.
    (c) An educational agency or institution must use reasonable 
methods to identify and authenticate the identity of parents, students, 
school officials, and any other parties to whom the

[[Page 15601]]

agency or institution discloses personally identifiable information 
from education records.
    (d) Paragraphs (a) and (b) of this section do not require an 
educational agency or institution or any other party to disclose 
education records or information from education records to any party.

(Authority: 20 U.S.C. 1232g(a)(5)(A), (b), (h), (i), and (j))

    6. Section 99.32 is amended by revising paragraph (d)(5) to read as 
follows:


Sec.  99.32  What recordkeeping requirements exist concerning requests 
and disclosures?

* * * * *
    (d) * * *
    (5) A party seeking or receiving records in accordance with Sec.  
99.31(a)(9)(ii)(A) through (C).
* * * * *
    7. Section 99.33 is amended by revising paragraphs (b), (c), (d), 
and (e) to read as follows:


Sec.  99.33  What limitations apply to the redisclosure of information?

* * * * *
    (b)(1) Paragraph (a) of this section does not prevent an 
educational agency or institution from disclosing personally 
identifiable information with the understanding that the party 
receiving the information may make further disclosures of the 
information on behalf of the educational agency or institution if:
    (i) The disclosures meet the requirements of Sec.  99.31; and
    (ii) The educational agency or institution has complied with the 
requirements of Sec.  99.32(b).
    (2) A party that rediscloses personally identifiable information 
from education records on behalf of an educational agency or 
institution in response to a court order or lawfully issued subpoena 
under Sec.  99.31(a)(9) must provide the notification required under 
Sec.  99.31(a)(9)(ii).
    (c) Paragraph (a) of this section does not apply to disclosures 
under Sec.  99.31(a)(8), (9), (11), (12), (14), (15), (16), and to 
information that postsecondary institutions are required to disclose 
under the Clery Act to the accuser and accused regarding the outcome of 
any campus disciplinary proceeding brought alleging a sexual offense.
    (d) An educational agency or institution must inform a party to 
whom disclosure is made of the requirements of paragraph (a) of this 
section except for disclosures made under Sec.  99.31(a)(8), (9), (11), 
(12), (14), (15), and (16), and to information that postsecondary 
institutions are required to disclose under the Clery Act to the 
accuser and accused regarding the outcome of any campus disciplinary 
proceeding brought alleging a sexual offense.
    (e) If this Office determines that a third party outside the 
educational agency or institution improperly rediscloses personally 
identifiable information from education records in violation of this 
section, the educational agency or institution may not allow that third 
party access to personally identifiable information from education 
records for at least five years.
* * * * *
    8. Section 99.34 is amended by revising paragraph (a)(1)(ii) to 
read as follows:


Sec.  99.34  What conditions apply to disclosure of information to 
other educational agencies and institutions?

    (a) * * *
    (1) * * *
    (ii) The annual notification of the agency or institution under 
Sec.  99.7 includes a notice that the agency or institution forwards 
education records to other agencies or institutions that have requested 
the records and in which the student seeks or intends to enroll;
* * * * *
    9. Section 99.35 is amended by revising paragraphs (a) and (b)(1) 
to read as follows:


Sec.  99.35  What conditions apply to disclosure of information for 
Federal or State program purposes?

    (a)(1) Authorized representatives of the officials or agencies 
headed by officials listed in Sec.  99.31(a)(3)(i) may have access to 
education records in connection with an audit or evaluation of Federal 
or State supported education programs, or for the enforcement of or 
compliance with Federal legal requirements that relate to those 
programs.
    (2) Authority for an agency or official listed in Sec.  
99.31(a)(3)(i) to conduct an audit, evaluation, or compliance or 
enforcement activity is not conferred by the Act or this part and must 
be established under other Federal, State, or local law, including 
valid administrative regulations.
    (3) State auditors that are not authorized representatives of State 
and local educational authorities may have access to education records 
in connection with an audit of Federal or State supported education 
programs. For purposes of this provision, an audit is limited to 
testing compliance with applicable laws, regulations, and standards.
    (b) * * *
    (1) Be protected in a manner that does not permit personal 
identification of individuals by anyone other than the officials or 
agencies headed by officials referred to in paragraph (a) of this 
section, except that those officials or agencies may make further 
disclosures of personally identifiable information from education 
records on behalf of the educational agency or institution in 
accordance with the requirements of Sec.  99.33(b); and
* * * * *
    10. Section 99.36 is amended by revising paragraphs (a) and (c) to 
read as follows:


Sec.  99.36  What conditions apply to disclosure of information in 
health and safety emergencies?

    (a) An educational agency or institution may disclose personally 
identifiable information from an education record to appropriate 
parties, including parents of an eligible student, in connection with 
an emergency if knowledge of the information is necessary to protect 
the health or safety of the student or other individuals.
* * * * *
    (c) In making a determination under paragraph (a) of this section, 
an educational agency or institution may take into account the totality 
of the circumstances pertaining to a threat to the safety or health of 
a student or other individuals. If the educational agency or 
institution determines that there is an articulable and significant threat 
to the health or safety of a student or other individuals, it may 
disclose information from education records to any person whose 
knowledge of the information is necessary to protect the health and 
safety of the student or other individuals. If, based on the 
information available at the time of the determination, there is a 
rational basis for the determination, the Department will not 
substitute its judgment for that of the educational agency or 
institution in evaluating the circumstances and making its 
determination.
* * * * *
    11. Section 99.37 is amended by:
    A. Revising paragraph (b).
    B. Adding new paragraphs (c) and (d).
    The revision and additions read as follows:


Sec.  99.37  What conditions apply to disclosing directory information?

* * * * *
    (b) An educational agency or institution may disclose directory 
information about former students without complying with the notice and 
opt out conditions in paragraph (a) of this section. However, the 
agency or

[[Page 15602]]

institution must continue to honor any valid request to opt out of the 
disclosure of directory information made while a student was in 
attendance unless the student rescinds the opt out request.
    (c) A parent or eligible student may not use the right under 
paragraph (a)(2) of this section to opt out of directory information 
disclosures to prevent an educational agency or institution from 
disclosing or requiring a student to disclose the student's name, 
electronic identifier, or institutional e-mail address in a class in 
which the student is enrolled.
    (d) An educational agency or institution may not disclose or 
confirm directory information without meeting the written consent 
requirements in Sec.  99.30 if a student's social security number or 
other non-directory information is used alone or combined with other 
data elements to identify or help identify the student or the student's 
records.
* * * * *
    12. Section 99.62 is revised to read as follows:


Sec.  99.62  What information must an educational agency or institution 
submit to the Office?

    The Office may require an educational agency or institution to 
submit reports, information on policies and procedures, annual 
notifications, training materials, and other information necessary to 
carry out its enforcement responsibilities under the Act or this part.

(Authority: 20 U.S.C. 1232g(f) and (g))


    13. Section 99.64 is amended by:
    A. Revising the section heading.
    B. Revising paragraphs (a) and (b).
    The revisions read as follows:


Sec.  99.64  What is the investigation procedure?

    (a) A complaint must contain specific allegations of fact giving 
reasonable cause to believe that a violation of the Act or this part 
has occurred. A complaint does not have to allege that a violation is 
based on a policy or practice of the educational agency or institution.
    (b) The Office investigates a timely complaint filed by a parent or 
eligible student, or conducts its own investigation when no complaint 
has been filed or a complaint has been withdrawn, to determine whether 
an educational agency or institution has failed to comply with a 
provision of the Act or this part. If the Office determines that an 
educational agency or institution has failed to comply with a provision 
of the Act or this part, it may also determine whether the failure to 
comply is based on a policy or practice of the agency or institution.
* * * * *
    14. Section 99.65 is revised to read as follows:


Sec.  99.65  What is the content of the notice of investigation issued 
by the Office?

    (a) The Office notifies the complainant, if any, and the 
educational agency or institution in writing if it initiates an 
investigation under Sec.  99.64(b). The notice to the educational 
agency or institution--
    (1) Includes the substance of the allegations against the 
educational agency or institution; and
    (2) Directs the agency or institution to submit a written response 
and other relevant information, as set forth in Sec.  99.62, within a 
specified period of time, including information about its policies and 
practices regarding education records.
    (b) The Office notifies the complainant if it does not initiate an 
investigation because the complaint fails to meet the requirements of 
Sec.  99.64.

(Authority: 20 U.S.C. 1232g(g))


    15. Section 99.66 is amended by revising paragraphs (a), (b), and 
the introductory text of paragraph (c) to read as follows:


Sec.  99.66  What are the responsibilities of the Office in the 
enforcement process?

    (a) The Office reviews a complaint, if any, information submitted 
by the educational agency or institution, and any other relevant 
information. The Office may permit the parties to submit further 
written or oral arguments or information.
    (b) Following its investigation, the Office provides to the 
complainant, if any, and the educational agency or institution a 
written notice of its findings and the basis for its findings.
    (c) If the Office finds that an educational agency or institution 
has not complied with a provision of the Act or this part, it may also 
find that the failure to comply was based on a policy or practice of 
the agency or institution. A notice of findings issued under paragraph 
(b) of this section to an educational agency or institution that has 
not complied with a provision of the Act or this part--
* * * * *
    16. Section 99.67 is amended by:
    A. Revising the introductory text of paragraph (a).
    B. In paragraph (a)(1), removing the punctuation ``;'' and adding, 
in its place, the punctuation ``.''.
    C. In paragraph (a)(2) removing the word ``; or'' and adding, in 
its place, the punctuation ``.''.
    The revision reads as follows:


Sec.  99.67  How does the Secretary enforce decisions?

    (a) If the Office determines that an educational agency or 
institution has a policy or practice in violation of the Act or this 
part, the Secretary may take any legally available enforcement action, 
including the following enforcement actions available in accordance 
with part E of the General Education Provisions Act:
* * * * *
 [FR Doc. E8-5790 Filed 3-21-08; 8:45 am]