[Federal Register Volume 73, Number 237 (Tuesday, December 9, 2008)]
[Rules and Regulations]
[Pages 74806-74855]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E8-28864]
-----------------------------------------------------------------------
Part II
Department of Education
-----------------------------------------------------------------------
34 CFR Part 99
Family Educational Rights and Privacy; Final Rule
-----------------------------------------------------------------------
DEPARTMENT OF EDUCATION
34 CFR Part 99
RIN 1855-AA05
[Docket ID ED-2008-OPEPD-0002]
Family Educational Rights and Privacy
AGENCY: Office of Planning, Evaluation, and Policy Development,
Department of Education.
ACTION: Final regulations.
-----------------------------------------------------------------------
SUMMARY: The Secretary amends our regulations implementing the Family
Educational Rights and Privacy Act (FERPA), which is section 444 of the
General Education Provisions Act. These amendments are needed to
implement a provision of the USA Patriot Act and the Campus Sex Crimes
Prevention Act, which added new exceptions permitting the disclosure of
personally identifiable information from education records without
consent. The amendments also implement two U.S. Supreme Court decisions
interpreting FERPA, and make necessary changes identified as a result
of the Department's experience administering FERPA and the current
regulations.
These changes clarify permissible disclosures to parents of
eligible students and conditions that apply to disclosures in health
and safety emergencies; clarify permissible disclosures of student
identifiers as directory information; allow disclosures to contractors
and other outside parties in connection with the outsourcing of
institutional services and functions; revise the definitions of
attendance, disclosure, education records, personally identifiable
information, and other key terms; clarify permissible redisclosures by
State and Federal officials; and update investigation and enforcement
provisions.
DATES: These regulations are effective January 8, 2009.
FOR FURTHER INFORMATION CONTACT: Frances Moran, U.S. Department of
Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC
20202-8250. Telephone: (202) 260-3887.
If you use a telecommunications device for the deaf (TDD), you may
call the Federal Relay Service (FRS) at 1-800-877-8339.
Individuals with disabilities may obtain this document in an
alternative format (e.g., Braille, large print, audiotape, or computer
diskette) on request to the contact person listed under FOR FURTHER
INFORMATION CONTACT.
SUPPLEMENTARY INFORMATION: On March 24, 2008, the U.S. Department of
Education (the Department or we) published a notice of proposed
rulemaking (NPRM) in the Federal Register (73 FR 15574). In the
preamble to the NPRM, the Secretary discussed the major changes
proposed in that document that are necessary to implement statutory
changes made to FERPA, to implement two U.S. Supreme Court decisions,
to respond to changes in information technology, and to address other
issues identified through the Department's experience in administering
FERPA.
We believe that the regulatory changes adopted in these final
regulations provide clarification on many important issues that have
arisen over time with regard to how FERPA affects decisions that school
officials have to make on an everyday basis. Educational agencies and
institutions face considerable challenges, especially with regard to
maintaining safe campuses, protecting personally identifiable
information in students' education records, and responding to requests
for data on student progress. These final regulations, as well as the
discussion on various provisions in the preamble, will assist school
officials in addressing these challenges in a manner that complies with
FERPA and protects the privacy of students' education records.
Notice of Proposed Rulemaking
In the NPRM, we proposed regulations to implement section 507 of
the USA Patriot Act (Pub. L. 107-56), enacted October 26, 2001, and the
Campus Sex Crimes Prevention Act, section 1601(d) of the Victims of
Trafficking and Violence Protection Act of 2000 (Pub. L. 106-386),
enacted October 28, 2000. Other major changes proposed in the NPRM
included the following:
Amending Sec. 99.5 to clarify the conditions under which
an educational agency or institution may disclose personally
identifiable information from an eligible student's education records
to a parent without the prior written consent of the eligible student;
Amending Sec. 99.31(a)(1) to authorize the disclosure of
education records without consent to contractors, consultants,
volunteers, and other outside parties to whom an educational agency or
institution has outsourced institutional services or functions;
Amending Sec. 99.31(a)(1) to ensure that teachers and
other school officials only gain access to education records in which
they have legitimate educational interests;
Amending Sec. 99.31(a)(2) to permit educational agencies
and institutions to disclose education records, without consent, to
another institution even after the student has enrolled or transferred
so long as the disclosure is for purposes related to the student's
enrollment or transfer;
Amending Sec. 99.31(a)(6) to require that an educational
agency or institution may disclose personally identifiable information
under this section only if it enters into a written agreement with the
organization specifying the purposes of the study and the use and
destruction of the data;
Amending Sec. 99.31 to include a new subsection to
provide standards for the release of information from education records
that has been de-identified;
Amending Sec. 99.35 to permit State and local educational
authorities and Federal officials listed in Sec. 99.31(a)(3) to make
further disclosures of personally identifiable information from
education records on behalf of the educational agency or institution;
and
Amending Sec. 99.36 to remove the language requiring
strict construction of this exception and add a provision stating that
if an educational agency or institution determines that there is an
articulable and significant threat to the health or safety of a student
or other individual, it may disclose the information to any person,
including parents, whose knowledge of the information is necessary to
protect the health or safety of the student or other individuals.
Significant Changes From the NPRM
These final regulations contain several significant changes from
the NPRM as follows:
Amending the definition of personally identifiable
information in Sec. 99.3 to provide a definition of biometric record;
Removing the proposed definition of State auditor in Sec.
99.3 and provisions in Sec. 99.35(a)(3) related to State auditors and
audits;
Revising Sec. 99.31(a)(6) to clarify the specific types
of information that must be contained in the written agreement between
an educational agency or institution and an organization conducting a
study for the agency or institution;
Removing the statement from Sec. 99.31(a)(16) that FERPA
does not require or encourage agencies or institutions to collect or
maintain information concerning registered sex offenders;
Requiring a State or local educational authority or
Federal official or agency that rediscloses personally identifiable
information from education records to record that disclosure if the
educational agency or institution does not do so under Sec. 99.32(b);
and
Revising Sec. 99.32(b) to require an educational agency
or institution that makes a disclosure in a health or safety emergency
to record information concerning the circumstances of the emergency.
These changes are explained in greater detail in the following
Analysis of Comments and Changes.
Analysis of Comments and Changes
In response to the Secretary's invitation in the NPRM, 121 parties
submitted comments on the proposed regulations. An analysis of the
comments and of the changes in the regulations since publication of the
NPRM follows.
We group major issues according to subject, with applicable
sections of the regulations referenced in parentheses. We discuss other
substantive issues under the sections of the regulations to which they
pertain. Generally, we do not address technical and other minor
changes, or suggested changes that the law does not authorize the
Secretary to make. We also do not address comments pertaining to issues
that were not within the scope of the NPRM.
Definitions (Sec. 99.3)
(a) Attendance
Comment: We received no comments objecting to the proposed changes
to the definition of the term attendance. Three commenters expressed
support for the changes because the availability and use of alternative
instructional formats are not clearly addressed by the current
regulations. One commenter suggested that the definition could avoid
obsolescence by referring to the receipt of instruction leading to a
diploma or certificate instead of listing the types of instructional
formats.
Discussion: We proposed to revise the definition of attendance
because we received inquiries from some educational agencies and
institutions asking whether FERPA was applicable to the records of
students receiving instruction through the use of new technology
methods that do not require a physical presence in a classroom. Because
the definition of attendance is key to determining when an individual's
records at a school are education records protected by FERPA, it is
essential that schools and institutions understand the scope of the
term. To prevent the regulations from becoming out of date as new
formats and methods are developed, the definition provides that
attendance may also include "other electronic information and
telecommunications technologies."
While most schools are aware of the various formats distance
learning may take, we believe it is informative to list the different
communications media that are currently used. Also, we believe that
parents, eligible students, and other individuals and organizations
that use the FERPA regulations may find the listing of formats useful.
We do not agree that the definition of attendance should be limited
to receipt of instruction leading to a diploma or certificate, because
this would improperly exclude many instructional formats.
Changes: None.
(b) Directory Information (Sec. Sec. 99.3 and 99.37)
(1) Definition (Sec. 99.3)
Comment: We received a number of comments on our proposal to revise
the definition of directory information to provide that an educational
agency or institution may not designate as directory information a
student's social security number (SSN) or other student identification
(ID) number. The proposed definition also provided that a student's
user ID or other unique identifier used by the student to access or
communicate in electronic systems could be considered directory
information but only if the electronic identifier cannot be used to
gain access to education records except when used in conjunction with
one or more factors that authenticate the student's identity.
All commenters agreed that student SSNs should not be disclosed as
directory information. Several commenters strongly supported the
definition of directory information as proposed, noting that failure to
curtail the use of SSNs and student ID numbers as directory information
could facilitate identity theft and other fraudulent activities.
One commenter said that the proposed regulations did not go far
enough to prohibit the use of students' SSNs as a student ID number,
placing SSNs on academic transcripts, and using SSNs to search an
electronic database. Another commenter expressed concern that the
proposed regulations could prohibit reporting needed to enforce
students' financial obligations and other routine business practices.
According to this commenter, restrictions on the use of SSNs in FERPA
and elsewhere demonstrate the need for a single student identifier that
can be tied to the SSN and other identifying information to use for
grade transcripts, enrollment verification, default prevention, and
other activities that depend on sharing student information. Another
commenter stated that institutions should not be allowed to penalize
students who opt out of directory information disclosures by denying
them access to benefits, services, and required activities.
Several commenters said that the definition in the proposed
regulations was confusing and unnecessarily restrictive because it
treats a student ID number as the functional equivalent of an SSN. They
explained that when providing access to records and services, many
institutions no longer use an SSN or other single identifier that both
identifies and authenticates identity. As a result, at many
institutions, the condition specified in the regulations for treating
electronic identifiers as directory information, i.e., that the
identifier cannot be used to gain access to education records except
when used in conjunction with one or more factors that authenticate the
user's identity, often applies to student ID numbers as well because
they cannot be used to gain access to education records without a
personal identification number (PIN), password, or some other factor to
authenticate the user's identity. Some commenters suggested that our
nomenclature is the problem and that regardless of what it is called,
an identifier that does not allow access to education records without
the use of authentication factors should be treated as directory
information. According to one commenter, allowing institutions to treat
student ID numbers as directory information in these circumstances
would improve business practices and enhance student privacy by
encouraging institutions to require additional authentication factors
when using student ID numbers to provide access to education records.
One commenter strongly opposed allowing institutions to treat a
student's electronic identifier as directory information if the
identifier could be made available to parties outside the school
system. This commenter noted that electronic identifiers may act as a
key, offering direct access to the student's entire file, and that PINs
and passwords alone do not provide adequate security for education
records. Another commenter said that if electronic identifiers and ID
numbers can be released as directory information, then password
requirements need to be more stringent to guard against unauthorized
access to information and identity theft.
Some commenters recommended establishing categories of directory
information, with certain information
made available only within the educational community. One commenter
expressed concern about Internet safety because the regulations allow
publication of a student's e-mail address. Another said that FERPA
should not prevent institutions from printing the student's ID number
on an ID card or otherwise restrict its use on campus but that
publication in a directory should not be allowed.
Two commenters asked the Department to confirm that the regulations
allow institutions to post grades using a code known only by the
teacher and the student.
Discussion: We share commenters' concerns about the use of
students' SSNs. In general, however, there is no statutory authority
under FERPA to prohibit an educational agency or institution from using
SSNs as a student ID number, on academic transcripts, or to search an
electronic database so long as the agency or institution does not
disclose the SSN in violation of FERPA requirements. As discussed
elsewhere in this preamble, FERPA does prohibit using a student's SSN,
without consent, to search records in order to confirm directory
information.
Some States prohibit the use of SSNs as a student ID number, and
some institutions have voluntarily ceased using SSNs in this manner
because of concerns about identity theft. Students are required to
provide their SSNs in order to receive Federal financial aid, and the
regulations do not prevent an agency or institution from using SSNs for
this purpose. We note that FERPA does not address, and we do not
believe that there is statutory authority under FERPA to require,
creation of a single student identifier to replace the SSN. In any
case, the Department encourages educational agencies and institutions,
as well as State educational authorities, to follow best practices of
the educational community with regard to protecting students' SSNs.
We agree that students should not be penalized for opting out of
directory information disclosures. Indeed, an educational agency or
institution may not require parents and students to waive their rights
under FERPA, including the right to opt out of directory information
disclosures. On the other hand, we do not interpret FERPA to require
educational agencies and institutions to ensure that students can
remain anonymous to others in the school community when using an
institution's electronic communications systems. As a result, parents
and students who opt out of directory information disclosures may not
be able to use electronic communications systems that require the
release of the student's name or electronic identifier within the
school community. (As discussed later in this notice in our discussion
of the comments on Sec. 99.37(c), the right to opt out of directory
information disclosures may not be used to allow a student to remain
anonymous in class.)
The regulations allow an educational agency or institution to
designate a student's user ID or other electronic identifier as
directory information if the identifier functions essentially like the
student's name, and therefore, disclosure would not be considered
harmful or an invasion of privacy. That is, the identifier cannot be
used to gain access to education records except when combined with one
or more factors that authenticate the student's identity.
We have historically advised that student ID numbers may not be
disclosed as directory information because they have traditionally been
used like SSNs, i.e., as both an identifier and authenticator of
identity. We agree, however, that the proposed definition was confusing
and unnecessarily restrictive because it failed to recognize that many
institutions no longer use student ID numbers in this manner. If a
student identifier cannot be used to access records or communicate
electronically without one or more additional factors to authenticate
the user's identity, then the educational agency or institution may
treat it as directory information under FERPA regardless of what the
identifier is called. We have revised the definition of directory
information to provide this flexibility.
We share the commenters' concerns about the use of PINs and
passwords. In the preamble to the NPRM, we explained that PINs or
passwords, and single-factor authentication of any kind, may not be
reasonable for protecting access to certain kinds of information (73 FR
15585). We also recognize that user IDs and other electronic
identifiers may provide greater access and linking to information than
does a person's name. Therefore, we remind educational agencies and
institutions that disclose student ID numbers, user IDs, and other
electronic identifiers as directory information to examine their
recordkeeping and data sharing practices and ensure that, when these
identifiers are used, the methods they select for authenticating
identity provide adequate protection against the unauthorized
disclosure of information in education records.
We also share the concern of commenters who stated that students'
e-mail addresses and other identifiers should be disclosed as directory
information only within the school system and should not be made
available outside the institution. The disclosure of directory
information is permissive under FERPA, and, therefore, an agency or
institution is not required to designate and disclose any student
identifier (or any other item) as directory information. Further, while
FERPA does not expressly recognize different levels or categories of
directory information, an agency or institution is not required to make
student directories and other directory information available to the
general public just because the information is shared within the
institution. For example, under FERPA, an institution may decide to
make students' electronic identifiers and e-mail addresses available
within the institution but not release them to the general public as
directory information. In fact, the preamble to the NPRM suggested that
agencies and institutions should minimize the public release of student
directories to mitigate the risk of re-identifying information that has
been de-identified (73 FR 15584).
With regard to student ID numbers in particular, an agency or
institution may print an ID number on a student's ID card whether or
not the number is treated as directory information because under FERPA
simply printing the ID number on a card, without more, is not a
disclosure and, therefore, is not prohibited. See 20 U.S.C.
1232g(b)(2). If the student ID number is not designated as directory
information, then the agency or institution may not disclose the card,
or require the student to disclose the card, except in accordance with
one of the exceptions to the consent requirement, such as to school
officials with legitimate educational interests. If the student ID
number is designated as directory information in accordance with these
regulations, then it may be disclosed. However, the agency or
institution may still decide against making a directory of student ID
numbers available to the general public.
We discuss codes used by teachers to post grades in our discussion
of the definition of personally identifiable information elsewhere in
this preamble.
Changes: We have revised the definition of directory information in
Sec. 99.3 to provide that directory information includes a student ID
number if it cannot be used to gain access to education records except
when used with one or more other factors to authenticate the user's
identity.
(2) Conditions for Disclosing Directory Information
(i) Sec. 99.37(b)
Comment: All comments on this provision supported our proposal to
clarify that an educational agency or institution must continue to
honor a valid request to opt out of directory information disclosures
even after the student no longer attends the institution. One commenter
stated that the proposed regulations appropriately provided former
students with the continuing ability to control the release of
directory information and remarked that this will benefit students and
families. One commenter asked how long an opt out from directory
information disclosures must be honored. Another commenter said that
students may object if their former schools do not disclose directory
information without their specific written consent because the school
is unable to determine whether the student previously opted out. This
could occur, for example, if a school declined to disclose that a
student had received a degree to a prospective employer.
Discussion: The regulations clarify that once a parent or eligible
student opts out of directory information disclosures, the educational
agency or institution must continue to honor that election after the
student is no longer in attendance. While this is not a new
interpretation, school districts and postsecondary institutions have
been unclear about its application and have not administered it
consistently. The inclusion in the regulations of this longstanding
interpretation is necessary to ensure that schools clearly understand
their obligation to continue to honor a decision to opt out of the
disclosure of directory information after a student stops attending the
school, until the parent or eligible student rescinds it.
Educational agencies and institutions are not required under FERPA
to disclose directory information to any party. Therefore, parents and
students have no basis for objecting if an agency or institution does
not disclose directory information because it is not certain whether
the parent or student opted out. The regulations provide an educational
agency or institution with the flexibility to determine the process it
believes is best suited to serve its population as long as it honors
prior elections to opt out of directory information disclosures.
Changes: None.
(ii) Sec. 99.37(c)
Comment: We received two comments in support of our proposal to
clarify in this section that parents and students may not use the right
to opt out of directory information disclosures to prevent disclosure
of the student's name or other identifier in the classroom.
Discussion: We appreciate the commenters' support.
Changes: None.
(iii) Sec. 99.37(d)
Comment: Two commenters supported the prohibition on using a
student's SSN to disclose or confirm directory information unless a
parent or eligible student provides written consent. One of these
commenters questioned the statutory basis for this interpretation.
Several commenters asked whether, under the proposed regulations, a
school must deny a request for directory information if the requester
supplies the student's SSN. One commenter asked whether a request for
directory information that contains a student's SSN may be honored so
long as the school does not use the SSN to locate the student's
records. One commenter stated that the regulations could more
effectively protect students' SSNs but was concerned that denying a
request for directory information that contains an SSN may
inadvertently confirm the SSN.
One commenter expressed concern that the prohibition on using a
student's SSN to verify directory information would leave schools with
large student populations unable to locate the appropriate record
because they will need to rely solely on the student's name and other
directory information, if any, provided by the requester, which may be
duplicated in their databases. This commenter said that students would
object if institutions were unable to respond quickly to requests by
banks or landlords for confirmation of enrollment because the request
contained the student's SSN.
One commenter suggested that the regulations require an educational
agency or institution to notify a requester that the release or
confirmation of directory information does not confirm the accuracy of
the SSN or other non-directory information submitted with the request.
Another commenter asked whether the regulations apply to confirmation
of student enrollment and other directory information by outside
service providers such as the National Student Clearinghouse.
Discussion: The provision in the proposed regulations prohibiting
an educational agency or institution from using a student's SSN when
disclosing or verifying directory information is based on the statutory
prohibition on disclosing personally identifiable information from
education records without consent in 20 U.S.C. 1232g(b). The
prohibition applies also to any party outside the agency or institution
providing degree, enrollment, or other confirmation services on behalf
of an educational agency or institution, such as the National Student
Clearinghouse.
A school is not required to deny a request for directory
information about a student, such as confirmation whether a student is
enrolled or has received a degree, if the requester supplies the
student's SSN (or other non-directory information) along with the
request. However, in releasing or confirming directory information
about a student, the school may not use the student's SSN (or other
non-directory information) supplied by the requester to identify the
student or locate the student's records unless a parent or eligible
student has provided written consent. This is because confirmation of
information in education records is considered a disclosure under
FERPA. See 20 U.S.C. 1232g(b). A school's use of a student's SSN (or
other non-directory information) provided by the requester to confirm
enrollment or other directory information implicitly confirms and,
therefore, discloses, the student's SSN (or other non-directory
information). This is true even if the requester also provides the
school with the student's name, date of birth, or other directory
information to help identify the student.
A school may choose to deny a request for directory information,
whether or not it contains a student's SSN, because only a parent or
eligible student has a right to obtain education records under FERPA.
Denial of a request for directory information that contains a student's
SSN is not an implicit confirmation or disclosure of the SSN.
These regulations will not adversely affect the ability of
institutions to respond quickly to requests by parties such as banks
and landlords for confirmation of enrollment that contain the student's
SSN because students generally provide written consent for schools to
disclose information to the inquiring party in order to obtain banking
and housing services. We note, however, that if a school wishes to use
the student's SSN to confirm enrollment or other directory information
about the student, it must ensure that the written consent provided by
the student includes consent for the school to
disclose the student's SSN to the requester.
There is no authority in FERPA to require a school to notify
requesters that it is not confirming the student's SSN (or other
non-directory information) when it discloses or confirms directory
information. However, when a party submits a student's SSN along with a
request for directory information, in order to avoid confusion, unless
a parent or eligible student has provided written consent for the
disclosure of the student's SSN, the school may indicate that it has
not used the SSN (or other non-directory information) to locate the
student's records and that its response may not and does not confirm
the accuracy of the SSN (or other non-directory information) supplied
with the request.
We recognize that with a large database of student information,
there may be some loss of ability to identify students who have common
names if SSNs are not used to help identify the individual. However,
schools that do not use SSNs supplied by a party requesting directory
information, either because the student has not provided written
consent or because the school is not certain that the written consent
includes consent for the school to disclose the student's SSN,
generally may use the student's address, date of birth, school, class,
year of graduation, and other directory information to identify the
student or locate the student's records.
Changes: None.
(c) Disclosure (Sec. 99.3)
Comment: Two commenters said that the proposal to revise the
definition of disclosure to exclude the return of a document to its
source was too broad and could lead to improper release of highly
sensitive documents, such as an individualized education program (IEP)
contained in a student's special education records, to anyone claiming
to be the creator of a record. One of the commenters stated that
changing the definition was unnecessary, as schools already have a
means of verifying documents by requesting additional copies from the
source. Both commenters also expressed concern that, because
recordation is not required, a parent or eligible student will not be
aware that the verification occurred.
We also received comments of strong support for the proposed change
to the definition of disclosure. The commenters stated that this
change, targeted to permit the release of records back to the
institution that presumably created them, will enhance an institution's
ability to identify and investigate suspected fraudulent records in a
timely manner.
Discussion: For several years now, school officials have advised us
that problems related to fraudulent records typically involve a
transcript or letter of recommendation that has been altered by someone
other than the responsible school official. Under the current
regulations, an educational agency or institution may ask for a copy of
a record from the presumed source when it suspects fraudulent activity.
However, simply asking for a copy of a record may not be adequate, for
example, if the original record no longer exists at the sending
institution. In these circumstances, an institution will need to return
a record to its identified source to be able to verify its
authenticity. The final regulations permit a targeted release of
records back to the stated source for verification purposes in order to
provide schools with the flexibility needed for this process while
preserving a more general prohibition on the release of information
from education records.
We do not agree that the term disclosure as proposed in the NPRM is
too broad and could lead to the improper release of highly sensitive
documents to anyone claiming to be the creator of the record. School
officials have not advised us that they have had problems receiving IEP
records and other highly sensitive materials from parties who did not
in fact create or provide the record. Therefore, we do not believe that
the proposed definition of disclosure is too broad.
The commenters are correct that the return of an education record
to its source does not have to be recorded, because it is not a
disclosure. We do not consider this problematic, however, because the
information is merely being returned to the party identified as its
source. This is similar to the situation in which a school is not
required under the regulations to record disclosures of education
records made to school officials with legitimate educational interests.
As in that instance, there is no direct notice to a parent or student
of either the disclosure of the record or the information in the
record. We also believe that if a questionable document is deemed to be
inauthentic by the source, the student will be informed of the results
of the authentication process by means other than seeing a record of
the disclosure in the student's file. There appears to be little value
in notifying a parent or student that a document was suspected of being
fraudulent if the document is found to be genuine and accurate.
Finally, we note that a transcript or other document does not lose
its protection under FERPA, including the written consent requirements,
when an educational agency or institution returns it to the source. The
document and the information in it remains an ``education record''
under FERPA when it is returned to its source. As an education record,
it may not be redisclosed except in accordance with FERPA requirements,
including Sec. 99.31(a)(1), which allows the source institution to
disclose the information to teachers and other school officials with
legitimate educational interests, such as persons who need to verify
the accuracy or authenticity of the information. If the source
institution makes any further disclosures of the record or information,
it must record them.
Changes: None.
Additional Changes to the Definition of Disclosure
Comment: Several commenters requested additional changes to the
definition of disclosure. One commenter requested that any transfer of
education records to a State's longitudinal data system not be
considered a disclosure. Several commenters requested that additional
changes be made so that a school could provide current education
records of students back to the students' former schools or districts.
A commenter recommended excluding from the definition of disclosure
statistical information that is personally identifiable because of
small cell sizes when the recipient agrees to maintain the
confidentiality of the information.
Discussion: The revised definition of disclosure, which excludes
the return of a document to its stated source, clarifies that
information provided by school districts or postsecondary institutions
to State educational authorities, including information maintained in a
consolidated student records system, may be provided back to the
original district or institution without consent. There is no statutory
authority, however, to exclude from the definition of disclosure a
school district's or institution's release or transfer of personally
identifiable information from education records to its State
longitudinal data system. (We discuss the disclosure of education
records in connection with the development of consolidated,
longitudinal data systems in our response to comments on redisclosure
and recordkeeping requirements elsewhere in this preamble.) Likewise,
there is no statutory authority to exclude from the definition of
disclosure the release of personally identifiable information from
[[Page 74811]]
education records to parties that agree to keep the information
confidential. (See our discussion of personally identifiable
information and de-identified records and information elsewhere in this
preamble.)
The revised regulations do not authorize the disclosure of
education records to third parties who are not identified as the
provider or creator of the record. For example, a college may not send
a student's current college records to a student's high school under
the revised definition of disclosure because the high school is not the
stated source of those records. (We discuss this issue elsewhere in the
preamble under Disclosure of Education Records to Students' Former
Schools.)
Changes: None.
(d) Education Records
(1) Paragraph (b)(5)
Comment: Several commenters supported our proposal to clarify the
existing exclusion from the definition of education records for records
that only contain information about an individual after he or she is no
longer a student, which we referred to as ``alumni records'' in the
NPRM, 73 FR 15576. One commenter suggested that the term ``directly
related,'' which is used in the amended definition in reference to a
student's attendance, is inconsistent with the use of the term
``personally identifiable'' in other sections of the regulations and
could cause confusion.
One commenter asked whether a postsecondary school could provide a
student's education records from the postsecondary school to a
secondary school that the student attended previously.
Several commenters objected to the proposed regulations because,
according to the commenters, the regulations would expand the records
subject to FERPA's prohibition on disclosure of education records
without consent. A journalist stated that the settlement agreement
cited in the NPRM is an example of a record that should be excluded
from the definition and that schools already are permitted to protect
too broad a range of documents from public review because the documents
are education records. The commenter stated that information from
education records such as a settlement agreement is newsworthy,
unlikely to contain confidential information, and that disclosure of
such information provides a benefit to the public. Another commenter
expressed concern that the regulations allow schools to collect
negative information about a former student without giving the
individual an opportunity to challenge the content because the
information is not an education record under FERPA.
Discussion: It has long been the Department's interpretation that
records created or received by an educational agency or institution on
a former student that are directly related to the individual's
attendance as a student are not excluded from the definition of
education records under FERPA, and that records created or received on
a former student that are not directly related to the individual's
attendance as a student are excluded from the definition and,
therefore, are not ``education records.'' The proposed regulations in
paragraph (b)(5) were intended to clarify the use of this exclusion,
not to change or expand its scope.
Our use of the phrase ``directly related to the individual's
attendance as a student'' to describe records that do not fall under
this exclusion from the definition of education records is not
inconsistent with the term ``personally identifiable'' as used in other
parts of the regulations, and the two should not be confused. The term
``personally identifiable information'' is used in the statute and
regulations to describe the kind of information from education records
that may not be disclosed without consent. See 20 U.S.C. 1232g(b); 34
CFR 99.3, 99.30. While ``personally identifiable information''
maintained by an agency or institution is generally considered an
``education record'' under FERPA, personally identifiable information
does not fall under this exclusion from the definition of education
records if the information is not directly related to the student's
attendance as a student. For example, personally identifiable
information related solely to a student's activities as an alumnus of
an institution is excluded from the definition of education records
under this provision. We think that the term ``directly related'' is
clear in this context and will not be confused with ``personally
identifiable.''
A postsecondary institution may not disclose a student's
postsecondary education records to the secondary school previously
attended by the student under this provision because these records are
directly related to the student's attendance as a student at the
postsecondary institution. (We discuss this issue further under
Disclosure of Education Records to Students' Former Schools.)
We do not agree that documents such as settlement agreements are
unlikely to contain confidential information. Our experience has been
that these documents often contain highly confidential information,
such as special education diagnoses, educational supports, or mental or
physical health and treatment information. Our changes to the
definition were intended to clarify that schools may not disclose this
information to the media or other parties, without consent, simply
because a student is no longer in attendance at the school at the time
the record was created or received. A parent or eligible student who
wishes to share the student's own records with the media or other
parties is free to do so.
Neither FERPA nor the regulations contains a provision for a parent
or eligible student to challenge information that is not contained in
an education record. FERPA does not prohibit a parent or student from
using other venues to seek redress for collection and release of
information in non-education records.
Changes: None.
(2) Paragraph (b)(6)
Comment: We received several comments supporting the proposed
changes to the definition of education records that would exclude from
the definition grades on peer-graded papers before they are collected
and recorded by a teacher. These commenters expressed appreciation that
this revision would be consistent with the U.S. Supreme Court's
decision on peer-graded papers in Owasso Independent School Dist. No.
I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso). Two commenters asked how
the provision would be applied to the use of group projects and group
grading within the classroom.
Discussion: The proposed changes to the definition of education
records in paragraph (b)(6) are designed to implement the U.S. Supreme
Court's 2002 decision in Owasso, which held that peer grading does not
violate FERPA. As noted in the NPRM, 73 FR 15576, the Court held in
Owasso that peer grading does not violate FERPA because ``the grades on
students' papers would not be covered under FERPA at least until the
teacher has collected them and recorded them in his or her grade
book.'' 534 U.S. at 436.
As suggested by the Supreme Court in Owasso, 534 U.S. at 435, FERPA
is not intended to interfere with a teacher's ability to carry out
customary practices, such as group grading of team assignments within
the classroom. Just as FERPA does not prevent teachers from allowing
students to grade a test or homework assignment of another student or
from calling out that grade in class, even though the grade may
eventually become an education record,
[[Page 74812]]
FERPA does not prohibit the discussion of group or individual grades on
classroom group projects, so long as those individual grades have not
yet been recorded by the teacher. The process of assigning grades or
grading papers falls outside the definition of education records in
FERPA because the grades are not ``maintained'' by an educational
agency or institution at least until the teacher has recorded the
grades.
Changes: None.
(e) Personally Identifiable Information
Comments on the proposed definition of personally identifiable
information are discussed elsewhere in this preamble under the heading
Personally Identifiable Information and De-identified Records and
Information.
(f) State Auditors and Audits (Sec. Sec. 99.3 and Proposed
99.35(a)(3))
Comment: Several commenters supported the clarification in proposed
Sec. 99.35(a)(3) that State auditors may have access to education
records, without consent, in connection with an ``audit'' of Federal or
State supported education programs under the exception to the written
consent requirement for authorized representatives of ``State and local
educational authorities.'' All but one of the commenters, however,
disagreed strongly with the proposed definition of audit in Sec.
99.35(a)(3), which was limited to testing compliance with applicable
laws, regulations, and standards and did not include the broader
concept of evaluations.
In general, the commenters said that the proposed definition of
audit was too narrow and would prevent State auditors from conducting
performance audits and other services that they routinely provide in
accordance with professional auditing standards, including the U.S.
Comptroller's Government Auditing Standards. See
www.gao.gov/govaud/ybk01.htm. A State legislative auditor noted, for
example, that 45
State legislatures have established legislative program evaluation
offices whose express purpose is to provide research and evaluation for
legislative decision making, and that these offices regularly use
personally identifiable information from education records for their
work. Some of the commenters also questioned whether financial audits
and attestation engagements would be excluded under the proposed
definition.
One commenter said that the State auditor provisions in proposed
Sec. Sec. 99.3 and 99.35(a)(3) should be expanded to apply to other
non-education State officials responsible for evaluating publicly
funded programs. Another commenter recommended that the regulations
include examination of education records by health department officials
to improve compliance with mandated immunization schedules.
The majority of the comments we received with respect to the
inclusion of local auditors in the proposed definition of State auditor
in Sec. 99.3 supported permitting local auditors to have access to
personally identifiable information for purposes of auditing Federal or
State supported education programs. One commenter said that local
auditors should not be included in the definition, while another
commenter stated that auditors for the city health department need
access to FERPA-protected information to determine the accuracy of
claims for payment and asked for further clarification on the issue.
Discussion: We explained in the preamble to the NPRM that the
statute allows disclosure of personally identifiable information from
education records without consent to authorized representatives of
``State educational authorities'' in connection with an audit or
evaluation of Federal or State supported education programs. 73 FR
15577. Legislative history indicates that Congress amended the statute
in 1979 to ``correct an anomaly'' in which the existing exception to
the consent requirement in 20 U.S.C. 1232g(b)(3) was interpreted to
preclude State auditors from obtaining access to education records for
audit purposes. See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10
(1979), reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824.
However, because the amended statutory language in 20 U.S.C.
1232g(b)(5) refers only to ``State and local educational officials,''
the proposed regulations sought to clarify that this included ``State
auditors'' or auditors with authority and responsibility under State
law for conducting audits. Due to the breadth of this inclusion,
however, the proposed regulations also sought to limit access to
education records by State auditors by narrowing the definition of
audit.
The Secretary has carefully reviewed the comments and, based upon
further intradepartmental review, has decided to remove from the final
regulations the provisions related to State auditors and audits in
Sec. Sec. 99.3 and 99.35(a)(3). We share the commenters' concerns
about preventing State auditors from conducting activities that they
routinely perform under applicable auditing standards. However, because
our focus was on the narrow definition of audit, we proposed a very
broad definition of State auditor in Sec. 99.3 and did not examine
which of the various types of officials, offices, committees, and staff
in executive and legislative branches of State government should be
included in the definition. We are concerned that without the narrow
definition of audit as proposed in Sec. 99.35(a)(3), the proposed
definition of State auditor may allow non-consensual disclosures of
education records to a variety of officials for purposes not supported
by the statute. The Department will study the matter further and may
issue new regulations or guidance, as appropriate. In the interim, the
Department will provide guidance on a case-by-case basis.
Changes: We are not including the definition of State auditor in
Sec. 99.3 and the provisions related to State auditors and audits in
Sec. 99.35(a)(3) in these final regulations.
Disclosures to Parents (Sec. Sec. 99.5 and 99.36)
Comment: A majority of commenters approved of the Secretary's
efforts to clarify that, even after a student has become an eligible
student, an educational agency or institution may disclose education
records to the student's parents, without the consent of the student,
if certain conditions are met. Those commenters stated that the
clarification was especially helpful, particularly in light of issues
that arose after the April 2007 shootings at the Virginia Polytechnic
Institute and State University (Virginia Tech). A commenter stated that
the clarification will assist emergency management officials on college
and university campuses and help school officials know when they can
properly share student information with parents and students. One
commenter expressed support for the proposed regulations, because it
has been her experience that colleges do not share information with
parents on their children's financial aid or academic status.
Some commenters disagreed with the proposed changes. One stated
that, due to varying family dynamics, disclosures should not be limited
only to parents, but should also include other appropriate family
members. Another commenter objected to the phrase in Sec. 99.5(a)(2)
that would permit disclosure to a parent without the student's consent
if the disclosure meets ``any other provision in Sec. 99.31(a).'' The
commenter stated that this ``catch-all phrase'' exceeded statutory
authority.
Noting the sensitivity of financial information included in income
tax returns, a few commenters raised concerns about the discussion in
the
[[Page 74813]]
NPRM in which we explained that an institution can determine that a
parent claimed a student as a dependent by asking the parent to supply
a copy of the parent's most recent Federal tax return. Another
commenter stated that the NPRM did not go far enough and recommended
specifically requiring an institution to rely on a copy of a parent's
most recent Federal tax return to determine a student's dependent
status, while another commenter recommended that we change the
regulations to indicate that only the parent who has claimed the
student as a dependent may have access to the student's education
records.
A commenter noted that some States have high school students who
are concurrently enrolled in secondary schools and postsecondary
institutions as early as ninth grade and supported the clarification
that postsecondary institutions may disclose information to parents of
students who are tax dependents.
Discussion: Parents' rights under FERPA transfer to a student when
the student reaches age 18 or enters a postsecondary institution. 20
U.S.C. 1232g(d). However, under Sec. 99.31(a)(8), an educational
agency or institution may disclose education records to an eligible
student's parents if the student is a dependent as defined in section
152 of the Internal Revenue Code of 1986. Under Sec. 99.31(a)(8),
neither the age of a student nor the parent's status as custodial
parent is relevant to the determination whether disclosure of
information from an eligible student's education records to that parent
without written consent is permissible under FERPA. If a student is
claimed as a dependent for Federal income tax purposes by either
parent, then under the regulations, either parent may have access to
the student's education records without the student's consent.
The statutory exception to the consent requirement in FERPA for the
disclosure of records of dependent students applies only to the parents
of the student. 20 U.S.C. 1232g(b)(1)(H). Accordingly, the Secretary
does not have statutory authority to apply Sec. 99.31(a)(8) to any
other family members. However, under Sec. 99.30(b)(3), an eligible
student may provide consent for the school to disclose information from
his or her education records to another family member. In some
situations, such as when there is no parent in the student's life or
the student is married, a spouse or other family member may be
considered an appropriate party to whom a disclosure may be made,
without consent, in connection with a health or safety emergency under
Sec. Sec. 99.31(a)(10) and 99.36.
In most cases, when an educational agency or institution discloses
education records to parents of an eligible student, we expect the
disclosure to be made under the dependent student provision (Sec.
99.31(a)(8)), in connection with a health or safety emergency
(Sec. Sec. 99.31(a)(10) and 99.36), or if a student has committed a
disciplinary violation with respect to the use or possession of alcohol
or a controlled substance (Sec. 99.31(a)(15)). This is the reason we
mention these provisions specifically in the regulations. However,
inclusion of the phrase ``of any other provision in Sec. 99.31(a)'' in
Sec. 99.5(a)(2) is necessary and within our statutory authority
because there may be other exceptions to FERPA's general consent
requirement under which an agency or institution might disclose
education records to a parent of an eligible student, such as the
directory information provision in Sec. 99.31(a)(11) and the provision
permitting disclosure in compliance with a court order or lawfully
issued subpoena in Sec. 99.31(a)(9).
As we explained in the NPRM, institutions can determine that a
parent claims a student as a dependent by asking the parent to submit a
copy of the parent's most recent Federal income tax return. However, we
do not think it is appropriate to require an agency or institution to
rely only on the most recent tax return to determine the student's
dependent status because institutions should have flexibility in how to
reach this determination. For instance, institutions may rely instead
on a student's assertion that he or she is not a dependent unless the
parent provides contrary evidence. We agree that financial information
on a Federal tax return is sensitive information and, for that reason,
in providing technical assistance and compliance training to school
officials, we have advised that parents may redact all financial and
other unnecessary information that appears on the form, as long as the
tax return clearly shows the parent's or parents' names and the fact
that the student is claimed as a dependent.
In addition, in the fall of 2007, we developed two model forms that
appear on the Department's Family Policy Compliance Office (FPCO or the
Office) Web site that institutions may adapt and provide to students at
orientation to indicate whether they are a dependent and, if not, to
obtain consent from the student for disclosure of information to
parents:
http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/modelform.html
and
http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/modelform2.html.
With regard to the comment about high school students who are
concurrently enrolled in postsecondary institutions as early as ninth
grade, FERPA not only permits those postsecondary institutions to
disclose information to parents of the high school students who are
dependents for Federal income tax purposes, it also permits high
schools and postsecondary institutions who have dually-enrolled
students to share information. Where a student is enrolled in both a
high school and a postsecondary institution, the two schools may share
education records without the consent of either the parents or the
student under Sec. 99.34(b). If the student is under 18, the parents
still retain the right under FERPA to inspect and review any education
records maintained by the high school, including records that the
college or university disclosed to the high school, even though the
student is also attending the postsecondary institution.
Changes: None.
Outsourcing (Sec. 99.31(a)(1)(i)(B))
(a) Outside Parties Who Qualify as School Officials
Comment: A few commenters disagreed with the proposal to expand the
``school officials'' exception in Sec. 99.31(a)(1)(i)(B) to include
contractors, consultants, volunteers, and other outside parties to whom
an educational agency or institution has outsourced institutional
services or functions it would otherwise use employees to perform. They
believed that the modifications undermined the plain language of the
statute and congressional intent. Several other commenters supported
the proposed regulations, saying that it was helpful to include in the
regulations what has historically been the Department's interpretation
of the ``school officials'' exception. A majority of commenters, while
not agreeing or disagreeing with the proposed changes in Sec.
99.31(a)(1)(i)(B), raised a number of issues concerning the proposal.
Several commenters expressed concern that the requirement that an
outside party must perform an institutional service or function for
which the agency or institution would otherwise use employees is too
restrictive and impractical. One commenter noted that some functions
that a contractor performs could not be performed by a school official.
Some commenters said we should clarify the regulations to explain
the
[[Page 74814]]
circumstances under which volunteers may serve as school officials and
have access to personally identifiable information from education
records in connection with their services or responsibilities to the
school. One commenter noted that this clarification was needed
especially for parent-volunteers working at a school attended by their
own children where they are likely to know other students and their
families.
Several commenters asked that we clarify in the regulations that
Sec. 99.31(a)(1) also applies to school transportation officials,
school bus drivers, and school bus attendants who need access to
education records in order to safely and efficiently transport
students. Another commenter asked for clarification whether, under the
proposed regulations, practicum students, fieldwork students, and
unpaid interns in schools would be considered ``school officials.'' One
commenter asked whether Sec. 99.31(a)(1) permits outsourced medical
providers to be considered ``school officials.''
One commenter asked how proposed Sec. 99.31(a)(1) would apply to
parties other than educational agencies and institutions. The commenter
was concerned about permitting SEAs to disclose personally identifiable
information to outside parties under Sec. 99.31(a)(1)(i)(B) because
SEAs are not subject to Sec. 99.7, which requires educational agencies
and institutions to annually notify parents and eligible students of
their rights under FERPA, including a specific requirement in Sec.
99.7(a)(3)(iii) that an educational agency or institution that has a
policy of disclosing information under Sec. 99.31(a)(1) must include
in its annual notice a specification of criteria for determining who
constitutes a school official and what constitutes a legitimate
educational interest. A number of commenters requested clarification
about the applicability of Sec. 99.31(a)(1)(i)(B) to State authorities
that operate State longitudinal data systems that maintain records of
local educational agencies (LEAs) or institutions and are responsible
for certain reporting requirements under the No Child Left Behind Act.
Some of these commenters believe that State authorities operating these
systems are ``school officials'' under Sec. 99.31(a)(1) who should be
able to disclose education records for the purpose of outsourcing under
Sec. 99.31(a)(1)(i)(B).
One commenter recommended that the regulations permit the
disclosure of education records to non-educational State agencies for
evaluation purposes under Sec. 99.31(a)(1). Another commenter asked
that we revise the regulations to permit representatives of the Centers
for Disease Control and Prevention to access education records for the
purpose of public health surveillance under the ``school officials''
exception.
Another commenter requested further guidance on how Sec.
99.31(a)(1) would apply to local law enforcement officers who work in
collaboration with schools in various capacities and whether education
records could be shared with these officers in order to ensure safe
campuses.
Discussion: The Secretary does not agree that the proposed changes
to Sec. 99.31(a)(1) go beyond the plain reading of the statute and
congressional intent. As we explained in the NPRM, FERPA's broad
definition of education records includes records that are maintained by
``a person acting for'' an educational agency or institution. 20 U.S.C.
1232g(a)(4)(A)(ii); see 34 CFR 99.3. (In floor remarks describing the
meaning of the definition of education records, Senators James Buckley
and Claiborne Pell, principal sponsors of the December 1974 FERPA
amendments, specifically referred to materials that are maintained by a
school ``or by one of its agents.'' See ``Joint Statement in
Explanation of Buckley/Pell Amendment'' (Joint Statement), 120 Cong.
Rec. S21488 (Dec. 13, 1974).) Although the Secretary is concerned that
educational agencies and institutions not misapply Sec. 99.31(a)(1),
the changes to the regulations are necessary to clarify the scope of
the ``school officials'' exception in FERPA.
We disagree with commenters that the requirement in Sec.
99.31(a)(1)(i)(B)(1) that the outside party must perform an
institutional service or function for which the agency or institution
would otherwise use employees is too restrictive or unworkable. The
requirement serves to ensure that the ``school officials'' exception
does not expand into a general exception to the consent requirement in
FERPA that would allow disclosure any time a vendor or other outside
party wants access to education records to provide a product or service
to schools, parents, and students. As explained in the preceding
paragraphs and in the NPRM, 73 FR 15578-15579, the statutory basis for
expanding the ``school officials'' exception to outside service
providers is that they are ``acting for'' the agency or institution,
not selling products and services. This means, for example, that a
school may not use the ``school officials'' exception to disclose
personally identifiable information from a student's education record,
such as the student's SSN or student ID number, without consent, to an
insurance company that wishes to offer students a discount on auto
insurance because the school is not outsourcing an institutional
service or function for which it would otherwise use its own employees.
Further, the requirement that the outside party must be performing
services or functions an employee would otherwise perform does not mean
that a school employee must be able to perform the outsourced service
in order for the outside party to be considered a school official under
Sec. 99.31(a)(1)(i)(B)(1). For example, many school districts
outsource their legal services on an as-needed basis. Even though these
school districts may have never hired an attorney as an employee, they
may still disclose personally identifiable information from education
records to outside legal counsel to whom they have outsourced their
legal services. FERPA does not otherwise restrict whether a school may
outsource institutional services and functions; it only addresses to
whom and under what conditions personally identifiable information from
students' education records may be disclosed.
Once a school has determined that an outside party is a ``school
official'' with a ``legitimate educational interest'' in viewing
certain education records, that party may have access to the education
records, without consent, in order to perform the required
institutional services and functions for the school. These outside
parties may include parents and other volunteers who assist schools in
various capacities, such as serving on official committees, serving as
teachers' aides, and working in administrative offices, where they need
access to students' education records to perform their duties.
The disclosure of education records under any of the conditions
listed in Sec. 99.31, including the ``school officials'' exception, is
permissive and not required. (Only parents and eligible students have a
right under FERPA to inspect and review their education records.)
Therefore, schools should always use good judgment in determining the
extent to which volunteers, as well as other school officials, need to
have access to education records and to ensure that school officials,
including volunteers, do not improperly disclose information from
students' education records.
We decline to adopt commenters' suggestion that we include in Sec.
99.31(a)(1)(i)(B) a list of the types of parties who may serve as
school officials and receive personally identifiable information from
education
[[Page 74815]]
records in connection with the institutional services and functions
outsourced by the school. We think it would be impossible to provide a
comprehensive listing and believe that agencies and institutions are in
the best position to make these determinations. At the discretion of a
school, school officials may include school transportation officials
(including bus drivers), school nurses, practicum and fieldwork
students, unpaid interns, consultants, contractors, volunteers, and
other outside parties providing institutional services and performing
institutional functions, provided that each of the requirements in
Sec. 99.31(a)(1)(i)(B) has been met.
Under Sec. 99.31(a)(1), a university could outsource the practical
training of students. The information disclosed to the hospital,
clinic, or business conducting the practical training may only be used
for the purposes for which it was disclosed. In the NPRM, we discuss in
more detail the types of services and functions covered under Sec.
99.31(a)(1)(i)(B). (73 FR 15578-15580.)
In response to the comment about the applicability of Sec.
99.31(a)(1)(i)(B) to State educational authorities that operate State
longitudinal data systems, such officials are not ``school officials''
under FERPA. Rather, these officials are generally considered
authorized representatives of a State educational authority, and LEAs
typically disclose information from students' education records to a
longitudinal data system maintained by an SEA or other State
educational authorities under the exception to the consent requirement
for disclosures to authorized representatives of State and local
educational authorities (Sec. 99.31(a)(3)(iv)), not the ``school
officials'' exception. This issue is explained in more detail elsewhere
in this preamble under Educational research (Sec. Sec. 99.31(a)(6),
99.31(a)(3)). We also discuss disclosures to non-educational agencies,
such as to public health agencies, in the section of this preamble
entitled Disclosure of Education Records to Non-Educational Agencies.
Members of a school's law enforcement unit, as defined in Sec.
99.8 of the regulations, who are employed by the agency or institution
qualify as school officials under Sec. 99.31(a)(1)(i)(A) if the school
has complied with the notification requirements in Sec.
99.7(a)(3)(iii). As school officials, they may be given access to
personally identifiable information from those students' education
records in which the school has determined they have legitimate
educational interests. The school's law enforcement unit must protect
the privacy of education records it receives and may disclose them only
with consent or under one of the exceptions to consent listed in Sec.
99.31. For that reason, it is advisable that officials of a law
enforcement unit maintain education records separately from law
enforcement unit records, which are not subject to FERPA requirements.
As we explained in Balancing Student Privacy and School Safety: A Guide
to the Family Educational Rights and Privacy Act for Elementary and
Secondary Schools, investigative reports and other records created by
an institution's law enforcement unit are excluded from the definition
of education records under Sec. 99.3 and, therefore, are not subject
to FERPA requirements. Accordingly, schools may disclose information
from law enforcement unit records to anyone, including local police and
other outside law enforcement authorities, without consent. This
brochure can be found on FPCO's ``Safe Schools & FERPA'' Web page:
http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/index.html.
Outside police officers or other non-employees to whom the school
has outsourced its safety and security functions do not qualify as
``school officials'' under FERPA unless they meet each of the
requirements of Sec. 99.31(a)(1)(i)(B). If these police officers or
other outside parties do not meet the requirements for being a school
official under FERPA, they may not have access to students' education
records without consent, unless there is a health or safety emergency,
a lawfully issued subpoena or court order, or some other exception to
FERPA's general consent requirement under which the disclosure falls.
With respect to our amendment to the ``school officials''
exception, we note that Sec. 99.32(d) excludes from the recordation
requirements disclosures of education records that educational agencies
and institutions make to school officials. This exclusion from the
recordation requirement will apply as well to disclosures to
contractors, consultants, volunteers, and other outside parties to whom
an agency or institution discloses education records under Sec.
99.31(a)(1)(i)(B). The Department has long recognized that FERPA does
not prevent schools from outsourcing institutional services and
functions; to require schools to record disclosures to these outside
parties serving as school officials would be overly burdensome and
unworkable.
An educational agency or institution that complies with the
notification requirements in Sec. 99.7(a)(3)(iii) by specifying its
policy regarding the disclosure of education records to contractors and
other outside parties serving as school officials provides legally
sufficient notice to parents and students regarding these disclosures.
We have posted model notifications on our Web site, one for
postsecondary institutions and one for LEAs. See http://www.ed.gov/policy/gen/guid/fpco/ferpa/ps-officials.html and http://www.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html.
Changes: None.
(b) Direct Control
Comment: Some commenters asked the Department to clarify what the
term ``direct control'' means as used in Sec. 99.31(a)(1)(i)(B)(2).
This section provides that in order to be considered a ``school
official'' an outside party must be under the direct control of the
agency or institution. Some commenters asked if this term means that
the school must monitor the operations of the outside party, and how it
affects an agency's or institution's relationship with subcontractors
or third- or fourth-party database hosting companies. One commenter
stated that the regulations should not distinguish between whether the
education records are hosted in a vendor's offsite network or within
the institution's local network servers, while another commenter asked
for clarification of how Sec. 99.31(a)(1)(i)(B) applies to outsourcing
electronic mail (e-mail) services to third parties such as Microsoft or
Google.
One commenter stated that institutions should be required to verify
that parties to whom they outsource services have the necessary
resources to safeguard education records provided to them.
A commenter suggested that, instead of the proposed ``direct
control'' standard, the Department adopt language similar to the
safeguarding standard found in the Gramm-Leach-Bliley Act (GLB) (Pub.
L. 106-102, November 12, 1999). The commenter suggested that, as
adapted in FERPA, the standard would require that for an outside party,
acting on behalf of an educational institution, to be considered a
``school official,'' the institution would have to: (1) Take reasonable
steps to select and retain contractors, consultants, volunteers, or
other outside parties that are capable of maintaining appropriate
safeguards with respect to education records; and (2) mandate by
contract that the outside party implement and maintain such safeguards.
Discussion: The term ``direct control'' in Sec.
99.31(a)(1)(i)(B)(2) is intended to
[[Page 74816]]
ensure that an educational agency or institution does not disclose
education records to an outside service provider unless it can control
that party's maintenance, use, and redisclosure of education records.
This could mean, for example, requiring a contractor to maintain
education records in a particular manner and to make them available to
parents upon request. We are revising the regulations, however, to
provide this clarification.
Neither the statute nor the FERPA regulations specifically requires
that educational agencies and institutions verify that outside parties
to whom schools outsource services have the necessary resources to
safeguard education records provided to them. However, as discussed in
the NPRM, educational agencies and institutions are responsible under
FERPA for ensuring that they themselves do not have a policy or
practice of releasing, permitting the release of, or providing access
to personally identifiable information from education records, except
in accordance with FERPA. This includes ensuring that outside parties
that provide institutional services or functions as ``school
officials'' under Sec. 99.31(a)(1)(i)(B) do not maintain, use, or
redisclose education records except as directed by the agency or
institution that disclosed the information.
The ``direct control'' requirement is intended to apply only to the
outside party's provision of specific institutional services or
functions that have been outsourced and the education records provided
to that outside party to perform the services or function. It is not
intended to affect an outside service provider's status as an
independent contractor or render that party an employee under State or
Federal law.
We believe that the use of the ``direct control'' standard strikes
an appropriate balance in identifying the necessary and proper
relationship between the school and its outside parties that are
serving as ``school officials.'' The recommendation that we adopt a
standard more closely aligned with the GLB standard does not appear
workable, especially with regard to requiring that schools enter into
formal contracts with each outside party performing services, including
parent-volunteers. However, one way in which schools can ensure that
parties understand their responsibilities under FERPA with respect to
education records is to clearly describe those responsibilities in a
written agreement or contract.
Exercising direct control could prove more challenging in some
situations than in others. Schools outsourcing information technology
services, such as web-based and e-mail services, should make clear in
their service agreements or contracts that the outside party may not
use or allow access to personally identifiable information from
education records, except in accordance with the requirements
established by the educational agency or institution that discloses the
information.
Changes: We have revised Sec. 99.31(a)(1)(B)(2) to clarify that
the outside party must be under the direct control of the agency or
institution with respect to the use and maintenance of information from
education records.
(c) Protection of Records by Outside Parties Serving as School
Officials
Comment: We received several comments on proposed Sec.
99.31(a)(1)(i)(B)(3), which provides that an outside party serving as a
``school official'' is subject to the requirement in Sec. 99.33(a),
regarding the use and redisclosure of personally identifiable
information from education records. One commenter stated that, while he
supported and welcomed this clarification, the proposed regulations did
not go far enough to clarify that these outside third parties could not
use education records of multiple institutions for which they serve as
a contractor to engage in activities not associated with the service or
function they were providing.
Some commenters suggested that the regulations should require all
school officials who handle education records, including parties to
whom institutional services and functions are outsourced, to
participate in annual training and to undergo fingerprint and
background investigations.
Another commenter stated that any disclosures associated with the
outsourcing of institutional services and functions should include a
record that will serve as an audit trail. The commenter noted that both
the Health Insurance Portability and Accountability Act (HIPAA) and the
Privacy Act of 1974 require the maintenance of audit trails or an
accounting of disclosures of records.
Discussion: An agency or institution must ensure that an outside
party providing institutional services or functions does not use or
allow access to education records except in strict accordance with the
requirements established by the educational agency or institution that
discloses the information. Section 99.33(a)(2) of the FERPA regulations
applies to employees and outside service providers alike and prohibits
the recipient from using education records for any purpose other than
the purposes for which the disclosure was made. This includes ensuring
that outside parties do not use education records in their possession
for purposes other than those specified by the institution that
disclosed the records.
FERPA does not specifically require that educational agencies and
institutions provide annual training to school officials that handle
education records, and we decline to establish such a requirement in
these regulations. Educational agencies and institutions should have
flexibility in determining the best way to ensure that school officials
are made aware of the requirements of FERPA. However, for entities
subject to the Individuals with Disabilities Education Act (IDEA), 34
CFR 300.623(c) provides that all persons collecting or using personally
identifiable information must receive training or instruction regarding
their State's policies and procedures under 34 CFR 300.123
(Confidentiality of personally identifiable information) and 34 CFR
Part 99, the FERPA regulations. We note that while schools are
certainly free to implement a policy requiring school officials and
parties to whom services have been outsourced to undergo fingerprint
and background investigations, there is no statutory authority in FERPA
to include such a requirement in the regulations.
We note also that the Department routinely provides compliance
training on FERPA for school officials. Typically, presentations are
made throughout the year to national, regional, or State educational
association conference workshops with numerous institutions in
attendance. Training sessions are also scheduled for State departments
of education and local school districts in the vicinity of any
conference.
For a discussion of the comment that recommended that the
regulations require that schools maintain an audit trail or an
accounting of disclosures to school officials, including outside
providers, see the discussion under the following section entitled
Control of Access to Education Records by School Officials.
Changes: None.
Control of Access to Education Records by School Officials (Sec.
99.31(a)(1)(ii))
Comment: Many commenters supported proposed Sec. 99.31(a)(1)(ii),
which requires an educational agency or institution to use reasonable
methods to ensure that school officials have access to only those
education records in which the official has a legitimate educational
interest. In this section, we also proposed that an educational
[[Page 74817]]
agency or institution that does not use physical or technological
access controls must ensure that its administrative policy for
controlling access to education records is effective and that it
remains in compliance with the ``legitimate educational interest''
requirement.
One commenter who supported the proposed regulations expressed
concern that not all districts and institutions have the financial or
technological resources to create or purchase an electronic system that
provides fully automated access control and that an institution using
only administrative controls would be required to demonstrate that each
school official who accessed education records possessed a legitimate
educational interest in the education records to which the official
gained access. According to the commenter, the regulations seem to omit
the ``reasonable methods'' concept for those schools that utilize
administrative controls rather than physical or technological controls.
The commenter was concerned that smaller schools that lack resources to
create or purchase a system that fully monitors record access would be
disadvantaged by having to meet a higher standard of ensuring a
legitimate educational interest on the part of the school officials
that access the records.
One commenter expressed concern that the standard in Sec.
99.31(a)(1)(ii) is too restrictive and asked whether the Department
would use flexibility and deference in taking into consideration an
institution's efforts in compliance with the requirement.
Another commenter requested that we include in the regulations a
requirement that contractors hosting data at offsite locations must
institute effective access control measures. The commenter stated that
many schools and contractors are uncertain as to whether the school or
the contractor is responsible for ensuring that access controls are
applied to data hosted by contractors.
One commenter stated that the regulations created an unnecessary
burden, as school districts already do their best to comply with FERPA
and an occasional mistake should be excused. The commenter, however,
was pleased that the regulations do not require the use of
technological controls. The commenter was concerned that schools are
unable to pre-assign risk levels to categories of records in order to
determine appropriate methods to mitigate improper access. The
commenter supported the use of effective administrative controls as
determined by a district to ensure that information is available only
to those with a legitimate educational interest.
One commenter expressed concern that the requirement to use
reasonable methods to ensure appropriate access was not sufficiently
restrictive, because under the regulations, all volunteers would be
designated as school officials. The commenter believed that the
regulations would enable volunteers to gain access more easily to
confidential and sensitive information in education records.
A commenter who is a parent of a special education student also
expressed concern that the language in the regulations was not
adequate. The commenter described a software package used by her
district that permits all school officials unrestricted access to the
IEPs of all special education students.
Discussion: Section 99.30 requires that a parent or eligible
student provide written consent for a disclosure of personally
identifiable information from education records unless the
circumstances meet one of the exceptions to consent, such as the
release of information to a school official with a legitimate
educational interest. Thus, a district or institution that makes a
disclosure solely on the basis that the individual is a school official
violates FERPA if it does not also determine that the school official
has a legitimate educational interest. The regulations in Sec.
99.31(a)(1)(ii) are designed to clarify the responsibility of the
educational agency or institution to ensure that access to education
records by school officials is limited to circumstances in which the
school official possesses a legitimate educational interest.
We believe that the standard of ``reasonable methods'' is
sufficiently flexible to permit each educational agency or institution
to select the proper balance of physical, technological, and
administrative controls to effectively prevent unauthorized access to
education records, based on their resources and needs. In order to
establish a system driven by physical or technological access controls,
a school would generally first determine when a school official has a
legitimate educational interest in education records and then determine
which physical or technological access controls are necessary to ensure
that the official can access only those records. The regulations
require a school that uses only administrative controls to ensure that
its administrative policy for controlling access to education records
is effective and that the school is in compliance with the legitimate
educational interest requirement in Sec. 99.31(a)(1)(i)(A). However,
the ``reasonable methods'' standard applies whether the control is
physical, technological, or administrative.
The regulations permit the use of a variety of methods to protect
education records, in whatever format, from improper access. The
Department expects that educational agencies and institutions will
generally make appropriate choices in designing records access
controls, but the Department reserves the right to evaluate the
effectiveness of those efforts in meeting statutory and regulatory
requirements.
The additional language that one commenter requested concerning
outsourcing is already included in the regulations in Sec.
99.31(a)(1). That section specifically provides that contractors are
subject to the same conditions governing the access and use of records
that apply to other school officials. As long as those conditions are
met, the physical location in which the contractor provides the service
is not relevant.
Because the regulations permit the use of a variety of methods to
effectively reduce the risk of unauthorized access to education
records, we do not believe the requirement to establish ``reasonable
methods'' for controlling access is unduly burdensome. Schools have the
flexibility to decide the method or methods best suited to their own
circumstances. For the many schools, districts, and institutions that
already meet the standard, no operational changes should be necessary.
The regulations do not designate all volunteers as school
officials. Rather, the regulations clarify that schools may designate
volunteers as school officials who may be provided access to education
records only when the volunteer has a legitimate educational interest.
Schools can and should carefully assess and limit access by any school
official, including volunteers. This issue is discussed in more detail
previously in this preamble under the section entitled Outsourcing.
With regard to the parent who expressed concern that the language
in the regulations was not adequate to address the problem of software
that permits all school officials to access the IEPs of all special
education students, we believe that the language in Sec.
99.31(a)(1)(ii) is sufficient. As previously noted, FERPA prohibits
school officials from having access to education records unless they
have a legitimate educational interest. The commenter's point
illustrates the need for educational agencies and institutions to
ensure that adequate controls are in
[[Page 74818]]
place to restrict access to education records only to a school official
with a legitimate educational interest.
Changes: None.
Transfer of Education Records to Student's New School (Sec. Sec.
99.31(a)(2) and 99.34(a))
Comment: All of the comments we received on proposed Sec. Sec.
99.31(a)(2) and 99.34(a) supported the clarification that an
educational agency or institution may disclose a student's education
records to officials of another school, school system, or institution
of postsecondary education not just when the student seeks or intends
to enroll, but after the student is already enrolled, so long as the
disclosure is for purposes related to the student's enrollment or
transfer. Some commenters noted that this clarification reduces legal
uncertainty about how long a school may continue to send records or
information to a student's new school; other commenters noted that this
clarification will be helpful in serving students who are homeless or
in foster care because these students are often already enrolled in a
new school system while waiting for records from a previous enrollment.
A few commenters asked us to clarify the requirement that the
disclosure must be for purposes related to the student's enrollment or
transfer. The commenters asked whether this meant that only records
specifically related to the new school's decision to admit the student
or records related to the transfer of course credit could be disclosed,
or whether the agency or institution could also disclose information
about previously undisclosed disciplinary actions related to the
student's ongoing attendance at the new institution. One commenter
suggested that we remove the requirement that the disclosure must be
for purposes of the student's enrollment or transfer because it was
confusing and unnecessary. Some commenters asked the Department to
provide guidance about the types of records that may be sent under the
regulations to a student's new school, noting that the preamble to the
NPRM stated that the regulations allow school officials to disclose any
and all education records, including health and disciplinary records,
to the new school (73 FR 15581).
One commenter asked us to clarify that any school, not just the
school the student attended most recently, may disclose information
from education records to the institution that the student currently
attends. Another commenter asked whether the amended regulations would
permit the disclosure of education records to an institution in which a
student seeks information or services but not enrollment, such as when
a charter school student requests an evaluation under the IDEA from the
student's home school district.
Two commenters asked whether mental health and other treatment
records of postsecondary students, which are excluded from the
definition of education records under FERPA, could be disclosed to the
new school. Other commenters asked whether FERPA places any limits on
the transfer of information about student disciplinary actions to
colleges and universities and what information a postsecondary
institution may ask for and receive regarding a student's disciplinary
actions. A few commenters asked us to address the relationship between
these regulations and guidance issued by the Department's Office for
Civil Rights (OCR) prohibiting the pre-admission release of information
about a student's disability under section 504 of the Rehabilitation
Act of 1973, as amended, and Title II of the Americans with
Disabilities Act of 1990, as amended.
Discussion: The regulations are intended to eliminate uncertainty
about whether, under Sec. 99.31(a)(2), an educational agency or
institution may send education records to a student's new school even
after the student is already enrolled and attending the new school. The
requirement that the disclosure must be for purposes related to the
student's enrollment or transfer is not intended to limit the kind of
records that may be disclosed under this exception. Instead, the
regulations are intended to clarify that, after a student has already
enrolled in a new school, the student's former school may disclose any
records or information, including health records and information about
disciplinary proceedings, that it could have disclosed when the student
was seeking or intending to enroll in the new school.
These regulations apply to any school that a student previously
attended, not just the school that the student attended most recently.
For example, under Sec. 99.31(a)(2), a student's high school may send
education records directly to a graduate school in which the student
seeks admission, or is already enrolled. Section 99.34(b), which
explains the conditions that apply to the disclosure of information to
officials of another school, school system, or postsecondary
institution, allows a public charter school or other agency or
institution to disclose the education records of one of its students in
attendance to the student's home school district if the student
receives or seeks to receive services from the home school district,
including an evaluation under the IDEA. We note, however, that the
confidentiality of information regulations under Part B of the IDEA
contain additional consent requirements that may also apply in these
circumstances.
Under section 444(a)(4)(B)(iv) of FERPA, 20 U.S.C.
1232g(a)(4)(B)(iv), medical and psychological treatment records of
eligible students are excluded from the definition of education records
if they are made, maintained, and used only in connection with
treatment of the student and disclosed only to individuals providing
the treatment, including treatment providers at the student's new
school. (While the comment concerned records of postsecondary students,
we note that the treatment records exception to the definition of
education records applies also to any student who is 18 years of age or
older, including 18-year-old high school students.) An educational
agency or institution may disclose an eligible student's treatment
records to the student's new school for purposes other than treatment
provided that the records are disclosed under one of the exceptions to
written consent under Sec. 99.31(a), including Sec. 99.31(a)(2), or
with the student's written consent under Sec. 99.30. If an educational
agency or institution discloses an eligible student's treatment records
for purposes other than treatment, the treatment records are no longer
excluded from the definition of education records and are subject to
all other FERPA requirements, including the right of the eligible
student to inspect and review the records and to seek to have them
amended under certain conditions. In practical terms, this means that
an agency or institution may disclose an eligible student's treatment
records to the student's new school either with the student's written
consent, or under one of the exceptions in Sec. 99.31(a), including
Sec. 99.31(a)(2), which permits disclosure to a school where a student
seeks or intends to enroll, or where the student is already enrolled so
long as the disclosure is for purposes related to the student's
enrollment or transfer.
FERPA does not contain any particular restrictions on the
disclosure of a student's disciplinary records. Further, Congress has
enacted legislation to ensure that schools transfer disciplinary
records to a student's new school in certain circumstances. In
particular, section 444(h) of the statute, 20 U.S.C. 1232g(h), and the
implementing regulations in Sec. 99.36(b) provide that nothing in
FERPA prevents an educational agency
[[Page 74819]]
or institution from including in a student's records and disclosing to
teachers and school officials, including those in other schools,
appropriate information about disciplinary actions taken against the
student for conduct that posed a significant risk to the safety or
well-being of that student, other students, or other members of the
school community. This authority is in addition to any other authority
in FERPA for the disclosure of education records without consent,
including the authority under Sec. 99.36(a) to disclose education
records in connection with a health or safety emergency. In addition,
section 4155 of the Elementary and Secondary Education Act of 1965
(ESEA), 20 U.S.C. 7165, as amended by the No Child Left Behind Act of
2001 (NCLB), requires a State that receives funds under the ESEA to
have a procedure in place to facilitate the transfer of disciplinary
records, with respect to a suspension or expulsion, by LEAs to any
private or public elementary school or secondary school for any student
who is enrolled or seeks, intends, or is instructed to enroll, on a
full- or part-time basis, in the school.
There are, however, other Federal laws, such as the IDEA, section
504 of the Rehabilitation Act of 1973, as amended (Rehabilitation Act),
and Title II of the Americans with Disabilities Act of 1990, as amended
(ADA), with different requirements that may affect the release of
student information. For example, educational agencies and institutions
that are ``public agencies'' or ``participating agencies'' under the
IDEA must comply with the requirements in the Part B confidentiality of
information regulations. See, e.g., 34 CFR 300.622(b)(2) and (3). By
way of further illustration, because educational agencies and
institutions receive Federal financial assistance, they must comply
with the regulations implementing section 504 of the Rehabilitation
Act, which generally prohibit postsecondary institutions from making
pre-admission inquiries about an applicant's disability status. See 34
CFR 104.42(b)(4) and (c). However, after admission, in connection with
an emergency and if necessary to protect the health or safety of a
student or other persons as defined under FERPA and its implementing
regulations, section 504 of the Rehabilitation Act and Title II of the
ADA do not prohibit postsecondary institutions from obtaining
information and education records concerning a current student,
including those with disabilities, from any school previously attended
by the student. See the discussion in the section entitled Health or
Safety Emergency (Sec. 99.36).
Changes: None.
Ex Parte Court Orders Under the USA Patriot Act (Sec. 99.31(a)(9))
Comment: Two commenters expressed support for the proposed
regulations, which incorporate statutory changes that allow an
educational agency or institution to comply with an ex parte court
order issued under the USA Patriot Act. One commenter said that it
would be helpful to add to the regulations a statement from the
preamble to the NPRM that an institution is not responsible for
determining the relevance of the information sought or the merits of
the underlying claim for the court order.
Several commenters opposed Sec. 99.31(a)(9). One commenter said
that the USA Patriot Act is unconstitutional and that its provisions
will sunset in 2009. Another commenter said that the regulations harm
its ability to preserve the confidentiality of education records,
particularly those of foreign students. The commenter asked us to
change the regulations to permit institutions to notify students when
records are requested, unless the ex parte court order specifically
states that the student should not be notified. Another commenter said
that schools should be required to notify parents when records are
requested and to record the disclosure.
Discussion: The USA Patriot Act amendments to FERPA have not been
ruled unconstitutional, and its provisions relevant to FERPA do not
sunset in 2009. Therefore, we are implementing these provisions in our
regulations at this time.
Under the USA Patriot Act, the U.S. Attorney General, or a designee
in a position not lower than an Assistant Attorney General, may apply
for an ex parte court order to collect, retain, disseminate, and use
certain education records in the possession of an educational agency or
institution without regard to any other FERPA requirements, including
in particular the recordkeeping requirements. 20 U.S.C. 1232g(j)(3) and
(4). The USA Patriot Act amendments to FERPA also provide that an
educational agency or institution that complies in good faith with the
court order is not liable to any person for producing the information.
Nothing in these amendments, including the ``good faith'' requirement,
requires an educational agency or institution to evaluate the
underlying merits or legal sufficiency of the court order before
disclosing the requested information without consent. As with any court
order or subpoena that forms the basis of a disclosure without consent
under Sec. 99.31(a)(9), the agency or institution must simply
determine whether the ex parte court order is facially valid. We see no
reason to include this general requirement in the regulations.
Section 99.31(a)(9)(ii) requires an agency or institution to make a
reasonable effort to notify a parent or eligible student of a judicial
order or lawfully issued subpoena in advance of compliance, except for
certain law enforcement subpoenas if the court has ordered the agency
or institution not to disclose the existence or contents of the
subpoena or information disclosed. An ex parte order is by definition
an order issued without notice to or argument from the other party,
including the party whose education records are sought, and the USA
Patriot Act amendments provide that the Attorney General may collect
and use the records without regard to any FERPA requirements, including
the recordation requirements. Under this statutory authority, the
regulations properly provide that the agency or institution is not
required to notify the parent or eligible student before complying with
the order or to record the disclosure.
We do not agree with the commenter's request that we amend the
regulations to allow agencies and institutions to notify parents and
students and record these disclosures. We note that FERPA does not
prohibit an educational agency or institution from notifying a parent
or student or recording a disclosure made in compliance with an ex
parte court order under the USA Patriot Act. However, an agency or
institution that does so may violate the terms of the court order
itself and may also fail to meet the good faith requirements in the USA
Patriot Act for avoiding liability for the disclosure. We would also
recommend that agencies and institutions consult with legal counsel
before notifying a parent or student or recording a disclosure of
education records made in compliance with an ex parte court order under
the USA Patriot Act.
Changes: None.
Registered Sex Offenders (Sec. 99.31(a)(16))
Comment: One commenter asked for clarification whether the proposed
regulations authorizing the disclosure of personally identifiable
information from education records concerning registered sex offenders
authorize only the disclosure of information that is received from
local law enforcement officials, or whether disclosure could
[[Page 74820]]
also include other information from a student's education records, such
as campus of attendance. A second commenter expressed appreciation that
the regulations clarify that school districts are not required or
encouraged to collect or maintain information on registered sex
offenders and that these disclosures are permissible but not required.
Discussion: The Campus Sex Crimes Prevention Act (CSCPA) amendments
to FERPA allow educational agencies and institutions to disclose any
information concerning registered sex offenders provided to the agency
or institution under section 170101 of the Violent Crime Control and
Law Enforcement Act of 1994, 42 U.S.C. 14071, commonly known as the
Wetterling Act. Since publication of the NPRM, we have determined that
the proposed regulations were confusing, because they limited these
disclosures to information that was obtained and disclosed by an agency
or institution in compliance with a State community notification
program. In fact, the CSCPA amendments to FERPA cover any information
provided to an educational agency or institution under the Wetterling
Act, including not only information provided under general State
community notification programs, which are required under subsection
(e) of the Wetterling Act, 42 U.S.C. 14071(e), but also information
provided under the more specific campus community notification programs
for institutions of higher education, which are required under
subsection (j), 42 U.S.C. 14071(j).
The Wetterling Act requires States to release relevant information
about persons required to register as sex offenders that is necessary
to protect the public, including specific State reporting requirements
for law enforcement agencies having jurisdiction over institutions of
higher education. The exception to the consent requirement in FERPA
allows educational agencies and institutions to make available to the
school community any information provided to it under the Wetterling
Act. We interpret this to also include any additional information about
the student that is relevant to the purpose for which the information
was provided to the educational agency or institution--protecting the
public. This could include, for example, the school or campus at which
the student is enrolled.
The proposed regulations included a sentence stating that FERPA
does not require or encourage agencies or institutions to collect or
maintain information about registered sex offenders. We have determined
through further review, however, that this sentence could be confusing
and should be removed. Participating institutions are required under
section 485(f)(1) of the Higher Education Act of 1965, as amended, 20
U.S.C. 1092(f)(1), to advise the campus community where it may obtain
law enforcement agency information provided by the State under 42
U.S.C. 14071(j) concerning registered sex offenders. Further, the
Department does not wish to discourage educational agencies and
institutions from disclosing relevant information about a registered
sex offender in appropriate circumstances.
Changes: We have revised the regulations to remove the reference to
the disclosure of information obtained by the educational agency or
institution in compliance with a State community notification program.
The regulations now simply allow disclosure without consent of any
information concerning registered offenders provided to an educational
agency or institution under 42 U.S.C. 14071 and applicable Federal
guidelines. We also have removed the sentence stating that neither
FERPA nor the regulations requires or encourages agencies or
institutions to collect or maintain information about registered sex
offenders.
Redisclosure of Education Records and Recordkeeping by State and Local
Educational Authorities and Federal Officials and Agencies (Sec. Sec.
99.31(a)(3); 99.32(b); 99.33(b); 99.35(a)(2); 99.35(b))
(a) Redisclosure
Comment: We received a number of comments on the proposed changes
in Sec. 99.35(b) that would permit State and local educational
authorities and Federal officials and agencies listed in Sec.
99.31(a)(3) to redisclose personally identifiable information from
education records on behalf of educational agencies and institutions
without parental consent under the existing redisclosure authority in
Sec. 99.33(b). (Section 99.33(b) allows an educational agency or
institution to disclose personally identifiable information from
education records with the understanding that the recipient may make
further disclosures of the information on behalf of the agency or
institution if the disclosure falls under one of the exceptions in
Sec. 99.31(a) and the agency or institution has complied with the
recordation requirements in Sec. 99.32(b).) Many commenters said that
the proposed change would ease administrative burdens on State and
local educational authorities, agencies, and institutions. For example,
under the proposed regulations, a student's new school district or
institution would be able to obtain the student's prior education
records from a single State agency instead of contacting and waiting
for records from separate districts or institutions. Commenters noted,
however, that certain issues had not been addressed in the proposed
regulations and that further clarification was required. Commenters
also supported the new redisclosure authority to the extent that it
facilitates the exchange of education records among State educational
authorities, educational agencies and institutions, and educational
researchers through consolidated, statewide systems or separate data
sharing arrangements.
Two commenters expressed substantial concerns that the regulations
inappropriately expanded the situations in which personally
identifiable information could be redisclosed without parental or
student consent. One commenter noted that the theoretical benefits of
maintaining large, consolidated data systems, which allow users to
track individual students over time, do not outweigh the need to
protect individual privacy. Another commenter stated that the
regulations should not allow State and local educational authorities
and the Federal officials and agencies listed in Sec. 99.31(a)(3) to
set up and operate record systems containing personally identifiable
information that parents and students have no right to review or amend,
and may not even know about. Barring the withdrawal of these
regulations, these commenters urged the Department to strengthen or at
least preserve the safeguards and protections that accompany this new
data sharing authority. One commenter asked us to require any State or
Federal entity that maintains education records to provide parents and
students with annual notification and the right to review and amend the
students' records.
Many commenters indicated their strong support for allowing State
educational authorities to respond to requests for information from
education records and redisclose personally identifiable information,
whether for data sharing systems, transferring records to a student's
new school, or other purposes authorized under Sec. 99.31(a), without
involving school districts and postsecondary institutions. These
commenters generally thought that State educational authorities and
Federal officials listed in Sec. 99.31(a)(3) should not be required to
consult with educational agencies and institutions when redisclosing
information from education records. One commenter
[[Page 74821]]
asked us to clarify the role of the SEA or other State educational
authority as the custodian of education records and its authority to
act for educational agencies and institutions. Several commenters urged
us to revise the regulations to make clear that the redisclosing
official is authorized to make further disclosures under Sec. 99.31(a)
without approval from, or further consultation with, the original
source of the records and maintain the appropriate record related to
the redisclosure.
One commenter said that the regulations must allow State
educational authorities to transfer records on behalf of LEAs and
postsecondary institutions. One commenter strongly supported the
changes in Sec. 99.35(b) because they would allow the State
McKinney-Vento coordinator to control transfer of education records of abused
and homeless students to their new schools and prevent potential
abusers from locating the student.
Some commenters believed that current regulations impede the
ability of States to establish and operate data sharing systems and
that regulatory changes must allow all educational agencies,
institutions, SEAs, and other State educational authorities to exchange
data among themselves and work with researchers. One commenter
recommended that we create a specific exception in Sec. 99.31(a) that
would allow data sharing across State educational authorities in order
to establish and operate consolidated, longitudinal data systems.
Several commenters asked for clarification of the requirement in
Sec. 99.35(a)(2) that authority for an agency or official listed in
Sec. 99.31(a)(3) to conduct an audit, evaluation, or compliance or
enforcement activity is not conferred by FERPA or the regulations and
must be established under other Federal, State, or local law, including
valid administrative regulations. One commenter supported data sharing
among pre-school, K-12, and postsecondary institutions, provided that
appropriate legal authority for the underlying audit, evaluation, or
compliance and enforcement activity is established as required under
Sec. 99.35(a)(2). One commenter asked whether citation to a specific
law or regulations will be required, or whether general State laws that
provide joint authority to evaluate programs at all levels are
sufficient for parties to enter into data sharing agreements under the
regulations.
One commenter indicated that its State has no laws or regulations
that specifically allow the State-level advisory council to audit or
evaluate education programs, or that allow a K-12 school district to
audit or evaluate the programs offered by postsecondary institutions,
and vice versa, and the commenter asked whether general authority for
these entities to act under State law would be sufficient. Two
commenters whose States do not house their K-12 and postsecondary
systems within the same agency expressed concern whether they will be
able to develop consolidated databases under the regulations if their
K-12 and postsecondary agencies do not have appropriate authority to
audit or evaluate each other's programs.
Discussion: We continue to believe that State and local educational
authorities and Federal officials that receive education records under
Sec. Sec. 99.31(a)(3) and 99.35 should be permitted to redisclose
education records on behalf of educational agencies and institutions in
accordance with the existing regulations governing the redisclosure of
information in Sec. 99.33(b). We agree with the commenters that this
change will ease administrative burdens at all levels and facilitate
the creation and operation of statewide data sharing systems that
support the student achievement, program accountability, transfer of
records, and other objectives of Federal and State education programs
while protecting the privacy rights of parents and students in
students' education records.
We respond first to commenters' concerns about the requirement in
Sec. 99.33(b) that any redisclosure of personally identifiable
information from education records must be made on behalf of the
educational agency or institution that disclosed the information to the
receiving party, including any requirement for consulting with or
obtaining approval from the educational agency or institution that
disclosed the information. The statutory prohibitions on the
redisclosure of education records apply to education records that SEAs,
State higher educational authorities, the Department, and other Federal
officials receive under an exception to the written consent requirement
in FERPA, such as Sec. Sec. 99.31(a)(3) and 99.35 (for audit,
evaluation, compliance and enforcement purposes) and Sec. 99.31(a)(4)
(for financial aid purposes). As explained in the preamble to the NPRM,
Sec. 99.33(b) allows an educational agency or institution to disclose
education records with the understanding that the recipient may make
further disclosures on its behalf under one of the exceptions in Sec.
99.31 (73 FR 15586-15587). In that case, the disclosing agency or
institution must record the names of the additional parties to which
the receiving party may redisclose the information on behalf of the
educational agency or institution and their legitimate interests under
Sec. 99.31.
Under the regulatory framework for redisclosing education records
in Sec. 99.33(b), educational agencies and institutions retain primary
responsibility for disclosing and authorizing redisclosure of their
education records without consent. (We note again that the only
disclosures of education records that are mandatory under FERPA are
those made to parents and eligible students.) The purpose of Sec.
99.33(b), which allows redisclosure of education records
notwithstanding the general statutory restrictions, has always been to
ease administrative burdens on educational agencies and institutions
that disclose education records. The legal basis for this accommodation
is that the recipient is acting ``on behalf of'' the agency or
institution from which it received information from education records
and making a further disclosure that the agency or institution would
otherwise make itself under Sec. 99.31(a). Section 99.33(b) does not
confer on any recipient of education records independent authority to
redisclose those records apart from acting ``on behalf of'' the
disclosing educational agency or institution.
The Department recognizes that the State and local educational
authorities and Federal officials that receive education records
without consent under Sec. 99.31(a)(3) are responsible for supervising
and monitoring educational agencies and institutions and that many of
them also maintain centralized data systems that constitute a valuable
resource of information from education records. The proposed changes to
Sec. 99.35(b) would allow these State and Federal authorities and
officials to redisclose information received under Sec. 99.31(a)(3)
under any of the exceptions in Sec. 99.31(a), including transferring
education records to a student's new school under Sec. 99.31(a)(2),
sharing information among other State and local educational authorities
and Federal officials for audit or evaluation purposes under Sec.
99.31(a)(3), and using researchers to conduct evaluations and studies
under Sec. 99.31(a)(3) or Sec. 99.31(a)(6), without violating the
statutory prohibitions on redisclosing education records provided
certain conditions have been met. In the event that an educational
agency or institution objects to the redisclosure of information it has
provided, the State or
[[Page 74822]]
local educational authority or Federal official or agency may rely
instead on any independent legal authority it has to further disclose
the information.
We agree that current regulations were unclear about the ability of
States to establish and operate data sharing systems with educational
agencies and institutions, which is why we amended Sec. 99.35(b). As
explained in the NPRM (73 FR 15587), Sec. Sec. 99.35(a)(2) and
99.35(b) allow SEAs, higher education authorities, and educational
agencies and institutions, including local school districts and
postsecondary institutions, to share education records in personally
identifiable form with one another, provided that Federal, State, or
local law authorizes the recipient to conduct the audit, evaluation, or
compliance or enforcement activity in question. Accordingly, data
sharing arrangements among State and local educational authorities and
educational agencies and institutions generally must meet these
requirements to be permissible under FERPA. (Data sharing with
educational researchers is discussed below under Educational research.)
With respect to the comments recommending that we create a specific
exception in Sec. 99.31(a) to allow data sharing across State
educational authorities in order to establish and operate consolidated,
longitudinal data systems and other data sharing arrangements, there is
no provision in FERPA that allows disclosure or redisclosure of
education records, without consent, for the specific purpose of
establishing and operating consolidated databases and data sharing
systems, and, therefore, we are without authority to establish one in
these regulations.
In response to the questions concerning the need for Federal,
State, or local legal authority to disclose education records for audit
or evaluation purposes, we note that, in general, FERPA allows
educational agencies and institutions to disclose (and authorized
recipients to redisclose) education records without consent in
accordance with the exceptions listed in Sec. 99.31(a), including for
audit or evaluation purposes under Sec. Sec. 99.31(a)(3) and 99.35. It
does not, however, provide the underlying authority for individuals and
organizations to conduct the various activities that may allow them to
receive education records without consent under these exceptions. For
example, Sec. 99.31(a)(7) does not authorize an organization to
accredit educational institutions; it allows educational institutions
to disclose personally identifiable information from education records,
without consent, to an organization to carry out its accrediting
functions. If that organization is not, in fact, an accreditation
authority for that particular institution, then disclosure under Sec.
99.31(a)(7) is invalid and violates FERPA. Likewise, Sec. 99.31(a)(9)
does not authorize a court or Federal grand jury to issue an order or
subpoena; it allows an educational agency or institution to comply with
a facially valid order or subpoena, without consent.
We added the requirement in Sec. 99.35(a)(2) that the recipient
have authority under Federal, State, or local law to conduct the
activity for which the disclosure was made because there was
significant confusion in the educational community about who may
receive education records without consent for audit and evaluation
purposes under Sec. 99.35. For example, in 2005 the Pennsylvania
Department of Education (PDOE) asked the Department whether, in the
absence of parental consent, a charter school LEA responsible under
State law for providing a free appropriate public education to students
with disabilities enrolled in the charter school could send the local
school district of residence the IEP of each student with a disability.
The school districts of residence claimed that they needed this
information to substantiate the charter school's invoices for higher
payments based on the student's special education status under the
IDEA.
Our January 2006 response to PDOE explained that in order to meet
the requirements for disclosure of education records under Sec. Sec.
99.31(a)(3) and 99.35, Federal, State, or local law (including valid
administrative regulations) must authorize the relevant State or local
educational authority to conduct the audit, evaluation, or compliance
or enforcement activity in question. In particular, we noted that
charter schools in Pennsylvania could disclose the IEP cover sheet
under Sec. Sec. 99.31(a)(3) and 99.35 of the regulations if the State
law in question authorized a local school district to ``audit or
evaluate'' a charter school's request for payment of State funds at the
special education rate and the school district needed personally
identifiable information for that purpose, and that we would defer to
the State Attorney General's interpretation of State law on the matter.
We also explained that there appeared to be no legal authority that
would allow charter schools in the State to disclose a student's entire
IEP to the resident school district, as requested by the resident
school districts.
The Department has always interpreted Sec. Sec. 99.31(a)(3) and
99.35 to allow educational agencies and institutions to disclose
personally identifiable information from education records to the SEA
or State higher education board or commission responsible for their
supervision based on the understanding that those entities are
authorized to audit or evaluate (or enforce Federal legal requirements
related to) the education programs provided by the agencies and
institutions whose records are disclosed. Under this reasoning, a K-12
school district (LEA) may disclose personally identifiable information
from education records to another LEA, or to a State higher education
board or commission, without consent, if that LEA, board, or commission
has legal authority to conduct the audit, evaluation, or compliance or
enforcement activity with regard to the disclosing district's programs.
States do not have to house their K-12 or P-12 and postsecondary
systems within the same agency in order to take advantage of this
provision. However, they may need to review and modify the supervisory
and oversight responsibilities of various State and local educational
authorities to ensure that there is valid legal authority for LEAs,
postsecondary institutions, SEAs, and higher education authorities to
disclose or redisclose personally identifiable information from
education records to one another under Sec. 99.35(a) before
information is released.
It is not our intention in Sec. 99.35(a)(2) to require educational
agencies and institutions and other parties to identify specific
statutory authority before they disclose or redisclose education
records for audit or evaluation purposes but to ensure that some local,
State, or Federal legal authority exists for the audit or evaluation,
including for example an Executive Order or administrative regulation.
The Department encourages State and local educational authorities and
educational agencies and institutions to seek guidance from their State
attorney general on their legal authority to conduct a particular audit
or evaluation. The Department may also provide additional guidance, as
appropriate.
Changes: None.
(b) Recordation Requirements
Comment: In the NPRM, 73 FR 15587, we invited public comment on
whether an SEA, the Department, or other official or agency listed in
Sec. 99.31(a)(3) should be allowed to maintain the record of the
redisclosures it makes on behalf of an educational agency or
[[Page 74823]]
institution as a means of relieving any administrative burdens
associated with recording disclosures of education records. One
commenter urged the Department not to delegate responsibility for
recordkeeping to State and local educational authorities and Federal
agencies and officials that redisclose education records under Sec.
99.33(b). Another said that if a State or local educational authority
or Federal agency or official rediscloses information ``on behalf of''
an educational agency or institution under Sec. 99.35(b), these
further disclosures should be included in the student's record at the
educational agency or institution. All other comments on this issue
supported revising the regulations to allow State and local educational
authorities and Federal officials and agencies listed in Sec.
99.31(a)(3) to record any redisclosures they make under Sec. 99.33(b).
Several commenters suggested that the recordation requirements in
Sec. 99.32(b) would place an undue burden on State and local officials
when State educational authorities redisclose education records because
the State authority would need to return to each original source of the
records to record the redisclosure. Some commenters noted that
compliance with Sec. 99.32(b) is practically impossible if an LEA or
postsecondary institution is required to record all authorized
redisclosures at the time of the initial disclosure of information to
the State or Federal authority. Two commenters suggested that we
eliminate the recordation problem by redefining the term disclosure so
that it does not include disclosing information under Sec. 99.31(a)(3)
for audit, evaluation, or compliance and enforcement purposes. Another
commenter suggested that we define ``educational agency or
institution'' to include State educational authorities so that
disclosures to State educational authorities would not be considered a
disclosure under FERPA.
One commenter said that the regulations should permit State
educational authorities to record redisclosures as they are made and
without having to identify each student by name. Another commenter
asked for clarification whether the recordation requirements apply to
redisclosures that SEAs make to education researchers and other parties
that are not authorized to make any further disclosures, and what level
of detail is required in the record regarding who accessed the data and
what specific information was viewed.
One commenter stated that if State educational authorities and
Federal officials are authorized to record their own redisclosures of
information, then the educational agency or institution should be
required to retrieve these records in response to a request to review
education records by parents and eligible students who would otherwise
not know about the redisclosures. Other commenters suggested that the
State educational authority or Federal official could either make the
redisclosure record available directly to parents and students or send
it to the LEA or postsecondary institution for this purpose.
Discussion: We agree with commenters that in order to facilitate
the operation of State data systems and ease administrative burdens on
all parties, the regulations should allow State educational authorities
and Federal officials and agencies to record further disclosures they
make on behalf of educational agencies and institutions under Sec.
99.33(b). We are revising the provisions of Sec. 99.32 to address
commenters' concerns and ensure that these changes will not expand the
redisclosure authority of a State or local educational authority or
Federal official or agency under Sec. 99.35(b) and that parents and
students will have notice of and access to any State or Federal record
of further disclosures that is created.
In response to the commenter's suggestion that we define
``educational agency or institution'' and the term disclosure to
address recordation issues associated with the new redisclosure
authority in Sec. 99.35(b), we note that an educational agency or
institution is required by statute to maintain with each student's
education records a record of each request for access to and each
disclosure of personally identifiable information from the education
records of the student, including the parties who have requested or
received information and their legitimate interests in the information.
20 U.S.C. 1232g(b)(4)(A); 34 CFR 99.32(a). This includes each
disclosure of personally identifiable information from education
records that an educational agency or institution makes to an SEA or
other State educational authority and to Federal officials and
agencies, including the Department, for audit, evaluation, or
compliance and enforcement purposes under Sec. Sec. 99.31(a)(3) and
99.35, and under most other FERPA exceptions, such as the financial aid
exception in Sec. 99.31(a)(4). (Regulatory exceptions to the statutory
recordation requirements, which are set forth in Sec. 99.32(d), cover
disclosures that a parent or eligible student would generally know
about without the recordation or for which notice is prohibited under
court order; the exceptions do not include disclosures made to parties
outside the agency or institution for audit, evaluation, or compliance
and enforcement purposes.)
An educational agency or institution is required under FERPA to
record its disclosures of personally identifiable information from
education records even when it discloses information to another
educational agency or institution, such as occurs under Sec.
99.31(a)(2) when a school district transfers education records to a
student's new school. See 20 U.S.C. 1232g(b)(4)(A); 34 CFR 99.32(a).
Therefore, even if a State educational authority were considered an
``educational agency or institution'' under Sec. 99.1, a school
district or postsecondary institution would still be required to record
its own disclosures to that State educational authority; defining a
State educational authority as an educational agency or institution
would not eliminate this requirement. Therefore, a school district or
postsecondary institution is required to record its disclosures to any
State educational authority.
The term disclosure is defined in Sec. 99.3 to mean to permit
access to or the release, transfer, or other communication of
personally identifiable information contained in education records to
any party, by any means, including oral, written, or electronic means.
This includes releasing or making a student's education records
available to school officials within the agency or institution, for
which an exception to the consent requirement exists under Sec.
99.31(a)(1). We see no legal basis for redefining the term disclosure
to exclude the release of personally identifiable information to third
parties outside the educational agency or institution under the audit,
evaluation, or compliance and enforcement exception to the consent
requirement in Sec. Sec. 99.31(a)(3) and 99.35.
With regard to the level of detail required in the record of
redisclosures, current Sec. 99.32(b) requires an educational agency or
institution to record the ``names of the additional parties to which
the receiving party may disclose the information'' on its behalf and
their legitimate interests under Sec. 99.31. This means the name of
the individual (if an organization is not involved) or the organization
and the exception under Sec. 99.31(a) that would allow the
redisclosure to be made without consent. Under current Sec.
99.33(a)(2), the officers, employees, and agents of a party that
receives
[[Page 74824]]
information from education records may use the information for the
purposes for which the disclosure was made without violating the
limitations on redisclosure in Sec. 99.33(a)(1). Therefore, we
interpret the recordation requirement in Sec. 99.32(b) to mean that an
educational agency or institution may record the name of an
organization, including a research organization, to which a recipient
may make further disclosures under Sec. 99.33(b) and is not required
to record the name of each individual within the organization who is
authorized to use that information in accordance with Sec.
99.33(a)(2).
We also recognize that sometimes an educational agency or
institution does not know at the time of its disclosure of education
records that the receiving party may wish to make further disclosures
on its behalf. Therefore, we interpret Sec. 99.32(b) to allow a
receiving party to ask an educational agency or institution to record
further disclosures made on its behalf after the initial receipt of the
records or information.
These same policies apply to further disclosures made by State and
local educational authorities and Federal officials listed in Sec.
99.31(a)(3) that redisclose information on behalf of educational
agencies and institutions under the new authority in Sec. 99.35(b).
Educational agencies and institutions that disclose education records
under Sec. 99.31(a)(3) with the understanding that the State or
Federal authority or official may make further disclosures may continue
to record those further disclosures as provided in Sec. 99.32(b)(1).
Like any other recipient of education records, a State or Federal
authority or official may also ask an educational agency or institution
to record further disclosures made on its behalf after the initial
receipt of the records or information. It is incumbent upon a State or
Federal authority or official that makes further disclosures on behalf
of an educational agency or institution under Sec. 99.33(b) to
determine whether the educational agency or institution has recorded
those further disclosures. If the educational agency or institution
does not do so, then under the revisions to Sec. 99.32(b)(2)(i) in the
final regulations, the State and local educational authority or Federal
official or agency that makes further disclosures must maintain the
record of those disclosures.
We have also revised Sec. 99.32(a) to ensure that educational
agencies and institutions maintain a listing in each student's record
of the State and local educational authorities and Federal officials
and agencies that may make further disclosures of the student's
education records without consent under Sec. 99.33(b). This will help
ensure that parents and students know that the record of disclosures
maintained by an educational agency or institution as required under
Sec. 99.32(a) may not contain all further disclosures made on behalf
of the agency or institution by a State or Federal authority or
official and alert parents and students to the need to ask for access
to this additional information. We have also revised Sec. 99.32(a) to
require an educational agency or institution to obtain a copy of the
record of further disclosures maintained at the State or Federal level
and make it available for parents and students to inspect and review
upon request.
In response to commenters' suggestions, the regulations in new
Sec. 99.32(b)(2)(ii) allow a State or local educational authority or
Federal official or agency to identify the redisclosure by the
student's class, school, district, or other appropriate grouping rather
than by the name of each student whose record was redisclosed. For
example, an SEA may record that it disclosed to the State higher
education authority the scores of each student in grades nine through
12 on the State mathematics assessment for a particular year. We
believe that this procedure eases administrative burdens while ensuring
that a parent or student may access information about the redisclosure.
We note that the recordation requirements under Sec.
6401(c)(i)(IV) of the America COMPETES Act, Public Law 110-69, 20
U.S.C. 9871(c)(i)(IV), are more detailed and stringent than those
required under FERPA. In particular, a State that receives a grant to
establish a statewide P-16 education data system under Sec.
6401(c)(2), 20 U.S.C. 9871(c)(2), is required to keep an accurate
accounting of the date, nature, and purpose of each disclosure of
personally identifiable information in the statewide P-16 education
data system; a description of the information disclosed; and the name
and address of the person, agency, institution, or entity to whom the
disclosure is made. The State must also make this accounting available
on request to parents of any student whose information has been
disclosed. The Department will issue further guidance on these
requirements if the program is funded and implemented.
Changes: We have made several changes to Sec. 99.32, as follows:
New Sec. 99.32(b)(2)(i) provides that a State or local
educational authority or Federal official or agency listed in Sec.
99.31(a)(3) that makes further disclosures of information from
education records must record the names of the additional parties to
which it discloses information on behalf of an educational agency or
institution and their legitimate interests under Sec. 99.31 in the
information if the information was received from an educational agency
or institution that has not recorded the further disclosures itself or
from another State or local official or Federal official or agency
listed in Sec. 99.31(a)(3).
New Sec. 99.32(b)(2)(ii) provides that a State or local
educational authority or Federal official or agency that records
further disclosures of information may maintain the record by the
student's class, school, district or other appropriate grouping rather
than by the name of the student.
New Sec. 99.32(b)(2)(iii) provides that upon request of
an educational agency or institution, a State or local educational
authority or Federal official or agency that maintains a record of
further disclosures must provide a copy of the record of further
disclosures to the educational agency or institution within a
reasonable period of time not to exceed 30 days.
Revised Sec. 99.32(a)(1) requires educational agencies
and institutions to list in each student's record of disclosures the
names of the State and local educational authorities and Federal
officials or agencies that may make further disclosures of the
information on behalf of the educational agency or institution under
Sec. 99.33(b).
New Sec. 99.32(a)(4) requires an educational agency or
institution to obtain a copy of the record of further disclosures
maintained by a State or local educational authority or Federal
official or agency and make it available in response to a parent's or
student's request to review the student's record of disclosures.
Educational Research (Sec. Sec. 99.31(a)(6) and 99.31(a)(3))
Comment: We received a number of comments on proposed Sec.
99.31(a)(6)(ii). In this section, we proposed that an educational
agency or institution that discloses personally identifiable
information without consent to an organization conducting studies for,
or on behalf of, the educational agency or institution must enter into
a written agreement with the organization specifying the purposes of
the study and containing certain other elements. This exception to the
consent requirement is often referred to as the ``studies exception.''
While all of the comments on this provision generally supported the
changes, many of the commenters raised concerns about the scope and
[[Page 74825]]
applicability of the studies exception and requested clarification on
some of the proposed changes, particularly with regard to the
provisions relating to written agreements.
Discussion: We address commenters' specific concerns about the key
portions of these regulations in the following sections.
Changes: None.
(a) Scope and Applicability of Sec. 99.31(a)(6)
Comment: Several commenters stated that the proposed regulations
did not clearly indicate that the studies exception applies to State
educational authorities. Some commenters, assuming that Sec.
99.31(a)(6) applied to State educational authorities, noted that the
proposed regulations did not provide clear authority for State
educational authorities such as an SEA, or a State longitudinal data
system using State generated data (such as State assessment results),
to enter into research agreements on behalf of educational agencies and
institutions. One commenter stated that Sec. 99.31(a)(6) should not be
interpreted to require that research agreements be entered into by
individual schools or that any resulting redisclosures be recorded by
the individual schools.
One commenter asked for clarification regarding whether Sec.
99.31(a)(6) permitted a school to disclose a student's education
records to his or her previous school for the purpose of evaluating
Federal or State-supported education programs or for improving
instruction.
Another commenter stated that the Department should further revise
the regulations to provide that only individuals in the organization
conducting the study who have a legitimate interest in the information
disclosed be given access to the information. The commenter also stated
that the Department should specifically limit Sec. 99.31(a)(6) to bona
fide research projects by prohibiting organizations conducting studies
under this exception from using record-level data for other operational
or commercial purposes. The commenter also expressed concern about the
duration of research projects, noting that significantly more
restrictive access should be required for studies that track personally
identifiable information for long periods of time. The commenter stated
further that the Department should consider imposing a time limit on
how long information obtained through longitudinal studies can be
retained.
Discussion: FERPA permits an educational agency or institution to
disclose personally identifiable information from an education record
of a student without consent if the disclosure is to an organization
conducting studies for, or on behalf of, the educational agency or
institution to (a) develop, validate, or administer predictive tests;
(b) administer student aid programs; or (c) improve instruction. 20
U.S.C. 1232g(b)(1)(F); 34 CFR 99.31(a)(6). Disclosures made under the
studies exception may only be used by the receiving party for the
purposes for which the disclosure was made and for no other purpose or
study. As such, Sec. 99.31(a)(6) is not a general research exception
to the consent requirement in FERPA but an exception for studies
limited to the purposes specified in the statute and regulations.
We first note that it may not be necessary or even advantageous for
State educational authorities to use the studies exception in order to
conduct or authorize educational research because of the limitations in
Sec. 99.31(a)(6). In contrast, Sec. 99.31(a)(3)(iv), under the
conditions set forth in Sec. 99.35, allows educational agencies and
institutions, such as LEAs and postsecondary institutions, to disclose
education records without consent to State educational authorities for
audit and evaluation purposes, which can include a general range of
research studies beyond the more limited group of studies specified
under Sec. 99.31(a)(6). Also, as explained more fully elsewhere in
this preamble, while a State educational authority must have the
underlying legal authority to audit or evaluate the records it receives
from LEAs or postsecondary institutions under Sec. 99.35, the LEA or
postsecondary institution is not required to enter into a written
agreement for the audit or evaluation as it is required to do under
Sec. 99.31(a)(6). (See Redisclosure of Education Records and
Recordkeeping by State and Local Educational Authorities and Federal
Officials and Agencies.) The absence of an explanation of the
authorized representatives exception (Sec. 99.31(a)(3)) in the NPRM
created confusion, especially with regard to how State departments of
education may utilize education records for evaluation purposes.
Therefore, we have included that explanation here.
The conditions for disclosing education records without consent
under Sec. Sec. 99.31(a)(3)(iv) and 99.35 are discussed in the
Department's Memorandum from the Deputy Secretary of Education (January
30, 2003) available at
http://www.ed.gov/policy/gen/guid/secletter/030130.html. The Deputy
Secretary's memorandum explains that under this
exception an ``authorized representative'' of a State educational
authority is a party under the direct control of that authority, e.g.,
an employee or a contractor.
In general, the Department has interpreted FERPA and implementing
regulations to permit the disclosure of personally identifiable
information from education records, without consent, in connection with
the outsourcing of institutional services and functions. Accordingly,
the term ``authorized representative'' in Sec. 99.31(a)(3) includes
contractors, consultants, volunteers, and other outside parties (i.e.,
non-employees) used to conduct an audit, evaluation, or compliance or
enforcement activities specified in Sec. 99.35, or other institutional
services or functions for which the official or agency would otherwise
use its own employees. For example, a State educational authority may
disclose personally identifiable information from education records,
without consent, to an outside attorney retained to provide legal
services or an outside computer consultant hired to develop and manage
a data system for education records.
The term ``authorized representative'' also includes an outside
researcher working as a contractor of a State educational authority or
other official listed in Sec. 99.31(a)(3) that has outsourced the
evaluation of Federal or State supported education programs. An outside
researcher may conduct independent research under this provision in the
sense that the researcher may propose or initiate research projects for
consideration and approval by the State educational authority or other
official listed in Sec. 99.31(a)(3) either before or after the parties
have negotiated a research agreement. Likewise, the State educational
authority or official does not have to agree with or endorse the
researcher's results or conclusions. In so doing, an outside researcher
retained to evaluate education programs by a State educational
authority or other official listed in Sec. 99.31(a)(3) as an
``authorized representative'' may be given access to personally
identifiable information from education records, including statistical
information with unmodified small data cells. However, the term
``authorized representative'' does not include independent researchers
that are not contractors or other parties under the direct control of
an official or agency listed in Sec. 99.31(a)(3).
While an educational agency or institution may not disclose
personally identifiable information from students' education records to
independent researchers, nothing in FERPA prohibits
[[Page 74826]]
them from disclosing information that has been properly de-identified.
Further discussion of this issue is provided in the following
paragraphs and under the section entitled Personally Identifiable
Information and De-Identified Records and Information.
An SEA or other State educational authority that has legal
authority to enter into agreements for LEAs or postsecondary
institutions under its jurisdiction may enter into an agreement with an
organization conducting a study for the LEA or institution under the
studies exception. If the SEA or other State educational authority does
not have the legal authority to act for or on behalf of an LEA or
institution, then it would not be permitted to enter into an agreement
with the organization conducting the study under this exception. As
previously mentioned, FERPA authorizes certain disclosures without
consent; it does not provide an SEA or other State educational
authority with the legal authority to act for or on behalf of an LEA or
postsecondary institution.
With regard to the request for clarification whether Sec.
99.31(a)(6) permits a school to disclose a student's education records
to his or her previous school for evaluation purposes, the studies
exception only allows disclosures to organizations conducting studies
for, or on behalf of, the educational agency or institution that
discloses its records. The ``for, or on behalf of'' language from the
statute does not permit disclosures under this exception so that the
receiving organization can conduct a study for itself or some other
party. This issue is discussed in more detail under the section of this
preamble entitled Disclosure of Education Records to Student's Former
Schools.
We agree with the comment that the regulations should be revised to
provide that only those individuals in the organization conducting the
study that have a legitimate interest in the personally identifiable
information from education records can have access to the records. The
Secretary also shares the commenter's concerns about limiting Sec.
99.31(a)(6) to bona fide research projects, prohibiting commercial
utilization of education records, and limiting the duration of research
projects. We address these issues in greater detail in the following
section concerning written agreements.
Changes: None.
(b) Written Agreements for Studies
Comment: Several commenters expressed concern that Sec.
99.31(a)(6) not be read so broadly as to erode parents' and students'
privacy rights, and, therefore, supported the restrictions that the
Secretary included in this provision. Specifically, they supported the
new requirement that educational agencies and institutions must enter
into a written agreement with the organization conducting the study
that specifies: the purpose of the study, that the information from the
education records disclosed be used only for the stated purpose, that
individuals outside the organization may not have access to personally
identifiable information about the students being studied, and that the
information be destroyed or returned when it is no longer needed for
the purpose of the study.
Several commenters said that the Department should clarify that the
existence of a written agreement is not a rationale in and of itself
for the disclosure of education records. They stated that the
regulations should provide explicitly that a written agreement does not
modify the protections under FERPA or justify the use of the records
transferred other than as permitted by the statute and the regulations.
Some of these commenters stated that the written agreement should
include a description of the specific records to be disclosed for the
study.
Several commenters agreed with the provision in the proposed
regulations that specified that an educational agency or institution
does not need to agree with or endorse the conclusions or results of
the study. Other commenters asked that we include in the regulations
the explanation provided in the preamble to the NPRM that the school
also does not need to initiate the study.
One commenter suggested that we change the references from
``study'' to ``studies'' so that it is clear that an agency or
institution and a research organization could enter into one agreement
that would cover a variety of studies that support the State's or
school district's educational objectives. One commenter suggested that
the Department certify agreements between educational agencies and
research organizations as meeting the requirements of FERPA.
There were several comments on the destruction of information
requirements in FERPA. Some suggested that we include in the
regulations the specific time period by which information disclosed to
a researcher must be destroyed, while others stated that ongoing access
to data is necessary and that researchers should be permitted to retain
information indefinitely. Some commenters suggested that the required
time period for the destruction or return of education records, as
deemed necessary by the parties to support the purposes of the
authorized study or studies, be established in the written agreement.
One commenter approved including the requirements regarding the use
and destruction of data in the written agreement as a way of improving
compliance with FERPA. However, the commenter questioned our
explanation that the language in the statute providing that the study
must be conducted ``for, or on behalf of'' the educational agency or
institution means that the disclosing school must retain control over
the information once it has been given to a third party conducting a
study. The commenter believed that school districts will not be
involved in how a study is performed and that the written agreement
with the organization specifying the organization's obligations with
regard to the use and destruction of data should be sufficient.
Discussion: The Secretary shares the concerns raised by commenters
that Sec. 99.31(a)(6) not be read so broadly as to erode parents' and
students' privacy rights. Accordingly, we have revised Sec.
99.31(a)(6) to address some of these concerns and believe that these
changes will provide adequate protection of students' education records
that may be disclosed under the studies exception.
In the NPRM, we proposed to remove current Sec. 99.31(a)(6)(ii)(A)
and (B) and included these requirements under the provisions for
written agreements. These paragraphs provide that the study must be
conducted in a manner that does not permit personal identification of
parents and students by individuals other than representatives of the
organization and that the information be destroyed when no longer
needed for the purposes for which the study was conducted. We are
including Sec. 99.31(a)(6)(ii)(A) and (B) in the final regulations.
After reviewing comments on the proposed changes, we concluded that, by
moving these two provisions into the new paragraph relating to written
agreements, we would have weakened the statutory requirements
concerning the studies exception. We believe this correction will
alleviate commenters' concerns about weakening parents' and students'
privacy rights under FERPA.
We agree with the comments that the existence of a written
agreement is not a rationale in and of itself for the disclosure of
education records. As a privacy statute, FERPA requires that parents
and eligible students provide written consent before educational
agencies and institutions disclose personally identifiable information
from students' education records. There are
[[Page 74827]]
several statutory exceptions to FERPA's general consent rule, one of
which is Sec. 99.31(a)(6), an exception that permits disclosure of
records for studies limited to the purposes specified in the statute
and regulations. However, a written agreement, a memorandum of
understanding, or a contract is not a justification for disclosure of
education records. Rather, a disclosure must meet the requirements in
Sec. 99.31(a)(6) or the other permitted disclosures under Sec. 99.31.
If a disclosure meets the conditions of Sec. 99.31(a)(6), the
disclosure may be made, and the written agreement sets forth the
requirements that must be followed when entering into such an
agreement.
As noted in our earlier discussion of the scope and applicability
of the studies exception, the Secretary concurs that the regulations
should be revised to require that a written agreement expressly include
the purpose, scope, and duration of the agreed upon study, as well as
the information to be disclosed. We also agree with commenters that the
regulations should specifically limit any disclosures of personally
identifiable information from students' education records to those
individuals in the organization conducting the study that have a
legitimate interest in the information. This requirement is consistent
with Sec. 99.32(a)(3)(ii), which requires that an educational agency
or institution record the ``legitimate interests'' the parties had in
obtaining information under FERPA.
The Secretary strongly recommends that schools carefully limit the
disclosure of students' personally identifiable information under this
and the other exceptions in Sec. 99.31 and reminds educational
agencies and institutions that disclosures without consent are subject
to Sec. 99.33(a)(2), which states: ``The officers, employees, and
agents of a party that receives information under paragraph (a)(1) of
this section may use the information, but only for the purposes for
which the disclosure was made.'' The recordation requirements in Sec.
99.32 also apply to any disclosures of personally identifiable
information made under the studies exception. (We note that a school
does not have to record the disclosure of information that has been
properly de-identified.)
Although FERPA permits schools to disclose personally identifiable
information under Sec. 99.31(a)(6) to organizations conducting studies
for or on its behalf, the Secretary recommends that educational
agencies and institutions release de-identified information whenever
possible under this exception. Even when schools opt not to release de-
identified information in these circumstances, we recommend that
schools reduce the risk of unauthorized disclosure by removing direct
identifiers, such as names and SSNs, from records that don't require
them, even though these records may still contain some personally
identifiable information. This is especially important when a school
also discloses sensitive information about students, such as type of
disability and special education services received by the students.
We agree with commenters that Sec. 99.31(a)(6) should be revised
to indicate that an educational agency or institution is not required
to initiate a study. Additionally, we have revised Sec. 99.31(a)(6) to
include the word ``studies'' so that an educational agency or
institution may utilize one written agreement for more than one study,
so long as the requirements concerning information that must be in the
agreement are met.
While we do not have the authority under FERPA to officially
certify agreements between educational agencies and institutions and
organizations conducting studies, FPCO does provide technical
assistance to educational agencies or institutions on FERPA. As such,
if school officials have questions about whether an agreement meets the
requirements in Sec. 99.31(a)(6), they may contact FPCO for
assistance.
With regard to the comments that we include in the regulations a
specific time period by which information provided under the studies
exception must be destroyed, we believe that the parties entering into
the agreement should decide when information has to be destroyed or
returned to the educational agency or institution. As we have
discussed, we have revised Sec. 99.31(a)(6) to require that the
written agreement include the duration of the study and the time period
during which the organization must either destroy or return the
information to the educational agency or institution.
With regard to the comment that a written agreement with the
organization conducting the study should be sufficient for an
educational agency or institution to retain control over information
from education records once the information is given to an organization
conducting a study, we agree that a written agreement required under
the regulations will help ensure that the information is used only to
meet the purposes of the study stated in the written agreement and that
all applicable requirements are met. However, similar to the
requirement that an outside service provider serving as a school
official is subject to FERPA's restrictions on the use and redisclosure
of personally identifiable information from education records,
educational agencies and institutions must ensure that organizations
with which they have entered into an agreement to conduct a study also
comply with FERPA's restrictions on the use of personally identifiable
information from education records. (See pages 15578-15580 of the
NPRM.) That is, the school must retain control over the organization's
access to and use of personally identifiable information from education
records for purposes of the study or studies, including access by the
organization's own employees and subcontractors, as well as any school
officials whom the organization permits to have access to education
records.
An educational agency or institution may need to determine that the
organization conducting the study has reasonable controls in place to
ensure that personally identifiable information from education records
is protected. We note that it is common practice for some data sharing
agreements to have a ``controls section'' that specifies required
controls and how they will be verified (e.g., surprise inspections). We
recommend that the agreement required by Sec. 99.31(a)(6) include a
section that sets forth similar requirements. If a school is unable to
verify that these controls are in place, then it should not disclose
personally identifiable information from education records to an
organization for the purpose of conducting a study.
In this regard, it should be noted that educational agencies and
institutions are responsible for any failures by an organization
conducting a study to comply with applicable FERPA requirements. FERPA
states that if a third party outside the educational agency or
institution fails to destroy information in violation of 20 U.S.C.
1232g(b)(1)(F), the studies exception in FERPA, the educational agency
or institution shall be prohibited from permitting access to
information from education records to that third party for a period of
not less than five years. See 20 U.S.C. 1232g(b)(4)(B).
Changes: We have revised Sec. 99.31(a)(6) to: (1) Retain Sec.
99.31(a)(6)(ii)(A) and (B); (2) amend Sec. 99.31(a)(6)(ii)(A) to
provide that the study must be conducted in a manner that does not
permit personal identification of parents or students by anyone other
than representatives of the organization that have legitimate interest
in the information; (3) amend Sec. 99.31(a)(6)(ii)(C) to require that
the written agreement specify the purpose,
[[Page 74828]]
scope, and duration of the study and the information to be disclosed;
require the organization to use personally identifiable information
from education records only to meet the purpose or purposes of the
study as stated in the written agreement; limit any disclosures of
information to individuals in the organization conducting the study who
have a legitimate interest in the information; and require the
organization to destroy or return to the educational agency all
personally identifiable information when the information is no longer
needed for the purposes of the study and specify the time period during
which the organization must either destroy or return the information to
the educational agency or institution; and (4) amend Sec. 99.31(a)(6)
in new paragraph (iii) to provide that an educational agency or
institution is not required to initiate a study.
Disclosure of Education Records to Non-Educational State Agencies
Comment: Several commenters stated that the proposed amendments did
not specifically address whether an educational agency or institution
is permitted to disclose education records to non-educational State
agencies, such as State health or labor agencies, as part of an
agreement with those agencies, without first obtaining consent. One
commenter said that because the Department has taken the position that
education records may be shared with State auditors who are not
educational officials and who are not, by definition, under the control
of a State educational authority, there is no legal basis to prohibit
the disclosure of education records to other non-educational State and
local agencies.
Some officials representing State health agencies commented that
FERPA should be more closely aligned with the disclosure provisions of
the HIPAA Privacy Rule. One commenter noted that there was a critical
need for public health researchers to be able to access, without
consent, personally identifiable information contained in student
health records to allow for analyses, public health studies, and
research that will benefit school-aged children, as well as the general
population. One organization representing school nurses noted that
public health officials need access to education records for the
purposes of public health reporting, surveillance, and reimbursement.
Several commenters recommended that SEAs be authorized to share
data from education records with State social services, health,
juvenile, and employment agencies, to serve the needs of students,
including special needs, low-income, and at-risk students. One SEA
commented that it did not support extending access to student data to
non-education State agencies, except to State auditors, as specified in
proposed Sec. 99.35(a)(3). This commenter asserted that access to and
use of information from students' education records should be
controlled by a limited number of education officials who are sensitive
to the intent of FERPA and well acquainted with its safeguards.
Discussion: There is no specific exception to the written consent
requirement in FERPA that permits the disclosure of personally
identifiable information from students' education records to
non-educational State agencies. Educational agencies and institutions may
disclose personally identifiable information for audit or evaluation
purposes under Sec. Sec. 99.31(a)(3) and 99.35 only to authorized
representatives of the officials or agencies listed in Sec.
99.31(a)(3)(i) through (iv). Typically, LEAs and their constituent
schools disclose education records to State educational authorities
under Sec. 99.31(a)(3)(iv), such as the SEA, for audit, evaluation, or
compliance and enforcement purposes.
There are some exceptions that might authorize disclosures to
non-educational State agencies for specified purposes. For example,
disclosures may be made in a health or safety emergency (Sec. Sec.
99.31(a)(10) and 99.36), in connection with financial aid (Sec.
99.31(a)(4)), or pursuant to a State statute under the juvenile justice
system exception (Sec. Sec. 99.31(a)(5) and 99.38), and any
disclosures must meet the specific requirements of the particular
exception. FERPA, however, does not contain any specific exceptions to
permit disclosures of personally identifiable information without
consent for public health or employment reporting purposes. That said,
nothing in FERPA prohibits an educational agency or institution from
importing information from another source to perform its own
evaluations.
We believe that any further expansion of the list of officials and
entities in FERPA that may receive education records without the
consent of the parent or eligible student must be authorized by
legislation enacted by Congress.
We explained in the NPRM on page 15577 that, with respect to State
auditors, legislative history for the 1979 FERPA amendment indicates
that Congress specifically intended that FERPA not preclude State
auditors from obtaining personally identifiable information from
education records in order to audit Federal and State supported
education programs, notwithstanding that the statutory language in the
amendment refers only to ``State and local educational officials.'' See
20 U.S.C. 1232g(b)(5); H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10
(1979), reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824. This
legislative history provides a basis for drawing a distinction between
State auditors and officials of other State agencies that also are not
under the control of the State educational authority. (As explained
more fully under State auditors, upon further review, we have removed
from the final regulations the proposed regulations related to State
auditors and audits.)
The 1979 amendment to FERPA does not apply to other State officials
or agencies, and there is no other legislative history to indicate that
Congress intended that FERPA be interpreted to permit educational
agencies and institutions, or State and local educational authorities
or Federal officials and agencies listed in Sec. 99.31(a)(3), to share
students' education records with non-educational State officials. In
fact, Congress has, on numerous occasions, indicated otherwise.
As discussed elsewhere in this preamble under the heading Health or
Safety Emergency, the HIPAA Privacy Rule specifically excludes from
coverage health care information that is maintained as an ``education
record'' under FERPA. 45 CFR 160.103, Protected health information. We
understand that the HIPAA Privacy Rule allows covered entities to
disclose identifiable health data without written consent to public
health authorities. However, there is no comparable exception to the
written consent requirement in FERPA.
As mentioned previously, in conducting an audit, evaluation, or
compliance or enforcement activity, an educational authority may
collaborate with other State agencies by importing data from those
sources and conducting necessary matches. Any reports or other
information created as a result of the data matches may only be
released to those non-educational officials in non-personally
identifiable form. Educational authorities may also release information
on students to non-educational officials that has been properly
de-identified, as described in Sec. 99.31(b)(1).
Additionally, many agencies providing services to low income or
at-risk families have parents sign a consent form authorizing disclosure
of
[[Page 74829]]
information at intake time so that the agency can receive necessary
information from schools. In 1993, we amended the FERPA regulations to
help facilitate this practice. In final regulations published in the
Federal Register on January 7, 1993 (58 FR 3188), we removed the
previous requirement in the regulations that schools ``obtain'' consent
from parents and eligible students so that parents and eligible
students may ``provide'' a signed and dated consent to third parties in
order for the school to disclose education records to those parties.
Therefore, parents can provide consent at intake time to State and
local social services and other non-educational agencies serving the
needs of students in order to permit their children's schools (or the
SEA) to disclose education records to the agency. For example, parents
routinely provide consent to the Medicaid agency that permits that
agency to collect information from other agencies on the family being
served. In many cases those consents are written in a manner that
complies with the consent requirement in Sec. 99.30, and the student's
school may disclose information to the Medicaid agency necessary for
reimbursement purposes for services provided the student.
Changes: None.
Disclosure of Education Records to Student's Former Schools (Sec. Sec.
99.31(a)(3), 99.31(a)(6), and 99.35(b))
Comment: One commenter asked for clarification whether a school
could disclose a student's education records to the student's previous
school for the purpose of evaluating Federal or State supported
education programs or for improving instruction. Several commenters
said that there is a critical need for school districts to be able to
access the records of their former students from the student's new
district or postsecondary institution so that the previous institution
can evaluate the effectiveness of its own education programs. Some
commenters said that Sec. 99.35(a) clearly allows a K-12 data system
to use postsecondary records to evaluate its own programs, and that a
K-12 system does not need to have legal authority to evaluate
postsecondary programs for the disclosure to be valid under the audit
or evaluation exception.
Discussion: Section 99.31(a)(2) allows an educational agency or
institution to disclose personally identifiable information from
education records, without consent, to a school where the student seeks
or intends to enroll or is already enrolled if the disclosure relates
to the student's enrollment or transfer. There is no specific authority
in FERPA for an educational agency or institution, or a State or local
educational authority, to disclose or redisclose personally
identifiable information from education records to a student's former
school without consent.
As discussed above, Sec. Sec. 99.31(a)(3) and 99.35 allow
educational agencies and institutions to disclose personally
identifiable information from education records without consent to
State and local educational authorities that are legally authorized to
audit or evaluate the disclosing institution's programs or records. We
encourage State and local authorities to take advantage of this
exception and establish or modify State or local legal authority, as
necessary, to allow K-12 and postsecondary educational authorities to
audit or evaluate one another's programs. As noted above, the
Department will generally defer to a State Attorney General's
interpretation of State or local law on these matters.
Section 99.31(a)(6) allows an educational agency or institution to
disclose personally identifiable information from education records
without consent to an organization conducting a study for, or on behalf
of, the agency or institution that discloses its records. The ``for, or
on behalf of'' language from the statute and regulations, however, does
not allow the educational agency or institution to disclose personally
identifiable information from education records under this exception so
that the receiving organization can conduct a study for itself or some
other party. Further, the Secretary does not as a policy matter support
expanding the studies exception to permit such a disclosure because it
would result in a vast increase in the number of parties gaining access
to and maintaining personally identifiable information on students. As
discussed below, educational agencies and institutions and other
parties, including State educational authorities, may always release
information from education records to a student's former school,
without consent, if all personally identifiable information has been
removed.
Personally Identifiable Information and De-Identified Records and
Information (Sec. Sec. 99.3 and 99.31(b))
(a) Definition of Personally Identifiable Information
Comment: We received a number of comments on proposed Sec. 99.3
regarding changes to the definition of personally identifiable
information. One commenter applauded the Department's recognition of
the increasing ease of identifying individuals from redacted records
and statistical information because of the large amount of detailed
personal information that is maintained on most Americans by many
different organizations. This commenter and others, however, stated
that the proposed regulations did not go far enough to ensure that
personally identifiable information about students would not be
released.
One commenter expressed concern about our proposal to eliminate
paragraphs (e) and (f) from the existing definition of personally
identifiable information, which included a list of personal
characteristics and other information that would make a student's
identity easily traceable. The commenter said that this was a change to
long-standing Department policy and represented an unwarranted invasion
of privacy that exceeds statutory authority. This commenter also
expressed concern that eliminating the ``easily traceable'' provisions
for determining whether information was personally identifiable could
prevent parents from accessing their children's education records and
might allow school officials to circumvent FERPA requirements by using
nicknames, initials, and other personal characteristics to refer to
children.
In contrast, several commenters stated that the regulations would
be unworkable or were too restrictive and would prevent or discourage
the release of information from education records needed for school
accountability and other public purposes. These commenters stated that
paragraphs (f) and (g) in the proposed definition of personally
identifiable information, which replaces the ``easily traceable''
provisions, would provide school officials too much discretion to
conceal information the public deserves to have in order to debate
public policy. Proposed paragraph (f) provided that personally
identifiable information includes other information that, alone or in
combination, is linked or linkable to a specific student that would
allow a reasonable person in the school or its community, who does not
have personal knowledge of the relevant circumstances, to identify the
student with reasonable certainty. Proposed paragraph (g) provided that
personally identifiable information includes information requested by a
person who the educational agency or institution reasonably believes
has direct, personal knowledge of the identity of the student
[[Page 74830]]
to whom the education record relates, sometimes known as a ``targeted
request.''
Several commenters expressed support for the provisions in
paragraphs (f) and (g) of the definition of personally identifiable
information. One of these commenters said that the ``school and
community'' limitation and the ``reasonable person'' standard in
paragraph (f) is sufficiently clear for implementation by parties that
release de-identified records. Another commenter said that ambiguity in
the terms ``reasonable person'' and ``reasonable certainty'' was
necessary so that organizations can develop their own standards for
addressing the problem of ensuring that information that is released is
not personally identifiable. This commenter asked the Department to
retain the flexibility in the proposed language and provide examples of
policies that have been implemented that meet the requirements in
paragraphs (f) and (g) of the definition. The commenter said that most
school districts know when they are receiving a targeted request
(paragraph (g)) but asked that the Department provide examples to help
districts determine whether a non-targeted request will reveal
personally identifiable information.
Journalism and writers' associations expressed concern about the
``reasonable person'' standard in paragraph (f) and our statement in
the preamble to the NPRM (73 FR 15583) that an educational agency or
institution may not be able to release redacted education records that
concern students or incidents that are well-known in the school
community, including when the parent or student who is the subject of
the record contacts the media and causes the publicity that prevents
the release of the record. These commenters stated that FERPA should
not prevent schools from releasing records from which all direct and
indirect identifiers, such as name, date of birth, address, unusual
place of birth, mother's maiden name, and sibling information, have
been removed without regard to any outside information, particularly
after a student or parent has waived any pretense of confidentiality by
contacting the media. They also said that the proposed definition of
personally identifiable information does not acknowledge the public
interest in school accountability.
One commenter said that the ``reasonable person in the school or
its community'' standard in paragraph (f) was too narrow and
inappropriate because it would allow individuals with even modest
scientific and technological abilities to identify students based on
supposedly de-identified information. Another commenter said that the
reference in paragraph (f) to a ``reasonable person'' should be changed
to ``ordinary person.'' A commenter said that if we retain the
``reasonable person'' standard, we should remove the references to the
school or its community and personal knowledge of the circumstances and
simply refer to a reasonable person. Several commenters said the
``school or its community'' standard is too vague and needs to be
clarified, particularly in relation to the provision in paragraph (g)
regarding targeted requests; these commenters said that school
officials will choose to evaluate a request for information based on
whether a reasonable person in the community, a broader standard than a
reasonable person in the school, could identify the student and
automatically find their own decisions to be reasonable. One commenter
said that the phrase ``relevant circumstances'' in paragraph (f) is
vague.
One commenter said that the standard in paragraph (f) about whether
the information requested is ``linked or linkable'' to a specific
student was too vague and overly broad and could be logically extended
to cover almost any information about a student. This commenter said
that the regulations should focus on preventing the release of records
that in and of themselves contain unique personal descriptors that
would make the student identifiable in the school community and not
refer to outside information, including what members of the public
might know independently of the records themselves.
Several commenters expressed concerns that the provision in
paragraph (g) regarding targeted requests will make FERPA and the
regulations administratively unwieldy and unnecessarily subjective. One
of these commenters said that paragraph (g) is unclear and adds more
confusion as opposed to providing clarity; this commenter said that
paragraph (g) should be removed and that the requirements in paragraph
(f) were sufficient. Another commenter said that the standard in
paragraph (g) unfairly holds agencies and institutions responsible for
ascertaining the requester's personal knowledge. One commenter said
that we should delete the words ``direct, personal'' before
``knowledge'' because these terms are unclear. According to this
commenter, if a school reasonably believes that the requester knows the
student's identity, the school should not disclose the records, whether
the knowledge is ``direct'' or ``personal.''
Other commenters expressed a more general concern that the standard
for targeted requests in paragraph (g) places an undue burden on school
officials to obtain information about the person requesting information
and creates a potential conflict with State open records laws.
According to these commenters, the regulations as proposed would
encourage agencies and institutions to make illegitimate inquiries into
a requester's motives for seeking information and what the requester
intends to do with it, or require the agency or institution to read the
mind of a party requesting information. According to the commenter,
this would introduce a degree of subjective judgment that would
invariably lead to abuse because the same record that could be
considered a public record to one requester could be a confidential
document to another. A large university that has decentralized
administrative operations questioned how it could be expected to take
institutional knowledge into account in evaluating whether a request
for records is targeted and asked for confirmation that the Department
will not substitute its judgment for that of the institution so long as
there was a rational basis for the decision to release information.
We received a few comments on the example of a targeted request
that we provided in the preamble to the NPRM (73 FR 15583-15584), in
which rumors circulate that a candidate running for political office
plagiarized other students' work, and a reporter asks the university
for the redacted disciplinary records of all students who were
disciplined for plagiarism for the year in which the candidate
graduated. We explained that the university may not release the records
in redacted form because the circumstances indicate that the requester
had direct, personal knowledge of the subject of the case. Two
commenters said that confirmation that one unnamed student was
disciplined in 1978 for plagiarism does not identify that student or
confirm that the candidate was that student, and our explanation of the
standard with this example showed that the regulations would prevent
parents and the media from discharging their vital oversight
responsibilities.
One school district said that the targeted request provision could
impair due process in some student discipline cases by limiting the
release of redacted witness statements that concern more than one
student. The commenter suggested that under its current
[[Page 74831]]
practice, if four students are involved in an altercation, the school
redacts all personally identifiable information with regard to students
2 through 4 when releasing the statement without parental consent to
student 1, but under the proposed regulations, student 1's request
would violate the requirements in paragraph (g) because of the
student's knowledge of the identity of the other students to whom the
record relates. This commenter said that the regulations should not be
adopted if they do not address these due process concerns.
Several commenters said they appreciated the addition of a
student's date of birth and other indirect identifiers in the
definition of personally identifiable information. Another commenter
said that a comprehensive list of indirect identifiers would be
helpful. One commenter asked us to define the concept of indirect
identifiers. Another commenter asked us to clarify which personally
identifiable data elements may be released without consent. A commenter
asked us to define the term biometric record as used in the definition
of personally identifiable information.
Discussion: The Joint Statement explains that the purpose of FERPA
is two-fold: to assure that parents and eligible students can access
the student's education records, and to protect their right to privacy
by limiting the transferability of their education records without
their consent. 120 Cong. Rec. 39862. As such, FERPA is not an open
records statute or part of an open records system. The only parties who
have a right to obtain access to education records under FERPA are
parents and eligible students. Journalists, researchers, and other
members of the public have no right under FERPA to gain access to
education records for school accountability or other matters of public
interest, including misconduct by those running for public office.
Nonetheless, as explained in the preamble to the NPRM, 73 FR
15584-15585, we believe that the regulatory standard for defining and
removing personally identifiable information from education records
establishes an appropriate balance that facilitates school
accountability and educational research while preserving the statutory
privacy protections in FERPA.
The simple removal of nominal or direct identifiers, such as name
and SSN (or other ID number), does not necessarily avoid the release of
personally identifiable information. Other information, such as
address, date and place of birth, race, ethnicity, gender, physical
description, disability, activities and accomplishments, disciplinary
actions, and so forth, can indirectly identify someone depending on the
combination of factors and level of detail released. Similarly, and as
noted in the preamble to the NPRM, 73 FR 15584, the existing
professional literature makes clear that public directories and
previously released information, including local publicity and even
information that has been de-identified, is sometimes linked or
linkable to an otherwise de-identified record or data set and renders
the information personally identifiable. The regulations properly
require parties that release information from education records to
address these situations.
We removed the ``easily traceable'' standard from the definition of
personally identifiable information because it lacked specificity and
clarity. We were also concerned that the ``easily traceable'' standard
suggested that a fairly low standard applied in protecting education
records, i.e., that information was considered personally identifiable
only if it was easy to identify the student.
The removal of the ``easily traceable'' standard and adoption of
the standards in paragraphs (f) and (g) will not affect a parent's
right under FERPA to inspect and review his or her child's education
records. Records that teachers and other school officials maintain on
students that use only initials, nicknames, or personal descriptions to
identify the student are education records under FERPA because they are
directly related to the student.
Further, records that identify a student by initials, nicknames, or
personal characteristics are personally identifiable information if,
alone or combined with other information, the initials are linked or
linkable to a specific student and would allow a reasonable person in
the school community who does not have personal knowledge about the
situation to identify the student with reasonable certainty. For
example, if teachers and other individuals in the school community
generally would not be able to identify a specific student based on the
student's initials, nickname, or personal characteristics contained in
the record, then the information is not considered personally
identifiable and may be released without consent. Experience has shown,
however, that initials, nicknames, and personal characteristics are
often sufficiently unique in a school community that a reasonable
person can identify the student from this kind of information even
without access to any personal knowledge, such as a key that
specifically links the initials, nickname, or personal characteristics
to the student.
In contrast, if a teacher uses a special code known only by the
teacher and the student (or parent) to identify a student, such as for
posting grades, this code is not considered personally identifiable
information under FERPA because the only reason the teacher can
identify the student is because of the teacher's access to personal
knowledge of the relevant circumstances, i.e., the key that links the
code to the student's name.
In response to the commenter who stated that a school should not be
prevented from releasing information when the subject of the record has
waived any pretense of confidentiality by contacting the media and
making the incident well-known in the community, we have found that in
limited circumstances a parent or student may impliedly waive their
privacy rights under FERPA by disclosing information to parties in a
special relationship with the institution, such as a licensing or
accreditation organization. However, we have not found and do not
believe that parents and students generally waive their privacy rights
under FERPA by sharing information with the media or other members of
the general public. The fact that information is a matter of general
public interest does not give an educational agency or institution
permission to release the same or related information from education
records without consent.
The ``reasonableness'' standards in paragraphs (f) and (g) of the
new definition, which replace the ``easily traceable'' standard, do not
require the exercise of subjective judgment or inquiries into a
requester's motives. Both provisions require the disclosing party to
use legally recognized, objective standards by referring to
identification not in the mind of the disclosing party or requester but
by a reasonable person and with reasonable certainty, and by requiring
the disclosing party to withhold information when it reasonably
believes certain facts to be present. These are not subjective
standards, and these changes will not diminish the privacy protections
in FERPA.
The standard proposed in paragraph (f) regarding the knowledge of a
reasonable person in the school or its community was not intended to
describe the technological or scientific skill level of a person who
would be capable of re-identifying statistical information or redacted
records. Rather, it provided the standard an agency or
[[Page 74832]]
institution should use to determine whether statistical information or
a redacted record will identify a student, even though certain
identifiers have been removed, because of a well-publicized incident or
some other factor known in the community. For example, as explained in
the preamble to the NPRM, 73 FR 15583, a school may not release
statistics on penalties imposed on students for cheating on a test
where the local media have published identifiable information about the
only student (or students) who received that penalty; that statistical
information or redacted record is now personally identifiable to the
student or students because of the local publicity.
Paragraph (f) in the proposed definition provided that the agency
or institution must make a determination about whether information is
personally identifiable information not with regard to what someone
with personal knowledge of the relevant circumstances would know, such
as the principal who imposed the penalty, but with regard to what a
reasonable person in the school or its community would know, i.e.,
based on local publicity, communications, and other ordinary
conditions. We agree with the comment that the ``school or its
community'' standard was confusing because it was not clear whether
just the school itself or the larger community in which the school is
located is the relevant group for determining what a reasonable person
would know.
We are changing this standard in paragraph (f) to the ``school
community'' and by this change we mean that an educational agency or
institution may not select a broader ``community'' standard when the
information to be released would be personally identifiable under the
narrower ``school'' standard. For example, it might be well known among
students, teachers, administrators, parents, coaches, volunteers, or
others at the local high school that a student was caught bringing a
gun to class last month but generally unknown in the town where the
school is located. In these circumstances, a school district may not
disclose that a high school student was suspended for bringing a gun to
class last month, even though a reasonable person in the community
where the school is located would not be able to identify the student,
because a reasonable person in the high school would be able to
identify the student. The student's privacy is further protected
because a reasonable person in the school community is also presumed to
have at least the knowledge of a reasonable person in the local
community, the region or State, the United States, and the world in
general. The ``school community'' standard, therefore, provides the
maximum privacy protection for students.
We do not agree that the reference to ``reasonable person'' should
be changed to ``ordinary person.'' ``Reasonable person'' is a legally
recognized standard that represents a hypothetical, rational, prudent,
average individual. It would be confusing and inappropriate to
introduce a new term ``ordinary'' in this context.
The standard in paragraph (f) excludes from the ``reasonable person
in the school community'' standard persons who have personal knowledge
of the ``relevant circumstances,'' which one commenter considered
vague. Under this standard, an agency or institution is not required to
take into consideration when releasing redacted or statistical
information that someone with special knowledge of the circumstances
could identify the student. For example, if it is generally known in
the school community that a particular student is HIV-positive, or that
there is an HIV-positive student in the school, then the school could
not reveal that the only HIV-positive student in the school was
suspended. However, if it is not generally known or obvious that there
is an HIV-positive student in school, then the same information could
be released, even though someone with special knowledge of the
student's status as HIV-positive would be able to identify the student
and learn that he or she had been suspended.
The provisions in paragraph (g) regarding targeted requests do not
require an educational agency or institution to ascertain or guess a
requester's motives for seeking information from education records or
what a requester intends to do with the information. This paragraph
addresses a situation in which a requester seeks what might generally
qualify as a properly redacted record but the facts indicate that
redaction is a useless formality because the subject's identity is
already known.
An educational agency or institution is not required under
paragraph (g) to make any special inquiries or otherwise seek
information about the person requesting information from education
records. It must use information that is obvious on the face of the
request or provided by the requester, such as when a requester asks for
the redacted transcripts of a particular student. Paragraph (f) also
requires an agency or institution to use information known to a
reasonable person in the school community, such as when a requester
asks for the redacted transcripts of all basketball players who were
expelled for accepting bribes after the local newspaper published a
story about the matter. Paragraphs (f) and (g) do not require an
educational agency or institution to inquire whether a requester has
special knowledge not available generally in the school community that
would make the subject of the record identifiable. We disagree with the
comment that paragraph (f) is sufficient and paragraph (g) should be
removed. Paragraph (g) addresses the problem of targeted requests,
which is not addressed under paragraph (f).
We agree with the comment that the provision in paragraph (g) under
which an agency or institution must determine whether the information
requested is personally identifiable information based on its
reasonable belief that the requester has ``direct, personal'' knowledge
of the identity of the student to whom the record relates is ambiguous
and confusing, especially in relation to what might be considered
indirect knowledge. Therefore, we have modified this provision so that
an educational agency or institution must simply have a reasonable
belief that the requester knows the identity of the student to whom the
record relates.
In reviewing a complaint that an educational agency or institution
disclosed personally identifiable information from an education record
in response to a targeted request, the Department would examine the
request itself, the facts on which the agency or institution based its
decision to release the information, as well as any information known
generally in the school community that the agency or institution failed
to take into account. The Department would also counsel an agency or
institution about the nature of the violation in connection with the
Department's responsibility for seeking voluntary compliance with FERPA
before initiating any enforcement action under Sec. 99.67.
With regard to the comment that the standard in paragraph (g) will
impair due process in student discipline cases, it is unclear what the
commenter means by releasing redacted witness statements under its
current practice. Education records are defined in FERPA as records
that are directly related to a student and maintained by an educational
agency or institution, or by a party acting for the agency or
institution. 20 U.S.C. 1232g(a)(4)(A); 34 CFR 99.3. Under this
definition, a parent (or eligible student) has a right to inspect and
review any witness statement that is directly related to the student,
even if that statement
[[Page 74833]]
contains information that is also directly related to another student,
if the information cannot be segregated and redacted without destroying
its meaning.
For example, parents of both John and Michael would have a right to
inspect and review the following information in a witness statement
maintained by their school district because it is directly related to
both students: ``John grabbed Michael's backpack and hit him over the
head with it.'' Further, in this example, before allowing Michael's
parents to inspect and review the statement, the district must also
redact any information about John (or any other student) that is not
directly related to Michael, such as: ``John also punched Steven in the
stomach and took his gloves.'' Since Michael's parents likely know from
their son about other students involved in the altercation, under
paragraph (g) the district could not release any part of this sentence
to Michael's parents. We note also that the sanction imposed on a
student for misconduct is not generally considered directly related to
another student, even the student who was injured or victimized by the
disciplined student's conduct, except if a perpetrator has been ordered
to stay away from a victim.
In order to provide maximum flexibility to educational agencies and
institutions, we did not attempt to define or list all other ``indirect
identifiers''. We believe that the examples listed in paragraph (3) of
the definition of personally identifiable information--date of birth,
place of birth, and mother's maiden name--indicate clearly the kind of
information that could identify a student. Race and ethnicity, for
example, could also be indirect identifiers. It is not possible,
however, to list all the possible indirect identifiers and ways in
which information might indirectly identify a student. Further, unlike
the HIPAA Privacy Rule, these regulations do not attempt to provide a
``safe harbor'' by listing all the information that may be removed in
order to satisfy the de-identification requirements in Sec. 99.31(b).
We have also added a definition of biometric record that is based on
National Security Presidential Directive 59 and Homeland Security
Presidential Directive 24.
Changes: We added a definition of biometric record, which provides
that the term means a record of one or more measurable biological or
behavioral characteristics that can be used for automated recognition
of an individual. Examples include fingerprints, retina and iris
patterns, voiceprints, DNA sequence, facial characteristics, and
handwriting.
We also have revised paragraph (f) in the definition of personally
identifiable information to change the reference ``school or its
community'' to ``school community.'' In paragraph (g) of the definition
of personally identifiable information, we removed the requirement that
the requester have ``direct, personal knowledge.'' As revised,
paragraph (g) provides that personally identifiable information means
information requested by a person who the educational agency or
institution reasonably believes knows the identity of the student to
whom the record relates.
(b) De-Identified Records and Information
Comment: We received a number of comments on Sec. 99.31(b)(1),
which would allow an educational agency or institution, or a party that
has received personally identifiable information from education
records, to release the records or information without parental consent
after the removal of all personally identifiable information, provided
that the educational agency or institution or other party has made a
reasonable determination that a student's identity is not personally
identifiable because of unique patterns of information about the
student, whether through single or multiple releases, and taking into
account other reasonably available information. In order to permit
ongoing educational research with the same data, Sec. 99.31(b)(2)
allows an educational agency or institution or other party that
releases de-identified, non-aggregated data (also known as
``microdata'') from education records to attach a code to each record,
which may allow the recipient to match information received from the
same source, under three conditions--(1) the educational agency or
institution does not disclose any information about how it generates
and assigns a record code, or that would allow a recipient to identify
a student based on a record code; (2) the record code is used for no
purpose other than identifying a de-identified record for purposes of
education research and cannot be used to ascertain personally
identifiable information about a student; and (3) the record code is
not based on a student's social security number or other personal
information.
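The three record-code conditions summarized above can be illustrated with a short sketch. This is an added example, not part of the Federal Register text or any Department tool: the registry class, function names, field names and student rows are all hypothetical and constructed. It contrasts a code derived from a social security number with a random code whose mapping stays with the releasing party, and shows that the random code still lets a recipient match two releases from the same source.

```python
import hashlib
import secrets

# Constructed sample rows; the identifiers and SSN-shaped strings are not real.
STUDENTS = [
    {"student_id": "S-0001", "ssn": "000-00-0001", "dob": "2001-03-14",
     "grade8_math": 71, "grade9_math": 78},
    {"student_id": "S-0002", "ssn": "000-00-0002", "dob": "2001-07-02",
     "grade8_math": 88, "grade9_math": 85},
    {"student_id": "S-0003", "ssn": "000-00-0003", "dob": "2000-11-23",
     "grade8_math": 64, "grade9_math": 70},
]


class RecordCodeRegistry:
    """Held only by the releasing party; never shipped with a release."""

    def __init__(self):
        self._code_by_student = {}

    def code_for(self, student_id):
        # Random 128-bit code, assigned once and reused so that later
        # releases from the same source can be matched by the recipient.
        if student_id not in self._code_by_student:
            self._code_by_student[student_id] = secrets.token_hex(16)
        return self._code_by_student[student_id]


def weak_code(student):
    """Code based on personal information: what condition (3) rules out."""
    return hashlib.sha256(student["ssn"].encode()).hexdigest()


def code_is_derived_from(code, student):
    """Pre-release audit: is the code a field value or a plain digest of one?"""
    for value in student.values():
        text = str(value)
        if code == text:
            return True
        for algo in ("sha1", "sha256", "sha512"):
            digest = hashlib.new(algo, text.encode()).hexdigest()
            if digest.startswith(code):  # also catches truncated digests
                return True
    return False


def coded_release(students, fields, code_fn):
    """Build a release containing only the record code and the named fields."""
    return [{"record_code": code_fn(s), **{f: s[f] for f in fields}}
            for s in students]


def match_releases(first, second):
    """Recipient side: join two releases on the record code alone."""
    by_code = {row["record_code"]: row for row in first}
    return [{**by_code[row["record_code"]], **row}
            for row in second if row["record_code"] in by_code]


if __name__ == "__main__":
    registry = RecordCodeRegistry()
    assign = lambda s: registry.code_for(s["student_id"])
    year1 = coded_release(STUDENTS, ["grade8_math"], assign)
    year2 = coded_release(STUDENTS, ["grade9_math"], assign)
    print(match_releases(year1, year2))
```

The audit function only catches unsalted digests of fields present in the student row; it is a sanity check before release, not proof that a code scheme is safe.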
Several commenters supported these proposed regulations and said
that they will help facilitate valuable educational research. One of
these commenters said that the provisions for de-identification of
education records create clear standards that will allow researchers to
conduct necessary research without compromising student privacy. One
commenter appreciated being able to attach a code or linking key to
records to facilitate matching students across data sets while
preserving student confidentiality.
One commenter stated that de-identified data do not support
appropriate analytical research that will lead to improved educational
outcomes. Further, according to this commenter, complete de-
identification of systematic, longitudinal data on every student may
not be possible.
Two commenters expressed concern that agencies and institutions
redact too much information from education records and said that the
Department should err on the side of disclosure of disaggregated data
so that journalists and researchers can obtain accurate information
about how students in every accountability subgroup are performing.
These commenters said that the regulations should take into account the
real track record of journalists and researchers in maintaining the
confidentiality of information from education records.
One commenter said that many institutions and individuals have the
ability to re-identify seemingly de-identified data and that it is
generally much easier to do than most people realize because 87 percent
of Americans can be identified uniquely from their date of birth, five-
digit zip code, and gender. This commenter said that the regulations
need to take into account that re-identification is a much greater risk
for student data than other kinds of information because FERPA allows
for the regular publication of student directories that contain a
wealth of personal information, including address and date of birth,
that can be used with existing tools and emerging technology to re-
identify statistical data, even by non-experts.
Another commenter said that because the de-identification process
is so resource-intensive, the regulations should allow the research
entity to de-identify education records as a contractor under Sec.
99.31(a)(1) of the regulations.
We explained in the preamble to the NPRM (73 FR 15585) that
educational agencies and institutions should monitor releases of coded,
de-identified microdata from education records to ensure that
overlapping or successive releases do not result in data sets in which
a student's personally identifiable information is disclosed. One
commenter said that this monitoring requirement was too burdensome
given the vast number of
[[Page 74834]]
data requests it receives and asked us to limit the monitoring
requirement to single or multiple releases it makes to the same party.
An SEA asked specifically for clarification in the regulations
regarding what steps, if any, it must take to ensure that multiple
releases of de-identified data to the same requester over time that the
requester intends to use for a longitudinal study do not result in
small data cells that may reveal the identity of the student. A school
district said that the regulations should require the destruction of
de-identified information from education records by the receiving party
to avoid the problem of combining successive data releases to identify
students.
Some commenters said that the regulations should provide objective
standards for the de-identification of education records. One commenter
asked the Department to prescribe a method for States to adopt to
ensure that student confidentiality is protected. Two commenters asked
specifically for guidance on what minimum cell size should be allowed
when releasing statistical information. Several commenters said that
SEAs and school districts need specific guidance regarding the release
of student achievement data under the NCLB, including, in particular,
reporting 100 percent achievement of certain performance levels on
State assessments. One commenter who opposed restrictions on the
release of de-identified data referred to instances in which some
States have created minimum cell sizes of 100 for reporting
disaggregated data under NCLB, which prevents the release of a great
deal of important information. Another commenter said that our
discussion of small cell sizes in the preamble to the NPRM, 73 FR
15584, reflected a misunderstanding of the problem.
One commenter said that Sec. 99.31(b) is confusing because it is
not clear how paragraph (b)(2), which is limited to educational
research, relates to paragraph (b)(1), which is not so limited. This
commenter also said that the regulations impose an unnecessary burden
on the entity receiving a request for information and that the
requirements of paragraph (f) in the definition of personally
identifiable information are sufficient to de-identify education
records. Another commenter said that the language in Sec. 99.31(b)(1)
that requires consideration of unique patterns of information about a
student is confusing and creates ambiguity because the definition of
personally identifiable information itself incorporates standards for
de-identification that appear to differ from the standard in Sec.
99.31(b).
Discussion: As explained in the preamble to the NPRM, 73 FR 15584-
15585, we believe that the regulatory standard for de-identifying
information from education records establishes an appropriate balance
that facilitates the release of appropriate information for school
accountability and educational research purposes while preserving the
statutory privacy protections in FERPA. Unlike the HIPAA Privacy Rule,
these regulations do not attempt to provide a ``safe harbor'' by
listing all the direct and indirect identifiers that may be removed to
satisfy the de-identification requirements in Sec. 99.31(b). Rather,
they are intended to provide standards under which information from
education records may be released without consent because all
personally identifiable information has been removed.
The Department recognizes that de-identified data may not be
appropriate for all educational research purposes and that complete de-
identification of longitudinal student data may not be possible without
sacrificing essential content and usability. In these situations, and
as discussed elsewhere in this preamble, FERPA allows the disclosure
and redisclosure of personally identifiable information from education
records, without consent, to researchers under the terms and conditions
specified in Sec. Sec. 99.31(a)(1), 99.31(a)(3), and 99.31(6). We note
that a researcher who receives personally identifiable information
under these provisions would, however, have to de-identify any report
or other information in accordance with Sec. 99.31(b) before releasing
it to the public or other parties, including other researchers.
In response to comments that educational agencies and institutions
may remove too much information from education records, we note that
while we have attempted to provide a balanced standard for the release
of de-identified data for school accountability and other purposes,
FERPA is a privacy statute, and no party has a right under FERPA to
obtain information from education records except parents and eligible
students. Further, there is no statutory authority in FERPA to modify
the prohibition on disclosure of personally identifiable information
from education records, or the exceptions to the written consent
requirement, based on the track record of the party, including
journalists and researchers, in maintaining the confidentiality of
information from education records that they have received.
In response to the comment about allowing a researcher to de-
identify education records, educational agencies and institutions may
outsource the de-identification process to any outside service provider
serving as a school official in accordance with the requirements in
Sec. 99.31(a)(1)(i)(B). (Those requirements are discussed in detail in
the preamble to the NPRM at 73 FR 15578-15580 and elsewhere in these
final regulations.) State and local educational authorities and Federal
officials and agencies listed in Sec. 99.31(a)(3) may outsource the
de-identification process to their authorized representatives under the
conditions specified in Sec. 99.35.
We agree that the risk of re-identification may be greater for
student data than other information because of the regular publication
of student directories, commercial databases, and de-identified but
detailed educational reports by States and researchers that can be
manipulated with increasing ease by computer technology. As noted in
the preamble to the NPRM, 73 FR 15584, the re-identification risk of
any given release is cumulative, i.e., directly related to what has
previously been released, and this includes both publicly-available
directory information, which is personally identifiable, and de-
identified data releases. For that reason, we advised in the NPRM that
parties should minimize information released in directories to the
extent possible because, since the enactment of FERPA in 1974, the risk
of re-identification from such information has grown as a result of new
technologies and methods.
In response to comments about the need to monitor releases of
coded, de-identified microdata to avoid re-identification of the data,
because the risk of re-identification is cumulative, when making a new
disclosure of coded data an educational agency or institution or other
party must take into account all releases of information from education
records it has made, not just releases it has made to the recipient of
new data. We note that some of the publicly available directory
information and de-identified data releases that need to be taken into
account have been produced by the same agency or institution, State or
local educational authority, or Federal official that wishes to release
newly de-identified information. In general, FERPA poses no
restrictions on the recipient's use of directory information and de-
identified data from education records. Therefore, it may be unclear
whether previous data releases are available generally, have been
shared with a limited number of
[[Page 74835]]
parties, or not shared at all. Further, unlike personally identifiable
information that is disclosed under Sec. Sec. 99.31(a)(3) and (a)(6),
de-identified information from education records does not have to be
destroyed when no longer needed for the purposes for which it was
released. We note, however, that a releasing party would reduce its
monitoring responsibilities if it requires destruction or prohibits
redisclosure of coded, de-identified microdata, because coded, de-
identified microdata has a higher risk of re-identification than de-
identified microdata. In the future the Department will provide further
information on how to monitor and limit disclosure of personally
identifiable information in successive statistical data releases.
In response to requests for guidance on what specific steps and
methods should be used to de-identify information (and as noted in the
preamble to the NPRM, 73 FR 15584), it is not possible to prescribe or
identify a single method to minimize the risk of disclosing personally
identifiable information in redacted records or statistical information
that will apply in every circumstance, including determining whether
defining a minimum cell size is an appropriate means to protect the
confidentiality of aggregated data and, if so, selection of an
appropriate number. This is because determining whether a particular
set of methods for de-identifying data and limiting disclosure risk is
adequate cannot be made without examining the underlying data sets,
other data that have been released, publicly available directories, and
other data that are linked or linkable to the information in question.
For these reasons, we are unable to provide examples of rules and
policies that necessarily meet the de-identification requirements in
Sec. 99.31(b). The releasing party is responsible for conducting its
own analysis and identifying the best methods to protect the
confidentiality of information from education records it chooses to
release. We recommend that State educational authorities, educational
agencies and institutions, and other parties refer to the examples and
methods described in the NPRM at page 15584 and refer to the Federal
Committee on Statistical Methodology's Statistical Policy Working Paper
22, www.fcsm.gov/working-papers/wp22.html, for additional guidance.
With regard to issues with NCLB reporting in particular,
determining the minimum cell size to ensure statistical reliability of
information is a completely different analysis than that used to
determine the appropriate minimum cell size to ensure confidentiality.
Further, as noted in the preceding paragraph and in the preamble to the
NPRM, use of minimum cell sizes or data suppression is only one of
several ways in which information from education records may be de-
identified before release. Statistical Policy Working Paper 22
describes other disclosure limitation methods, such as ``top coding''
and ``data swapping,'' which may be more suitable than simple data
suppression for releasing the maximum amount of information to the
public without breaching confidentiality requirements. Decisions
regarding whether to use data suppression or some other method or
combination of methods to avoid disclosing personally identifiable
information in statistical information must be made on a case-by-case
basis.
We agree with the commenter who said that the example we provided
in the preamble to the NPRM regarding the small cell problem in
reporting that two Hispanic females failed to graduate was misleading
and offer the following, more complete explanation. Simply knowing that
one out of 100 Hispanic females failed to graduate does not identify
which of the Hispanic females it might be. But suppose this female is
an English language learner who is also enrolled in special education
classes. The school also publishes tables on participation in special
education classes by race, ethnicity, and grade, and tables that
include the graduation status of Hispanic females disaggregated in one
table by English language proficiency status, and by participation in
special education classes in another. Suppose that these three
tabulations each show separately that there is one 12th grade Hispanic
female enrolled in special education classes, that the one Hispanic
female who did not graduate was enrolled in special education classes,
and that the one Hispanic female who did not graduate was an English
language learner. With this information, the discerning observer knows
that the one Hispanic female who failed to graduate is an English
language learner and that she was the only 12th grade Hispanic student
enrolled in special education classes. Any number of people in the
school would be able to identify the Hispanic female who did not
graduate with these three pieces of information.
Expanding the example to two individuals, the logic is similar,
except in this case each of the Hispanic females knows her own
characteristics and can find herself in each of the available tables,
and thus by a process of elimination identifies the characteristics of
the other non-graduate, perhaps learning something she did not already
know about the other student. The published tables show that there are
two 12th grade Hispanic females enrolled in special education classes,
one with a learning disability and one with mental retardation. The
tables also show that the two Hispanic females who did not graduate
were enrolled in special education classes, and that the two Hispanic
females who did not graduate were both English language learners.
Others in the school community may be able to identify the two 12th
grade Hispanic females who are English language learners enrolled in
special education classes, but not necessarily be able to distinguish
the student with the learning disability from the student with mental
retardation. However, each girl knows her own disability and by the
process of elimination now knows the other girl's disability.
Similarly, anyone with knowledge of one of the two Hispanic females who
did not graduate can find that girl in the tables, and then isolate the
characteristics that belong to the other Hispanic female.
This example can be expanded to an example with three Hispanic
females who fail to graduate. All three of the Hispanic females who did
not graduate are English language learners, and two Hispanic females
who did not graduate are enrolled in special education classes--one
with a learning disability and the other with mental retardation. In
this case, the one Hispanic female who is an English language learner
and did not graduate now knows that the other two Hispanic females in
her English language learner classes and also did not graduate are in
the special education program, but she does not know which condition
each girl has. By the same logic, each of the two females who did not
graduate and are in special education classes knows her own disability
and as a result knows the disability of the other Hispanic female who
was an English language learner enrolled in special education classes
who did not graduate. These are some examples of situations in which
small cell data reveals personally identifiable information from
education records.
The Secretary has no statutory authority to modify the regulations
to allow LEAs and SEAs to report that 100 percent of students achieved
specified performance levels. In that regard we note that the
Department's Non-Regulatory Guidance for NCLB Report Cards (2003)
provides:
[S]chools must also ensure that the data they report do not
reveal personally identifiable information about individual students
* * *. States must adopt a strategy
[[Page 74836]]
for dealing with a situation in which all students in a particular
subgroup scored at the same achievement level. One solution,
referred to as ``masking'' the data, is to use the notation of >95%
when all students in a subgroup score at the same achievement level.
See www.ed.gov/programs/titleiparta/reportcardsguidance.doc on page 3.
Likewise, LEAs and SEAs must adopt a strategy for ensuring that they do
not disclose personally identifiable information about low-performing
students when they release information about their high-performing
students.
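The elimination reasoning in the two- and three-student examples above, and the >95% masking notation quoted from the NCLB guidance, can be checked before tables are released. The Python below is an added example, not part of the Federal Register text or any Department tool; the joint-cell layout, the function names, the top-coding of every rate above 95 percent (so that the mask does not itself signal 100 percent), and the mirrored <5% notation are assumptions of the example.

```python
from collections import defaultdict

# Constructed cells for the two-student example: one entry per published
# joint cell for 12th grade Hispanic females who did not graduate.
# "LD" and "MR" abbreviate the two disability categories named in the text.
TWO = [
    ({"ell": "yes", "sped": "yes", "disability": "LD"}, 1),
    ({"ell": "yes", "sped": "yes", "disability": "MR"}, 1),
]
# Constructed cells for the three-student example: a third English language
# learner who did not graduate and is not in special education.
THREE = TWO + [({"ell": "yes", "sped": "no", "disability": "none"}, 1)]


def disclosed_values(cells, known, sensitive, insider=None):
    """Return {known-attribute values: sensitive value} for every group of
    students whose sensitive attribute is fully determined by the cells.

    cells     -- list of (attributes, count) pairs for one subgroup
    known     -- attributes the reader can already observe about a student
    sensitive -- the attribute the tables are not supposed to reveal
    insider   -- the reader's own attributes, if she is in the subgroup;
                 her record is subtracted first (process of elimination)
    """
    remaining = []
    removed = insider is None
    for attrs, count in cells:
        if not removed and attrs == insider and count > 0:
            count -= 1          # the insider removes herself from her cell
            removed = True
        if count > 0:
            remaining.append(attrs)
    if not removed:
        raise ValueError("insider's record is not in the published cells")

    # Group what is left by the observable attributes and collect the
    # sensitive values that still fit each group.
    candidates = defaultdict(set)
    for attrs in remaining:
        candidates[tuple(attrs[k] for k in known)].add(attrs[sensitive])

    # A group with exactly one candidate value is a disclosure.
    return {key: next(iter(vals))
            for key, vals in candidates.items() if len(vals) == 1}


def mask_rate(at_level, total):
    """Format the share of a subgroup at one achievement level for release.

    The guidance quoted above masks a 100 percent result as ">95%". This
    example (assumption) masks every rate above 95 percent the same way,
    because printing 96-99 percent exactly would leave ">95%" meaning only
    100 percent. "<5%" is the assumed mirror for the low end.
    """
    if total <= 0:
        raise ValueError("subgroup is empty")
    if at_level * 100 > 95 * total:
        return ">95%"
    if at_level * 100 < 5 * total:
        return "<5%"
    return f"{round(100 * at_level / total)}%"


if __name__ == "__main__":
    observable = ("ell", "sped")
    # Someone in the school community: cannot tell the two students apart.
    print(disclosed_values(TWO, observable, "disability"))
    # One of the two students: learns the other's disability.
    print(disclosed_values(TWO, observable, "disability", insider=TWO[0][0]))
    # Third student in the three-student case: learns the others are in
    # special education, but not which disability each has.
    third = THREE[2][0]
    print(disclosed_values(THREE, ("ell",), "sped", insider=third))
    print(disclosed_values(THREE, observable, "disability", insider=third))
    print(mask_rate(12, 12), mask_rate(23, 24), mask_rate(6, 12))
```

An empty result means the release does not pin down the sensitive attribute for that reader; any non-empty result identifies a cell that needs suppression or recoding before publication.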
In response to the comments that paragraphs (1) and (2) in Sec.
99.31(b) are confusing, paragraph (1) establishes a standard for de-
identifying education records that applies to disclosures made to any
party for any purpose, including, for example, parents and other
members of the general public who are interested in school
accountability issues, as well as education policy makers and
researchers. The release of de-identified information from education
records under Sec. 99.31(b)(1) is not limited to education research
purposes because, by definition, the information does not contain any
personally identifiable information.
Paragraph (2) of Sec. 99.31(b) applies only to parties conducting
education research; it allows an educational agency or institution, or
a party that has received education records, such as a State
educational authority, to attach a code to each record that may allow
the researcher to match microdata received from the same educational
source under the conditions specified. The purpose of paragraph (2) is
to facilitate education research by authorizing the release of coded
microdata. The requirements in paragraph (2) that apply to a record
code preclude matching de-identified data from education records with
data from another source. Therefore, by its terms, the release of coded
microdata under paragraph (2) is limited to education research.
We agree with the commenter who stated that the reference in Sec.
99.31(b)(1) to ``unique patterns of information about a student'' is
confusing in relation to the definition of personally identifiable
information and believe that it essentially restated the requirements
in paragraph (f) of the definition. Therefore, we have removed this
phrase from the regulations. We disagree that the definition of
personally identifiable information and the requirements in Sec.
99.31(b) impose an unnecessary burden on the entity receiving a request
for de-identified information from education records and that the
requirements in paragraph (f) in the definition are sufficient. As
explained above, paragraph (f) does not address the problem of targeted
requests. It also does not address the re-identification risk
associated with multiple data releases and other reasonably available
information, or allow for the coding of de-identified micro data for
educational research purposes. Section 99.31(b) provides the additional
standards needed to help ensure that educational agencies and
institutions and other parties do not identify students when they
release redacted records or statistical data from education records.
Changes: We have removed the reference to ``unique patterns of
information'' in Sec. 99.31(b).
Notification of Subpoena (Sec. 99.33(b)(2))
Comment: We received a few comments on our proposal in Sec.
99.33(b)(2) to require a party that has received personally
identifiable information from education records from an educational
agency or institution to provide the notice to parents and eligible
students under Sec. 99.31(a)(9) before it discloses that information
on behalf of an educational agency or institution in compliance with a
judicial order or lawfully issued subpoena. One national education
association supported the proposed amendment.
One commenter asked the Department to clarify the intent of the
proposed language. This commenter said that, when an educational agency
or institution requests that a third party make the disclosure to
comply with a lawfully issued subpoena or court order, it is reasonable
to expect the educational agency or institution to send the required
notice to the student(s). The commenter also said that it was not clear
from the proposed change whether it is sufficient for the educational
agency or institution to send the notice or whether it must come from
the third party.
Discussion: The Secretary agrees that there needs to be
clarification about which party is responsible for notifying parents
and eligible students before an SEA or other third party outside of the
educational agency or institution discloses education records to comply
with a lawfully issued subpoena or court order. We have revised the
regulation to provide that the burden to notify a parent or eligible
student rests with the recipient of the subpoena or court order. While
a third party, such as an SEA, that is the recipient of a subpoena or
court order is responsible for notifying the parents and eligible
students before complying with the order or subpoena, the educational
agency or institution could assist the third party in the notification
requirement, by providing it with contact information so that it could
provide the notice.
In order to ensure that this new requirement is enforceable, we
have also revised Sec. 99.33(e) so that if the Department determines
that a third party, such as an SEA, did not provide the notification
required under Sec. 99.31(a)(9)(ii), the educational agency or
institution may not allow that third party access to education records
for at least five years.
Changes: We have amended Sec. 99.33(b)(2) to clarify that the
third party that receives the subpoena or court order is responsible
for meeting the notification requirements under Sec. 99.31(a)(9). We
also have revised Sec. 99.33(e) to provide that if the Department
determines that a third party, such as an SEA, did not provide the
notification required under Sec. 99.31(a)(9)(ii), the educational
agency or institution may not allow that third party access to
education records for at least five years.
Health or Safety Emergency (Sec. 99.36)
Comment: We received many comments in support of our proposal to
amend Sec. 99.36 regarding disclosures of personally identifiable
information without consent in a health or safety emergency. Most of
the parties that commented stated that the proposed changes
demonstrated the right balance between student privacy and campus
safety. A number of commenters specifically supported the clarification
regarding the disclosure of information from an eligible student's
education records to that student's parents when a health or safety
emergency occurs. One commenter said that the proposed amendment would
provide appropriate protection for sensitive and otherwise protected
information while clarifying that educational agencies and institutions
may notify parents and other appropriate individuals in an emergency so
that they may intervene to help protect the health and safety of those
involved.
Discussion: We appreciate the commenters' support for the
amendments to the ``health or safety emergency'' exception in Sec.
99.36(b). Educational agencies and institutions are permitted to
disclose personally identifiable information from students' education
records, without consent, under Sec. 99.31(a)(10) in connection with a
health or safety emergency. Disclosures under Sec. 99.31(a)(10) must
meet the conditions described in Sec. 99.36. We address specific
comments
[[Page 74837]]
about the proposed amendments to this exception in the following
paragraphs.
Changes: None.
(a) Disclosure in Non-Emergency Situations
Comment: Some commenters suggested that we interpret Sec. 99.36 to
permit the sharing of information on reportable diseases to health
officials in non-emergency situations. These commenters stated that the
disclosure of routine immunization data should be subject to State,
local, and regional public health laws and regulations and not FERPA.
One of these commenters noted that the HIPAA Privacy Rule allows
covered entities to disclose personally identifiable health data,
without consent, to public health authorities.
Discussion: There is no authority in FERPA to exclude students'
immunization records from the definition of education records in FERPA.
Further, the HIPAA Privacy Rule specifically excludes from coverage
health care information that is maintained as an ``education record''
under FERPA. 45 CFR 160.103, Protected health information. We
understand that the HIPAA Privacy Rule allows covered entities to
disclose identifiable health data without written consent to public
health authorities. However, there is no statutory exception to the
written consent requirement in FERPA to permit this type of disclosure.
As explained in the preamble to the NPRM (73 FR 15589), the
amendment to the health or safety emergency exception in Sec. 99.36
does not allow disclosures on a routine, non-emergency basis, such as
the routine sharing of student information with the local police
department. Likewise, this exception does not cover routine, non-
emergency disclosures of students' immunization data to public health
authorities. Consequently, there is no statutory basis for the
Department to revise the regulatory language as requested by the
commenters.
Changes: None.
(b) Strict Construction Standard
Comment: Several commenters expressed concern that removing the
language from current Sec. 99.36 requiring strict construction of the
``health and safety emergency'' exception and substituting the language
providing for a ``rational basis'' standard would not require schools
to make an individual assessment to determine if there is an emergency
that warrants a disclosure. One commenter stated that removal of the
``strict construction'' requirement would severely weaken the
Department's enforcement capabilities and that schools may see this
change as an excuse to disclose sensitive student information when
there is not a real emergency.
A commenter stated that the removal of the ``strict construction''
requirement would mean that the Department would eliminate altogether
its review of actions taken by schools under the health and safety
emergency exception. Another commenter stated that removing the
requirement that this exception be strictly construed could erode the
privacy rights of individuals. The commenter noted that because parents
and eligible students cannot bring suit in court to enforce FERPA,
schools face virtually no liability if they violate FERPA requirements.
A commenter asked that the Department clarify what is meant by an
``emergency'' and how severe a concern must be to qualify as an
emergency.
Discussion: Section 99.36(c) eliminates the previous requirement
that paragraphs (a) and (b) of this section be ``strictly construed''
and provides instead that, in making a determination whether a
disclosure may be made under the ``health or safety emergency''
exception, an educational agency or institution may take into account
the totality of the circumstances pertaining to a threat to the health
or safety of a student or other individuals. The new provision states
that if there is an articulable and significant threat to the health or
safety of the student or other individuals, an educational agency or
institution may disclose information to appropriate parties.
As we indicated in the preamble to the NPRM, we believe paragraph
(c) provides greater flexibility and deference to school administrators
so they can bring appropriate resources to bear on a circumstance that
threatens the health or safety of individuals. 73 FR 15574, 15589. In
that regard, paragraph (c) provides that the Department will not
substitute its judgment for that of the agency or institution if, based
on the information available at the time of the determination, there is
a rational basis for the agency's or institution's determination that a
health or safety emergency exists and that the disclosure was made to
appropriate parties.
We do not agree that removal of the ``strict construction''
standard weakens FERPA or erodes privacy protections. Rather, the
changes appropriately balance the important interests of safety and
privacy by providing school officials with the flexibility to act
quickly and decisively when emergencies arise. Schools should not view
FERPA's ``health or safety emergency'' exception as a blanket exception
for routine disclosures of student information but as limited to
disclosures necessary to protect the health or safety of a student or
another individual in connection with an emergency.
After consideration of the comments, we have determined that
educational agencies and institutions should be required to record the
``articulable and significant threat to the health or safety of a
student or other individuals'' so that they can demonstrate (to
parents, students, and to the Department) what circumstances led them
to determine that a health or safety emergency existed and how they
justified the disclosure. Currently, educational agencies and
institutions are required under Sec. 99.32(a) to record any disclosure
of personally identifiable information from education records made
under Sec. 99.31(a)(10) and Sec. 99.36. We are revising the
recordation requirements in Sec. 99.32(a)(5) to require an agency or
institution to record the articulable and significant threat that
formed the basis for the disclosure. The school must maintain this
record with the education records of the student for as long as the
student's education records are maintained (Sec. 99.32(a)(2)).
We do not specify in the regulations a time period in which an
educational agency or institution must record a disclosure of
personally identifiable information from education records under Sec.
99.32(a). We interpret this to mean that an agency or institution must
record a disclosure within a reasonable period of time after the
disclosure has been made, and not just at the time, if any, when a
parent or student asks to inspect the student's record of disclosures.
We will treat the requirement to record the significant and articulable
threat that forms the basis for a disclosure under the health or safety
emergency exception no differently than the recordation of other
disclosures. In determining whether a period of time for recordation is
reasonable, we would examine the relevant facts surrounding the
disclosure and anticipate that an agency or institution would address
the health or safety emergency itself before turning to recordation of
any disclosures and other administrative matters.
In response to concerns about the Department's enforcement of the
provisions of Sec. 99.36, the ``rational basis'' test does not
eliminate the Department's responsibility for oversight and
accountability. Actions that the Secretary may take in addressing
violations of this and other
[[Page 74838]]
FERPA provisions are addressed in the analysis of comments under the
section in this preamble entitled Enforcement. While parents and
eligible students do not have a right to sue for violations of FERPA in
a court of law, the statute provides that the Secretary may not make
funds available to any agency or institution that has a policy or
practice of violating parents' and students' rights under the statute
with regard to consent to the disclosure of education records. As such,
parents and eligible students may file a complaint with the Office if
they believe that a school has violated their rights under FERPA and
has disclosed education records under Sec. 99.36 inconsistent with
these regulations. In conducting an investigation, the Office will
require that schools identify the underlying facts that demonstrated
that there was an articulable and significant threat precipitating the
disclosure under Sec. 99.36.
In response to the comment about what would constitute an
emergency, FERPA permits disclosure ``* * * in connection with an
emergency * * * to protect the health or safety of the student or other
persons.'' 20 U.S.C. 1232g(b)(1)(I). We note that the word ``protect''
generally means to keep from harm, attack, or injury. As such, the
statutory text underscores that the educational agency or institution
must be able to release information from education records in
sufficient time for the institution to act to keep persons from harm or
injury. Moreover, to be ``in connection with an emergency'' means to be
related to the threat of an actual, impending, or imminent emergency,
such as a terrorist attack, a natural disaster, a campus shooting, or
the outbreak of an epidemic such as E. coli. An emergency could also be
a situation in which a student gives sufficient, cumulative warning
signs that lead an educational agency or institution to believe the
student may harm himself or others at any moment. It does not mean the
threat of a possible or eventual emergency for which the likelihood of
occurrence is unknown, such as would be addressed in emergency
preparedness activities.
Changes: We have amended the recordkeeping requirements in Sec.
99.32(a)(5) to require educational agencies and institutions to record
the articulable and significant threat that formed the basis for a
disclosure under the health or safety emergency exception and the
parties to whom the information was disclosed.
(c) Articulable and Significant Threat
Comment: One commenter stated that the word ``articulable'' in
Sec. 99.36(c) was confusing in reference to a school's determination
that there is an ``articulable and significant threat to the health or
safety of a student or other individuals.'' This commenter stated that
school officials might interpret the provision to mean that there must
be a verbal threat or that school officials must write down the exact
wording of the threat.
Discussion: The requirement that there must be an ``articulable and
significant threat'' does not mean that the threat must be verbal. It
simply means that the institution must be able to articulate what the
threat is under Sec. 99.36 when it makes and records the disclosure.
In that regard, the words ``articulable and significant'' are
adjectives modifying the key noun ``threat.'' As such, the focus is on
the threat, with the question being whether the threat itself is
articulable and significant. The word ``articulable'' is defined to
mean ``capable of being articulated.'' http://www.merriam-webster.com/dictionary/articulable. This portion of the standard simply requires
that a school official be able to express in words what leads the
official to conclude that a student poses a threat. The other half of
the standard is the word ``significant,'' which means ``of a noticeably
or measurably large amount.'' http://www.merriam-webster.com/dictionary/significant. Taken together, the phrase ``articulable and
significant threat'' means that if a school official can explain why,
based on all the information then available, the official reasonably
believes that a student poses a significant threat, such as a threat of
substantial bodily harm, to any person, including the student, the
school official may disclose education records to any person whose
knowledge of information from those records will assist in protecting a
person from that threat.
Changes: None.
(d) Parties That May Receive Information Under Sec. 99.36
Comment: A commenter recommended that the Department adopt a more
subjective standard regarding the persons to whom education records may
be disclosed under Sec. 99.36, suggesting that we remove the
requirement that the disclosure must be to a person ``whose knowledge
of the information is necessary to protect the health or safety of the
student or other individuals.'' Conversely, another commenter expressed
concern that the Department was sending the wrong message to
educational agencies and institutions with these changes to Sec.
99.36. The commenter stated that the health or safety emergency
exception must not be perceived to permit schools to routinely disclose
education records to parents, police, or others.
A commenter asked who at a school may share personally identifiable
information in a health or safety emergency, and specifically whether a
school secretary would be allowed to tell parents that a student on
campus made a threat to others.
A commenter stated that school districts, especially small or rural
districts, may not have the expertise on staff to determine whether a
situation constitutes an ``articulable and significant threat.'' The
commenter said that personally identifiable information on students may
need to be disclosed to outside law enforcement and mental health
professionals so that they can help schools determine whether a real
threat exists. The commenter recommended that the Department change the
proposed regulations to allow school districts to involve outside
experts in determining whether a health or safety emergency exists.
Noting that the NPRM addressed the disclosure of education records to
an eligible student's parents, the organization also asked for
clarification regarding whether the parents of a potential perpetrator
and the potential victim at the K-12 level could be told about a
threat.
Several commenters stated that our proposed amendments did not go
far enough and urged the Department to expand Sec. 99.36 to permit a
school to notify whomever the student has listed as his or her
emergency contact. Another commenter requested that the Secretary,
through these regulations, direct institutions to proactively notify
parents of students who are in acute care situations, such as illness
or accidents, if any institutional official is aware of the emergency.
Discussion: On its face, FERPA permits disclosure to ``appropriate
persons if the knowledge of such information is necessary to protect
the health or safety of the student or other persons.'' 20 U.S.C.
1232g(b)(1)(I). FERPA does not require that the person receiving the
information be responsible for providing the protection. Rather, the
focus of the statutory provision is on the information itself: The
``health or safety emergency'' exception permits the institution to
disclose information from education records in order to gather
information from any person who has information that would be necessary
to
[[Page 74839]]
provide the requisite protection. Thus, for example, an educational
institution that reasonably believes that a student poses a threat of
bodily harm to any person may disclose information from education
records to current or prior peers of the student or mental health
professionals who can provide the institution with appropriate
information to assist in protecting against the threat. Moreover, the
institution may disclose records to persons such as law enforcement
officials that it determines may be helpful in providing appropriate
protection from the threat. An educational agency or institution may
also generally disclose information under Sec. 99.36 to a potential
victim and the parents of a potential victim as ``other individuals''
whose health or safety may need to be protected.
Similarly, in order to obtain information that would inform its
judgment on how to address the threat, the student's current
institution may disclose information from education records to other
schools or institutions which the student previously attended. In that
regard, the same set of facts underlying the current institution's
determination that an emergency existed would also permit former
schools and institutions attended by the student to disclose personally
identifiable information from education records to the student's
current institution. That is, a former school would not need to make a
separate determination regarding the existence of an articulable and
significant threat to the health or safety of a student or others, and
could rely instead on the determination made by the school currently
attended by the student in making the disclosure.
In the discussion on page 15589 of the NPRM, we noted that the
``health or safety emergency'' exception does not permit a local school
district to routinely share its student information database with the
local police department. This example was meant to clarify that FERPA's
health or safety provisions would not permit a school to disclose
without consent education records to the local police department unless
there was a health or safety emergency and the disclosure of the
information was necessary to protect the health or safety of students
or other individuals. This does not prevent schools from having working
relationships with local police authorities and from using local police
officers in maintaining the safety of their campuses.
In response to the comment about which school official should be
permitted to disclose information under Sec. 99.36, an educational
agency or institution will need to make its own determination about
which school officials may access a student's education records and
disclose information to parents or other parties whose knowledge of the
information is necessary to protect the health or safety of the student
or other individuals. Under Sec. 99.31(a)(1), an educational agency or
institution may disclose education records, without consent, to school
officials whom the agency or institution has determined have legitimate
educational interests in the information. It may be helpful for schools
to have a policy in place concerning which school officials will have
access to and the responsibility for disclosing information in
emergency situations.
We understand that some educational agencies and institutions may
need assistance in determining whether a health or safety emergency
exists for purposes of complying with these regulations. The Department
encourages schools to implement a threat assessment program, including
the establishment of a threat assessment team that utilizes the
expertise of representatives from law enforcement agencies in the
community. Schools can respond to student behavior that raises concerns
about a student's mental health and the safety of the student and
others that is chronic or escalating by using a threat assessment team,
and then make other disclosures under the health or safety emergency
exception, as appropriate, when an ``articulable and significant
threat'' exists. Information on establishing a threat assessment
program and other helpful resources for emergency situations can be
found on the Department's Web site: http://www.ed.gov/admins/lead/safety/edpicks.jhtml?src=ln.
An educational agency or institution may disclose education records
to threat assessment team members who are not employees of the district
or institution if they qualify as ``school officials'' with
``legitimate educational interests'' under Sec. 99.31(a)(1)(i)(B),
which is discussed elsewhere in this preamble. To receive the education
records under the ``school officials'' exception, members of the threat
assessment team must be under the direct control of the educational
agency or institution with respect to the maintenance and use of
personally identifiable information from education records. For
example, a representative from the city police who serves on a school's
threat assessment team generally could not redisclose to the city
police personally identifiable information from a student's education
records to which he or she was privy as part of the team. As noted
above, however, the institution may disclose personally identifiable
information from education records when and if the threat assessment
team determines that a health or safety emergency exists under
Sec. Sec. 99.31(a)(10) and 99.36.
We believe that Sec. 99.36 does not need to be expanded to permit
a school to contact whomever an eligible student has listed as his or
her emergency contact, nor is there authority to do so. FERPA does not
preclude institutions from contacting other parties, including parents,
in addition to the emergency contacts provided by the student, if the
school determines these other parties are ``appropriate parties'' under
this exception. (An eligible student may provide consent for the
institution to notify certain individuals in case of an emergency,
should an emergency occur.)
The regulations would not prevent an institution from having a
policy of seeking prospective consent from eligible students for the
disclosure of personally identifiable information or from having a
policy for obtaining consent for disclosure on a case-by-case basis.
However, FERPA does not require that a postsecondary institution
disclose information to any party except to the eligible student, even
if the student has consented to the disclosure. Thus, the Secretary
does not have the statutory authority to require school officials to
disclose information from a student's education records in compliance
with a consent signed by the student or to otherwise require the
institution to contact a family member.
Changes: None.
(e) Treatment Records
Comment: A commenter stated that while the amendments to Sec.
99.36 provide needed clarification about when an educational agency or
institution may disclose students' education records to avert tragedies
like the one at Virginia Tech in April 2007, the NPRM did not provide
clarity on the issue of information sharing between on-campus and off-
campus health care providers. The commenter also noted that the
Virginia Tech Review Panel recommended that Congress amend FERPA to
explain how Federal privacy laws apply to medical records held for
treatment purposes and that the NPRM did not provide that clarity.
Another commenter stated that if information about a student
related to a health or safety emergency is part of the treatment
records maintained by a university's health clinic, the treatment
records should be treated like education
[[Page 74840]]
records so that they may be disclosed under the health and safety
emergency exception. A commenter asked that the Department clarify that
college health and mental health records are not education records
under FERPA and must be treated like other health and mental health
records in other settings.
Discussion: While we have carefully considered the comments
concerning ``treatment records,'' the Secretary does not believe that
it is necessary to amend the regulations to provide clarification on
the handling of health and medical records. The Departments of
Education and Health and Human Services have issued joint guidance that
explains the relationship between FERPA and the HIPAA Privacy Rule. The
guidance addresses this issue for these records at the elementary and
secondary levels, as well as at the postsecondary level. The joint
guidance, which is on the Web sites of both agencies, addresses many of
the questions raised by school administrators, health care
professionals, and others as to how these two laws apply to records
maintained on students. It also addresses certain disclosures that are
allowed without consent or authorization under both laws, especially
those related to health and safety emergency situations. The guidance
can be found here: http://www.ed.gov/policy/gen/guid/fpco/index.html.
As discussed elsewhere in this preamble with respect to Sec.
99.31(a)(2), while ``treatment records'' are excluded from the
definition of education records under FERPA, if an eligible student's
treatment records are used for any purpose other than the student's
treatment, or if a school wishes to disclose the treatment records for
any purpose other than the student's treatment, they may only be
disclosed as education records subject to FERPA requirements.
Therefore, an eligible student's treatment records may be disclosed to
any party, without consent, as long as the disclosure meets one of the
exceptions to FERPA's general consent rule. See 34 CFR 99.31. One of
the permitted disclosures under this section is the ``health or safety
emergency'' exception.
Changes: None.
Identification and Authentication of Identity (Sec. 99.31(c))
Comment: Several commenters supported our proposal to require
educational agencies and institutions to use reasonable methods to
identify and authenticate the identity of parents, students, school
officials, and any other parties to whom the agency or institution
discloses personally identifiable information from education records.
One commenter supported the provision but advocated requiring the use
of two-factor identification for information that could be used to
commit identity theft and financial fraud. (Two-factor identification
requires the use of two methods to authenticate identity, such as
fingerprint identification in addition to a PIN.)
One commenter said that the identification and authentication
requirement will help protect students affected by domestic violence
who are living in substitute care situations. The commenter noted that
many parents in situations involving domestic violence do not have
photo identification (ID) and would be unable to meet a requirement to
provide photo ID in order to access their children's education records.
One commenter strongly supported the proposed amendment and said it
will be valuable in aiding the privacy and protection of homeless
children. Another commenter questioned whether the identification and
authentication requirement is necessary for staff of large school
districts with centralized offices.
One commenter did not support the proposed regulation stating that
it will be an additional burden on school districts. The commenter
agreed with our statement in the preamble to the NPRM that the
regulations should permit districts to determine their own methods of
identification and authentication. However, the commenter stated that
districts should not be required to have a sliding scale of control
based on the level of potential threat and harm and that it would not
be practical to give every person requesting access to education
records a PIN or similar method of authentication. For example, the
commenter stated that parents might be provided with a PIN, but
districts would not want to provide a PIN to a reporter or other third
party. The commenter requested additional examples of how districts may
authenticate requests received by phone or e-mail. The commenter also
stated that districts are sometimes concerned that government-issued
photo IDs are fraudulent. As a result, the group requested that the
Department adopt a ``safe harbor'' provision that requiring a
government-issued photo ID for in-person requests is reasonable.
One commenter expressed concern that the proposed regulations were
too restrictive and could be too complex to administer, and that this
would cause an institution to choose not to transfer information even
though it is permitted to do so. This commenter asked whether the
Department will accept an institution's efforts at compliance as
sufficient without examining the effectiveness of those efforts.
Discussion: The identification and authentication methods discussed
in the NPRM (73 FR 15585) are intended as examples and should not be
considered to be exhaustive. Because there are many methods available
to provide secure authentication of identity, and as more methods
continue to be developed, we do not think it appropriate at this time
to require the use of two-factor authentication as requested by the
commenter. Two-factor authentication can be expensive and cumbersome,
and we believe that each educational agency or institution should
decide whether to use its resources to implement a two-factor
authentication method or another reasonable method to ensure that
education records are disclosed only to an authorized party. The
comment that a portion of the population will be disadvantaged if only
photo ID is permitted to authenticate identity confirms that we need to
retain flexibility in the regulations.
We do not agree that certain types of staff should be excepted from
the identification and authentication requirement. All staff members,
whether in a centralized office, or in separate administrative offices
throughout a school system, must be cognizant of and responsible for
complying with identification and authentication requirements.
Due to the differences in size, complexity, and access to
technology, we believe that educational agencies and institutions
should have the flexibility to decide the methods for identification
and authentication of identity best suited to their own circumstances.
The regulatory requirement is that agencies and institutions use
``reasonable'' methods to identify and authenticate identity when
disclosing personally identifiable information from education records.
``Effectiveness'' is certainly one measure, but not necessarily a
dispositive measure, of whether the methods used by an agency or
institution are ``reasonable''. As we explained in the NPRM, an agency
or institution is not required to eliminate all risk of unauthorized
disclosure of education records but to reduce that risk to a level
commensurate with the likely threat and potential harm. 73 FR 15585.
Further in that regard, we note that a ``sliding scale'' of
protection is not mandated per se. However, it may not be
``reasonable'' to use the same
[[Page 74841]]
methods to protect students' SSNs or credit card numbers from
unauthorized access and disclosure that are used to protect students'
names and other directory information. We believe that a PIN process
could be useful to provide access to education records for parties,
such as parents, students, or school officials, but that it would not
generally be useful for providing records to outside parties, such as
reporters or parties seeking directory information. While the use of
government-issued photo ID may be a reasonable method to authenticate
identity, depending on the circumstances and the information being
released, we are unable to conclude at this time that it is
sufficiently secure to constitute a safe harbor for meeting this
requirement.
Changes: None.
Enforcement (Sec. 99.64)
(a) Sec. 99.64(a)
Comment: One commenter supported our proposal to amend Sec.
99.64(a) to provide that a complaint submitted to FPCO does not have to
allege that a violation or failure to comply with FERPA is based on a
policy or practice of the agency or institution. The commenter stated
that parents often are not aware of legal and technical criteria, and
complaints filed by parents should not be subject to technical rules
typically applied to filings made by attorneys.
Another commenter did not support the proposed amendment and asked
several questions concerning the effects of the change. The commenter
asked whether this provision means that the Office will investigate an
allegation concerning a single and perhaps unintentional action not
related to a policy or practice of the institution. The commenter also
asked whether such an investigation could result in a finding of a
violation if the finding is not based on an institution's policy or
practice, and what enforcement actions can be taken in those
circumstances. The commenter suggested that we modify the regulations
to provide that, for complaints not alleging a violation based on an
institution's policy or practice, the Office will undertake an
investigation only when it determines that the allegations are of a
sufficiently serious nature to warrant an inquiry.
Discussion: The changes we proposed in this section were intended
to clarify that it is sufficient for a complaint to allege that an
educational agency or institution violated a requirement of FERPA, and
that a complaint does not need to allege that the violation is a result
of a policy or practice of an agency or institution in order for the
Office to investigate the complaint.
We explain in our discussion of the proposed changes to Sec. 99.67
that the Secretary must find that an educational agency or institution
has a policy or practice in violation of the non-disclosure
requirements in FERPA before seeking to withhold, terminate, or recover
program funds for that violation. However, FPCO is not limited to
investigating complaints and finding that an educational agency or
institution violated FERPA only if the allegations and findings are
based on a policy or practice of an educational agency or institution.
Moreover, we do not agree that only conduct that involves a policy
or practice or that affects multiple students is serious enough to
warrant an investigation of the allegations. An educational agency or
institution may not even be aware of FERPA violations committed by its
own school officials until the Office investigates an allegation of
misconduct. These kinds of investigations often serve the very
important purpose of helping ensure that single instances of misconduct
do not become policies or practices of an agency or institution.
Further, while an agency or institution may not think that a single,
unintentional violation of FERPA is significant, it is often considered
serious by the parent or student affected by the violation.
Therefore, consistent with its current practice, the Office may
find that an educational agency or institution violated FERPA without
also finding that the violation was based on a policy or practice. Note
that under Sec. Sec. 99.66(c) and 99.67, the Office may not take any
enforcement action against an agency or institution that has violated
FERPA until it provides the agency or institution with a reasonable
period of time to come into compliance voluntarily.
Changes: None.
(b) Sec. 99.64(b)
Comment: A number of commenters supported proposed Sec. 99.64(b),
which provided that the Office may investigate a possible FERPA
violation even if it has not received a timely complaint from a parent
or student or if a valid complaint is subsequently withdrawn. Several
of these commenters stated that it is appropriate and important to
permit persons who are not parents or eligible students, but who have
knowledge of potential FERPA violations, to provide this information to
the Office for consideration of a possible investigation.
Several commenters objected to the proposed change. One commenter
expressed serious concern that the regulations will greatly expand the
authority of the Office to investigate any potential FERPA violation,
even when no complaint is filed or when a complaint has been withdrawn.
In particular, the commenter stated that an institution would not have
an opportunity to review and respond to specific allegations when the
investigation does not concern a particular complaint.
Another commenter asserted that the Department has not demonstrated
why the proposed amendment is necessary. The commenter said that unless
there is evidence of a widespread problem, the proposed change will
increase university costs in responding to investigations without a
corresponding benefit to the public.
Another commenter said that the Office should not investigate
allegations that are not filed by a parent or eligible student because
an institution must know the name of the filing party and the specific
circumstances of the allegation in order to properly defend its
actions. The commenter said that it should not be unnecessarily
burdened by an investigation by the Office when it has already dealt
with the situation to the satisfaction of the affected student, and
that any student who is not satisfied with the institution's efforts
retains the ability to file a complaint. The commenter also noted that
a complaint filed by an affected student has more credibility than
allegations made by other parties. The commenter was concerned that
accepting information from other parties could result in filings from
persons with grievances unrelated to FERPA, such as a disgruntled
employee, or an applicant rejected for admission, or a parent or
eligible student who missed a filing deadline of some kind.
One commenter said that the proposed change would result in an
ineffective use of the limited resources of the Office because it would
be investigating allegations that may not have a sufficient basis.
Discussion: We proposed the changes to Sec. 99.64(b) to clarify
that the Office may initiate its own investigation that an educational
agency or institution has violated FERPA. (The amendment also clarifies
that if the Office determines that an agency or institution violated
FERPA, it may also determine whether the violation was based on a
policy or practice of the agency or institution.)
Our experience has shown that sometimes FERPA violations are
brought to the attention of the Office by
[[Page 74842]]
school officials, officials in other schools, or by the media. It is
important that the Office have authority to investigate allegations of
non-compliance in these situations. Consistent with its current
practice, a notice of investigation issued by the Office will provide
sufficient and specific factual information to permit the agency or
institution to adequately investigate and respond to the allegations,
whether or not the investigation is based on a complaint by a parent or
eligible student.
We do not agree that allowing the Office to initiate its own
investigations of possible FERPA violations will lead to abuses of the
process by persons seeking to redress other grievances with an
institution. The Office will continue to be responsible for evaluating
the validity of the information and allegations that come to its
attention by means other than a valid complaint and determining whether
to initiate an investigation. We do not anticipate that the Office will
initiate an investigation of every allegation or information it
receives. We believe, however, that it is important that the Office be
able to investigate any violation of FERPA for which it receives
notice. As stated in the NPRM, 73 FR 15591, the Department is not
seeking to expand the scope of FERPA investigations beyond the current
practices of the Office.
Changes: None.
(c) Sec. 99.66
Comment: We received one comment on the proposed change to Sec.
99.66(c), which allows but does not require FPCO to make a finding that
an educational agency or institution has a policy or practice in
violation of a FERPA requirement when the Office issues a notice of
findings in Sec. 99.66(b). The commenter stated that its review of
FERPA and the Supreme Court decision in Gonzaga University v. Doe, 536
U.S. 273 (2002) (Gonzaga), indicates that the Office may not issue a
finding of a violation of FERPA and require corrective action or take
any enforcement action without also finding that the violation
constituted a policy or practice of the agency or institution.
Discussion: We explain in the discussion of the changes to Sec.
99.67 that there are circumstances in which the Office would be
required to find that an educational agency or institution has a policy
or practice in violation of a FERPA requirement before taking certain
enforcement actions, such as an action to terminate funding for a
violation of the non-disclosure requirements, 20 U.S.C. 1232g(b)(1) and
(b)(2) and 34 CFR 99.30. However, the Office is not required to find a
policy or practice in violation of FERPA before issuing a notice of
findings or taking other kinds of enforcement actions.
Changes: None.
(d) Sec. 99.67
Comment: One commenter supported the clarification in proposed
Sec. 99.67 that the Office may not seek to withhold payments,
terminate eligibility for funding, or take certain other enforcement
actions unless it determines that the educational agency or institution
has a policy or practice that violates FERPA. Another commenter
expressed general support for the proposed change, including the
clarification that the Secretary may take any legally available
enforcement action, in addition to those specifically listed in the
current regulations. The commenter expressed concern, however, that the
penalties are not severe enough to effectively discourage unintentional
or willful violations by third parties, particularly in areas of
research and data sharing with outside parties.
Another commenter expressed concern that the proposed amendment
would unnecessarily broaden the enforcement options available to the
Secretary. The commenter stated that educational agencies and
institutions will not be able to assess the risks and consequences
associated with their actions without a limitation on the range of
enforcement actions available to the Department when a violation of
FERPA is found.
One commenter asked the Department to clarify that all methods of
enforcing FERPA that are contained in the current regulations will be
retained in the final regulations. The commenter said that the proposed
regulations in the NPRM (73 FR 15602) appear to remove the Secretary's
ability to terminate funding.
Discussion: We explained in the preamble to the NPRM (73 FR 15592)
that there were two reasons for the proposed changes to Sec. 99.67(a).
One was the need to clarify that the Secretary may take any enforcement
action that is legally available and is not limited to those specified
under the current regulations, i.e., withholding further payments under
any applicable program; issuing a complaint to compel compliance
through a cease-and-desist order; or terminating eligibility to receive
funding under any applicable program. Other actions the Secretary may
take to enforce FERPA include entering into a compliance agreement
under 20 U.S.C. 1234f and seeking an injunction.
This change to Sec. 99.67(a) does not broaden the Secretary's
enforcement options, as suggested by one commenter. The General
Education Provisions Act (GEPA) provides the Secretary with the
authority to take certain enforcement actions to address violations of
statutory and regulatory requirements, including general authority to
``take any other action authorized by law with respect to the
recipient.'' 20 U.S.C. 1234c(a)(4). The change to Sec. 99.67(a) simply
includes, for purposes of clarity, the Secretary's existing authority
under GEPA to take any legally available action to enforce FERPA
requirements. (We note that before taking enforcement action the Office
must determine that the educational agency or institution is failing to
comply substantially with a FERPA requirement and provide it with a
reasonable period of time to comply voluntarily. See 20 U.S.C.
1234c(a); 20 U.S.C. 1232g(f); and 34 CFR 99.66(c).)
We also proposed to amend Sec. 99.67(a) to clarify that the Office
may issue a notice of violation for failure to comply with specific
FERPA requirements and require corrective actions but may not seek to
terminate eligibility for funding, withhold payments, or take other
enforcement actions unless the Office determined that an agency or
institution has a policy or practice in violation of FERPA requirements
(73 FR 15592). Upon further review, we have decided not to adopt this
particular change because we believe it limits the Secretary's
enforcement authority in a manner that is not legally required.
In support of its holding in Gonzaga that FERPA's non-disclosure
provisions do not create rights that are enforceable under 42 U.S.C.
1983, the Court observed that FERPA provides that no funds shall be
made available to an educational agency or institution that has a
policy or practice of disclosing education records in violation of
FERPA requirements. 536 U.S. at 288; see also 20 U.S.C. 1232g(b)(1) and
(b)(2); 34 CFR 99.30. As such, the statute and Gonzaga decision suggest
that with respect to violations of FERPA's non-disclosure requirements,
the Secretary must find that an educational agency or institution has a
policy or practice in violation of FERPA requirements before taking
actions to terminate, withhold, or recover funds for those violations.
However, there is no requirement under the statute (or the Gonzaga
decision) for the Secretary to find a policy or practice in violation
of FERPA requirements on the part of an educational agency or
institution before taking other kinds of enforcement actions for
violations of the non-disclosure requirements, such as
[[Page 74843]]
seeking an injunction or a cease-and-desist order. We note also that
the Gonzaga opinion does not address violations of other FERPA
requirements, such as parents' right to inspect and review their
children's education records and the requirement that educational
agencies and institutions afford parents an opportunity for a hearing
to challenge the content of a student's education records under certain
circumstances, which do not contain the same ``policy or practice''
language as the non-disclosure requirements. Because we did not address
enforcement of these other FERPA requirements in the NPRM, we have
decided not to address in the final regulations limitations or
pre-conditions that apply solely to actions to terminate, withhold, or
recover program funds for violations of the non-disclosure
requirements.
In response to the comment that the available penalties are not
severe enough to discourage FERPA violations, we note that the
Secretary has authority to terminate, withhold, and recover program
funds and take other enforcement actions in accordance with part E of
GEPA. The Secretary may not increase penalties beyond those authorized
under FERPA and GEPA. Further, the regulations do not remove the
Secretary's authority to terminate eligibility for program funding or
any other enforcement authority. The changes noted by the commenter who
was concerned that the proposed regulations removed the Secretary's
authority to terminate funding were corrections to punctuation and
formatting only, not substantive changes.
Changes: We have removed the language in Sec. 99.67(a) that
requires the Office to determine that an educational agency or
institution has a policy or practice in violation of FERPA requirements
before taking any enforcement action.
Department Recommendations for Safeguarding Education Records
Comment: We received a few comments on the recommendations for
safeguarding education records included in the NPRM. One commenter
expressed concern that schools and school districts should exercise
enhanced security for the records of children receiving special
education services. According to the commenter, these children often
have a large number of records and may receive services from a variety
of providers, which can add to the challenge of ensuring that
appropriate privacy controls are used.
One commenter supported the safeguarding recommendations and
suggested that we revise the recommendations to list non-Federal
government sources providing guidance on methods for safeguarding
education records. Another commenter supported the recommendations, but
suggested that the regulations should require that a parent or eligible
student receive notification of an unauthorized release or theft of
information.
Discussion: The comments on the records of students who receive
special education services illustrate the necessity for educational
agencies and institutions to ensure that adequate controls are in place
so that the education records of all students are handled in accordance
with FERPA's privacy protections. The safeguarding recommendations that
we provided in the NPRM, and are repeated in these final regulations,
are intended to provide agencies and institutions additional
information and resources to assist them in meeting this
responsibility. In addition, educational agencies and institutions
should refer to the protections required under Sec. 300.623 of the
confidentiality of information requirements in Part B of the IDEA, 34
CFR 300.623 (Safeguards).
We acknowledge that there are many sources available concerning
information security technology and processes. The Department does not
wish to appear to endorse the information or product of any company or
organization; therefore, we have included only Federal government
sources in this notice.
The Department does not have the authority under FERPA to require
that agencies or institutions issue a direct notice to a parent or
student upon an unauthorized disclosure of education records. FERPA
only requires that the agency or institution record the disclosure so
that a parent or student will become aware of the disclosure during an
inspection of the student's education record.
Changes: None.
We are republishing here, for the administrative convenience of
educational agencies and institutions and other parties, the Department
Recommendations for Safeguarding Education Records that were published
in the preamble to the NPRM (73 FR 15598-15599):
The Department recognizes that agencies and institutions face
significant challenges in safeguarding educational records. We are
providing the following information and recommendations to assist
agencies and institutions in meeting these challenges.
As noted elsewhere in this document, FERPA provides that no funds
administered by the Secretary may be made available to any educational
agency or institution that has a policy or practice of releasing,
permitting the release of, or providing access to personally
identifiable information from education records without the prior
written consent of a parent or eligible student except in accordance
with specified exceptions. In light of these requirements, the
Secretary encourages educational agencies and institutions to utilize
appropriate methods to protect education records, especially in
electronic data systems.
In recent years the following incidents have come to the
Department's attention:
* Students' grades or financial information, including SSNs,
  have been posted on publicly available Web servers;
* Laptops and other portable devices containing similar
  information from education records have been lost or stolen;
* Education records, or devices that maintain education
  records, have not been retrieved from school officials upon termination
  of their employment or service as a contractor, consultant, or
  volunteer;
* Computer systems at colleges and universities have become
  favored targets because they hold many of the same records as banks but
  are much easier to access. See ``College Door Ajar for Online
  Criminals'' (May 2006), available at http://www.uh.edu/ednews/2006/latimes/200605/20060530hackers.html, and July 10, 2006, Viewpoint in
  Business Week/Online available at http://www.businessweek.com/technology/content/jul2006/tc20060710_558020.htm;
* Nearly 65 percent of postsecondary educational
  institutions identified theft of personal information (SSNs,
  credit/debit/ATM card, account or PIN numbers, etc.) as a high risk area. See
  Table 7, Perceived Risks at http://www.educause.edu/ir/library/pdf/ecar_so/ers/ers0606/Ekf0606.pdf; and
* In December 2006, a large postsecondary institution
  alerted some 800,000 students and others that the campus computer
  system containing their names, addresses, and SSNs had been
  compromised.
The Department's Office of Inspector General (OIG) noted in Final
Inspection Alert Memorandum dated February 3, 2006, that the Privacy
Rights Clearinghouse reported that between February 15, 2005, and
November 19, 2005, there were 93 documented computer breaches of
electronic files
[[Page 74844]]
involving personal information from education records such as SSNs,
credit card information, and dates of birth. According to the reported
data, 45 percent of these incidents have occurred at colleges and
universities nationwide. OIG expressed concern that student information
may be compromised due to a failure to implement or administer proper
security controls for information systems at postsecondary
institutions.
The Department recognizes that no system for maintaining and
transmitting education records, whether in paper or electronic form,
can be guaranteed safe from every hacker and thief, technological
failure, violation of administrative rules, and other causes of
unauthorized access and disclosure. Although FERPA does not dictate
requirements for safeguarding education records, the Department
encourages the holders of personally identifiable information to
consider actions that mitigate the risk and are reasonably calculated
to protect such information. Of course, an educational agency or
institution may use any method, combination of methods, or technologies
it determines to be reasonable, taking into consideration the size,
complexity, and resources available to the institution; the context of
the information; the type of information to be protected (such as
social security numbers or directory information); and methods used by
other institutions in similar circumstances. The greater the harm that
would result from unauthorized access or disclosure and the greater the
likelihood that unauthorized access or disclosure will be attempted,
the more protections an agency or institution should consider using to
ensure that its methods are reasonable.
One resource for administrators of electronic data systems is ``The
National Institute of Standards and Technology (NIST) 800-100,
Information Security Handbook: A Guide for Managers'' (October 2006).
See http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf. A second resource is NIST 800-53, Information Security, which
catalogs information security controls. See http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf.
Similarly, a May 22, 2007, memorandum to heads of Federal agencies from
the Office of Management and Budget requires executive departments and
agencies to ensure that proper safeguards are in place to protect
personally identifiable information that they maintain, eliminate the
unnecessary use of SSNs, and develop and implement a ``breach
notification policy.'' This memorandum, although directed towards
Federal agencies, may also serve as a resource for educational agencies
and institutions. See http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.
Finally, if an educational agency or institution has experienced a
theft of files or computer equipment, hacking or other intrusion,
software or hardware malfunction, inadvertent release of data to
Internet sites, or other unauthorized release or disclosure of
education records, the Department suggests consideration of one or more
of the following steps:
* Report the incident to law enforcement authorities.
* Determine exactly what information was compromised, i.e.,
  names, addresses, SSNs, ID numbers, credit card numbers, grades, and
  the like.
* Take steps immediately to retrieve data and prevent any
  further disclosures.
* Identify all affected records and students.
* Determine how the incident occurred, including which
  school officials had control of and responsibility for the information
  that was compromised.
* Determine whether institutional policies and procedures
  were breached, including organizational requirements governing access
  (user names, passwords, PINs, etc.); storage; transmission; and
  destruction of information from education records.
* Determine whether the incident occurred because of a lack
  of monitoring and oversight.
* Conduct a risk assessment and identify appropriate
  physical, technological, and administrative measures to prevent similar
  incidents in the future.
* Notify students that the Department's Office of Inspector
  General maintains a Web site describing steps students may take if they
  suspect they are a victim of identity theft at http://www.ed.gov/about/offices/list/oig/misused/idtheft.html; and http://www.ed.gov/about/offices/list/oig/misused/victim.html.
FERPA does not require an educational agency or institution to
notify students that information from their education records was
stolen or otherwise subject to an unauthorized release, although it
does require the agency or institution to maintain a record of each
disclosure. 34 CFR 99.32(a)(1). (However, student notification may be
required in these circumstances for postsecondary institutions under
the Federal Trade Commission's Standards for Insuring the Security,
Confidentiality, Integrity and Protection of Customer Records and
Information (``Safeguards Rule'') in 16 CFR part 314.) In any case,
direct student notification may be advisable if the compromised data
includes student SSNs and other identifying information that could lead
to identity theft.
Executive Order 12866
Under Executive Order 12866, the Secretary must determine whether
this regulatory action is ``significant'' and therefore subject to the
requirements of the Executive Order and subject to review by OMB.
Section 3(f) of Executive Order 12866 defines a ``significant
regulatory action'' as an action likely to result in a rule that may
(1) have an annual effect on the economy of $100 million or more, or
adversely affect a sector of the economy, productivity, competition,
jobs, the environment, public health or safety, or State, local or
tribal governments, or communities in a material way (also referred to
as an ``economically significant'' rule); (2) create serious
inconsistency or otherwise interfere with an action taken or planned by
another agency; (3) materially alter the budgetary impacts of
entitlement grants, user fees, or loan programs or the rights and
obligations of recipients thereof; or (4) raise novel legal or policy
issues arising out of legal mandates, the President's priorities, or
the principles set forth in the Executive order. The Secretary has
determined that this regulatory action is significant under section
3(f)(4) of the Executive order.
1. Summary of Public Comments
The Department did not receive any comments on the analysis of the
costs and benefits in the NPRM. However, since the publication of the
NPRM, we have identified several information collection requirements
that were not identified in the NPRM. We have added discussions of the
costs and benefits of two information collection requirements in the
following Summary of Costs and Benefits.
2. Summary of Costs and Benefits
Following is an analysis of the costs and benefits of the most
significant changes to the FERPA regulations. In conducting this
analysis, the Department examined the extent to which the regulations
add to or reduce the costs of educational agencies and institutions
and, where appropriate, State educational agencies (SEAs) and other
State and local educational authorities in relation to their costs of
complying with the FERPA regulations prior to these changes.
[[Page 74845]]
This analysis is based on data from the most recent Digest of
Education Statistics (2007) published by the National Center for
Education Statistics (NCES), which projects total enrollment for Fall
2008 of 49,812,000 students in public elementary and secondary schools
and 18,264,000 students in postsecondary institutions; and a total of
97,382 public K-12 schools; 14,166 school districts; and 6,463
postsecondary institutions. (Excluded are data from private
institutions that do not receive Federal funding from the Department
and, therefore, are not subject to FERPA.) Based on this analysis, the
Secretary has concluded that the changes in these regulations will not
impose significant net costs on educational agencies and institutions.
Analyses of specific provisions follow.
Alumni Records
The regulations in Sec. 99.3 clarify the current exclusion from
the definition of education records for records that only contain
information about an individual after he or she is no longer a student,
which is intended to cover records of alumni and similar activities.
Some institutions have applied this exclusion to records that are
created after a student has ceased attending the institution but that
are directly related to his or her attendance as a student, such as
investigatory reports and settlement agreements about incidents and
injuries that occurred during the student's enrollment. The amendment
will clarify that this provision applies only to records created or
received by an educational agency or institution after an individual is
no longer a student in attendance and that are not directly related to
the individual's attendance as a student.
We believe that most of the more than 103,845 K-12 schools and
postsecondary institutions subject to FERPA already adhere to this
revised interpretation in the regulations and that for those that do
not, the number of records affected is likely to be very small.
Assuming that each year one half of one percent of the 68.1 million
students enrolled in these institutions have one record each affected
by the change, in the year following issuance of the regulations
institutions will be required to try to obtain written consent before
releasing 350,380 records that they would otherwise release without
consent. We estimate that for the first year contacting the affected
parent or student to seek and process written consent for these
disclosures will take approximately one-half hour per record at an
average cost of $32.67 per hour for a total cost of $5,562,068.
(Compensation for administrative staff time is based on published
estimates for 2005 from the Bureau of Labor Statistics' National
Compensation Survey of $23.50 per hour plus an average 39 percent
benefit load for Level 8 administrators in education and related
fields.)
In terms of benefits, the change will protect the privacy of
parents and students by clarifying the intent of this regulatory
exclusion and help prevent the unlawful disclosure of these records. It
will also provide greater legal certainty and therefore some cost
savings for those agencies and institutions that may be required to
litigate this issue in connection with a request under a State open
records act or other legal proceeding. For these reasons, we believe
that the overall benefits outweigh the potential costs of this change.
Exclusion of SSNs and ID Numbers From Directory Information
The proposed regulations in Sec. 99.3 clarified that a student's
SSN or student ID number is personally identifiable information that
may not be disclosed as directory information under FERPA. The final
regulations allow an educational agency or institution to designate and
disclose student ID numbers as directory information if the number
cannot be used by itself to gain access to education records, i.e., it
is used like a name. SSNs may never be disclosed as directory
information.
The principal effect of this change is that educational agencies
and institutions may not post grades by the student's SSN or non-
directory student ID number and may not include these identifiers with
directory information they disclose about a student, such as a
student's name, school, and grade level or class, on rosters, or on
sign-in sheets that are made available to students and others.
(Educational agencies and institutions may continue to include SSNs and
non-directory student ID numbers on class rosters and schedules that
are disclosed only to teachers and other school officials who have
legitimate educational interests in this information.)
A class roster or sign-in sheet that contains or requires students
to affix their SSN or non-directory student ID number makes that
information available to every individual who signs in or sees the
document and increases the risk that the information may be improperly
used for purposes such as identity theft or to find out a student's
grades or other confidential educational information. In regard to
posting grades, an individual who knows which classes a particular
student attends may be able to ascertain that student's SSN or non-
directory student ID number by comparing class lists for repeat
numbers. Because SSNs are not randomly generated, it may be possible to
identify a student by State of origin based on the first three (area)
digits of the number, or by date of issuance based on the two middle
digits.
The Department does not have any actual data on how many class or
test grades are posted by SSN or non-directory student ID number at
this time, but we believe that the practice is rare or non-existent
below the secondary level. Although the practice was once widespread,
particularly at the postsecondary level, anecdotal evidence suggests
that as a result of consistent training and informal guidance by the
Department over the past several years, together with the increased
attention States and privacy advocates have given to the use of SSNs,
many institutions now either require teachers to use a code known only
to the teacher and the student or prohibit the posting of grades
entirely.
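The repeat-number comparison described above can be run as a pre-posting audit. The following is an added illustration, not part of the regulations or of any Department guidance: it flags identifiers that recur across posted class lists and shows that random per-class grading codes remove the recurrence. The class names, ID format, and function names are constructed for the example.

```python
import secrets
from collections import defaultdict

# Constructed sample: grade lists as they would be posted, keyed by class.
# Each row is (identifier printed on the list, grade). All values are made up.
POSTED_BY_STUDENT_ID = {
    "BIO-101": [("S-48213", "B+"), ("S-77120", "A"), ("S-30998", "C")],
    "CHEM-110": [("S-48213", "A-"), ("S-55231", "B"), ("S-30998", "B-")],
    "HIST-205": [("S-48213", "A"), ("S-61007", "B+")],
}


def linkable_identifiers(posted):
    """Return {identifier: [classes]} for identifiers on more than one list.

    Any identifier returned here lets a reader who knows a student's class
    schedule tie that identifier, and every grade posted under it, to the
    student.
    """
    seen = defaultdict(set)
    for course, rows in posted.items():
        for ident, _grade in rows:
            seen[ident].add(course)
    return {ident: sorted(courses)
            for ident, courses in seen.items() if len(courses) > 1}


def issue_grading_codes(posted, code_bytes=4):
    """Issue one random code per (class, student) pair.

    Codes come from the OS CSPRNG and are unique across all classes, so the
    same student never carries the same code on two lists. The mapping must
    be held by the teacher and given to each student individually.
    """
    used = set()
    codes = {}
    for course, rows in posted.items():
        for ident, _grade in rows:
            code = secrets.token_hex(code_bytes)
            while code in used:  # regenerate on the rare collision
                code = secrets.token_hex(code_bytes)
            used.add(code)
            codes[(course, ident)] = code
    return codes


def repost_with_codes(posted, codes):
    """Rebuild each list with per-class codes in place of the identifier.

    Rows are sorted by code so the posted order does not mirror roster order
    (an alphabetical roster would otherwise hint at who is on which row).
    """
    return {
        course: sorted((codes[(course, ident)], grade) for ident, grade in rows)
        for course, rows in posted.items()
    }


if __name__ == "__main__":
    print("Repeat identifiers before:", linkable_identifiers(POSTED_BY_STUDENT_ID))
    grading_codes = issue_grading_codes(POSTED_BY_STUDENT_ID)
    safe_lists = repost_with_codes(POSTED_BY_STUDENT_ID, grading_codes)
    print("Repeat identifiers after: ", linkable_identifiers(safe_lists))
```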
The most recent figures available from the Bureau of Labor
Statistics (2007) indicate that there are approximately 2.7 million
secondary and postsecondary teachers in the United States. As noted
above, we assume that most of these teachers either do not post grades
at all or already use a code known only to the teacher or student. We
assume further that additional costs to deliver grades personally in
the classroom or through electronic mail, instead of posting, will be
minimal. For purposes of this analysis, we estimate that no more than
five percent of 2.7 million, or 135,000 teachers, continue to post
grades by SSN or non-directory student ID number and thus will need to
convert to a code, which will require them to spend an average of one-
half hour each semester establishing and managing grading codes for
students. Since we do not know how many teachers at either education
level will continue to post grades, and wages for postsecondary
teachers are higher than secondary teacher wages, we use postsecondary
teacher wages to ensure that the estimate encompasses the upper limit
of possible costs. Using the Bureau of Labor Statistics' published
estimate of average hourly wages of $42.98 for teachers at
postsecondary institutions and an average 39 percent load for benefits,
we estimate an average cost of $59.74 per teacher per year, for a total
of $8,064,900. Parents and students should incur no costs except for
the time they might have to spend to
[[Page 74846]]
contact the school official if they forget the student's grading code.
This change will benefit parents and students and educational
agencies and institutions by reducing the risk of identity theft
associated with posting grades by SSN, and the risk of disclosing
grades and other confidential educational information caused by posting
grades by a non-directory student ID number. It is difficult to
quantify the value of reducing the risk of identity theft. According to
the Federal Trade Commission, however, for the past few years over one-
third of complaints filed with that agency have been for identity
theft. According to the Better Business Bureau, identity theft cost
businesses nearly $57 billion in 2006, while victims spent an average
of 40 hours resolving identity theft issues. It is even more difficult
to measure the benefits of enhanced privacy protections for student
grades and other confidential educational information from education
records because the value individuals place on the privacy of this
information varies considerably and because we are unable to determine
how often it happens. Therefore, we have no basis to estimate the value
of these enhanced privacy protections in relation to the expected costs
to implement the changes.
Prohibit Use of SSN To Confirm Directory Information
The regulations will prevent an educational agency or institution
(or a contractor providing services for an agency or institution) from
using a student's SSN (or other non-directory information) to identify
the student when releasing or confirming directory information. This
occurs, for example, when a prospective employer or insurance company
telephones an institution or submits an inquiry through the
institution's Web site to find out whether a particular individual is
enrolled in or has graduated from the institution. While this provision
will apply to educational agencies and institutions at all grade
levels, we believe that it will affect mainly postsecondary
institutions because K-12 agencies and institutions typically do not
provide enrollment and degree verification services.
A survey conducted in March 2002 by the American Association of
Collegiate Registrars and Admissions Officers (AACRAO) showed that
nearly half of postsecondary institutions used SSNs as the primary
means to track students in academic databases. Since then, use of SSNs
as a student identifier has decreased significantly in response to
public concern about identity theft. While postsecondary institutions
may continue to collect students' SSNs for financial aid and tax
reporting purposes, many have ceased using the SSN as a student
identifier either voluntarily or in compliance with State laws. Also,
over the past several years the Department has provided training on
this issue and published on the Office Web site a 2004 letter finding a
postsecondary institution in violation of FERPA when its agent used a
student's SSN, without consent, to search its database to verify that
the student had received a degree. www.ed.gov/policy/gen/guid/fpco/ferpa/library/auburnuniv.html. Given these circumstances, we estimate
that possibly one-quarter of the nearly 6,463 postsecondary
institutions in the United States, or 1,616 institutions, may ask a
requester to provide the student's SSN (or non-directory student ID
number) in order to locate the record and respond to an inquiry for
directory information.
Under the regulations an educational agency or institution that
identifies students by SSN (or non-directory student ID number) when
releasing directory information will either have to ensure that the
student has provided written consent to disclose the number to the
requester, or rely solely on a student's name and other properly
designated directory information to identify the student, such as
address, date of birth, dates of enrollment, year of graduation, major
field of study, degree received, etc. Costs to an institution of
ensuring that students have provided written consent for these
disclosures, for example by requiring the requester to fax copies of
each written consent to the institution or its contractor, or making
arrangements to receive them electronically, could be substantial for
large institutions and organizations that utilize electronic
recordkeeping systems. Institutions may choose instead to conduct these
verifications without using SSNs or non-directory student IDs, which
may make it more difficult to ensure that the correct student has been
identified because of the known problems in matching records without
the use of a universal identifier. Increased institutional costs either
to verify that the student has provided consent or to conduct a search
without use of SSNs or non-directory student ID numbers should be less
for smaller institutions, where the chances of duplicate records are
decreased. Parents and students may incur additional costs if an
employer, insurance company, or other requester is unable to verify
enrollment or graduation based solely on directory information, and
written consent for disclosure of the student's SSN or non-directory
student ID number is required. Due to the difficulty in ascertaining
actual costs associated with these transactions, we have no basis to
estimate costs that educational agencies and institutions and parents
and students will incur as a result of this change.
The enhanced privacy protections of this amendment will benefit
students and parents by reducing the risk that third parties will
disclose a student's SSN without consent and possibly confirm a
questionable number for purposes of identity theft. Similarly,
preventing institutions from implicitly confirming a questionable non-
directory student ID number will help prevent unauthorized individuals
from obtaining confidential information from education records. In
evaluating the benefits or value of this change, we note that this
provision does not affect any activity that an educational agency or
institution is permitted to perform under FERPA or other Federal law,
such as using SSNs to identify students and confirm their enrollment
status for student loan purposes, which is permitted without consent
under the financial aid exception in Sec. 99.31.
User ID for Electronic Communications
The regulations will allow an educational agency or institution to
disclose as directory information a student's ID number, user ID or
other electronic identifier so long as the identifier functions like a
name; that is, it cannot be used without a PIN, password, or some other
authentication factor to gain access to education records. This change
will impose no costs and will provide benefits in the form of
regulatory relief allowing agencies and institutions to use directory
services in electronic communications systems without incurring the
administrative costs associated with obtaining student consent for
these disclosures.
Costs related to honoring a student's decision to opt out of these
disclosures will be minimal because we assume that only a small number
of students will elect not to participate in electronic communications
at their school. Applying this change to records of both K-12 and
postsecondary students and assuming that one-tenth of one percent of
parents and eligible students will opt out of these disclosures, we
estimate that institutions will have to flag the records of
approximately 68,000 students for opt-out purposes. We lack sufficient
data on costs institutions currently incur to flag records for
[[Page 74847]]
directory information opt-outs for other purposes, so we are unable to
estimate the administrative and information technology costs
institutions will incur to process these new directory information opt-
outs resulting from this change.
Student Anonymity in the Classroom
The final regulations will ensure that parents and students do not
use the right to opt out of directory information disclosures to remain
anonymous in the classroom, by clarifying that opting out does not
prevent disclosure of the student's name, institutional e-mail address,
or electronic identifier in the student's physical or electronic
classroom. We estimate that this change will result in a small net
benefit to educational agencies and institutions because they will have
greater legal certainty about the element of classroom administration,
and it will reduce the institutional costs of responding to complaints
from students and parents about the release of this information.
Disclosing Education Records to New School and to Party Identified as
Source Record
The final regulations in Sec. 99.31(a)(2) will allow an
educational agency or institution to disclose education records, or
personally identifiable information from education records, to a
student's new school even after the student is already attending the
new school so long as the disclosure relates to the student's
enrollment in the new school. This change will provide regulatory
relief by reducing legal uncertainty about how long a school may
continue to send records or information to a student's new school,
without consent, under the ``seeks or intends to enroll'' exception.
The amendment to the definition of disclosure in Sec. 99.3 will
allow a school that has concerns about the validity of a transcript,
letter of recommendation, or other record to return these documents (or
personally identifiable information from these documents) to the
student's previous school or other party identified as the source of
the record in order to resolve questions about their validity. Combined
with the change to Sec. 99.31(a)(2), discussed earlier in this
analysis, this change will also allow the student's previous school to
continue to send education records, or clarification about education
records, to the student's new school in response to questions about the
validity or meaning of records sent previously by that party. We are
unable to determine how much it will cost educational agencies and
institutions to return potentially fraudulent documents to the party
identified as the sender because we do not have any basis for
estimating how often this occurs. However, we believe that these
changes will provide significant regulatory relief to educational
agencies and institutions by helping to reduce transcript and other
educational fraud based on falsified records.
Outsourcing
The regulations in Sec. 99.31(a)(1)(i) will allow educational
agencies and institutions to disclose education records, or personally
identifiable information from education records, without consent to
contractors, volunteers, and other non-employees performing
institutional services and functions as school officials with
legitimate educational interests. An educational agency or institution
that uses non-employees to perform institutional service and functions
will have to amend its annual notification of FERPA rights to include
these parties as school officials with legitimate educational
interests.
This change will provide regulatory relief by permitting, and
clarifying the conditions for, non-consensual disclosure of education
records. Our experience suggests that virtually all of the more than
103,000 schools subject to FERPA will take advantage of this provision.
We have no actual data on how many school districts publish annual
FERPA notifications for the 97,382 K-12 public schools included in this
total and, therefore, how many entities will be affected by this
requirement. However, because educational agencies and institutions
were already required under previous regulations to publish a FERPA
notification annually, we believe that costs to include this new
information will be minimal.
Access Control and Tracking
The regulations in Sec. 99.31(a)(1)(ii) will require an
educational agency or institution to use reasonable methods to ensure
that teachers and other school officials obtain access to only those
education records in which they have legitimate educational interests.
This requirement will apply to records in any format, including
computerized or electronic records and paper, film, and other hard copy
records. An educational agency or institution that chooses not to
restrict access to education records with physical or technological
controls, such as locked cabinets and role-based software security,
must ensure that its administrative policy for controlling access is
effective and that it remains in compliance with the legitimate
educational interest requirement.
Administrative experience has shown that schools that allow
teachers and other school officials to have unrestricted access to
education records tend to have more problems with unauthorized
disclosures, such as school officials obtaining access to education
records for personal rather than professional reasons. Preventing
unrestricted access to education records by teachers and other school
officials will benefit parents and students by helping to ensure that
education records are used only for legitimate educational purposes. It
will also help ensure that education records are not accessed or
disclosed inadvertently.
Information gathered by the Director of the Office at numerous
FERPA training sessions and seminars, along with recent discussions
with software vendors and educational organizations, indicates that the
vast majority of mid- and large-size school districts and postsecondary
institutions currently use commercial software for student information
systems. These systems generally include role-based security features
that allow administrators to control access to specific records,
screens, or fields according to a school official's duties and
responsibilities. These systems also typically contain transactional
logging features that document or track a user's actual access to
particular records, which will help ensure that an agency's or
institution's access control methods are effective. Educational
agencies and institutions that already have these systems will incur no
additional costs to comply with the regulations.
For purposes of this analysis we excluded from a total of 14,166
school districts and 6,463 postsecondary institutions those with more
than 1,000 students, for a total of 6,887 small K-12 districts and
3,906 small postsecondary institutions that may not have software with
access control security features. The discussions that the Director of
the Office has had with numerous SEAs and local districts suggest that
the vast majority of these small districts and institutions do not make
education records available to school officials electronically or by
computer but instead use some system of administrative and physical
controls.
We estimate for this analysis that 15 percent, or 1,619, of these
small districts and institutions use home-built computerized or
electronic systems that may not have the role-based security features
of commercial software. The most recent published estimate we have for
software costs comes from the final
[[Page 74848]]
Standards for Privacy of Individually Identifiable Health Information
under the Health Insurance Portability and Accountability Act of 1996
(HIPAA Privacy Rule) published by the Department of Health and Human
Services (HHS) on December 28, 2000, which estimated that the initial
per-hospital cost of software upgrades to track the disclosure of
medical records would be $35,000 (65 FR 82768). We assume that costs
will be comparable for education records, and, as discussed above,
software that tracks disclosure history can also be used to control or
restrict access to electronic records. Based on these assumptions, if
1,619 small K-12 districts and postsecondary institutions decide to
purchase student information software rather than rely on
administrative policies to comply with the regulations, they will incur
estimated costs of $56,665,000. We estimate that the remaining 9,174
small districts and institutions will not purchase new software because
they do not make education records available electronically and rely
instead on less costly administrative and physical methods to control
access to records by school officials. Those that provide school
officials with open access to hard copy education records may incur new
costs to track actual disclosures to help ensure that they remain in
compliance with legitimate educational interests requirements. We
assume that these districts and institutions may devote some additional
administrative staff time to procedures such as keeping logs of school
officials who access records. However, no reliable estimates exist for
the average number of teachers and other school officials who access
education records or the number of times access is sought, so we are
unable to estimate the cost of restricting or tracking actual
disclosures of hard copy education records to school officials.
Education Research
The regulations in Sec. 99.31(a)(6)(ii)(C) require an educational
agency or institution to enter into a written agreement before
disclosing personally identifiable information from education records,
without consent, to organizations conducting studies for, or on behalf
of, the educational agency or institution to: (a) Develop, validate, or
administer predictive tests; (b) administer student aid programs; or
(c) improve instruction. The written agreement must specify the purpose
or purposes, scope, and duration of the study or studies and the
information to be disclosed, require the organization to conduct the
study in a manner that does not permit personal identification of
parents and students by anyone other than representatives of the
organization with legitimate interests, require the destruction or
return of the information to the educational agency or institution when
the study is completed, and specify the time period for destruction or
return of the information. We believe that the additional cost of
entering into written agreements to comply with this change is unlikely
to be significant because most educational agencies and institutions
already specify the terms under which personally identifiable
information can be used when it is disclosed to organizations for these
types of studies. Although this change will create an additional
information collection requirement, we believe the benefits of the
written agreement outweigh the costs, because it will ensure better
compliance with FERPA and provide clarity for both researchers and
educational agencies and institutions about the restrictions and use of
personally identifiable information disclosed under Sec. 99.31(a)(6)
for studies.
Identification and Authentication of Identity
The regulations in Sec. 99.31(c) require educational agencies and
institutions to use reasonable methods to identify and authenticate the
identity of parents, students, school officials and other parties to
whom the agency or institution discloses personally identifiable
information from education records. The use of widely available
information to authenticate identity, such as the recipient's name,
date of birth, SSN or student ID number, is not considered reasonable
under the regulations.
The regulations will impose no new costs for educational agencies
and institutions that disclose hard-copy records through the U.S.
postal service or private delivery services with use of the recipient's
name and last known official address.
We were unable to find reliable data that would allow us to
estimate the additional administrative time that educational agencies
and institutions will spend checking photo ID against school records or
using other reasonable methods, as appropriate, to identify and
authenticate the identity of students, parents, and other parties to
whom the agency or institution discloses education records in person.
Authentication of identity for electronic or telephonic access to
education records involves a wider array of security options because of
continuing advances in technologies, but is not necessarily more costly
than authentication of identity for hard-copy records. We assume that
educational agencies and institutions that require users to enter a
secret password or PIN to authenticate identity will deliver the
password or PIN through the U.S. postal service or in person. We
estimate that no new costs will be associated with this process because
agencies and institutions already have direct contact with parents,
eligible students, and school officials for a variety of other purposes
and will use these opportunities to deliver a secret authentication
factor.
As noted in the preamble to the NPRM, 73 FR 15585, single-factor
authentication of identity, such as a standard form user name combined
with a secret password or PIN, may not provide reasonable protection
for access to all types of education records or under all
circumstances. We lack a basis for estimating costs of authenticating
identity when educational agencies and institutions allow authorized
users to access sensitive personal or financial information in
electronic records for which single-factor authentication would not be
reasonable.
Redisclosure and Recordkeeping
The regulations allow the officials and agencies listed in Sec.
99.31(a)(3) (the U.S. Comptroller General, the U.S. Attorney General,
the Secretary, and State and local educational authorities) to
redisclose education records, or personally identifiable information
from education records, without consent under the same conditions that
apply currently to other recipients of education records under Sec.
99.33(b). This change provides substantial regulatory relief to these
parties by allowing them to redisclose information on behalf of
educational agencies and institutions under any provision in Sec.
99.31(a), which allows disclosure of education records without consent.
For example, States will be able to consolidate K-16 education records
under the SEA or State higher educational authority without having to
obtain written consent under Sec. 99.30. Parties that currently
request access to records from individual school districts and
postsecondary institutions will in many instances be able to obtain the
same information in a more cost-effective manner from the appropriate
State educational authority or the Department.
In accordance with the current regulations in Sec. 99.32(b), an
educational agency or institution must record any redisclosure of
education records made on its behalf under Sec. 99.33(b), including
the names of the additional parties to
[[Page 74849]]
which the receiving party may redisclose the information and their
legitimate interests or basis for the disclosure without consent under
Sec. 99.31 in obtaining the information. The regulations require SEAs
and other State educational authorities (such as higher education
authorities), the Secretary, and other officials or agencies listed in
Sec. 99.31(a)(3) that make further disclosures on behalf of an
educational agency or institution to maintain the record of
redisclosure required under Sec. 99.32(b) if the educational agency or
institution has not recorded the redisclosure or if the information was
obtained from another State or Federal official or agency listed in
Sec. 99.31(a)(3). The regulations also require the State or Federal
official or agency listed in Sec. 99.31(a)(3) to provide a copy of its
record of redisclosures to the educational agency or institution upon
request. In addition, an educational agency or institution must
maintain with each student's record of disclosures the names of State
and local educational authorities and Federal officials and agencies
that may make further disclosures from the student's records without
consent under Sec. 99.33(b) and must obtain a copy of the record of
redisclosure, if any, maintained by the State or Federal official that
redisclosed information on behalf of the agency or institution.
State educational authorities and Federal officials listed in Sec.
99.31(a)(3) will incur new administrative costs if they maintain the
record of redisclosure for the educational agency or institution on
whose behalf they redisclose education records under the regulations.
We estimate that two educational authorities or agencies in each State
and the District of Columbia (one for K-12 and one for postsecondary)
and the Department itself, for a total of 103 authorities, will
maintain the required records of redisclosures. (We anticipate that
educational agencies and institutions will record under Sec.
99.32(b)(1) any further disclosures made by the other Federal officials
listed in Sec. 99.31(a)(3), the U.S. Comptroller General and the U.S.
Attorney General.) We estimate further that these authorities will need
to record two redisclosures per year from their records and that it
will take one hour of administrative time to record each redisclosure
electronically at an average hourly rate of $32.67, for a total annual
administrative cost of $6,730. (Compensation for administrative staff
time is explained earlier in this analysis.) We also assume for
purposes of this analysis that State educational authorities and the
Department already have software that will allow them to record these
disclosures electronically.
State educational authorities and Federal officials that maintain
records of redisclosures will also have to make that information
available to the educational agency or institution whose records were
redisclosed, upon request, so that the agency or institution can make
that record available to a parent or eligible student who has asked to
inspect and review the student's record of disclosures. We assume that
few parents and students request this information and, therefore, use
an estimate that one tenth of one percent of a total of 68.1 million
students will make such a request each year, or 68,076 requests. If it
takes one-quarter of an hour to locate and print a record of
disclosures at an average administrative hourly rate of $32.67, the
average annual administrative cost for State and Federal officials and
agencies to provide this service will be $556,011, plus mailing costs
(at $.42 per letter) of $28,592, for a total of $584,603. We estimate
that educational agencies and institutions themselves will incur
comparable costs when they ask State and Federal officials to send them
these records of redisclosure and then make them available to parents
and students. We note that printing and mailing costs may be reduced to
the extent that e-mail is used to transmit the record, and if parents
or students pick up the record on-site, but we do not have information
to estimate these potential savings.
The Department believes that these changes will result in a net
benefit to educational agencies and institutions because they will not
have to record further disclosures made by State and Federal
authorities and officials who redisclose information from education
records on their behalf and will not have to ask for a copy unless a
parent or eligible student asks to inspect and review the student's
record of disclosures. State and Federal authorities and officials will
also benefit because they will not have to provide their record of
further disclosures to anyone unless the educational agency or
institution asks for a copy. Overall, the costs to State and Federal
authorities to record their own redisclosures will be offset by the
savings that educational agencies and institutions will realize by not
having to record the disclosures themselves.
Notification of Compliance With Court Order or Subpoena
The regulations in Sec. 99.33(b)(2) require any party that
rediscloses education records in compliance with a court order or
subpoena under Sec. 99.31(a)(9) to provide the notice to parents and
eligible students required under Sec. 99.31(a)(9)(ii). We anticipate
that this provision will affect mostly State and local educational
authorities, which maintain education records they have obtained from
their constituent districts and institutions and, under Sec. 99.35(b),
may redisclose the information, without consent, in compliance with a
court order or subpoena under Sec. 99.31(a)(9).
There is no change in costs as a result of shifting responsibility
for notification to the disclosing party under this change. However, we
believe that minimizing or eliminating uncertainty about which party is
legally responsible for the notification will result in a net benefit
to all parties.
Health or Safety Emergency
The regulations in Sec. 99.32(a)(5) require that a school that
discloses information under the health and safety emergency exception
in Sec. 99.36 record the articulable and significant threat that
formed the basis for the disclosure and the parties to whom the
education records were disclosed. Because Sec. 99.32(a) already
requires schools to record disclosures made under Sec. 99.36,
including the legitimate interests the parties had in requesting or
obtaining the information, we believe these changes will not create any
significant additional administrative costs for schools and that the
benefit of including the legitimate interests the parties had in
requesting or obtaining the information outweighs the costs.
Directory Information Opt Outs
The regulations in Sec. 99.37(b) clarify that while an educational
agency or institution is not required to notify former students under
Sec. 99.37(a) about the institution's directory information policy or
allow former students to opt out of directory information disclosures,
they must continue to honor a parent's or student's decision to opt out
of directory information disclosures after the student leaves the
institution. Most agencies and institutions should already comply with
this requirement because of informal guidance and training provided by
FPCO.
Parents and students will benefit from this clarification because
it will help ensure that schools do not invalidate the parent's or
student's decisions on directory information disclosures after the
student is no longer in attendance. It will also benefit schools by
eliminating any uncertainty they may have about whether they must
continue to honor an opt out once the student is
[[Page 74850]]
no longer in attendance. We have insufficient information to estimate
the number of institutions affected and the additional costs involved
in changing systems to maintain opt-out flags on education records of
former students.
Paperwork Reduction Act of 1995
Following publication of the NPRM, we provided, through a notice
published in the Federal Register (73 FR 28810, May 19, 2008)
opportunity for the public to comment on information collections in the
current regulations, and indicated in that notice the pendency of the
NPRM. Additionally, based on comments received in response to the NPRM,
we have identified several information collection requirements
associated with these regulations. We describe these information
collections in the following paragraphs and will be submitting these
sections to OMB for review and approval. We note that the Paperwork
Reduction Act of 1995 does not require a response to these information
collection requirements unless they display a valid OMB control number.
A valid OMB control number will be assigned to the information
collection requirements at the end of the affected sections of the
regulations.
(1) Sec. 99.31(a)(6)(ii)
FERPA permits an educational agency or institution to disclose
personally identifiable information from education records, without
consent, to organizations conducting studies for or on behalf of the
agency or institution for purposes of testing, student aid, and
improvement of instruction. In the NPRM, we proposed to add Sec.
99.31(a)(6)(ii) to require an educational agency or institution to
disclose personally identifiable information under Sec. 99.31(a)(6)(i)
only if it enters into a written agreement with the organization
specifying the purposes of the study. Under these final regulations,
this written agreement must specify the purpose, scope, and duration of
the study or studies and the information to be disclosed; require the
organization to use personally identifiable information from education
records only to meet the purpose or purposes of the study as stated in
the written agreement; require the organization to conduct the study in
a manner that does not permit personal identification of parents and
students by individuals other than representatives with legitimate
interest of the organization that conducts the study; require the
organization to destroy the information or return to the educational
agency or institution when it is no longer needed for the purposes for
which the study was conducted; and specify the time period for the
destruction or return of the information.
The Department did not identify in the NPRM the requirement in
Sec. 99.31(a)(6)(ii) as an information collection requirement under
the Paperwork Reduction Act of 1995 and did not realize this would be
an information collection requirement until a commenter brought this
matter to our attention. The commenter pointed out that, while this
change created another paperwork burden for school districts, the
commenter did not object to the written agreement requirement because
putting the requirements regarding the use and destruction of data in
writing may improve compliance with FERPA. The Department agrees with
the comment.
(2) Sec. 99.32(a)(1)
Under FERPA, an educational agency or institution is required to
record its disclosures of personally identifiable information from
education records, even when it discloses information to its own State
educational authority. This statutory requirement is reflected in the
current FERPA regulations. The final regulations permit the State and
local educational authorities and Federal officials listed in Sec.
99.31(a)(3) to make further disclosures of personally identifiable
information from education records on behalf of the educational agency
or institution in accordance with the requirements of Sec. 99.33(b)
and require them to record these further disclosures of Sec. 99.33(b)
if the educational agency or institution does not do so. We have
included provisions in the final regulations that require educational
agencies and institutions to maintain a listing in each student's
record of the State and local educational authorities and Federal
officials and agencies that may make further disclosures of the
student's education records without consent so that parents and
eligible students will be made aware of these further disclosures.
(3) Sec. 99.32(a)(4)
Under this new provision, parents and eligible students will be
able to inspect and review any further disclosures that were made by
any of the parties listed under Sec. 99.31(a)(3) by asking the
educational agency or institution to obtain a copy of the record of
further disclosures. We believe that this is only a minor paperwork
burden for schools because it would involve asking officials to whom
they have disclosed education records for the record of further
disclosure or, in the case of some SEAs, accessing the State database
for this information. Also, we do not expect that a large number of
parents and eligible students will ask to see the record of further
disclosures.
(4) Sec. 99.32(a)(5)
During the development of the final regulations, we identified
another change to the recordation requirements of Sec. 99.32 that
would require the collection of information. In response to several
comments we received regarding changes to FERPA's ``health or safety
emergency exception'' in Sec. 99.36, we have amended Sec. 99.32(a) to
include a new recordation requirement. Specifically, we have added a
paragraph to the recordation requirement that requires that for any
disclosures under Sec. 99.36 a school must record the articulable and
significant threat to the health or safety of a student or other
individuals that formed the basis for the disclosure and the parties to
whom the agency or institution disclosed information.
The Secretary believes that this is only a minor paperwork burden
for schools because schools are already required to record disclosures
made under Sec. 99.36. The new language in Sec. 99.32(a)(5) simply
clarifies the type of information that must be recorded when a school
discloses personally identifiable information in response to a health
or safety emergency, either for one student or for all students in a
school.
(5) Sec. 99.32(b)(2)
In the NPRM, we specifically noted that the Department was
interested in relieving any administrative burdens associated with
recording disclosures of education records and, therefore, invited
public comment on whether an SEA, the Department, or other authority or
official listed in Sec. 99.31(a)(3) should be allowed to maintain the
record of the redisclosures it makes on behalf of an educational agency
or institution under Sec. 99.32(b).
Several commenters stated that an SEA (or other authority or
official listed in Sec. 99.31(a)(3)) should be responsible for
maintaining the record of disclosure required under Sec. 99.32 when it
rediscloses information on behalf of educational agencies and
institutions. The commenters stated that requiring each educational
agency or institution, such as school districts, to record each
redisclosure made by an SEA or other State educational authority on its
behalf imposes an unacceptable recordkeeping burden on school districts
and is impractical for State educational authorities to adhere to in
making
[[Page 74851]]
further disclosures on behalf of the agency or institution. In response
to these comments, we are revising Sec. 99.32 to require the State and
local educational authorities and Federal officials listed in Sec.
99.31(a)(3) to maintain the record of further disclosures if the
educational agency or institution does not do so and make it available
to the educational agency or institution upon request. We agree that by
requiring State and Federal authorities and officials to record their
redisclosures in these circumstances school districts will have less
total paperwork burden because schools will not have to comply with the
recordkeeping requirement in these instances.
Assessment of Educational Impact
In the NPRM, and in accordance with section 411 of the General
Education Provisions Act, 20 U.S.C. 1221e-4, we requested comments on
whether the proposed regulations would require transmission of
information that any other agency or authority of the United States
gathers or makes available.
Based on the response to the NPRM and on our review, we have
determined that these final regulations do not require transmission of
information that any other agency or authority of the United States
gathers or makes available.
Electronic Access to This Document
You may view this document, as well as all other Department of
Education documents published in the Federal Register, in text or Adobe
Portable Document Format (PDF) on the Internet at the following site:
www.ed.gov/news/fedregister.
To use PDF you must have Adobe Acrobat Reader, which is available
free at this site. If you have questions about using PDF, call the U.S.
Government Printing Office (GPO), toll free, at 1-888-293-6498; or in
the Washington, DC area at (202) 512-1530.
Note: The official version of this document is the document
published in the Federal Register. Free Internet access to the
official edition of the Federal Register and the Code of Federal
Regulations is available on GPO Access at www.gpoaccess.gov/nara/index.html.
(Catalog of Federal Domestic Assistance Number does not apply.)
List of Subjects in 34 CFR Part 99
Administrative practice and procedure, Directory information,
Education records, Information, Parents, Privacy, Records, Social
Security Numbers, Students.
Dated: December 2, 2008.
Margaret Spellings,
Secretary of Education.
For the reasons discussed in the preamble, the Secretary amends part 99
of title 34 of the Code of Federal Regulations as follows:
PART 99--FAMILY EDUCATIONAL RIGHTS AND PRIVACY
1. The authority citation for part 99 continues to read as follows:
Authority: 20 U.S.C. 1232g, unless otherwise noted.
2. Section 99.2 is amended by revising the note following the authority
citation to read as follows:
Sec. 99.2 What is the purpose of these regulations?
* * * * *
Note to Sec. 99.2: 34 CFR 300.610 through 300.626 contain
requirements regarding the confidentiality of information relating
to children with disabilities who receive evaluations, services or
other benefits under Part B of the Individuals with Disabilities
Education Act (IDEA). 34 CFR 303.402 and 303.460 identify the
confidentiality of information requirements regarding children and
infants and toddlers with disabilities and their families who
receive evaluations, services, or other benefits under Part C of
IDEA. 34 CFR 300.610 through 300.627 contain the confidentiality of
information requirements that apply to personally identifiable data,
information, and records collected or maintained pursuant to Part B
of the IDEA.
3. Section 99.3 is amended by:
A. Adding, in alphabetical order, a definition of Biometric record.
B. Revising the definitions of Attendance, Directory information,
Disclosure, and Personally identifiable information.
C. In the definition of Education records, revising paragraph (b)(5)
and adding a new paragraph (b)(6).
These additions and revisions read as follows:
Sec. 99.3 What definitions apply to these regulations?
* * * * *
Attendance includes, but is not limited to--
(a) Attendance in person or by paper correspondence,
videoconference, satellite, Internet, or other electronic information
and telecommunications technologies for students who are not physically
present in the classroom; and
(b) The period during which a person is working under a work-study
program.
(Authority: 20 U.S.C. 1232g)
* * * * *
Biometric record, as used in the definition of personally
identifiable information, means a record of one or more measurable
biological or behavioral characteristics that can be used for automated
recognition of an individual. Examples include fingerprints; retina and
iris patterns; voiceprints; DNA sequence; facial characteristics; and
handwriting.
(Authority: 20 U.S.C. 1232g)
* * * * *
Directory information means information contained in an education
record of a student that would not generally be considered harmful or
an invasion of privacy if disclosed.
(a) Directory information includes, but is not limited to, the
student's name; address; telephone listing; electronic mail address;
photograph; date and place of birth; major field of study; grade level;
enrollment status (e.g., undergraduate or graduate, full-time or part-
time); dates of attendance; participation in officially recognized
activities and sports; weight and height of members of athletic teams;
degrees, honors and awards received; and the most recent educational
agency or institution attended.
(b) Directory information does not include a student's--
(1) Social security number; or
(2) Student identification (ID) number, except as provided in
paragraph (c) of this section.
(c) Directory information includes a student ID number, user ID, or
other unique personal identifier used by the student for purposes of
accessing or communicating in electronic systems, but only if the
identifier cannot be used to gain access to education records except
when used in conjunction with one or more factors that authenticate the
user's identity, such as a personal identification number (PIN),
password, or other factor known or possessed only by the authorized
user.
(Authority: 20 U.S.C. 1232g(a)(5)(A))
* * * * *
Disclosure means to permit access to or the release, transfer, or
other communication of personally identifiable information contained in
education records by any means, including oral, written, or electronic
means, to any party except the party identified as the party that
provided or created the record.
(Authority: 20 U.S.C. 1232g(b)(1) and (b)(2))
* * * * *
Education Records
* * * * *
(b) * * *
(5) Records created or received by an educational agency or
institution after
[[Page 74852]]
an individual is no longer a student in attendance and that are not
directly related to the individual's attendance as a student.
(6) Grades on peer-graded papers before they are collected and
recorded by a teacher.
* * * * *
Personally Identifiable Information
The term includes, but is not limited to--
(a) The student's name;
(b) The name of the student's parent or other family members;
(c) The address of the student or student's family;
(d) A personal identifier, such as the student's social security
number, student number, or biometric record;
(e) Other indirect identifiers, such as the student's date of
birth, place of birth, and mother's maiden name;
(f) Other information that, alone or in combination, is linked or
linkable to a specific student that would allow a reasonable person in
the school community, who does not have personal knowledge of the
relevant circumstances, to identify the student with reasonable
certainty; or
(g) Information requested by a person who the educational agency or
institution reasonably believes knows the identity of the student to
whom the education record relates.
(Authority: 20 U.S.C. 1232g)
* * * * *
4. Section 99.5 is amended by redesignating paragraph (a) as paragraph
(a)(1) and adding a new paragraph (a)(2) to read as follows:
Sec. 99.5 What are the rights of students?
(a)(1) * * *
(2) Nothing in this section prevents an educational agency or
institution from disclosing education records, or personally
identifiable information from education records, to a parent without
the prior written consent of an eligible student if the disclosure
meets the conditions in Sec. 99.31(a)(8), Sec. 99.31(a)(10), Sec.
99.31(a)(15), or any other provision in Sec. 99.31(a).
* * * * *
5. Section 99.31 is amended by:
A. Redesignating paragraph (a)(1) as paragraph (a)(1)(i)(A) and adding
new paragraphs (a)(1)(i)(B) and (a)(1)(ii).
B. Revising paragraph (a)(2).
C. Redesignating paragraphs (a)(6)(iii) and (a)(6)(iv) as paragraphs
(a)(6)(iv) and (a)(6)(v), respectively.
D. Revising paragraph (a)(6)(ii).
E. Adding a new paragraph (a)(6)(iii).
F. In paragraph (a)(9)(ii)(A), removing the word ``or'' after the
punctuation ``;''.
G. In paragraph (a)(9)(ii)(B), removing the punctuation ``.'' and
adding in its place the word ``;or''.
H. Adding paragraph (a)(9)(ii)(C).
I. Adding paragraph (a)(16).
J. Revising paragraph (b).
K. Adding paragraphs (c) and (d).
L. Revising the authority citation at the end of the section.
The additions and revisions read as follows:
Sec. 99.31 Under what conditions is prior consent not required to
disclose information?
(a) * * *
(1)(i)(A) * * *
(B) A contractor, consultant, volunteer, or other party to whom an
agency or institution has outsourced institutional services or
functions may be considered a school official under this paragraph
provided that the outside party--
(1) Performs an institutional service or function for which the
agency or institution would otherwise use employees;
(2) Is under the direct control of the agency or institution with
respect to the use and maintenance of education records; and
(3) Is subject to the requirements of Sec. 99.33(a) governing the
use and redisclosure of personally identifiable information from
education records.
(ii) An educational agency or institution must use reasonable
methods to ensure that school officials obtain access to only those
education records in which they have legitimate educational interests.
An educational agency or institution that does not use physical or
technological access controls must ensure that its administrative
policy for controlling access to education records is effective and
that it remains in compliance with the legitimate educational interest
requirement in paragraph (a)(1)(i)(A) of this section.
(2) The disclosure is, subject to the requirements of Sec. 99.34,
to officials of another school, school system, or institution of
postsecondary education where the student seeks or intends to enroll,
or where the student is already enrolled so long as the disclosure is
for purposes related to the student's enrollment or transfer.
Note: Section 4155(b) of the No Child Left Behind Act of 2001,
20 U.S.C. 7165(b), requires each State to assure the Secretary of
Education that it has a procedure in place to facilitate the
transfer of disciplinary records with respect to a suspension or
expulsion of a student by a local educational agency to any private
or public elementary or secondary school in which the student is
subsequently enrolled or seeks, intends, or is instructed to enroll.
(6)(i) * * *
(ii) An educational agency or institution may disclose information
under paragraph (a)(6)(i) of this section only if--
(A) The study is conducted in a manner that does not permit
personal identification of parents and students by individuals other
than representatives of the organization that have legitimate interests
in the information;
(B) The information is destroyed when no longer needed for the
purposes for which the study was conducted; and
(C) The educational agency or institution enters into a written
agreement with the organization that--
(1) Specifies the purpose, scope, and duration of the study or
studies and the information to be disclosed;
(2) Requires the organization to use personally identifiable
information from education records only to meet the purpose or purposes
of the study as stated in the written agreement;
(3) Requires the organization to conduct the study in a manner that
does not permit personal identification of parents and students, as
defined in this part, by anyone other than representatives of the
organization with legitimate interests; and
(4) Requires the organization to destroy or return to the
educational agency or institution all personally identifiable
information when the information is no longer needed for the purposes
for which the study was conducted and specifies the time period in
which the information must be returned or destroyed.
(iii) An educational agency or institution is not required to
initiate a study or agree with or endorse the conclusions or results of
the study.
* * * * *
(9) * * *
(ii) * * *
(C) An ex parte court order obtained by the United States Attorney
General (or designee not lower than an Assistant Attorney General)
concerning investigations or prosecutions of an offense listed in 18
U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism
as defined in 18 U.S.C. 2331.
* * * * *
(16) The disclosure concerns sex offenders and other individuals
required to register under section 170101 of the Violent Crime Control
and Law Enforcement Act of 1994, 42 U.S.C. 14071, and the information
was provided to the educational agency or institution under 42 U.S.C.
14071 and applicable Federal guidelines.
(b)(1) De-identified records and information. An educational agency
or
[[Page 74853]]
institution, or a party that has received education records or
information from education records under this part, may release the
records or information without the consent required by Sec. 99.30
after the removal of all personally identifiable information provided
that the educational agency or institution or other party has made a
reasonable determination that a student's identity is not personally
identifiable, whether through single or multiple releases, and taking
into account other reasonably available information.
(2) An educational agency or institution, or a party that has
received education records or information from education records under
this part, may release de-identified student level data from education
records for the purpose of education research by attaching a code to
each record that may allow the recipient to match information received
from the same source, provided that--
(i) An educational agency or institution or other party that
releases de-identified data under paragraph (b)(2) of this section does
not disclose any information about how it generates and assigns a
record code, or that would allow a recipient to identify a student
based on a record code;
(ii) The record code is used for no purpose other than identifying
a de-identified record for purposes of education research and cannot be
used to ascertain personally identifiable information about a student;
and
(iii) The record code is not based on a student's social security
number or other personal information.
(c) An educational agency or institution must use reasonable
methods to identify and authenticate the identity of parents, students,
school officials, and any other parties to whom the agency or
institution discloses personally identifiable information from
education records.
(d) Paragraphs (a) and (b) of this section do not require an
educational agency or institution or any other party to disclose
education records or information from education records to any party.
(Authority: 20 U.S.C. 1232g(a)(5)(A), (b), (h), (i), and (j)).
6. Section 99.32 is amended by:
A. Revising paragraph (a)(1).
B. Adding new paragraphs (a)(4) and (a)(5).
C. Redesignating paragraphs (b)(1) and (b)(2) as paragraphs (b)(1)(i)
and (b)(1)(ii) and redesignating paragraph (b), introductory text, as
paragraph (b)(1).
D. Revising newly redesignated paragraph (b)(1).
E. Adding a new paragraph (b)(2).
F. Revising paragraph (d)(5).
The additions and revisions read as follows:
Sec. 99.32 What recordkeeping requirements exist concerning requests
and disclosures?
(a)(1) An educational agency or institution must maintain a record
of each request for access to and each disclosure of personally
identifiable information from the education records of each student, as
well as the names of State and local educational authorities and
Federal officials and agencies listed in Sec. 99.31(a)(3) that may
make further disclosures of personally identifiable information from
the student's education records without consent under Sec. 99.33(b).
* * * * *
(4) An educational agency or institution must obtain a copy of the
record of further disclosures maintained under paragraph (b)(2) of this
section and make it available in response to a parent's or eligible
student's request to review the record required under paragraph (a)(1)
of this section.
(5) An educational agency or institution must record the following
information when it discloses personally identifiable information from
education records under the health or safety emergency exception in
Sec. 99.31(a)(10) and Sec. 99.36:
(i) The articulable and significant threat to the health or safety
of a student or other individuals that formed the basis for the
disclosure; and
(ii) The parties to whom the agency or institution disclosed the
information.
(b)(1) Except as provided in paragraph (b)(2) of this section, if
an educational agency or institution discloses personally identifiable
information from education records with the understanding authorized
under Sec. 99.33(b), the record of the disclosure required under this
section must include:
* * * * *
(2)(i) A State or local educational authority or Federal official
or agency listed in Sec. 99.31(a)(3) that makes further disclosures of
information from education records under Sec. 99.33(b) must record the
names of the additional parties to which it discloses information on
behalf of an educational agency or institution and their legitimate
interests in the information under Sec. 99.31 if the information was
received from:
(A) An educational agency or institution that has not recorded the
further disclosures under paragraph (b)(1) of this section; or
(B) Another State or local educational authority or Federal
official or agency listed in Sec. 99.31(a)(3).
(ii) A State or local educational authority or Federal official or
agency that records further disclosures of information under paragraph
(b)(2)(i) of this section may maintain the record by the student's
class, school, district, or other appropriate grouping rather than by
the name of the student.
(iii) Upon request of an educational agency or institution, a State
or local educational authority or Federal official or agency listed in
Sec. 99.31(a)(3) that maintains a record of further disclosures under
paragraph (b)(2)(i) of this section must provide a copy of the record
of further disclosures to the educational agency or institution within
a reasonable period of time not to exceed 30 days.
* * * * *
(d) * * *
(5) A party seeking or receiving records in accordance with Sec.
99.31(a)(9)(ii)(A) through (C).
* * * * *
7. Section 99.33 is amended by revising paragraphs (b), (c), (d), and
(e) to read as follows:
* * * * *
Sec. 99.33 What limitations apply to the redisclosure of information?
* * * * *
(b)(1) Paragraph (a) of this section does not prevent an
educational agency or institution from disclosing personally
identifiable information with the understanding that the party
receiving the information may make further disclosures of the
information on behalf of the educational agency or institution if--
(i) The disclosures meet the requirements of Sec. 99.31; and
(ii)(A) The educational agency or institution has complied with the
requirements of Sec. 99.32(b); or
(B) A State or local educational authority or Federal official or
agency listed in Sec. 99.31(a)(3) has complied with the requirements
of Sec. 99.32(b)(2).
(2) A party that receives a court order or lawfully issued subpoena
and rediscloses personally identifiable information from education
records on behalf of an educational agency or institution in response
to that order or subpoena under Sec. 99.31(a)(9) must provide the
notification required under Sec. 99.31(a)(9)(ii).
(c) Paragraph (a) of this section does not apply to disclosures
under Sec. Sec. 99.31(a)(8), (9), (11), (12), (14), (15), and (16),
and to information that postsecondary institutions are required
[[Page 74854]]
to disclose under the Jeanne Clery Disclosure of Campus Security Policy
and Campus Crime Statistics Act, 20 U.S.C. 1092(f) (Clery Act), to the
accuser and accused regarding the outcome of any campus disciplinary
proceeding brought alleging a sexual offense.
(d) An educational agency or institution must inform a party to
whom disclosure is made of the requirements of paragraph (a) of this
section except for disclosures made under Sec. Sec. 99.31(a)(8), (9),
(11), (12), (14), (15), and (16), and to information that postsecondary
institutions are required to disclose under the Clery Act to the
accuser and accused regarding the outcome of any campus disciplinary
proceeding brought alleging a sexual offense.
(e) If this Office determines that a third party outside the
educational agency or institution improperly rediscloses personally
identifiable information from education records in violation of this
section, or fails to provide the notification required under paragraph
(b)(2) of this section, the educational agency or institution may not
allow that third party access to personally identifiable information
from education records for at least five years.
* * * * *
8. Section 99.34 is amended by revising paragraph (a)(1)(ii) to read as
follows:
Sec. 99.34 What conditions apply to disclosure of information to
other educational agencies and institutions?
(a) * * *
(1) * * *
(ii) The annual notification of the agency or institution under
Sec. 99.7 includes a notice that the agency or institution forwards
education records to other agencies or institutions that have requested
the records and in which the student seeks or intends to enroll or is
already enrolled so long as the disclosure is for purposes related to
the student's enrollment or transfer;
* * * * *
9. Section 99.35 is amended by revising paragraphs (a) and (b)(1) to
read as follows:
Sec. 99.35 What conditions apply to disclosure of information for
Federal or State program purposes?
(a)(1) Authorized representatives of the officials or agencies
headed by officials listed in Sec. 99.31(a)(3) may have access to
education records in connection with an audit or evaluation of Federal
or State supported education programs, or for the enforcement of or
compliance with Federal legal requirements that relate to those
programs.
(2) Authority for an agency or official listed in Sec. 99.31(a)(3)
to conduct an audit, evaluation, or compliance or enforcement activity
is not conferred by the Act or this part and must be established under
other Federal, State, or local authority.
(b) * * *
(1) Be protected in a manner that does not permit personal
identification of individuals by anyone other than the officials or
agencies headed by officials referred to in paragraph (a) of this
section, except that those officials and agencies may make further
disclosures of personally identifiable information from education
records on behalf of the educational agency or institution in
accordance with the requirements of Sec. 99.33(b); and
* * * * *
10. Section 99.36 is amended by revising paragraphs (a) and (c) to read
as follows:
Sec. 99.36 What conditions apply to disclosure of information in
health and safety emergencies?
(a) An educational agency or institution may disclose personally
identifiable information from an education record to appropriate
parties, including parents of an eligible student, in connection with
an emergency if knowledge of the information is necessary to protect
the health or safety of the student or other individuals.
* * * * *
(c) In making a determination under paragraph (a) of this section,
an educational agency or institution may take into account the totality
of the circumstances pertaining to a threat to the health or safety of
a student or other individuals. If the educational agency or
institution determines that there is an articulable and significant
threat to the health or safety of a student or other individuals, it
may disclose information from education records to any person whose
knowledge of the information is necessary to protect the health or
safety of the student or other individuals. If, based on the
information available at the time of the determination, there is a
rational basis for the determination, the Department will not
substitute its judgment for that of the educational agency or
institution in evaluating the circumstances and making its
determination.
* * * * *
11. Section 99.37 is amended by:
A. Revising paragraph (b).
B. Adding new paragraphs (c) and (d).
The revision and additions read as follows:
Sec. 99.37 What conditions apply to disclosing directory information?
* * * * *
(b) An educational agency or institution may disclose directory
information about former students without complying with the notice and
opt out conditions in paragraph (a) of this section. However, the
agency or institution must continue to honor any valid request to opt
out of the disclosure of directory information made while a student was
in attendance unless the student rescinds the opt out request.
(c) A parent or eligible student may not use the right under
paragraph (a)(2) of this section to opt out of directory information
disclosures to prevent an educational agency or institution from
disclosing or requiring a student to disclose the student's name,
identifier, or institutional e-mail address in a class in which the
student is enrolled.
(d) An educational agency or institution may not disclose or
confirm directory information without meeting the written consent
requirements in Sec. 99.30 if a student's social security number or
other non-directory information is used alone or combined with other
data elements to identify or help identify the student or the student's
records.
* * * * *
12. Section 99.62 is revised to read as follows:
Sec. 99.62 What information must an educational agency or institution
submit to the Office?
The Office may require an educational agency or institution to
submit reports, information on policies and procedures, annual
notifications, training materials, and other information necessary to
carry out its enforcement responsibilities under the Act or this part.
(Authority: 20 U.S.C. 1232g(f) and (g))
Sec. 99.63 [Amended]
13. Section 99.63 is amended by removing the mail code designation
``4605'' before the punctuation ``.''
14. Section 99.64 is amended by:
A. Revising the section heading.
B. Revising paragraphs (a) and (b).
The revisions read as follows:
Sec. 99.64 What is the investigation procedure?
(a) A complaint must contain specific allegations of fact giving
reasonable cause to believe that a violation of the Act or this part
has occurred. A complaint does not have to allege that a violation is
based on a policy or practice of the educational agency or institution.
[[Page 74855]]
(b) The Office investigates a timely complaint filed by a parent or
eligible student, or conducts its own investigation when no complaint
has been filed or a complaint has been withdrawn, to determine whether
an educational agency or institution has failed to comply with a
provision of the Act or this part. If the Office determines that an
educational agency or institution has failed to comply with a provision
of the Act or this part, it may also determine whether the failure to
comply is based on a policy or practice of the agency or institution.
* * * * *
15. Section 99.65 is revised to read as follows:
Sec. 99.65 What is the content of the notice of investigation issued
by the Office?
(a) The Office notifies the complainant, if any, and the
educational agency or institution in writing if it initiates an
investigation under Sec. 99.64(b). The notice to the educational
agency or institution--
(1) Includes the substance of the allegations against the
educational agency or institution; and
(2) Directs the agency or institution to submit a written response
and other relevant information, as set forth in Sec. 99.62, within a
specified period of time, including information about its policies and
practices regarding education records.
(b) The Office notifies the complainant if it does not initiate an
investigation because the complaint fails to meet the requirements of
Sec. 99.64.
(Authority: 20 U.S.C. 1232g(g))
16. Section 99.66 is amended by revising paragraphs (a), (b), and the
introductory text of paragraph (c) to read as follows:
Sec. 99.66 What are the responsibilities of the Office in the
enforcement process?
(a) The Office reviews a complaint, if any, information submitted
by the educational agency or institution, and any other relevant
information. The Office may permit the parties to submit further
written or oral arguments or information.
(b) Following its investigation, the Office provides to the
complainant, if any, and the educational agency or institution a
written notice of its findings and the basis for its findings.
(c) If the Office finds that an educational agency or institution
has not complied with a provision of the Act or this part, it may also
find that the failure to comply was based on a policy or practice of
the agency or institution. A notice of findings issued under paragraph
(b) of this section to an educational agency or institution that has
not complied with a provision of the Act or this part--
* * * * *
17. Section 99.67 is amended by revising paragraph (a) to read as
follows:
Sec. 99.67 How does the Secretary enforce decisions?
(a) If an educational agency or institution does not comply during
the period of time set under Sec. 99.66(c), the Secretary may take any
legally available enforcement action in accordance with the Act,
including, but not limited to, the following enforcement actions
available in accordance with part E of the General Education Provisions
Act--
* * * * *
[FR Doc. E8-28864 Filed 12-8-08; 8:45 am]
BILLING CODE 4000-01-P