
Family Educational Rights and Privacy


Published: 2008-12-09

ACTION:
Final regulations.
SUMMARY:
The Secretary amends our regulations implementing the Family Educational Rights and Privacy Act (FERPA), which is section 444 of the General Education Provisions Act. These amendments are needed to implement a provision of the USA Patriot Act and the Campus Sex Crimes Prevention Act, which added new exceptions permitting the disclosure of personally identifiable information from education records without consent. The amendments also implement two U.S. Supreme Court decisions interpreting FERPA, and make necessary changes identified as a result of the Department's experience administering FERPA and the current regulations.
These changes clarify permissible disclosures to parents of eligible students and conditions that apply to disclosures in health and safety emergencies; clarify permissible disclosures of student identifiers as directory information; allow disclosures to contractors and other outside parties in connection with the outsourcing of institutional services and functions; revise the definitions of attendance, disclosure, education records, personally identifiable information, and other key terms; clarify permissible redisclosures by State and Federal officials; and update investigation and enforcement provisions.
DATES:
These regulations are effective January 8, 2009.
FOR FURTHER INFORMATION CONTACT:
Frances Moran, U.S. Department of Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 20202-8250. Telephone: (202) 260-3887.
If you use a telecommunications device for the deaf (TDD), you may call the Federal Relay Service (FRS) at 1-800-877-8339.
Individuals with disabilities may obtain this document in an alternative format (e.g., Braille, large print, audiotape, or computer diskette) on request to the contact person listed under FOR FURTHER INFORMATION CONTACT.
SUPPLEMENTARY INFORMATION:
On March 24, 2008, the U.S. Department of Education (the Department or we) published a notice of proposed rulemaking (NPRM) in the Federal Register (73 FR 15574). In the preamble to the NPRM, the Secretary discussed the major changes proposed in that document that are necessary to implement statutory changes made to FERPA, to implement two U.S. Supreme Court decisions, to respond to changes in information technology, and to address other issues identified through the Department's experience in administering FERPA.
We believe that the regulatory changes adopted in these final regulations provide clarification on many important issues that have arisen over time with regard to how FERPA affects decisions that school officials have to make on an everyday basis. Educational agencies and institutions face considerable challenges, especially with regard to maintaining safe campuses, protecting personally identifiable information in students' education records, and responding to requests for data on student progress. These final regulations, as well as the discussion on various provisions in the preamble, will assist school officials in addressing these challenges in a manner that complies with FERPA and protects the privacy of students' education records.
Notice of Proposed Rulemaking
In the NPRM, we proposed regulations to implement section 507 of the USA Patriot Act (Pub. L. 107-56), enacted October 26, 2001, and the Campus Sex Crimes Prevention Act, section 1601(d) of the Victims of Trafficking and Violence Protection Act of 2000 (Pub. L. 106-386), enacted October 28, 2000. Other major changes proposed in the NPRM included the following:
• Amending § 99.5 to clarify the conditions under which an educational agency or institution may disclose personally identifiable information from an eligible student's education records to a parent without the prior written consent of the eligible student;
• Amending § 99.31(a)(1) to authorize the disclosure of education records without consent to contractors, consultants, volunteers, and other outside parties to whom an educational agency or institution has outsourced institutional services or functions;
• Amending § 99.31(a)(1) to ensure that teachers and other school officials only gain access to education records in which they have legitimate educational interests;
• Amending § 99.31(a)(2) to permit educational agencies and institutions to disclose education records, without consent, to another institution even after the student has enrolled or transferred so long as the disclosure is for purposes related to the student's enrollment or transfer;
• Amending § 99.31(a)(6) to require that an educational agency or institution may disclose personally identifiable information under this section only if it enters into a written agreement with the organization specifying the purposes of the study and the use and destruction of the data;
• Amending § 99.31 to include a new subsection to provide standards for the release of information from education records that has been de-identified;
• Amending § 99.35 to permit State and local educational authorities and Federal officials listed in § 99.31(a)(3) to make further disclosures of personally identifiable information from education records on behalf of the educational agency or institution; and
• Amending § 99.36 to remove the language requiring strict construction of this exception and add a provision stating that if an educational agency or institution determines that there is an articulable and significant threat to the health or safety of a student or other individual, it may disclose the information to any person, including parents, whose knowledge of the information is necessary to protect the health or safety of the student or other individuals.
Significant Changes From the NPRM
These final regulations contain several significant changes from the NPRM as follows:
• Amending the definition of personally identifiable information in § 99.3 to provide a definition of biometric record;
• Removing the proposed definition of State auditor in § 99.3 and provisions in § 99.35(a)(3) related to State auditors and audits;
• Revising § 99.31(a)(6) to clarify the specific types of information that must be contained in the written agreement between an educational agency or institution and an organization conducting a study for the agency or institution;
• Removing the statement from § 99.31(a)(16) that FERPA does not require or encourage agencies or institutions to collect or maintain information concerning registered sex offenders;
• Requiring a State or local educational authority or Federal official or agency that rediscloses personally identifiable information from education records to record that disclosure if the educational agency or institution does not do so under § 99.32(b); and
• Revising § 99.32(b) to require an educational agency or institution that makes a disclosure in a health or safety emergency to record information concerning the circumstances of the emergency.
These changes are explained in greater detail in the following Analysis of Comments and Changes.
Analysis of Comments and Changes
In response to the Secretary's invitation in the NPRM, 121 parties submitted comments on the proposed regulations. An analysis of the comments and of the changes in the regulations since publication of the NPRM follows.
We group major issues according to subject, with applicable sections of the regulations referenced in parentheses. We discuss other substantive issues under the sections of the regulations to which they pertain. Generally, we do not address technical and other minor changes, or suggested changes that the law does not authorize the Secretary to make. We also do not address comments pertaining to issues that were not within the scope of the NPRM.
Definitions (§ 99.3)
(a) Attendance
Comment: We received no comments objecting to the proposed changes to the definition of the term attendance. Three commenters expressed support for the changes because the availability and use of alternative instructional formats are not clearly addressed by the current regulations. One commenter suggested that the definition could avoid obsolescence by referring to the receipt of instruction leading to a diploma or certificate instead of listing the types of instructional formats.
Discussion: We proposed to revise the definition of attendance because we received inquiries from some educational agencies and institutions asking whether FERPA was applicable to the records of students receiving instruction through the use of new technology methods that do not require a physical presence in a classroom. Because the definition of attendance is key to determining when an individual's records at a school are education records protected by FERPA, it is essential that schools and institutions understand the scope of the term. To prevent the regulations from becoming out of date as new formats and methods are developed, the definition provides that attendance may also include “other electronic information and telecommunications technologies.”
While most schools are aware of the various formats distance learning may take, we believe it is informative to list the different communications media that are currently used. Also, we believe that parents, eligible students, and other individuals and organizations that use the FERPA regulations may find the listing of formats useful.
We do not agree that the definition of attendance should be limited to receipt of instruction leading to a diploma or certificate, because this would improperly exclude many instructional formats.
Changes: None.
(b) Directory Information (§§ 99.3 and 99.37)
(1) Definition (§ 99.3)
Comment: We received a number of comments on our proposal to revise the definition of directory information to provide that an educational agency or institution may not designate as directory information a student's social security number (SSN) or other student identification (ID) number. The proposed definition also provided that a student's user ID or other unique identifier used by the student to access or communicate in electronic systems could be considered directory information but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student's identity.
All commenters agreed that student SSNs should not be disclosed as directory information. Several commenters strongly supported the definition of directory information as proposed, noting that failure to curtail the use of SSNs and student ID numbers as directory information could facilitate identity theft and other fraudulent activities.
One commenter said that the proposed regulations did not go far enough to prohibit the use of students' SSNs as a student ID number, placing SSNs on academic transcripts, and using SSNs to search an electronic database. Another commenter expressed concern that the proposed regulations could prohibit reporting needed to enforce students' financial obligations and other routine business practices. According to this commenter, restrictions on the use of SSNs in FERPA and elsewhere demonstrate the need for a single student identifier that can be tied to the SSN and other identifying information to use for grade transcripts, enrollment verification, default prevention, and other activities that depend on sharing student information. Another commenter stated that institutions should not be allowed to penalize students who opt out of directory information disclosures by denying them access to benefits, services, and required activities.
Several commenters said that the definition in the proposed regulations was confusing and unnecessarily restrictive because it treats a student ID number as the functional equivalent of an SSN. They explained that when providing access to records and services, many institutions no longer use an SSN or other single identifier that both identifies and authenticates identity. As a result, at many institutions, the condition specified in the regulations for treating electronic identifiers as directory information, i.e., that the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, often applies to student ID numbers as well because they cannot be used to gain access to education records without a personal identification number (PIN), password, or some other factor to authenticate the user's identity. Some commenters suggested that our nomenclature is the problem and that regardless of what it is called, an identifier that does not allow access to education records without the use of authentication factors should be treated as directory information. According to one commenter, allowing institutions to treat student ID numbers as directory information in these circumstances would improve business practices and enhance student privacy by encouraging institutions to require additional authentication factors when using student ID numbers to provide access to education records.
One commenter strongly opposed allowing institutions to treat a student's electronic identifier as directory information if the identifier could be made available to parties outside the school system. This commenter noted that electronic identifiers may act as a key, offering direct access to the student's entire file, and that PINs and passwords alone do not provide adequate security for education records. Another commenter said that if electronic identifiers and ID numbers can be released as directory information, then password requirements need to be more stringent to guard against unauthorized access to information and identity theft.
Some commenters recommended establishing categories of directory information, with certain information made available only within the educational community. One commenter expressed concern about Internet safety because the regulations allow publication of a student's e-mail address. Another said that FERPA should not prevent institutions from printing the student's ID number on an ID card or otherwise restrict its use on campus but that publication in a directory should not be allowed.
Two commenters asked the Department to confirm that the regulations allow institutions to post grades using a code known only by the teacher and the student.
Discussion: We share commenters' concerns about the use of students' SSNs. In general, however, there is no statutory authority under FERPA to prohibit an educational agency or institution from using SSNs as a student ID number, on academic transcripts, or to search an electronic database so long as the agency or institution does not disclose the SSN in violation of FERPA requirements. As discussed elsewhere in this preamble, FERPA does prohibit using a student's SSN, without consent, to search records in order to confirm directory information.
Some States prohibit the use of SSNs as a student ID number, and some institutions have voluntarily ceased using SSNs in this manner because of concerns about identity theft. Students are required to provide their SSNs in order to receive Federal financial aid, and the regulations do not prevent an agency or institution from using SSNs for this purpose. We note that FERPA does not address, and we do not believe that there is statutory authority under FERPA to require, creation of a single student identifier to replace the SSN. In any case, the Department encourages educational agencies and institutions, as well as State educational authorities, to follow best practices of the educational community with regard to protecting students' SSNs.
We agree that students should not be penalized for opting out of directory information disclosures. Indeed, an educational agency or institution may not require parents and students to waive their rights under FERPA, including the right to opt out of directory information disclosures. On the other hand, we do not interpret FERPA to require educational agencies and institutions to ensure that students can remain anonymous to others in the school community when using an institution's electronic communications systems. As a result, parents and students who opt out of directory information disclosures may not be able to use electronic communications systems that require the release of the student's name or electronic identifier within the school community. (As discussed later in this notice in our discussion of the comments on § 99.37(c), the right to opt out of directory information disclosures may not be used to allow a student to remain anonymous in class.)
The regulations allow an educational agency or institution to designate a student's user ID or other electronic identifier as directory information if the identifier functions essentially like the student's name, and therefore, disclosure would not be considered harmful or an invasion of privacy. That is, the identifier cannot be used to gain access to education records except when combined with one or more factors that authenticate the student's identity.
We have historically advised that student ID numbers may not be disclosed as directory information because they have traditionally been used like SSNs, i.e., as both an identifier and authenticator of identity. We agree, however, that the proposed definition was confusing and unnecessarily restrictive because it failed to recognize that many institutions no longer use student ID numbers in this manner. If a student identifier cannot be used to access records or communicate electronically without one or more additional factors to authenticate the user's identity, then the educational agency or institution may treat it as directory information under FERPA regardless of what the identifier is called. We have revised the definition of directory information to provide this flexibility.
We share the commenters' concerns about the use of PINs and passwords. In the preamble to the NPRM, we explained that PINs or passwords, and single-factor authentication of any kind, may not be reasonable for protecting access to certain kinds of information (73 FR 15585). We also recognize that user IDs and other electronic identifiers may provide greater access and linking to information than does a person's name. Therefore, we remind educational agencies and institutions that disclose student ID numbers, user IDs, and other electronic identifiers as directory information to examine their recordkeeping and data sharing practices and ensure that, when these identifiers are used, the methods they select for authenticating identity provide adequate protection against the unauthorized disclosure of information in education records.
We also share the concern of commenters who stated that students' e-mail addresses and other identifiers should be disclosed as directory information only within the school system and should not be made available outside the institution. The disclosure of directory information is permissive under FERPA, and, therefore, an agency or institution is not required to designate and disclose any student identifier (or any other item) as directory information. Further, while FERPA does not expressly recognize different levels or categories of directory information, an agency or institution is not required to make student directories and other directory information available to the general public just because the information is shared within the institution. For example, under FERPA, an institution may decide to make students' electronic identifiers and e-mail addresses available within the institution but not release them to the general public as directory information. In fact, the preamble to the NPRM suggested that agencies and institutions should minimize the public release of student directories to mitigate the risk of re-identifying information that has been de-identified (73 FR 15584).
With regard to student ID numbers in particular, an agency or institution may print an ID number on a student's ID card whether or not the number is treated as directory information because under FERPA simply printing the ID number on a card, without more, is not a disclosure and, therefore, is not prohibited. See 20 U.S.C. 1232g(b)(2). If the student ID number is not designated as directory information, then the agency or institution may not disclose the card, or require the student to disclose the card, except in accordance with one of the exceptions to the consent requirement, such as to school officials with legitimate educational interests. If the student ID number is designated as directory information in accordance with these regulations, then it may be disclosed. However, the agency or institution may still decide against making a directory of student ID numbers available to the general public.
We discuss codes used by teachers to post grades in our discussion of the definition of personally identifiable information elsewhere in this preamble.
Changes: We have revised the definition of directory information in § 99.3 to provide that directory information includes a student ID number if it cannot be used to gain access to education records except when used with one or more other factors to authenticate the user's identity.
(2) Conditions for Disclosing Directory Information
(i) § 99.37(b)
Comment: All comments on this provision supported our proposal to clarify that an educational agency or institution must continue to honor a valid request to opt out of directory information disclosures even after the student no longer attends the institution. One commenter stated that the proposed regulations appropriately provided former students with the continuing ability to control the release of directory information and remarked that this will benefit students and families. One commenter asked how long an opt out from directory information disclosures must be honored. Another commenter said that students may object if their former schools do not disclose directory information without their specific written consent because the school is unable to determine whether the student previously opted out. This could occur, for example, if a school declined to disclose that a student had received a degree to a prospective employer.
Discussion: The regulations clarify that once a parent or eligible student opts out of directory information disclosures, the educational agency or institution must continue to honor that election after the student is no longer in attendance. While this is not a new interpretation, school districts and postsecondary institutions have been unclear about its application and have not administered it consistently. The inclusion in the regulations of this longstanding interpretation is necessary to ensure that schools clearly understand their obligation to continue to honor a decision to opt out of the disclosure of directory information after a student stops attending the school, until the parent or eligible student rescinds it.
Educational agencies and institutions are not required under FERPA to disclose directory information to any party. Therefore, parents and students have no basis for objecting if an agency or institution does not disclose directory information because it is not certain whether the parent or student opted out. The regulations provide an educational agency or institution with the flexibility to determine the process it believes is best suited to serve its population as long as it honors prior elections to opt out of directory information disclosures.
Changes: None.
(ii) § 99.37(c)
Comment: We received two comments in support of our proposal to clarify in this section that parents and students may not use the right to opt out of directory information disclosures to prevent disclosure of the student's name or other identifier in the classroom.
Discussion: We appreciate the commenters' support.
Changes: None.
(iii) § 99.37(d)
Comment: Two commenters supported the prohibition on using a student's SSN to disclose or confirm directory information unless a parent or eligible student provides written consent. One of these commenters questioned the statutory basis for this interpretation.
Several commenters asked whether, under the proposed regulations, a school must deny a request for directory information if the requester supplies the student's SSN. One commenter asked whether a request for directory information that contains a student's SSN may be honored so long as the school does not use the SSN to locate the student's records. One commenter stated that the regulations could more effectively protect students' SSNs but was concerned that denying a request for directory information that contains an SSN may inadvertently confirm the SSN.
One commenter expressed concern that the prohibition on using a student's SSN to verify directory information would leave schools with large student populations unable to locate the appropriate record because they will need to rely solely on the student's name and other directory information, if any, provided by the requester, which may be duplicated in their databases. This commenter said that students would object if institutions were unable to respond quickly to requests by banks or landlords for confirmation of enrollment because the request contained the student's SSN.
One commenter suggested that the regulations require an educational agency or institution to notify a requester that the release or confirmation of directory information does not confirm the accuracy of the SSN or other non-directory information submitted with the request. Another commenter asked whether the regulations apply to confirmation of student enrollment and other directory information by outside service providers such as the National Student Clearinghouse.
Discussion: The provision in the proposed regulations prohibiting an educational agency or institution from using a student's SSN when disclosing or verifying directory information is based on the statutory prohibition on disclosing personally identifiable information from education records without consent in 20 U.S.C. 1232g(b). The prohibition applies also to any party outside the agency or institution providing degree, enrollment, or other confirmation services on behalf of an educational agency or institution, such as the National Student Clearinghouse.
A school is not required to deny a request for directory information about a student, such as confirmation whether a student is enrolled or has received a degree, if the requester supplies the student's SSN (or other non-directory information) along with the request. However, in releasing or confirming directory information about a student, the school may not use the student's SSN (or other non-directory information) supplied by the requester to identify the student or locate the student's records unless a parent or eligible student has provided written consent. This is because confirmation of information in education records is considered a disclosure under FERPA. See 20 U.S.C. 1232g(b). A school's use of a student's SSN (or other non-directory information) provided by the requester to confirm enrollment or other directory information implicitly confirms and, therefore, discloses, the student's SSN (or other non-directory information). This is true even if the requester also provides the school with the student's name, date of birth, or other directory information to help identify the student.
A school may choose to deny a request for directory information, whether or not it contains a student's SSN, because only a parent or eligible student has a right to obtain education records under FERPA. Denial of a request for directory information that contains a student's SSN is not an implicit confirmation or disclosure of the SSN.
These regulations will not adversely affect the ability of institutions to respond quickly to requests by parties such as banks and landlords for confirmation of enrollment that contain the student's SSN because students generally provide written consent for schools to disclose information to the inquiring party in order to obtain banking and housing services. We note, however, that if a school wishes to use the student's SSN to confirm enrollment or other directory information about the student, it must ensure that the written consent provided by the student includes consent for the school to disclose the student's SSN to the requester.
There is no authority in FERPA to require a school to notify requesters that it is not confirming the student's SSN (or other non-directory information) when it discloses or confirms directory information. However, when a party submits a student's SSN along with a request for directory information, in order to avoid confusion, unless a parent or eligible student has provided written consent for the disclosure of the student's SSN, the school may indicate that it has not used the SSN (or other non-directory information) to locate the student's records and that its response may not and does not confirm the accuracy of the SSN (or other non-directory information) supplied with the request.
We recognize that with a large database of student information, there may be some loss of ability to identify students who have common names if SSNs are not used to help identify the individual. However, schools that do not use SSNs supplied by a party requesting directory information, either because the student has not provided written consent or because the school is not certain that the written consent includes consent for the school to disclose the student's SSN, generally may use the student's address, date of birth, school, class, year of graduation, and other directory information to identify the student or locate the student's records.
Changes: None.
(c) Disclosure (§ 99.3)
Comment: Two commenters said that the proposal to revise the definition of disclosure to exclude the return of a document to its source was too broad and could lead to improper release of highly sensitive documents, such as an individualized education program (IEP) contained in a student's special education records, to anyone claiming to be the creator of a record. One of the commenters stated that changing the definition was unnecessary, as schools already have a means of verifying documents by requesting additional copies from the source. Both commenters also expressed concern that, because recordation is not required, a parent or eligible student will not be aware that the verification occurred.
We also received comments of strong support for the proposed change to the definition of disclosure. The commenters stated that this change, targeted to permit the release of records back to the institution that presumably created them, will enhance an institution's ability to identify and investigate suspected fraudulent records in a timely manner.
Discussion: For several years now, school officials have advised us that problems related to fraudulent records typically involve a transcript or letter of recommendation that has been altered by someone other than the responsible school official. Under the current regulations, an educational agency or institution may ask for a copy of a record from the presumed source when it suspects fraudulent activity. However, simply asking for a copy of a record may not be adequate, for example, if the original record no longer exists at the sending institution. In these circumstances, an institution will need to return a record to its identified source to be able to verify its authenticity. The final regulations permit a targeted release of records back to the stated source for verification purposes in order to provide schools with the flexibility needed for this process while preserving a more general prohibition on the release of information from education records.
We do not agree that the term disclosure as proposed in the NPRM is too broad and could lead to the improper release of highly sensitive documents to anyone claiming to be the creator of the record. School officials have not advised us that they have had problems receiving IEP records and other highly sensitive materials from parties who did not in fact create or provide the record. Therefore, we do not believe that the proposed definition of disclosure is too broad.
The commenters are correct that the return of an education record to its source does not have to be recorded, because it is not a disclosure. We do not consider this problematic, however, because the information is merely being returned to the party identified as its source. This is similar to the situation in which a school is not required under the regulations to record disclosures of education records made to school officials with legitimate educational interests. As in that instance, there is no direct notice to a parent or student of either the disclosure of the record or the information in the record. We also believe that if a questionable document is deemed to be inauthentic by the source, the student will be informed of the results of the authentication process by means other than seeing a record of the disclosure in the student's file. There appears to be little value in notifying a parent or student that a document was suspected of being fraudulent if the document is found to be genuine and accurate.
Finally, we note that a transcript or other document does not lose its protection under FERPA, including the written consent requirements, when an educational agency or institution returns it to the source. The document and the information in it remain an “education record” under FERPA when it is returned to its source. As an education record, it may not be redisclosed except in accordance with FERPA requirements, including § 99.31(a)(1), which allows the source institution to disclose the information to teachers and other school officials with legitimate educational interests, such as persons who need to verify the accuracy or authenticity of the information. If the source institution makes any further disclosures of the record or information, it must record them.
Changes: None.
Additional Changes to the Definition of Disclosure
Comment: Several commenters requested additional changes to the definition of disclosure. One commenter requested that any transfer of education records to a State's longitudinal data system not be considered a disclosure. Several commenters requested that additional changes be made so that a school could provide current education records of students back to the students' former schools or districts. A commenter recommended excluding from the definition of disclosure statistical information that is personally identifiable because of small cell sizes when the recipient agrees to maintain the confidentiality of the information.
Discussion: The revised definition of disclosure, which excludes the return of a document to its stated source, clarifies that information provided by school districts or postsecondary institutions to State educational authorities, including information maintained in a consolidated student records system, may be provided back to the original district or institution without consent. There is no statutory authority, however, to exclude from the definition of disclosure a school district's or institution's release or transfer of personally identifiable information from education records to its State longitudinal data system. (We discuss the disclosure of education records in connection with the development of consolidated, longitudinal data systems in our response to comments on redisclosure and recordkeeping requirements elsewhere in this preamble.) Likewise, there is no statutory authority to exclude from the definition of disclosure the release of personally identifiable information from education records to parties that agree to keep the information confidential. (See our discussion of personally identifiable information and de-identified records and information elsewhere in this preamble.)
The revised regulations do not authorize the disclosure of education records to third parties who are not identified as the provider or creator of the record. For example, a college may not send a student's current college records to a student's high school under the revised definition of disclosure because the high school is not the stated source of those records. (We discuss this issue elsewhere in the preamble under Disclosure of Education Records to Students' Former Schools.)
Changes: None.
(d) Education Records
(1) Paragraph (b)(5)
Comment: Several commenters supported our proposal to clarify the existing exclusion from the definition of education records for records that only contain information about an individual after he or she is no longer a student, which we referred to as “alumni records” in the NPRM, 73 FR 15576. One commenter suggested that the term “directly related,” which is used in the amended definition in reference to a student's attendance, is inconsistent with the use of the term “personally identifiable” in other sections of the regulations and could cause confusion.
One commenter asked whether a postsecondary school could provide a student's education records from the postsecondary school to a secondary school that the student attended previously.
Several commenters objected to the proposed regulations because, according to the commenters, the regulations would expand the records subject to FERPA's prohibition on disclosure of education records without consent. A journalist stated that the settlement agreement cited in the NPRM is an example of a record that should be excluded from the definition and that schools already are permitted to protect too broad a range of documents from public review because the documents are education records. The commenter stated that information from education records such as a settlement agreement is newsworthy, unlikely to contain confidential information, and that disclosure of such information provides a benefit to the public. Another commenter expressed concern that the regulations allow schools to collect negative information about a former student without giving the individual an opportunity to challenge the content because the information is not an education record under FERPA.
Discussion: It has long been the Department's interpretation that records created or received by an educational agency or institution on a former student that are directly related to the individual's attendance as a student are not excluded from the definition of education records under FERPA, and that records created or received on a former student that are not directly related to the individual's attendance as a student are excluded from the definition and, therefore, are not “education records.” The proposed regulations in paragraph (b)(5) were intended to clarify the use of this exclusion, not to change or expand its scope.
Our use of the phrase “directly related to the individual's attendance as a student” to describe records that do not fall under this exclusion from the definition of education records is not inconsistent with the term “personally identifiable” as used in other parts of the regulations and should not be confused. The term “personally identifiable information” is used in the statute and regulations to describe the kind of information from education records that may not be disclosed without consent. See 20 U.S.C. 1232g(b); 34 CFR 99.3, 99.30. While “personally identifiable information” maintained by an agency or institution is generally considered an “education record” under FERPA, personally identifiable information does not fall under this exclusion from the definition of education records if the information is not directly related to the student's attendance as a student. For example, personally identifiable information related solely to a student's activities as an alumnus of an institution is excluded from the definition of education records under this provision. We think that the term “directly related” is clear in this context and will not be confused with “personally identifiable.”
A postsecondary institution may not disclose a student's postsecondary education records to the secondary school previously attended by the student under this provision because these records are directly related to the student's attendance as a student at the postsecondary institution. (We discuss this issue further under Disclosure of Education Records to Students' Former Schools.)
We do not agree that documents such as settlement agreements are unlikely to contain confidential information. Our experience has been that these documents often contain highly confidential information, such as special education diagnoses, educational supports, or mental or physical health and treatment information. Our changes to the definition were intended to clarify that schools may not disclose this information to the media or other parties, without consent, simply because a student is no longer in attendance at the school at the time the record was created or received. A parent or eligible student who wishes to share the student's own records with the media or other parties is free to do so.
Neither FERPA nor the regulations contains a provision for a parent or eligible student to challenge information that is not contained in an education record. FERPA does not prohibit a parent or student from using other venues to seek redress for collection and release of information in non-education records.
Changes: None.
(2) Paragraph (b)(6)
Comment: We received several comments supporting the proposed changes to the definition of education records that would exclude from the definition grades on peer-graded papers before they are collected and recorded by a teacher. These commenters expressed appreciation that this revision would be consistent with the U.S. Supreme Court's decision on peer-graded papers in Owasso Independent School Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso). Two commenters asked how the provision would be applied to the use of group projects and group grading within the classroom.
Discussion: The proposed changes to the definition of education records in paragraph (b)(6) are designed to implement the U.S. Supreme Court's 2002 decision in Owasso, which held that peer grading does not violate FERPA. As noted in the NPRM, 73 FR 15576, the Court held in Owasso that peer grading does not violate FERPA because “the grades on students' papers would not be covered under FERPA at least until the teacher has collected them and recorded them in his or her grade book.” 534 U.S. at 436.
As suggested by the Supreme Court in Owasso, 534 U.S. at 435, FERPA is not intended to interfere with a teacher's ability to carry out customary practices, such as group grading of team assignments within the classroom. Just as FERPA does not prevent teachers from allowing students to grade a test or homework assignment of another student or from calling out that grade in class, even though the grade may eventually become an education record, FERPA does not prohibit the discussion of group or individual grades on classroom group projects, so long as those individual grades have not yet been recorded by the teacher. The process of assigning grades or grading papers falls outside the definition of education records in FERPA because the grades are not “maintained” by an educational agency or institution at least until the teacher has recorded the grades.
Changes: None.
(e) Personally Identifiable Information
Comments on the proposed definition of personally identifiable information are discussed elsewhere in this preamble under the heading Personally Identifiable Information and De-identified Records and Information.
(f) State Auditors and Audits (§§ 99.3 and Proposed 99.35(a)(3))
Comment: Several commenters supported the clarification in proposed § 99.35(a)(3) that State auditors may have access to education records, without consent, in connection with an “audit” of Federal or State supported education programs under the exception to the written consent requirement for authorized representatives of “State and local educational authorities.” All but one of the commenters, however, disagreed strongly with the proposed definition of audit in § 99.35(a)(3), which was limited to testing compliance with applicable laws, regulations, and standards and did not include the broader concept of evaluations.
In general, the commenters said that the proposed definition of audit was too narrow and would prevent State auditors from conducting performance audits and other services that they routinely provide in accordance with professional auditing standards, including the U.S. Comptroller's Government Auditing Standards. See www.gao.gov/govaud/ybk01.htm. A State legislative auditor noted, for example, that 45 State legislatures have established legislative program evaluation offices whose express purpose is to provide research and evaluation for legislative decision making, and that these offices regularly use personally identifiable information from education records for their work. Some of the commenters also questioned whether financial audits and attestation engagements would be excluded under the proposed definition.
One commenter said that the State auditor provisions in proposed §§ 99.3 and 99.35(a)(3) should be expanded to apply to other non-education State officials responsible for evaluating publicly funded programs. Another commenter recommended that the regulations include examination of education records by health department officials to improve compliance with mandated immunization schedules.
The majority of the comments we received with respect to the inclusion of local auditors in the proposed definition of State auditor in § 99.3 supported permitting local auditors to have access to personally identifiable information for purposes of auditing Federal or State supported education programs. One commenter said that local auditors should not be included in the definition, while another commenter stated that auditors for the city health department need access to FERPA-protected information to determine the accuracy of claims for payment and asked for further clarification on the issue.
Discussion: We explained in the preamble to the NPRM that the statute allows disclosure of personally identifiable information from education records without consent to authorized representatives of “State educational authorities” in connection with an audit or evaluation of Federal or State supported education programs. 73 FR 15577. Legislative history indicates that Congress amended the statute in 1979 to “correct an anomaly” in which the existing exception to the consent requirement in 20 U.S.C. 1232g(b)(3) was interpreted to preclude State auditors from obtaining access to education records for audit purposes. See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 (1979), reprinted in 1979 U.S. Code Cong. Admin. News 819, 824. However, because the amended statutory language in 20 U.S.C. 1232g(b)(5) refers only to “State and local educational officials,” the proposed regulations sought to clarify that this included “State auditors” or auditors with authority and responsibility under State law for conducting audits. Due to the breadth of this inclusion, however, the proposed regulations also sought to limit access to education records by State auditors by narrowing the definition of audit.
The Secretary has carefully reviewed the comments and, based upon further intradepartmental review, has decided to remove from the final regulations the provisions related to State auditors and audits in §§ 99.3 and 99.35(a)(3). We share the commenters' concerns about preventing State auditors from conducting activities that they routinely perform under applicable auditing standards. However, because our focus was on the narrow definition of audit, we proposed a very broad definition of State auditor in § 99.3 and did not examine which of the various types of officials, offices, committees, and staff in executive and legislative branches of State government should be included in the definition. We are concerned that without the narrow definition of audit as proposed in § 99.35(a)(3), the proposed definition of State auditor may allow non-consensual disclosures of education records to a variety of officials for purposes not supported by the statute. The Department will study the matter further and may issue new regulations or guidance, as appropriate. In the interim, the Department will provide guidance on a case-by-case basis.
Changes: We are not including the definition of State auditor in § 99.3 and the provisions related to State auditors and audits in § 99.35(a)(3) in these final regulations.
Disclosures to Parents (§§ 99.5 and 99.36)
Comment: A majority of commenters approved of the Secretary's efforts to clarify that, even after a student has become an eligible student, an educational agency or institution may disclose education records to the student's parents, without the consent of the student, if certain conditions are met. Those commenters stated that the clarification was especially helpful, particularly in light of issues that arose after the April 2007 shootings at the Virginia Polytechnic Institute and State University (Virginia Tech). A commenter stated that the clarification will assist emergency management officials on college and university campuses and help school officials know when they can properly share student information with parents and students. One commenter expressed support for the proposed regulations, because it has been her experience that colleges do not share information with parents on their children's financial aid or academic status.
Some commenters disagreed with the proposed changes. One stated that, due to varying family dynamics, disclosures should not be limited only to parents, but should also include other appropriate family members. Another commenter objected to the phrase in § 99.5(a)(2) that would permit disclosure to a parent without the student's consent if the disclosure meets “any other provision in § 99.31(a).” The commenter stated that this “catch-all phrase” exceeded statutory authority.
Noting the sensitivity of financial information included in income tax returns, a few commenters raised concerns about the discussion in the NPRM in which we explained that an institution can determine that a parent claimed a student as a dependent by asking the parent to supply a copy of the parent's most recent Federal tax return. Another commenter stated that the NPRM did not go far enough and recommended specifically requiring an institution to rely on a copy of a parent's most recent Federal tax return to determine a student's dependent status, while another commenter recommended that we change the regulations to indicate that only the parent who has claimed the student as a dependent may have access to the student's education records.
A commenter noted that some States have high school students who are concurrently enrolled in secondary schools and postsecondary institutions as early as ninth grade and supported the clarification that postsecondary institutions may disclose information to parents of students who are tax dependents.
Discussion: Parents' rights under FERPA transfer to a student when the student reaches age 18 or enters a postsecondary institution. 20 U.S.C. 1232g(d). However, under § 99.31(a)(8), an educational agency or institution may disclose education records to an eligible student's parents if the student is a dependent as defined in section 152 of the Internal Revenue Code of 1986. Under § 99.31(a)(8), neither the age of a student nor the parent's status as custodial parent is relevant to the determination whether disclosure of information from an eligible student's education records to that parent without written consent is permissible under FERPA. If a student is claimed as a dependent for Federal income tax purposes by either parent, then under the regulations, either parent may have access to the student's education records without the student's consent.
The statutory exception to the consent requirement in FERPA for the disclosure of records of dependent students applies only to the parents of the student. 20 U.S.C. 1232g(b)(1)(H). Accordingly, the Secretary does not have statutory authority to apply § 99.31(a)(8) to any other family members. However, under § 99.30(b)(3), an eligible student may provide consent for the school to disclose information from his or her education records to another family member. In some situations, such as when there is no parent in the student's life or the student is married, a spouse or other family member may be considered an appropriate party to whom a disclosure may be made, without consent, in connection with a health or safety emergency under §§ 99.31(a)(10) and 99.36.
In most cases, when an educational agency or institution discloses education records to parents of an eligible student, we expect the disclosure to be made under the dependent student provision (§ 99.31(a)(8)), in connection with a health or safety emergency (§§ 99.31(a)(10) and 99.36), or if a student has committed a disciplinary violation with respect to the use or possession of alcohol or a controlled substance (§ 99.31(a)(15)). This is the reason we mention these provisions specifically in the regulations. However, inclusion of the phrase “of any other provision in § 99.31(a)” in § 99.5(a)(2) is necessary and within our statutory authority because there may be other exceptions to FERPA's general consent requirement under which an agency or institution might disclose education records to a parent of an eligible student, such as the directory information provision in § 99.31(a)(11) and the provision permitting disclosure in compliance with a court order or lawfully issued subpoena in § 99.31(a)(9).
As we explained in the NPRM, institutions can determine that a parent claims a student as a dependent by asking the parent to submit a copy of the parent's most recent Federal income tax return. However, we do not think it is appropriate to require an agency or institution to rely only on the most recent tax return to determine the student's dependent status because institutions should have flexibility in how to reach this determination. For instance, institutions may rely instead on a student's assertion that he or she is not a dependent unless the parent provides contrary evidence. We agree that financial information on a Federal tax return is sensitive information and, for that reason, in providing technical assistance and compliance training to school officials, we have advised that parents may redact all financial and other unnecessary information that appears on the form, as long as the tax return clearly shows the parent's or parents' names and the fact that the student is claimed as a dependent.
In addition, in the fall of 2007, we developed two model forms that appear on the Department's Family Policy Compliance Office (FPCO or the Office) Web site that institutions may adapt and provide to students at orientation to indicate whether they are a dependent and, if not, obtaining consent from the student for disclosure of information to parents: http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/modelform.html and http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/modelform2.html.
With regard to the comment about high school students who are concurrently enrolled in postsecondary institutions as early as ninth grade, FERPA not only permits those postsecondary institutions to disclose information to parents of the high school students who are dependents for Federal income tax purposes, it also permits high schools and postsecondary institutions who have dually-enrolled students to share information. Where a student is enrolled in both a high school and a postsecondary institution, the two schools may share education records without the consent of either the parents or the student under § 99.34(b). If the student is under 18, the parents still retain the right under FERPA to inspect and review any education records maintained by the high school, including records that the college or university disclosed to the high school, even though the student is also attending the postsecondary institution.
Changes: None.
Outsourcing (§ 99.31(a)(1)(i)(B))
(a) Outside Parties Who Qualify as School Officials
Comment: A few commenters disagreed with the proposal to expand the “school officials” exception in § 99.31(a)(1)(i)(B) to include contractors, consultants, volunteers, and other outside parties to whom an educational agency or institution has outsourced institutional services or functions it would otherwise use employees to perform. They believed that the modifications undermined the plain language of the statute and congressional intent. Several other commenters supported the proposed regulations, saying that it was helpful to include in the regulations what has historically been the Department's interpretation of the “school officials” exception. A majority of commenters, while not agreeing or disagreeing with the proposed changes in § 99.31(a)(1)(i)(B), raised a number of issues concerning the proposal.
Several commenters expressed concern that the requirement that an outside party must perform an institutional service or function for which the agency or institution would otherwise use employees is too restrictive and impractical. One commenter noted that some functions that a contractor performs could not be performed by a school official.
Some commenters said we should clarify the regulations to explain the circumstances under which volunteers may serve as school officials and have access to personally identifiable information from education records in connection with their services or responsibilities to the school. One commenter noted that this clarification was needed especially for parent-volunteers working at a school attended by their own children where they are likely to know other students and their families.
Several commenters asked that we clarify in the regulations that § 99.31(a)(1) also applies to school transportation officials, school bus drivers, and school bus attendants who need access to education records in order to safely and efficiently transport students. Another commenter asked for clarification whether, under the proposed regulations, practicum students, fieldwork students, and unpaid interns in schools would be considered “school officials.” One commenter asked whether § 99.31(a)(1) permits outsourced medical providers to be considered “school officials.”
One commenter asked how proposed § 99.31(a)(1) would apply to parties other than educational agencies and institutions. The commenter was concerned about permitting SEAs to disclose personally identifiable information to outside parties under § 99.31(a)(1)(i)(B) because SEAs are not subject to § 99.7, which requires educational agencies and institutions to annually notify parents and eligible students of their rights under FERPA, including a specific requirement in § 99.7(a)(3)(iii) that an educational agency or institution that has a policy of disclosing information under § 99.31(a)(1) must include in its annual notice a specification of criteria for determining who constitutes a school official and what constitutes a legitimate educational interest. A number of commenters requested clarification about the applicability of § 99.31(a)(1)(i)(B) to State authorities that operate State longitudinal data systems that maintain records of local educational agencies (LEAs) or institutions and are responsible for certain reporting requirements under the No Child Left Behind Act. Some of these commenters believe that State authorities operating these systems are “school officials” under § 99.31(a)(1) who should be able to disclose education records for the purpose of outsourcing under § 99.31(a)(1)(i)(B).
One commenter recommended that the regulations permit the disclosure of education records to non-educational State agencies for evaluation purposes under § 99.31(a)(1). Another commenter asked that we revise the regulations to permit representatives of the Centers for Disease Control and Prevention to access education records for the purpose of public health surveillance under the “school officials” exception.
Another commenter requested further guidance on how § 99.31(a)(1) would apply to local law enforcement officers who work in collaboration with schools in various capacities and whether education records could be shared with these officers in order to ensure safe campuses.
Discussion: The Secretary does not agree that the proposed changes to § 99.31(a)(1) go beyond the plain reading of the statute and congressional intent. As we explained in the NPRM, FERPA's broad definition of education records includes records that are maintained by “a person acting for” an educational agency or institution. 20 U.S.C. 1232g(a)(4)(A)(ii); see 34 CFR 99.3. (In floor remarks describing the meaning of the definition of education records, Senators James Buckley and Claiborne Pell, principal sponsors of the December 1974 FERPA amendments, specifically referred to materials that are maintained by a school “or by one of its agents.” See “Joint Statement in Explanation of Buckley/Pell Amendment” (Joint Statement), 120 Cong. Rec. S21488 (Dec. 13, 1974).) Although the Secretary is concerned that educational agencies and institutions not misapply § 99.31(a)(1), the changes to the regulations are necessary to clarify the scope of the “school officials” exception in FERPA.
We disagree with commenters that the requirement in § 99.31(a)(1)(i)(B)(1) that the outside party must perform an institutional service or function for which the agency or institution would otherwise use employees is too restrictive or unworkable. The requirement serves to ensure that the “school officials” exception does not expand into a general exception to the consent requirement in FERPA that would allow disclosure any time a vendor or other outside party wants access to education records to provide a product or service to schools, parents, and students. As explained in the preceding paragraphs and in the NPRM, 73 FR 15578-15579, the statutory basis for expanding the “school officials” exception to outside service providers is that they are “acting for” the agency or institution, not selling products and services. This means, for example, that a school may not use the “school officials” exception to disclose personally identifiable information from a student's education record, such as the student's SSN or student ID number, without consent, to an insurance company that wishes to offer students a discount on auto insurance because the school is not outsourcing an institutional service or function for which it would otherwise use its own employees.
Further, the requirement that the outside party must be performing services or functions an employee would otherwise perform does not mean that a school employee must be able to perform the outsourced service in order for the outside party to be considered a school official under § 99.31(a)(1)(i)(B)(1). For example, many school districts outsource their legal services on an as-needed basis. Even though these school districts may have never hired an attorney as an employee, they may still disclose personally identifiable information from education records to outside legal counsel to whom they have outsourced their legal services. FERPA does not otherwise restrict whether a school may outsource institutional services and functions; it only addresses to whom and under what conditions personally identifiable information from students' education records may be disclosed.
Once a school has determined that an outside party is a “school official” with a “legitimate educational interest” in viewing certain education records, that party may have access to the education records, without consent, in order to perform the required institutional services and functions for the school. These outside parties may include parents and other volunteers who assist schools in various capacities, such as serving on official committees, serving as teachers' aides, and working in administrative offices, where they need access to students' education records to perform their duties.
The disclosure of education records under any of the conditions listed in § 99.31, including the “school officials” exception, is permissive and not required. (Only parents and eligible students have a right under FERPA to inspect and review their education records.) Therefore, schools should always use good judgment in determining the extent to which volunteers, as well as other school officials, need to have access to education records and to ensure that school officials, including volunteers, do not improperly disclose information from students' education records.
We decline to adopt commenters' suggestion that we include in § 99.31(a)(1)(i)(B) a list of the types of parties who may serve as school officials and receive personally identifiable information from education records in connection with the institutional services and functions outsourced by the school. We think it would be impossible to provide a comprehensive listing and believe that agencies and institutions are in the best position to make these determinations. At the discretion of a school, school officials may include school transportation officials (including bus drivers), school nurses, practicum and fieldwork students, unpaid interns, consultants, contractors, volunteers, and other outside parties providing institutional services and performing institutional functions, provided that each of the requirements in § 99.31(a)(1)(i)(B) has been met.
Under § 99.31(a)(1), a university could outsource the practical training of students. The information disclosed to the hospital, clinic, or business conducting the practical training may only be used for the purposes for which it was disclosed. In the NPRM, we discuss in more detail the types of services and functions covered under § 99.31(a)(1)(i)(B). (73 FR 15578-15580.)
In response to the comment about the applicability of § 99.31(a)(1)(i)(B) to State educational authorities that operate State longitudinal data systems, such officials are not “school officials” under FERPA. Rather, these officials are generally considered authorized representatives of a State educational authority, and LEAs typically disclose information from students' education records to a longitudinal data system maintained by an SEA or other State educational authorities under the exception to the consent requirement for disclosures to authorized representatives of State and local educational authorities, § 99.31(a)(3)(iv), not the “school officials” exception. This issue is explained in more detail elsewhere in this preamble under Educational research (§§ 99.31(a)(6), 99.31(a)(3)). We also discuss disclosures to non-educational agencies, such as to public health agencies, in the section of this preamble entitled Disclosure of Education Records to Non-Educational Agencies.
Members of a school's law enforcement unit, as defined in § 99.8 of the regulations, who are employed by the agency or institution qualify as school officials under § 99.31(a)(1)(i)(A) if the school has complied with the notification requirements in § 99.7(a)(3)(iii). As school officials, they may be given access to personally identifiable information from those students' education records in which the school has determined they have legitimate educational interests. The school's law enforcement unit must protect the privacy of education records it receives and may disclose them only with consent or under one of the exceptions to consent listed in § 99.31. For that reason, it is advisable that officials of a law enforcement unit maintain education records separately from law enforcement unit records, which are not subject to FERPA requirements. As we explained in Balancing Student Privacy and School Safety: A Guide to the Family Educational Rights and Privacy Act for Elementary and Secondary Schools, investigative reports and other records created by an institution's law enforcement unit are excluded from the definition of education records under § 99.3 and, therefore, are not subject to FERPA requirements. Accordingly, schools may disclose information from law enforcement unit records to anyone, including local police and other outside law enforcement authorities, without consent. This brochure can be found on FPCO's “Safe Schools FERPA” Web page: http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/index.html.
Outside police officers or other non-employees to whom the school has outsourced its safety and security functions do not qualify as “school officials” under FERPA unless they meet each of the requirements of § 99.31(a)(1)(i)(B). If these police officers or other outside parties do not meet the requirements for being a school official under FERPA, they may not have access to students' education records without consent, unless there is a health or safety emergency, a lawfully issued subpoena or court order, or some other exception to FERPA's general consent requirement under which the disclosure falls.
With respect to our amendment to the “school officials” exception, we note that § 99.32(d) excludes from the recordation requirements disclosures of education records that educational agencies and institutions make to school officials. This exclusion from the recordation requirement will apply as well to disclosures to contractors, consultants, volunteers, and other outside parties to whom an agency or institution discloses education records under § 99.31(a)(1)(i)(B). The Department has long recognized that FERPA does not prevent schools from outsourcing institutional services and functions; to require schools to record disclosures to these outside parties serving as school officials would be overly burdensome and unworkable.
An educational agency or institution that complies with the notification requirements in § 99.7(a)(3)(iii) by specifying its policy regarding the disclosure of education records to contractors and other outside parties serving as school officials provides legally sufficient notice to parents and students regarding these disclosures. We have posted model notifications on our Web site, one for postsecondary institutions and one for LEAs. See http://www.ed.gov/policy/gen/guid/fpco/ferpa/ps-officials.html and http://www.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html.
Changes: None.
(b) Direct Control
Comment: Some commenters asked the Department to clarify what the term “direct control” means as used in § 99.31(a)(1)(i)(B)(2). This section provides that in order to be considered a “school official” an outside party must be under the direct control of the agency or institution. Some commenters asked if this term means that the school must monitor the operations of the outside party, and how it affects an agency's or institution's relationship with subcontractors or third- or fourth-party database hosting companies. One commenter stated that the regulations should not distinguish between whether the education records are hosted in a vendor's offsite network or within the institution's local network servers, while another commenter asked for clarification of how § 99.31(a)(1)(i)(B) applies to outsourcing electronic mail (e-mail) services to third parties such as Microsoft or Google.
One commenter stated that institutions should be required to verify that parties to whom they outsource services have the necessary resources to safeguard education records provided to them.
A commenter suggested that, instead of the proposed “direct control” standard, the Department adopt language similar to the safeguarding standard found in the Gramm-Leach-Bliley Act (GLB) (Pub. L. 106-102, November 12, 1999). The commenter suggested that, as adapted in FERPA, the standard would require that for an outside party, acting on behalf of an educational institution, to be considered a “school official,” the institution would have to: (1) Take reasonable steps to select and retain contractors, consultants, volunteers, or other outside parties that are capable of maintaining appropriate safeguards with respect to education records; and (2) mandate by contract that the outside party implement and maintain such safeguards.
Discussion: The term “direct control” in § 99.31(a)(1)(i)(B)(2) is intended to ensure that an educational agency or institution does not disclose education records to an outside service provider unless it can control that party's maintenance, use, and redisclosure of education records. This could mean, for example, requiring a contractor to maintain education records in a particular manner and to make them available to parents upon request. We are revising the regulations, however, to provide this clarification.
Neither the statute nor the FERPA regulations specifically requires that educational agencies and institutions verify that outside parties to whom schools outsource services have the necessary resources to safeguard education records provided to them. However, as discussed in the NPRM, educational agencies and institutions are responsible under FERPA for ensuring that they themselves do not have a policy or practice of releasing, permitting the release of, or providing access to personally identifiable information from education records, except in accordance with FERPA. This includes ensuring that outside parties that provide institutional services or functions as “school officials” under § 99.31(a)(1)(i)(B) do not maintain, use, or redisclose education records except as directed by the agency or institution that disclosed the information.
The “direct control” requirement is intended to apply only to the outside party's provision of specific institutional services or functions that have been outsourced and the education records provided to that outside party to perform the services or function. It is not intended to affect an outside service provider's status as an independent contractor or render that party an employee under State or Federal law.
We believe that the use of the “direct control” standard strikes an appropriate balance in identifying the necessary and proper relationship between the school and its outside parties that are serving as “school officials.” The recommendation that we adopt a standard more closely aligned with the GLB standard does not appear workable, especially with regard to requiring that schools enter into formal contracts with each outside party performing services, including parent-volunteers. However, one way in which schools can ensure that parties understand their responsibilities under FERPA with respect to education records is to clearly describe those responsibilities in a written agreement or contract.
Exercising direct control could prove more challenging in some situations than in others. Schools outsourcing information technology services, such as web-based and e-mail services, should make clear in their service agreements or contracts that the outside party may not use or allow access to personally identifiable information from education records, except in accordance with the requirements established by the educational agency or institution that discloses the information.
Changes: We have revised § 99.31(a)(1)(B)(2) to clarify that the outside party must be under the direct control of the agency or institution with respect to the use and maintenance of information from education records.
(c) Protection of Records by Outside Parties Serving as School Officials
Comment: We received several comments on proposed § 99.31(a)(1)(i)(B)(3), which provides that an outside party serving as a “school official” is subject to the requirement in § 99.33(a), regarding the use and redisclosure of personally identifiable information from education records. One commenter stated that, while he supported and welcomed this clarification, the proposed regulations did not go far enough to clarify that these outside third parties could not use education records of multiple institutions for which they serve as a contractor to engage in activities not associated with the service or function they were providing.
Some commenters suggested that the regulations should require all school officials who handle education records, including parties to whom institutional services and functions are outsourced, to participate in annual training and to undergo fingerprint and background investigations.
Another commenter stated that any disclosures associated with the outsourcing of institutional services and functions should include a record that will serve as an audit trail. The commenter noted that both the Health Insurance Portability and Accountability Act (HIPAA) and the Privacy Act of 1974 require the maintenance of audit trails or an accounting of disclosures of records.
Discussion: An agency or institution must ensure that an outside party providing institutional services or functions does not use or allow access to education records except in strict accordance with the requirements established by the educational agency or institution that discloses the information. Section 99.33(a)(2) of the FERPA regulations applies to employees and outside service providers alike and prohibits the recipient from using education records for any purpose other than the purposes for which the disclosure was made. This includes ensuring that outside parties do not use education records in their possession for purposes other than those specified by the institution that disclosed the records.
FERPA does not specifically require that educational agencies and institutions provide annual training to school officials that handle education records, and we decline to establish such a requirement in these regulations. Educational agencies and institutions should have flexibility in determining the best way to ensure that school officials are made aware of the requirements of FERPA. However, for entities subject to the Individuals with Disabilities Education Act (IDEA), 34 CFR 300.623(c) provides that all persons collecting or using personally identifiable information must receive training or instruction regarding their State's policies and procedures under 34 CFR 300.123 (Confidentiality of personally identifiable information) and 34 CFR Part 99, the FERPA regulations. We note that while schools are certainly free to implement a policy requiring school officials and parties to whom services have been outsourced to undergo fingerprint and background investigations, there is no statutory authority in FERPA to include such a requirement in the regulations.
We note also that the Department routinely provides compliance training on FERPA for school officials. Typically, presentations are made throughout the year to national, regional, or State educational association conference workshops with numerous institutions in attendance. Training sessions are also scheduled for State departments of education and local school districts in the vicinity of any conference.
For a discussion of the comment that recommended that the regulations require that schools maintain an audit trail or an accounting of disclosures to school officials, including outside providers, see the discussion under the following section entitled Control of Access to Education Records by School Officials.
Changes: None.
Control of Access to Education Records by School Officials (§ 99.31(a)(1)(ii))
Comment: Many commenters supported proposed § 99.31(a)(1)(ii), which requires an educational agency or institution to use reasonable methods to ensure that school officials have access to only those education records in which the official has a legitimate educational interest. In this section, we also proposed that an educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the “legitimate educational interest” requirement.
One commenter who supported the proposed regulations expressed concern that not all districts and institutions have the financial or technological resources to create or purchase an electronic system that provides fully automated access control and that an institution using only administrative controls would be required to demonstrate that each school official who accessed education records possessed a legitimate educational interest in the education records to which the official gained access. According to the commenter, the regulations seem to omit the “reasonable methods” concept for those schools that utilize administrative controls rather than physical or technological controls. The commenter was concerned that smaller schools that lack resources to create or purchase a system that fully monitors record access would be disadvantaged by having to meet a higher standard of ensuring a legitimate educational interest on the part of the school officials that access the records.
One commenter expressed concern that the standard in § 99.31(a)(1)(ii) is too restrictive and asked whether the Department would use flexibility and deference in taking into consideration an institution's efforts in compliance with the requirement.
Another commenter requested that we include in the regulations a requirement that contractors hosting data at offsite locations must institute effective access control measures. The commenter stated that many schools and contractors are uncertain as to whether the school or the contractor is responsible for ensuring that access controls are applied to data hosted by contractors.
One commenter stated that the regulations created an unnecessary burden, as school districts already do their best to comply with FERPA and an occasional mistake should be excused. The commenter, however, was pleased that the regulations do not require the use of technological controls. The commenter was concerned that schools are unable to pre-assign risk levels to categories of records in order to determine appropriate methods to mitigate improper access. The commenter supported the use of effective administrative controls as determined by a district to ensure that information is available only to those with a legitimate educational interest.
One commenter expressed concern that the requirement to use reasonable methods to ensure appropriate access was not sufficiently restrictive, because under the regulations, all volunteers would be designated as school officials. The commenter believed that the regulations would enable volunteers to gain access more easily to confidential and sensitive information in education records.
A commenter who is a parent of a special education student also expressed concern that the language in the regulations was not adequate. The commenter described a software package used by her district that permits all school officials unrestricted access to the IEPs of all special education students.
Discussion: Section 99.30 requires that a parent or eligible student provide written consent for a disclosure of personally identifiable information from education records unless the circumstances meet one of the exceptions to consent, such as the release of information to a school official with a legitimate educational interest. Thus, a district or institution that makes a disclosure solely on the basis that the individual is a school official violates FERPA if it does not also determine that the school official has a legitimate educational interest. The regulations in § 99.31(a)(1)(ii) are designed to clarify the responsibility of the educational agency or institution to ensure that access to education records by school officials is limited to circumstances in which the school official possesses a legitimate educational interest.
We believe that the standard of “reasonable methods” is sufficiently flexible to permit each educational agency or institution to select the proper balance of physical, technological, and administrative controls to effectively prevent unauthorized access to education records, based on their resources and needs. In order to establish a system driven by physical or technological access controls, a school would generally first determine when a school official has a legitimate educational interest in education records and then determine which physical or technological access controls are necessary to ensure that the official can access only those records. The regulations require a school that uses only administrative controls to ensure that its administrative policy for controlling access to education records is effective and that the school is in compliance with the legitimate educational interest requirement in § 99.31(a)(1)(i)(A). However, the “reasonable methods” standard applies whether the control is physical, technological, or administrative.
The regulations permit the use of a variety of methods to protect education records, in whatever format, from improper access. The Department expects that educational agencies and institutions will generally make appropriate choices in designing records access controls, but the Department reserves the right to evaluate the effectiveness of those efforts in meeting statutory and regulatory requirements.
The additional language that one commenter requested concerning outsourcing is already included in the regulations in § 99.31(a)(1). That section specifically provides that contractors are subject to the same conditions governing the access and use of records that apply to other school officials. As long as those conditions are met, the physical location in which the contractor provides the service is not relevant.
Because the regulations permit the use of a variety of methods to effectively reduce the risk of unauthorized access to education records, we do not believe the requirement to establish “reasonable methods” for controlling access is unduly burdensome. Schools have the flexibility to decide the method or methods best suited to their own circumstances. For the many schools, districts, and institutions that already meet the standard, no operational changes should be necessary.
The regulations do not designate all volunteers as school officials. Rather, the regulations clarify that schools may designate volunteers as school officials who may be provided access to education records only when the volunteer has a legitimate educational interest. Schools can and should carefully assess and limit access by any school official, including volunteers. This issue is discussed in more detail previously in this preamble under the section entitled Outsourcing.
With regard to the parent who expressed concern that the language in the regulations was not adequate to address the problem of software that permits all school officials to access the IEPs of all special education students, we believe that the language in § 99.31(a)(1)(ii) is sufficient. As previously noted, FERPA prohibits school officials from having access to education records unless they have a legitimate educational interest. The commenter's point illustrates the need for educational agencies and institutions to ensure that adequate controls are in place to restrict access to education records only to a school official with a legitimate educational interest.
Changes: None.
Transfer of Education Records to Student's New School (§§ 99.31(a)(2) and 99.34(a))
Comment: All of the comments we received on proposed §§ 99.31(a)(2) and 99.34(a) supported the clarification that an educational agency or institution may disclose a student's education records to officials of another school, school system, or institution of postsecondary education not just when the student seeks or intends to enroll, but after the student is already enrolled, so long as the disclosure is for purposes related to the student's enrollment or transfer. Some commenters noted that this clarification reduces legal uncertainty about how long a school may continue to send records or information to a student's new school; other commenters noted that this clarification will be helpful in serving students who are homeless or in foster care because these students are often already enrolled in a new school system while waiting for records from a previous enrollment.
A few commenters asked us to clarify the requirement that the disclosure must be for purposes related to the student's enrollment or transfer. The commenters asked whether this meant that only records specifically related to the new school's decision to admit the student or records related to the transfer of course credit could be disclosed, or whether the agency or institution could also disclose information about previously undisclosed disciplinary actions related to the student's ongoing attendance at the new institution. One commenter suggested that we remove the requirement that the disclosure must be for purposes of the student's enrollment or transfer because it was confusing and unnecessary. Some commenters asked the Department to provide guidance about the types of records that may be sent under the regulations to a student's new school, noting that the preamble to the NPRM stated that the regulations allow school officials to disclose any and all education records, including health and disciplinary records, to the new school (73 FR 15581).
One commenter asked us to clarify that any school, not just the school the student attended most recently, may disclose information from education records to the institution that the student currently attends. Another commenter asked whether the amended regulations would permit the disclosure of education records to an institution in which a student seeks information or services but not enrollment, such as when a charter school student requests an evaluation under the IDEA from the student's home school district.
Two commenters asked whether mental health and other treatment records of postsecondary students, which are excluded from the definition of education records under FERPA, could be disclosed to the new school. Other commenters asked whether FERPA places any limits on the transfer of information about student disciplinary actions to colleges and universities and what information a postsecondary institution may ask for and receive regarding a student's disciplinary actions. A few commenters asked us to address the relationship between these regulations and guidance issued by the Department's Office for Civil Rights (OCR) prohibiting the pre-admission release of information about a student's disability under section 504 of the Rehabilitation Act of 1973, as amended, and Title II of the Americans with Disabilities Act of 1990, as amended.
Discussion: The regulations are intended to eliminate uncertainty about whether, under § 99.31(a)(2), an educational agency or institution may send education records to a student's new school even after the student is already enrolled and attending the new school. The requirement that the disclosure must be for purposes related to the student's enrollment or transfer is not intended to limit the kind of records that may be disclosed under this exception. Instead, the regulations are intended to clarify that, after a student has already enrolled in a new school, the student's former school may disclose any records or information, including health records and information about disciplinary proceedings, that it could have disclosed when the student was seeking or intending to enroll in the new school.
These regulations apply to any school that a student previously attended, not just the school that the student attended most recently. For example, under § 99.31(a)(2), a student's high school may send education records directly to a graduate school in which the student seeks admission, or is already enrolled. Section 99.34(b), which explains the conditions that apply to the disclosure of information to officials of another school, school system, or postsecondary institution, allows a public charter school or other agency or institution to disclose the education records of one of its students in attendance to the student's home school district if the student receives or seeks to receive services from the home school district, including an evaluation under the IDEA. We note, however, that the confidentiality of information regulations under Part B of the IDEA contain additional consent requirements that may also apply in these circumstances.
Under section 444(a)(4)(B)(iv) of FERPA, 20 U.S.C. 1232g(a)(4)(B)(iv), medical and psychological treatment records of eligible students are excluded from the definition of education records if they are made, maintained, and used only in connection with treatment of the student and disclosed only to individuals providing the treatment, including treatment providers at the student's new school. (While the comment concerned records of postsecondary students, we note that the treatment records exception to the definition of education records applies also to any student who is 18 years of age or older, including 18 year old high school students.) An educational agency or institution may disclose an eligible student's treatment records to the student's new school for purposes other than treatment provided that the records are disclosed under one of the exceptions to written consent under § 99.31(a), including § 99.31(a)(2), or with the student's written consent under § 99.30. If an educational agency or institution discloses an eligible student's treatment records for purposes other than treatment, the treatment records are no longer excluded from the definition of education records and are subject to all other FERPA requirements, including the right of the eligible student to inspect and review the records and to seek to have them amended under certain conditions. In practical terms, this means that an agency or institution may disclose an eligible student's treatment records to the student's new school either with the student's written consent, or under one of the exceptions in § 99.31(a), including § 99.31(a)(2), which permits disclosure to a school where a student seeks or intends to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student's enrollment or transfer.
FERPA does not contain any particular restrictions on the disclosure of a student's disciplinary records. Further, Congress has enacted legislation to ensure that schools transfer disciplinary records to a student's new school in certain circumstances. In particular, section 444(h) of the statute, 20 U.S.C. 1232g(h), and the implementing regulations in § 99.36(b) provide that nothing in FERPA prevents an educational agency or institution from including in a student's records and disclosing to teachers and school officials, including those in other schools, appropriate information about disciplinary actions taken against the student for conduct that posed a significant risk to the safety or well-being of that student, other students, or other members of the school community. This authority is in addition to any other authority in FERPA for the disclosure of education records without consent, including the authority under § 99.36(a) to disclose education records in connection with a health or safety emergency. In addition, section 4155 of the Elementary and Secondary Education Act of 1965 (ESEA), 20 U.S.C. 7165, as amended by the No Child Left Behind Act of 2001 (NCLB), requires a State that receives funds under the ESEA to have a procedure in place to facilitate the transfer of disciplinary records, with respect to a suspension or expulsion, by LEAs to any private or public elementary school or secondary school for any student who is enrolled or seeks, intends, or is instructed to enroll, on a full- or part-time basis, in the school.
There are, however, other Federal laws, such as the IDEA, section 504 of the Rehabilitation Act of 1973, as amended (Rehabilitation Act), and Title II of the Americans with Disabilities Act of 1990, as amended (ADA), with different requirements that may affect the release of student information. For example, educational agencies and institutions that are “public agencies” or “participating agencies” under the IDEA must comply with the requirements in the Part B confidentiality of information regulations. See, e.g., 34 CFR 300.622(b)(2) and (3). By way of further illustration, because educational agencies and institutions receive Federal financial assistance, they must comply with the regulations implementing section 504 of the Rehabilitation Act, which generally prohibit postsecondary institutions from making pre-admission inquiries about an applicant's disability status. See 34 CFR 104.42(b)(4) and (c). However, after admission, in connection with an emergency and if necessary to protect the health or safety of a student or other persons as defined under FERPA and its implementing regulations, section 504 of the Rehabilitation Act and Title II of the ADA do not prohibit postsecondary institutions from obtaining information and education records concerning a current student, including those with disabilities, from any school previously attended by the student. See the discussion in the section entitled Health or Safety Emergency (§ 99.36).
Changes: None.
Ex Parte Court Orders Under the USA Patriot Act (§ 99.31(a)(9))
Comment: Two commenters expressed support for the proposed regulations, which incorporate statutory changes that allow an educational agency or institution to comply with an ex parte court order issued under the USA Patriot Act. One commenter said that it would be helpful to add to the regulations a statement from the preamble to the NPRM that an institution is not responsible for determining the relevance of the information sought or the merits of the underlying claim for the court order.
Several commenters opposed § 99.31(a)(9). One commenter said that the USA Patriot Act is unconstitutional and that its provisions will sunset in 2009. Another commenter said that the regulations harm its ability to preserve the confidentiality of education records, particularly those of foreign students. The commenter asked us to change the regulations to permit institutions to notify students when records are requested, unless the ex parte court order specifically states that the student should not be notified. Another commenter said that schools should be required to notify parents when records are requested and to record the disclosure.
Discussion: The USA Patriot Act amendments to FERPA have not been ruled unconstitutional, and its provisions relevant to FERPA do not sunset in 2009. Therefore, we are implementing these provisions in our regulations at this time.
Under the USA Patriot Act, the U.S. Attorney General, or a designee in a position not lower than an Assistant Attorney General, may apply for an ex parte court order to collect, retain, disseminate, and use certain education records in the possession of an educational agency or institution without regard to any other FERPA requirements, including in particular the recordkeeping requirements. 20 U.S.C. 1232g(j)(3) and (4). The USA Patriot Act amendments to FERPA also provide that an educational agency or institution that complies in good faith with the court order is not liable to any person for producing the information. Nothing in these amendments, including the “good faith” requirement, requires an educational agency or institution to evaluate the underlying merits or legal sufficiency of the court order before disclosing the requested information without consent. As with any court order or subpoena that forms the basis of a disclosure without consent under § 99.31(a)(9), the agency or institution must simply determine whether the ex parte court order is facially valid. We see no reason to include this general requirement in the regulations.
Section 99.31(a)(9)(ii) requires an agency or institution to make a reasonable effort to notify a parent or eligible student of a judicial order or lawfully issued subpoena in advance of compliance, except for certain law enforcement subpoenas if the court has ordered the agency or institution not to disclose the existence or contents of the subpoena or information disclosed. An ex parte order is by definition an order issued without notice to or argument from the other party, including the party whose education records are sought, and the USA Patriot Act amendments provide that the Attorney General may collect and use the records without regard to any FERPA requirements, including the recordation requirements. Under this statutory authority, the regulations properly provide that the agency or institution is not required to notify the parent or eligible student before complying with the order or to record the disclosure.
We do not agree with the commenter's request that we amend the regulations to allow agencies and institutions to notify parents and students and record these disclosures. We note that FERPA does not prohibit an educational agency or institution from notifying a parent or student or recording a disclosure made in compliance with an ex parte court order under the USA Patriot Act. However, an agency or institution that does so may violate the terms of the court order itself and may also fail to meet the good faith requirements in the USA Patriot Act for avoiding liability for the disclosure. We would also recommend that agencies and institutions consult with legal counsel before notifying a parent or student or recording a disclosure of education records made in compliance with an ex parte court order under the USA Patriot Act.
Changes: None.
Registered Sex Offenders (§ 99.31(a)(16))
Comment: One commenter asked for clarification whether the proposed regulations authorizing the disclosure of personally identifiable information from education records concerning registered sex offenders authorize only the disclosure of information that is received from local law enforcement officials, or whether disclosure could also include other information from a student's education records, such as campus of attendance. A second commenter expressed appreciation that the regulations clarify that school districts are not required or encouraged to collect or maintain information on registered sex offenders and that these disclosures are permissible but not required.
Discussion: The Campus Sex Crimes Prevention Act (CSCPA) amendments to FERPA allow educational agencies and institutions to disclose any information concerning registered sex offenders provided to the agency or institution under section 170101 of the Violent Crime Control and Law Enforcement Act of 1994, 42 U.S.C. 14071, commonly known as the Wetterling Act. Since publication of the NPRM, we have determined that the proposed regulations were confusing, because they limited these disclosures to information that was obtained and disclosed by an agency or institution in compliance with a State community notification program. In fact, the CSCPA amendments to FERPA cover any information provided to an educational agency or institution under the Wetterling Act, including not only information provided under general State community notification programs, which are required under subsection (e) of the Wetterling Act, 42 U.S.C. 14071(e), but also information provided under the more specific campus community notification programs for institutions of higher education, which are required under subsection (j), 42 U.S.C. 14071(j).
The Wetterling Act requires States to release relevant information about persons required to register as sex offenders that is necessary to protect the public, including specific State reporting requirements for law enforcement agencies having jurisdiction over institutions of higher education. The exception to the consent requirement in FERPA allows educational agencies and institutions to make available to the school community any information provided to it under the Wetterling Act. We interpret this to also include any additional information about the student that is relevant to the purpose for which the information was provided to the educational agency or institution—protecting the public. This could include, for example, the school or campus at which the student is enrolled.
The proposed regulations included a sentence stating that FERPA does not require or encourage agencies or institutions to collect or maintain information about registered sex offenders. We have determined through further review, however, that this sentence could be confusing and should be removed. Participating institutions are required under section 485(f)(1) of the Higher Education Act of 1965, as amended, 20 U.S.C. 1092(f)(1), to advise the campus community where it may obtain law enforcement agency information provided by the State under 42 U.S.C. 14071(j) concerning registered sex offenders. Further, the Department does not wish to discourage educational agencies and institutions from disclosing relevant information about a registered sex offender in appropriate circumstances.
Changes: We have revised the regulations to remove the reference to the disclosure of information obtained by the educational agency or institution in compliance with a State community notification program. The regulations now simply allow disclosure without consent of any information concerning registered offenders provided to an educational agency or institution under 42 U.S.C. 14071 and applicable Federal guidelines. We also have removed the sentence stating that neither FERPA nor the regulations requires or encourages agencies or institutions to collect or maintain information about registered sex offenders.
Redisclosure of Education Records and Recordkeeping by State and Local Educational Authorities and Federal Officials and Agencies (§§ 99.31(a)(3); 99.32(b); 99.33(b); 99.35(a)(2); 99.35(b))
(a) Redisclosure
Comment: We received a number of comments on the proposed changes in § 99.35(b) that would permit State and local educational authorities and Federal officials and agencies listed in § 99.31(a)(3) to redisclose personally identifiable information from education records on behalf of educational agencies and institutions without parental consent under the existing redisclosure authority in § 99.33(b). (Section 99.33(b) allows an educational agency or institution to disclose personally identifiable information from education records with the understanding that the recipient may make further disclosures of the information on behalf of the agency or institution if the disclosure falls under one of the exceptions in § 99.31(a) and the agency or institution has complied with the recordation requirements in § 99.32(b).) Many commenters said that the proposed change would ease administrative burdens on State and local educational authorities, agencies, and institutions. For example, under the proposed regulations, a student's new school district or institution would be able to obtain the student's prior education records from a single State agency instead of contacting and waiting for records from separate districts or institutions. Commenters noted, however, that certain issues had not been addressed in the proposed regulations and that further clarification was required. Commenters also supported the new redisclosure authority to the extent that it facilitates the exchange of education records among State educational authorities, educational agencies and institutions, and educational researchers through consolidated, statewide systems or separate data sharing arrangements.
Two commenters expressed substantial concerns that the regulations inappropriately expanded the situations in which personally identifiable information could be redisclosed without parental or student consent. One commenter noted that the theoretical benefits of maintaining large, consolidated data systems, which allow users to track individual students over time, do not outweigh the need to protect individual privacy. Another commenter stated that the regulations should not allow State and local educational authorities and the Federal officials and agencies listed in § 99.31(a)(3) to set up and operate record systems containing personally identifiable information that parents and students have no right to review or amend, and may not even know about. Barring the withdrawal of these regulations, these commenters urged the Department to strengthen or at least preserve the safeguards and protections that accompany this new data sharing authority. One commenter asked us to require any State or Federal entity that maintains education records to provide parents and students with annual notification and the right to review and amend the students' records.
Many commenters indicated their strong support for allowing State educational authorities to respond to requests for information from education records and redisclose personally identifiable information, whether for data sharing systems, transferring records to a student's new school, or other purposes authorized under § 99.31(a), without involving school districts and postsecondary institutions. These commenters generally thought that State educational authorities and Federal officials listed in § 99.31(a)(3) should not be required to consult with educational agencies and institutions when redisclosing information from education records. One commenter asked us to clarify the role of the SEA or other State educational authority as the custodian of education records and its authority to act for educational agencies and institutions. Several commenters urged us to revise the regulations to make clear that the redisclosing official is authorized to make further disclosures under § 99.31(a) without approval from, or further consultation with, the original source of the records and maintain the appropriate record related to the redisclosure.
One commenter said that the regulations must allow State educational authorities to transfer records on behalf of LEAs and postsecondary institutions. One commenter strongly supported the changes in § 99.35(b) because they would allow the State McKinney-Vento coordinator to control transfer of education records of abused and homeless students to their new schools and prevent potential abusers from locating the student.
Some commenters believed that current regulations impede the ability of States to establish and operate data sharing systems and that regulatory changes must allow all educational agencies, institutions, SEAs, and other State educational authorities to exchange data among themselves and work with researchers. One commenter recommended that we create a specific exception in § 99.31(a) that would allow data sharing across State educational authorities in order to establish and operate consolidated, longitudinal data systems.
Several commenters asked for clarification of the requirement in § 99.35(a)(2) that authority for an agency or official listed in § 99.31(a)(3) to conduct an audit, evaluation, or compliance or enforcement activity is not conferred by FERPA or the regulations and must be established under other Federal, State, or local law, including valid administrative regulations. One commenter supported data sharing among pre-school, K-12, and postsecondary institutions, provided that appropriate legal authority for the underlying audit, evaluation, or compliance and enforcement activity is established as required under § 99.35(a)(2). One commenter asked whether citation to a specific law or regulations will be required, or whether general State laws that provide joint authority to evaluate programs at all levels are sufficient for parties to enter into data sharing agreements under the regulations.
One commenter indicated that its State has no laws or regulations that specifically allow the State-level advisory council to audit or evaluate education programs, or that allow a K-12 school district to audit or evaluate the programs offered by postsecondary institutions, and vice versa, and the commenter asked whether general authority for these entities to act under State law would be sufficient. Two commenters whose States do not house their K-12 and postsecondary systems within the same agency expressed concern whether they will be able to develop consolidated databases under the regulations if their K-12 and postsecondary agencies do not have appropriate authority to audit or evaluate each other's programs.
Discussion: We continue to believe that State and local educational authorities and Federal officials that receive education records under §§ 99.31(a)(3) and 99.35 should be permitted to redisclose education records on behalf of educational agencies and institutions in accordance with the existing regulations governing the redisclosure of information in § 99.33(b). We agree with the commenters that this change will ease administrative burdens at all levels and facilitate the creation and operation of statewide data sharing systems that support the student achievement, program accountability, transfer of records, and other objectives of Federal and State education programs while protecting the privacy rights of parents and students in students' education records.
We respond first to commenters' concerns about the requirement in § 99.33(b) that any redisclosure of personally identifiable information from education records must be made on behalf of the educational agency or institution that disclosed the information to the receiving party, including any requirement for consulting with or obtaining approval from the educational agency or institution that disclosed the information. The statutory prohibitions on the redisclosure of education records apply to education records that SEAs, State higher educational authorities, the Department, and other Federal officials receive under an exception to the written consent requirement in FERPA, such as §§ 99.31(a)(3) and 99.35 (for audit, evaluation, compliance and enforcement purposes) and § 99.31(a)(4) (for financial aid purposes). As explained in the preamble to the NPRM, § 99.33(b) allows an educational agency or institution to disclose education records with the understanding that the recipient may make further disclosures on its behalf under one of the exceptions in § 99.31 (73 FR 15586-15587). In that case, the disclosing agency or institution must record the names of the additional parties to which the receiving party may redisclose the information on behalf of the educational agency or institution and their legitimate interests under § 99.31.
Under the regulatory framework for redisclosing education records in § 99.33(b), educational agencies and institutions retain primary responsibility for disclosing and authorizing redisclosure of their education records without consent. (We note again that the only disclosures of education records that are mandatory under FERPA are those made to parents and eligible students.) The purpose of § 99.33(b), which allows redisclosure of education records notwithstanding the general statutory restrictions, has always been to ease administrative burdens on educational agencies and institutions that disclose education records. The legal basis for this accommodation is that the recipient is acting “on behalf of” the agency or institution from which it received information from education records and making a further disclosure that the agency or institution would otherwise make itself under § 99.31(a). Section 99.33(b) does not confer on any recipient of education records independent authority to redisclose those records apart from acting “on behalf of” the disclosing educational agency or institution.
The Department recognizes that the State and local educational authorities and Federal officials that receive education records without consent under § 99.31(a)(3) are responsible for supervising and monitoring educational agencies and institutions and that many of them also maintain centralized data systems that constitute a valuable resource of information from education records. The proposed changes to § 99.35(b) would allow these State and Federal authorities and officials to redisclose information received under § 99.31(a)(3) under any of the exceptions in § 99.31(a), including transferring education records to a student's new school under § 99.31(a)(2), sharing information among other State and local educational authorities and Federal officials for audit or evaluation purposes under § 99.31(a)(3), and using researchers to conduct evaluations and studies under § 99.31(a)(3) or § 99.31(a)(6), without violating the statutory prohibitions on redisclosing education records provided certain conditions have been met. In the event that an educational agency or institution objects to the redisclosure of information it has provided, the State or local educational authority or Federal official or agency may rely instead on any independent legal authority it has to further disclose the information.
We agree that current regulations were unclear about the ability of States to establish and operate data sharing systems with educational agencies and institutions, which is why we amended § 99.35(b). As explained in the NPRM (73 FR 15587), §§ 99.35(a)(2) and 99.35(b) allow SEAs, higher education authorities, and educational agencies and institutions, including local school districts and postsecondary institutions, to share education records in personally identifiable form with one another, provided that Federal, State, or local law authorizes the recipient to conduct the audit, evaluation, or compliance or enforcement activity in question. Accordingly, data sharing arrangements among State and local educational authorities and educational agencies and institutions generally must meet these requirements to be permissible under FERPA. (Data sharing with educational researchers is discussed below under Educational research.)
With respect to the comments recommending that we create a specific exception in § 99.31(a) to allow data sharing across State educational authorities in order to establish and operate consolidated, longitudinal data systems and other data sharing arrangements, there is no provision in FERPA that allows disclosure or redisclosure of education records, without consent, for the specific purpose of establishing and operating consolidated databases and data sharing systems, and, therefore, we are without authority to establish one in these regulations.
In response to the questions concerning the need for Federal, State, or local legal authority to disclose education records for audit or evaluation purposes, we note that, in general, FERPA allows educational agencies and institutions to disclose (and authorized recipients to redisclose) education records without consent in accordance with the exceptions listed in § 99.31(a), including for audit or evaluation purposes under §§ 99.31(a)(3) and 99.35. It does not, however, provide the underlying authority for individuals and organizations to conduct the various activities that may allow them to receive education records without consent under these exceptions. For example, § 99.31(a)(7) does not authorize an organization to accredit educational institutions; it allows educational institutions to disclose personally identifiable information from education records, without consent, to an organization to carry out its accrediting functions. If that organization is not, in fact, an accreditation authority for that particular institution, then disclosure under § 99.31(a)(7) is invalid and violates FERPA. Likewise, § 99.31(a)(9) does not authorize a court or Federal grand jury to issue an order or subpoena; it allows an educational agency or institution to comply with a facially valid order or subpoena, without consent.
We added the requirement in § 99.35(a)(2) that the recipient have authority under Federal, State, or local law to conduct the activity for which the disclosure was made because there was significant confusion in the educational community about who may receive education records without consent for audit and evaluation purposes under § 99.35. For example, in 2005 the Pennsylvania Department of Education (PDOE) asked the Department whether, in the absence of parental consent, a charter school LEA responsible under State law for providing a free appropriate public education to students with disabilities enrolled in the charter school could send the local school district of residence the IEP of each student with a disability. The school districts of residence claimed that they needed this information to substantiate the charter school's invoices for higher payments based on the student's special education status under the IDEA.
Our January 2006 response to PDOE explained that in order to meet the requirements for disclosure of education records under §§ 99.31(a)(3) and 99.35, Federal, State, or local law (including valid administrative regulations) must authorize the relevant State or local educational authority to conduct the audit, evaluation, or compliance or enforcement activity in question. In particular, we noted that charter schools in Pennsylvania could disclose the IEP cover sheet under §§ 99.31(a)(3) and 99.35 of the regulations if the State law in question authorized a local school district to “audit or evaluate” a charter school's request for payment of State funds at the special education rate and the school district needed personally identifiable information for that purpose, and that we would defer to the State Attorney General's interpretation of State law on the matter. We also explained that there appeared to be no legal authority that would allow charter schools in the State to disclose a student's entire IEP to the resident school district, as requested by the resident school districts.
The Department has always interpreted §§ 99.31(a)(3) and 99.35 to allow educational agencies and institutions to disclose personally identifiable information from education records to the SEA or State higher education board or commission responsible for their supervision based on the understanding that those entities are authorized to audit or evaluate (or enforce Federal legal requirements related to) the education programs provided by the agencies and institutions whose records are disclosed. Under this reasoning, a K-12 school district (LEA) may disclose personally identifiable information from education records to another LEA, or to a State higher education board or commission, without consent, if that LEA, board, or commission has legal authority to conduct the audit, evaluation, or compliance or enforcement activity with regard to the disclosing district's programs. States do not have to house their K-12 or P-12 and postsecondary systems within the same agency in order to take advantage of this provision. However, they may need to review and modify the supervisory and oversight responsibilities of various State and local educational authorities to ensure that there is valid legal authority for LEAs, postsecondary institutions, SEAs, and higher education authorities to disclose or redisclose personally identifiable information from education records to one another under § 99.35(a) before information is released.
It is not our intention in § 99.35(a)(2) to require educational agencies and institutions and other parties to identify specific statutory authority before they disclose or redisclose education records for audit or evaluation purposes but to ensure that some local, State, or Federal legal authority exists for the audit or evaluation, including for example an Executive Order or administrative regulation. The Department encourages State and local educational authorities and educational agencies and institutions to seek guidance from their State attorney general on their legal authority to conduct a particular audit or evaluation. The Department may also provide additional guidance, as appropriate.
Changes: None.
(b) Recordation Requirements
Comment: In the NPRM, 73 FR 15587, we invited public comment on whether an SEA, the Department, or other official or agency listed in § 99.31(a)(3) should be allowed to maintain the record of the redisclosures it makes on behalf of an educational agency or institution as a means of relieving any administrative burdens associated with recording disclosures of education records. One commenter urged the Department not to delegate responsibility for recordkeeping to State and local educational authorities and Federal agencies and officials that redisclose education records under § 99.33(b). Another said that if a State or local educational authority or Federal agency or official rediscloses information “on behalf of” an educational agency or institution under § 99.35(b), these further disclosures should be included in the student's record at the educational agency or institution. All other comments on this issue supported revising the regulations to allow State and local educational authorities and Federal officials and agencies listed in § 99.31(a)(3) to record any redisclosures they make under § 99.33(b).
Several commenters suggested that the recordation requirements in § 99.32(b) would place an undue burden on State and local officials when State educational authorities redisclose education records because the State authority would need to return to each original source of the records to record the redisclosure. Some commenters noted that compliance with § 99.32(b) is practically impossible if an LEA or postsecondary institution is required to record all authorized redisclosures at the time of the initial disclosure of information to the State or Federal authority. Two commenters suggested that we eliminate the recordation problem by redefining the term disclosure so that it does not include disclosing information under § 99.31(a)(3) for audit, evaluation, or compliance and enforcement purposes. Another commenter suggested that we define “educational agency or institution” to include State educational authorities so that disclosures to State educational authorities would not be considered a disclosure under FERPA.
One commenter said that the regulations should permit State educational authorities to record redisclosures as they are made and without having to identify each student by name. Another commenter asked for clarification whether the recordation requirements apply to redisclosures that SEAs make to education researchers and other parties that are not authorized to make any further disclosures, and what level of detail is required in the record regarding who accessed the data and what specific information was viewed.
One commenter stated that if State educational authorities and Federal officials are authorized to record their own redisclosures of information, then the educational agency or institution should be required to retrieve these records in response to a request to review education records by parents and eligible students who would otherwise not know about the redisclosures. Other commenters suggested that the State educational authority or Federal official could either make the redisclosure record available directly to parents and students or send it to the LEA or postsecondary institution for this purpose.
Discussion: We agree with commenters that in order to facilitate the operation of State data systems and ease administrative burdens on all parties, the regulations should allow State educational authorities and Federal officials and agencies to record further disclosures they make on behalf of educational agencies and institutions under § 99.33(b). We are revising the provisions of § 99.32 to address commenters' concerns and ensure that these changes will not expand the redisclosure authority of a State or local educational authority or Federal official or agency under § 99.35(b) and that parents and students will have notice of and access to any State or Federal record of further disclosures that is created.
In response to the commenter's suggestion that we define “educational agency or institution” and the term disclosure to address recordation issues associated with the new redisclosure authority in § 99.35(b), we note that an educational agency or institution is required by statute to maintain with each student's education records a record of each request for access to and each disclosure of personally identifiable information from the education records of the student, including the parties who have requested or received information and their legitimate interests in the information. 20 U.S.C. 1232g(b)(4)(A); 34 CFR 99.32(a). This includes each disclosure of personally identifiable information from education records that an educational agency or institution makes to an SEA or other State educational authority and to Federal officials and agencies, including the Department, for audit, evaluation, or compliance and enforcement purposes under §§ 99.31(a)(3) and 99.35, and under most other FERPA exceptions, such as the financial aid exception in § 99.31(a)(4). (Regulatory exceptions to the statutory recordation requirements, which are set forth in § 99.32(d), cover disclosures that a parent or eligible student would generally know about without the recordation or for which notice is prohibited under court order; the exceptions do not include disclosures made to parties outside the agency or institution for audit, evaluation, or compliance and enforcement purposes.)
An educational agency or institution is required under FERPA to record its disclosures of personally identifiable information from education records even when it discloses information to another educational agency or institution, such as occurs under § 99.31(a)(2) when a school district transfers education records to a student's new school. See 20 U.S.C. 1232g(b)(4)(A); 34 CFR 99.32(a). Therefore, even if a State educational authority were considered an “educational agency or institution” under § 99.1, a school district or postsecondary institution would still be required to record its own disclosures to that State educational authority; defining a State educational authority as an educational agency or institution would not eliminate this requirement. Therefore, a school district or postsecondary institution is required to record its disclosures to any State educational authority.
The term disclosure is defined in § 99.3 to mean to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records to any party, by any means, including oral, written, or electronic means. This includes releasing or making a student's education records available to school officials within the agency or institution, for which an exception to the consent requirement exists under § 99.31(a)(1). We see no legal basis for redefining the term disclosure to exclude the release of personally identifiable information to third parties outside the educational agency or institution under the audit, evaluation, or compliance and enforcement exception to the consent requirement in §§ 99.31(a)(3) and 99.35.
With regard to the level of detail required in the record of redisclosures, current § 99.32(b) requires an educational agency or institution to record the “names of the additional parties to which the receiving party may disclose the information” on its behalf and their legitimate interests under § 99.31. This means the name of the individual (if an organization is not involved) or the organization and the exception under § 99.31(a) that would allow the redisclosure to be made without consent. Under current § 99.33(a)(2), the officers, employees, and agents of a party that receives information from education records may use the information for the purposes for which the disclosure was made without violating the limitations on redisclosure in § 99.33(a)(1). Therefore, we interpret the recordation requirement in § 99.32(b) to mean that an educational agency or institution may record the name of an organization, including a research organization, to which a recipient may make further disclosures under § 99.33(b) and is not required to record the name of each individual within the organization who is authorized to use that information in accordance with § 99.33(a)(2).
We also recognize that sometimes an educational agency or institution does not know at the time of its disclosure of education records that the receiving party may wish to make further disclosures on its behalf. Therefore, we interpret § 99.32(b) to allow a receiving party to ask an educational agency or institution to record further disclosures made on its behalf after the initial receipt of the records or information.
These same policies apply to further disclosures made by State and local educational authorities and Federal officials listed in § 99.31(a)(3) that redisclose information on behalf of educational agencies and institutions under the new authority in § 99.35(b). Educational agencies and institutions that disclose education records under § 99.31(a)(3) with the understanding that the State or Federal authority or official may make further disclosures may continue to record those further disclosures as provided in § 99.32(b)(1). Like any other recipient of education records, a State or Federal authority or official may also ask an educational agency or institution to record further disclosures made on its behalf after the initial receipt of the records or information. It is incumbent upon a State or Federal authority or official that makes further disclosures on behalf of an educational agency or institution under § 99.33(b) to determine whether the educational agency or institution has recorded those further disclosures. If the educational agency or institution does not do so, then under the revisions to § 99.32(b)(2)(i) in the final regulations, the State and local educational authority or Federal official or agency that makes further disclosures must maintain the record of those disclosures.
We have also revised § 99.32(a) to ensure that educational agencies and institutions maintain a listing in each student's record of the State and local educational authorities and Federal officials and agencies that may make further disclosures of the student's education records without consent under § 99.33(b). This will help ensure that parents and students know that the record of disclosures maintained by an educational agency or institution as required under § 99.32(a) may not contain all further disclosures made on behalf of the agency or institution by a State or Federal authority or official and alert parents and students to the need to ask for access to this additional information. We have also revised § 99.32(a) to require an educational agency or institution to obtain a copy of the record of further disclosures maintained at the State or Federal level and make it available for parents and students to inspect and review upon request.
In response to commenters' suggestions, the regulations in new § 99.32(b)(2)(ii) allow a State or local educational authority or Federal official or agency to identify the redisclosure by the student's class, school, district, or other appropriate grouping rather than by the name of each student whose record was redisclosed. For example, an SEA may record that it disclosed to the State higher education authority the scores of each student in grades nine through 12 on the State mathematics assessment for a particular year. We believe that this procedure eases administrative burdens while ensuring that a parent or student may access information about the redisclosure.
We note that the recordation requirements under § 6401(c)(i)(IV) of the America COMPETES Act, Public Law 110-69, 20 U.S.C. 9871(c)(i)(IV), are more detailed and stringent than those required under FERPA. In particular, a State that receives a grant to establish a statewide P-16 education data system under § 6401(c)(2), 20 U.S.C. 9871(c)(2), is required to keep an accurate accounting of the date, nature, and purpose of each disclosure of personally identifiable information in the statewide P-16 education data system; a description of the information disclosed; and the name and address of the person, agency, institution, or entity to whom the disclosure is made. The State must also make this accounting available on request to parents of any student whose information has been disclosed. The Department will issue further guidance on these requirements if the program is funded and implemented.
Changes: We have made several changes to § 99.32, as follows:
• New § 99.32(b)(2)(i) provides that a State or local educational authority or Federal official or agency listed in § 99.31(a)(3) that makes further disclosures of information from education records must record the names of the additional parties to which it discloses information on behalf of an educational agency or institution and their legitimate interests under § 99.31 in the information if the information was received from an educational agency or institution that has not recorded the further disclosures itself or from another State or local official or Federal official or agency listed in § 99.31(a)(3).
• New § 99.32(b)(2)(ii) provides that a State or local educational authority or Federal official or agency that records further disclosures of information may maintain the record by the student's class, school, district or other appropriate grouping rather than by the name of the student.
• New § 99.32(b)(2)(iii) provides that upon request of an educational agency or institution, a State or local educational authority or Federal official or agency that maintains a record of further disclosures must provide a copy of the record of further disclosures to the educational agency or institution within a reasonable period of time not to exceed 30 days.
• Revised § 99.32(a)(1) requires educational agencies and institutions to list in each student's record of disclosures the names of the State and local educational authorities and Federal officials or agencies that may make further disclosures of the information on behalf of the educational agency or institution under § 99.33(b).
• New § 99.32(a)(4) requires an educational agency or institution to obtain a copy of the record of further disclosures maintained by a State or local educational authority or Federal official or agency and make it available in response to a parent's or student's request to review the student's record of disclosures.
Educational Research (§§ 99.31(a)(6) and 99.31(a)(3))
Comment: We received a number of comments on proposed § 99.31(a)(6)(ii). In this section, we proposed that an educational agency or institution that discloses personally identifiable information without consent to an organization conducting studies for, or on behalf of, the educational agency or institution must enter into a written agreement with the organization specifying the purposes of the study and containing certain other elements. This exception to the consent requirement is often referred to as the “studies exception.” While all of the comments on this provision generally supported the changes, many of the commenters raised concerns about the scope and applicability of the studies exception and requested clarification on some of the proposed changes, particularly with regard to the provisions relating to written agreements.
Discussion: We address commenters' specific concerns about the key portions of these regulations in the following sections.
Changes: None.
(a) Scope and Applicability of § 99.31(a)(6)
Comment: Several commenters stated that the proposed regulations did not clearly indicate that the studies exception applies to State educational authorities. Some commenters, assuming that § 99.31(a)(6) applied to State educational authorities, noted that the proposed regulations did not provide clear authority for State educational authorities such as an SEA, or a State longitudinal data system using State generated data (such as State assessment results), to enter into research agreements on behalf of educational agencies and institutions. One commenter stated that § 99.31(a)(6) should not be interpreted to require that research agreements be entered into by individual schools or that any resulting redisclosures be recorded by the individual schools.
One commenter asked for clarification regarding whether § 99.31(a)(6) permitted a school to disclose a student's education records to his or her previous school for the purpose of evaluating Federal or State-supported education programs or for improving instruction.
Another commenter stated that the Department should further revise the regulations to provide that only individuals in the organization conducting the study who have a legitimate interest in the information disclosed be given access to the information. The commenter also stated that the Department should specifically limit § 99.31(a)(6) to bona fide research projects by prohibiting organizations conducting studies under this exception from using record-level data for other operational or commercial purposes. The commenter also expressed concern about the duration of research projects, noting that significantly more restrictive access should be required for studies that track personally identifiable information for long periods of time. The commenter stated further that the Department should consider imposing a time limit on how long information obtained through longitudinal studies can be retained.
Discussion: FERPA permits an educational agency or institution to disclose personally identifiable information from an education record of a student without consent if the disclosure is to an organization conducting studies for, or on behalf of, the educational agency or institution to (a) develop, validate, or administer predictive tests; (b) administer student aid programs; or (c) improve instruction. 20 U.S.C. 1232g(b)(1)(F); 34 CFR 99.31(a)(6). Disclosures made under the studies exception may only be used by the receiving party for the purposes for which the disclosure was made and for no other purpose or study. As such, § 99.31(a)(6) is not a general research exception to the consent requirement in FERPA but an exception for studies limited to the purposes specified in the statute and regulations.
We first note that it may not be necessary or even advantageous for State educational authorities to use the studies exception in order to conduct or authorize educational research because of the limitations in § 99.31(a)(6). In contrast, § 99.31(a)(3)(iv), under the conditions set forth in § 99.35, allows educational agencies and institutions, such as LEAs and postsecondary institutions, to disclose education records without consent to State educational authorities for audit and evaluation purposes, which can include a general range of research studies beyond the more limited group of studies specified under § 99.31(a)(6). Also, as explained more fully elsewhere in this preamble, while a State educational authority must have the underlying legal authority to audit or evaluate the records it receives from LEAs or postsecondary institutions under § 99.35, the LEA or postsecondary institution is not required to enter into a written agreement for the audit or evaluation as it is required to do under § 99.31(a)(6). (See Redisclosure of Education Records and Recordkeeping by State and Local Educational Authorities and Federal Officials and Agencies.) The absence of an explanation of the authorized representatives exception (§ 99.31(a)(3)) in the NPRM created confusion, especially with regard to how State departments of education may utilize education records for evaluation purposes. Therefore, we have included that explanation here.
The conditions for disclosing education records without consent under §§ 99.31(a)(3)(iv) and 99.35 are discussed in the Department's Memorandum from the Deputy Secretary of Education (January 30, 2003) available at http://www.ed.gov/policy/gen/guid/secletter/030130.html. The Deputy Secretary's memorandum explains that under this exception an “authorized representative” of a State educational authority is a party under the direct control of that authority, e.g., an employee or a contractor.
In general, the Department has interpreted FERPA and implementing regulations to permit the disclosure of personally identifiable information from education records, without consent, in connection with the outsourcing of institutional services and functions. Accordingly, the term “authorized representative” in § 99.31(a)(3) includes contractors, consultants, volunteers, and other outside parties (i.e., non-employees) used to conduct an audit, evaluation, or compliance or enforcement activities specified in § 99.35, or other institutional services or functions for which the official or agency would otherwise use its own employees. For example, a State educational authority may disclose personally identifiable information from education records, without consent, to an outside attorney retained to provide legal services or an outside computer consultant hired to develop and manage a data system for education records.
The term “authorized representative” also includes an outside researcher working as a contractor of a State educational authority or other official listed in § 99.31(a)(3) that has outsourced the evaluation of Federal or State supported education programs. An outside researcher may conduct independent research under this provision in the sense that the researcher may propose or initiate research projects for consideration and approval by the State educational authority or other official listed in § 99.31(a)(3) either before or after the parties have negotiated a research agreement. Likewise, the State educational authority or official does not have to agree with or endorse the researcher's results or conclusions. In so doing, an outside researcher retained to evaluate education programs by a State educational authority or other official listed in § 99.31(a)(3) as an “authorized representative” may be given access to personally identifiable information from education records, including statistical information with unmodified small data cells. However, the term “authorized representative” does not include independent researchers that are not contractors or other parties under the direct control of an official or agency listed in § 99.31(a)(3).
While an educational agency or institution may not disclose personally identifiable information from students' education records to independent researchers, nothing in FERPA prohibits them from disclosing information that has been properly de-identified. Further discussion of this issue is provided in the following paragraphs and under the section entitled Personally Identifiable Information and De-Identified Records and Information.
An SEA or other State educational authority that has legal authority to enter into agreements for LEAs or postsecondary institutions under its jurisdiction may enter into an agreement with an organization conducting a study for the LEA or institution under the studies exception. If the SEA or other State educational authority does not have the legal authority to act for or on behalf of an LEA or institution, then it would not be permitted to enter into an agreement with the organization conducting the study under this exception. As previously mentioned, FERPA authorizes certain disclosures without consent; it does not provide an SEA or other State educational authority with the legal authority to act for or on behalf of an LEA or postsecondary institution.
With regard to the request for clarification whether § 99.31(a)(6) permits a school to disclose a student's education records to his or her previous school for evaluation purposes, the studies exception only allows disclosures to organizations conducting studies for, or on behalf of, the educational agency or institution that discloses its records. The “for, or on behalf of” language from the statute does not permit disclosures under this exception so that the receiving organization can conduct a study for itself or some other party. This issue is discussed in more detail under the section of this preamble entitled Disclosure of Education Records to Student's Former Schools.
We agree with the comment that the regulations should be revised to provide that only those individuals in the organization conducting the study that have a legitimate interest in the personally identifiable information from education records can have access to the records. The Secretary also shares the commenter's concerns about limiting § 99.31(a)(6) to bona fide research projects, prohibiting commercial utilization of education records, and limiting the duration of research projects. We address these issues in greater detail in the following section concerning written agreements.
Changes: None.
(b) Written Agreements for Studies
Comment: Several commenters expressed concern that § 99.31(a)(6) not be read so broadly as to erode parents' and students' privacy rights, and, therefore, supported the restrictions that the Secretary included in this provision. Specifically, they supported the new requirement that educational agencies and institutions must enter into a written agreement with the organization conducting the study that specifies: the purpose of the study, that the information from the education records disclosed be used only for the stated purpose, that individuals outside the organization may not have access to personally identifiable information about the students being studied, and that the information be destroyed or returned when it is no longer needed for the purpose of the study.
Several commenters said that the Department should clarify that the existence of a written agreement is not a rationale in and of itself for the disclosure of education records. They stated that the regulations should provide explicitly that a written agreement does not modify the protections under FERPA or justify the use of the records transferred other than as permitted by the statute and the regulations. Some of these commenters stated that the written agreement should include a description of the specific records to be disclosed for the study.
Several commenters agreed with the provision in the proposed regulations that specified that an educational agency or institution does not need to agree with or endorse the conclusions or results of the study. Other commenters asked that we include in the regulations the explanation provided in the preamble to the NPRM that the school also does not need to initiate the study.
One commenter suggested that we change the references from “study” to “studies” so that it is clear that an agency or institution and a research organization could enter into one agreement that would cover a variety of studies that support the State's or school district's educational objectives. One commenter suggested that the Department certify agreements between educational agencies and research organizations as meeting the requirements of FERPA.
There were several comments on the destruction of information requirements in FERPA. Some suggested that we include in the regulations the specific time period by which information disclosed to a researcher must be destroyed, while others stated that ongoing access to data is necessary and that researchers should be permitted to retain information indefinitely. Some commenters suggested that the required time period for the destruction or return of education records, as deemed necessary by the parties to support the purposes of the authorized study or studies, be established in the written agreement.
One commenter approved including the requirements regarding the use and destruction of data in the written agreement as a way of improving compliance with FERPA. However, the commenter questioned our explanation that the language in the statute providing that the study must be conducted “for, or on behalf of” the educational agency or institution means that the disclosing school must retain control over the information once it has been given to a third party conducting a study. The commenter believed that school districts will not be involved in how a study is performed and that the written agreement with the organization specifying the organization's obligations with regard to the use and destruction of data should be sufficient.
Discussion: The Secretary shares the concerns raised by commenters that § 99.31(a)(6) not be read so broadly as to erode parents' and students' privacy rights. Accordingly, we have revised § 99.31(a)(6) to address some of these concerns and believe that these changes will provide adequate protection of students' education records that may be disclosed under the studies exception.
In the NPRM, we proposed to remove current § 99.31(a)(6)(ii)(A) and (B) and included these requirements under the provisions for written agreements. These paragraphs provide that the study must be conducted in a manner that does not permit personal identification of parents and students by individuals other than representatives of the organization and that the information be destroyed when no longer needed for the purposes for which the study was conducted. We are including § 99.31(a)(6)(ii)(A) and (B) in the final regulations. After reviewing comments on the proposed changes, we concluded that, by moving these two provisions into the new paragraph relating to written agreements, we would have weakened the statutory requirements concerning the studies exception. We believe this correction will alleviate commenters' concerns about weakening parents' and students' privacy rights under FERPA.
We agree with the comments that the existence of a written agreement is not a rationale in and of itself for the disclosure of education records. As a privacy statute, FERPA requires that parents and eligible students provide written consent before educational agencies and institutions disclose personally identifiable information from students' education records. There are several statutory exceptions to FERPA's general consent rule, one of which is § 99.31(a)(6), an exception that permits disclosure of records for studies limited to the purposes specified in the statute and regulations. However, a written agreement, a memorandum of understanding, or a contract is not a justification for disclosure of education records. Rather, a disclosure must meet the requirements in § 99.31(a)(6) or the other permitted disclosures under § 99.31. If a disclosure meets the conditions of § 99.31(a)(6), the disclosure may be made, and the written agreement sets forth the requirements that must be followed when entering into such an agreement.
As noted in our earlier discussion of the scope and applicability of the studies exception, the Secretary concurs that the regulations should be revised to require that a written agreement expressly include the purpose, scope, and duration of the agreed upon study, as well as the information to be disclosed. We also agree with commenters that the regulations should specifically limit any disclosures of personally identifiable information from students' education records to those individuals in the organization conducting the study that have a legitimate interest in the information. This requirement is consistent with § 99.32(a)(3)(ii), which requires that an educational agency or institution record the “legitimate interests” the parties had in obtaining information under FERPA.
The Secretary strongly recommends that schools carefully limit the disclosure of students' personally identifiable information under this and the other exceptions in § 99.31 and reminds educational agencies and institutions that disclosures without consent are subject to § 99.33(a)(2), which states: “The officers, employees, and agents of a party that receives information under paragraph (a)(1) of this section may use the information, but only for the purposes for which the disclosure was made.” The recordation requirements in § 99.32 also apply to any disclosures of personally identifiable information made under the studies exception. (We note that a school does not have to record the disclosure of information that has been properly de-identified.)
Although FERPA permits schools to disclose personally identifiable information under § 99.31(a)(6) to organizations conducting studies for or on its behalf, the Secretary recommends that educational agencies and institutions release de-identified information whenever possible under this exception. Even when schools opt not to release de-identified information in these circumstances, we recommend that schools reduce the risk of unauthorized disclosure by removing direct identifiers, such as names and SSNs, from records that don't require them, even though these records may still contain some personally identifiable information. This is especially important when a school also discloses sensitive information about students, such as type of disability and special education services received by the students.
We agree with commenters that § 99.31(a)(6) should be revised to indicate that an educational agency or institution is not required to initiate a study. Additionally, we have revised § 99.31(a)(6) to include the word “studies” so that an educational agency or institution may utilize one written agreement for more than one study, so long as the requirements concerning information that must be in the agreement are met.
While we do not have the authority under FERPA to officially certify agreements between educational agencies and institutions and organizations conducting studies, FPCO does provide technical assistance to educational agencies or institutions on FERPA. As such, if school officials have questions about whether an agreement meets the requirements in § 99.31(a)(6), they may contact FPCO for assistance.
With regard to the comments that we include in the regulations a specific time period by which information provided under the studies exception must be destroyed, we believe that the parties entering into the agreement should decide when information has to be destroyed or returned to the educational agency or institution. As we have discussed, we have revised § 99.31(a)(6) to require that the written agreement include the duration of the study and the time period during which the organization must either destroy or return the information to the educational agency or institution.
With regard to the comment that a written agreement with the organization conducting the study should be sufficient for an educational agency or institution to retain control over information from education records once the information is given to an organization conducting a study, we agree that a written agreement required under the regulations will help ensure that the information is used only to meet the purposes of the study stated in the written agreement and that all applicable requirements are met. However, similar to the requirement that an outside service provider serving as a school official is subject to FERPA's restrictions on the use and redisclosure of personally identifiable information from education records, educational agencies and institutions must ensure that organizations with which they have entered into an agreement to conduct a study also comply with FERPA's restrictions on the use of personally identifiable information from education records. (See pages 15578-15580 of the NPRM.) That is, the school must retain control over the organization's access to and use of personally identifiable information from education records for purposes of the study or studies, including access by the organization's own employees and subcontractors, as well as any school officials whom the organization permits to have access to education records.
An educational agency or institution may need to determine that the organization conducting the study has reasonable controls in place to ensure that personally identifiable information from education records is protected. We note that it is common practice for some data sharing agreements to have a “controls section” that specifies required controls and how they will be verified (e.g., surprise inspections). We recommend that the agreement required by § 99.31(a)(6) include a section that sets forth similar requirements. If a school is unable to verify that these controls are in place, then it should not disclose personally identifiable information from education records to an organization for the purpose of conducting a study.
In this regard, it should be noted that educational agencies and institutions are responsible for any failures by an organization conducting a study to comply with applicable FERPA requirements. FERPA states that if a third party outside the educational agency or institution fails to destroy information in violation of 20 U.S.C. 1232g(b)(1)(F), the studies exception in FERPA, the educational agency or institution shall be prohibited from permitting access to information from education records to that third party for a period of not less than five years. See 20 U.S.C. 1232g(b)(4)(B).
Changes: We have revised § 99.31(a)(6) to: (1) Retain § 99.31(a)(6)(ii)(A) and (B); (2) amend § 99.31(a)(6)(ii)(A) to provide that the study must be conducted in a manner that does not permit personal identification of parents or students by anyone other than representatives of the organization that have legitimate interest in the information; (3) amend § 99.31(a)(6)(ii)(C) to require that the written agreement specify the purpose, scope, and duration of the study and the information to be disclosed; require the organization to use personally identifiable information from education records only to meet the purpose or purposes of the study as stated in the written agreement; limit any disclosures of information to individuals in the organization conducting the study who have a legitimate interest in the information; and require the organization to destroy or return to the educational agency all personally identifiable information when the information is no longer needed for the purposes of the study and specify the time period during which the organization must either destroy or return the information to the educational agency or institution; and (4) amend § 99.31(a)(6) in new paragraph (iii) to provide that an educational agency or institution is not required to initiate a study.
Disclosure of Education Records to Non-Educational State Agencies
Comment: Several commenters stated that the proposed amendments did not specifically address whether an educational agency or institution is permitted to disclose education records to non-educational State agencies, such as State health or labor agencies, as part of an agreement with those agencies, without first obtaining consent. One commenter said that because the Department has taken the position that education records may be shared with State auditors who are not educational officials and who are not, by definition, under the control of a State educational authority, there is no legal basis to prohibit the disclosure of education records to other non-educational State and local agencies.
Some officials representing State health agencies commented that FERPA should be more closely aligned with the disclosure provisions of the HIPAA Privacy Rule. One commenter noted that there was a critical need for public health researchers to be able to access, without consent, personally identifiable information contained in student health records to allow for analyses, public health studies, and research that will benefit school-aged children, as well as the general population. One organization representing school nurses noted that public health officials need access to education records for the purposes of public health reporting, surveillance, and reimbursement.
Several commenters recommended that SEAs be authorized to share data from education records with State social services, health, juvenile, and employment agencies, to serve the needs of students, including special needs, low-income, and at-risk students. One SEA commented that it did not support extending access to student data to non-education State agencies, except to State auditors, as specified in proposed § 99.35(a)(3). This commenter asserted that access to and use of information from students' education records should be controlled by a limited number of education officials who are sensitive to the intent of FERPA and well acquainted with its safeguards.
Discussion: There is no specific exception to the written consent requirement in FERPA that permits the disclosure of personally identifiable information from students' education records to non-educational State agencies. Educational agencies and institutions may disclose personally identifiable information for audit or evaluation purposes under §§ 99.31(a)(3) and 99.35 only to authorized representatives of the officials or agencies listed in § 99.31(a)(3)(i) through (iv). Typically, LEAs and their constituent schools disclose education records to State educational authorities under § 99.31(a)(3)(iv), such as the SEA, for audit, evaluation, or compliance and enforcement purposes.
There are some exceptions that might authorize disclosures to non-educational State agencies for specified purposes. For example, disclosures may be made in a health or safety emergency (§§ 99.31(a)(10) and 99.36), in connection with financial aid (§ 99.31(a)(4)), or pursuant to a State statute under the juvenile justice system exception (§§ 99.31(a)(5) and 99.38), and any disclosures must meet the specific requirements of the particular exception. FERPA, however, does not contain any specific exceptions to permit disclosures of personally identifiable information without consent for public health or employment reporting purposes. That said, nothing in FERPA prohibits an educational agency or institution from importing information from another source to perform its own evaluations.
We believe that any further expansion of the list of officials and entities in FERPA that may receive education records without the consent of the parent or eligible student must be authorized by legislation enacted by Congress.
We explained in the NPRM on page 15577 that, with respect to State auditors, legislative history for the 1979 FERPA amendment indicates that Congress specifically intended that FERPA not preclude State auditors from obtaining personally identifiable information from education records in order to audit Federal and State supported education programs, notwithstanding that the statutory language in the amendment refers only to “State and local educational officials.” See 20 U.S.C. 1232g(b)(5); H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 (1979), reprinted in 1979 U.S. Code Cong. Admin. News 819, 824. This legislative history provides a basis for drawing a distinction between State auditors and officials of other State agencies that also are not under the control of the State educational authority. (As explained more fully under State auditors, upon further review, we have removed from the final regulations the proposed regulations related to State auditors and audits.)
The 1979 amendment to FERPA does not apply to other State officials or agencies, and there is no other legislative history to indicate that Congress intended that FERPA be interpreted to permit educational agencies and institutions, or State and local educational authorities or Federal officials and agencies listed in § 99.31(a)(3), to share students' education records with non-educational State officials. In fact, Congress has, on numerous occasions, indicated otherwise.
As discussed elsewhere in this preamble under the heading Health or Safety Emergency, the HIPAA Privacy Rule specifically excludes from coverage health care information that is maintained as an “education record” under FERPA. 45 CFR 160.103, Protected health information. We understand that the HIPAA Privacy Rule allows covered entities to disclose identifiable health data without written consent to public health authorities. However, there is no comparable exception to the written consent requirement in FERPA.
As mentioned previously, in conducting an audit, evaluation, or compliance or enforcement activity, an educational authority may collaborate with other State agencies by importing data from those sources and conducting necessary matches. Any reports or other information created as a result of the data matches may only be released to those non-educational officials in non-personally identifiable form. Educational authorities may also release information on students to non-educational officials that has been properly de-identified, as described in § 99.31(b)(1).
Additionally, many agencies providing services to low income or at-risk families have parents sign a consent form authorizing disclosure of information at intake time so that the agency can receive necessary information from schools. In 1993, we amended the FERPA regulations to help facilitate this practice. In final regulations published in the Federal Register on January 7, 1993 (58 FR 3188), we removed the previous requirement in the regulations that schools “obtain” consent from parents and eligible students so that parents and eligible students may “provide” a signed and dated consent to third parties in order for the school to disclose education records to those parties.
Therefore, parents can provide consent at intake time to State and local social services and other non-educational agencies serving the needs of students in order to permit their children's schools (or the SEA) to disclose education records to the agency. For example, parents routinely provide consent to the Medicaid agency that permits that agency to collect information from other agencies on the family being served. In many cases those consents are written in a manner that complies with the consent requirement in § 99.30, and the student's school may disclose information to the Medicaid agency necessary for reimbursement purposes for services provided the student.
Changes: None.
Disclosure of Education Records to Student's Former Schools (§§ 99.31(a)(3), 99.31(a)(6), and 99.35(b))
Comment: One commenter asked for clarification whether a school could disclose a student's education records to the student's previous school for the purpose of evaluating Federal or State supported education programs or for improving instruction. Several commenters said that there is a critical need for school districts to be able to access the records of their former students from the student's new district or postsecondary institution so that the previous institution can evaluate the effectiveness of its own education programs. Some commenters said that § 99.35(a) clearly allows a K-12 data system to use postsecondary records to evaluate its own programs, and that a K-12 system does not need to have legal authority to evaluate postsecondary programs for the disclosure to be valid under the audit or evaluation exception.
Discussion: Section 99.31(a)(2) allows an educational agency or institution to disclose personally identifiable information from education records, without consent, to a school where the student seeks or intends to enroll or is already enrolled if the disclosure relates to the student's enrollment or transfer. There is no specific authority in FERPA for an educational agency or institution, or a State or local educational authority, to disclose or redisclose personally identifiable information from education records to a student's former school without consent.
As discussed above, §§ 99.31(a)(3) and 99.35 allow educational agencies and institutions to disclose personally identifiable information from education records without consent to State and local educational authorities that are legally authorized to audit or evaluate the disclosing institution's programs or records. We encourage State and local authorities to take advantage of this exception and establish or modify State or local legal authority, as necessary, to allow K-12 and postsecondary educational authorities to audit or evaluate one another's programs. As noted above, the Department will generally defer to a State Attorney General's interpretation of State or local law on these matters.
Section 99.31(a)(6) allows an educational agency or institution to disclose personally identifiable information from education records without consent to an organization conducting a study for, or on behalf of, the agency or institution that discloses its records. The “for, or on behalf of” language from the statute and regulations, however, does not allow the educational agency or institution to disclose personally identifiable information from education records under this exception so that the receiving organization can conduct a study for itself or some other party. Further, the Secretary does not as a policy matter support expanding the studies exception to permit such a disclosure because it would result in a vast increase in the number of parties gaining access to and maintaining personally identifiable information on students. As discussed below, educational agencies and institutions and other parties, including State educational authorities, may always release information from education records to a student's former school, without consent, if all personally identifiable information has been removed.
Personally Identifiable Information and De-Identified Records and Information (§§ 99.3 and 99.31(b))
(a) Definition of Personally Identifiable Information
Comment: We received a number of comments on proposed § 99.3 regarding changes to the definition of personally identifiable information. One commenter applauded the Department's recognition of the increasing ease of identifying individuals from redacted records and statistical information because of the large amount of detailed personal information that is maintained on most Americans by many different organizations. This commenter and others, however, stated that the proposed regulations did not go far enough to ensure that personally identifiable information about students would not be released.
One commenter expressed concern about our proposal to eliminate paragraphs (e) and (f) from the existing definition of personally identifiable information, which included a list of personal characteristics and other information that would make a student's identity easily traceable. The commenter said that this was a change to long-standing Department policy and represented an unwarranted invasion of privacy that exceeds statutory authority. This commenter also expressed concern that eliminating the “easily traceable” provisions for determining whether information was personally identifiable could prevent parents from accessing their children's education records and might allow school officials to circumvent FERPA requirements by using nicknames, initials, and other personal characteristics to refer to children.
In contrast, several commenters stated that the regulations would be unworkable or were too restrictive and would prevent or discourage the release of information from education records needed for school accountability and other public purposes. These commenters stated that paragraphs (f) and (g) in the proposed definition of personally identifiable information, which replaces the “easily traceable” provisions, would provide school officials too much discretion to conceal information the public deserves to have in order to debate public policy. Proposed paragraph (f) provided that personally identifiable information includes other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. Proposed paragraph (g) provided that personally identifiable information includes information requested by a person who the educational agency or institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record relates, sometimes known as a “targeted request.”
Several commenters expressed support for the provisions in paragraphs (f) and (g) of the definition of personally identifiable information. One of these commenters said that the “school and community” limitation and the “reasonable person” standard in paragraph (f) is sufficiently clear for implementation by parties that release de-identified records. Another commenter said that ambiguity in the terms “reasonable person” and “reasonable certainty” was necessary so that organizations can develop their own standards for addressing the problem of ensuring that information that is released is not personally identifiable. This commenter asked the Department to retain the flexibility in the proposed language and provide examples of policies that have been implemented that meet the requirements in paragraphs (f) and (g) of the definition. The commenter said that most school districts know when they are receiving a targeted request (paragraph (g)) but asked that the Department provide examples to help districts determine whether a non-targeted request will reveal personally identifiable information.
Journalism and writers' associations expressed concern about the “reasonable person” standard in paragraph (f) and our statement in the preamble to the NPRM (73 FR 15583) that an educational agency or institution may not be able to release redacted education records that concern students or incidents that are well-known in the school community, including when the parent or student who is the subject of the record contacts the media and causes the publicity that prevents the release of the record. These commenters stated that FERPA should not prevent schools from releasing records from which all direct and indirect identifiers, such as name, date of birth, address, unusual place of birth, mother's maiden name, and sibling information, have been removed without regard to any outside information, particularly after a student or parent has waived any pretense of confidentiality by contacting the media. They also said that the proposed definition of personally identifiable information does not acknowledge the public interest in school accountability.
One commenter said that the “reasonable person in the school or its community” standard in paragraph (f) was too narrow and inappropriate because it would allow individuals with even modest scientific and technological abilities to identify students based on supposedly de-identified information. Another commenter said that the reference in paragraph (f) to a “reasonable person” should be changed to “ordinary person.” A commenter said that if we retain the “reasonable person” standard, we should remove the references to the school or its community and personal knowledge of the circumstances and simply refer to a reasonable person. Several commenters said the “school or its community” standard is too vague and needs to be clarified, particularly in relation to the provision in paragraph (g) regarding targeted requests; these commenters said that school officials will choose to evaluate a request for information based on whether a reasonable person in the community, a broader standard than a reasonable person in the school, could identify the student and automatically find their own decisions to be reasonable. One commenter said that the phrase “relevant circumstances” in paragraph (f) is vague.
One commenter said that the standard in paragraph (f) about whether the information requested is “linked or linkable” to a specific student was too vague and overly broad and could be logically extended to cover almost any information about a student. This commenter said that the regulations should focus on preventing the release of records that in and of themselves contain unique personal descriptors that would make the student identifiable in the school community and not refer to outside information, including what members of the public might know independently of the records themselves.
Several commenters expressed concerns that the provision in paragraph (g) regarding targeted requests will make FERPA and the regulations administratively unwieldy and unnecessarily subjective. One of these commenters said that paragraph (g) is unclear and adds more confusion as opposed to providing clarity; this commenter said that paragraph (g) should be removed and that the requirements in paragraph (f) were sufficient. Another commenter said that the standard in paragraph (g) unfairly holds agencies and institutions responsible for ascertaining the requester's personal knowledge. One commenter said that we should delete the words “direct, personal” before “knowledge” because these terms are unclear. According to this commenter, if a school reasonably believes that the requester knows the student's identity, the school should not disclose the records, whether the knowledge is “direct” or “personal.”
Other commenters expressed a more general concern that the standard for targeted requests in paragraph (g) places an undue burden on school officials to obtain information about the person requesting information and creates a potential conflict with State open records laws. According to these commenters, the regulations as proposed would encourage agencies and institutions to make illegitimate inquiries into a requester's motives for seeking information and what the requester intends to do with it, or require the agency or institution to read the mind of a party requesting information. According to the commenter, this would introduce a degree of subjective judgment that would invariably lead to abuse because the same record that could be considered a public record to one requester could be a confidential document to another. A large university that has decentralized administrative operations questioned how it could be expected to take institutional knowledge into account in evaluating whether a request for records is targeted and asked for confirmation that the Department will not substitute its judgment for that of the institution so long as there was a rational basis for the decision to release information.
We received a few comments on the example of a targeted request that we provided in the preamble to the NPRM (73 FR 15583-15584), in which rumors circulate that a candidate running for political office plagiarized other students' work, and a reporter asks the university for the redacted disciplinary records of all students who were disciplined for plagiarism for the year in which the candidate graduated. We explained that the university may not release the records in redacted form because the circumstances indicate that the requester had direct, personal knowledge of the subject of the case. Two commenters said that confirmation that one unnamed student was disciplined in 1978 for plagiarism does not identify that student or confirm that the candidate was that student, and our explanation of the standard with this example showed that the regulations would prevent parents and the media from discharging their vital oversight responsibilities.
One school district said that the targeted request provision could impair due process in some student discipline cases by limiting the release of redacted witness statements that concern more than one student. The commenter suggested that under its current practice, if four students are involved in an altercation, the school redacts all personally identifiable information with regard to students 2 through 4 when releasing the statement without parental consent to student 1, but under the proposed regulations, student 1's request would violate the requirements in paragraph (g) because of the student's knowledge of the identity of the other students to whom the record relates. This commenter said that the regulations should not be adopted if they do not address these due process concerns.
Several commenters said they appreciated the addition of a student's date of birth and other indirect identifiers in the definition of personally identifiable information. Another commenter said that a comprehensive list of indirect identifiers would be helpful. One commenter asked us to define the concept of indirect identifiers. Another commenter asked us to clarify which personally identifiable data elements may be released without consent. A commenter asked us to define the term biometric record as used in the definition of personally identifiable information.
Discussion: The Joint Statement explains that the purpose of FERPA is two-fold: to assure that parents and eligible students can access the student's education records, and to protect their right to privacy by limiting the transferability of their education records without their consent. 120 Cong. Rec. 39862. As such, FERPA is not an open records statute or part of an open records system. The only parties who have a right to obtain access to education records under FERPA are parents and eligible students. Journalists, researchers, and other members of the public have no right under FERPA to gain access to education records for school accountability or other matters of public interest, including misconduct by those running for public office. Nonetheless, as explained in the preamble to the NPRM, 73 FR 15584-15585, we believe that the regulatory standard for defining and removing personally identifiable information from education records establishes an appropriate balance that facilitates school accountability and educational research while preserving the statutory privacy protections in FERPA.
The simple removal of nominal or direct identifiers, such as name and SSN (or other ID number), does not necessarily avoid the release of personally identifiable information. Other information, such as address, date and place of birth, race, ethnicity, gender, physical description, disability, activities and accomplishments, disciplinary actions, and so forth, can indirectly identify someone depending on the combination of factors and level of detail released. Similarly, and as noted in the preamble to the NPRM, 73 FR 15584, the existing professional literature makes clear that public directories and previously released information, including local publicity and even information that has been de-identified, is sometimes linked or linkable to an otherwise de-identified record or data set and renders the information personally identifiable. The regulations properly require parties that release information from education records to address these situations.
We removed the “easily traceable” standard from the definition of personally identifiable information because it lacked specificity and clarity. We were also concerned that the “easily traceable” standard suggested that a fairly low standard applied in protecting education records, i.e., that information was considered personally identifiable only if it was easy to identify the student.
The removal of the “easily traceable” standard and adoption of the standards in paragraphs (f) and (g) will not affect a parent's right under FERPA to inspect and review his or her child's education records. Records that teachers and other school officials maintain on students that use only initials, nicknames, or personal descriptions to identify the student are education records under FERPA because they are directly related to the student.
Further, records that identify a student by initials, nicknames, or personal characteristics are personally identifiable information if, alone or combined with other information, the initials are linked or linkable to a specific student and would allow a reasonable person in the school community who does not have personal knowledge about the situation to identify the student with reasonable certainty. For example, if teachers and other individuals in the school community generally would not be able to identify a specific student based on the student's initials, nickname, or personal characteristics contained in the record, then the information is not considered personally identifiable and may be released without consent. Experience has shown, however, that initials, nicknames, and personal characteristics are often sufficiently unique in a school community that a reasonable person can identify the student from this kind of information even without access to any personal knowledge, such as a key that specifically links the initials, nickname, or personal characteristics to the student.
In contrast, if a teacher uses a special code known only by the teacher and the student (or parent) to identify a student, such as for posting grades, this code is not considered personally identifiable information under FERPA because the only reason the teacher can identify the student is because of the teacher's access to personal knowledge of the relevant circumstances, i.e., the key that links the code to the student's name.
In response to the commenter who stated that a school should not be prevented from releasing information when the subject of the record has waived any pretense of confidentiality by contacting the media and making the incident well-known in the community, we have found that in limited circumstances a parent or student may impliedly waive their privacy rights under FERPA by disclosing information to parties in a special relationship with the institution, such as a licensing or accreditation organization. However, we have not found and do not believe that parents and students generally waive their privacy rights under FERPA by sharing information with the media or other members of the general public. The fact that information is a matter of general public interest does not give an educational agency or institution permission to release the same or related information from education records without consent.
The “reasonableness” standards in paragraphs (f) and (g) of the new definition, which replace the “easily traceable” standard, do not require the exercise of subjective judgment or inquiries into a requester's motives. Both provisions require the disclosing party to use legally recognized, objective standards by referring to identification not in the mind of the disclosing party or requester but by a reasonable person and with reasonable certainty, and by requiring the disclosing party to withhold information when it reasonably believes certain facts to be present. These are not subjective standards, and these changes will not diminish the privacy protections in FERPA.
The standard proposed in paragraph (f) regarding the knowledge of a reasonable person in the school or its community was not intended to describe the technological or scientific skill level of a person who would be capable of re-identifying statistical information or redacted records. Rather, it provided the standard an agency or institution should use to determine whether statistical information or a redacted record will identify a student, even though certain identifiers have been removed, because of a well-publicized incident or some other factor known in the community. For example, as explained in the preamble to the NPRM, 73 FR 15583, a school may not release statistics on penalties imposed on students for cheating on a test where the local media have published identifiable information about the only student (or students) who received that penalty; that statistical information or redacted record is now personally identifiable to the student or students because of the local publicity.
Paragraph (f) in the proposed definition provided that the agency or institution must make a determination about whether information is personally identifiable information not with regard to what someone with personal knowledge of the relevant circumstances would know, such as the principal who imposed the penalty, but with regard to what a reasonable person in the school or its community would know, i.e., based on local publicity, communications, and other ordinary conditions. We agree with the comment that the “school or its community” standard was confusing because it was not clear whether just the school itself or the larger community in which the school is located is the relevant group for determining what a reasonable person would know.
We are changing this standard in paragraph (f) to the “school community” and by this change we mean that an educational agency or institution may not select a broader “community” standard when the information to be released would be personally identifiable under the narrower “school” standard. For example, it might be well known among students, teachers, administrators, parents, coaches, volunteers, or others at the local high school that a student was caught bringing a gun to class last month but generally unknown in the town where the school is located. In these circumstances, a school district may not disclose that a high school student was suspended for bringing a gun to class last month, even though a reasonable person in the community where the school is located would not be able to identify the student, because a reasonable person in the high school would be able to identify the student. The student's privacy is further protected because a reasonable person in the school community is also presumed to have at least the knowledge of a reasonable person in the local community, the region or State, the United States, and the world in general. The “school community” standard, therefore, provides the maximum privacy protection for students.
We do not agree that the reference to “reasonable person” should be changed to “ordinary person.” “Reasonable person” is a legally recognized standard that represents a hypothetical, rational, prudent, average individual. It would be confusing and inappropriate to introduce a new term “ordinary” in this context.
The standard in paragraph (f) excludes from the “reasonable person in the school community” standard persons who have personal knowledge of the “relevant circumstances,” which one commenter considered vague. Under this standard, an agency or institution is not required to take into consideration when releasing redacted or statistical information that someone with special knowledge of the circumstances could identify the student. For example, if it is generally known in the school community that a particular student is HIV-positive, or that there is an HIV-positive student in the school, then the school could not reveal that the only HIV-positive student in the school was suspended. However, if it is not generally known or obvious that there is an HIV-positive student in school, then the same information could be released, even though someone with special knowledge of the student's status as HIV-positive would be able to identify the student and learn that he or she had been suspended.
The provisions in paragraph (g) regarding targeted requests do not require an educational agency or institution to ascertain or guess a requester's motives for seeking information from education records or what a requester intends to do with the information. This paragraph addresses a situation in which a requester seeks what might generally qualify as a properly redacted record but the facts indicate that redaction is a useless formality because the subject's identity is already known.
An educational agency or institution is not required under paragraph (g) to make any special inquiries or otherwise seek information about the person requesting information from education records. It must use information that is obvious on the face of the request or provided by the requester, such as when a requester asks for the redacted transcripts of a particular student. Paragraph (f) also requires an agency or institution to use information known to a reasonable person in the school community, such as when a requester asks for the redacted transcripts of all basketball players who were expelled for accepting bribes after the local newspaper published a story about the matter. Paragraphs (f) and (g) do not require an educational agency or institution to inquire whether a requester has special knowledge not available generally in the school community that would make the subject of the record identifiable. We disagree with the comment that paragraph (f) is sufficient and paragraph (g) should be removed. Paragraph (g) addresses the problem of targeted requests, which is not addressed under paragraph (f).
We agree with the comment that the provision in paragraph (g) under which an agency or institution must determine whether the information requested is personally identifiable information based on its reasonable belief that the requester has “direct, personal” knowledge of the identity of the student to whom the record relates is ambiguous and confusing, especially in relation to what might be considered indirect knowledge. Therefore, we have modified this provision so that an educational agency or institution must simply have a reasonable belief that the requester knows the identity of the student to whom the record relates.
In reviewing a complaint that an educational agency or institution disclosed personally identifiable information from an education record in response to a targeted request, the Department would examine the request itself, the facts on which the agency or institution based its decision to release the information, as well as any information known generally in the school community that the agency or institution failed to take into account. The Department would also counsel an agency or institution about the nature of the violation in connection with the Department's responsibility for seeking voluntary compliance with FERPA before initiating any enforcement action under § 99.67.
With regard to the comment that the standard in paragraph (g) will impair due process in student discipline cases, it is unclear what the commenter means by releasing redacted witness statements under its current practice. Education records are defined in FERPA as records that are directly related to a student and maintained by an educational agency or institution, or by a party acting for the agency or institution. 20 U.S.C. 1232g(a)(4)(A); 34 CFR 99.3. Under this definition, a parent (or eligible student) has a right to inspect and review any witness statement that is directly related to the student, even if that statement contains information that is also directly related to another student, if the information cannot be segregated and redacted without destroying its meaning.
For example, parents of both John and Michael would have a right to inspect and review the following information in a witness statement maintained by their school district because it is directly related to both students: “John grabbed Michael's backpack and hit him over the head with it.” Further, in this example, before allowing Michael's parents to inspect and review the statement, the district must also redact any information about John (or any other student) that is not directly related to Michael, such as: “John also punched Steven in the stomach and took his gloves.” Since Michael's parents likely know from their son about other students involved in the altercation, under paragraph (g) the district could not release any part of this sentence to Michael's parents. We note also that the sanction imposed on a student for misconduct is not generally considered directly related to another student, even the student who was injured or victimized by the disciplined student's conduct, except if a perpetrator has been ordered to stay away from a victim.
In order to provide maximum flexibility to educational agencies and institutions, we did not attempt to define or list all other “indirect identifiers”. We believe that the examples listed in paragraph (3) of the definition of personally identifiable information—date of birth, place of birth, and mother's maiden name—indicate clearly the kind of information that could identify a student. Race and ethnicity, for example, could also be indirect identifiers. It is not possible, however, to list all the possible indirect identifiers and ways in which information might indirectly identify a student. Further, unlike the HIPAA Privacy Rule, these regulations do not attempt to provide a “safe harbor” by listing all the information that may be removed in order to satisfy the de-identification requirements in § 99.31(b). We have also added a definition of biometric record that is based on National Security Presidential Directive 59 and Homeland Security Presidential Directive 24.
Changes: We added a definition of biometric record, which provides that the term means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints, retina and iris patterns, voiceprints, DNA sequence, facial characteristics, and handwriting.
We also have revised paragraph (f) in the definition of personally identifiable information to change the reference “school or its community” to “school community.” In paragraph (g) of the definition of personally identifiable information, we removed the requirement that the requester have “direct, personal knowledge.” As revised, paragraph (g) provides that personally identifiable information means information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the record relates.
(b) De-Identified Records and Information
Comment: We received a number of comments on § 99.31(b)(1), which would allow an educational agency or institution, or a party that has received personally identifiable information from education records, to release the records or information without parental consent after the removal of all personally identifiable information, provided that the educational agency or institution or other party has made a reasonable determination that a student's identity is not personally identifiable because of unique patterns of information about the student, whether through single or multiple releases, and taking into account other reasonably available information. In order to permit ongoing educational research with the same data, § 99.31(b)(2) allows an educational agency or institution or other party that releases de-identified, non-aggregated data (also known as “microdata”) from education records to attach a code to each record, which may allow the recipient to match information received from the same source, under three conditions—(1) the educational agency or institution does not disclose any information about how it generates and assigns a record code, or that would allow a recipient to identify a student based on a record code; (2) the record code is used for no purpose other than identifying a de-identified record for purposes of education research and cannot be used to ascertain personally identifiable information about a student; and (3) the record code is not based on a student's social security number or other personal information.
Several commenters supported these proposed regulations and said that they will help facilitate valuable educational research. One of these commenters said that the provisions for de-identification of education records create clear standards that will allow researchers to conduct necessary research without compromising student privacy. One commenter appreciated being able to attach a code or linking key to records to facilitate matching students across data sets while preserving student confidentiality.
One commenter stated that de-identified data do not support appropriate analytical research that will lead to improved educational outcomes. Further, according to this commenter, complete de-identification of systematic, longitudinal data on every student may not be possible.
Two commenters expressed concern that agencies and institutions redact too much information from education records and said that the Department should err on the side of disclosure of disaggregated data so that journalists and researchers can obtain accurate information about how students in every accountability subgroup are performing. These commenters said that the regulations should take into account the real track record of journalists and researchers in maintaining the confidentiality of information from education records.
One commenter said that many institutions and individuals have the ability to re-identify seemingly de-identified data and that it is generally much easier to do than most people realize because 87 percent of Americans can be identified uniquely from their date of birth, five-digit zip code, and gender. This commenter said that the regulations need to take into account that re-identification is a much greater risk for student data than other kinds of information because FERPA allows for the regular publication of student directories that contain a wealth of personal information, including address and date of birth, that can be used with existing tools and emerging technology to re-identify statistical data, even by non-experts.
Another commenter said that because the de-identification process is so resource-intensive, the regulations should allow the research entity to de-identify education records as a contractor under § 99.31(a)(1) of the regulations.
We explained in the preamble to the NPRM (73 FR 15585) that educational agencies and institutions should monitor releases of coded, de-identified microdata from education records to ensure that overlapping or successive releases do not result in data sets in which a student's personally identifiable information is disclosed. One commenter said that this monitoring requirement was too burdensome given the vast number of data requests it receives and asked us to limit the monitoring requirement to single or multiple releases it makes to the same party. An SEA asked specifically for clarification in the regulations regarding what steps, if any, it must take to ensure that multiple releases of de-identified data to the same requester over time that the requester intends to use for a longitudinal study do not result in small data cells that may reveal the identity of the student. A school district said that the regulations should require the destruction of de-identified information from education records by the receiving party to avoid the problem of combining successive data releases to identify students.
Some commenters said that the regulations should provide objective standards for the de-identification of education records. One commenter asked the Department to prescribe a method for States to adopt to ensure that student confidentiality is protected. Two commenters asked specifically for guidance on what minimum cell size should be allowed when releasing statistical information. Several commenters said that SEAs and school districts need specific guidance regarding the release of student achievement data under the NCLB, including, in particular, reporting 100 percent achievement of certain performance levels on State assessments. One commenter who opposed restrictions on the release of de-identified data referred to instances in which some States have created minimum cell sizes of 100 for reporting disaggregated data under NCLB, which prevents the release of a great deal of important information. Another commenter said that our discussion of small cell sizes in the preamble to the NPRM, 73 FR 15584, reflected a misunderstanding of the problem.
One commenter said that § 99.31(b) is confusing because it is not clear how paragraph (b)(2), which is limited to educational research, relates to paragraph (b)(1), which is not so limited. This commenter also said that the regulations impose an unnecessary burden on the entity receiving a request for information and that the requirements of paragraph (f) in the definition of personally identifiable information are sufficient to de-identify education records. Another commenter said that the language in § 99.31(b)(1) that requires consideration of unique patterns of information about a student is confusing and creates ambiguity because the definition of personally identifiable information itself incorporates standards for de-identification that appear to differ from the standard in § 99.31(b).
Discussion: As explained in the preamble to the NPRM, 73 FR 15584-15585, we believe that the regulatory standard for de-identifying information from education records establishes an appropriate balance that facilitates the release of appropriate information for school accountability and educational research purposes while preserving the statutory privacy protections in FERPA. Unlike the HIPAA Privacy Rule, these regulations do not attempt to provide a “safe harbor” by listing all the direct and indirect identifiers that may be removed to satisfy the de-identification requirements in § 99.31(b). Rather, they are intended to provide standards under which information from education records may be released without consent because all personally identifiable information has been removed.
The Department recognizes that de-identified data may not be appropriate for all educational research purposes and that complete de-identification of longitudinal student data may not be possible without sacrificing essential content and usability. In these situations, and as discussed elsewhere in this preamble, FERPA allows the disclosure and redisclosure of personally identifiable information from education records, without consent, to researchers under the terms and conditions specified in §§ 99.31(a)(1), 99.31(a)(3), and 99.31(6). We note that a researcher who receives personally identifiable information under these provisions would, however, have to de-identify any report or other information in accordance with § 99.31(b) before releasing it to the public or other parties, including other researchers.
In response to comments that educational agencies and institutions may remove too much information from education records, we note that while we have attempted to provide a balanced standard for the release of de-identified data for school accountability and other purposes, FERPA is a privacy statute, and no party has a right under FERPA to obtain information from education records except parents and eligible students. Further, there is no statutory authority in FERPA to modify the prohibition on disclosure of personally identifiable information from education records, or the exceptions to the written consent requirement, based on the track record of the party, including journalists and researchers, in maintaining the confidentiality of information from education records that they have received.
In response to the comment about allowing a researcher to de-identify education records, educational agencies and institutions may outsource the de-identification process to any outside service provider serving as a school official in accordance with the requirements in § 99.31(a)(1)(i)(B). (Those requirements are discussed in detail in the preamble to the NPRM at 73 FR 15578-15580 and elsewhere in these final regulations.) State and local educational authorities and Federal officials and agencies listed in § 99.31(a)(3) may outsource the de-identification process to their authorized representatives under the conditions specified in § 99.35.
We agree that the risk of re-identification may be greater for student data than other information because of the regular publication of student directories, commercial databases, and de-identified but detailed educational reports by States and researchers that can be manipulated with increasing ease by computer technology. As noted in the preamble to the NPRM, 73 FR 15584, the re-identification risk of any given release is cumulative, i.e., directly related to what has previously been released, and this includes both publicly-available directory information, which is personally identifiable, and de-identified data releases. For that reason, we advised in the NPRM that parties should minimize information released in directories to the extent possible because, since the enactment of FERPA in 1974, the risk of re-identification from such information has grown as a result of new technologies and methods.
In response to comments about the need to monitor releases of coded, de-identified microdata to avoid re-identification of the data, because the risk of re-identification is cumulative, when making a new disclosure of coded data an educational agency or institution or other party must take into account all releases of information from education records it has made, not just releases it has made to the recipient of new data. We note that some of the publicly available directory information and de-identified data releases that need to be taken into account have been produced by the same agency or institution, State or local educational authority, or Federal official that wishes to release newly de-identified information. In general, FERPA poses no restrictions on the recipient's use of directory information and de-identified data from education records. Therefore, it may be unclear whether previous data releases are available generally, have been shared with a limited number of parties, or not shared at all. Further, unlike personally identifiable information that is disclosed under §§ 99.31(a)(3) and (a)(6), de-identified information from education records does not have to be destroyed when no longer needed for the purposes for which it was released. We note, however, that a releasing party would reduce its monitoring responsibilities if it requires destruction or prohibits redisclosure of coded, de-identified microdata, because coded, de-identified microdata has a higher risk of re-identification than de-identified microdata. In the future the Department will provide further information on how to monitor and limit disclosure of personally identifiable information in successive statistical data releases.
In response to requests for guidance on what specific steps and methods should be used to de-identify information (and as noted in the preamble to the NPRM, 73 FR 15584), it is not possible to prescribe or identify a single method to minimize the risk of disclosing personally identifiable information in redacted records or statistical information that will apply in every circumstance, including determining whether defining a minimum cell size is an appropriate means to protect the confidentiality of aggregated data and, if so, selection of an appropriate number. This is because determining whether a particular set of methods for de-identifying data and limiting disclosure risk is adequate cannot be made without examining the underlying data sets, other data that have been released, publicly available directories, and other data that are linked or linkable to the information in question. For these reasons, we are unable to provide examples of rules and policies that necessarily meet the de-identification requirements in § 99.31(b). The releasing party is responsible for conducting its own analysis and identifying the best methods to protect the confidentiality of information from education records it chooses to release. We recommend that State educational authorities, educational agencies and institutions, and other parties refer to the examples and methods described in the NPRM at page 15584 and refer to the Federal Committee on Statistical Methodology's Statistical Policy Working Paper 22, www.fcsm.gov/working-papers/wp22.html, for additional guidance.
With regard to issues with NCLB reporting in particular, determining the minimum cell size to ensure statistical reliability of information is a completely different analysis than that used to determine the appropriate minimum cell size to ensure confidentiality. Further, as noted in the preceding paragraph and in the preamble to the NPRM, use of minimum cell sizes or data suppression is only one of several ways in which information from education records may be de-identified before release. Statistical Policy Working Paper 22 describes other disclosure limitation methods, such as “top coding” and “data swapping,” which may be more suitable than simple data suppression for releasing the maximum amount of information to the public without breaching confidentiality requirements. Decisions regarding whether to use data suppression or some other method or combination of methods to avoid disclosing personally identifiable information in statistical information must be made on a case-by-case basis.
We agree with the commenter who said that the example we provided in the preamble to the NPRM regarding the small cell problem in reporting that two Hispanic females failed to graduate was misleading and offer the following, more complete explanation. Simply knowing that one out of 100 Hispanic females failed to graduate does not identify which of the Hispanic females it might be. But suppose this female is an English language learner who is also enrolled in special education classes. The school also publishes tables on participation in special education classes by race, ethnicity, and grade, and tables that include the graduation status of Hispanic females disaggregated in one table by English language proficiency status, and by participation in special education classes in another. Suppose that these three tabulations each show separately that there is one 12th grade Hispanic female enrolled in special education classes, that the one Hispanic female who did not graduate was enrolled in special education classes, and that the one Hispanic female who did not graduate was an English language learner. With this information, the discerning observer knows that the one Hispanic female who failed to graduate is an English language learner and that she was the only 12th grade Hispanic student enrolled in special education classes. Any number of people in the school would be able to identify the Hispanic female who did not graduate with these three pieces of information.
Expanding the example to two individuals, the logic is similar, except in this case each of the Hispanic females knows her own characteristics and can find herself in each of the available tables, and thus by a process of elimination identifies the characteristics of the other non-graduate, perhaps learning something she did not already know about the other student. The published tables show that there are two 12th grade Hispanic females enrolled in special education classes, one with a learning disability and one with mental retardation. The tables also show that the two Hispanic females who did not graduate were enrolled in special education classes, and that the two Hispanic females who did not graduate were both English language learners. Others in the school community may be able to identify the two 12th grade Hispanic females who are English language learners enrolled in special education classes, but not necessarily be able to distinguish the student with the learning disability from the student with mental retardation. However, each girl knows her own disability and by the process of elimination now knows the other girl's disability. Similarly, anyone with knowledge of one of the two Hispanic females who did not graduate can find that girl in the tables, and then isolate the characteristics that belong to the other Hispanic female.
This example can be expanded to an example with three Hispanic females who fail to graduate. All three of the Hispanic females who did not graduate are English language learners, and two Hispanic females who did not graduate are enrolled in special education classes—one with a learning disability and the other with mental retardation. In this case, the one Hispanic female who is an English language learner and did not graduate now knows that the other two Hispanic females in her English language learner classes and also did not graduate are in the special education program, but she does not know which condition each girl has. By the same logic, each of the two females who did not graduate and are in special education classes knows her own disability and as a result knows the disability of the other Hispanic female who was an English language learner enrolled in special education classes who did not graduate. These are some examples of situations in which small cell data reveals personally identifiable information from education records.
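A pre-release check for the cumulative risk and small cells discussed above, as an added example that is not part of the regulations or of Department guidance: it joins successive coded microdata files on their record code, as a recipient holding them could, and reports value combinations shared by fewer than k students. The sample rows, the column names, the `review_release` helper and the threshold k = 3 are assumptions for illustration; the regulations prescribe no minimum cell size.

```python
from collections import Counter


def build_students():
    """Constructed rows for one accountability subgroup; every value is invented."""
    spec = [  # (special_ed, ell, graduated, number of students)
        (True, True, False, 2), (True, False, False, 1),
        (False, True, False, 1), (False, False, False, 2),
        (True, True, True, 3), (False, False, True, 3),
    ]
    rows = []
    for special_ed, ell, graduated, n in spec:
        for _ in range(n):
            rows.append({"code": f"R{len(rows):03d}",  # opaque placeholder record code
                         "special_ed": special_ed, "ell": ell,
                         "graduated": graduated})
    return rows


STUDENTS = build_students()


def release(rows, cols):
    """The coded microdata file a recipient receives: record code plus cols."""
    return [{"code": r["code"], **{c: r[c] for c in cols}} for r in rows]


def join_on_code(files):
    """What a holder of several files can rebuild by matching record codes."""
    merged = {}
    for f in files:
        for row in f:
            merged.setdefault(row["code"], {}).update(row)
    return list(merged.values())


def columns_of(rows):
    """Attribute columns present in a file, excluding the record code."""
    return sorted({c for r in rows for c in r if c != "code"})


def small_cells(rows, cols, k):
    """Value combinations over cols that are shared by fewer than k students."""
    counts = Counter(tuple(r.get(c) for c in cols) for r in rows)
    return {cell: n for cell, n in counts.items() if n < k}


def review_release(prior_files, proposed_file, k):
    """Check a proposed file alone and joined with every earlier coded release."""
    alone = small_cells(proposed_file, columns_of(proposed_file), k)
    joined_rows = join_on_code(list(prior_files) + [proposed_file])
    cols = columns_of(joined_rows)
    joined = small_cells(joined_rows, cols, k)
    return {"columns": cols, "alone": alone, "joined": joined,
            "students_exposed": sum(joined.values()),
            "ok": not alone and not joined}


if __name__ == "__main__":
    earlier = [release(STUDENTS, ["special_ed", "graduated"])]
    proposed = release(STUDENTS, ["ell", "graduated"])
    report = review_release(earlier, proposed, k=3)
    print("columns:", report["columns"])
    print("small cells in proposed file alone:", report["alone"])
    print("small cells after joining on code:", report["joined"])
    print("students exposed:", report["students_exposed"])
```

Each file on its own has no cell below three students, yet the joined view isolates every non-graduate in a cell of one or two, which is why the ledger of earlier releases has to be an input to the check.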
The Secretary has no statutory authority to modify the regulations to allow LEAs and SEAs to report that 100 percent of students achieved specified performance levels. In that regard we note that the Department's Non-Regulatory Guidance for NCLB Report Cards (2003) provides:
[S]chools must also ensure that the data they report do not reveal personally identifiable information about individual students * * *. States must adopt a strategy for dealing with a situation in which all students in a particular subgroup scored at the same achievement level. One solution, referred to as “masking” the data, is to use the notation of 95% when all students in a subgroup score at the same achievement level.
See www.ed.gov/programs/titleiparta/reportcardsguidance.doc on page 3. Likewise, LEAs and SEAs must adopt a strategy for ensuring that they do not disclose personally identifiable information about low-performing students when they release information about their high-performing students.
In response to the comments that paragraphs (1) and (2) in § 99.31(b) are confusing, paragraph (1) establishes a standard for de-identifying education records that applies to disclosures made to any party for any purpose, including, for example, parents and other members of the general public who are interested in school accountability issues, as well as education policy makers and researchers. The release of de-identified information from education records under § 99.31(b)(1) is not limited to education research purposes because, by definition, the information does not contain any personally identifiable information.
Paragraph (2) of § 99.31(b) applies only to parties conducting education research; it allows an educational agency or institution, or a party that has received education records, such as a State educational authority, to attach a code to each record that may allow the researcher to match microdata received from the same educational source under the conditions specified. The purpose of paragraph (2) is to facilitate education research by authorizing the release of coded microdata. The requirements in paragraph (2) that apply to a record code preclude matching de-identified data from education records with data from another source. Therefore, by its terms, the release of coded microdata under paragraph (2) is limited to education research.
We agree with the commenter who stated that the reference in § 99.31(b)(1) to “unique patterns of information about a student” is confusing in relation to the definition of personally identifiable information and believe that it essentially restated the requirements in paragraph (f) of the definition. Therefore, we have removed this phrase from the regulations. We disagree that the definition of personally identifiable information and the requirements in § 99.31(b) impose an unnecessary burden on the entity receiving a request for de-identified information from education records and that the requirements in paragraph (f) in the definition are sufficient. As explained above, paragraph (f) does not address the problem of targeted requests. It also does not address the re-identification risk associated with multiple data releases and other reasonably available information, or allow for the coding of de-identified micro data for educational research purposes. Section 99.31(b) provides the additional standards needed to help ensure that educational agencies and institutions and other parties do not identify students when they release redacted records or statistical data from education records.
Changes: We have removed the reference to “unique patterns of information” in § 99.31(b).
Notification of Subpoena (§ 99.33(b)(2))
Comment: We received a few comments on our proposal in § 99.33(b)(2) to require a party that has received personally identifiable information from education records from an educational agency or institution to provide the notice to parents and eligible students under § 99.31(a)(9) before it discloses that information on behalf of an educational agency or institution in compliance with a judicial order or lawfully issued subpoena. One national education association supported the proposed amendment.
One commenter asked the Department to clarify the intent of the proposed language. This commenter said that, when an educational agency or institution requests that a third party make the disclosure to comply with a lawfully issued subpoena or court order, it is reasonable to expect the educational agency or institution to send the required notice to the student(s). The commenter also said that it was not clear from the proposed change whether it is sufficient for the educational agency or institution to send the notice or whether it must come from the third party.
Discussion: The Secretary agrees that there needs to be clarification about which party is responsible for notifying parents and eligible students before an SEA or other third party outside of the educational agency or institution discloses education records to comply with a lawfully issued subpoena or court order. We have revised the regulation to provide that the burden to notify a parent or eligible student rests with the recipient of the subpoena or court order. While a third party, such as an SEA, that is the recipient of a subpoena or court order is responsible for notifying the parents and eligible students before complying with the order or subpoena, the educational agency or institution could assist the third party in the notification requirement, by providing it with contact information so that it could provide the notice.
In order to ensure that this new requirement is enforceable, we have also revised § 99.33(e) so that if the Department determines that a third party, such as an SEA, did not provide the notification required under § 99.31(a)(9)(ii), the educational agency or institution may not allow that third party access to education records for at least five years.
Changes: We have amended § 99.33(b)(2) to clarify that the third party that receives the subpoena or court order is responsible for meeting the notification requirements under § 99.31(a)(9). We also have revised § 99.33(e) to provide that if the Department determines that a third party, such as an SEA, did not provide the notification required under § 99.31(a)(9)(ii), the educational agency or institution may not allow that third party access to education records for at least five years.
Health or Safety Emergency (§ 99.36)
Comment: We received many comments in support of our proposal to amend § 99.36 regarding disclosures of personally identifiable information without consent in a health or safety emergency. Most of the parties that commented stated that the proposed changes demonstrated the right balance between student privacy and campus safety. A number of commenters specifically supported the clarification regarding the disclosure of information from an eligible student's education records to that student's parents when a health or safety emergency occurs. One commenter said that the proposed amendment would provide appropriate protection for sensitive and otherwise protected information while clarifying that educational agencies and institutions may notify parents and other appropriate individuals in an emergency so that they may intervene to help protect the health and safety of those involved.
Discussion: We appreciate the commenters' support for the amendments to the “health or safety emergency” exception in § 99.36(b). Educational agencies and institutions are permitted to disclose personally identifiable information from students' education records, without consent, under § 99.31(a)(10) in connection with a health or safety emergency. Disclosures under § 99.31(a)(10) must meet the conditions described in § 99.36. We address specific comments about the proposed amendments to this exception in the following paragraphs.
Changes: None.
(a) Disclosure in Non-Emergency Situations
Comment: Some commenters suggested that we interpret § 99.36 to permit the sharing of information on reportable diseases to health officials in non-emergency situations. These commenters stated that the disclosure of routine immunization data should be subject to State, local, and regional public health laws and regulations and not FERPA. One of these commenters noted that the HIPAA Privacy Rule allows covered entities to disclose personally identifiable health data, without consent, to public health authorities.
Discussion: There is no authority in FERPA to exclude students' immunization records from the definition of education records in FERPA. Further, the HIPAA Privacy Rule specifically excludes from coverage health care information that is maintained as an “education record” under FERPA. 45 CFR 160.103, Protected health information. We understand that the HIPAA Privacy Rule allows covered entities to disclose identifiable health data without written consent to public health authorities. However, there is no statutory exception to the written consent requirement in FERPA to permit this type of disclosure.
As explained in the preamble to the NPRM (73 FR 15589), the amendment to the health or safety emergency exception in § 99.36 does not allow disclosures on a routine, non-emergency basis, such as the routine sharing of student information with the local police department. Likewise, this exception does not cover routine, non-emergency disclosures of students' immunization data to public health authorities. Consequently, there is no statutory basis for the Department to revise the regulatory language as requested by the commenters.
Changes: None.
(b) Strict Construction Standard
Comment: Several commenters expressed concern that removing the language from current § 99.36 requiring strict construction of the “health and safety emergency” exception and substituting the language providing for a “rational basis” standard would not require schools to make an individual assessment to determine if there is an emergency that warrants a disclosure. One commenter stated that removal of the “strict construction” requirement would severely weaken the Department's enforcement capabilities and that schools may see this change as an excuse to disclose sensitive student information when there is not a real emergency.
A commenter stated that the removal of the “strict construction” requirement would mean that the Department would eliminate altogether its review of actions taken by schools under the health and safety emergency exception. Another commenter stated that removing the requirement that this exception be strictly construed could erode the privacy rights of individuals. The commenter noted that because parents and eligible students cannot bring suit in court to enforce FERPA, schools face virtually no liability if they violate FERPA requirements.
A commenter asked that the Department clarify what is meant by an “emergency” and how severe a concern must be to qualify as an emergency.
Discussion: Section 99.36(c) eliminates the previous requirement that paragraphs (a) and (b) of this section be “strictly construed” and provides instead that, in making a determination whether a disclosure may be made under the “health or safety emergency” exception, an educational agency or institution may take into account the totality of the circumstances pertaining to a threat to the health or safety of a student or other individuals. The new provision states that if there is an articulable and significant threat to the health or safety of the student or other individuals, an educational agency or institution may disclose information to appropriate parties.
As we indicated in the preamble to the NPRM, we believe paragraph (c) provides greater flexibility and deference to school administrators so they can bring appropriate resources to bear on a circumstance that threatens the health or safety of individuals. 73 FR 15574, 15589. In that regard, paragraph (c) provides that the Department will not substitute its judgment for that of the agency or institution if, based on the information available at the time of the determination, there is a rational basis for the agency's or institution's determination that a health or safety emergency exists and that the disclosure was made to appropriate parties.
We do not agree that removal of the “strict construction” standard weakens FERPA or erodes privacy protections. Rather, the changes appropriately balance the important interests of safety and privacy by providing school officials with the flexibility to act quickly and decisively when emergencies arise. Schools should not view FERPA's “health or safety emergency” exception as a blanket exception for routine disclosures of student information but as limited to disclosures necessary to protect the health or safety of a student or another individual in connection with an emergency.
After consideration of the comments, we have determined that educational agencies and institutions should be required to record the “articulable and significant threat to the health or safety of a student or other individuals” so that they can demonstrate (to parents, students, and to the Department) what circumstances led them to determine that a health or safety emergency existed and how they justified the disclosure. Currently, educational agencies and institutions are required under § 99.32(a) to record any disclosure of personally identifiable information from education records made under § 99.31(a)(10) and § 99.36. We are revising the recordation requirements in § 99.32(a)(5) to require an agency or institution to record the articulable and significant threat that formed the basis for the disclosure. The school must maintain this record with the education records of the student for as long as the student's education records are maintained (§ 99.32(a)(2)).
We do not specify in the regulations a time period in which an educational agency or institution must record a disclosure of personally identifiable information from education records under § 99.32(a). We interpret this to mean that an agency or institution must record a disclosure within a reasonable period of time after the disclosure has been made, and not just at the time, if any, when a parent or student asks to inspect the student's record of disclosures. We will treat the requirement to record the significant and articulable threat that forms the basis for a disclosure under the health or safety emergency exception no differently than the recordation of other disclosures. In determining whether a period of time for recordation is reasonable, we would examine the relevant facts surrounding the disclosure and anticipate that an agency or institution would address the health or safety emergency itself before turning to recordation of any disclosures and other administrative matters.
In response to concerns about the Department's enforcement of the provisions of § 99.36, the “rational basis” test does not eliminate the Department's responsibility for oversight and accountability. Actions that the Secretary may take in addressing violations of this and other FERPA provisions are addressed in the analysis of comments under the section in this preamble entitled Enforcement. While parents and eligible students do not have a right to sue for violations of FERPA in a court of law, the statute provides that the Secretary may not make funds available to any agency or institution that has a policy or practice of violating parents' and students' rights under the statute with regard to consent to the disclosure of education records. As such, parents and eligible students may file a complaint with the Office if they believe that a school has violated their rights under FERPA and has disclosed education records under § 99.36 inconsistent with these regulations. In conducting an investigation, the Office will require that schools identify the underlying facts that demonstrated that there was an articulable and significant threat precipitating the disclosure under § 99.36.
In response to the comment about what would constitute an emergency, FERPA permits disclosure “* * * in connection with an emergency * * * to protect the health or safety of the student or other persons.” 20 U.S.C. 1232g(b)(1)(I). We note that the word “protect” generally means to keep from harm, attack, or injury. As such, the statutory text underscores that the educational agency or institution must be able to release information from education records in sufficient time for the institution to act to keep persons from harm or injury. Moreover, to be “in connection with an emergency” means to be related to the threat of an actual, impending, or imminent emergency, such as a terrorist attack, a natural disaster, a campus shooting, or the outbreak of an epidemic such as e-coli. An emergency could also be a situation in which a student gives sufficient, cumulative warning signs that lead an educational agency or institution to believe the student may harm himself or others at any moment. It does not mean the threat of a possible or eventual emergency for which the likelihood of occurrence is unknown, such as would be addressed in emergency preparedness activities.
Changes: We have amended the recordkeeping requirements in § 99.32(a)(5) to require educational agencies and institutions to record the articulable and significant threat that formed the basis for a disclosure under the health or safety emergency exception and the parties to whom the information was disclosed.
(c) Articulable and Significant Threat
Comment: One commenter stated that the word “articulable” in § 99.36(c) was confusing in reference to a school's determination that there is an “articulable and significant threat to the health or safety of a student or other individuals.” This commenter stated that school officials might interpret the provision to mean that there must be a verbal threat or that school officials must write down the exact wording of the threat.
Discussion: The requirement that there must be an “articulable and significant threat” does not mean that the threat must be verbal. It simply means that the institution must be able to articulate what the threat is under § 99.36 when it makes and records the disclosure.
In that regard, the words “articulable and significant” are adjectives modifying the key noun “threat.” As such, the focus is on the threat, with the question being whether the threat itself is articulable and significant. The word “articulable” is defined to mean “capable of being articulated.” http://www.merriam-webster.com/dictionary/articulable. This portion of the standard simply requires that a school official be able to express in words what leads the official to conclude that a student poses a threat. The other half of the standard is the word “significant,” which means “of a noticeably or measurably large amount.” http://www.merriam-webster.com/dictionary/significant. Taken together, the phrase “articulable and significant threat” means that if a school official can explain why, based on all the information then available, the official reasonably believes that a student poses a significant threat, such as a threat of substantial bodily harm, to any person, including the student, the school official may disclose education records to any person whose knowledge of information from those records will assist in protecting a person from that threat.
Changes: None.
(d) Parties That May Receive Information Under § 99.36
Comment: A commenter recommended that the Department adopt a more subjective standard regarding the persons to whom education records may be disclosed under § 99.36, suggesting that we remove the requirement that the disclosure must be to a person “whose knowledge of the information is necessary to protect the health or safety of the student or other individuals.” Conversely, another commenter expressed concern that the Department was sending the wrong message to educational agencies and institutions with these changes to § 99.36. The commenter stated that the health or safety emergency exception must not be perceived to permit schools to routinely disclose education records to parents, police, or others.
A commenter asked who at a school may share personally identifiable information in a health or safety emergency, and specifically whether a school secretary would be allowed to tell parents that a student on campus made a threat to others.
A commenter stated that school districts, especially small or rural districts, may not have the expertise on staff to determine whether a situation constitutes an “articulable and significant threat.” The commenter said that personally identifiable information on students may need to be disclosed to outside law enforcement and mental health professionals so that they can help schools determine whether a real threat exists. The commenter recommended that the Department change the proposed regulations to allow school districts to involve outside experts in determining whether a health or safety emergency exists. Noting that the NPRM addressed the disclosure of education records to an eligible student's parents, the organization also asked for clarification regarding whether the parents of a potential perpetrator and the potential victim at the K-12 level could be told about a threat.
Several commenters stated that our proposed amendments did not go far enough and urged the Department to expand § 99.36 to permit a school to notify whomever the student has listed as his or her emergency contact. Another commenter requested that the Secretary, through these regulations, direct institutions to proactively notify parents of students who are in acute care situations, such as illness or accidents, if any institutional official is aware of the emergency.
Discussion: On its face, FERPA permits disclosure to “appropriate persons if the knowledge of such information is necessary to protect the health or safety of the student or other persons.” 20 U.S.C. 1232g(b)(1)(I). FERPA does not require that the person receiving the information be responsible for providing the protection. Rather, the focus of the statutory provision is on the information itself: The “health or safety emergency” exception permits the institution to disclose information from education records in order to gather information from any person who has information that would be necessary to provide the requisite protection. Thus, for example, an educational institution that reasonably believes that a student poses a threat of bodily harm to any person may disclose information from education records to current or prior peers of the student or mental health professionals who can provide the institution with appropriate information to assist in protecting against the threat. Moreover, the institution may disclose records to persons such as law enforcement officials that it determines may be helpful in providing appropriate protection from the threat. An educational agency or institution may also generally disclose information under § 99.36 to a potential victim and the parents of a potential victim as “other individuals” whose health or safety may need to be protected.
Similarly, in order to obtain information that would inform its judgment on how to address the threat, the student's current institution may disclose information from education records to other schools or institutions which the student previously attended. In that regard, the same set of facts underlying the current institution's determination that an emergency existed would also permit former schools and institutions attended by the student to disclose personally identifiable information from education records to the student's current institution. That is, a former school would not need to make a separate determination regarding the existence of an articulable and significant threat to the health or safety of a student or others, and could rely instead on the determination made by the school currently attended by the student in making the disclosure.
In the discussion on page 15589 of the NPRM, we noted that the “health or safety emergency” exception does not permit a local school district to routinely share its student information database with the local police department. This example was meant to clarify that FERPA's health or safety provisions would not permit a school to disclose without consent education records to the local police department unless there was a health or safety emergency and the disclosure of the information was necessary to protect the health or safety of students or other individuals. This does not prevent schools from having working relationships with local police authorities and from using local police officers in maintaining the safety of their campuses.
In response to the comment about which school official should be permitted to disclose information under § 99.36, an educational agency or institution will need to make its own determination about which school officials may access a student's education records and disclose information to parents or other parties whose knowledge of the information is necessary to protect the health or safety of the student or other individuals. Under § 99.31(a)(1), an educational agency or institution may disclose education records, without consent, to school officials whom the agency or institution has determined have legitimate educational interests in the information. It may be helpful for schools to have a policy in place concerning which school officials will have access to and the responsibility for disclosing information in emergency situations.
We understand that some educational agencies and institutions may need assistance in determining whether a health or safety emergency exists for purposes of complying with these regulations. The Department encourages schools to implement a threat assessment program, including the establishment of a threat assessment team that utilizes the expertise of representatives from law enforcement agencies in the community. Schools can respond to student behavior that raises concerns about a student's mental health and the safety of the student and others that is chronic or escalating by using a threat assessment team, and then make other disclosures under the health or safety emergency exception, as appropriate, when an “articulable and significant threat” exists. Information on establishing a threat assessment program and other helpful resources for emergency situations can be found on the Department's Web site: http://www.ed.gov/admins/lead/safety/edpicks.jhtml?src=ln.
An educational agency or institution may disclose education records to threat assessment team members who are not employees of the district or institution if they qualify as “school officials” with “legitimate educational interests” under § 99.31(a)(1)(i)(B), which is discussed elsewhere in this preamble. To receive the education records under the “school officials” exception, members of the threat assessment team must be under the direct control of the educational agency or institution with respect to the maintenance and use of personally identifiable information from education records. For example, a representative from the city police who serves on a school's threat assessment team generally could not redisclose to the city police personally identifiable information from a student's education records to which he or she was privy as part of the team. As noted above, however, the institution may disclose personally identifiable information from education records when and if the threat assessment team determines that a health or safety emergency exists under §§ 99.31(a)(10) and 99.36.
We believe that § 99.36 does not need to be expanded to permit a school to contact whomever an eligible student has listed as his or her emergency contact, nor is there authority to do so. FERPA does not preclude institutions from contacting other parties, including parents, in addition to the emergency contacts provided by the student, if the school determines these other parties are “appropriate parties” under this exception. (An eligible student may provide consent for the institution to notify certain individuals in case of an emergency, should an emergency occur.)
The regulations would not prevent an institution from having a policy of seeking prospective consent from eligible students for the disclosure of personally identifiable information or from having a policy for obtaining consent for disclosure on a case-by-case basis. However, FERPA does not require that a postsecondary institution disclose information to any party except to the eligible student, even if the student has consented to the disclosure. Thus, the Secretary does not have the statutory authority to require school officials to disclose information from a student's education records in compliance with a consent signed by the student or to otherwise require the institution to contact a family member.
Changes: None.
(e) Treatment Records
Comment: A commenter stated that while the amendments to § 99.36 provide needed clarification about when an educational agency or institution may disclose students' education records to avert tragedies like the one at Virginia Tech in April 2007, the NPRM did not provide clarity on the issue of information sharing between on-campus and off-campus health care providers. The commenter also noted that the Virginia Tech Review Panel recommended that Congress amend FERPA to explain how Federal privacy laws apply to medical records held for treatment purposes and that the NPRM did not provide that clarity.
Another commenter stated that if information about a student related to a health or safety emergency is part of the treatment records maintained by a university's health clinic, the treatment records should be treated like education records so that they may be disclosed under the health and safety emergency exception. A commenter asked that the Department clarify that college health and mental health records are not education records under FERPA and must be treated like other health and mental health records in other settings.
Discussion: While we have carefully considered the comments concerning “treatment records,” the Secretary does not believe that it is necessary to amend the regulations to provide clarification on the handling of health and medical records. The Departments of Education and Health and Human Services have issued joint guidance that explains the relationship between FERPA and the HIPAA Privacy Rule. The guidance addresses this issue for these records at the elementary and secondary levels, as well as at the postsecondary level. The joint guidance, which is on the Web sites of both agencies, addresses many of the questions raised by school administrators, health care professionals, and others as to how these two laws apply to records maintained on students. It also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations. The guidance can be found here: http://www.ed.gov/policy/gen/guid/fpco/index.html.
As discussed elsewhere in this preamble with respect to § 99.31(a)(2), while “treatment records” are excluded from the definition of education records under FERPA, if an eligible student's treatment records are used for any purpose other than the student's treatment, or if a school wishes to disclose the treatment records for any purpose other than the student's treatment, they may only be disclosed as education records subject to FERPA requirements. Therefore, an eligible student's treatment records may be disclosed to any party, without consent, as long as the disclosure meets one of the exceptions to FERPA's general consent rule. See 34 CFR 99.31. One of the permitted disclosures under this section is the “health or safety emergency” exception.
Changes: None.
Identification and Authentication of Identity (§ 99.31(c))
Comment: Several commenters supported our proposal to require educational agencies and institutions to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the agency or institution discloses personally identifiable information from education records. One commenter supported the provision but advocated requiring the use of two-factor identification for information that could be used to commit identity theft and financial fraud. (Two-factor identification requires the use of two methods to authenticate identity, such as fingerprint identification in addition to a PIN.)
One commenter said that the identification and authentication requirement will help protect students affected by domestic violence who are living in substitute care situations. The commenter noted that many parents in situations involving domestic violence do not have photo identification (ID) and would be unable to meet a requirement to provide photo ID in order to access their children's education records.
One commenter strongly supported the proposed amendment and said it will be valuable in aiding the privacy and protection of homeless children. Another commenter questioned whether the identification and authentication requirement is necessary for staff of large school districts with centralized offices.
One commenter did not support the proposed regulation, stating that it will be an additional burden on school districts. The commenter agreed with our statement in the preamble to the NPRM that the regulations should permit districts to determine their own methods of identification and authentication. However, the commenter stated that districts should not be required to have a sliding scale of control based on the level of potential threat and harm and that it would not be practical to give every person requesting access to education records a PIN or similar method of authentication. For example, the commenter stated that parents might be provided with a PIN, but districts would not want to provide a PIN to a reporter or other third party. The commenter requested additional examples of how districts may authenticate requests received by phone or e-mail. The commenter also stated that districts are sometimes concerned that government-issued photo IDs are fraudulent. As a result, the group requested that the Department adopt a “safe harbor” provision stating that requiring a government-issued photo ID for in-person requests is reasonable.
One commenter expressed concern that the proposed regulations were too restrictive and could be too complex to administer, and that this would cause an institution to choose not to transfer information even though it is permitted to do so. This commenter asked whether the Department will accept an institution's efforts at compliance as sufficient without examining the effectiveness of those efforts.
Discussion: The identification and authentication methods discussed in the NPRM (73 FR 15585) are intended as examples and should not be considered to be exhaustive. Because there are many methods available to provide secure authentication of identity, and as more methods continue to be developed, we do not think it appropriate at this time to require the use of two-factor authentication as requested by the commenter. Two-factor authentication can be expensive and cumbersome, and we believe that each educational agency or institution should decide whether to use its resources to implement a two-factor authentication method or another reasonable method to ensure that education records are disclosed only to an authorized party. The comment that a portion of the population will be disadvantaged if only photo ID is permitted to authenticate identity confirms that we need to retain flexibility in the regulations.
We do not agree that certain types of staff should be excepted from the identification and authentication requirement. All staff members, whether in a centralized office, or in separate administrative offices throughout a school system, must be cognizant of and responsible for complying with identification and authentication requirements.
Due to the differences in size, complexity, and access to technology, we believe that educational agencies and institutions should have the flexibility to decide the methods for identification and authentication of identity best suited to their own circumstances. The regulatory requirement is that agencies and institutions use “reasonable” methods to identify and authenticate identity when disclosing personally identifiable information from education records. “Effectiveness” is certainly one measure, but not necessarily a dispositive measure, of whether the methods used by an agency or institution are “reasonable”. As we explained in the NPRM, an agency or institution is not required to eliminate all risk of unauthorized disclosure of education records but to reduce that risk to a level commensurate with the likely threat and potential harm. 73 FR 15585.
Further in that regard, we note that a “sliding scale” of protection is not mandated per se. However, it may not be “reasonable” to use the same methods to protect students' SSNs or credit card numbers from unauthorized access and disclosure that are used to protect students' names and other directory information. We believe that a PIN process could be useful to provide access to education records for parties, such as parents, students, or school officials, but that it would not generally be useful for providing records to outside parties, such as reporters or parties seeking directory information. While the use of government-issued photo ID may be a reasonable method to authenticate identity, depending on the circumstances and the information being released, we are unable to conclude at this time that it is sufficiently secure to constitute a safe harbor for meeting this requirement.
Changes: None.
Enforcement (§ 99.64)
(a) § 99.64(a)
Comment: One commenter supported our proposal to amend § 99.64(a) to provide that a complaint submitted to FPCO does not have to allege that a violation or failure to comply with FERPA is based on a policy or practice of the agency or institution. The commenter stated that parents often are not aware of legal and technical criteria, and complaints filed by parents should not be subject to technical rules typically applied to filings made by attorneys.
Another commenter did not support the proposed amendment and asked several questions concerning the effects of the change. The commenter asked whether this provision means that the Office will investigate an allegation concerning a single and perhaps unintentional action not related to a policy or practice of the institution. The commenter also asked whether such an investigation could result in a finding of a violation if the finding is not based on an institution's policy or practice, and what enforcement actions can be taken in those circumstances. The commenter suggested that we modify the regulations to provide that, for complaints not alleging a violation based on an institution's policy or practice, the Office will undertake an investigation only when it determines that the allegations are of a sufficiently serious nature to warrant an inquiry.
Discussion: The changes we proposed in this section were intended to clarify that it is sufficient for a complaint to allege that an educational agency or institution violated a requirement of FERPA, and that a complaint does not need to allege that the violation is a result of a policy or practice of an agency or institution in order for the Office to investigate the complaint.
We explain in our discussion of the proposed changes to § 99.67 that the Secretary must find that an educational agency or institution has a policy or practice in violation of the non-disclosure requirements in FERPA before seeking to withhold, terminate, or recover program funds for that violation. However, FPCO is not limited to investigating complaints and finding that an educational agency or institution violated FERPA only if the allegations and findings are based on a policy or practice of an educational agency or institution.
Moreover, we do not agree that only conduct that involves a policy or practice or that affects multiple students is serious enough to warrant an investigation of the allegations. An educational agency or institution may not even be aware of FERPA violations committed by its own school officials until the Office investigates an allegation of misconduct. These kinds of investigations often serve the very important purpose of helping ensure that single instances of misconduct do not become policies or practices of an agency or institution. Further, while an agency or institution may not think that a single, unintentional violation of FERPA is significant, it is often considered serious by the parent or student affected by the violation.
Therefore, consistent with its current practice, the Office may find that an educational agency or institution violated FERPA without also finding that the violation was based on a policy or practice. Note that under §§ 99.66(c) and 99.67, the Office may not take any enforcement action against an agency or institution that has violated FERPA until it provides the agency or institution with a reasonable period of time to come into compliance voluntarily.
Changes: None.
(b) § 99.64(b)
Comment: A number of commenters supported proposed § 99.64(b), which provided that the Office may investigate a possible FERPA violation even if it has not received a timely complaint from a parent or student or if a valid complaint is subsequently withdrawn. Several of these commenters stated that it is appropriate and important to permit persons who are not parents or eligible students, but who have knowledge of potential FERPA violations, to provide this information to the Office for consideration of a possible investigation.
Several commenters objected to the proposed change. One commenter expressed serious concern that the regulations will greatly expand the authority of the Office to investigate any potential FERPA violation, even when no complaint is filed or when a complaint has been withdrawn. In particular, the commenter stated that an institution would not have an opportunity to review and respond to specific allegations when the investigation does not concern a particular complaint.
Another commenter asserted that the Department has not demonstrated why the proposed amendment is necessary. The commenter said that unless there is evidence of a widespread problem, the proposed change will increase university costs in responding to investigations without a corresponding benefit to the public.
Another commenter said that the Office should not investigate allegations that are not filed by a parent or eligible student because an institution must know the name of the filing party and the specific circumstances of the allegation in order to properly defend its actions. The commenter said that it should not be unnecessarily burdened by an investigation by the Office when it has already dealt with the situation to the satisfaction of the affected student, and that any student who is not satisfied with the institution's efforts retains the ability to file a complaint. The commenter also noted that a complaint filed by an affected student has more credibility than allegations made by other parties. The commenter was concerned that accepting information from other parties could result in filings from persons with grievances unrelated to FERPA, such as a disgruntled employee, or an applicant rejected for admission, or a parent or eligible student who missed a filing deadline of some kind.
One commenter said that the proposed change would result in an ineffective use of the limited resources of the Office because it would be investigating allegations that may not have a sufficient basis.
Discussion: We proposed the changes to § 99.64(b) to clarify that the Office may initiate its own investigation that an educational agency or institution has violated FERPA. (The amendment also clarifies that if the Office determines that an agency or institution violated FERPA, it may also determine whether the violation was based on a policy or practice of the agency or institution.)
Our experience has shown that sometimes FERPA violations are brought to the attention of the Office by school officials, officials in other schools, or by the media. It is important that the Office have authority to investigate allegations of non-compliance in these situations. Consistent with its current practice, a notice of investigation issued by the Office will provide sufficient and specific factual information to permit the agency or institution to adequately investigate and respond to the allegations, whether or not the investigation is based on a complaint by a parent or eligible student.
We do not agree that allowing the Office to initiate its own investigations of possible FERPA violations will lead to abuses of the process by persons seeking to redress other grievances with an institution. The Office will continue to be responsible for evaluating the validity of the information and allegations that come to its attention by means other than a valid complaint and determining whether to initiate an investigation. We do not anticipate that the Office will initiate an investigation of every allegation or information it receives. We believe, however, that it is important that the Office be able to investigate any violation of FERPA for which it receives notice. As stated in the NPRM, 73 FR 15591, the Department is not seeking to expand the scope of FERPA investigations beyond the current practices of the Office.
Changes: None.
(c) § 99.66
Comment: We received one comment on the proposed change to § 99.66(c), which allows but does not require FPCO to make a finding that an educational agency or institution has a policy or practice in violation of a FERPA requirement when the Office issues a notice of findings in § 99.66(b). The commenter stated that its review of FERPA and the Supreme Court decision in Gonzaga University v. Doe, 536 U.S. 273 (2002) (Gonzaga), indicates that the Office may not issue a finding of a violation of FERPA and require corrective action or take any enforcement action without also finding that the violation constituted a policy or practice of the agency or institution.
Discussion: We explain in the discussion of the changes to § 99.67 that there are circumstances in which the Office would be required to find that an educational agency or institution has a policy or practice in violation of a FERPA requirement before taking certain enforcement actions, such as an action to terminate funding for a violation of the non-disclosure requirements, 20 U.S.C. 1232g(b)(1) and (b)(2) and 34 CFR 99.30. However, the Office is not required to find a policy or practice in violation of FERPA before issuing a notice of findings or taking other kinds of enforcement actions.
Changes: None.
(d) § 99.67
Comment: One commenter supported the clarification in proposed § 99.67 that the Office may not seek to withhold payments, terminate eligibility for funding, or take certain other enforcement actions unless it determines that the educational agency or institution has a policy or practice that violates FERPA. Another commenter expressed general support for the proposed change, including the clarification that the Secretary may take any legally available enforcement action, in addition to those specifically listed in the current regulations. The commenter expressed concern, however, that the penalties are not severe enough to effectively discourage unintentional or willful violations by third parties, particularly in areas of research and data sharing with outside parties.
Another commenter expressed concern that the proposed amendment would unnecessarily broaden the enforcement options available to the Secretary. The commenter stated that educational agencies and institutions will not be able to assess the risks and consequences associated with their actions without a limitation on the range of enforcement actions available to the Department when a violation of FERPA is found.
One commenter asked the Department to clarify that all methods of enforcing FERPA that are contained in the current regulations will be retained in the final regulations. The commenter said that the proposed regulations in the NPRM (73 FR 15602) appear to remove the Secretary's ability to terminate funding.
Discussion: We explained in the preamble to the NPRM (73 FR 15592) that there were two reasons for the proposed changes to § 99.67(a). One was the need to clarify that the Secretary may take any enforcement action that is legally available and is not limited to those specified under the current regulations, i.e., withholding further payments under any applicable program; issuing a complaint to compel compliance through a cease-and-desist order; or terminating eligibility to receive funding under any applicable program. Other actions the Secretary may take to enforce FERPA include entering into a compliance agreement under 20 U.S.C. 1234f and seeking an injunction.
This change to § 99.67(a) does not broaden the Secretary's enforcement options, as suggested by one commenter. The General Education Provisions Act (GEPA) provides the Secretary with the authority to take certain enforcement actions to address violations of statutory and regulatory requirements, including general authority to “take any other action authorized by law with respect to the recipient.” 20 U.S.C. 1234c(a)(4). The change to § 99.67(a) simply includes, for purposes of clarity, the Secretary's existing authority under GEPA to take any legally available action to enforce FERPA requirements. (We note that before taking enforcement action the Office must determine that the educational agency or institution is failing to comply substantially with a FERPA requirement and provide it with a reasonable period of time to comply voluntarily. See 20 U.S.C. 1234c(a); 20 U.S.C. 1232g(f); and 34 CFR 99.66(c).)
We also proposed to amend § 99.67(a) to clarify that the Office may issue a notice of violation for failure to comply with specific FERPA requirements and require corrective actions but may not seek to terminate eligibility for funding, withhold payments, or take other enforcement actions unless the Office determined that an agency or institution has a policy or practice in violation of FERPA requirements (73 FR 15592). Upon further review, we have decided not to adopt this particular change because we believe it limits the Secretary's enforcement authority in a manner that is not legally required.
In support of its holding in Gonzaga that FERPA's non-disclosure provisions do not create rights that are enforceable under 42 U.S.C. 1983, the Court observed that FERPA provides that no funds shall be made available to an educational agency or institution that has a policy or practice of disclosing education records in violation of FERPA requirements. 536 U.S. at 288; see also 20 U.S.C. 1232g(b)(1) and (b)(2); 34 CFR 99.30. As such, the statute and Gonzaga decision suggest that with respect to violations of FERPA's non-disclosure requirements, the Secretary must find that an educational agency or institution has a policy or practice in violation of FERPA requirements before taking actions to terminate, withhold, or recover funds for those violations. However, there is no requirement under the statute (or the Gonzaga decision) for the Secretary to find a policy or practice in violation of FERPA requirements on the part of an educational agency or institution before taking other kinds of enforcement actions for violations of the non-disclosure requirements, such as seeking an injunction or a cease-and-desist order. We note also that the Gonzaga opinion does not address violations of other FERPA requirements, such as parents' right to inspect and review their children's education records and the requirement that educational agencies and institutions afford parents an opportunity for a hearing to challenge the content of a student's education records under certain circumstances, which do not contain the same “policy or practice” language as the non-disclosure requirements. Because we did not address enforcement of these other FERPA requirements in the NPRM, we have decided not to address in the final regulations limitations or pre-conditions that apply solely to actions to terminate, withhold, or recover program funds for violations of the non-disclosure requirements.
In response to the comment that the available penalties are not severe enough to discourage FERPA violations, we note that the Secretary has authority to terminate, withhold, and recover program funds and take other enforcement actions in accordance with part E of GEPA. The Secretary may not increase penalties beyond those authorized under FERPA and GEPA. Further, the regulations do not remove the Secretary's authority to terminate eligibility for program funding or any other enforcement authority. The changes noted by the commenter who was concerned that the proposed regulations removed the Secretary's authority to terminate funding were corrections to punctuation and formatting only, not substantive changes.
Changes: We have removed the language in § 99.67(a) that requires the Office to determine that an educational agency or institution has a policy or practice in violation of FERPA requirements before taking any enforcement action.
Department Recommendations for Safeguarding Education Records
Comment: We received a few comments on the recommendations for safeguarding education records included in the NPRM. One commenter expressed concern that schools and school districts should exercise enhanced security for the records of children receiving special education services. According to the commenter, these children often have a large number of records and may receive services from a variety of providers, which can add to the challenge of ensuring that appropriate privacy controls are used.
One commenter supported the safeguarding recommendations and suggested that we revise the recommendations to list non-Federal government sources providing guidance on methods for safeguarding education records. Another commenter supported the recommendations, but suggested that the regulations should require that a parent or eligible student receive notification of an unauthorized release or theft of information.
Discussion: The comments on the records of students who receive special education services illustrate the necessity for educational agencies and institutions to ensure that adequate controls are in place so that the education records of all students are handled in accordance with FERPA's privacy protections. The safeguarding recommendations that we provided in the NPRM, and are repeated in these final regulations, are intended to provide agencies and institutions additional information and resources to assist them in meeting this responsibility. In addition, educational agencies and institutions should refer to the protections required under § 300.623 of the confidentiality of information requirements in Part B of the IDEA, 34 CFR 300.623 (Safeguards).
We acknowledge that there are many sources available concerning information security technology and processes. The Department does not wish to appear to endorse the information or product of any company or organization; therefore, we have included only Federal government sources in this notice.
The Department does not have the authority under FERPA to require that agencies or institutions issue a direct notice to a parent or student upon an unauthorized disclosure of education records. FERPA only requires that the agency or institution record the disclosure so that a parent or student will become aware of the disclosure during an inspection of the student's education record.
Changes: None.
We are republishing here, for the administrative convenience of educational agencies and institutions and other parties, the Department Recommendations for Safeguarding Education Records that were published in the preamble to the NPRM (73 FR 15598-15599):
The Department recognizes that agencies and institutions face significant challenges in safeguarding educational records. We are providing the following information and recommendations to assist agencies and institutions in meeting these challenges.
As noted elsewhere in this document, FERPA provides that no funds administered by the Secretary may be made available to any educational agency or institution that has a policy or practice of releasing, permitting the release of, or providing access to personally identifiable information from education records without the prior written consent of a parent or eligible student except in accordance with specified exceptions. In light of these requirements, the Secretary encourages educational agencies and institutions to utilize appropriate methods to protect education records, especially in electronic data systems.
In recent years the following incidents have come to the Department's attention:
• Students' grades or financial information, including SSNs, have been posted on publicly available Web servers;
• Laptops and other portable devices containing similar information from education records have been lost or stolen;
• Education records, or devices that maintain education records, have not been retrieved from school officials upon termination of their employment or service as a contractor, consultant, or volunteer;
• Computer systems at colleges and universities have become favored targets because they hold many of the same records as banks but are much easier to access. See “College Door Ajar for Online Criminals” (May 2006), available at http://www.uh.edu/ednews/2006/latimes/200605/20060530hackers.html and July 10, 2006, Viewpoint in Business Week/Online available at http://www.businessweek.com/technology/content/jul2006/tc20060710_558020.htm;
• Nearly 65 percent of postsecondary educational institutions identified theft of personal information (SSNs, credit/debit/ATM card, account or PIN numbers, etc.) as a high risk area. See Table 7, Perceived Risks at http://www.educause.edu/ir/library/pdf/ecar_so/ers/ers0606/Ekf0606.pdf; and
• In December 2006, a large postsecondary institution alerted some 800,000 students and others that the campus computer system containing their names, addresses, and SSNs had been compromised.
The Department's Office of Inspector General (OIG) noted in Final Inspection Alert Memorandum dated February 3, 2006, that the Privacy Rights Clearinghouse reported that between February 15, 2005, and November 19, 2005, there were 93 documented computer breaches of electronic files involving personal information from education records such as SSNs, credit card information, and dates of birth. According to the reported data, 45 percent of these incidents have occurred at colleges and universities nationwide. OIG expressed concern that student information may be compromised due to a failure to implement or administer proper security controls for information systems at postsecondary institutions.
The Department recognizes that no system for maintaining and transmitting education records, whether in paper or electronic form, can be guaranteed safe from every hacker and thief, technological failure, violation of administrative rules, and other causes of unauthorized access and disclosure. Although FERPA does not dictate requirements for safeguarding education records, the Department encourages the holders of personally identifiable information to consider actions that mitigate the risk and are reasonably calculated to protect such information. Of course, an educational agency or institution may use any method, combination of methods, or technologies it determines to be reasonable, taking into consideration the size, complexity, and resources available to the institution; the context of the information; the type of information to be protected (such as social security numbers or directory information); and methods used by other institutions in similar circumstances. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable.
One resource for administrators of electronic data systems is “The National Institute of Standards and Technology (NIST) 800-100, Information Security Handbook: A Guide for Managers” (October 2006). See http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf. A second resource is NIST 800-53, Information Security, which catalogs information security controls. See http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf. Similarly, a May 22, 2007, memorandum to heads of Federal agencies from the Office of Management and Budget requires executive departments and agencies to ensure that proper safeguards are in place to protect personally identifiable information that they maintain, eliminate the unnecessary use of SSNs, and develop and implement a “breach notification policy.” This memorandum, although directed towards Federal agencies, may also serve as a resource for educational agencies and institutions. See http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.
Finally, if an educational agency or institution has experienced a theft of files or computer equipment, hacking or other intrusion, software or hardware malfunction, inadvertent release of data to Internet sites, or other unauthorized release or disclosure of education records, the Department suggests consideration of one or more of the following steps:
• Report the incident to law enforcement authorities.
• Determine exactly what information was compromised, i.e., names, addresses, SSNs, ID numbers, credit card numbers, grades, and the like.
• Take steps immediately to retrieve data and prevent any further disclosures.
• Identify all affected records and students.
• Determine how the incident occurred, including which school officials had control of and responsibility for the information that was compromised.
• Determine whether institutional policies and procedures were breached, including organizational requirements governing access (user names, passwords, PINs, etc.); storage; transmission; and destruction of information from education records.
• Determine whether the incident occurred because of a lack of monitoring and oversight.
• Conduct a risk assessment and identify appropriate physical, technological, and administrative measures to prevent similar incidents in the future.
• Notify students that the Department's Office of Inspector General maintains a Web site describing steps students may take if they suspect they are a victim of identity theft at http://www.ed.gov/about/offices/list/oig/misused/idtheft.html; and http://www.ed.gov/about/offices/list/oig/misused/victim.html.
FERPA does not require an educational agency or institution to notify students that information from their education records was stolen or otherwise subject to an unauthorized release, although it does require the agency or institution to maintain a record of each disclosure. 34 CFR 99.32(a)(1). (However, student notification may be required in these circumstances for postsecondary institutions under the Federal Trade Commission's Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information (“Safeguards Rule”) in 16 CFR part 314.) In any case, direct student notification may be advisable if the compromised data includes student SSNs and other identifying information that could lead to identity theft.
Executive Order 12866
Under Executive Order 12866, the Secretary must determine whether this regulatory action is “significant” and therefore subject to the requirements of the Executive Order and subject to review by OMB. Section 3(f) of Executive Order 12866 defines a “significant regulatory action” as an action likely to result in a rule that may (1) have an annual effect on the economy of $100 million or more, or adversely affect a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local or tribal governments, or communities in a material way (also referred to as an “economically significant” rule); (2) create serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impacts of entitlement grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive order. The Secretary has determined that this regulatory action is significant under section 3(f)(4) of the Executive order.
1. Summary of Public Comments
The Department did not receive any comments on the analysis of the costs and benefits in the NPRM. However, since the publication of the NPRM, we have identified several information collection requirements that were not identified in the NPRM. We have added discussions of the costs and benefits of two information collection requirements in the following Summary of Costs and Benefits.
2. Summary of Costs and Benefits
Following is an analysis of the costs and benefits of the most significant changes to the FERPA regulations. In conducting this analysis, the Department examined the extent to which the regulations add to or reduce the costs of educational agencies and institutions and, where appropriate, State educational agencies (SEAs) and other State and local educational authorities in relation to their costs of complying with the FERPA regulations prior to these changes.
This analysis is based on data from the most recent Digest of Education Statistics (2007) published by the National Center for Education Statistics (NCES), which projects total enrollment for Fall 2008 of 49,812,000 students in public elementary and secondary schools and 18,264,000 students in postsecondary institutions; and a total of 97,382 public K-12 schools; 14,166 school districts; and 6,463 postsecondary institutions. (Excluded are data from private institutions that do not receive Federal funding from the Department and, therefore, are not subject to FERPA.) Based on this analysis, the Secretary has concluded that the changes in these regulations will not impose significant net costs on educational agencies and institutions. Analyses of specific provisions follow.
Alumni Records
The regulations in § 99.3 clarify the current exclusion from the definition of education records for records that only contain information about an individual after he or she is no longer a student, which is intended to cover records of alumni and similar activities. Some institutions have applied this exclusion to records that are created after a student has ceased attending the institution but that are directly related to his or her attendance as a student, such as investigatory reports and settlement agreements about incidents and injuries that occurred during the student's enrollment. The amendment will clarify that this provision applies only to records created or received by an educational agency or institution after an individual is no longer a student in attendance and that are not directly related to the individual's attendance as a student.
We believe that most of the more than 103,845 K-12 schools and postsecondary institutions subject to FERPA already adhere to this revised interpretation in the regulations and that for those that do not, the number of records affected is likely to be very small. Assuming that each year one half of one percent of the 68.1 million students enrolled in these institutions have one record each affected by the change, in the year following issuance of the regulations institutions will be required to try to obtain written consent before releasing 350,380 records that they would otherwise release without consent. We estimate that for the first year contacting the affected parent or student to seek and process written consent for these disclosures will take approximately one-half hour per record at an average cost of $32.67 per hour for a total cost of $5,562,068. (Compensation for administrative staff time is based on published estimates for 2005 from the Bureau of Labor Statistics' National Compensation Survey of $23.50 per hour plus an average 39 percent benefit load for Level 8 administrators in education and related fields.)
In terms of benefits, the change will protect the privacy of parents and students by clarifying the intent of this regulatory exclusion and help prevent the unlawful disclosure of these records. It will also provide greater legal certainty and therefore some cost savings for those agencies and institutions that may be required to litigate this issue in connection with a request under a State open records act or other legal proceeding. For these reasons, we believe that the overall benefits outweigh the potential costs of this change.
Exclusion of SSNs and ID Numbers From Directory Information
The proposed regulations in § 99.3 clarified that a student's SSN or student ID number is personally identifiable information that may not be disclosed as directory information under FERPA. The final regulations allow an educational agency or institution to designate and disclose student ID numbers as directory information if the number cannot be used by itself to gain access to education records, i.e., it is used like a name. SSNs may never be disclosed as directory information.
The principal effect of this change is that educational agencies and institutions may not post grades by the student's SSN or non-directory student ID number and may not include these identifiers with directory information they disclose about a student, such as a student's name, school, and grade level or class, on rosters, or on sign-in sheets that are made available to students and others. (Educational agencies and institutions may continue to include SSNs and non-directory student ID numbers on class rosters and schedules that are disclosed only to teachers and other school officials who have legitimate educational interests in this information.)
A class roster or sign-in sheet that contains or requires students to affix their SSN or non-directory student ID number makes that information available to every individual who signs in or sees the document and increases the risk that the information may be improperly used for purposes such as identity theft or to find out a student's grades or other confidential educational information. In regard to posting grades, an individual who knows which classes a particular student attends may be able to ascertain that student's SSN or non-directory student ID number by comparing class lists for repeat numbers. Because SSNs are not randomly generated, it may be possible to identify a student by State of origin based on the first three (area) digits of the number, or by date of issuance based on the two middle digits.
The Department does not have any actual data on how many class or test grades are posted by SSN or non-directory student ID number at this time, but we believe that the practice is rare or non-existent below the secondary level. Although the practice was once widespread, particularly at the postsecondary level, anecdotal evidence suggests that as a result of consistent training and informal guidance by the Department over the past several years, together with the increased attention States and privacy advocates have given to the use of SSNs, many institutions now either require teachers to use a code known only to the teacher and the student or prohibit the posting of grades entirely.
The most recent figures available from the Bureau of Labor Statistics (2007) indicate that there are approximately 2.7 million secondary and postsecondary teachers in the United States. As noted above, we assume that most of these teachers either do not post grades at all or already use a code known only to the teacher or student. We assume further that additional costs to deliver grades personally in the classroom or through electronic mail, instead of posting, will be minimal. For purposes of this analysis, we estimate that no more than five percent of 2.7 million, or 135,000 teachers, continue to post grades by SSN or non-directory student ID number and thus will need to convert to a code, which will require them to spend an average of one-half hour each semester establishing and managing grading codes for students. Since we do not know how many teachers at either education level will continue to post grades, and wages for postsecondary teachers are higher than secondary teacher wages, we use postsecondary teacher wages to ensure that the estimate encompasses the upper limit of possible costs. Using the Bureau of Labor Statistics' published estimate of average hourly wages of $42.98 for teachers at postsecondary institutions and an average 39 percent load for benefits, we estimate an average cost of $59.74 per teacher per year, for a total of $8,064,900. Parents and students should incur no costs except for the time they might have to spend to contact the school official if they forget the student's grading code.
This change will benefit parents and students and educational agencies and institutions by reducing the risk of identity theft associated with posting grades by SSN, and the risk of disclosing grades and other confidential educational information caused by posting grades by a non-directory student ID number. It is difficult to quantify the value of reducing the risk of identity theft. According to the Federal Trade Commission, however, for the past few years over one-third of complaints filed with that agency have been for identity theft. According to the Better Business Bureau, identity theft cost businesses nearly $57 billion in 2006, while victims spent an average of 40 hours resolving identity theft issues. It is even more difficult to measure the benefits of enhanced privacy protections for student grades and other confidential educational information from education records because the value individuals place on the privacy of this information varies considerably and because we are unable to determine how often it happens. Therefore, we have no basis to estimate the value of these enhanced privacy protections in relation to the expected costs to implement the changes.
Prohibit Use of SSN To Confirm Directory Information
The regulations will prevent an educational agency or institution (or a contractor providing services for an agency or institution) from using a student's SSN (or other non-directory information) to identify the student when releasing or confirming directory information. This occurs, for example, when a prospective employer or insurance company telephones an institution or submits an inquiry through the institution's Web site to find out whether a particular individual is enrolled in or has graduated from the institution. While this provision will apply to educational agencies and institutions at all grade levels, we believe that it will affect mainly postsecondary institutions because K-12 agencies and institutions typically do not provide enrollment and degree verification services.
A survey conducted in March 2002 by the American Association of Collegiate Registrars and Admissions Officers (AACRAO) showed that nearly half of postsecondary institutions used SSNs as the primary means to track students in academic databases. Since then, use of SSNs as a student identifier has decreased significantly in response to public concern about identity theft. While postsecondary institutions may continue to collect students' SSNs for financial aid and tax reporting purposes, many have ceased using the SSN as a student identifier either voluntarily or in compliance with State laws. Also, over the past several years the Department has provided training on this issue and published on the Office Web site a 2004 letter finding a postsecondary institution in violation of FERPA when its agent used a student's SSN, without consent, to search its database to verify that the student had received a degree (www.ed.gov/policy/gen/guid/fpco/ferpa/library/auburnuniv.html). Given these circumstances, we estimate that possibly one-quarter of the nearly 6,463 postsecondary institutions in the United States, or 1,616 institutions, may ask a requester to provide the student's SSN (or non-directory student ID number) in order to locate the record and respond to an inquiry for directory information.
Under the regulations an educational agency or institution that identifies students by SSN (or non-directory student ID number) when releasing directory information will either have to ensure that the student has provided written consent to disclose the number to the requester, or rely solely on a student's name and other properly designated directory information to identify the student, such as address, date of birth, dates of enrollment, year of graduation, major field of study, degree received, etc. Costs to an institution of ensuring that students have provided written consent for these disclosures, for example by requiring the requester to fax copies of each written consent to the institution or its contractor, or making arrangements to receive them electronically, could be substantial for large institutions and organizations that utilize electronic recordkeeping systems. Institutions may choose instead to conduct these verifications without using SSNs or non-directory student IDs, which may make it more difficult to ensure that the correct student has been identified because of the known problems in matching records without the use of a universal identifier. Increased institutional costs either to verify that the student has provided consent or to conduct a search without use of SSNs or non-directory student ID numbers should be less for smaller institutions, where the chances of duplicate records are decreased. Parents and students may incur additional costs if an employer, insurance company, or other requester is unable to verify enrollment or graduation based solely on directory information, and written consent for disclosure of the student's SSN or non-directory student ID number is required. Due to the difficulty in ascertaining actual costs associated with these transactions, we have no basis to estimate costs that educational agencies and institutions and parents and students will incur as a result of this change.
The enhanced privacy protections of this amendment will benefit students and parents by reducing the risk that third parties will disclose a student's SSN without consent and possibly confirm a questionable number for purposes of identity theft. Similarly, preventing institutions from implicitly confirming a questionable non-directory student ID number will help prevent unauthorized individuals from obtaining confidential information from education records. In evaluating the benefits or value of this change, we note that this provision does not affect any activity that an educational agency or institution is permitted to perform under FERPA or other Federal law, such as using SSNs to identify students and confirm their enrollment status for student loan purposes, which is permitted without consent under the financial aid exception in § 99.31.
User ID for Electronic Communications
The regulations will allow an educational agency or institution to disclose as directory information a student's ID number, user ID or other electronic identifier so long as the identifier functions like a name; that is, it cannot be used without a PIN, password, or some other authentication factor to gain access to education records. This change will impose no costs and will provide benefits in the form of regulatory relief allowing agencies and institutions to use directory services in electronic communications systems without incurring the administrative costs associated with obtaining student consent for these disclosures.
Costs related to honoring a student's decision to opt out of these disclosures will be minimal because we assume that only a small number of students will elect not to participate in electronic communications at their school. Applying this change to records of both K-12 and postsecondary students and assuming that one-tenth of one percent of parents and eligible students will opt out of these disclosures, we estimate that institutions will have to flag the records of approximately 68,000 students for opt-out purposes. We lack sufficient data on costs institutions currently incur to flag records for directory information opt-outs for other purposes, so we are unable to estimate the administrative and information technology costs institutions will incur to process these new directory information opt-outs resulting from this change.
Student Anonymity in the Classroom
The final regulations will ensure that parents and students do not use the right to opt out of directory information disclosures to remain anonymous in the classroom, by clarifying that opting out does not prevent disclosure of the student's name, institutional e-mail address, or electronic identifier in the student's physical or electronic classroom. We estimate that this change will result in a small net benefit to educational agencies and institutions because they will have greater legal certainty about the element of classroom administration, and it will reduce the institutional costs of responding to complaints from students and parents about the release of this information.
Disclosing Education Records to New School and to Party Identified as Source Record
The final regulations in § 99.31(a)(2) will allow an educational agency or institution to disclose education records, or personally identifiable information from education records, to a student's new school even after the student is already attending the new school so long as the disclosure relates to the student's enrollment in the new school. This change will provide regulatory relief by reducing legal uncertainty about how long a school may continue to send records or information to a student's new school, without consent, under the “seeks or intends to enroll” exception.
The amendment to the definition of disclosure in § 99.3 will allow a school that has concerns about the validity of a transcript, letter of recommendation, or other record to return these documents (or personally identifiable information from these documents) to the student's previous school or other party identified as the source of the record in order to resolve questions about their validity. Combined with the change to § 99.31(a)(2), discussed earlier in this analysis, this change will also allow the student's previous school to continue to send education records, or clarification about education records, to the student's new school in response to questions about the validity or meaning of records sent previously by that party. We are unable to determine how much it will cost educational agencies and institutions to return potentially fraudulent documents to the party identified as the sender because we do not have any basis for estimating how often this occurs. However, we believe that these changes will provide significant regulatory relief to educational agencies and institutions by helping to reduce transcript and other educational fraud based on falsified records.
Outsourcing
The regulations in § 99.31(a)(1)(i) will allow educational agencies and institutions to disclose education records, or personally identifiable information from education records, without consent to contractors, volunteers, and other non-employees performing institutional services and functions as school officials with legitimate educational interests. An educational agency or institution that uses non-employees to perform institutional service and functions will have to amend its annual notification of FERPA rights to include these parties as school officials with legitimate educational interests.
This change will provide regulatory relief by permitting, and clarifying the conditions for, non-consensual disclosure of education records. Our experience suggests that virtually all of the more than 103,000 schools subject to FERPA will take advantage of this provision. We have no actual data on how many school districts publish annual FERPA notifications for the 97,382 K-12 public schools included in this total and, therefore, how many entities will be affected by this requirement. However, because educational agencies and institutions were already required under previous regulations to publish a FERPA notification annually, we believe that costs to include this new information will be minimal.
Access Control and Tracking
The regulations in § 99.31(a)(1)(ii) will require an educational agency or institution to use reasonable methods to ensure that teachers and other school officials obtain access to only those education records in which they have legitimate educational interests. This requirement will apply to records in any format, including computerized or electronic records and paper, film, and other hard copy records. An educational agency or institution that chooses not to restrict access to education records with physical or technological controls, such as locked cabinets and role-based software security, must ensure that its administrative policy for controlling access is effective and that it remains in compliance with the legitimate educational interest requirement.
Administrative experience has shown that schools that allow teachers and other school officials to have unrestricted access to education records tend to have more problems with unauthorized disclosures, such as school officials obtaining access to education records for personal rather than professional reasons. Preventing unrestricted access to education records by teachers and other school officials will benefit parents and students by helping to ensure that education records are used only for legitimate educational purposes. It will also help ensure that education records are not accessed or disclosed inadvertently.
Information gathered by the Director of the Office at numerous FERPA training sessions and seminars, along with recent discussions with software vendors and educational organizations, indicates that the vast majority of mid- and large-size school districts and postsecondary institutions currently use commercial software for student information systems. These systems generally include role-based security features that allow administrators to control access to specific records, screens, or fields according to a school official's duties and responsibilities. These systems also typically contain transactional logging features that document or track a user's actual access to particular records, which will help ensure that an agency's or institution's access control methods are effective. Educational agencies and institutions that already have these systems will incur no additional costs to comply with the regulations.
For purposes of this analysis we excluded from a total of 14,166 school districts and 6,463 postsecondary institutions those with more than 1,000 students, for a total of 6,887 small K-12 districts and 3,906 small postsecondary institutions that may not have software with access control security features. The discussions that the Director of the Office has had with numerous SEAs and local districts suggest that the vast majority of these small districts and institutions do not make education records available to school officials electronically or by computer but instead use some system of administrative and physical controls.
We estimate for this analysis that 15 percent, or 1,619, of these small districts and institutions use home-built computerized or electronic systems that may not have the role-based security features of commercial software. The most recent published estimate we have for software costs comes from the final Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy Rule) published by the Department of Health and Human Services (HHS) on December 28, 2000, which estimated that the initial per-hospital cost of software upgrades to track the disclosure of medical records would be $35,000 (65 FR 82768). We assume that costs will be comparable for education records, and, as discussed above, software that tracks disclosure history can also be used to control or restrict access to electronic records. Based on these assumptions, if 1,619 small K-12 districts and postsecondary institutions decide to purchase student information software rather than rely on administrative policies to comply with the regulations, they will incur estimated costs of $56,665,000. We estimate that the remaining 9,174 small districts and institutions will not purchase new software because they do not make education records available electronically and rely instead on less costly administrative and physical methods to control access to records by school officials. Those that provide school officials with open access to hard copy education records may incur new costs to track actual disclosures to help ensure that they remain in compliance with legitimate educational interests requirements. We assume that these districts and institutions may devote some additional administrative staff time to procedures such as keeping logs of school officials who access records. 
However, no reliable estimates exist for the average number of teachers and other school officials who access education records or the number of times access is sought, so we are unable to estimate the cost of restricting or tracking actual disclosures of hard copy education records to school officials.
Education Research
The regulations in § 99.31(a)(6)(ii)(C) require an educational agency or institution to enter into a written agreement before disclosing personally identifiable information from education records, without consent, to organizations conducting studies for, or on behalf of, the educational agency or institution to: (a) Develop, validate, or administer predictive tests; (b) administer student aid programs; or (c) improve instruction. The written agreement must specify the purpose or purposes, scope, and duration of the study or studies and the information to be disclosed, require the organization to conduct the study in a manner that does not permit personal identification of parents and students by anyone other than representatives of the organization with legitimate interests, require the destruction or return of the information to the educational agency or institution when the study is completed, and specify the time period for destruction or return of the information. We believe that the additional cost of entering into written agreements to comply with this change is unlikely to be significant because most educational agencies and institutions already specify the terms under which personally identifiable information can be used when it is disclosed to organizations for these types of studies. Although this change will create an additional information collection requirement, we believe the benefits of the written agreement outweigh the costs, because it will ensure better compliance with FERPA and provide clarity for both researchers and educational agencies and institutions about the restrictions and use of personally identifiable information disclosed under § 99.31(a)(6) for studies.
Identification and Authentication of Identity
The regulations in § 99.31(c) require educational agencies and institutions to use reasonable methods to identify and authenticate the identity of parents, students, school officials and other parties to whom the agency or institution discloses personally identifiable information from education records. The use of widely available information to authenticate identity, such as the recipient's name, date of birth, SSN or student ID number, is not considered reasonable under the regulations.
The regulations will impose no new costs for educational agencies and institutions that disclose hard-copy records through the U.S. postal service or private delivery services with use of the recipient's name and last known official address.
We were unable to find reliable data that would allow us to estimate the additional administrative time that educational agencies and institutions will spend checking photo ID against school records or using other reasonable methods, as appropriate, to identify and authenticate the identity of students, parents, and other parties to whom the agency or institution discloses education records in person.
Authentication of identity for electronic or telephonic access to education records involves a wider array of security options because of continuing advances in technologies, but is not necessarily more costly than authentication of identity for hard-copy records. We assume that educational agencies and institutions that require users to enter a secret password or PIN to authenticate identity will deliver the password or PIN through the U.S. postal service or in person. We estimate that no new costs will be associated with this process because agencies and institutions already have direct contact with parents, eligible students, and school officials for a variety of other purposes and will use these opportunities to deliver a secret authentication factor.
As noted in the preamble to the NPRM, 73 FR 15585, single-factor authentication of identity, such as a standard form user name combined with a secret password or PIN, may not provide reasonable protection for access to all types of education records or under all circumstances. We lack a basis for estimating costs of authenticating identity when educational agencies and institutions allow authorized users to access sensitive personal or financial information in electronic records for which single-factor authentication would not be reasonable.
Redisclosure and Recordkeeping
The regulations allow the officials and agencies listed in § 99.31(a)(3) (the U.S. Comptroller General, the U.S. Attorney General, the Secretary, and State and local educational authorities) to redisclose education records, or personally identifiable information from education records, without consent under the same conditions that apply currently to other recipients of education records under § 99.33(b). This change provides substantial regulatory relief to these parties by allowing them to redisclose information on behalf of educational agencies and institutions under any provision in § 99.31(a), which allows disclosure of education records without consent. For example, States will be able to consolidate K-16 education records under the SEA or State higher educational authority without having to obtain written consent under § 99.30. Parties that currently request access to records from individual school districts and postsecondary institutions will in many instances be able to obtain the same information in a more cost-effective manner from the appropriate State educational authority or the Department.
In accordance with the current regulations in § 99.32(b), an educational agency or institution must record any redisclosure of education records made on its behalf under § 99.33(b), including the names of the additional parties to which the receiving party may redisclose the information and their legitimate interests or basis for the disclosure without consent under § 99.31 in obtaining the information. The regulations require SEAs and other State educational authorities (such as higher education authorities), the Secretary, and other officials or agencies listed in § 99.31(a)(3) that make further disclosures on behalf of an educational agency or institution to maintain the record of redisclosure required under § 99.32(b) if the educational agency or institution has not recorded the redisclosure or if the information was obtained from another State or Federal official or agency listed in § 99.31(a)(3). The regulations also require the State or Federal official or agency listed in § 99.31(a)(3) to provide a copy of its record of redisclosures to the educational agency or institution upon request. In addition, an educational agency or institution must maintain with each student's record of disclosures the names of State and local educational authorities and Federal officials and agencies that may make further disclosures from the student's records without consent under § 99.33(b) and must obtain a copy of the record of redisclosure, if any, maintained by the State or Federal official that redisclosed information on behalf of the agency or institution.
State educational authorities and Federal officials listed in § 99.31(a)(3) will incur new administrative costs if they maintain the record of redisclosure for the educational agency or institution on whose behalf they redisclose education records under the regulations. We estimate that two educational authorities or agencies in each State and the District of Columbia (one for K-12 and one for postsecondary) and the Department itself, for a total of 103 authorities, will maintain the required records of redisclosures. (We anticipate that educational agencies and institutions will record under § 99.32(b)(1) any further disclosures made by the other Federal officials listed in § 99.31(a)(3), the U.S. Comptroller General and the U.S. Attorney General.) We estimate further that these authorities will need to record two redisclosures per year from their records and that it will take one hour of administrative time to record each redisclosure electronically at an average hourly rate of $32.67, for a total annual administrative cost of $6,730. (Compensation for administrative staff time is explained earlier in this analysis.) We also assume for purposes of this analysis that State educational authorities and the Department already have software that will allow them to record these disclosures electronically.
State educational authorities and Federal officials that maintain records of redisclosures will also have to make that information available to the educational agency or institution whose records were redisclosed, upon request, so that the agency or institution can make that record available to a parent or eligible student who has asked to inspect and review the student's record of disclosures. We assume that few parents and students request this information and, therefore, use an estimate that one tenth of one percent of a total of 68.1 million students will make such a request each year, or 68,076 requests. If it takes one-quarter of an hour to locate and print a record of disclosures at an average administrative hourly rate of $32.67, the average annual administrative cost for State and Federal officials and agencies to provide this service will be $556,011, plus mailing costs (at $.42 per letter) of $28,592, for a total of $584,603. We estimate that educational agencies and institutions themselves will incur comparable costs when they ask State and Federal officials to send them these records of redisclosure and then make them available to parents and students. We note that printing and mailing costs may be reduced to the extent that e-mail is used to transmit the record, and if parents or students pick up the record on-site, but we do not have information to estimate these potential savings.
The Department believes that these changes will result in a net benefit to educational agencies and institutions because they will not have to record further disclosures made by State and Federal authorities and officials who redisclose information from education records on their behalf and will not have to ask for a copy unless a parent or eligible student asks to inspect and review the student's record of disclosures. State and Federal authorities and officials will also benefit because they will not have to provide their record of further disclosures to anyone unless the educational agency or institution asks for a copy. Overall, the costs to State and Federal authorities to record their own redisclosures will be offset by the savings that educational agencies and institutions will realize by not having to record the disclosures themselves.
Notification of Compliance With Court Order or Subpoena
The regulations in § 99.33(b)(2) require any party that rediscloses education records in compliance with a court order or subpoena under § 99.31(a)(9) to provide the notice to parents and eligible students required under § 99.31(a)(9)(ii). We anticipate that this provision will affect mostly State and local educational authorities, which maintain education records they have obtained from their constituent districts and institutions and, under § 99.35(b), may redisclose the information, without consent, in compliance with a court order or subpoena under § 99.31(a)(9).
There is no change in costs as a result of shifting responsibility for notification to the disclosing party under this change. However, we believe that minimizing or eliminating uncertainty about which party is legally responsible for the notification will result in a net benefit to all parties.
Health or Safety Emergency
The regulations in § 99.32(a)(5) require that a school that discloses information under the health and safety emergency exception in § 99.36 record the articulable and significant threat that formed the basis for the disclosure and the parties to whom the education records were disclosed. Because § 99.32(a) already requires schools to record disclosures made under § 99.36, including the legitimate interests the parties had in requesting or obtaining the information, we believe these changes will not create any significant additional administrative costs for schools and that the benefit of including the legitimate interests the parties had in requesting or obtaining the information outweighs the costs.
Directory Information Opt Outs
The regulations in § 99.37(b) clarify that while an educational agency or institution is not required to notify former students under § 99.37(a) about the institution's directory information policy or allow former students to opt out of directory information disclosures, they must continue to honor a parent's or student's decision to opt out of directory information disclosures after the student leaves the institution. Most agencies and institutions should already comply with this requirement because of informal guidance and training provided by FPCO.
Parents and students will benefit from this clarification because it will help ensure that schools do not invalidate the parent's or student's decisions on directory information disclosures after the student is no longer in attendance. It will also benefit schools by eliminating any uncertainty they may have about whether they must continue to honor an opt out once the student is no longer in attendance. We have insufficient information to estimate the number of institutions affected and the additional costs involved in changing systems to maintain opt-out flags on education records of former students.
Paperwork Reduction Act of 1995
Following publication of the NPRM, we provided, through a notice published in the Federal Register (73 FR 28810, May 19, 2008) opportunity for the public to comment on information collections in the current regulations, and indicated in that notice the pendency of the NPRM. Additionally, based on comments received in response to the NPRM, we have identified several information collection requirements associated with these regulations. We describe these information collections in the following paragraphs and will be submitting these sections to OMB for review and approval. We note that the Paperwork Reduction Act of 1995 does not require a response to these information collection requirements unless they display a valid OMB control number. A valid OMB control number will be assigned to the information collection requirements at the end of the affected sections of the regulations.
(1) § 99.31(a)(6)(ii)
FERPA permits an educational agency or institution to disclose personally identifiable information from education records, without consent, to organizations conducting studies for or on behalf of the agency or institution for purposes of testing, student aid, and improvement of instruction. In the NPRM, we proposed to add § 99.31(a)(6)(ii) to require that an educational agency or institution disclose personally identifiable information under § 99.31(a)(6)(i) only if it enters into a written agreement with the organization specifying the purposes of the study. Under these final regulations, this written agreement must specify the purpose, scope, and duration of the study or studies and the information to be disclosed; require the organization to use personally identifiable information from education records only to meet the purpose or purposes of the study as stated in the written agreement; require the organization to conduct the study in a manner that does not permit personal identification of parents and students by individuals other than representatives with legitimate interest of the organization that conducts the study; require the organization to destroy the information or return it to the educational agency or institution when it is no longer needed for the purposes for which the study was conducted; and specify the time period for the destruction or return of the information.
The Department did not identify in the NPRM the requirement in § 99.31(a)(6)(ii) as an information collection requirement under the Paperwork Reduction Act of 1995 and did not realize this would be an information collection requirement until a commenter brought this matter to our attention. The commenter pointed out that, while this change created another paperwork burden for school districts, the commenter did not object to the written agreement requirement because putting the requirements regarding the use and destruction of data in writing may improve compliance with FERPA. The Department agrees with the comment.
(2) § 99.32(a)(1)
Under FERPA, an educational agency or institution is required to record its disclosures of personally identifiable information from education records, even when it discloses information to its own State educational authority. This statutory requirement is reflected in the current FERPA regulations. The final regulations permit the State and local educational authorities and Federal officials listed in § 99.31(a)(3) to make further disclosures of personally identifiable information from education records on behalf of the educational agency or institution in accordance with the requirements of § 99.33(b) and require them to record these further disclosures of § 99.33(b) if the educational agency or institution does not do so. We have included provisions in the final regulations that require educational agencies and institutions to maintain a listing in each student's record of the State and local educational authorities and Federal officials and agencies that may make further disclosures of the student's education records without consent so that parents and eligible students will be made aware of these further disclosures.
(3) § 99.32(a)(4)
Under this new provision, parents and eligible students will be able to inspect and review any further disclosures that were made by any of the parties listed under § 99.31(a)(3) by asking the educational agency or institution to obtain a copy of the record of further disclosures. We believe that this is only a minor paperwork burden for schools because it would involve asking officials to whom they have disclosed education records for the record of further disclosure or, in the case of some SEAs, accessing the State database for this information. Also, we do not expect that a large number of parents and eligible students will ask to see the record of further disclosures.
(4) § 99.32(a)(5)
During the development of the final regulations, we identified another change to the recordation requirements of § 99.32 that would require the collection of information. In response to several comments we received regarding changes to FERPA's “health or safety emergency exception” in § 99.36, we have amended § 99.32(a) to include a new recordation requirement. Specifically, we have added a paragraph to the recordation requirement that requires that for any disclosures under § 99.36 a school must record the articulable and significant threat to the health or safety of a student or other individuals that formed the basis for the disclosure and the parties to whom the agency or institution disclosed information.
The Secretary believes that this is only a minor paperwork burden for schools because schools are already required to record disclosures made under § 99.36. The new language in § 99.32(a)(5) simply clarifies the type of information that must be recorded when a school discloses personally identifiable information in response to a health or safety emergency, either for one student or for all students in a school.
(5) § 99.32(b)(2)
In the NPRM, we specifically noted that the Department was interested in relieving any administrative burdens associated with recording disclosures of education records and, therefore, invited public comment on whether an SEA, the Department, or other authority or official listed in § 99.31(a)(3) should be allowed to maintain the record of the redisclosures it makes on behalf of an educational agency or institution under § 99.32(b).
Several commenters stated that an SEA (or other authority or official listed in § 99.31(a)(3)) should be responsible for maintaining the record of disclosure required under § 99.32 when it rediscloses information on behalf of educational agencies and institutions. The commenters stated that requiring each educational agency or institution, such as school districts, to record each redisclosure made by an SEA or other State educational authority on its behalf imposes an unacceptable recordkeeping burden on school districts and is impractical for State educational authorities to adhere to in making further disclosures on behalf of the agency or institution. In response to these comments, we are revising § 99.32 to require the State and local educational authorities and Federal officials listed in § 99.31(a)(3) to maintain the record of further disclosures if the educational agency or institution does not do so and make it available to the educational agency or institution upon request. We agree that by requiring State and Federal authorities and officials to record their redisclosures in these circumstances school districts will have less total paperwork burden because schools will not have to comply with the recordkeeping requirement in these instances.
Assessment of Educational Impact
In the NPRM, and in accordance with section 411 of the General Education Provisions Act, 20 U.S.C. 1221e-4, we requested comments on whether the proposed regulations would require transmission of information that any other agency or authority of the United States gathers or makes available.
Based on the response to the NPRM and on our review, we have determined that these final regulations do not require transmission of information that any other agency or authority of the United States gathers or makes available.
Electronic Access to This Document
You may view this document, as well as all other Department of Education documents published in the Federal Register, in text or Adobe Portable Document Format (PDF) on the Internet at the following site: www.ed.gov/news/fedregister.
To use PDF you must have Adobe Acrobat Reader, which is available free at this site. If you have questions about using PDF, call the U.S. Government Printing Office (GPO), toll free, at 1-888-293-6498; or in the Washington, DC area at (202) 512-1530.
Note:
The official version of this document is the document published in the Federal Register. Free Internet access to the official edition of the Federal Register and the Code of Federal Regulations is available on GPO Access at www.gpoaccess.gov/nara/index.html.
(Catalog of Federal Domestic Assistance Number does not apply.)
List of Subjects in 34 CFR Part 99
Administrative practice and procedure, Directory information, Education records, Information, Parents, Privacy, Records, Social Security Numbers, Students.
Dated: December 2, 2008.
Margaret Spellings,
Secretary of Education.
For the reasons discussed in the preamble, the Secretary amends part 99 of title 34 of the Code of Federal Regulations as follows:
PART 99—FAMILY EDUCATIONAL RIGHTS AND PRIVACY
1. The authority citation for part 99 continues to read as follows:
Authority:
20 U.S.C. 1232g, unless otherwise noted.
2. Section 99.2 is amended by revising the note following the authority citation to read as follows:
§ 99.2
Note to § 99.2:
34 CFR 300.610 through 300.626 contain requirements regarding the confidentiality of information relating to children with disabilities who receive evaluations, services or other benefits under Part B of the Individuals with Disabilities Education Act (IDEA). 34 CFR 303.402 and 303.460 identify the confidentiality of information requirements regarding children and infants and toddlers with disabilities and their families who receive evaluations, services, or other benefits under Part C of IDEA. 34 CFR 300.610 through 300.627 contain the confidentiality of information requirements that apply to personally identifiable data, information, and records collected or maintained pursuant to Part B of the IDEA.
3. Section 99.3 is amended by:
A. Adding, in alphabetical order, a definition of Biometric record.
B. Revising the definitions of Attendance, Directory information, Disclosure, and Personally identifiable information.
C. In the definition of Education records, revising paragraph (b)(5) and adding a new paragraph (b)(6).
These additions and revisions read as follows:
§ 99.3
Attendance includes, but is not limited to—
(a) Attendance in person or by paper correspondence, videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom; and
(b) The period during which a person is working under a work-study program.
(Authority: 20 U.S.C. 1232g)
Biometric record, as used in the definition of personally identifiable information, means a record of one or more measurable biological or behavioral characteristics that can be used for automated recognition of an individual. Examples include fingerprints; retina and iris patterns; voiceprints; DNA sequence; facial characteristics; and handwriting.
(Authority: 20 U.S.C. 1232g)
Directory information means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.
(a) Directory information includes, but is not limited to, the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors and awards received; and the most recent educational agency or institution attended.
(b) Directory information does not include a student's—
(1) Social security number; or
(2) Student identification (ID) number, except as provided in paragraph (c) of this section.
(c) Directory information includes a student ID number, user ID, or other unique personal identifier used by the student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the authorized user.
(Authority: 20 U.S.C. 1232g(a)(5)(A))
Disclosure means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written, or electronic means, to any party except the party identified as the party that provided or created the record.
(Authority: 20 U.S.C. 1232g(b)(1) and (b)(2))
Education Records
(b) * * *
(5) Records created or received by an educational agency or institution after an individual is no longer a student in attendance and that are not directly related to the individual's attendance as a student.
(6) Grades on peer-graded papers before they are collected and recorded by a teacher.
Personally Identifiable Information
The term includes, but is not limited to—
(a) The student's name;
(b) The name of the student's parent or other family members;
(c) The address of the student or student's family;
(d) A personal identifier, such as the student's social security number, student number, or biometric record;
(e) Other indirect identifiers, such as the student's date of birth, place of birth, and mother's maiden name;
(f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
(g) Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
(Authority: 20 U.S.C. 1232g)
4. Section 99.5 is amended by redesignating paragraph (a) as paragraph (a)(1) and adding a new paragraph (a)(2) to read as follows:
§ 99.5
(a)(1) * * *
(2) Nothing in this section prevents an educational agency or institution from disclosing education records, or personally identifiable information from education records, to a parent without the prior written consent of an eligible student if the disclosure meets the conditions in § 99.31(a)(8), § 99.31(a)(10), § 99.31(a)(15), or any other provision in § 99.31(a).
5. Section 99.31 is amended by:
A. Redesignating paragraph (a)(1) as paragraph (a)(1)(i)(A) and adding new paragraphs (a)(1)(i)(B) and (a)(1)(ii).
B. Revising paragraph (a)(2).
C. Redesignating paragraphs (a)(6)(iii) and (a)(6)(iv) as paragraphs (a)(6)(iv) and (a)(6)(v), respectively.
D. Revising paragraph (a)(6)(ii).
E. Adding a new paragraph (a)(6)(iii).
F. In paragraph (a)(9)(ii)(A), removing the word “or” after the punctuation “;”.
G. In paragraph (a)(9)(ii)(B), removing the punctuation “.” and adding in its place the word “; or”.
H. Adding paragraph (a)(9)(ii)(C).
I. Adding paragraph (a)(16).
J. Revising paragraph (b).
K. Adding paragraphs (c) and (d).
L. Revising the authority citation at the end of the section.
The additions and revisions read as follows:
§ 99.31
(a) * * *
(1)(i)(A) * * *
(B) A contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions may be considered a school official under this paragraph provided that the outside party—
( 1 ) Performs an institutional service or function for which the agency or institution would otherwise use employees;
( 2 ) Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and
( 3 ) Is subject to the requirements of § 99.33(a) governing the use and redisclosure of personally identifiable information from education records.
(ii) An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement in paragraph (a)(1)(i)(A) of this section.
(2) The disclosure is, subject to the requirements of § 99.34, to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student's enrollment or transfer.
Note:
Section 4155(b) of the No Child Left Behind Act of 2001, 20 U.S.C. 7165(b), requires each State to assure the Secretary of Education that it has a procedure in place to facilitate the transfer of disciplinary records with respect to a suspension or expulsion of a student by a local educational agency to any private or public elementary or secondary school in which the student is subsequently enrolled or seeks, intends, or is instructed to enroll.
(6)(i) * * *
(ii) An educational agency or institution may disclose information under paragraph (a)(6)(i) of this section only if—
(A) The study is conducted in a manner that does not permit personal identification of parents and students by individuals other than representatives of the organization that have legitimate interests in the information;
(B) The information is destroyed when no longer needed for the purposes for which the study was conducted; and
(C) The educational agency or institution enters into a written agreement with the organization that—
( 1 ) Specifies the purpose, scope, and duration of the study or studies and the information to be disclosed;
( 2 ) Requires the organization to use personally identifiable information from education records only to meet the purpose or purposes of the study as stated in the written agreement;
( 3 ) Requires the organization to conduct the study in a manner that does not permit personal identification of parents and students, as defined in this part, by anyone other than representatives of the organization with legitimate interests; and
( 4 ) Requires the organization to destroy or return to the educational agency or institution all personally identifiable information when the information is no longer needed for the purposes for which the study was conducted and specifies the time period in which the information must be returned or destroyed.
(iii) An educational agency or institution is not required to initiate a study or agree with or endorse the conclusions or results of the study.
(9) * * *
(ii) * * *
(C) An ex parte court order obtained by the United States Attorney General (or designee not lower than an Assistant Attorney General) concerning investigations or prosecutions of an offense listed in 18 U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism as defined in 18 U.S.C. 2331.
(16) The disclosure concerns sex offenders and other individuals required to register under section 170101 of the Violent Crime Control and Law Enforcement Act of 1994, 42 U.S.C. 14071, and the information was provided to the educational agency or institution under 42 U.S.C. 14071 and applicable Federal guidelines.
(b)(1) De-identified records and information. An educational agency or institution, or a party that has received education records or information from education records under this part, may release the records or information without the consent required by § 99.30 after the removal of all personally identifiable information provided that the educational agency or institution or other party has made a reasonable determination that a student's identity is not personally identifiable, whether through single or multiple releases, and taking into account other reasonably available information.
(2) An educational agency or institution, or a party that has received education records or information from education records under this part, may release de-identified student level data from education records for the purpose of education research by attaching a code to each record that may allow the recipient to match information received from the same source, provided that—
(i) An educational agency or institution or other party that releases de-identified data under paragraph (b)(2) of this section does not disclose any information about how it generates and assigns a record code, or that would allow a recipient to identify a student based on a record code;
(ii) The record code is used for no purpose other than identifying a de-identified record for purposes of education research and cannot be used to ascertain personally identifiable information about a student; and
(iii) The record code is not based on a student's social security number or other personal information.
(c) An educational agency or institution must use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the agency or institution discloses personally identifiable information from education records.
(d) Paragraphs (a) and (b) of this section do not require an educational agency or institution or any other party to disclose education records or information from education records to any party.
(Authority: 20 U.S.C. 1232g(a)(5)(A), (b), (h), (i), and (j)).
6. Section 99.32 is amended by:
A. Revising paragraph (a)(1).
B. Adding new paragraphs (a)(4) and (a)(5).
C. Redesignating paragraphs (b)(1) and (b)(2) as paragraphs (b)(1)(i) and (b)(1)(ii) and redesignating paragraph (b), introductory text, as paragraph (b)(1).
D. Revising newly redesignated paragraph (b)(1).
E. Adding a new paragraph (b)(2).
F. Revising paragraph (d)(5).
The additions and revisions read as follows:
§ 99.32
(a)(1) An educational agency or institution must maintain a record of each request for access to and each disclosure of personally identifiable information from the education records of each student, as well as the names of State and local educational authorities and Federal officials and agencies listed in § 99.31(a)(3) that may make further disclosures of personally identifiable information from the student's education records without consent under § 99.33(b).
(4) An educational agency or institution must obtain a copy of the record of further disclosures maintained under paragraph (b)(2) of this section and make it available in response to a parent's or eligible student's request to review the record required under paragraph (a)(1) of this section.
(5) An educational agency or institution must record the following information when it discloses personally identifiable information from education records under the health or safety emergency exception in § 99.31(a)(10) and § 99.36:
(i) The articulable and significant threat to the health or safety of a student or other individuals that formed the basis for the disclosure; and
(ii) The parties to whom the agency or institution disclosed the information.
(b)(1) Except as provided in paragraph (b)(2) of this section, if an educational agency or institution discloses personally identifiable information from education records with the understanding authorized under § 99.33(b), the record of the disclosure required under this section must include:
(2)(i) A State or local educational authority or Federal official or agency listed in § 99.31(a)(3) that makes further disclosures of information from education records under § 99.33(b) must record the names of the additional parties to which it discloses information on behalf of an educational agency or institution and their legitimate interests in the information under § 99.31 if the information was received from:
(A) An educational agency or institution that has not recorded the further disclosures under paragraph (b)(1) of this section; or
(B) Another State or local educational authority or Federal official or agency listed in § 99.31(a)(3).
(ii) A State or local educational authority or Federal official or agency that records further disclosures of information under paragraph (b)(2)(i) of this section may maintain the record by the student's class, school, district, or other appropriate grouping rather than by the name of the student.
(iii) Upon request of an educational agency or institution, a State or local educational authority or Federal official or agency listed in § 99.31(a)(3) that maintains a record of further disclosures under paragraph (b)(2)(i) of this section must provide a copy of the record of further disclosures to the educational agency or institution within a reasonable period of time not to exceed 30 days.
(d) * * *
(5) A party seeking or receiving records in accordance with § 99.31(a)(9)(ii)(A) through (C).
7. Section 99.33 is amended by revising paragraphs (b), (c), (d), and (e) to read as follows:
§ 99.33
(b)(1) Paragraph (a) of this section does not prevent an educational agency or institution from disclosing personally identifiable information with the understanding that the party receiving the information may make further disclosures of the information on behalf of the educational agency or institution if—
(i) The disclosures meet the requirements of § 99.31; and
(ii)(A) The educational agency or institution has complied with the requirements of § 99.32(b); or
(B) A State or local educational authority or Federal official or agency listed in § 99.31(a)(3) has complied with the requirements of § 99.32(b)(2).
(2) A party that receives a court order or lawfully issued subpoena and rediscloses personally identifiable information from education records on behalf of an educational agency or institution in response to that order or subpoena under § 99.31(a)(9) must provide the notification required under § 99.31(a)(9)(ii).
(c) Paragraph (a) of this section does not apply to disclosures under §§ 99.31(a)(8), (9), (11), (12), (14), (15), and (16), and to information that postsecondary institutions are required to disclose under the Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act, 20 U.S.C. 1092(f) (Clery Act), to the accuser and accused regarding the outcome of any campus disciplinary proceeding brought alleging a sexual offense.
(d) An educational agency or institution must inform a party to whom disclosure is made of the requirements of paragraph (a) of this section except for disclosures made under §§ 99.31(a)(8), (9), (11), (12), (14), (15), and (16), and to information that postsecondary institutions are required to disclose under the Clery Act to the accuser and accused regarding the outcome of any campus disciplinary proceeding brought alleging a sexual offense.
(e) If this Office determines that a third party outside the educational agency or institution improperly rediscloses personally identifiable information from education records in violation of this section, or fails to provide the notification required under paragraph (b)(2) of this section, the educational agency or institution may not allow that third party access to personally identifiable information from education records for at least five years.
8. Section 99.34 is amended by revising paragraph (a)(1)(ii) to read as follows:
§ 99.34
(a) * * *
(1) * * *
(ii) The annual notification of the agency or institution under § 99.7 includes a notice that the agency or institution forwards education records to other agencies or institutions that have requested the records and in which the student seeks or intends to enroll or is already enrolled so long as the disclosure is for purposes related to the student's enrollment or transfer;
9. Section 99.35 is amended by revising paragraphs (a) and (b)(1) to read as follows:
§ 99.35
(a)(1) Authorized representatives of the officials or agencies headed by officials listed in § 99.31(a)(3) may have access to education records in connection with an audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs.
(2) Authority for an agency or official listed in § 99.31(a)(3) to conduct an audit, evaluation, or compliance or enforcement activity is not conferred by the Act or this part and must be established under other Federal, State, or local authority.
(b) * * *
(1) Be protected in a manner that does not permit personal identification of individuals by anyone other than the officials or agencies headed by officials referred to in paragraph (a) of this section, except that those officials and agencies may make further disclosures of personally identifiable information from education records on behalf of the educational agency or institution in accordance with the requirements of § 99.33(b); and
10. Section 99.36 is amended by revising paragraphs (a) and (c) to read as follows:
§ 99.36
(a) An educational agency or institution may disclose personally identifiable information from an education record to appropriate parties, including parents of an eligible student, in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.
(c) In making a determination under paragraph (a) of this section, an educational agency or institution may take into account the totality of the circumstances pertaining to a threat to the health or safety of a student or other individuals. If the educational agency or institution determines that there is an articulable and significant threat to the health or safety of a student or other individuals, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health or safety of the student or other individuals. If, based on the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination.
11. Section 99.37 is amended by:
A. Revising paragraph (b).
B. Adding new paragraphs (c) and (d).
The revision and additions read as follows:
§ 99.37
(b) An educational agency or institution may disclose directory information about former students without complying with the notice and opt out conditions in paragraph (a) of this section. However, the agency or institution must continue to honor any valid request to opt out of the disclosure of directory information made while a student was in attendance unless the student rescinds the opt out request.
(c) A parent or eligible student may not use the right under paragraph (a)(2) of this section to opt out of directory information disclosures to prevent an educational agency or institution from disclosing or requiring a student to disclose the student's name, identifier, or institutional e-mail address in a class in which the student is enrolled.
(d) An educational agency or institution may not disclose or confirm directory information without meeting the written consent requirements in § 99.30 if a student's social security number or other non-directory information is used alone or combined with other data elements to identify or help identify the student or the student's records.
12. Section 99.62 is revised to read as follows:
§ 99.62
The Office may require an educational agency or institution to submit reports, information on policies and procedures, annual notifications, training materials, and other information necessary to carry out its enforcement responsibilities under the Act or this part.
(Authority: 20 U.S.C. 1232g(f) and (g))
§ 99.63
13. Section 99.63 is amended by removing the mail code designation “4605” before the punctuation “.”
14. Section 99.64 is amended by:
A. Revising the section heading.
B. Revising paragraphs (a) and (b).
The revisions read as follows:
§ 99.64
(a) A complaint must contain specific allegations of fact giving reasonable cause to believe that a violation of the Act or this part has occurred. A complaint does not have to allege that a violation is based on a policy or practice of the educational agency or institution.
(b) The Office investigates a timely complaint filed by a parent or eligible student, or conducts its own investigation when no complaint has been filed or a complaint has been withdrawn, to determine whether an educational agency or institution has failed to comply with a provision of the Act or this part. If the Office determines that an educational agency or institution has failed to comply with a provision of the Act or this part, it may also determine whether the failure to comply is based on a policy or practice of the agency or institution.
15. Section 99.65 is revised to read as follows:
§ 99.65
(a) The Office notifies the complainant, if any, and the educational agency or institution in writing if it initiates an investigation under § 99.64(b). The notice to the educational agency or institution—
(1) Includes the substance of the allegations against the educational agency or institution; and
(2) Directs the agency or institution to submit a written response and other relevant information, as set forth in § 99.62, within a specified period of time, including information about its policies and practices regarding education records.
(b) The Office notifies the complainant if it does not initiate an investigation because the complaint fails to meet the requirements of § 99.64.
(Authority: 20 U.S.C. 1232g(g))
16. Section 99.66 is amended by revising paragraphs (a), (b), and the introductory text of paragraph (c) to read as follows:
§ 99.66
(a) The Office reviews a complaint, if any, information submitted by the educational agency or institution, and any other relevant information. The Office may permit the parties to submit further written or oral arguments or information.
(b) Following its investigation, the Office provides to the complainant, if any, and the educational agency or institution a written notice of its findings and the basis for its findings.
(c) If the Office finds that an educational agency or institution has not complied with a provision of the Act or this part, it may also find that the failure to comply was based on a policy or practice of the agency or institution. A notice of findings issued under paragraph (b) of this section to an educational agency or institution that has not complied with a provision of the Act or this part—
17. Section 99.67 is amended by revising paragraph (a) to read as follows:
§ 99.67
(a) If an educational agency or institution does not comply during the period of time set under § 99.66(c), the Secretary may take any legally available enforcement action in accordance with the Act, including, but not limited to, the following enforcement actions available in accordance with part E of the General Education Provisions Act—
[FR Doc. E8-28864 Filed 12-8-08; 8:45 am]