
Federal Register: March 24, 2008
Volume 73, Number 57
[Notice of proposed rulemaking]
[Page 15573-15602]

Part II
Department of Education

34 CFR Part 99
Family Educational Rights and Privacy; Proposed Rule

DEPARTMENT OF EDUCATION
34 CFR Part 99
RIN 1855-AA05
[Docket ID ED-2008-OPEPD-0002]
Family Educational Rights and Privacy
AGENCY: Office of Planning, Evaluation, and Policy Development,
Department of Education.
ACTION: Notice of proposed rulemaking.

SUMMARY: The Secretary proposes to amend the regulations governing
education records maintained by educational agencies and institutions
under section 444 of the General Education Provisions Act, which is
also known as the Family Educational Rights and Privacy Act of 1974, as
amended (FERPA). These proposed regulations are needed to implement
amendments to FERPA contained in the USA Patriot Act and the Campus Sex
Crimes Prevention Act, to implement two U.S. Supreme Court decisions
interpreting FERPA, and to make necessary changes identified as a
result of the Department's experience administering FERPA and current
regulations. These changes would clarify permissible disclosures to
parents of eligible students and conditions that apply to disclosures
in health and safety emergencies; clarify permissible disclosures of
student identifiers as directory information; allow disclosures to
contractors and other outside parties in connection with the
outsourcing of institutional services and functions; revise the
definitions of attendance, disclosure, education records, personally
identifiable information, and other key terms; clarify permissible
redisclosures by State and Federal officials; and update investigation
and enforcement provisions.
DATES: We must receive your comments on or before May 8, 2008.
ADDRESSES: Submit your comments through the Federal eRulemaking Portal
or via postal mail, commercial delivery, or hand delivery. We will not
accept comments by fax or by e-mail. Please submit your comments only
one time, in order to ensure that we do not receive duplicate copies.
In addition, please include the Docket ID at the top of your comments.
Federal eRulemaking Portal: Go to http://www.regulations.gov. Under
"Search Documents" go to "Optional Step 2" and select "Department
of Education" from the agency drop-down menu; then click "Submit."
In the Docket ID column, select ED-2008-OPEPD-0002 to add or view
public comments and to view supporting and related materials available
electronically. Information on using Regulations.gov, including
instructions for submitting comments, accessing documents, and viewing
the docket after the close of the comment period, is available through
the site's "User Tips" link.
Postal Mail, Commercial Delivery, or Hand Delivery. If you mail or
deliver your comments about these proposed regulations, address them to
LeRoy S. Rooker, U.S. Department of Education, 400 Maryland Avenue,
SW., room 6W243, Washington, DC 20202-5920.
Privacy Note: The Department's policy for comments received from
members of the public (including those comments submitted by mail,
commercial delivery, or hand delivery) is to make these submissions
available for public viewing in their entirety on the Federal
eRulemaking Portal at http://www.regulations.gov. Therefore,
commenters should be careful to include in their comments only
information that they wish to make publicly available on the
Internet.
FOR FURTHER INFORMATION CONTACT: Frances Moran, U.S. Department of
Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC
20202-8250. Telephone: (202) 260-3887.
If you use a telecommunications device for the deaf (TDD), you may
call the Federal Relay Service (FRS) at 1-800-877-8339.
Individuals with disabilities may obtain this document in an
alternative format (e.g., Braille, large print, audiotape, or computer
diskette) on request to the contact person listed under FOR FURTHER
INFORMATION CONTACT.
Invitation To Comment
We invite you to submit comments and recommendations regarding
these proposed regulations. To ensure that your comments have maximum
effect in developing the final regulations, we urge you to identify
clearly the specific section or sections of the proposed regulations
that each of your comments addresses and to arrange your comments in
the same order as the proposed regulations.
We invite you to assist us in complying with the specific
requirements of Executive Order 12866 and its overall requirement of
reducing regulatory burden that might result from these proposed
regulations. Please let us know of any further opportunities we should
take to reduce potential costs or increase potential benefits while
preserving the effective and efficient administration of the program.
During and after the comment period, you may inspect all public
comments about these proposed regulations in room 6W243, 400 Maryland
Avenue, SW., Washington, DC, between the hours of 8:30 a.m. and 4 p.m.
Eastern time, Monday through Friday of each week except Federal
holidays. Public comments may also be inspected at www.regulations.gov.
Assistance to Individuals With Disabilities in Reviewing the Rulemaking
Record
On request, we will supply an appropriate aid to an individual with
a disability who needs assistance to review the comments or other
documents in the public rulemaking record for these proposed
regulations. If you want to schedule an appointment for this type of
aid, please contact the person listed under FOR FURTHER INFORMATION
CONTACT.
Background
These proposed regulations would implement section 507 of the
Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism (USA Patriot Act) of 2001
(Pub. L. 107-56), enacted Oct. 26, 2001, and the Campus Sex Crimes
Prevention Act, section 1601(d) of the Victims of Trafficking and
Violence Protection Act of 2000 (Pub. L. 106-386), enacted Oct. 28,
2000, both of which amended FERPA. The proposed regulations also would
implement the U.S. Supreme Court's decisions in Owasso Independent
School Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso) and
Gonzaga University v. Doe, 536 U.S. 273 (2002) (Gonzaga). Finally, the
proposed regulations respond to changes in information technology and
address other issues identified through the Department's experience
administering FERPA, including the need to clarify how postsecondary
institutions may share information with parents and other parties in
light of the tragic events at Virginia Tech in April 2007. The
Department has developed these proposed regulations in accordance with
its "Principles for Regulating," which are intended to ensure that
the Department regulates in the most flexible, equitable, and least
burdensome way possible. These proposed regulations seek to provide the
greatest flexibility to State and local governments and schools while
ensuring that personally identifiable information about students
remains protected from unauthorized disclosure.
Technical Corrections
The proposed regulations correct Sec. 99.33(e) by adding the
statutory
language "outside the educational agency or institution" after the
words "third party" in the first sentence. They also correct an error
in the section number cited in Sec. 99.34(a)(1)(ii).
Significant Proposed Regulations
We discuss substantive issues under the sections of the proposed
regulations to which they pertain. Generally, we do not address
proposed regulatory provisions that are technical or otherwise minor in
effect.
1. Definitions (Sec. 99.3)
Attendance
Statute: 20 U.S.C. 1232g(a)(6) defines the term student as any
person with respect to whom an educational agency or institution
maintains education records or personally identifiable information but
does not include a person who has not been in attendance at such agency
or institution. The statute does not define attendance.
Current Regulations: As defined in the current regulations, the
term attendance includes attendance in person or by correspondence, and
the period during which a person is working under a work-study program.
The current definition does not address the status of distance learners
who are taught through the use of electronic information and
telecommunications technologies.
Proposed Regulations: The proposed regulations in Sec. 99.3 would
add attendance by videoconference, satellite, Internet, or other
electronic information and telecommunications technologies for students
who are not physically present in the classroom.
Reasons: The proposed regulations are needed to clarify that
students who are not physically present in the classroom may attend an
educational agency or institution not only through traditional
correspondence courses but through advanced electronic information and
telecommunications technologies used for distance education, such as
videoconferencing, satellite, and Internet-based communications.
Directory Information
Statute: 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2) allows
disclosure without consent of information such as a student's name and
address, telephone listing, date and place of birth, major field of
study, etc., defined as directory information, provided that specified
notice and opt out conditions have been met.
Current Regulations: Directory information is defined in Sec. 99.3
as information contained in an education record of a student that would
not generally be considered harmful or an invasion of privacy if
disclosed, and includes information listed in FERPA (e.g., a student's
name and address, telephone listing) as well as other information, such
as a student's electronic mail (e-mail) address, enrollment status, and
photograph. Current regulations do not specify whether a student's
Social Security Number (SSN), official student identification (ID)
number, or personal identifier for use in electronic systems may be
designated and disclosed as directory information.
Proposed Regulations: The proposed regulations would provide that
an educational agency or institution may not designate as directory
information a student's SSN or other student ID number. However,
directory information may include a student's user ID or other unique
identifier used by the student to access or communicate in electronic
systems, but only if the electronic identifier cannot be used to gain
access to education records except when used in conjunction with one or
more factors that authenticate the student's identity, such as a
personal identification number (PIN), password, or other factor known
or possessed only by the student.
Reasons: SSNs and other student ID numbers are personal identifiers
that are typically used for identification purposes in order to
establish an account, gain access to or confirm private information,
obtain services, etc. The proposed regulations are needed to ensure
that educational agencies and institutions do not disclose these
identifiers as directory information, or include them with other
personally identifiable information that may be disclosed as directory
information, because SSNs and other student ID numbers can be used to
impersonate the owner of the number and obtain information or services
by fraud. The proposed regulations are also needed to clarify that
unique personal identifiers used for electronic communications may be
disclosed as directory information under certain conditions.
Names and addresses are personal identifiers (and personally
identifiable information under Sec. 99.3) that have always been
available for disclosure as directory information under FERPA because
they are generally known to others and often appear in public
directories outside the school context. (It is precisely because names
and addresses are widely available that they may not be used to
authenticate identity, as discussed below in connection with proposed
Sec. 99.31(c).) SSNs and other student ID numbers are also personal
identifiers and personally identifiable information under Sec. 99.3.
Unlike names and addresses, SSNs and other student ID numbers are
typically used to obtain a variety of non-public information about an
individual, such as employment, credit, financial, health, motor
vehicle, and educational information, that would be harmful or an
invasion of privacy if disclosed. An SSN or other student ID number can
also be used in conjunction with commonly available information, such
as name, address, and date of birth, to establish fraudulent accounts
and otherwise impersonate an individual. As a result, under the
proposed regulations, SSNs and other student ID numbers may not be
designated and disclosed as directory information.
Educational agencies and institutions have reported to us that in
addition to needing a traditional student ID number (or SSN used as a
student ID number), they need to identify or assign to students a
unique electronic identifier that can be made available publicly.
(Names are generally not appropriate for these purposes because they
may not be unique to the population.) Unique electronic identifiers are
needed, for example, for students to be able to use portals or single
sign-on approaches to student information systems that provide access
to class registration, academic records, library resources, and other
student services. Much of the directory-based software used for these
systems, as well as protocols for electronic collaboration by students
and teachers within and among institutions, essentially cannot function
without making an individual's user ID or other electronic identifier
publicly available in these kinds of systems.
Some systems, for example, require users to log on with their
e-mail address or other published user name or account ID. (Note that a
student's e-mail address was added to the regulatory definition of
directory information in the final regulations published on July 6,
2000 (65 FR 41852, 41855).) Public key infrastructure (PKI) technology
for encryption and digital signatures also requires wide dissemination
of the sender's public key. These are the types of circumstances in
which educational agencies and institutions may need to publish or
disclose a student's unique electronic identifier.
The proposed regulations would permit disclosure of a student's
user ID or other electronic identifier as directory information, but
only if the identifier functions essentially as a name; that is, the
identifier is not used by itself to authenticate identity and cannot be
used by itself to gain access to education records. A unique electronic
identifier disclosed as directory information may be used to provide
access to the student's education records, but only when combined with
other factors known only to the authorized user (student, parent, or
school official), such as a secret password or PIN, or some other
method to authenticate the user's identity and ensure that the user is,
in fact, a person authorized to access the records.
Note that eligible students and parents have a right under FERPA to
opt out of directory information disclosures and refuse to allow the
student's e-mail address, user ID or other electronic identifier to be
disclosed as directory information (except as provided in proposed
Sec. 99.37(c), discussed elsewhere in this document). This is similar
to a decision not to participate in an institution's paper-based
student directory, yearbook, commencement program, etc. In these cases,
the student or parent will not be able to take advantage of the
services, such as portals for class registration, academic records,
etc., provided solely through the electronic communications or software
that require public disclosure of the student's unique electronic
identifier.
Disclosure
Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provides that an
educational agency or institution subject to FERPA may not have a
policy or practice of releasing, permitting the release of, or
providing access to personally identifiable information from education
records without prior written consent.
Current Regulations: The regulations in Sec. 99.3 define the term
disclosure to mean permitting access to or the release, transfer, or
other communication of personally identifiable information from
education records to any party by any means. The regulations do not
address issues relating to the return of records to the party that
provided or created them.
Proposed Regulations: The proposed regulations would exclude from
the definition of disclosure the release or return of an education
record, or personally identifiable information from an education
record, to the party identified as the party that provided or created
the record. This would allow an educational agency or institution
(School B) to send a transcript, letter of recommendation, or other
record that appears to have been falsified back to the institution or
school official identified as the creator or sender of the record
(School A) for confirmation of its status as an authentic record.
School A may confirm or deny that the record is accurate and send the
correct version back to School B under Sec. 99.31(a)(2), which allows
an institution to disclose education records without prior written
consent to an institution in which the student seeks or intends to
enroll, or is already enrolled.
The proposed regulations would also permit a State or local
educational authority or other entity to redisclose education records
or personally identifiable information from education records, without
consent, to the school district, institution, or other party that
provided the records or information.
Reasons: School officials have reported to the Department that they
are receiving with more frequency what appear to be falsified
transcripts, letters of recommendation, and other information about
students from educational agencies and institutions. The proposed
amendment is needed to verify the accuracy of this type of information
and to ensure that the privacy protections in FERPA are not used to
shield or prevent detection of fraud.
Several State educational agencies (SEAs) that maintain
consolidated student records systems have also expressed uncertainty
whether they may allow a local school district to obtain access to
personally identifiable information from education records provided to
the SEA by that district. The amendment is needed to clarify that SEAs
and other parties that maintain education records provided by school
districts and other educational agencies and institutions may allow a
party to obtain access to the specific records and information that the
party provided to the consolidated student records system.
Education Records
Statute: 20 U.S.C. 1232g(a)(4) provides a broad, general definition
of education records that includes all records that are directly
related to a student and maintained by an educational agency or
institution. Student, in turn, is defined in 20 U.S.C. 1232g(a)(6) to
exclude individuals who have not been in attendance at the agency or
institution.
Current Regulations: The definition of education records in Sec.
99.3 excludes records that only contain information about an individual
after he or she is no longer a student.
Proposed Regulations: The proposed regulations would clarify that,
with respect to former students, the term education records excludes
records that are created or received by the educational agency or
institution after an individual is no longer a student in attendance
and are not directly related to the individual's attendance as a
student.
Reasons: Institutions have told us that there is some confusion
about the provision in the definition of education records that
excludes certain alumni records from the definition. Some schools have
mistakenly interpreted this provision to mean that any record created
or received after a student is no longer enrolled is not an education
record under FERPA. The proposed regulations are needed to clarify that
the exclusion is intended to cover records that concern an individual
or events that occur after the individual is no longer a student in
attendance, such as alumni activities. The exclusion is not intended to
cover records that are created and matters that occur after an
individual is no longer in attendance but that are directly related to
his or her previous attendance as a student, such as a settlement
agreement that concerns matters that arose while the individual was in
attendance as a student.
Statute: The statute does not address peer-grading practices in
relation to FERPA requirements.
Current Regulations: The definition of education records includes
records that are maintained by an educational agency or institution, or
a party acting for the educational agency or institution, but does not
provide any guidance on the status of student-graded tests and
assignments before they have been collected and recorded by a teacher.
Proposed Regulations: Proposed regulations in Sec. 99.3 would
clarify that peer-graded papers that have not been collected and
recorded by a teacher are not considered maintained by an educational
agency or institution and, therefore, are not education records under
FERPA.
Reasons: The proposed regulations are needed to implement the U.S.
Supreme Court's decision on peer-graded papers in Owasso.
"Peer-grading" refers to a common educational practice in which students
exchange and grade one another's papers and then either call out the
grade or turn in the work to the teacher for recordation. In Owasso,
the Court held that this practice does not violate FERPA because "the
grades on students' papers would not be covered under FERPA at least
until the teacher has collected them and recorded them in his or her
grade book." Owasso, 534 U.S. at 436.
Personally Identifiable Information
Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an
educational agency or institution may not have a policy or practice of
permitting the release of or providing access to education records or
any personally identifiable information other than directory
information in education records without prior written consent except
in accordance with statutory exceptions.
Current Regulations: The term personally identifiable information
is defined in Sec. 99.3 to include the student's name and other
personal identifiers, such as the student's social security number or
student number. Current regulations also include indirect identifiers,
such as the name of the student's parent or other family members; the
address of the student or the student's family; and personal
characteristics or other information that would make the student's
identity easily traceable.
Proposed Regulations: The proposed regulations would add biometric
record to the list of personal identifiers and add other indirect
identifiers, such as date and place of birth and mother's maiden name,
to the list of personally identifiable information. The regulations
would remove language about personal characteristics and other
information that would make the student's identity easily traceable and
provide instead that personally identifiable information includes other
information that, alone or in combination, is linked or linkable to a
specific student that would allow a reasonable person in the school or
its community, who does not have personal knowledge of the relevant
circumstances, to identify the student with reasonable certainty.
Personally identifiable information would also include information
requested by a person who the educational agency or institution
reasonably believes has direct, personal knowledge of the identity of
the student to whom the education record directly relates.
Reasons: See the discussion of proposed regulations adding a new
Sec. 99.31(b) for de-identified education records elsewhere in this
document.
State Auditor
Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) allows an
educational agency or institution to disclose personally identifiable
information from education records, without prior written consent, to
State and local educational authorities and officials for the audit or
evaluation of Federal or State supported education programs, or for the
enforcement of or compliance with Federal legal requirements that
relate to those programs.
Current Regulations: The current regulations do not address the
disclosure of education records to State auditors.
Proposed Regulations: The proposed regulations in Sec. 99.3 would
define State auditor as a party under any branch of government with
authority and responsibility under State law for conducting audits. We
propose to add a new paragraph (a)(2) to Sec. 99.35 to clarify that
State auditors that are not State or local educational authorities may
have access to education records in connection with an audit of Federal
or State supported education programs.
Reasons: 20 U.S.C. 1232g(b)(3) (section (b)(3) of the statute)
allows disclosure of education records without consent to "State
educational authorities" for audit and evaluation purposes. According
to the legislative history of FERPA, section (b)(5) of the statute,
which allows disclosure of education records without consent to "State
and local educational officials" for audit and evaluation purposes,
was added in 1979 to "correct an anomaly" in which the existing
exception in section (b)(3) was interpreted to preclude State auditors
from obtaining records in order to conduct State audits of local and
State-supported programs.
See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 (1979),
reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824. The amended
statutory language in section (b)(5) is ambiguous, however, because it
does not actually mention State auditors and, like section (b)(3),
refers only to educational officials. Over the years several States
have questioned whether this exception includes audits conducted by
legislative branch officials and other parties that may not be
considered educational authorities or officials.
The regulations are needed to clarify that State auditors may
receive personally identifiable information from education records,
without prior written consent, even if they are not considered State or
local educational authorities or officials, provided that they are
auditing a Federal or State supported education program. We are
interested in receiving comments about whether the definition needs to
cover local auditors as well. The exception for disclosure of education
records to State auditors is narrowly limited to audits (defined in
proposed Sec. 99.35 as testing compliance with applicable laws,
regulations, and standards) and does not include the broader concept of
evaluations, for which disclosure of education records remains limited
to educational authorities or officials.
2. Disclosures to Parents of Eligible Students (Sec. Sec. 99.5, 99.36)
Section 99.5(a) (Rights of Students)
Statute: 20 U.S.C. 1232g(d) provides that once a student reaches 18
years of age or attends a postsecondary institution, all rights
accorded to parents under FERPA, and the consent required to disclose
education records, transfer from the parents to the student. Under 20
U.S.C. 1232g(b)(1)(H), an educational agency or institution may
disclose personally identifiable information from an education record
without meeting FERPA's written consent requirement to parents of a
dependent student as defined in 26 U.S.C. 152. Under 20 U.S.C.
1232g(i), an institution of higher education may disclose personally
identifiable information from an education record, without meeting
FERPA's written consent requirement, to a parent or legal guardian of a
student information regarding the student's violation of any Federal,
State or local law, or any rule or policy of the institution governing
the use or possession of alcohol or a controlled substance if the
student is under the age of 21 and the institution determines that the
student has committed a disciplinary violation with respect to such use
or possession. Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or
institution may disclose personally identifiable information from an
education record, without meeting FERPA's written consent requirement,
to appropriate persons in connection with an emergency if the knowledge
of such information is necessary to protect the health or safety of the
student or other persons.
Current Regulations: Section 99.3 defines an eligible student as a
student who has reached 18 years of age or attends a postsecondary
institution. Section 99.5(a) states that rights accorded to parents,
and consent required of parents, to disclose education records under
FERPA transfer from parents to a student when the student meets the
definition of an eligible student.
Section 99.31(a)(8) provides that an educational agency or
institution may disclose personally identifiable information from
education records without consent to parents of a dependent student as
defined in section 152 of the Internal Revenue Code of 1986. Under
Sec. 99.31(a)(15) written consent is not required, regardless of
dependency status, to disclose to a
parent of a student at an institution of postsecondary education
information regarding the student's violation of any Federal, State or
local law, or of any rule or policy of the institution, governing the
use or possession of alcohol or a controlled substance if the
institution determines that the student has committed a disciplinary
violation with respect to that use or possession and the student is
under the age of 21 at the time of the disclosure to the parent.
Section 99.31(a)(10) provides that an educational agency or
institution may disclose personally identifiable information from
education records without consent if the disclosure is in connection
with a health or safety emergency under the conditions described in
Sec. 99.36. Section 99.36 provides that an educational agency or
institution may disclose personally identifiable information from an
education record to appropriate parties in connection with an emergency
if knowledge of the information is necessary to protect the health or
safety of the student or other individuals.
Proposed Regulations: The proposed regulations in Sec. 99.5
clarify that even after a student has become an eligible student, an
educational agency or institution may disclose education records to the
student's parents, without the consent of the eligible student, if the
student is a dependent for Federal income tax purposes (Sec.
99.31(a)(8)); in connection with a health or safety emergency (Sec.
99.31(a)(10)); if the student is under the age of 21 and has violated
an institutional rule or policy governing the use or possession of
alcohol or a controlled substance (Sec. 99.31(a)(15)); and if the
disclosure falls within any other exception to the consent requirement
in Sec. 99.31(a) of the regulations, such as the disclosure of
directory information or in compliance with a court order or lawfully
issued subpoena. The proposed regulations in Sec. 99.36(a) would
clarify that an eligible student's parents are appropriate parties to
whom an educational agency or institution may disclose personally
identifiable information from education records without consent in a
health or safety emergency.
Reasons: The Secretary is concerned that some institutions are
under the mistaken impression that FERPA prevents them from providing
parents with any information about a college student. The proposed
regulations are needed to clarify that FERPA contains exceptions to the
written consent requirement that permit colleges and other educational
agencies and institutions to disclose personally identifiable
information from education records to parents of certain eligible
students whether or not the student consents.
Section 99.31(a)(8) permits an educational agency or institution to
disclose education records, without consent, to either parent if at
least one of the parents has claimed the student as a dependent on the
parent's most recent tax return. Because many college students (and 18-
year-old high school students) are tax dependents of their parents,
this provision allows these institutions to disclose information from
education records to the students' parents without meeting the written
consent requirements in Sec. 99.30. (Institutions must first determine
that a parent has claimed the student as a dependent on the parent's
Federal income tax return. Institutions can determine that a parent
claimed a student as a dependent by asking the parent to submit a copy
of the parent's most recent Federal tax return. Institutions can also
rely on a student's assertion that he or she is not a dependent unless
the parent provides contrary evidence.)
The proposed regulations are also needed to clarify that colleges
and other institutions may disclose information from education records
to an eligible student's parents, without consent, under Sec.
99.31(a)(15) if the institution has determined that the student has
violated Federal, State, or local law or an institution's rules or
policies governing alcohol or substance abuse (provided the student is
under 21 years of age), and in connection with a health or safety
emergency under Sec. Sec. 99.31(a)(10) and 99.36 (regardless of the
student's age) if the information is needed to protect the health or
safety of the student or other individuals. These exceptions apply
whether or not the student is a dependent of a parent for tax purposes.
These proposed regulations would clarify the Department's policy with
respect to an agency's or institution's disclosure of information from
education records to parents under the health and safety emergency
exception and do not represent a change in the Department's
interpretation of who may qualify as an appropriate party under the
health or safety emergency exception to the consent requirement. While
institutions may choose to follow a policy of not disclosing education
records to parents of eligible students in these circumstances, FERPA
does not mandate such a policy.

3. Authorized Disclosure of Education Records Without Prior Written
Consent (Sec. 99.31)

Section 99.31(a)(1) (School Officials) Outsourcing

Statute: 20 U.S.C. 1232g(a)(4)(A) defines education records to
include records maintained by an educational agency or institution or
by "a person acting for" the agency or institution. Under 20 U.S.C.
1232g(b)(1)(A), an educational agency or institution may allow teachers
and other school officials within the institution or agency, without
prior written consent, to obtain access to education records if the
institution or agency has determined that they have legitimate
educational interests in the information.
Current Regulations: Section 99.31(a)(1) allows disclosure of
personally identifiable information from education records without
consent to school officials, including teachers, within the agency or
institution if the educational agency or institution has determined
that they have legitimate educational interests in the information. An
educational agency or institution that discloses information under this
exception must specify in its annual notification of FERPA rights under
Sec. 99.7(a)(3)(iii) the criteria it uses to determine who constitutes
a school official and what constitutes legitimate educational
interests. The recordkeeping requirements in Sec. 99.32(d) do not
apply to disclosures to school officials with legitimate educational
interests. Current regulations do not address disclosure of education
records without consent to contractors, consultants, volunteers, and
other outside parties providing institutional services and functions or
otherwise acting for an agency or institution.
Proposed Regulations: The proposed regulations in Sec.
99.31(a)(1)(i)(B) would expand the school official exception to include
contractors, consultants, volunteers, and other outside parties to whom
an educational agency or institution has outsourced institutional
services or functions that it would otherwise use employees to perform.
The outside party who obtains access to education records without
consent must be under the direct control of the agency or institution
and subject to the same conditions governing the use and redisclosure
of education records that apply to other school officials under Sec.
99.33(a) of the regulations. These proposed regulations supersede
previous technical assistance guidance issued by the Family Policy
Compliance Office (Office) regarding disclosure of
[[Page 15579]]
education records without consent to parties acting for an educational
agency or institution.
Educational agencies and institutions that outsource institutional
services and functions must comply with the annual FERPA notification
requirements under the current regulations in Sec. 99.7(a)(3)(iii) by
specifying their contractors, consultants, and volunteers as school
officials retained to provide various institutional services and
functions. Failure to comply with the notice requirements for school
officials in Sec. 99.7(a)(3)(iii) is not excused by recording the
disclosure under Sec. 99.32. (We note that under current regulations
disclosures to school officials under Sec. 99.31(a)(1) are
specifically excluded from the recordation requirements under Sec.
99.32(d).) As a result, an educational agency or institution that has
not included contractors and other outside service providers as school
officials with legitimate educational interests in its annual FERPA
notification may not disclose any personally identifiable information
from education records to these parties until it has complied with the
notice requirements in Sec. 99.7(a)(3)(iii).
Educational agencies and institutions are responsible for their
outside service providers' failures to comply with applicable FERPA
requirements. The agency or institution must ensure that the outside
party does not use or allow anyone to obtain access to personally
identifiable information from education records except in strict
accordance with the requirements established by the educational agency
or institution that discloses the information.
All outside parties serving as school officials are subject to
FERPA's restrictions on the use and redisclosure of personally
identifiable information from education records. These restrictions
include current provisions in Sec. 99.33(a), which requires an
educational agency or institution that discloses personally
identifiable information from education records to do so only on the
condition that the recipient, including a teacher or other school
official, will use the information only for the purpose for which the
disclosure was made and will not redisclose the information to any
other party without the prior consent of the parent or eligible student
unless the educational agency or institution has authorized the
redisclosure under a FERPA exception and the agency or institution
records the subsequent disclosure in accordance with the requirements
in Sec. 99.32(b).
For example, under the proposed regulations, a party that contracts
with an educational agency or institution to provide enrollment and
degree verification services must ensure that only individuals with
legitimate educational interests obtain access to personally
identifiable information from education records maintained on behalf of
the agency or institution. In accordance with current regulations at
Sec. 99.33(b), a contractor may not redisclose personally identifiable
information without prior written consent unless the educational agency
or institution has authorized the redisclosure under a FERPA exception
and the agency or institution records the subsequent disclosure in
accordance with the requirements in Sec. 99.32(b). Like other school
officials, contractors and other outside parties who provide
institutional services may not decide unilaterally to redisclose
personally identifiable information from education records, even in
circumstances that would comply with an exception in Sec. 99.31(a).
Additionally, records directly related to a student that are
maintained by a party acting for an educational agency or institution
are education records subject to all FERPA requirements. This includes
any new student records created under an outsourcing agreement that are
maintained by the outside service provider.
Reasons: The proposed regulations are needed to resolve uncertainty
about the specific conditions under which educational agencies and
institutions may disclose personally identifiable information from
education records, without prior written consent, to contractors,
consultants, volunteers, and other outside parties performing
institutional services or functions. While there is no explicit
statutory exception to the prior written consent requirement for
disclosures to contractors and other non-employees to whom an
educational agency or institution has outsourced services, we note that
the statutory definition of education records protects records that are
maintained by a party acting for the agency or institution. See 20
U.S.C. 1232g(a)(4)(A)(ii). Indeed, the Joint Statement in Explanation
of Buckley/Pell Amendment (120 Cong. Rec. S39862, Dec. 13, 1974) refers
specifically to materials that are maintained by a school "or by one
of its agents" when describing the meaning of the new term education
records in the December 1974 amendments to the statute.
The Department has long recognized in guidance that FERPA does not
prevent educational agencies and institutions from outsourcing
institutional services and functions and disclosing education records
to contractors and other outside parties performing those services and
functions in appropriate circumstances, such as for legal advice; debt
collection; transcript distribution; fundraising and alumni
communications; development and management of information systems; and
degree and enrollment verification. The Secretary wishes to clarify and
define the scope of this practice to avoid further confusion and
prevent weakening of FERPA's privacy protections because of uncertainty
about the requirements for making these kinds of disclosures.
One of the most frequently used exceptions to the prior written
consent requirement allows teachers and other school officials to
obtain access to education records provided the educational agency or
institution has determined that the school official has legitimate
educational interests in the information. This exception covers not
only teachers and principals, but also school counselors, registrars,
admissions personnel, attorneys, accountants, human resource staff,
information systems specialists, and designated support and clerical
personnel when they need access to personally identifiable information
from education records in order to perform their official functions and
duties for their employer. As noted above, an educational agency or
institution that allows school officials to obtain access to education
records under this exception must, under Sec. 99.7(a)(3), include in
its annual notification of FERPA rights a specification of its criteria
for determining who constitutes a school official and what constitutes
legitimate educational interests under Sec. 99.31(a)(1). Disclosures
to school officials under current regulations are subject to the
restrictions on the use and redisclosure of information in Sec. 99.33
but are exempt from the FERPA recordkeeping requirements in Sec.
99.32.
The proposed regulations are included with the exception for school
officials in Sec. 99.31(a)(1) because we believe that disclosures made
for contract, volunteer, and other outsourced services and functions
should be subject to the same conditions that would apply if the
outside party were, in fact, providing institutional services or
functions as an employee or officer of the educational agency or
institution. In particular, the outside party must be under the direct
control of the agency or institution with respect to the maintenance
and use of personally identifiable information from education records.
The outside party
[[Page 15580]]
must also perform the type of institutional services or functions for
which the agency or institution would otherwise use its own employees.
For example, an institution may disclose education records without
consent under this provision to an outside party retained to provide
enrollment verification services to student loan holders because the
institution would otherwise have to use its own employees to conduct
the required verifications. In contrast, an institution may not use
this provision to disclose education records, without consent, to a
financial institution or insurance company that provides a good student
discount on its services and needs students' ID numbers and grades to
verify an individual's eligibility, even if the institution enters into
a contract with these companies to provide the student discount.

Access to Education Records by School Officials

Statute: 20 U.S.C. 1232g(b)(1)(A) provides that an educational
agency or institution may allow teachers and other school officials
within the agency or institution to obtain access to education records,
without prior written consent, if the agency or institution has
determined that the school official has legitimate educational
interests in the information.
Current Regulations: Section 99.31(a)(1) allows an educational
agency or institution to disclose personally identifiable information
from education records without consent to school officials, including
teachers, within the agency or institution if the educational agency or
institution has determined that they have legitimate educational
interests in the information. An educational agency or institution that
discloses information under this exception must specify in its annual
notification of FERPA rights under Sec. 99.7(a)(3)(iii) the criteria
it uses to determine who constitutes a school official and what
constitutes legitimate educational interests. Current regulations do
not specify whether the agency or institution must ensure that school
officials obtain access to only those education records in which they
have legitimate educational interests.
Proposed Regulations: The proposed regulations in Sec.
99.31(a)(1)(ii) would require an educational agency or institution to
use reasonable methods to ensure that teachers and other school
officials obtain access to only those education records in which they
have legitimate educational interests. This requirement would apply to
education records maintained in either paper or electronic format.
Agencies and institutions that choose not to use physical or
technological controls to restrict a school official's access to
education records must ensure that their administrative policy for
controlling access to and maintenance of education records is effective
and that the agency or institution remains in compliance with the
legitimate educational interests requirement in Sec.
99.31(a)(1)(i)(A). (These proposed regulations do not address what
constitutes a legitimate educational interest under the regulations.)
Reasons: The proposed regulations are needed to ensure that
teachers and other school officials only gain access to education
records in which they have a legitimate educational interest. While the
proposed regulations apply to records in any format (as defined in
Sec. 99.3), the need to ensure compliance with the legitimate
educational interest requirement has been driven largely by the
increased use of computerized or electronic recordkeeping systems in
which a user may have access to all records.
Many of the smaller educational agencies and institutions typically
use a combination of physical and administrative methods to restrict
access by school officials to paper copy records. For example, paper
copy records may be maintained in lockable cabinets, desks, or rooms
with distribution of records to school officials controlled by the
teacher, registrar, or other authorized custodian as appropriate. With
the advent of computerized or electronic records, particularly by the
mid-size and larger agencies and institutions, parents and students
have complained that school officials may have unrestricted access to
the records of all students in an institution's or local educational
agency's (LEA) system. Agencies and institutions establishing or
upgrading electronic student information systems have also expressed
uncertainty about what methods they should use to comply with the
legitimate educational interest requirement in this new environment.
Under the proposed regulations, an educational agency or
institution should implement controls to protect student records. These
controls should consist of a combination of appropriate physical,
technical, administrative, and operational controls which will allow
access to be limited when required. (Some examples of possible
information security controls can be found in "The National Institute
of Standards and Technology (NIST) 800-53, Recommended Security
Controls for Federal Information Systems" (December 2007). Educational
institutions and agencies are not required to implement the NIST 800-53
guidance, but may find it useful when determining possible controls.)
For example, software used to access electronic records may contain
role-based security features that allow teachers to view only
information about students currently enrolled in their classes.
Similarly, a school principal or registrar may maintain paper records
in locked cabinets and distribute records to authorized officials on an
as-needed basis.
An educational agency or institution that does not use some kind of
physical or technological controls to restrict access and leaves
education records open to all school officials may rely instead on
administrative controls, such as an institutional policy that prohibits
teachers and other school officials from accessing records except when
they have a legitimate educational interest. However, an agency or
institution that forgoes physical or technological access controls must
ensure that its administrative policy for controlling access is
effective and that it remains in compliance with the legitimate
educational interest requirement in Sec. 99.31(a)(1). In that regard,
if a parent or eligible student alleges that a school official obtained
access to a student's education records without a legitimate
educational interest, an agency or institution must show that the
school official possessed a legitimate educational interest in
obtaining the personally identifiable information from education
records maintained by the agency or institution. An agency or
institution may wish to restrict or track school officials who obtain
access to education records to ensure that it is in compliance with
Sec. 99.31(a)(1)(i)(A).
The risk of unauthorized access to education records by school
officials means the likelihood that records may be targeted for
compromise and the harm that could result. Methods used by an
educational agency or institution to ensure compliance with the
legitimate educational interests requirement are considered reasonable
under the proposed regulations if they reduce the risk of unauthorized
access by school officials to a level commensurate with the likely
threat and potential harm. The greater the harm that would result from
unauthorized access or disclosure and the greater the likelihood that
unauthorized access or disclosure will occur, the more protections an
agency or institution must use to ensure that its methods are
reasonable. For example, high risk records, such as those that
[[Page 15581]]
contain credit card information, SSNs and other elements used for
identity theft, immunization and other health records, certain records
on special education students, and official transcripts and grades
should generally receive greater and more immediate protection than
medium or low risk records, such as those containing only publicly
releasable directory information. Methods that an educational agency or
institution should use to reduce risk to an acceptable level will
depend on a variety of factors, including the organization's size and
resources. In all cases, reasonableness depends ultimately on what are
the usual and customary good business practices of educational agencies
and institutions, which requires ongoing review and modification of
methods and procedures, where appropriate, as standards and
technologies continue to change.

Section 99.31(a)(2) (Disclosure to a School Where Student Seeks or
Intends To Enroll)

Statute: 20 U.S.C. 1232g(b)(1)(B) allows an educational agency or
institution to disclose, under certain conditions, education records to
another school or school system in which the student seeks or intends
to enroll without obtaining the prior written consent of a parent or
eligible student.
Current Regulations: Under Sec. 99.31(a)(2), an educational agency
or institution may disclose education records, without prior written
consent, to officials of another school, school system, or
postsecondary institution where the student seeks or intends to enroll,
provided that the agency or institution complies with the requirements
in Sec. 99.34(a) regarding notification to the parent or eligible
student of the disclosure and, upon request, provide a copy of the
records and an opportunity for a hearing under subpart C of the
regulations.
Proposed Regulations: The proposed regulations in Sec. 99.31(a)(2)
would allow an educational agency or institution to disclose education
records, without consent, to another institution even after a student
has already enrolled or transferred, and not just if the student seeks
or intends to enroll, if the disclosure is for purposes related to the
student's enrollment or transfer.
Reasons: The proposed amendments are needed to resolve uncertainty
about whether consent is required to send a student's records to the
student's new school after the student has already transferred and
enrolled. This proposed exception to the consent requirement is
intended to ease administrative burdens on educational agencies and
institutions by allowing them to send transcripts and other information
from education records to schools where a student seeks or intends to
enroll without meeting the formal consent requirements in Sec. 99.30.
We have concluded that authority to disclose or transfer information to
a student's new school under this exception does not cease
automatically the moment a student has actually enrolled. Rather, an
educational agency or institution may transfer education records to a
student's new school, including a postsecondary institution, at any
point in time if the disclosure is in connection with the student's
enrollment in the new school.
Based on these considerations, we have also determined that an
educational agency or institution may update, correct, or explain
information it has disclosed to another educational agency or
institution as part of the original disclosure under Sec. 99.31(a)(2)
without complying with the written consent requirements in Sec. 99.30.
That is, a student's previous institution is not required to obtain
prior written consent under Sec. 99.30 to respond to the new
institution's request to explain the meaning of education records sent
to it in connection with a student's new enrollment.
Finally, in the aftermath of the shooting at Virginia Tech, some
questions have arisen about whether FERPA prohibits the disclosure of
certain types of information from students' education records to new
schools or postsecondary institutions to which they have applied.
(Further discussion of the tragic events that occurred at Virginia Tech
in April 2007 is included in the discussion of the proposed amendments
to Sec. 99.36, which appears later in this document.) Under Sec.
99.31(a)(2) and Sec. 99.34(a), FERPA permits school officials to
disclose any and all education records, including health and
disciplinary records, to another institution where the student seeks or
intends to enroll.

Section 99.31(a)(6) (Organizations Conducting Studies for or on Behalf
of an Educational Agency or Institution)

Statute: 20 U.S.C. 1232g(b)(1)(F) allows an educational agency or
institution to disclose personally identifiable information from
education records, without consent, to organizations conducting studies
for or on behalf of the agency or institution for purposes of testing,
student aid, and improvement of instruction. The information must be
protected so that students and their parents cannot be identified by
anyone other than representatives of the organization that conducts the
study and must be destroyed when no longer needed for the study. As
explained in Sec. 99.31(a)(6)(iii), failure to destroy information in
accordance with this requirement could lead to a five-year ban on
disclosure of information to that organization.
Current Regulations: The regulations restate the statutory language
that the study is conducted "for, or on behalf of" the educational
agency or institution, but do not explain what this language means.
Proposed Regulations: The proposed regulations require an
educational agency or institution that discloses education records
without consent under Sec. 99.31(a)(6) to enter into a written
agreement with the recipient organization that specifies the purposes
of the study. The agency or institution that discloses education
records under this exception does not have to agree with or endorse the
conclusions or results of the study. The written agreement must specify
that information from education records may only be used to meet the
purposes of the study stated in the written agreement and must contain
the current restrictions on redisclosure and destruction of information
requirements applicable to information disclosed under this exception.
Reasons: Research organizations have asked for clarification about
the circumstances in which an educational agency or institution may
disclose to them personally identifiable information from education
records under Sec. 99.31(a)(6)(iii), and educational agencies and
institutions have asked whether they may provide personally
identifiable information to organizations for research purposes without
parental consent even if the educational agency or institution has no
particular interest in the study.
This exception to the consent requirement is intended to allow
educational agencies and institutions to retain the services of outside
organizations (or individuals) to conduct studies for or on their
behalf to develop, validate, or administer predictive tests; administer
student aid programs; or improve instruction. An educational agency or
institution need not initiate research requests or agree with or
endorse a study's results and conclusions under this exception.
However, the statutory language "for, or on behalf of" indicates that
the disclosing agency or institution agrees with the purposes of the
study and retains control over the information from education records
that is disclosed.
[[Page 15582]]
The written agreement required under the proposed regulations will help
ensure that information from education records is used only to meet the
purposes of the study stated in the written agreement and that all
applicable requirements are met. (See discussion of Sec. 99.31(b)
below regarding disclosure of de-identified information to independent
educational researchers.)

Section 99.31(a)(9) (USA Patriot Act)

Statute: The USA Patriot Act, Public Law 107-56, amended FERPA by
providing a new subsection 1232g(j), 20 U.S.C. 1232g(j), that
authorizes the United States Attorney General (or designee not lower
than an Assistant Attorney General) to apply for an ex parte court
order (an order issued by a court without notice to an adverse party)
allowing the Attorney General (or designee) to collect education
records from an educational agency or institution, without the consent
or knowledge of the student or parent, that are relevant to an
investigation or prosecution of an offense listed in 18 U.S.C.
2332b(g)(5)(B) or an act of domestic or international terrorism
specified in 18 U.S.C. 2331. The statute requires the Attorney General
(or designee not lower than an Assistant Attorney General) to certify
facts in support of the order and to retain, disseminate, and use the
records in a manner that is consistent with confidentiality guidelines
established by the Attorney General in consultation with the Secretary
of Education. Agencies and institutions are not required to record the
disclosure and cannot be held liable to anyone for producing education
records in good faith in accordance with a court order issued under
this provision.
Current Regulations: The current regulations do not address the
amendments made by the USA Patriot Act.
Proposed Regulations: The proposed regulations add new exceptions
to the written consent requirement in Sec. 99.31(a)(9)(ii) and the
recordkeeping requirement in Sec. 99.32(a) allowing disclosure of
education records without notice in compliance with an ex parte court
order obtained by the Attorney General (or designee) concerning
investigations or prosecutions of an offense listed in 18 U.S.C.
2332b(g)(5)(B) or an act of domestic or international terrorism defined
in 18 U.S.C. 2331.
Reasons: The proposed regulations are necessary to implement the
statutory amendment. An educational agency or institution that is
served with an ex parte court order from the Attorney General (or
designee) under this provision should ensure that the order is facially
valid, just as it does when determining whether to comply with other
judicial orders and subpoenas under Sec. 99.31(a)(9). An educational
agency or institution is not, however, required or authorized to
examine the underlying certification of facts presented to the court in
the Attorney General's application for the ex parte court order.
The proposed regulations provide that an educational agency or
institution may comply with the court order without notice to the
parent or eligible student. (Note that Sec. 99.31(a)(9)(ii)(B) also
allows an educational agency or institution to disclose education
records without notice to representatives of the Attorney General or
other law enforcement authorities who produce a subpoena that has been
issued for law enforcement purposes and the court or other issuing
agency has ordered that the existence or contents of the subpoena or
information furnished in response to the subpoena not be disclosed.)

Section 99.31(a)(16) (Registered Sex Offenders)

Statute: The Campus Sex Crimes Prevention Act (CSCPA), section
1601(d) of the Victims of Trafficking and Violence Protection Act of
2000, Public Law 106-386, amended FERPA by adding 20 U.S.C.
1232g(b)(7), which provides that educational agencies and institutions
may disclose information concerning registered sex offenders provided
under State sex offender registration and community notification
programs required by section 170101 of the Violent Crime Control and
Law Enforcement Act of 1994, Public Law 103-322, 42 U.S.C. 14071.
Section 170101 contains the Jacob Wetterling Crimes Against Children
and Sexually Violent Offender Registration Act (Wetterling Act).
Current Regulations: The current regulations do not address the
disclosure of information concerning registered sex offenders.
Proposed Regulations: The proposed regulations add a new exception
to the consent requirement in Sec. 99.31(a)(16) that permits an
educational agency or institution to disclose information that the
agency or institution received under a State community notification
program about a student who is required to register as a sex offender
in the State. Note that nothing in FERPA or these proposed regulations
requires or encourages an educational agency or institution to collect
or maintain information about registered sex offenders.
Reasons: The regulations implement the CSCPA amendment to FERPA,
which allows educational agencies and institutions to disclose
information about registered sex offenders without consent if the
information was received through and complies with guidelines regarding
a State community notification program issued by the U.S. Attorney
General under the Wetterling Act. Wetterling Act guidelines issued by
the Attorney General were published in the Federal Register on October
25, 2002 (67 FR 65598), and January 5, 1999 (64 FR 572).
The Wetterling Act sets forth minimum national standards for sex
offender registration and community notification programs. Under the
Wetterling Act, States must establish programs that require sexually
violent predators (and anyone convicted of specified criminal offenses
against minors) to register their name and address with the appropriate
State authority where the offender lives, works, or is enrolled as a
student. States are also required to release relevant information
necessary to protect the public concerning persons required to
register, excluding the identity of any victim. (This community
notification provision is commonly known as the "Megan's Law"
amendment to the Wetterling Act.)
CSCPA supplemented the general standards for sex offender
registration and community notification programs in the Wetterling Act
with provisions specifically designed for higher education campus
communities. These include a requirement that States collect
information about a registered offender's enrollment or employment at
an institution of higher education, including any change in enrollment
or employment status at the institution, and make this information
available promptly to a campus police department or other appropriate
law enforcement agency having jurisdiction where the institution is
located. CSCPA also amended the Higher Education Act of 1965, as
amended (HEA), by requiring institutions of higher education to advise
the campus community where it can obtain information about registered
sex offenders provided by the State pursuant to the Wetterling Act,
such as the campus law enforcement office, a local law enforcement
agency, or a computer network address. See 20 U.S.C. 1092(f)(1)(I) and
34 CFR 668.46(b)(12).
While the FERPA amendment was made in the context of CSCPA's
enhancements to registration and
[[Page 15583]]
notification requirements applicable to the higher education community,
the Department has determined that all educational institutions,
including elementary and secondary schools, are covered by this
amendment. The registration and community notification requirements
apply in the State where an offender lives, works, or is a student,
which is defined as "a person who is enrolled on a full-time or part-
time basis, in any public or private educational institution, including
any secondary school, trade, or professional institution, or
institution of higher education." See 42 U.S.C. 14071(a)(3)(G).
Because the sex offender registration and community notification
requirements apply broadly to students enrolled in "any public or
private educational institution," the Department likewise interprets
the FERPA amendment to apply to all educational agencies and
institutions subject to FERPA.
4. De-Identification of Information (Sec. 99.31(b))
Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an
educational agency or institution may not have a policy or practice of
permitting the release of or providing access to education records, or
personally identifiable information from education records, without
prior written consent except in accordance with statutory exceptions.
Current Regulations: Personally identifiable information under
Sec. 99.3 includes personal identifiers such as a student's name,
address, and identification numbers, as well as personal
characteristics or other information that would make the student's
identity easily traceable.
Proposed Regulations: The proposed regulations would amend Sec.
99.31(b) to provide objective standards under which educational
agencies and institutions may release, without consent, education
records, or information from education records, that has been de-
identified through the removal of all personally identifiable
information. Personally identifiable information is defined in Sec.
99.3 to mean information that can be used to identify a student,
including direct identifiers, such as the student's name, SSN, and
biometric records, alone or combined with other personal or identifying
information that is linked or linkable to a specific individual,
including indirect identifiers such as the name of the student's parent
or other family member, the student's or family's address, and the
student's date and place of birth and mother's maiden name, that would
allow a reasonable person in the school or its community, who does not
have personal knowledge of the relevant circumstance, to identify the
student with reasonable certainty. The Department does not hold
educational agencies and institutions responsible for knowing the
status of all non-educational records about students (e.g., law
enforcement or hospital records). However, the Department encourages
educational agencies and institutions to be sensitive to publicly
available data on students and to the cumulative effect of disclosures
of student data. Additionally, personally identifiable information
includes information that is requested by a person who an agency or
institution reasonably believes has direct, personal knowledge of the
identity of the student to whom the education record directly relates.
This is known as a targeted request.
Reasons: Disclosure is defined in the regulations as permitting
access to or releasing, transferring, or otherwise communicating
personally identifiable information contained in education records.
Accordingly, there is no "disclosure" under FERPA when education
records are released if all identifiers have been removed, along with
other personally identifiable information. The proposed regulations are
needed to establish this guidance in a definitive and legally binding
interpretation, and to provide standards for ensuring that a student's
personally identifiable information is not disclosed.
The Department's November 18, 2004, letter to the Tennessee
Department of Education (TNDOE) explains that an educational agency or
institution may release for educational research purposes (without
parental consent) anonymous data files, i.e., records from which all
personally identifiable information has been removed but that have
coded each student's record with a non-personal identifier as described
in the letter. (Records or data that have been stripped of identifiers
and coded may be re-identified and, therefore, are properly
characterized as de-identified.) Under the guidance in the TNDOE
letter, a party must ensure that the identity of any student cannot be
determined in coded records, including assurances of sufficient cell
and subgroup size, and the linking key that connects the code to
student information must not be shared with the requesting entity.
The Department recognizes that the risk of disclosure of
identity or individual attributes in statistical information cannot be
completely eliminated, at least not without negating the utility of the
information, and that managing it is always a matter of analyzing and
balancing risk so that the risk of disclosure is very low. The reasonable certainty
standard in the proposed definition of personally identifiable
information requires such a balancing test. (Similarly, we are
proposing here to use the term "de-identified" instead of
"anonymous"--which appears in previous guidance--because it is more
consistent with terminology used by experts in the field and reflects
more accurately the level of disclosure risk that should be achieved.)
Many educational institutions have asked for guidance about how
they may disclose "redacted" education records that concern students
or incidents that are well-known in the school or its community. For
example, a school has suspended a student from school and given the
student a failing grade for cheating on a test. The parent believes the
discipline is too harsh and inconsistent with discipline given to other
students and asks to see the redacted records of other students who
have been disciplined for cheating on tests that year. Only one student
has been disciplined for this infraction during the year, and the name
of that student is widely known because her parents went to the media
about the accusation. The school may not release the record in redacted
form because the publicity has made the record personally identifiable.
Additionally, personally identifiable information includes
information that is requested by a person who an agency or institution
reasonably believes has direct, personal knowledge of the identity of
the student to whom the education record directly relates. This is
known as a targeted request. In the simplest case, if an individual
asks for the disciplinary report for a named student, the institution
may not release a redacted copy of the report because the requester
knows the identity of the student who is the subject of the report. An
individual can also make a targeted request without mentioning the
student's name. For example, a person running for local office is known
to have graduated from a particular university in 1978. Rumors
circulate that the candidate plagiarized other students' work while in
school. A local reporter asks the university for redacted disciplinary
records for all students who graduated in 1978 who were disciplined for
plagiarism. The university may not release the records in redacted form
because the circumstances indicate that the requester has made a
targeted request, i.e., has direct, personal
[[Page 15584]]
knowledge of the subject of the case. In another case, a local reporter
reviewed law enforcement unit records in October 2007 and learned that
a prominent high school athlete was under investigation for use of
illegal drugs. The newspaper published front-page articles about the
matter that same month. Thereafter, the reporter asked the student's
school for a redacted copy of all disciplinary records related to
illegal drug use by student athletes since October 2007. The school may
not release the records in redacted form because the reporter has made
a targeted request.
Clearly, extenuating circumstances sometimes cause identity to be
revealed even after all identifiers have been removed, whether in
aggregated or student-level data. In these situations, the key
consideration in determining whether the information is personally
identifiable is whether a reasonable person in the school or its
community, without personal knowledge of the relevant circumstances,
would be able to identify a student with reasonable certainty. The
Department is interested in receiving comments on the scope of the
"school or its community" limitation in the reasonable person
standard, and how it would apply to the release of redacted records as
well as statistical information, including information released by
State educational authorities and entities other than local districts
and institutions.
In regard to numerical or statistical information, several
educational agencies and institutions have expressed concern about the
public release of information that contains small data sets that may be
personally identifiable. We have advised States and schools generally
that they may not report publicly on the number of students of a
specified race, gender, disability, English language proficiency,
migrant status, or other condition who failed to graduate, received
financial aid, achieved certain test scores, etc., unless there is a
sufficient number of students in the defined category so that
personally identifiable information is not released. Some schools have
indicated, for example, that they would not disclose that two Hispanic,
female students failed to graduate, even if there are several Hispanic
females at the institution, because of the likelihood that the students
who failed to graduate could easily be identified in such a small data
set.
A review of data confidentiality issues, especially as concerns the
Federal statistical agencies, indicates that it is not possible to
prescribe a single method to apply in every circumstance to minimize
risk of disclosing personally identifiable information. This is true
for several reasons, including the wide variety of data compilations
and systems maintained by different agencies and institutions and the
different types of search requests they receive and data sets they wish
to disclose. More generally, and as indicated in the Federal Committee
on Statistical Methodology's Statistical Policy Working Paper 22
(available at http://www.fcsm.gov/working-papers/wp22.html),
educational agencies and institutions may wish to consider current
statistical, scientific and technological concepts, and standards when
making decisions about analyzing and minimizing the risk of disclosure
in statistical information. Consistent with that view, the Department
has consistently declined to take a categorical approach and advised
instead that the parties themselves are in the best position to analyze
and identify the best methods to use to protect the confidentiality of
their own data. See, for example, the September 25, 2003, letter to
Board of Regents of the University System of Georgia at
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/georgialtr.html; October
19, 2004, letter to Miami University at
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/unofmiami.html.
However, the Department recognizes that there are some practices
from the existing professional literature on disclosure limitation that
can assist covered entities in developing a sound approach to de-
identifying data for release, particularly when consultation with
professional statisticians with experience in disclosure limitation
methods is not feasible. Each of the items discussed in the following
subsection is elaborated on in Statistical Working Paper 22 for further
reference.
There are several steps that can assist with de-identifying any
data release. The choice of methods depends on the nature of the data
release that must be de-identified. First, covered entities should
recognize that the re-identification risk of any given release is
cumulative, i.e., directly related to what has previously been
released. Previous releases include both publicly-available directory
information and de-identified data releases. For example, if a publicly
available directory provides date and place of birth, then a de-
identified data release that also contains the same information for a
group of students could pose a re-identification risk if one of those
students has an unusual date and place of birth relative to others in
the data release.
Second, covered entities should minimize information released in
directories to the extent possible. The Department is not attempting to
limit the statutory authority available to covered entities in
releasing directory information, but recognizes that since the
statute's enactment, the risk of re-identification from such
information has grown as a result of new technologies and methods.
Third, covered entities should apply a consistent de-identification
strategy for all of their data releases of a similar type. The two major
types of data release are aggregated data (such as tables showing
numbers of enrolled students by race, age and sex) and microdata (such
as individual level student assessment results by grade and school).
There are several acceptable de-identification strategies for each type
of data. Major methods used by the Department for tabular data include
defining a minimum cell size (meaning no results will be released for
any cell of a table with a number smaller than "X" or else cells are
aggregated until no cells based on one or two cases remain) or
controlled rounding (meaning that cells with a number smaller than
"X" require that numbers in the affected rows and columns be rounded
so that the totals remain unchanged). For microdata releases, the
primary consideration is whether the proposed release contains any
"unique" individuals whose identity can be deduced by the combination
of variables in the file. If such a condition exists, there are a
number of methods that can be employed. These include "top coding" a
variable (e.g., test scores above a certain level are recoded to a
defined maximum), converting continuous data elements into categorical
data elements (e.g., creating categories that subsume unique cases) or
data swapping to introduce uncertainty so that the data user does not
know whether the real data values correspond to certain records.
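The following Python example is an added illustration of the methods described above; it is not part of the notice or of Department guidance. The threshold value, the sample counts, and the student rows are constructed assumptions. It also shows a caveat the paragraph does not state: a withheld cell can be recomputed when a row total is published alongside it.

```python
from collections import Counter, defaultdict

MIN_CELL = 3  # assumed value for the threshold "X"; the notice does not fix one

# --- Tabular data: minimum cell size ---------------------------------------
# Constructed counts of students who failed to graduate, keyed by (group, sex).
FAILED_TO_GRADUATE = {("A", "F"): 2, ("A", "M"): 14, ("B", "F"): 9, ("B", "M"): 11}


def suppress_small_cells(table, min_cell=MIN_CELL):
    """Withhold (None) every cell whose count is below the minimum cell size."""
    return {cell: (n if n >= min_cell else None) for cell, n in table.items()}


def recoverable_from_row_totals(suppressed, row_totals):
    """Return withheld cells that a reader can recompute by subtraction.

    If a row total is published and only one cell in that row is withheld,
    the withheld count equals the total minus the published cells.
    """
    rows = defaultdict(list)
    for (row, col), n in suppressed.items():
        rows[row].append(((row, col), n))
    leaked = {}
    for row, cells in rows.items():
        hidden = [cell for cell, n in cells if n is None]
        if len(hidden) == 1 and row in row_totals:
            shown = sum(n for _, n in cells if n is not None)
            leaked[hidden[0]] = row_totals[row] - shown
    return leaked


# --- Microdata: unique records, top coding, categories ---------------------
# Constructed student-level rows: (grade, sex, test score).
STUDENTS = [
    ("9", "F", 62), ("9", "F", 67), ("9", "F", 64),
    ("9", "M", 71), ("9", "M", 75), ("9", "M", 78),
    ("10", "F", 81), ("10", "F", 85), ("10", "F", 88),
    ("10", "M", 93), ("10", "M", 97), ("10", "M", 100),
]


def unique_records(rows):
    """Rows whose combination of variables occurs exactly once in the file."""
    counts = Counter(rows)
    return [r for r in rows if counts[r] == 1]


def top_code(rows, ceiling):
    """Recode scores above the ceiling to the ceiling ("top coding")."""
    return [(grade, sex, min(score, ceiling)) for grade, sex, score in rows]


def to_bands(rows, width):
    """Convert the continuous score into categories such as '90-99'."""
    out = []
    for grade, sex, score in rows:
        low = (score // width) * width
        out.append((grade, sex, f"{low}-{low + width - 1}"))
    return out


def deidentify(rows, ceiling=99, width=10):
    """Top code first, then band, so the highest scorer joins the top band."""
    return to_bands(top_code(rows, ceiling), width)


if __name__ == "__main__":
    suppressed = suppress_small_cells(FAILED_TO_GRADUATE)
    print("suppressed table:", suppressed)
    print("recoverable if row totals are published:",
          recoverable_from_row_totals(suppressed, {"A": 16, "B": 20}))
    print("unique rows, raw:", len(unique_records(STUDENTS)))
    print("unique rows, banded only:", unique_records(to_bands(STUDENTS, 10)))
    print("unique rows, top coded and banded:", unique_records(deidentify(STUDENTS)))
```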
The Department seeks public comment on whether it needs to develop
further guidance on this topic to assist educational agencies and
institutions.
Although FERPA does not contain a general "research" exception to
the consent requirement, the Department recognizes that useful and
valid educational research may be conducted using de-identified data
where disclosure of personally identifiable information from education
records would not be permissible under the limited standards of Sec.
99.31(a)(6) or
[[Page 15585]]
Sec. 99.31(a)(3), discussed above. This regulation should not be
interpreted to discourage de-identified data releases, but rather to
clarify how to do so in a manner that minimizes the risk of re-
identification. Accordingly, the proposed regulations are also needed
to provide a method that may be used by a school, school district,
state department of education, postsecondary institution or commission,
or another party that maintains education records to release student-
level or microdata for purposes of education research. We believe that
these standards establish an appropriate balance that facilitates
educational research and accountability while preserving the privacy
protections in FERPA.
In order to permit ongoing educational research with the same data,
the party that releases the information may attach a unique descriptor
to each de-identified record that will allow the recipient to match
other de-identified information received from the same source. However,
the recipient may not be allowed to have access to any information
about how the descriptor is generated and assigned, or that would allow
it to match the information from education records with data from any
other source, unless that data is de-identified and coded by the party
that discloses education records. Furthermore, a record descriptor
assigned for educational research purposes under this rule may not be
based on a student's social security number.
De-identified, student-level data released for educational research
purposes must still conform to the requirements discussed above
regarding small data sets that may lead to personal identification of
students. However, unlike information released in personally
identifiable form under Sec. Sec. 99.31(a)(3) and 99.31(a)(6), de-
identified information from education records is not subject to any
destruction requirements because, by definition, it is not "personally
identifiable information" under FERPA.
The Department cannot specify in general which statistical
disclosure limitation (SDL) methods should be used in any particular
case. However, educational agencies and institutions should monitor
releases of coded, de-identified microdata and take reasonable measures
to ensure that overlapping or successive releases do not result in data
sets in which a student's personally identifiable information is
disclosed.
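The following Python example is an added illustration of the record descriptor and of monitoring successive releases, both discussed above; it is not part of the notice or of Department guidance. The class and function names, the minimum class size, and the student rows are constructed assumptions. Each release passes the size check on its own, but a recipient who matches the two on the descriptor obtains combinations that do not.

```python
import secrets
from collections import Counter

MIN_CELL = 3  # assumed minimum class size; the notice does not fix a value
DIRECT_IDENTIFIERS = ("student_id", "name", "ssn")

# Constructed records (not real students).
STUDENTS = [
    {"student_id": "s1", "name": "Student One", "ssn": "000-00-0001",
     "grade": 9, "sex": "F", "program": "none"},
    {"student_id": "s2", "name": "Student Two", "ssn": "000-00-0002",
     "grade": 9, "sex": "F", "program": "none"},
    {"student_id": "s3", "name": "Student Three", "ssn": "000-00-0003",
     "grade": 9, "sex": "F", "program": "ESL"},
    {"student_id": "s4", "name": "Student Four", "ssn": "000-00-0004",
     "grade": 9, "sex": "M", "program": "ESL"},
    {"student_id": "s5", "name": "Student Five", "ssn": "000-00-0005",
     "grade": 9, "sex": "M", "program": "ESL"},
    {"student_id": "s6", "name": "Student Six", "ssn": "000-00-0006",
     "grade": 9, "sex": "M", "program": "none"},
]


class DescriptorRegistry:
    """Linking key kept by the releasing party and never given to recipients."""

    def __init__(self):
        self._linking_key = {}  # internal student_id -> random descriptor

    def descriptor_for(self, student_id):
        # Random, so it is not based on the SSN or any other attribute and
        # there is no generation rule for a recipient to learn.
        if student_id not in self._linking_key:
            self._linking_key[student_id] = secrets.token_hex(16)
        return self._linking_key[student_id]


def release(records, fields, registry):
    """Build one de-identified release: the chosen fields plus the descriptor."""
    bad = set(fields) & set(DIRECT_IDENTIFIERS)
    if bad:
        raise ValueError(f"direct identifiers cannot be released: {sorted(bad)}")
    return [
        {"descriptor": registry.descriptor_for(r["student_id"]),
         **{f: r[f] for f in fields}}
        for r in records
    ]


def join_releases(*releases):
    """What a recipient holding several releases can assemble by descriptor."""
    merged = {}
    for rel in releases:
        for row in rel:
            merged.setdefault(row["descriptor"], {}).update(row)
    return list(merged.values())


def small_classes(rows, min_cell=MIN_CELL):
    """Descriptors whose combination of values is shared by fewer than min_cell rows."""
    def combo(row):
        return tuple(sorted((k, v) for k, v in row.items() if k != "descriptor"))
    counts = Counter(combo(r) for r in rows)
    return sorted(r["descriptor"] for r in rows if counts[combo(r)] < min_cell)


if __name__ == "__main__":
    registry = DescriptorRegistry()
    first = release(STUDENTS, ["grade", "sex"], registry)
    second = release(STUDENTS, ["program"], registry)
    print("small classes in first release:", len(small_classes(first)))
    print("small classes in second release:", len(small_classes(second)))
    print("small classes after matching both:",
          len(small_classes(join_releases(first, second))))
```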
5. Identification and Authentication of Identity (Sec. 99.31(c))
Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an
educational agency or institution may not have a policy or practice of
releasing, permitting the release of, or providing access to any
personally identifiable information from education records without
written consent, except in accordance with specified statutory
exceptions.
Current Regulations: Current regulations do not address whether an
educational agency or institution must ensure that it has properly
identified a party to whom it discloses personally identifiable
information from education records.
Proposed Regulations: The proposed regulations in Sec. 99.31(c)
would require an educational agency or institution to use reasonable
methods to identify and authenticate the identity of parents, students,
school officials, and any other parties to whom the agency or
institution discloses personally identifiable information from
education records.
Reasons: The proposed regulations are needed to ensure that
educational agencies and institutions disclose personally identifiable
information from education records only to authorized recipients.
Identification in this context means determining who is the intended or
authorized recipient of the information in question; authentication of
identity means ensuring that the recipient is, in fact, who he or she
purports to be.
Identification of a party requesting disclosure of hard copy
education records is relatively simple--the responsible school official
can confirm the name and correct address for records sent by mail and
obtain photo identification for personal delivery of records to
students, parents, school officials, and other authorized recipients
who are not recognized personally by the custodian of the records.
Identification presents unique challenges in an electronic or
telephonic environment, where personal recognition and photo
identification cards are irrelevant.
Occasionally educational agencies and institutions disclose
education records to the wrong party because someone misaddresses an
envelope, or puts the wrong material in a properly addressed envelope.
This is a failure to properly identify the authorized recipient. More
commonly, parents and students complain that unauthorized parties
obtain access to the student's education records because agencies and
institutions use widely available information, such as name and date of
birth, or name and SSN or other student ID number, when providing
access to electronic records or disclosing information about a student
by telephone. This is a failure to properly authenticate identity.
These proposed regulations would address both of these problems.
Authentication of identity is a complex subject that continues to
advance as new methods and technologies are developed to meet evolving
standards for safeguarding financial, health, and other types of
electronic records. The proposed regulations allow an educational
agency or institution to use any reasonable method. As discussed above
in connection with controlling access to education records by school
officials, methods are considered reasonable if they reduce the risk of
unauthorized disclosure to a level that is commensurate with the likely
threat and potential harm and depend on a variety of factors, including
the organization's size and resources. The greater the harm that would
result from unauthorized access or disclosure, and consequently the
greater the likelihood that unauthorized access or disclosure will be
attempted, the more protections an agency or institution must use to
ensure that its methods are reasonable. Again, reasonableness depends
ultimately on what are the usual and customary good business practices
of educational agencies and institutions, which requires ongoing review
and modification of procedures, where appropriate, as standards and
technologies change.
Authentication of identity generally involves requiring a user to
provide something that only the user knows, such as a PIN, password, or
answer to a personal question; something that only the user has, such
as a smart card or token; or a biometric factor associated with no one
other than the user, such as a finger, iris, or voice print. Under the
proposed regulations an educational agency or institution may determine
that single-factor authentication, such as a standard form user name
combined with a secret PIN or password, is reasonable for protecting
access to electronic grades and transcripts. Single-factor
authentication may not be reasonable, however, for protecting access to
SSNs, credit card numbers, and similar information that could be used
for identity theft and financial fraud.
Likewise, an educational agency or institution must ensure that it
does not deliver a password, PIN, smart card, or
[[Page 15586]]
other factor used to authenticate identity in a manner that would allow
access to unauthorized recipients. For example, an agency or
institution may not make education records available electronically by
using a common form user name (e.g., last name and first name initial)
with date of birth or SSN, or a portion of the SSN, as an initial
password to be changed upon first use of the system.
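The following Python example is an added illustration of the two points above: counting authentication factors by kind, and refusing initial passwords built from widely available data. It is not part of the notice or of Department guidance. The factor requirements per data class, the function names, and the sample person are constructed assumptions that an institution would replace with its own determination.

```python
import re
import secrets
import string

# The three kinds of factor named in the notice.
FACTOR_KIND = {
    "password": "knows", "pin": "knows", "personal_question": "knows",
    "smart_card": "has", "token": "has",
    "finger_print": "is", "iris_print": "is", "voice_print": "is",
}

# Assumed institutional policy: distinct factor kinds required per data class.
REQUIRED_FACTORS = {"grades": 1, "transcript": 1, "ssn": 2, "credit_card": 2}

# Constructed sample person (not a real student).
PERSON = {
    "first_name": "Ana", "last_name": "Ruiz", "student_id": "S0042017",
    "date_of_birth": "1990-03-15", "ssn": "000-12-3456",
}


def distinct_factors(presented):
    """Count factor kinds, so a password plus a PIN is still one factor."""
    return len({FACTOR_KIND[p] for p in presented})


def access_allowed(data_class, presented):
    return distinct_factors(presented) >= REQUIRED_FACTORS[data_class]


def common_form_username(person):
    """Last name plus first initial, the common form the notice mentions."""
    return (person["last_name"] + person["first_name"][0]).lower()


def blocked_values(person):
    """Values an initial password must not contain: SSN, date of birth, names, IDs."""
    ssn = re.sub(r"\D", "", person["ssn"])
    y, m, d = person["date_of_birth"].split("-")  # ISO date, YYYY-MM-DD
    values = {
        ssn, ssn[-4:], ssn[-6:],
        y + m + d, m + d + y, d + m + y, m + d + y[2:], m + d, y,
        person["student_id"], person["first_name"], person["last_name"],
        common_form_username(person),
    }
    cleaned = {re.sub(r"[^0-9a-z]", "", v.lower()) for v in values}
    # Fragments shorter than four characters match too often to be useful.
    return {v for v in cleaned if len(v) >= 4}


def is_derivable(password, person):
    """True if the password is, or is built around, one of the blocked values."""
    normalized = re.sub(r"[^0-9a-z]", "", password.lower())
    return any(v in normalized for v in blocked_values(person))


def issue_initial_password(person, length=16):
    """Generate a random initial password that passes the derivability check."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_derivable(candidate, person):
            return candidate


if __name__ == "__main__":
    for pw in ("03151990", "3456", "Ruiz-3456!", issue_initial_password(PERSON)):
        print(repr(pw), "derivable:", is_derivable(pw, PERSON))
    print("ssn with password + pin:", access_allowed("ssn", ["password", "pin"]))
    print("ssn with password + token:", access_allowed("ssn", ["password", "token"]))
```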
6. Redisclosure of Education Records by Officials Listed in Sec.
99.31(a)(3) (Sec. 99.32, Sec. 99.35)
Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) permit an
educational agency or institution to disclose education records,
without prior written consent, to authorized representatives of the
United States Comptroller General, the Secretary of Education, State
and local educational authorities, and the U.S. Attorney General as
necessary in connection with the audit or evaluation of Federal and
State supported education programs, or in connection with the
enforcement of Federal legal requirements that relate to those
programs. Except when the collection of personally identifiable
information is specifically authorized by Federal law, personally
identifiable information of parents and students may not be redisclosed
to any other parties and must be destroyed when no longer needed for
such audit, evaluation or enforcement purposes.
In contrast, section 1232g(b)(4)(B) contains a general prohibition
on the redisclosure of information from education records. In
particular, by statute an educational agency or institution may
disclose personal information from education records only on the
condition that the recipient will not redisclose the information to any
other party without meeting the prior written consent requirement. If a
recipient rediscloses personally identifiable information from
education records in violation of the prior written consent
requirement, the agency or institution that disclosed the records may
not permit that recipient to have access to information from education
records for at least five years. There is no general destruction
requirement similar to the specific requirement for destruction of
personally identifiable information described above for records
disclosed for audit, evaluation, and enforcement purposes under section
1232g(b)(3).
Current Regulations: Section 99.31(a)(3) lists the four officials
or authorities that may receive education records, without consent, for
the specified audit, evaluation, or compliance and enforcement
purposes. The Department has interpreted the term "evaluation"
broadly to include all manner of studies, assessments, measurements,
appraisals, research, and other efforts, including analyses of
statistical or numerical data derived from education records. Section
99.35 provides that information disclosed under this exception to the
consent requirement must be protected in a manner that does not permit
personal identification of individuals by anyone except the officials
listed in Sec. 99.31(a)(3) and must be destroyed when no longer needed
for the audit, evaluation, or compliance and enforcement purposes,
unless a parent or eligible student consents to the disclosure or
Federal law specifically authorizes the collection of personally
identifiable information. Current regulations do not specify any
further conditions under which these officials or authorities may
redisclose personally identifiable information from education records
without prior written consent.
Section 99.33(c) establishes specific exceptions to the general
statutory prohibition on redisclosure of information from education
records under 20 U.S.C. 1232g(b)(4)(B). Section 99.33(b) also allows an
educational agency or institution to disclose education records with
the understanding that the recipient may make further disclosures of
the information on its behalf if the disclosures could be made under
Sec. 99.31 and the educational agency or institution complies with the
recordkeeping requirements specified in Sec. 99.32(b). Section
99.32(a) requires an educational agency or institution to maintain a
record of each request for access to and each disclosure of personally
identifiable information from the education records of each student. If
a recipient is authorized to make further disclosures of personally
identifiable information from education records under Sec. 99.33(b),
the educational agency or institution must record the names of the
additional parties to which the receiving party may disclose the
information on behalf of the educational agency or institution and
their legitimate interests under Sec. 99.31 in requesting or obtaining
the information. Each student's record of disclosures is an education
record that must be made available to a parent or eligible student
under Sec. 99.32(c). The Department has not applied the regulatory
exception in Sec. 99.33(b) to officials or authorities that receive
information under Sec. Sec. 99.31(a)(3) and 99.35 because of the more
specific statutory limitations, including the destruction requirement,
that generally apply to these disclosures.
Proposed Regulations: The proposed regulations in Sec. 99.35(b)(1)
would permit officials and authorities listed in Sec. 99.31(a)(3)(i)
to redisclose personally identifiable information from education
records under the same conditions, set forth in Sec. 99.33(b), that
apply to parties that receive personally identifiable information from
education records under other exceptions in Sec. 99.31. For example,
this proposed change would allow a State educational agency (SEA) to
use the exception in Sec. 99.31(a)(2) to transfer a student's
education records to a student's new school district on behalf of the
former district. Similarly, an SEA or other official listed in Sec.
99.31(a)(3) would be able to redisclose personally identifiable
information from education records received under Sec. 99.35 to an
accrediting agency under Sec. 99.31(a)(7); in response to a subpoena
or court order under Sec. 99.31(a)(9); or in connection with a health
or safety emergency under Sec. Sec. 99.31(a)(10) and 99.36. The
proposed regulations would also apply to the redisclosure of education
records by an SEA (or other official listed in Sec. 99.31(a)(3)) to
another listed official, such as the Secretary, for audit, evaluation,
or compliance and enforcement purposes under Sec. 99.35. The
regulations would also clarify that authority to conduct an audit,
evaluation, or compliance or enforcement activity is not conferred by
FERPA and must be established under other Federal, State, or local law,
including valid administrative regulations. Like redisclosures
permitted currently under Sec. 99.33(b), redisclosures made by
officials listed in Sec. 99.31(a)(3)(i) under the proposed amendment
would be subject to the recordation requirements in Sec. 99.32(b).
Reasons: School districts and postsecondary institutions typically
disclose education records, or personally identifiable information from
education records, to their SEA or State higher education authority,
without prior written consent, for audit, evaluation, or compliance and
enforcement purposes subject to the requirements of Sec. 99.35.
Several SEAs that maintain Statewide, consolidated systems for school
district records subject to Sec. 99.35 have questioned whether they
may allow a student's new school district to obtain access to
personally identifiable information from education records submitted to
the system by the student's former district. (Historically, when a
student transfers to a new school, the former school district sends the
student's education records to the student's new district,
[[Page 15587]]
without consent, under Sec. 99.31(a)(2).) Others have asked whether
records subject to Sec. 99.35 may be redisclosed in compliance with a
subpoena or court order and, if so, what conditions apply. States have
also asked about the operation of longitudinal data systems that
consolidate K-12 and postsecondary education records.
As noted elsewhere in this notice, there are no specific statutory
exceptions to either the prohibition on redisclosure of education
records disclosed under Sec. 99.31 or the more specific limitations
for records disclosed under Sec. 99.35. Accordingly, final regulations
published on June 17, 1976 (41 FR 24662) provided in Sec. 99.33(a)
that educational agencies and institutions must inform a third party to
whom personally identifiable information from education records is
disclosed that it may not redisclose any personally identifiable
information without the written consent of a parent or eligible
student. However, these regulations also added a provision in Sec.
99.33(b) that permits the agency or institution to disclose
personally identifiable information under Sec. 99.31 with the
understanding that the information will be redisclosed to other
parties under that section; Provided, That the recordkeeping
requirements of Sec. 99.32 are met with respect to each of those
parties.
41 FR 24662, 24679.
The Secretary recognizes that officials and authorities that
receive education records for audit, evaluation, compliance, or
enforcement purposes under Sec. Sec. 99.31(a)(3) and 99.35 are no less
capable of protecting the information against unauthorized access and
disclosure than parties that receive education records under other
exceptions in Sec. 99.31. The proposed amendment is needed so that
SEAs and other officials and authorities listed in Sec. 99.31(a)(3)(i)
may take advantage of the regulatory exception in Sec. 99.33(b) and
redisclose personally identifiable information from education records
directly to a qualified recipient under an exception in Sec. 99.31
instead of requiring that party to go to each school district or
institution that submitted the records for audit, evaluation,
compliance, or enforcement purposes. Similarly, the proposed
regulations are needed to clarify that an official or authority that
maintains personally identifiable information from education records
subject to Sec. 99.35 may redisclose that information to another
authority listed in Sec. 99.31(a)(3)(i) for another qualifying audit,
evaluation, compliance, or enforcement activity, notwithstanding the
limitations in Sec. 99.35.
The proposed regulations clarify that while FERPA permits the
disclosure and redisclosure of education records without consent to
officials and authorities listed in Sec. 99.31(a)(3)(i) for the
purposes specified, it does not confer or establish the underlying
authority for those officials and authorities to conduct an audit,
evaluation, or compliance or enforcement activity. If Federal, State,
or local law authorizes a particular entity to audit or evaluate the
education records, then FERPA permits the disclosure of personally
identifiable information for that purpose without consent. For example,
this exception allows a school district to disclose education records
to its own State department of education or other SEA because that
agency is legally authorized to audit or evaluate the school district's
education programs, or enforce Federal legal requirements related to
those programs. This exception does not allow a school district to
disclose education records to the State higher education authority
without parental consent unless that agency is empowered under Federal,
State or local law to conduct an audit, evaluation, or compliance or
enforcement activity with respect to that school district's education
programs. The legal authority to audit, evaluate, or enforce education
programs does not derive from FERPA itself.
These proposed regulations would also ensure that State and local
educational authorities may redisclose personally identifiable
information from education records in order to consolidate K-16
education records for audit, evaluation, compliance, or enforcement
purposes under Sec. 99.35(a). For example, under the proposed
regulations, a State's postsecondary or higher education authority may
redisclose personally identifiable information from the education
records it maintains to a consolidated data system operated by the SEA
if the SEA is legally authorized to conduct an audit, evaluation,
compliance, or enforcement activity of postsecondary education
programs. Likewise, an SEA may redisclose personally identifiable
information from K-12 education records to a consolidated database
operated by a State's higher education authority if the higher
education authority is legally authorized to conduct the audit,
evaluation, compliance, or enforcement activity of K-12 educational
programs.
As noted above, disclosures under Sec. 99.33(b) are based on an
understanding on the part of the educational agency or institution that
the recipient will redisclose information to specified recipients on
its behalf subject to the recordation requirements in Sec. 99.32(b).
The Department is interested in relieving any administrative burdens
associated with recording disclosures of education records and,
therefore, invites public comment on whether an SEA, the Department, or
other official or agency listed in Sec. 99.31(a)(3) should be allowed
to maintain the record of the redisclosures it makes on behalf of an
educational agency or institution under Sec. 99.32(b).
7. Limitations on the Redisclosure of Information From Education
Records (Sec. 99.33)
Section 99.31(a)(9) (Subpoenas and Court Orders)
Statute: 20 U.S.C. 1232g(b)(4)(B) provides that an educational
agency or institution may disclose personally identifiable information
from education records to a third party only on the condition that the
recipient will not redisclose the information to anyone else without
written consent of the parent or eligible student. If a third party
outside the educational agency or institution permits access to
information without written consent of a parent or eligible student as
required under 20 U.S.C. 1232g(b)(2)(A), the educational agency or
institution may not permit access to information from education records
by that third party for a period of not less than five years. There is
no specific statutory exception to the prohibition on redisclosure of
personally identifiable information from education records.
20 U.S.C. 1232g(b)(2)(B) provides that an educational agency or
institution may disclose personally identifiable information without
consent if the information is furnished in compliance with a judicial
order or any lawfully issued subpoena, upon the condition that parents
and students are notified in advance of compliance. Advance notice is
not required for certain Federal grand jury subpoenas and subpoenas
issued for law enforcement purposes. 20 U.S.C. 1232g(b)(1)(J).
Current Regulations: Section 99.33(a)(1) permits an educational
agency or institution to disclose personally identifiable information
from education records only on the condition that the recipient will
not redisclose the information to any other party without the prior
consent of the parent or eligible student. Section 99.33(b) provides
for an exception to this general rule. Specifically, under Sec.
99.33(b), an educational agency or institution may
[[Page 15588]]
disclose personally identifiable information from education records
with the understanding that the party receiving the information may
make further disclosures on behalf of the educational agency or
institution if the disclosures meet the requirements of Sec. 99.31(a)
and the educational agency or institution complies with the
recordkeeping requirements in Sec. 99.32(b). Under Sec. 99.33(e), if
the Office determines that a third party improperly rediscloses
personally identifiable information from education records in violation
of the prohibition on redisclosure in Sec. 99.33(a), subject to the
provisions of Sec. 99.33(b), the educational agency or institution may
not allow that third party access to personally identifiable
information from education records for at least five years.
Section 99.31(a)(9) permits an educational agency or institution to
disclose personally identifiable information from education records
without consent in compliance with a judicial order or lawfully issued
subpoena, provided that the agency or institution makes a reasonable
effort to notify the parent or eligible student of the order or
subpoena in advance of compliance so that the parent or eligible
student may seek protective action. Notification is not required for
certain grand jury and law enforcement subpoenas.
Proposed Regulations: The proposed regulations in Sec. 99.33(b)(2)
would require a party that has received personally identifiable
information from education records from an educational agency or
institution, including an SEA or other official listed in Sec.
99.31(a)(3)(i), to provide the notice to parents and eligible students,
if any, required under Sec. 99.31(a)(9) before it rediscloses
personally identifiable information from the records on behalf of an
educational agency or institution in compliance with a judicial order
or lawfully issued subpoena, as authorized under Sec. 99.33(b).
Reasons: Section 99.33(b) allows a party to redisclose personally
identifiable information under Sec. 99.31(a) on behalf of an
educational agency or institution, including redisclosure in compliance
with a judicial order or lawfully issued subpoena under Sec.
99.31(a)(9). (As noted above, the proposed amendments to Sec. 99.35
would extend this authority to SEAs and other officials and agencies
listed in Sec. 99.31(a)(3)(i).) The proposed regulations are needed to
clarify which party is responsible for notifying parents and eligible
students before an SEA or other third party outside of the educational
agency or institution complies with a judicial order or subpoena to
redisclose personally identifiable information from education records.
The Secretary believes that the party that has been ordered to produce
the information should be responsible for ensuring that the parent or
eligible student has been notified because the educational agency or
institution has no control over whether and when that party will
comply. The penalty in Sec. 99.33(e) would prohibit an educational
agency or institution from providing access to any third party that
fails to provide reasonable notice to parents and eligible students
before complying with a judicial order or lawfully issued subpoena.
Disclosures Required Under the Clery Act
Statute: 20 U.S.C. 1232g(b)(4)(B) provides that an educational
agency or institution may disclose personally identifiable information
from education records to a third party only on the condition that the
recipient will not redisclose the information to anyone else without
written consent of the parent or eligible student. 20 U.S.C.
1232g(b)(6)(B) allows a postsecondary institution to disclose to any
party, without consent, the final results of a disciplinary proceeding
against a student for crimes of violence or non-forcible sex offenses
if the institution determines as a result of the disciplinary
proceeding that the student committed the violation in question. 20
U.S.C. 1232g(b)(6)(A) allows a postsecondary institution to disclose to
the alleged victim the final results of disciplinary proceedings
against a student for crimes of violence or non-forcible sex offenses
regardless of the outcome. The Jeanne Clery Disclosure of Campus
Security Policy and Campus Crime Statistics Act (Clery Act), which
amended the HEA, requires postsecondary institutions to inform both the
accuser and the accused of the outcome of a campus disciplinary
proceeding brought alleging a sexual assault regardless of the outcome.
20 U.S.C. 1092(f)(8)(B)(iv)(II); 34 CFR 668.46(b)(11)(vi)(B).
Current Regulations: Regulations implementing the Clery Act, 34 CFR
Sec. 668.46(b)(11)(iv)(B), require postsecondary institutions to
inform both the accuser and the accused of the outcome of any
institutional disciplinary proceeding brought alleging a sex offense.
Under this provision the outcome of a disciplinary proceeding means
only the institution's final determination with respect to the alleged
sex offense and any sanction that is imposed against the accused.
Section 99.33(a) permits an educational agency or institution to
disclose personally identifiable information from education records
only on the condition that the recipient will not redisclose the
information to any other party without the prior consent of the parent
or eligible student. Section 99.33(c) excludes from the statutory
prohibition on redisclosure information that an educational agency or
institution may disclose without consent to any member of the public,
such as directory information under Sec. 99.31(a)(11) and the final
results of a disciplinary proceeding for acts constituting crimes of
violence or non-forcible sex offenses under Sec. 99.31(a)(14) when a
postsecondary institution has determined that the student committed the
violation in question. Current regulations in Sec. 99.33(c) do not
exclude from the redisclosure prohibition disclosures made by
postsecondary institutions to an alleged victim of a crime of violence
or non-forcible sex offense under Sec. 99.31(a)(13) or disclosures
they are required to make under the Clery Act.
Proposed Regulations: The proposed regulations would amend Sec.
99.33(c) to exclude from the statutory prohibition on redisclosure of
education records information that postsecondary institutions are
required to disclose under the Clery Act to the accuser and accused
regarding the outcome of any campus disciplinary proceeding brought
alleging a sexual offense.
Reasons: Some postsecondary institutions have required the accuser
to execute a non-disclosure agreement before they disclose the outcome
of a disciplinary proceeding for an alleged sexual offense as required
under the Clery Act. In analyzing and ruling on these practices, the
Department determined that the statutory prohibition on redisclosure of
information from education records in FERPA does not apply to
information that a postsecondary institution is required to release to
students under the Clery Act. The proposed regulations would clarify
that postsecondary institutions may not require the accuser to execute
a non-disclosure agreement or otherwise interfere with the redisclosure
or other use of information disclosed as required under the Clery Act.
8. Health and Safety Emergencies (Sec. 99.36)
Section 99.36(c) (Conditions That Apply to Disclosure of Information in
Health and Safety Emergencies)
Statute: Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or
institution may disclose personally
[[Page 15589]]
identifiable information from education records without prior written
consent, subject to regulations by the Secretary, in connection with an
emergency to appropriate persons if the knowledge of such information
is necessary to protect the health or safety of the student or other
persons.
Current regulations: Under Sec. 99.36(a), an educational agency or
institution may disclose personally identifiable information from
education records to appropriate parties in connection with an
emergency if knowledge of the information is necessary to protect the
health or safety of the student or other individuals. Under Sec.
99.36(b), educational agencies and institutions may include in a
student's education records appropriate information concerning
disciplinary action taken against the student for conduct that posed a
significant risk to the safety or well-being of that student, other
students, or other members of the school community. Educational
agencies and institutions may also disclose appropriate information
about these kinds of disciplinary actions to teachers and school
officials within the agency or institution or in other schools who have
legitimate educational interests in the behavior of the student. Under
Sec. 99.36(c), all of these regulatory provisions must be strictly
construed.
Proposed regulations: The Department proposes to revise Sec.
99.36(c) to remove the language requiring strict construction of this
exception and add a provision that in making a determination under
Sec. 99.36(a), an educational agency or institution may take into
account the totality of the circumstances pertaining to a threat to the
safety or health of a student or other individuals. If the educational
agency or institution determines that there is an articulable and
significant threat to the health or safety of a student or other
individuals, it may disclose information from education records to any
person whose knowledge of the information is necessary to protect the
health and safety of the student or other individuals. If, based on the
information available at the time of the determination, there is a
rational basis for the determination, the Department will not
substitute its judgment for that of the educational agency or
institution in evaluating the circumstances and making its
determination.
Reasons: In the wake of the tragic shootings at Virginia Tech, the
President directed the Secretary, together with the Secretary of Health
and Human Services and the Attorney General, to travel to communities
across the nation and to meet with educators, mental health experts,
law enforcement and State and local officials to discuss the broader
issues raised by the tragedy. On June 13, 2007, those officials
transmitted a "Report to the President on Issues Raised by the
Virginia Tech Tragedy." See http://www.hhs.gov/vtreport.html. In
relevant part, the report provided:
A consistent theme and broad perception in our meetings was that
this confusion and differing interpretations about state and federal
privacy laws and regulations impede appropriate information sharing.
In some sessions, there were concerns and confusion about the
potential liability of teachers, administrators, or institutions
that could arise from sharing information, or from not sharing
information, under privacy laws, as well as laws designed to protect
individuals from discrimination on the basis of mental illness. It
was almost universally observed that these fears and
misunderstandings likely limit the transfer of information in more
significant ways than is required by law. Particularly, although
participants in each state meeting were aware of both [the Health
Insurance Portability and Accountability Act of 1996 (HIPAA)] and
FERPA, there was significant misunderstanding about the scope and
application of these laws and their interrelation with state laws.
In a number of discussions, participants reported circumstances in
which they incorrectly believed that they were subject to liability
or foreclosed from sharing information under federal law. Other
participants were unsure whether and how HIPAA and FERPA actually
limit or allow information to be shared and unaware of exceptions
that could allow relevant information to be shared.
Report at page 7. The report went on to charge the Department with
certain specific recommended actions:
The U.S. Departments of Health and Human Services and Education
should develop additional guidance that clarifies how information
can be shared legally under HIPAA and FERPA and disseminate it
widely to the mental health, education, and law enforcement
communities. The U.S. Department of Education should ensure that
parents and school officials understand how and when post-secondary
institutions can share information on college students with parents.
In addition, the U.S. Departments of Education and Health and Human
Services should consider whether further actions are needed to
balance more appropriately the interests of safety, privacy, and
treatment implicated by FERPA and HIPAA.
Report at page 8 (italics in original). The Department of Education and
the Department of Health and Human Services a