FR Doc E8-5790[Federal Register: March 24, 2008 (Volume 73, Number 57)]
[Proposed Rules]
[Page 15573-15602]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr24mr08-20]
Download: 
-----------------------------------------------------------------------
[[Page 15573]]
-----------------------------------------------------------------------
Part II
Department of Education
-----------------------------------------------------------------------
34 CFR Part 99
Family Educational Rights and Privacy; Proposed Rule
[[Page 15574]]
-----------------------------------------------------------------------
DEPARTMENT OF EDUCATION
34 CFR Part 99
RIN 1855-AA05
[Docket ID ED-2008-OPEPD-0002]
Family Educational Rights and Privacy
AGENCY: Office of Planning, Evaluation, and Policy Development,
Department of Education.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Secretary proposes to amend the regulations governing
education records maintained by educational agencies and institutions
under section 444 of the General Education Provisions Act, which is
also known as the Family Educational Rights and Privacy Act of 1974, as
amended (FERPA). These proposed regulations are needed to implement
amendments to FERPA contained in the USA Patriot Act and the Campus Sex
Crimes Prevention Act, to implement two U.S. Supreme Court decisions
interpreting FERPA, and to make necessary changes identified as a
result of the Department's experience administering FERPA and current
regulations. These changes would clarify permissible disclosures to
parents of eligible students and conditions that apply to disclosures
in health and safety emergencies; clarify permissible disclosures of
student identifiers as directory information; allow disclosures to
contractors and other outside parties in connection with the
outsourcing of institutional services and functions; revise the
definitions of attendance, disclosure, education records, personally
identifiable information, and other key terms; clarify permissible
redisclosures by State and Federal officials; and update investigation
and enforcement provisions.
DATES: We must receive your comments on or before May 8, 2008.
ADDRESSES: Submit your comments through the Federal eRulemaking Portal
or via postal mail, commercial delivery, or hand delivery. We will not
accept comments by fax or by e-mail. Please submit your comments only
one time, in order to ensure that we do not receive duplicate copies.
In addition, please include the Docket ID at the top of your comments.
Federal eRulemaking Portal: Go to http://www.regulations.gov. Under
``Search Documents'' go to ``Optional Step 2'' and select ``Department
of Education'' from the agency drop-down menu; then click ``Submit.''
In the Docket ID column, select ED-2008-OPEPD-0002 to add or view
public comments and to view supporting and related materials available
electronically. Information on using Regulations.gov, including
instructions for submitting comments, accessing documents, and viewing
the docket after the close of the comment period, is available through
the site's ``User Tips'' link.
Postal Mail, Commercial Delivery, or Hand Delivery. If you mail or
deliver your comments about these proposed regulations, address them to
LeRoy S. Rooker, U.S. Department of Education, 400 Maryland Avenue,
SW., room 6W243, Washington, DC 20202-5920.
Privacy Note: The Department's policy for comments received from
members of the public (including those comments submitted by mail,
commercial delivery, or hand delivery) is to make these submissions
available for public viewing in their entirety on the Federal
eRulemaking Portal at http://www.regulations.gov. Therefore,
commenters should be careful to include in their comments only
information that they wish to make publicly available on the
Internet.
FOR FURTHER INFORMATION CONTACT: Frances Moran, U.S. Department of
Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 20202-
8250. Telephone: (202) 260-3887.
If you use a telecommunications device for the deaf (TDD), you may
call the Federal Relay Service (FRS) at 1-800-877-8339.
Individuals with disabilities may obtain this document in an
alternative format (e.g., Braille, large print, audiotape, or computer
diskette) on request to the contact person listed under FOR FURTHER
INFORMATION CONTACT.
Invitation To Comment
We invite you to submit comments and recommendations regarding
these proposed regulations. To ensure that your comments have maximum
effect in developing the final regulations, we urge you to identify
clearly the specific section or sections of the proposed regulations
that each of your comments addresses and to arrange your comments in
the same order as the proposed regulations.
We invite you to assist us in complying with the specific
requirements of Executive Order 12866 and its overall requirement of
reducing regulatory burden that might result from these proposed
regulations. Please let us know of any further opportunities we should
take to reduce potential costs or increase potential benefits while
preserving the effective and efficient administration of the program.
During and after the comment period, you may inspect all public
comments about these proposed regulations in room 6W243, 400 Maryland
Avenue, SW., Washington, DC, between the hours of 8:30 a.m. and 4 p.m.
Eastern time, Monday through Friday of each week except Federal
holidays. Public comments may also be inspected at www.regulations.gov.
Assistance to Individuals With Disabilities in Reviewing the Rulemaking
Record
On request, we will supply an appropriate aid to an individual with
a disability who needs assistance to review the comments or other
documents in the public rulemaking record for these proposed
regulations. If you want to schedule an appointment for this type of
aid, please contact the person listed under FOR FURTHER INFORMATION
CONTACT.
Background
These proposed regulations would implement section 507 of the
Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism (USA Patriot Act) of 2001
(Pub. L. 107-56), enacted Oct. 26, 2001, and the Campus Sex Crimes
Prevention Act, section 1601(d) of the Victims of Trafficking and
Violence Protection Act of 2000 (Pub. L. 106-386), enacted Oct. 28,
2000, both of which amended FERPA. The proposed regulations also would
implement the U.S. Supreme Court's decisions in Owasso Independent
School Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso) and
Gonzaga University v. Doe, 536 U.S. 273 (2002) (Gonzaga). Finally, the
proposed regulations respond to changes in information technology and
address other issues identified through the Department's experience
administering FERPA, including the need to clarify how postsecondary
institutions may share information with parents and other parties in
light of the tragic events at Virginia Tech in April 2007. The
Department has developed these proposed regulations in accordance with
its ``Principles for Regulating,'' which are intended to ensure that
the Department regulates in the most flexible, equitable, and least
burdensome way possible. These proposed regulations seek to provide the
greatest flexibility to State and local governments and schools while
ensuring that personally identifiable information about students
remains protected from unauthorized disclosure.
Technical Corrections
The proposed regulations correct Sec. 99.33(e) by adding the
statutory
[[Page 15575]]
language ``outside the educational agency or institution'' after the
words ``third party'' in the first sentence. They also correct an error
in the section number cited in Sec. 99.34(a)(1)(ii).
Significant Proposed Regulations
We discuss substantive issues under the sections of the proposed
regulations to which they pertain. Generally, we do not address
proposed regulatory provisions that are technical or otherwise minor in
effect.
1. Definitions (Sec. 99.3)
Attendance
Statute: 20 U.S.C. 1232g(a)(6) defines the term student as any
person with respect to whom an educational agency or institution
maintains education records or personally identifiable information but
does not include a person who has not been in attendance at such agency
or institution. The statute does not define attendance.
Current Regulations: As defined in the current regulations, the
term attendance includes attendance in person or by correspondence, and
the period during which a person is working under a work-study program.
The current definition does not address the status of distance learners
who are taught through the use of electronic information and
telecommunications technologies.
Proposed Regulations: The proposed regulations in Sec. 99.3 would
add attendance by videoconference, satellite, Internet, or other
electronic information and telecommunications technologies for students
who are not physically present in the classroom.
Reasons: The proposed regulations are needed to clarify that
students who are not physically present in the classroom may attend an
educational agency or institution not only through traditional
correspondence courses but through advanced electronic information and
telecommunications technologies used for distance education, such as
videoconferencing, satellite, and Internet-based communications.
Directory Information
Statute: 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2) allows
disclosure without consent of information such as a student's name and
address, telephone listing, date and place of birth, major field of
study, etc., defined as directory information, provided that specified
notice and opt out conditions have been met.
Current Regulations: Directory information is defined in Sec. 99.3
as information contained in an education record of a student that would
not generally be considered harmful or an invasion of privacy if
disclosed, and includes information listed in FERPA (e.g., a student's
name and address, telephone listing) as well as other information, such
as a student's electronic mail (e-mail) address, enrollment status, and
photograph. Current regulations do not specify whether a student's
Social Security Number (SSN), official student identification (ID)
number, or personal identifier for use in electronic systems may be
designated and disclosed as directory information.
Proposed Regulations: The proposed regulations would provide that
an educational agency or institution may not designate as directory
information a student's SSN or other student ID number. However,
directory information may include a student's user ID or other unique
identifier used by the student to access or communicate in electronic
systems, but only if the electronic identifier cannot be used to gain
access to education records except when used in conjunction with one or
more factors that authenticate the student's identity, such as a
personal identification number (PIN), password, or other factor known
or possessed only by the student.
Reasons: SSNs and other student ID numbers are personal identifiers
that are typically used for identification purposes in order to
establish an account, gain access to or confirm private information,
obtain services, etc. The proposed regulations are needed to ensure
that educational agencies and institutions do not disclose these
identifiers as directory information, or include them with other
personally identifiable information that may be disclosed as directory
information, because SSNs and other student ID numbers can be used to
impersonate the owner of the number and obtain information or services
by fraud. The proposed regulations are also needed to clarify that
unique personal identifiers used for electronic communications may be
disclosed as directory information under certain conditions.
Names and addresses are personal identifiers (and personally
identifiable information under Sec. 99.3) that have always been
available for disclosure as directory information under FERPA because
they are generally known to others and often appear in public
directories outside the school context. (It is precisely because names
and addresses are widely available that they may not be used to
authenticate identity, as discussed below in connection with proposed
Sec. 99.31(c).) SSNs and other student ID numbers are also personal
identifiers and personally identifiable information under Sec. 99.3.
Unlike names and addresses, SSNs and other student ID numbers are
typically used to obtain a variety of non-public information about an
individual, such as employment, credit, financial, health, motor
vehicle, and educational information, that would be harmful or an
invasion of privacy if disclosed. An SSN or other student ID number can
also be used in conjunction with commonly available information, such
as name, address, and date of birth, to establish fraudulent accounts
and otherwise impersonate an individual. As a result, under the
proposed regulations, SSNs and other student ID numbers may not be
designated and disclosed as directory information.
Educational agencies and institutions have reported to us that in
addition to needing a traditional student ID number (or SSN used as a
student ID number), they need to identify or assign to students a
unique electronic identifier that can be made available publicly.
(Names are generally not appropriate for these purposes because they
may not be unique to the population.) Unique electronic identifiers are
needed, for example, for students to be able to use portals or single
sign-on approaches to student information systems that provide access
to class registration, academic records, library resources, and other
student services. Much of the directory-based software used for these
systems, as well as protocols for electronic collaboration by students
and teachers within and among institutions, essentially cannot function
without making an individual's user ID or other electronic identifier
publicly available in these kinds of systems.
Some systems, for example, require users to log on with their e-
mail address or other published user name or account ID. (Note that a
student's e-mail address was added to the regulatory definition of
directory information in the final regulations published on July 6,
2000 (65 FR 41852, 41855). Public key infrastructure (PKI) technology
for encryption and digital signatures also requires wide dissemination
of the sender's public key. These are the types of circumstances in
which educational agencies and institutions may need to publish or
disclose a student's unique electronic identifier.
The proposed regulations would permit disclosure of a student's
user ID or other electronic identifier as directory information, but
only if the identifier functions essentially as a name; that is, the
identifier is not used by itself to authenticate identity and cannot be
[[Page 15576]]
used by itself to gain access to education records. A unique electronic
identifier disclosed as directory information may be used to provide
access to the student's education records, but only when combined with
other factors known only to the authorized user (student, parent, or
school official), such as a secret password or PIN, or some other
method to authenticate the user's identity and ensure that the user is,
in fact, a person authorized to access the records.
Note that eligible students and parents have a right under FERPA to
opt out of directory information disclosures and refuse to allow the
student's e-mail address, user ID or other electronic identifier
disclosed as directory information (except as provided in proposed
Sec. 99.37(c), discussed elsewhere in this document). This is similar
to a decision not to participate in an institution's paper-based
student directory, yearbook, commencement program, etc. In these cases,
the student or parent will not be able to take advantage of the
services, such as portals for class registration, academic records,
etc., provided solely through the electronic communications or software
that require public disclosure of the student's unique electronic
identifier.
Disclosure
Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provides that an
educational agency or institution subject to FERPA may not have a
policy or practice of releasing, permitting the release of, or
providing access to personally identifiable information from education
records without prior written consent.
Current Regulations: The regulations in Sec. 99.3 define the term
disclosure to mean permitting access to or the release, transfer, or
other communication of personally identifiable information from
education records to any party by any means. The regulations do not
address issues relating to the return of records to the party that
provided or created them.
Proposed Regulations: The proposed regulations would exclude from
the definition of disclosure the release or return of an education
record, or personally identifiable information from an education
record, to the party identified as the party that provided or created
the record. This would allow an educational agency or institution
(School B) to send a transcript, letter of recommendation, or other
record that appears to have been falsified back to the institution or
school official identified as the creator or sender of the record
(School A) for confirmation of its status as an authentic record.
School A may confirm or deny that the record is accurate and send the
correct version back to School B under Sec. 99.31(a)(2), which allows
an institution to disclose education records without prior written
consent to an institution in which the student seeks or intends to
enroll, or is already enrolled.
The proposed regulations would also permit a State or local
educational authority or other entity to redisclose education records
or personally identifiable information from education records, without
consent, to the school district, institution, or other party that
provided the records or information.
Reasons: School officials have reported to the Department that they
are receiving with more frequency what appear to be falsified
transcripts, letters of recommendation, and other information about
students from educational agencies and institutions. The proposed
amendment is needed to verify the accuracy of this type of information
and to ensure that the privacy protections in FERPA are not used to
shield or prevent detection of fraud.
Several State educational agencies (SEAs) that maintain
consolidated student records systems have also expressed uncertainty
whether they may allow a local school district to obtain access to
personally identifiable information from education records provided to
the SEA by that district. The amendment is needed to clarify that SEAs
and other parties that maintain education records provided by school
districts and other educational agencies and institutions may allow a
party to obtain access to the specific records and information that the
party provided to the consolidated student records system.
Education Records
Statute: 20 U.S.C. 1232g(a)(4) provides a broad, general definition
of education records that includes all records that are directly
related to a student and maintained by an educational agency or
institution. Student, in turn, is defined in 20 U.S.C. 1232g(a)(6) to
exclude individuals who have not been in attendance at the agency or
institution.
Current Regulations: The definition of education records in Sec.
99.3 excludes records that only contain information about an individual
after he or she is no longer a student.
Proposed Regulations: The proposed regulations would clarify that,
with respect to former students, the term education records excludes
records that are created or received by the educational agency or
institution after an individual is no longer a student in attendance
and are not directly related to the individual's attendance as a
student.
Reasons: Institutions have told us that there is some confusion
about the provision in the definition of education records that
excludes certain alumni records from the definition. Some schools have
mistakenly interpreted this provision to mean that any record created
or received after a student is no longer enrolled is not an education
record under FERPA. The proposed regulations are needed to clarify that
the exclusion is intended to cover records that concern an individual
or events that occur after the individual is no longer a student in
attendance, such as alumni activities. The exclusion is not intended to
cover records that are created and matters that occur after an
individual is no longer in attendance but that are directly related to
his or her previous attendance as a student, such as a settlement
agreement that concerns matters that arose while the individual was in
attendance as a student.
Statute: The statute does not address peer-grading practices in
relation to FERPA requirements.
Current Regulations: The definition of education records includes
records that are maintained by an educational agency or institution, or
a party acting for the educational agency or institution, but does not
provide any guidance on the status of student-graded tests and
assignments before they have been collected and recorded by a teacher.
Proposed Regulations: Proposed regulations in Sec. 99.3 would
clarify that peer-graded papers that have not been collected and
recorded by a teacher are not considered maintained by an educational
agency or institution and, therefore, are not education records under
FERPA.
Reasons: The proposed regulations are needed to implement the U.S.
Supreme Court's decision on peer-graded papers in Owasso. ``Peer-
grading'' refers to a common educational practice in which students
exchange and grade one another's papers and then either call out the
grade or turn in the work to the teacher for recordation. In Owasso,
the Court held that this practice does not violate FERPA because ``the
grades on students' papers would not be covered under FERPA at least
until the teacher has collected them and recorded them in his or her
grade book.'' Owasso, 534 U.S. at 436.
[[Page 15577]]
Personally Identifiable Information
Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an
educational agency or institution may not have a policy or practice of
permitting the release of or providing access to education records or
any personally identifiable information other than directory
information in education records without prior written consent except
in accordance with statutory exceptions.
Current Regulations: The term personally identifiable information
is defined in Sec. 99.3 to include the student's name and other
personal identifiers, such as the student's social security number or
student number. Current regulations also include indirect identifiers,
such as the name of the student's parent or other family members; the
address of the student or the student's family; and personal
characteristics or other information that would make the student's
identity easily traceable.
Proposed Regulations: The proposed regulations would add biometric
record to the list of personal identifiers and add other indirect
identifiers, such as date and place of birth and mother's maiden name,
to the list of personally identifiable information. The regulations
would remove language about personal characteristics and other
information that would make the student's identity easily traceable and
provide instead that personally identifiable information includes other
information that, alone or in combination, is linked or linkable to a
specific student that would allow a reasonable person in the school or
its community, who does not have personal knowledge of the relevant
circumstances, to identify the student with reasonable certainty.
Personally identifiable information would also include information
requested by a person who the educational agency or institution
reasonably believes has direct, personal knowledge of the identity of
the student to whom the education record directly relates.
Reasons: See the discussion of proposed regulations adding a new
Sec. 99.31(b) for de-identified education records elsewhere in this
document.
State Auditor
Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) allows an
educational agency or institution to disclose personally identifiable
information from education records, without prior written consent, to
State and local educational authorities and officials for the audit or
evaluation of Federal or State supported education programs, or for the
enforcement of or compliance with Federal legal requirements that
relate to those programs.
Current Regulations: The current regulations do not address the
disclosure of education records to State auditors.
Proposed Regulations: The proposed regulations in Sec. 99.3 would
define State auditor as a party under any branch of government with
authority and responsibility under State law for conducting audits. We
propose to add a new paragraph (a)(2) to Sec. 99.35 to clarify that
State auditors that are not State or local educational authorities may
have access to education records in connection with an audit of Federal
or State supported education programs.
Reasons: 20 U.S.C. 1232g(b)(3) (section (b)(3) of the statute)
allows disclosure of education records without consent to ``State
educational authorities'' for audit and evaluation purposes. According
to the legislative history of FERPA, section (b)(5) of the statute,
which allows disclosure of education records without consent to ``State
and local educational officials'' for audit and evaluation purposes,
was added in 1979 to ``correct an anomaly'' in which the existing
exception in section (b)(3) was interpreted to preclude State auditors
from obtaining records in order to conduct State audits of local and
State-supported programs.
See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 (1979),
reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824. The amended
statutory language in section (b)(5) is ambiguous, however, because it
does not actually mention State auditors and, like section (b)(3),
refers only to educational officials. Over the years several States
have questioned whether this exception includes audits conducted by
legislative branch officials and other parties that may not be
considered educational authorities or officials.
The regulations are needed to clarify that State auditors may
receive personally identifiable information from education records,
without prior written consent, even if they are not considered State or
local educational authorities or officials, provided that they are
auditing a Federal or State supported education program. We are
interested in receiving comments about whether the definition needs to
cover local auditors as well. The exception for disclosure of education
records to State auditors is narrowly limited to audits (defined in
proposed Sec. 99.35 as testing compliance with applicable laws,
regulations, and standards) and does not include the broader concept of
evaluations, for which disclosure of education records remains limited
to educational authorities or officials.
2. Disclosures to Parents of Eligible Students (Sec. Sec. 99.5, 99.36)
Section 99.5(a) (Rights of Students)
Statute: 20 U.S.C. 1232g(d) provides that once a student reaches 18
years of age or attends a postsecondary institution, all rights
accorded to parents under FERPA, and the consent required to disclose
education records, transfer from the parents to the student. Under 20
U.S.C. 1232g(b)(1)(H), an educational agency or institution may
disclose personally identifiable information from an education record
without meeting FERPA's written consent requirement to parents of a
dependent student as defined in 26 U.S.C. 152. Under 20 U.S.C.
1232g(i), an institution of higher education may disclose personally
identifiable information from an education record, without meeting
FERPA's written consent requirement, to a parent or legal guardian of a
student information regarding the student's violation of any Federal,
State or local law, or any rule or policy of the institution governing
the use or possession of alcohol or a controlled substance if the
student is under the age of 21 and the institution determines that the
student has committed a disciplinary violation with respect to such use
or possession. Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or
institution may disclose personally identifiable information from an
education record, without meeting FERPA's written consent requirement,
to appropriate persons in connection with an emergency if the knowledge
of such information is necessary to protect the health or safety of the
student or other persons.
Current Regulations: Section 99.3 defines an eligible student as a
student who has reached 18 years of age or attends a postsecondary
institution. Section 99.5(a) states that rights accorded to parents,
and consent required of parents, to disclose education records under
FERPA transfer from parents to a student when the student meets the
definition of an eligible student.
Section 99.31(a)(8) provides that an educational agency or
institution may disclose personally identifiable information from
education records without consent to parents of a dependent student as
defined in section 152 of the Internal Revenue Code of 1986. Under
Sec. 99.31(a)(15) written consent is not required, regardless of
dependency status, to disclose to a
[[Page 15578]]
parent of a student at an institution of postsecondary education
information regarding the student's violation of any Federal, State or
local law, or of any rule or policy of the institution, governing the
use or possession of alcohol or a controlled substance if the
institution determines that the student has committed a disciplinary
violation with respect to that use or possession and the student is
under the age of 21 at the time of the disclosure to the parent.
Section 99.31(a)(10) provides that an educational agency or
institution may disclose personally identifiable information from
education records without consent if the disclosure is in connection
with a health or safety emergency under the conditions described in
Sec. 99.36. Section 99.36 provides that an educational agency or
institution may disclose personally identifiable information from an
education record to appropriate parties in connection with an emergency
if knowledge of the information is necessary to protect the health or
safety of the student or other individuals.
Proposed Regulations: The proposed regulations in Sec. 99.5
clarify that even after a student has become an eligible student, an
educational agency or institution may disclose education records to the
student's parents, without the consent of the eligible student, if the
student is a dependent for Federal income tax purposes (Sec.
99.31(a)(8)); in connection with a health or safety emergency (Sec.
99.31(a)(10)); if the student is under the age of 21 and has violated
an institutional rule or policy governing the use or possession of
alcohol or a controlled substance (Sec. 99.31(a)(15)); and if the
disclosure falls within any other exception to the consent requirement
in Sec. 99.31(a) of the regulations, such as the disclosure of
directory information or in compliance with a court order or lawfully
issued subpoena. The proposed regulations in Sec. 99.36(a) would
clarify that an eligible student's parents are appropriate parties to
whom an educational agency or institution may disclose personally
identifiable information from education records without consent in a
health or safety emergency.
Reasons: The Secretary is concerned that some institutions are
under the mistaken impression that FERPA prevents them from providing
parents with any information about a college student. The proposed
regulations are needed to clarify that FERPA contains exceptions to the
written consent requirement that permit colleges and other educational
agencies and institutions to disclose personally identifiable
information from education records to parents of certain eligible
students whether or not the student consents.
Section 99.31(a)(8) permits an educational agency or institution to
disclose education records, without consent, to either parent if at
least one of the parents has claimed the student as a dependent on the
parent's most recent tax return. Because many college students (and 18-
year-old high school students) are tax dependents of their parents,
this provision allows these institutions to disclose information from
education records to the students' parents without meeting the written
consent requirements in Sec. 99.30. (Institutions must first determine
that a parent has claimed the student as a dependent on the parent's
Federal income tax return. Institutions can determine that a parent
claimed a student as a dependent by asking the parent to submit a copy
of the parent's most recent Federal tax return. Institutions can also
rely on a student's assertion that he or she is not a dependent unless
the parent provides contrary evidence.)
The proposed regulations are also needed to clarify that colleges
and other institutions may disclose information from education records
to an eligible student's parents, without consent, under Sec.
99.31(a)(15) if the institution has determined that the student has
violated Federal, State, or local law or an institution's rules or
policies governing alcohol or substance abuse (provided the student is
under 21 years of age), and in connection with a health or safety
emergency under Sec. Sec. 99.31(a)(10) and 99.36 (regardless of the
student's age) if the information is needed to protect the health or
safety of the student or other individuals. These exceptions apply
whether or not the student is a dependent of a parent for tax purposes.
These proposed regulations would clarify the Department's policy with
respect to an agency's or institution's disclosure of information from
education records to parents under the health and safety emergency
exception and do not represent a change in the Department's
interpretation of who may qualify as an appropriate party under the
health or safety emergency exception to the consent requirement. While
institutions may choose to follow a policy of not disclosing education
records to parents of eligible students in these circumstances, FERPA
does not mandate such a policy.
3. Authorized Disclosure of Education Records Without Prior Written
Consent (Sec. 99.31)
Section 99.31(a)(1) (School Officials) Outsourcing
Statute: 20 U.S.C. 1232g(a)(4)(A) defines education records to
include records maintained by an educational agency or institution or
by ``a person acting for'' the agency or institution. Under 20 U.S.C.
1232g(b)(1)(A), an educational agency or institution may allow teachers
and other school officials within the institution or agency, without
prior written consent, to obtain access to education records if the
institution or agency has determined that they have legitimate
educational interests in the information.
Current Regulations: Section 99.31(a)(1) allows disclosure of
personally identifiable information from education records without
consent to school officials, including teachers, within the agency or
institution if the educational agency or institution has determined
that they have legitimate educational interests in the information. An
educational agency or institution that discloses information under this
exception must specify in its annual notification of FERPA rights under
Sec. 99.7(a)(3)(iii) the criteria it uses to determine who constitutes
a school official and what constitutes legitimate educational
interests. The recordkeeping requirements in Sec. 99.32(d) do not
apply to disclosures to school officials with legitimate educational
interests. Current regulations do not address disclosure of education
records without consent to contractors, consultants, volunteers, and
other outside parties providing institutional services and functions or
otherwise acting for an agency or institution.
Proposed Regulations: The proposed regulations in Sec.
99.31(a)(1)(i)(B) would expand the school official exception to include
contractors, consultants, volunteers, and other outside parties to whom
an educational agency or institution has outsourced institutional
services or functions that it would otherwise use employees to perform.
The outside party who obtains access to education records without
consent must be under the direct control of the agency or institution
and subject to the same conditions governing the use and redisclosure
of education records that apply to other school officials under Sec.
99.33(a) of the regulations. These proposed regulations supersede
previous technical assistance guidance issued by the Family Policy
Compliance Office (Office) regarding disclosure of
[[Page 15579]]
education records without consent to parties acting for an educational
agency or institution.
Educational agencies and institutions that outsource institutional
services and functions must comply with the annual FERPA notification
requirements under the current regulations in Sec. 99.7(a)(3)(iii) by
specifying their contractors, consultants, and volunteers as school
officials retained to provide various institutional services and
functions. Failure to comply with the notice requirements for school
officials in Sec. 99.7(a)(3)(iii) is not excused by recording the
disclosure under Sec. 99.32. (We note that under current regulations
disclosures to school officials under Sec. 99.31(a)(1) are
specifically excluded from the recordation requirements under Sec.
99.32(d).) As a result, an educational agency or institution that has
not included contractors and other outside service providers as school
officials with legitimate educational interests in its annual FERPA
notification may not disclose any personally identifiable information
from education records to these parties until it has complied with the
notice requirements in Sec. 99.7(a)(3)(iii).
Educational agencies and institutions are responsible for their
outside service providers' failures to comply with applicable FERPA
requirements. The agency or institution must ensure that the outside
party does not use or allow anyone to obtain access to personally
identifiable information from education records except in strict
accordance with the requirements established by the educational agency
or institution that discloses the information.
All outside parties serving as school officials are subject to
FERPA's restrictions on the use and redisclosure of personally
identifiable information from education records. These restrictions
include current provisions in Sec. 99.33(a), which requires an
educational agency or institution that discloses personally
identifiable information from education records to do so only on the
condition that the recipient, including a teacher or other school
official, will use the information only for the purpose for which the
disclosure was made and will not redisclose the information to any
other party without the prior consent of the parent or eligible student
unless the educational agency or institution has authorized the
redisclosure under a FERPA exception and the agency or institution
records the subsequent disclosure in accordance with the requirements
in Sec. 99.32(b).
For example, under the proposed regulations, a party that contracts
with an educational agency or institution to provide enrollment and
degree verification services must ensure that only individuals with
legitimate educational interests obtain access to personally
identifiable information from education records maintained on behalf of
the agency or institution. In accordance with current regulations at
Sec. 99.33(b), a contractor may not redisclose personally identifiable
information without prior written consent unless the educational agency
or institution has authorized the redisclosure under a FERPA exception
and the agency or institution records the subsequent disclosure in
accordance with the requirements in Sec. 99.32(b). Like other school
officials, contractors and other outside parties who provide
institutional services may not decide unilaterally to redisclose
personally identifiable information from education records, even in
circumstances that would comply with an exception in Sec. 99.31(a).
Additionally, records directly related to a student that are
maintained by a party acting for an educational agency or institution
are education records subject to all FERPA requirements. This includes
any new student records created under an outsourcing agreement that are
maintained by the outside service provider.
Reasons: The proposed regulations are needed to resolve uncertainty
about the specific conditions under which educational agencies and
institutions may disclose personally identifiable information from
education records, without prior written consent, to contractors,
consultants, volunteers, and other outside parties performing
institutional services or functions. While there is no explicit
statutory exception to the prior written consent requirement for
disclosures to contractors and other non-employees to whom an
educational agency or institution has outsourced services, we note that
the statutory definition of education records protects records that are
maintained by a party acting for the agency or institution. See 20
U.S.C. 1232g(a)(4)(A)(ii). Indeed, the Joint Statement in Explanation
of Buckley/Pell Amendment (120 Cong. Rec. S39862, Dec. 13, 1974) refers
specifically to materials that are maintained by a school ``or by one
of its agents'' when describing the meaning of the new term education
records in the December 1974 amendments to the statute.
The Department has long recognized in guidance that FERPA does not
prevent educational agencies and institutions from outsourcing
institutional services and functions and disclosing education records
to contractors and other outside parties performing those services and
functions in appropriate circumstances, such as for legal advice; debt
collection; transcript distribution; fundraising and alumni
communications; development and management of information systems; and
degree and enrollment verification. The Secretary wishes to clarify and
define the scope of this practice to avoid further confusion and
prevent weakening of FERPA's privacy protections because of uncertainty
about the requirements for making these kinds of disclosures.
One of the most frequently used exceptions to the prior written
consent requirement allows teachers and other school officials to
obtain access to education records provided the educational agency or
institution has determined that the school official has legitimate
educational interests in the information. This exception covers not
only teachers and principals, but also school counselors, registrars,
admissions personnel, attorneys, accountants, human resource staff,
information systems specialists, and designated support and clerical
personnel when they need access to personally identifiable information
from education records in order to perform their official functions and
duties for their employer. As noted above, an educational agency or
institution that allows school officials to obtain access to education
records under this exception must, under Sec. 99.7(a)(3), include in
its annual notification of FERPA rights a specification of its criteria
for determining who constitutes a school official and what constitutes
legitimate educational interests under Sec. 99.31(a)(1). Disclosures
to school officials under current regulations are subject to the
restrictions on the use and redisclosure of information in Sec. 99.33
but are exempt from the FERPA recordkeeping requirements in Sec.
99.32.
The proposed regulations are included with the exception for school
officials in Sec. 99.31(a)(1) because we believe that disclosures made
for contract, volunteer, and other outsourced services and functions
should be subject to the same conditions that would apply if the
outside party were, in fact, providing institutional services or
functions as an employee or officer of the educational agency or
institution. In particular, the outside party must be under the direct
control of the agency or institution with respect to the maintenance
and use of personally identifiable information from education records.
The outside party
[[Page 15580]]
must also perform the type of institutional services or functions for
which the agency or institution would otherwise use its own employees.
For example, an institution may disclose education records without
consent under this provision to an outside party retained to provide
enrollment verification services to student loan holders because the
institution would otherwise have to use its own employees to conduct
the required verifications. In contrast, an institution may not use
this provision to disclose education records, without consent, to a
financial institution or insurance company that provides a good student
discount on its services and needs students' ID numbers and grades to
verify an individual's eligibility, even if the institution enters into
a contract with these companies to provide the student discount.
Access to Education Records by School Officials
Statute: 20 U.S.C. 1232g(b)(1)(A) provides that an educational
agency or institution may allow teachers and other school officials
within the agency or institution to obtain access to education records,
without prior written consent, if the agency or institution has
determined that the school official has legitimate educational
interests in the information.
Current Regulations: Section 99.31(a)(1) allows an educational
agency or institution to disclose personally identifiable information
from education records without consent to school officials, including
teachers, within the agency or institution if the educational agency or
institution has determined that they have legitimate educational
interests in the information. An educational agency or institution that
discloses information under this exception must specify in its annual
notification of FERPA rights under Sec. 99.7(a)(3)(iii) the criteria
it uses to determine who constitutes a school official and what
constitutes legitimate educational interests. Current regulations do
not specify whether the agency or institution must ensure that school
officials obtain access to only those education records in which they
have legitimate educational interests.
Proposed Regulations: The proposed regulations in Sec.
99.31(a)(1)(ii) would require an educational agency or institution to
use reasonable methods to ensure that teachers and other school
officials obtain access to only those education records in which they
have legitimate educational interests. This requirement would apply to
education records maintained in either paper or electronic format.
Agencies and institutions that choose not to use physical or
technological controls to restrict a school official's access to
education records must ensure that their administrative policy for
controlling access to and maintenance of education records is effective
and that the agency or institution remains in compliance with the
legitimate educational interests requirement in Sec.
99.31(a)(1)(i)(A). (These proposed regulations do not address what
constitutes a legitimate educational interest under the regulations.)
Reasons: The proposed regulations are needed to ensure that
teachers and other school officials only gain access to education
records in which they have a legitimate educational interest. While the
proposed regulations apply to records in any format (as defined in
Sec. 99.3), the need to ensure compliance with the legitimate
educational interest requirement has been driven largely by the
increased use of computerized or electronic recordkeeping systems in
which a user may have access to all records.
Many of the smaller educational agencies and institutions typically
use a combination of physical and administrative methods to restrict
access by school officials to paper copy records. For example, paper
copy records may be maintained in lockable cabinets, desks, or rooms
with distribution of records to school officials controlled by the
teacher, registrar, or other authorized custodian as appropriate. With
the advent of computerized or electronic records, particularly by the
mid-size and larger agencies and institutions, parents and students
have complained that school officials may have unrestricted access to
the records of all students in an institution's or local educational
agency's (LEA) system. Agencies and institutions establishing or
upgrading electronic student information systems have also expressed
uncertainty about what methods they should use to comply with the
legitimate educational interest requirement in this new environment.
Under the proposed regulations, an educational agency or
institution should implement controls to protect student records. These
controls should consist of a combination of appropriate physical,
technical, administrative, and operational controls which will allow
access to be limited when required. (Some examples of possible
information security controls can be found in ``The National Institute
of Standards and Technology (NIST) 800-53, Recommended Security
Controls for Federal Information Systems'' (December 2007). Educational
institutions and agencies are not required to implement the NIST 800-53
guidance, but may find it useful when determining possible controls.)
For example, software used to access electronic records may contain
role-based security features that allow teachers to view only
information about students currently enrolled in their classes.
Similarly, a school principal or registrar may maintain paper records
in locked cabinets and distribute records to authorized officials on an
as needed basis.
An educational agency or institution that does not use some kind of
physical or technological controls to restrict access and leaves
education records open to all school officials may rely instead on
administrative controls, such as an institutional policy that prohibits
teachers and other school officials from accessing records except when
they have a legitimate educational interest. However, an agency or
institution that forgoes physical or technological access controls must
ensure that its administrative policy for controlling access is
effective and that it remains in compliance with the legitimate
educational interest requirement in Sec. 99.31(a)(1). In that regard,
if a parent or eligible student alleges that a school official obtained
access to a student's education records without a legitimate
educational interest, an agency or institution must show that the
school official possessed a legitimate educational interest in
obtaining the personally identifiable information from education
records maintained by the agency or institution. An agency or
institution may wish to restrict or track school officials who obtain
access to education records to ensure that it is in compliance with
Sec. 99.31(a)(1)(i)(A).
The risk of unauthorized access to education records by school
officials means the likelihood that records may be targeted for
compromise and the harm that could result. Methods used by an
educational agency or institution to ensure compliance with the
legitimate educational interests requirement are considered reasonable
under the proposed regulations if they reduce the risk of unauthorized
access by school officials to a level commensurate with the likely
threat and potential harm. The greater the harm that would result from
unauthorized access or disclosure and the greater the likelihood that
unauthorized access or disclosure will occur, the more protections an
agency or institution must use to ensure that its methods are
reasonable. For example, high risk records, such as those that
[[Page 15581]]
contain credit card information, SSNs and other elements used for
identity theft, immunization and other health records, certain records
on special education students, and official transcripts and grades
should generally receive greater and more immediate protection than
medium or low risk records, such as those containing only publicly
releasable directory information. Methods that an educational agency or
institution should use to reduce risk to an acceptable level will
depend on a variety of factors, including the organization's size and
resources. In all cases, reasonableness depends ultimately on what are
the usual and customary good business practices of educational agencies
and institutions, which requires ongoing review and modification of
methods and procedures, where appropriate, as standards and
technologies continue to change.
Section 99.31(a)(2) (Disclosure to a School Where Student Seeks or
Intends To Enroll)
Statute: 20 U.S.C. 1232g(b)(1)(B) allows an educational agency or
institution to disclose, under certain conditions, education records to
another school or school system in which the student seeks or intends
to enroll without obtaining the prior written consent of a parent or
eligible student.
Current Regulations: Under Sec. 99.31(a)(2), an educational agency
or institution may disclose education records, without prior written
consent, to officials of another school, school system, or
postsecondary institution where the student seeks or intends to enroll,
provided that the agency or institution complies with the requirements
in Sec. 99.34(a) regarding notification to the parent or eligible
student of the disclosure and, upon request, provide a copy of the
records and an opportunity for a hearing under subpart C of the
regulations.
Proposed Regulations: The proposed regulations in Sec. 99.31(a)(2)
would allow an educational agency or institution to disclose education
records, without consent, to another institution even after a student
has already enrolled or transferred, and not just if the student seeks
or intends to enroll, if the disclosure is for purposes related to the
student's enrollment or transfer.
Reasons: The proposed amendments are needed to resolve uncertainty
about whether consent is required to send a student's records to the
student's new school after the student has already transferred and
enrolled. This proposed exception to the consent requirement is
intended to ease administrative burdens on educational agencies and
institutions by allowing them to send transcripts and other information
from education records to schools where a student seeks or intends to
enroll without meeting the formal consent requirements in Sec. 99.30.
We have concluded that authority to disclose or transfer information to
a student's new school under this exception does not cease
automatically the moment a student has actually enrolled. Rather, an
educational agency or institution may transfer education records to a
student's new school, including a postsecondary institution, at any
point in time if the disclosure is in connection with the student's
enrollment in the new school.
Based on these considerations, we have also determined that an
educational agency or institution may update, correct, or explain
information it has disclosed to another educational agency or
institution as part of the original disclosure under Sec. 99.31(a)(2)
without complying with the written consent requirements in Sec. 99.30.
That is, a student's previous institution is not required to obtain
prior written consent under Sec. 99.30 to respond to the new
institution's request to explain the meaning of education records sent
to it in connection with a student's new enrollment.
Finally, in the aftermath of the shooting at Virginia Tech, some
questions have arisen about whether FERPA prohibits the disclosure of
certain types of information from students' education records to new
schools or postsecondary institutions to which they have applied.
(Further discussion of the tragic events that occurred at Virginia Tech
in April 2007 is included in the discussion of the proposed amendments
to Sec. 99.36, which appears later in this document.) Under Sec.
99.31(a)(2) and Sec. 99.34(a), FERPA permits school officials to
disclose any and all education records, including health and
disciplinary records, to another institution where the student seeks or
intends to enroll.
Section 99.31(a)(6) (Organizations Conducting Studies for or on Behalf
of an Educational Agency or Institution)
Statute: 20 U.S.C. 1232g(b)(1)(F) allows an educational agency or
institution to disclose personally identifiable information from
education records, without consent, to organizations conducting studies
for or on behalf of the agency or institution for purposes of testing,
student aid, and improvement of instruction. The information must be
protected so that students and their parents cannot be identified by
anyone other than representatives of the organization that conducts the
study and must be destroyed when no longer needed for the study. As
explained in Sec. 99.31(a)(6)(iii), failure to destroy information in
accordance with this requirement could lead to a five-year ban on
disclosure of information to that organization.
Current Regulations: The regulations restate the statutory language
that the study is conducted ``for, or on behalf of'' the educational
agency or institution, but do not explain what this language means.
Proposed Regulations: The proposed regulations require an
educational agency or institution that discloses education records
without consent under Sec. 99.31(a)(6) to enter into a written
agreement with the recipient organization that specifies the purposes
of the study. The agency or institution that discloses education
records under this exception does not have to agree with or endorse the
conclusions or results of the study. The written agreement must specify
that information from education records may only be used to meet the
purposes of the study stated in the written agreement and must contain
the current restrictions on redisclosure and destruction of information
requirements applicable to information disclosed under this exception.
Reasons: Research organizations have asked for clarification about
the circumstances in which an educational agency or institution may
disclose to them personally identifiable information from education
records under Sec. 99.31(a)(6)(iii), and educational agencies and
institutions have asked whether they may provide personally
identifiable information to organizations for research purposes without
parental consent even if the educational agency or institution has no
particular interest in the study.
This exception to the consent requirement is intended to allow
educational agencies and institutions to retain the services of outside
organizations (or individuals) to conduct studies for or on their
behalf to develop, validate, or administer predictive tests; administer
student aid programs; or improve instruction. An educational agency or
institution need not initiate research requests or agree with or
endorse a study's results and conclusions under this exception.
However, the statutory language ``for, or on behalf of'' indicates that
the disclosing agency or institution agrees with the purposes of the
study and retains control over the information from education records
that is disclosed.
[[Page 15582]]
The written agreement required under the proposed regulations will help
ensure that information from education records is used only to meet the
purposes of the study stated in the written agreement and that all
applicable requirements are met. (See discussion of Sec. 99.31(b)
below regarding disclosure of de-identified information to independent
educational researchers.)
Section 99.31(a)(9) (USA Patriot Act)
Statute: The USA Patriot Act, Public Law 107-56, amended FERPA by
providing a new subsection 1232g(j), 20 U.S.C. 1232g(j), that
authorizes the United States Attorney General (or designee not lower
than an Assistant Attorney General) to apply for an ex parte court
order (an order issued by a court without notice to an adverse party)
allowing the Attorney General (or designee) to collect education
records from an educational agency or institution, without the consent
or knowledge of the student or parent, that are relevant to an
investigation or prosecution of an offense listed in 18 U.S.C.
2332b(g)(5)(B) or an act of domestic or international terrorism
specified in 18 U.S.C. 2331. The statute requires the Attorney General
(or designee not lower than an Assistant Attorney General) to certify
facts in support of the order and to retain, disseminate, and use the
records in a manner that is consistent with confidentiality guidelines
established by the Attorney General in consultation with the Secretary
of Education. Agencies and institutions are not required to record the
disclosure and cannot be held liable to anyone for producing education
records in good faith in accordance with a court order issued under
this provision.
Current Regulations: The current regulations do not address the
amendments made by the USA Patriot Act.
Proposed Regulations: The proposed regulations add new exceptions
to the written consent requirement in Sec. 99.31(a)(9)(ii) and the
recordkeeping requirement in Sec. 99.32(a) allowing disclosure of
education records without notice in compliance with an ex parte court
order obtained by the Attorney General (or designee) concerning
investigations or prosecutions of an offense listed in 18 U.S.C.
2332b(g)(5)(B) or an act of domestic or international terrorism defined
in 18 U.S.C. 2331.
Reasons: The proposed regulations are necessary to implement the
statutory amendment. An educational agency or institution that is
served with an ex parte court order from the Attorney General (or
designee) under this provision should ensure that the order is facially
valid, just as it does when determining whether to comply with other
judicial orders and subpoenas under Sec. 99.31(a)(9). An educational
agency or institution is not, however, required or authorized to
examine the underlying certification of facts presented to the court in
the Attorney General's application for the ex parte court order.
The proposed regulations provide that an educational agency or
institution may comply with the court order without notice to the
parent or eligible student. (Note that Sec. 99.31(a)(9)(ii)(B) also
allows an educational agency or institution to disclose education
records without notice to representatives of the Attorney General or
other law enforcement authorities who produce a subpoena that has been
issued for law enforcement purposes and the court or other issuing
agency has ordered that the existence or contents of the subpoena or
information furnished in response to the subpoena not be disclosed.)
Section 99.31(a)(16) (Registered Sex Offenders)
Statute: The Campus Sex Crimes Prevention Act (CSCPA), section
1601(d) of the Victims of Trafficking and Violence Protection Act of
2000, Public Law 106-386, amended FERPA by adding 20 U.S.C.
1232g(b)(7), which provides that educational agencies and institutions
may disclose information concerning registered sex offenders provided
under State sex offender registration and community notification
programs required by section 170101 of the Violent Crime Control and
Law Enforcement Act of 1994, Public Law 103-322, 42 U.S.C. 14071.
Section 170101 contains the Jacob Wetterling Crimes Against Children
and Sexually Violent Offender Registration Act (Wetterling Act).
Current Regulations: The current regulations do not address the
disclosure of information concerning registered sex offenders.
Proposed Regulations: The proposed regulations add a new exception
to the consent requirement in Sec. 99.31(a)(16) that permits an
educational agency or institution to disclose information that the
agency or institution received under a State community notification
program about a student who is required to register as a sex offender
in the State. Note that nothing in FERPA or these proposed regulations
requires or encourages an educational agency or institution to collect
or maintain information about registered sex offenders.
Reasons: The regulations implement the CSCPA amendment to FERPA,
which allows educational agencies and institutions to disclose
information about registered sex offenders without consent if the
information was received through and complies with guidelines regarding
a State community notification program issued by the U.S. Attorney
General under the Wetterling Act. Wetterling Act guidelines issued by
the Attorney General were published in the Federal Register on October
25, 2002 (67 FR 65598), and January 5, 1999 (64 FR 572).
The Wetterling Act sets forth minimum national standards for sex
offender registration and community notification programs. Under the
Wetterling Act, States must establish programs that require sexually
violent predators (and anyone convicted of specified criminal offenses
against minors) to register their name and address with the appropriate
State authority where the offender lives, works, or is enrolled as a
student. States are also required to release relevant information
necessary to protect the public concerning persons required to
register, excluding the identity of any victim. (This community
notification provision is commonly known as the ``Megan's Law''
amendment to the Wetterling Act.)
CSCPA supplemented the general standards for sex offender
registration and community notification programs in the Wetterling Act
with provisions specifically designed for higher education campus
communities. These include a requirement that States collect
information about a registered offender's enrollment or employment at
an institution of higher education, including any change in enrollment
or employment status at the institution, and make this information
available promptly to a campus police department or other appropriate
law enforcement agency having jurisdiction where the institution is
located. CSCPA also amended the Higher Education Act of 1965, as
amended (HEA), by requiring institutions of higher education to advise
the campus community where it can obtain information about registered
sex offenders provided by the State pursuant to the Wetterling Act,
such as the campus law enforcement office, a local law enforcement
agency, or a computer network address. See 20 U.S.C. 1092(f)(1)(I) and
34 CFR 668.46(b)(12).
While the FERPA amendment was made in the context of CSCPA's
enhancements to registration and
[[Page 15583]]
notification requirements applicable to the higher education community,
the Department has determined that all educational institutions,
including elementary and secondary schools, are covered by this
amendment. The registration and community notification requirements
apply in the State where an offender lives, works, or is a student,
which is defined as ``a person who is enrolled on a full-time or part-
time basis, in any public or private educational institution, including
any secondary school, trade, or professional institution, or
institution of higher education.'' See 42 U.S.C. 14071(a)(3)(G).
Because the sex offender registration and community notification
requirements apply broadly to students enrolled in ``any public or
private educational institution,'' the Department likewise interprets
the FERPA amendment to apply to all educational agencies and
institutions subject to FERPA.
4. De-Identification of Information (Sec. 99.31(b))
Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an
educational agency or institution may not have a policy or practice of
permitting the release of or providing access to education records, or
personally identifiable information from education records, without
prior written consent except in accordance with statutory exceptions.
Current Regulations: Personally identifiable information under
Sec. 99.3 includes personal identifiers such as a student's name,
address, and identification numbers, as well as personal
characteristics or other information that would make the student's
identity easily traceable.
Proposed Regulations: The proposed regulations would amend Sec.
99.31(b) to provide objective standards under which educational
agencies and institutions may release, without consent, education
records, or information from education records, that has been de-
identified through the removal of all personally identifiable
information. Personally identifiable information is defined in Sec.
99.3 to mean information that can be used to identify a student,
including direct identifiers, such as the student's name, SSN, and
biometric records, alone or combined with other personal or identifying
information that is linked or linkable to a specific individual,
including indirect identifiers such as the name of the student's parent
or other family member, the student's or family's address, and the
student's date and place of birth and mother's maiden name, that would
allow a reasonable person in the school or its community, who does not
have personal knowledge of the relevant circumstance, to identify the
student with reasonable certainty. The Department does not hold
educational agencies and institutions responsible for knowing the
status of all non-educational records about students (e.g., law
enforcement or hospital records). However, the Department encourages
educational agencies and institutions to be sensitive to publicly
available data on students and to the cumulative effect of disclosures
of student data. Additionally, personally identifiable information
includes information that is requested by a person who an agency or
institution reasonably believes has direct, personal knowledge of the
identity of the student to whom the education record directly relates.
This is known as a targeted request.
Reasons: Disclosure is defined in the regulations as permitting
access to or releasing, transferring, or otherwise communicating
personally identifiable information contained in education records.
Accordingly, there is no ``disclosure'' under FERPA when education
records are released if all identifiers have been removed, along with
other personally identifiable information. The proposed regulations are
needed to establish this guidance in a definitive and legally binding
interpretation, and to provide standards for ensuring that a student's
personally identifiable information is not disclosed.
The Department's November 18, 2004, letter to the Tennessee
Department of Education (TNDOE) explains that an educational agency or
institution may release for educational research purposes (without
parental consent) anonymous data files, i.e., records from which all
personally identifiable information has been removed but that have
coded each student's record with a non-personal identifier as described
in the letter. (Records or data that have been stripped of identifiers
and coded may be re-identified and, therefore, are properly
characterized as de-identified.) Under the guidance in the TNDOE
letter, a party must ensure that the identity of any student cannot be
determined in coded records, including assurances of sufficient cell
and subgroup size, and the linking key that connects the code to
student information must not be shared with the requesting entity.
The Department recognizes that avoiding the risk of disclosure of
identity or individual attributes in statistical information cannot be
completely eliminated, at least not without negating the utility of the
information, and is always a matter of analyzing and balancing risk so
that the risk of disclosure is very low. The reasonable certainty
standard in the proposed definition of personally identifiable
information requires such a balancing test. (Similarly, we are
proposing here to use the term ``de-identified'' instead of
``anonymous''--which appears in previous guidance--because it is more
consistent with terminology used by experts in the field and reflects
more accurately the level of disclosure risk that should be achieved.)
Many educational institutions have asked for guidance about how
they may disclose ``redacted'' education records that concern students
or incidents that are well-known in the school or its community. For
example, a school has suspended a student from school and given the
student a failing grade for cheating on a test. The parent believes the
discipline is too harsh and inconsistent with discipline given to other
students and asks to see the redacted records of other students who
have been disciplined for cheating on tests that year. Only one student
has been disciplined for this infraction during the year, and the name
of that student is widely known because her parents went to the media
about the accusation. The school may not release the record in redacted
form because the publicity has made the record personally identifiable.
Additionally, personally identifiable information includes
information that is requested by a person who an agency or institution
reasonably believes has direct, personal knowledge of the identity of
the student to whom the education record directly relates. This is
known as a targeted request. In the simplest case, if an individual
asks for the disciplinary report for a named student, the institution
may not release a redacted copy of the report because the requester
knows the identity of the student who is the subject of the report. An
individual can also make a targeted request without mentioning the
student's name. For example, a person running for local office is known
to have graduated from a particular university in 1978. Rumors
circulate that the candidate plagiarized other students' work while in
school. A local reporter asks the university for redacted disciplinary
records for all students who graduated in 1978 who were disciplined for
plagiarism. The university may not release the records in redacted form
because the circumstances indicate that the requester has made a
targeted request, i.e. has direct, personal
[[Page 15584]]
knowledge of the subject of the case. In another case, a local reporter
reviewed law enforcement unit records in October 2007 and learned that
a prominent high school athlete was under investigation for use of
illegal drugs. The newspaper published front-page articles about the
matter that same month. Thereafter, the reporter asked the student's
school for a redacted copy of all disciplinary records related to
illegal drug use by student athletes since October 2007. The school may
not release the records in redacted form because the reporter has made
a targeted request.
Clearly, extenuating circumstances sometimes cause identity to be
revealed even after all identifiers have been removed, whether in
aggregated or student-level data. In these situations, the key
consideration in determining whether the information is personally
identifiable is whether a reasonable person in the school or its
community, without personal knowledge of the relevant circumstances,
would be able to identify a student with reasonable certainty. The
Department is interested in receiving comments on the scope of the
``school or its community'' limitation in the reasonable person
standard, and how it would apply to the release of redacted records as
well as statistical information, including information released by
State educational authorities and entities other than local districts
and institutions.
In regard to numerical or statistical information, several
educational agencies and institutions have expressed concern about the
public release of information that contains small data sets that may be
personally identifiable. We have advised States and schools generally
that they may not report publicly on the number of students of a
specified race, gender, disability, English language proficiency,
migrant status, or other condition who failed to graduate, received
financial aid, achieved certain test scores, etc., unless there is a
sufficient number of students in the defined category so that
personally identifiable information is not released. Some schools have
indicated, for example, that they would not disclose that two Hispanic,
female students failed to graduate, even if there are several Hispanic
females at the institution, because of the likelihood that the students
who failed to graduate could easily be identified in such a small data
set.
A review of data confidentiality issues, especially as concerns the
Federal statistical agencies, indicates that it is not possible to
prescribe a single method to apply in every circumstance to minimize
risk of disclosing personally identifiable information. This is true
for several reasons, including the wide variety of data compilations
and systems maintained by different agencies and institutions and the
different types of search requests they receive and data sets they wish
to disclose. More generally, and as indicated in the Federal Committee
on Statistical Methodology's Statistical Policy Working Paper 22
(available at http://www.fcsm.gov/working-papers/wp22.html),
educational agencies and institutions may wish to consider current
statistical, scientific and technological concepts, and standards when
making decisions about analyzing and minimizing the risk of disclosure
in statistical information. Consistent with that view, the Department
has consistently declined to take a categorical approach and advised
instead that the parties themselves are in the best position to analyze
and identify the best methods to use to protect the confidentiality of
their own data. See, for example, the September 25, 2003, letter to
Board of Regents of the University System of Georgia at
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/georgialtr.html;
October 19, 2004, letter to Miami University at
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/unofmiami.html.
However, the Department recognizes that there are some practices
from the existing professional literature on disclosure limitation that
can assist covered entities in developing a sound approach to de-
identifying data for release, particularly when consultation with
professional statisticians with experience in disclosure limitation
methods is not feasible. Each of the items discussed in the following
subsection is elaborated on in Statistical Working Paper 22 for further
reference.
There are several steps that can assist with de-identifying any
data release. The choice of methods depends on the nature of the data
release that must be de-identified. First, covered entities should
recognize that the re-identification risk of any given release is
cumulative, i.e., directly related to what has previously been
released. Previous releases include both publicly-available directory
information and de-identified data releases. For example, if a publicly
available directory provides date and place of birth, then a de-
identified data release that also contains the same information for a
group of students could pose a re-identification risk if one of those
students has an unusual date and place of birth relevant to others in
the data release.
Second, covered entities should minimize information released in
directories to the extent possible. The Department is not attempting to
limit the statutory authority available to covered entities in
releasing directory information, but recognizes that since the
statute's enactment, the risk of re-identification from such
information has grown as a result of new technologies and methods.
Third, covered entities should apply a consistent de-identification
strategy for all of its data releases of a similar type. The two major
types of data release are aggregated data (such as tables showing
numbers of enrolled students by race, age and sex) and microdata (such
as individual level student assessment results by grade and school).
There are several acceptable de-identification strategies for each type
of data. Major methods used by the Department for tabular data include
defining a minimum cell size (meaning no results will be released for
any cell of a table with a number smaller than ``X'' or else cells are
aggregated until no cells based on one or two cases remain) or
controlled rounding (meaning that cells with a number smaller than
``X'' require that numbers in the affected rows and columns be rounded
so that the totals remain unchanged. For microdata releases, the
primary consideration is whether the proposed release contains any
``unique'' individuals whose identity can be deduced by the combination
of variables in the file. If such a condition exists, there are a
number of methods that can be employed. These include ``top coding'' a
variable (e.g., test scores above a certain level are recoded to a
defined maximum), converting continuous data elements into categorical
data elements (e.g., creating categories that subsume unique cases) or
data swapping to introduce uncertainty so that the data user does not
know whether the real data values correspond to certain records.
The Department seeks public comment on whether it needs to develop
further guidance on this topic to assist educational agencies and
institutions.
Although FERPA does not contain a general ``research'' exception to
the consent requirement, the Department recognizes that useful and
valid educational research may be conducted using de-identified data
where disclosure of personally identifiable information from education
records would not be permissible under the limited standards of Sec.
99.31(a)(6) or
[[Page 15585]]
Sec. 99.31(a)(3), discussed above. This regulation should not be
interpreted to discourage de-identified data releases, but rather to
clarify how to do so in a manner that minimizes the risk of re-
identification. Accordingly, the proposed regulations are also needed
to provide a method that may be used by a school, school district,
state department of education, postsecondary institution or commission,
or another party that maintains education records to release student-
level or microdata for purposes of education research. We believe that
these standards establish an appropriate balance that facilitates
educational research and accountability while preserving the privacy
protections in FERPA.
In order to permit ongoing educational research with the same data,
the party that releases the information may attach a unique descriptor
to each de-identified record that will allow the recipient to match
other de-identified information received from the same source. However,
the recipient may not be allowed to have access to any information
about how the descriptor is generated and assigned, or that would allow
it to match the information from education records with data from any
other source, unless that data is de-identified and coded by the party
that discloses education records. Furthermore, a record descriptor
assigned for educational research purposes under this rule may not be
based on a student's social security number.
De-identified, student-level data released for educational research
purposes must still conform to the requirements discussed above
regarding small data sets that may lead to personal identification of
students. However, unlike information released in personally
identifiable form under Sec. Sec. 99.31(a)(3) and 99.31(a)(6), de-
identified information from education records is not subject to any
destruction requirements because, by definition, it is not ``personally
identifiable information'' under FERPA.
The Department cannot specify in general which statistical
disclosure limitation (SDL) methods should be used in any particular
case. However, educational agencies and institutions should monitor
releases of coded, de-identified microdata and take reasonable measures
to ensure that overlapping or successive releases do not result in data
sets in which a student's personally identifiable information is
disclosed.
5. Identification and Authentication of Identity (Sec. 99.31(c))
Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provides that an
educational agency or institution may not have a policy or practice of
releasing, permitting the release of, or providing access to any
personally identifiable information from education records without
written consent, except in accordance with specified statutory
exceptions.
Current Regulations: Current regulations do not address whether an
educational agency or institution must ensure that it has properly
identified a party to whom it discloses personally identifiable
information from education records.
Proposed Regulations: The proposed regulations in Sec. 99.31(c)
would require an educational agency or institution to use reasonable
methods to identify and authenticate the identity of parents, students,
school officials, and any other parties to whom the agency or
institution discloses personally identifiable information from
education records.
Reasons: The proposed regulations are needed to ensure that
educational agencies and institutions disclose personally identifiable
information from education records only to authorized recipients.
Identification in this context means determining who is the intended or
authorized recipient of the information in question; authentication of
identity means ensuring that the recipient is, in fact, who he or she
purports to be.
Identification of a party requesting disclosure of hard copy
education records is relatively simple--the responsible school official
can confirm the name and correct address for records sent by mail and
obtain photo identification for personal delivery of records to
students, parents, school officials, and other authorized recipients
who are not recognized personally by the custodian of the records.
Identification presents unique challenges in an electronic or
telephonic environment, where personal recognition and photo
identification cards are irrelevant.
Occasionally educational agencies and institutions disclose
education records to the wrong party because someone misaddresses an
envelope, or puts the wrong material in a properly addressed envelope.
This is a failure to properly identify the authorized recipient. More
commonly, parents and students complain that unauthorized parties
obtain access to the student's education records because agencies and
institutions use widely available information, such as name and date of
birth, or name and SSN or other student ID number, when providing
access to electronic records or disclosing information about a student
by telephone. This is a failure to properly authenticate identity.
These proposed regulations would address both of these problems.
Authentication of identity is a complex subject that continues to
advance as new methods and technologies are developed to meet evolving
standards for safeguarding financial, health, and other types of
electronic records. The proposed regulations allow an educational
agency or institution to use any reasonable method. As discussed above
in connection with controlling access to education records by school
officials, methods are considered reasonable if they reduce the risk of
unauthorized disclosure to a level that is commensurate with the likely
threat and potential harm and depend on variety of factors, including
the organization's size and resources. The greater the harm that would
result from unauthorized access or disclosure, and consequently the
greater the likelihood that unauthorized access or disclosure will be
attempted, the more protections an agency or institution must use to
ensure that its methods are reasonable. Again, reasonableness depends
ultimately on what are the usual and customary good business practices
of educational agencies and institutions, which requires ongoing review
and modification of procedures, where appropriate, as standards and
technologies change.
Authentication of identity generally involves requiring a user to
provide something that only the user knows, such as a PIN, password, or
answer to a personal question; something that only the user has, such
as a smart card or token; or a biometric factor associated with no one
other than the user, such as a finger, iris, or voice print. Under the
proposed regulations an educational agency or institution may determine
that single-factor authentication, such as a standard form user name
combined with a secret PIN or password, is reasonable for protecting
access to electronic grades and transcripts. Single-factor
authentication may not be reasonable, however, for protecting access to
SSNs, credit card numbers, and similar information that could be used
for identity theft and financial fraud.
Likewise, an educational agency or institution must ensure that it
does not deliver a password, PIN, smart card, or
[[Page 15586]]
other factor used to authenticate identity in a manner that would allow
access to unauthorized recipients. For example, an agency or
institution may not make education records available electronically by
using a common form user name (e.g., last name and first name initial)
with date of birth or SSN, or a portion of the SSN, as an initial
password to be changed upon first use of the system.
6. Redisclosure of Education Records by Officials Listed in Sec.
99.31(a)(3) (Sec. 99.32, Sec. 99.35)
Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) permits an
educational agency or institution to disclose education records,
without prior written consent, to authorized representatives of the
United States Comptroller General, the Secretary of Education, State
and local educational authorities, and the U.S. Attorney General as
necessary in connection with the audit or evaluation of Federal and
State supported education programs, or in connection with the
enforcement of Federal legal requirements that relate to those
programs. Except when the collection of personally identifiable
information is specifically authorized by Federal law, personally
identifiable information of parents and students may not be redisclosed
to any other parties and must be destroyed when no longer needed for
such audit, evaluation or enforcement purposes.
In contrast, section 1232g(b)(4)(B) contains a general prohibition
on the redisclosure of information from education records. In
particular, by statute an educational agency or institution may
disclose personal information from education records only on the
condition that the recipient will not redisclose the information to any
other party without meeting the prior written consent requirement. If a
recipient rediscloses personally identifiable information from
education records in violation of the prior written consent
requirement, the agency or institution that disclosed the records may
not permit that recipient to have access to information from education
records for at least five years. There is no general destruction
requirement similar to the specific requirement for destruction of
personally identifiable information described above for records
disclosed for audit, evaluation, and enforcement purposes under section
1232g(b)(3).
Current Regulations: Section 99.31(a)(3) lists the four officials
or authorities that may receive education records, without consent, for
the specified audit, evaluation, or compliance and enforcement
purposes. The Department has interpreted the term ``evaluation''
broadly to include all manner of studies, assessments, measurements,
appraisals, research, and other efforts, including analyses of
statistical or numerical data derived from education records. Section
99.35 provides that information disclosed under this exception to the
consent requirement must be protected in a manner that does not permit
personal identification of individuals by anyone except the officials
listed in Sec. 99.31(a)(3) and must be destroyed when no longer needed
for the audit, evaluation, or compliance and enforcement purposes,
unless a parent or eligible student consents to the disclosure or
Federal law specifically authorizes the collection of personally
identifiable information. Current regulations do not specify any
further conditions under which these officials or authorities may
redisclose personally identifiable information from education records
without prior written consent.
Section 99.33(c) establishes specific exceptions to the general
statutory prohibition on redisclosure of information from education
records under 20 U.S.C. 1232g(b)(4)(B). Section 99.33(b) also allows an
educational agency or institution to disclose education records with
the understanding that the recipient may make further disclosures of
the information on its behalf if the disclosures could be made under
Sec. 99.31 and the educational agency or institution complies with the
recordkeeping requirements specified in Sec. 99.32(b). Section
99.32(a) requires an educational agency or institution to maintain a
record of each request for access to and each disclosure of personally
identifiable information from the education records of each student. If
a recipient is authorized to make further disclosures of personally
identifiable information from education records under Sec. 99.33(b),
the educational agency or institution must record the names of the
additional parties to which the receiving party may disclose the
information on behalf of the educational agency or institution and
their legitimate interests under Sec. 99.31 in requesting or obtaining
the information. Each student's record of disclosures is an education
record that must be made available to a parent or eligible student
under Sec. 99.32(c). The Department has not applied the regulatory
exception in Sec. 99.33(b) to officials or authorities that receive
information under Sec. Sec. 99.31(a)(3) and 99.35 because of the more
specific statutory limitations, including the destruction requirement,
that generally apply to these disclosures.
Proposed Regulations: The proposed regulations in Sec. 99.35(b)(1)
would permit officials and authorities listed in Sec. 99.31(a)(3)(i)
to redisclose personally identifiable information from education
records under the same conditions, set forth in Sec. 99.33(b), that
apply to parties that receive personally identifiable information from
education records under other exceptions in Sec. 99.31. For example,
this proposed change would allow a State educational agency (SEA) to
use the exception in Sec. 99.31(a)(2) to transfer a student's
education records to a student's new school district on behalf of the
former district. Similarly, an SEA or other official listed in Sec.
99.31(a)(3) would be able to redisclose personally identifiable
information from education records received under Sec. 99.35 to an
accrediting agency under Sec. 99.31(a)(7); in response to a subpoena
or court order under Sec. 99.31(a)(9); or in connection with a health
or safety emergency under Sec. Sec. 99.31(a)(10) and 99.36. The
proposed regulations would also apply to the redisclosure of education
records by an SEA (or other official listed in Sec. 99.31(a)(3)) to
another listed official, such as the Secretary, for audit, evaluation,
or compliance and enforcement purposes under Sec. 99.35. The
regulations would also clarify that authority to conduct an audit,
evaluation, or compliance or enforcement activity is not conferred by
FERPA and must be established under other Federal, State, or local law,
including valid administrative regulations. Like redisclosures
permitted currently under Sec. 99.33(b), redisclosures made by
officials listed in Sec. 99.31(a)(3)(i) under the proposed amendment
would be subject to the recordation requirements in Sec. 99.32(b).
Reasons: School districts and postsecondary institutions typically
disclose education records, or personally identifiable information from
education records, to their SEA or State higher education authority,
without prior written consent, for audit, evaluation, or compliance and
enforcement purposes subject to the requirements of Sec. 99.35.
Several SEAs that maintain Statewide, consolidated systems for school
district records subject to Sec. 99.35 have questioned whether they
may allow a student's new school district to obtain access to
personally identifiable information from education records submitted to
the system by the student's former district. (Historically, when a
student transfers to a new school, the former school district sends the
student's education records to the student's new district,
[[Page 15587]]
without consent, under Sec. 99.31(a)(2).) Others have asked whether
records subject to Sec. 99.35 may be redisclosed in compliance with a
subpoena or court order and, if so, what conditions apply. States have
also asked about the operation of longitudinal data systems that
consolidate K-12 and postsecondary education records.
As noted elsewhere in this notice, there are no specific statutory
exceptions to either the prohibition on redisclosure of education
records disclosed under Sec. 99.31 or the more specific limitations
for records disclosed under Sec. 99.35. Accordingly, final regulations
published on June 17, 1976 (41 FR 24662) provided in Sec. 99.33(a)
that educational agencies and institutions must inform a third party to
whom personally identifiable information from education records is
disclosed that it may not redisclose any personally identifiable
information without the written consent of a parent or eligible
student. However, these regulations also added a provision in Sec.
99.33(b) that permits the agency or institution to disclose
personally identifiable information under Sec. 99.31 with the
understanding that the information will be redisclosed to other
parties under that section; Provided, That the recordkeeping
requirements of Sec. 99.32 are met with respect to each of those
parties.
41 FR 24662, 24679.
The Secretary recognizes that officials and authorities that
receive education records for audit, evaluation, compliance, or
enforcement purposes under Sec. Sec. 99.31(a)(3) and 99.35 are no less
capable of protecting the information against unauthorized access and
disclosure than parties that receive education records under other
exceptions in Sec. 99.31. The proposed amendment is needed so that
SEAs and other officials and authorities listed in Sec. 99.31(a)(3)(i)
may take advantage of the regulatory exception in Sec. 99.33(b) and
redisclose personally identifiable information from education records
directly to a qualified recipient under an exception in Sec. 99.31
instead of requiring that party to go to each school district or
institution that submitted the records for audit, evaluation,
compliance, or enforcement purposes. Similarly, the proposed
regulations are needed to clarify that an official or authority that
maintains personally identifiable information from education records
subject to Sec. 99.35 may redisclose that information to another
authority listed in Sec. 99.31(a)(3)(i) for another qualifying audit,
evaluation, compliance, or enforcement activity, notwithstanding the
limitations in Sec. 99.35.
The proposed regulations clarify that while FERPA permits the
disclosure and redisclosure of education records without consent to
officials and authorities listed in Sec. 99.31(a)(3)(i) for the
purposes specified, it does not confer or establish the underlying
authority for those officials and authorities to conduct an audit,
evaluation, or compliance or enforcement activity. If Federal, State,
or local law authorizes a particular entity to audit or evaluate the
education records, then FERPA permits the disclosure of personally
identifiable information for that purpose without consent. For example,
this exception allows a school district to disclose education records
to its own State department of education or other SEA because that
agency is legally authorized to audit or evaluate the school district's
education programs, or enforce Federal legal requirements related to
those programs. This exception does not allow a school district to
disclose education records to the State higher education authority
without parental consent unless that agency is empowered under Federal,
State or local law to conduct an audit, evaluation, or compliance or
enforcement activity with respect to that school district's education
programs. The legal authority to audit, evaluate, or enforce education
programs does not derive from FERPA itself.
These proposed regulations would also ensure that State and local
educational authorities may redisclose personally identifiable
information from education records in order to consolidate K-16
education records for audit, evaluation, compliance, or enforcement
purposes under Sec. 99.35(a). For example, under the proposed
regulations, a State's postsecondary or higher education authority may
redisclose personally identifiable information from the education
records it maintains to a consolidated data system operated by the SEA
if the SEA is legally authorized to conduct an audit, evaluation,
compliance, or enforcement activity of postsecondary education
programs. Likewise, an SEA may redisclose personally identifiable
information from K-12 education records to a consolidated database
operated by a State's higher education authority if the higher
education authority is legally authorized to conduct the audit,
evaluation, compliance, or enforcement activity of K-12 educational
programs.
As noted above, disclosures under Sec. 99.33(b) are based on an
understanding on the part of the educational agency or institution that
the recipient will redisclose information to specified recipients on
its behalf subject to the recordation requirements in Sec. 99.32(b).
The Department is interested in relieving any administrative burdens
associated with recording disclosures of education records and,
therefore, invites public comment on whether an SEA, the Department, or
other official or agency listed in Sec. 99.31(a)(3) should be allowed
to maintain the record of the redisclosures it makes on behalf of an
educational agency or institution under Sec. 99.32(b).
7. Limitations on the Redisclosure of Information From Education
Records (Sec. 99.33)
Section 99.31(a)(9) (Subpoenas and Court Orders)
Statute: 20 U.S.C. 1232g(b)(4)(B) provides that an educational
agency or institution may disclose personally identifiable information
from education records to a third party only on the condition that the
recipient will not redisclose the information to anyone else without
written consent of the parent or eligible student. If a third party
outside the educational agency or institution permits access to
information without written consent of a parent or eligible student as
required under 20 U.S.C. 1232g(b)(2)(A), the educational agency or
institution may not permit access to information from education records
by that third party for a period of not less than five years. There is
no specific statutory exception to the prohibition on redisclosure of
personally identifiable information from education records.
20 U.S.C. 1232g(b)(2)(B) provides that an educational agency or
institution may disclose personally identifiable information without
consent if the information is furnished in compliance with a judicial
order or any lawfully issued subpoena, upon the condition that parents
and students are notified in advance of compliance. Advance notice is
not required for certain Federal grand jury subpoenas and subpoenas
issued for law enforcement purposes. 20 U.S.C. 1232g(b)(1)(J).
Current Regulations: Section 99.33(a)(1) permits an educational
agency or institution to disclose personally identifiable information
from education records only on the condition that the recipient will
not redisclose the information to any other party without the prior
consent of the parent or eligible student. Section 99.33(b) provides
for an exception to this general rule. Specifically, under Sec.
99.33(b), an educational agency or institution may
[[Page 15588]]
disclose personally identifiable information from education records
with the understanding that the party receiving the information may
make further disclosures on behalf of the educational agency or
institution if the disclosures meet the requirements of Sec. 99.31(a)
and the educational agency or institution complies with the
recordkeeping requirements in Sec. 99.32(b). Under Sec. 99.33(e), if
the Office determines that a third party improperly rediscloses
personally identifiable information from education records in violation
of the prohibition on redisclosure in Sec. 99.33(a), subject to the
provisions of Sec. 99.33(b), the educational agency or institution may
not allow that third party access to personally identifiable
information from education records for at least five years.
Section 99.31(a)(9) permits an educational agency or institution to
disclose personally identifiable information from education records
without consent in compliance with a judicial order or lawfully issued
subpoena, provided that the agency or institution makes a reasonable
effort to notify the parent or eligible student of the order or
subpoena in advance of compliance so that the parent or eligible
student may seek protective action. Notification is not required for
certain grand jury and law enforcement subpoenas.
Proposed Regulations: The proposed regulations in Sec. 99.33(b)(2)
would require a party that has received personally identifiable
information from education records from an educational agency or
institution, including an SEA or other official listed in Sec.
99.31(a)(3)(i), to provide the notice to parents and eligible students,
if any, required under Sec. 99.31(a)(9) before it rediscloses
personally identifiable information from the records on behalf of an
educational agency or institution in compliance with a judicial order
or lawfully issued subpoena, as authorized under Sec. 99.33(b).
Reasons: Section 99.33(b) allows a party to redisclose personally
identifiable information under Sec. 99.31(a) on behalf of an
educational agency or institution, including redisclosure in compliance
with a judicial order or lawfully issued subpoena under Sec.
99.31(a)(9). (As noted above, the proposed amendments to Sec. 99.35
would extend this authority to SEAs and other officials and agencies
listed in Sec. 99.31(a)(3)(i).) The proposed regulations are needed to
clarify which party is responsible for notifying parents and eligible
students before an SEA or other third party outside of the educational
agency or institution complies with a judicial order or subpoena to
redisclose personally identifiable information from education records.
The Secretary believes that the party that has been ordered to produce
the information should be responsible for ensuring that the parent or
eligible student has been notified because the educational agency or
institution has no control over whether and when that party will
comply. The penalty in Sec. 99.33(e) would prohibit an educational
agency or institution from providing access to any third party that
fails to provide reasonable notice to parents and eligible students
before complying with a judicial or lawfully issued subpoena.
Disclosures Required Under the Clery Act
Statute: 20 U.S.C. 1232g(b)(4)(B) provides that an educational
agency or institution may disclose personally identifiable information
from education records to a third party only on the condition that the
recipient will not redisclose the information to anyone else without
written consent of the parent or eligible student. 20 U.S.C.
1232g(b)(6)(B) allows a postsecondary institution to disclose to any
party, without consent, the final results of a disciplinary proceeding
against a student for crimes of violence or non-forcible sex offenses
if the institution determines as a result of the disciplinary
proceeding that the student committed the violation in question. 20
U.S.C. 1232g(b)(6)(A) allows a postsecondary institution to disclose to
the alleged victim the final results of disciplinary proceedings
against a student for crimes of violence or non-forcible sex offenses
regardless of the outcome. The Jeanne Clery Disclosure of Campus
Security Policy and Campus Crime Statistics Act (Clery Act), which
amended the HEA, requires postsecondary institutions to inform both the
accuser and the accused of the outcome of a campus disciplinary
proceeding brought alleging a sexual assault regardless of the outcome.
20 U.S.C. 1092(f)(8)(B)(iv)(II); 34 CFR 668.46(b)(11)(vi)(B).
Current Regulations: Regulations implementing the Clery Act, 34 CFR
Sec. 668.46(b)(11)(iv)(B), require postsecondary institutions to
inform both the accuser and the accused of the outcome of any
institutional disciplinary proceeding brought alleging a sex offense.
Under this provision the outcome of a disciplinary proceeding means
only the institution's final determination with respect to the alleged
sex offense and any sanction that is imposed against the accused.
Section 99.33(a) permits an educational agency or institution to
disclose personally identifiable information from education records
only on the condition that the recipient will not redisclose the
information to any other party without the prior consent of the parent
or eligible student. Section 99.33(c) excludes from the statutory
prohibition on redisclosure information that an educational agency or
institution may disclose without consent to any member of the public,
such as directory information under Sec. 99.31(a)(11) and the final
results of a disciplinary proceeding for acts constituting crimes of
violence or non-forcible sex offenses under Sec. 99.31(a)(14) when a
postsecondary institution has determined that the student committed the
violation in question. Current regulations in Sec. 99.33(c) do not
exclude from the redisclosure prohibition disclosures made by
postsecondary institutions to an alleged victim of a crime of violence
or non-forcible sex offense under Sec. 99.31(a)(13) or disclosures
they are required to make under the Clery Act.
Proposed Regulations: The proposed regulations would amend Sec.
99.33(c) to exclude from the statutory prohibition on redisclosure of
education records information that postsecondary institutions are
required to disclose under the Clery Act to the accuser and accused
regarding the outcome of any campus disciplinary proceeding brought
alleging a sexual offense.
Reasons: Some postsecondary institutions have required the accuser
to execute a non-disclosure agreement before they disclose the outcome
of a disciplinary proceeding for an alleged sexual offense as required
under the Clery Act. In analyzing and ruling on these practices, the
Department determined that the statutory prohibition on redisclosure of
information from education records in FERPA does not apply to
information that a postsecondary institution is required to release to
students under the Clery Act. The proposed regulations would clarify
that postsecondary institutions may not require the accuser to execute
a non-disclosure agreement or otherwise interfere with the redisclosure
or other use of information disclosed as required under the Clery Act.
8. Health and Safety Emergencies (Sec. 99.36)
Section 99.36(c) (Conditions That Apply to Disclosure of Information in
Health and Safety Emergencies)
Statute: Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or
institution may disclose personally
[[Page 15589]]
identifiable information from education records without prior written
consent, subject to regulations by the Secretary, in connection with an
emergency to appropriate persons if the knowledge of such information
is necessary to protect the health or safety of the student or other
persons.
Current regulations: Under Sec. 99.36(a), an educational agency or
institution may disclose personally identifiable information from
education records to appropriate parties in connection with an
emergency if knowledge of the information is necessary to protect the
health or safety of the student or other individuals. Under Sec.
99.36(b), educational agencies and institutions may include in a
student's education records appropriate information concerning
disciplinary action taken against the student for conduct that posed a
significant risk to the safety or well-being of that student, other
students, or other members of the school community. Educational
agencies and institutions may also disclose appropriate information
about these kinds of disciplinary actions to teachers and school
officials within the agency or institution or in other schools who have
legitimate educational interests in the behavior of the student. Under
Sec. 99.36(c), all of these regulatory provisions must be strictly
construed.
Proposed regulations: The Department proposes to revise Sec.
99.36(c) to remove the language requiring strict construction of this
exception and add a provision that in making a determination under
Sec. 99.36(a), an educational agency or institution may take into
account the totality of the circumstances pertaining to a threat to the
safety or health of a student or other individuals. If the educational
agency or institution determines that there is an articulable and
significant threat to the health or safety of a student or other
individuals, it may disclose information from education records to any
person whose knowledge of the information is necessary to protect the
health and safety of the student or other individuals. If, based on the
information available at the time of the determination, there is a
rational basis for the determination, the Department will not
substitute its judgment for that of the educational agency or
institution in evaluating the circumstances and making its
determination.
Reasons: In the wake of the tragic shootings at Virginia Tech, the
President directed the Secretary, together with the Secretary of Health
and Human Services and the Attorney General, to travel to communities
across the nation and to meet with educators, mental health experts,
law enforcement and State and local officials to discuss the broader
issues raised by the tragedy. On June 13, 2007, those officials
transmitted a ``Report to the President on Issues Raised by the
Virginia Tech Tragedy.'' See http://www.hhs.gov/vtreport.html. In
relevant part, the report provided:
A consistent theme and broad perception in our meetings was that
this confusion and differing interpretations about state and federal
privacy laws and regulations impede appropriate information sharing.
In some sessions, there were concerns and confusion about the
potential liability of teachers, administrators, or institutions
that could arise from sharing information, or from not sharing
information, under privacy laws, as well as laws designed to protect
individuals from discrimination on the basis of mental illness. It
was almost universally observed that these fears and
misunderstandings likely limit the transfer of information in more
significant ways than is required by law. Particularly, although
participants in each state meeting were aware of both [the Health
Insurance Portability and Accountability Act of 1996 (HIPAA)] and
FERPA, there was significant misunderstanding about the scope and
application of these laws and their interrelation with state laws.
In a number of discussions, participants reported circumstances in
which they incorrectly believed that they were subject to liability
or foreclosed from sharing information under federal law. Other
participants were unsure whether and how HIPAA and FERPA actually
limit or allow information to be shared and unaware of exceptions
that could allow relevant information to be shared.
Report at page 7. The report went on to charge the Department with
certain specific recommended actions:
The U.S. Departments of Health and Human Services and Education
should develop additional guidance that clarifies how information
can be shared legally under HIPAA and FERPA and disseminate it
widely to the mental health, education, and law enforcement
communities. The U.S. Department of Education should ensure that
parents and school officials understand how and when post-secondary
institutions can share information on college students with parents.
In addition, the U.S. Departments of Education and Health and Human
Services should consider whether further actions are needed to
balance more appropriately the interests of safety, privacy, and
treatment implicated by FERPA and HIPAA.
Report at page 8 (italics in original). The Department of Education and
the Department of Health and Human Services are currently working
together on guidance for our respective communities on these issues.
This guidance is in addition to compliance training and guidance that
the two agencies have provided since issuance of the HIPAA Privacy Rule
in December 2000 and, more recently, since the events in April 2007 at
Virginia Tech.
Further, the Secretary has carefully considered the appropriate
relationship between conditions associated with Federal funding and the
exigencies of administering an agency or institution of education on a
daily basis. In examining the application of FERPA to the recipients of
Departmental funds, the Secretary is mindful that the ``health and
safety'' exception does not allow disclosures on a routine, non-
emergency basis. For example, the ``health and safety'' exception does
not permit a school district to routinely share its student information
database with the local police department. The present regulation,
however, which merely admonishes that the regulation should be
``strictly construed,'' does not provide a standard to determine
whether a particular disclosure complies with the statute.
Consequently, the Secretary has decided to provide a new standard for
the administration of this exception to the written consent requirement
in FERPA. To assure that there are adequate safeguards on this
exception, the Secretary requires that, considering the totality of the
circumstances, there must be an articulable and significant threat to
the health or safety of a student or other individuals, and that the
disclosure be to any person whose knowledge of the information is
necessary to protect against the threat.
On the other hand, the Secretary has determined that greater
flexibility and deference should be afforded to administrators so they
can bring appropriate resources to bear on a circumstance that
threatens the health or safety of individuals. To provide for
appropriate flexibility and deference, the Secretary has determined
that if, based on the information available at the time of the
determination, there is a rational basis for the determination, the
Department will not substitute its judgment for that of the educational
agency or institution in evaluating the circumstances and making its
determination.
In short, in balancing the interests of safety, privacy, and
treatment, the Secretary proposes to revise the regulation to specify
legal standards, but to couple those standards with greater flexibility
and deference to administrators so they can bring appropriate resources
to bear on a circumstance that threatens the health or safety of
individuals.
[[Page 15590]]
9. Directory Information (Sec. 99.37)
Section 99.37(b) (Disclosure of Directory Information About Former
Students)
Statute: Under 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2), an
educational agency or institution may disclose directory information
without meeting FERPA's written consent requirements provided that it
first notifies the parents or eligible student of the types of
information that may be disclosed and allows them to opt out of the
disclosure. The statute lists a number of items in the definition of
directory information, including a student's name, address and
telephone listing. The statute does not address procedures for
disclosing directory information about former students.
Current Regulations: Section 99.37(a) requires an educational
agency or institution to provide public notice to parents of students
in attendance and eligible students in attendance of the types of
directory information that may be disclosed and the parent's or
eligible student's right to opt out. Section 99.37(b) allows the agency
or institution to disclose directory information about former students
without providing the notice required under Sec. 99.37(a).
Proposed Regulations: Proposed Sec. 99.37(b) clarifies that an
agency or institution must continue to honor any valid request to opt
out of directory information disclosures made while the individual was
a student unless the parent or eligible student rescinds the decision
to opt out of directory information disclosures.
Reasons: Some institutions have indicated that Sec. 99.37(b)
creates uncertainty about whether they must continue to honor a
parent's or eligible student's decision to opt out of directory
information disclosures once the student no longer attends the
institution. The regulations are needed to clarify that while an agency
or institution does not have to notify former students about its policy
on directory information disclosures and their right to opt out,
directory information may not be disclosed once an individual is no
longer a student if the individual made a valid request to opt out
while a student in attendance and has not rescinded that request.
Section 99.37(c) (Identification of Students and Communications in
Class)
Statute: The statute does not address whether parents and students
may use their right to opt out of directory information disclosures to
prevent school officials from identifying the student by name or
disclosing the student's electronic identifier or institutional e-mail
address in class.
Current Regulations: Current regulations do not address whether
parents and students may use their right to opt out of directory
information disclosures to prevent school officials from identifying
the student by name or disclosing the student's electronic identifier
or institutional e-mail address in class.
Proposed Regulations: The proposed regulations would provide in
Sec. 99.37(c) that a parent or eligible student may not use their
right to opt out of directory information disclosures to prevent an
educational agency or institution from disclosing or requiring a
student to disclose the student's name, electronic identifier, or
institutional e-mail address in a class in which the student is
enrolled.
Reasons: Several institutions have asked whether a teacher can
include in a classroom roll call or sign-in sheet the names of students
who have opted out of directory information disclosures. They have also
asked whether a student's e-mail address may be disclosed to other
students in an on-line class if the student has opted out of directory
information disclosures. The proposed regulations are needed to clarify
that the right to opt out of directory information disclosures is not a
tool for students to remain anonymous in class.
The directory information exception is intended to facilitate
communication among school officials, parents, students, alumni, and
others, and permit schools to publicize and promote institutional
activities to the general public. Many institutions do so by publishing
paper or electronic directories that contain student names, addresses,
telephone listings, e-mail addresses, and other information the
institution has designated as directory information. Some institutions
do not publish a directory but do release directory information on a
more selective basis. FERPA clearly allows a parent or eligible student
to opt out of these disclosures (under the conditions specified in
paragraph (a)), whether the information is made available to the
general public, limited to members of the school community, or released
only to specified individuals.
The Secretary believes, however, that the right to opt out of
directory information disclosures does not include a right to remain
anonymous in class and, therefore, may not be used to impede routine
classroom communications and interactions by preventing a teacher from
identifying a student by name in class, whether class is held in a
specified physical location or on-line through electronic
communications. This means, for example, that regardless of a student's
block on directory information disclosures, a teacher may call students
by first and last name in class and require students to place their
names on a sign-in sheet circulated in class, whether the class is
conducted in person or on-line. Because students generally do not have
face-to-face communications in on-line classes (or in an on-line
component of traditional classes), schools may also disclose or require
students to disclose a unique electronic identifier or e-mail address
used for students to communicate with one another for on-line class
work. This could be either an e-mail address assigned by the
institution or one selected by the student for this purpose. Note that
this provision is strictly limited to information needed to identify
and enable students to communicate in class, i.e., the student's name,
unique electronic identifier, and institutional e-mail address. It
provides no authority to disclose any directory information outside of
the student's class. Further, no other kinds of directory information,
including a student's home or campus address, telephone listing, or
personal e-mail address not used for class communications, may be
disclosed, even within the student's own class, if the parent or
eligible student has exercised the right to opt out of directory
information disclosures.
Section 99.37(d) (Prohibition on Use of SSNs To Identify Students When
Disclosing or Confirming Directory Information)
Statute: The statute does not address the permissibility of using
SSNs to identify students when disclosing or confirming directory
information.
Current Regulations: Current regulations do not explicitly prohibit
the use of SSNs to identify students when disclosing or confirming
directory information.
Proposed Regulations: Section 99.37(d) would prohibit an
educational agency or institution from using an SSN, either alone or
when combined with other data elements, to identify or help identify a
student or the student's records when disclosing or confirming
directory information unless the student has provided written consent
in accordance with FERPA.
Reasons: Some institutions, along with vendors that provide
services on behalf of institutions, allow employers and others who seek
directory information about a student, such as
[[Page 15591]]
whether a student has ever attended the institution or received a
degree, to submit the student's SSN as a means of identifying the
individual. These regulations are needed to provide a legally binding
interpretation that this practice violates FERPA unless the student has
provided prior written consent for the institution to disclose the
student's SSN, even if the institution or vendor only explicitly
releases or confirms directory information about the student. Use of an
SSN to identify a student or the student's records constitutes an
implicit confirmation of the SSN, even if several other data elements
are also used to help identify the student in the process.
10. Enforcement (Sec. Sec. 99.62, 99.64, 99.65, 99.66, and 99.67)
These proposed amendments are intended to clarify the Secretary's
enforcement authority in light of the decision of the U.S. Supreme
Court in Gonzaga University v. Doe, 536 U.S. 273 (2002). They do not
reflect an intention or plan on the part of the Secretary to initiate
FERPA institutional compliance reviews or otherwise expand FERPA
investigations beyond the current practice of the Office. The
Department will exercise its authority to investigate a specific agency
or institution only when possible violations are brought to The
Department's attention.
Statute: 20 U.S.C. 1232g(f) and (g) directs the Secretary to take
appropriate actions to enforce FERPA. The statute does not specify any
requirements an educational agency or institution must meet in
connection with the Office's investigation of complaints and violations
of FERPA.
Section 99.62 (Information Required for the Office To Investigate and
Resolve Complaints and Violations)
Current Regulations: Under Sec. 99.62 the Office may require an
educational agency or institution to submit reports containing
information needed by the Office to resolve complaints.
Proposed Regulations: The proposed regulations in Sec. 99.62 would
specify materials that the Office may require an educational agency or
institution to submit in order to carry out its investigation and other
enforcement responsibilities, including information on the agency's or
institution's policies and procedures, annual notifications, training
materials, and other relevant information.
Reasons: The regulations are needed to clarify the kinds of
information that may be required should the Office seek to determine
whether a violation constitutes a policy or practice of the agency or
institution.
Section 99.64 (Complaint and Investigation Procedure)
Statute: 20 U.S.C. 1232g(g) provides that the Secretary must
establish or designate an office and review board to investigate,
process, review, and adjudicate FERPA violations and complaints
alleging FERPA violations. The statute does not specify the
requirements of a complaint or procedures to be followed by the Office
in investigating and resolving alleged FERPA violations.
Current Regulations: Section 99.64(a) provides that a complaint
must contain specific allegations of fact that an educational agency or
institution has violated FERPA. Under Sec. 99.64(b), the Office
investigates each timely complaint to determine whether a violation
occurred.
Proposed Regulations: The proposed regulations provide in Sec.
99.64(a) that a complaint does not have to allege that a violation or
failure to comply with FERPA is based on a policy or practice of the
agency or institution. Under proposed Sec. 99.64(b), if the Office
determines that the agency or institution has violated or failed to
comply with a FERPA requirement, the Office may also seek to determine
whether the violation or failure to comply was based on a policy or
practice of the agency or institution. In addition, the Office may
investigate a possible FERPA violation even if it has not received a
timely complaint from a parent or student or if a valid complaint is
subsequently withdrawn.
Reasons: The proposed regulations are needed to clarify that the
Department's enforcement responsibilities, as described in Gonzaga
University v. Doe, 536 U.S. 273 (2002), include the authority to
investigate possible FERPA violations even if no complaint has been
filed or a complaint has been withdrawn. While not a widespread
problem, the Department needs to establish in its regulations that the
Office may investigate allegations of non-compliance provided by a
school official or some other party who is not a parent or eligible
student because sometimes parents and students are not aware of an
ongoing FERPA problem that needs to be addressed.
The proposed amendments to Sec. 99.64 are also needed to clarify
that the Office may investigate a FERPA complaint even if the party has
not specifically alleged that the agency or institution has a policy or
practice in violation of FERPA. In these circumstances, the Office may
elect to investigate and determine whether conduct that violates a
specific FERPA requirement also constitutes a policy or practice of the
agency or institution. (As explained below in connection with proposed
amendments to Sec. 99.66, the Department may not seek to withhold
funding, terminate eligibility to receive funding under an applicable
program, or take other enforcement actions unless it determines that an
educational agency or institution has a policy or practice in violation
of FERPA requirements and has not come into compliance voluntarily.)
Section 99.65 (Content of Notice of Investigation)
Statute: The statute does not specify what information the Office
must include in a notice of investigation of a FERPA violation.
Current Regulations: Under Sec. 99.65 the Office asks an
educational agency or institution to submit a written response to a
notice of investigation.
Proposed Regulations: Proposed Sec. 99.65(a) would allow the
Office to ask an educational agency or institution to submit a written
response and other relevant information as set forth in Sec. 99.62.
Reasons: The regulations are needed to clarify that the Office may
ask an agency or institution to submit any relevant information needed
to resolve a complaint or otherwise conduct an investigation under
FERPA.
Section 99.66 (Enforcement Responsibilities of the Office)
Statute: 20 U.S.C. 1232g(a)(1)(A) and (B) provides that no funds
shall be made available under any program administered by the Secretary
to an educational agency or institution or an SEA that has a policy of
denying or effectively prevents parents from exercising their right to
inspect and review the student's education records. 20 U.S.C.
1232g(a)(2) provides that no funds shall be made available under any
program administered by the Secretary to an educational agency or
institution unless parents are provided an opportunity for a hearing to
challenge the content of the student's education records under
specified conditions. 20 U.S.C. 1232g(b)(1) and (b)(2) provide that no
funds shall be made available under any program administered by the
Secretary to an educational agency or institution that has a policy or
practice of permitting the release of, releasing, or providing access
to personally identifiable information in education records without
prior written consent except as authorized under FERPA. 20
[[Page 15592]]
U.S.C. 1232g(f) directs the Secretary to take appropriate actions to
enforce and deal with FERPA violations, except that action to terminate
assistance may be taken only if the Secretary finds that there has been
a failure to comply and that compliance cannot be secured by voluntary
means. The statute does not specify what steps the Secretary should
take to conduct investigations and seek voluntary compliance.
Current Regulations: Under Sec. 99.66, the Office reviews a
complaint and response from an educational agency or institution and
may permit the parties to submit further written or oral arguments or
information. Following its investigation, the Office provides to the
complainant and the agency or institution written notice of its
findings, including the basis for its findings. If the Office finds
that the educational agency or institution has failed to comply with a
FERPA requirement, its notice includes a statement of the specific
steps that the agency or institution must take to comply and provides a
reasonable period of time, given all the circumstances, during which
the agency or institution may comply voluntarily.
Proposed Regulations: Section 99.66(c) would allow the Office to
issue a notice of findings that an educational agency or institution
violated FERPA without also finding that the violation constituted a
policy or practice of the agency or institution.
Reasons: In light of the Supreme Court's ruling in Gonzaga, the
proposed regulations are needed to clarify that, consistent with its
current practice, the Office may find that an agency or institution
violated FERPA even if the Office does not make a further determination
that the violation was based on a policy or practice of the agency or
institution. As explained below in connection with proposed amendments
to Sec. 99.67(a), however, the Secretary may not take an enforcement
action unless the Office has determined that the educational agency or
institution has a policy or practice in violation of FERPA.
Section 99.67 (Enforcement Actions)
Statute: 20 U.S.C. 1232g(a)(1)(A) and (B) provides that no funds
shall be made available under any program administered by the Secretary
to an educational agency or institution or an SEA that has a policy of
denying or effectively prevents parents from exercising their right to
inspect and review the student's education records. 20 U.S.C.
1232g(a)(2) provides that no funds shall be made available under any
program administered by the Secretary to an educational agency or
institution unless parents are provided an opportunity for a hearing to
challenge the content of the student's education records under
specified conditions. 20 U.S.C. 1232g(b)(1) and (b)(2) provide that no
funds shall be made available under any program administered by the
Secretary to an educational agency or institution that has a policy or
practice of permitting the release of, releasing, or providing access
to education records without prior written consent except as authorized
under FERPA. 20 U.S.C. 1232g(f) directs the Secretary to take
appropriate actions to enforce and deal with FERPA violations, except
that action to terminate assistance may be taken only if the Secretary
finds that there has been a failure to comply and that compliance
cannot be secured by voluntary means. The statute does not specify what
steps the Secretary should take to conduct investigations and seek
voluntary compliance or what enforcement actions the Secretary may take
in cases of non-compliance.
Current Regulations: Under Sec. 99.67(a), the Secretary may
withhold further payments under any applicable program, issue a
complaint to compel compliance through a cease and desist order, or
terminate eligibility to receive funding under any applicable program
only if an educational agency or institution fails to comply
voluntarily with a notice finding that the agency or institution has
not complied with the Act.
Proposed Regulations: Under proposed Sec. 99.67(a), the Secretary
may take enforcement actions if the Office determines that the
educational agency or institution has a policy or practice in violation
of FERPA requirements and has failed to come into compliance
voluntarily. The proposed regulations also clarify that the Secretary
may take any other appropriate enforcement action in addition to those
listed specifically in the regulations.
Reasons: The proposed regulations are needed to clarify that the
Office may issue a notice of violation or failure to comply with
specific FERPA requirements, such as a single failure to provide a
parent with access to education records, and require corrective action.
However, the Office may not seek to withhold payments, terminate
eligibility for funding, or take other enforcement actions unless the
Office determines that the agency or institution has a policy or
practice in violation of FERPA requirements. The proposed regulations
are also needed to clarify that the Secretary may take any other
enforcement action that is legally available, such as entering into a
compliance agreement under 20 U.S.C. 1234f or seeking an injunction.
Executive Order 12866
Under Executive Order 12866, the Secretary must determine whether
this regulatory action is ``significant'' and therefore subject to the
requirements of the Executive Order and subject to review by the OMB.
Section 3(f) of Executive Order 12866 defines a ``significant
regulatory action'' as an action likely to result in a rule that may
(1) have an annual effect on the economy of $100 million or more, or
adversely affect a sector of the economy, productivity, competition,
jobs, the environment, public health or safety, or State, local or
tribal governments or communities in a material way (also referred to
as an ``economically significant'' rule); (2) create serious
inconsistency or otherwise interfere with an action taken or planned by
another agency; (3) materially alter the budgetary impacts of
entitlement grants, user fees, or loan programs or the rights and
obligations of recipients thereof; or (4) raise novel legal or policy
issues arising out of legal mandates, the President's priorities, or
the principles set forth in the Executive order. The Secretary has
determined that this regulatory action is significant under section
3(f)(4) of the Executive order.
1. Potential Costs and Benefits
Following is an analysis of the potential costs and benefits of the
most significant proposed changes to the FERPA regulations. In
conducting this analysis, the Department examined the extent to which
the regulations add to or reduce the costs of educational agencies and
institutions and, where appropriate, State educational agencies (SEAs)
and other State and local educational authorities in relation to their
costs of complying with the FERPA regulations prior to these changes.
This analysis is based on data from the most recent Digest of
Education Statistics (2006) published by the National Center for
Education Statistics (NCES), which projects total enrollment of
48,948,000 students in public elementary and secondary schools and
17,648,000 students in postsecondary institutions; and a total of
96,513 public K-12 schools; 14,315 school districts; and 6,585
postsecondary institutions. (Excluded are data from private
institutions that do not receive Federal funding from the Department
and, therefore, are not subject to FERPA.) Based on this analysis, the
Secretary has concluded that the changes in these proposed regulations
would not impose
[[Page 15593]]
significant net costs on educational agencies and institutions.
Analyses of specific provisions follow.
Alumni Records
The proposed regulations clarify the current exclusion from the
definition of education records for records that only contain
information about an individual after he or she is no longer a student,
which is intended to cover records of alumni and similar activities.
Some institutions have applied this exclusion to records that are
created after a student has ceased attending the institution but that
are directly related to his or her attendance as a student, such as
investigatory reports and settlement agreements about incidents and
injuries that occurred during the student's enrollment. The amendment
would clarify that this provision applies only to records created or
received by an educational agency or institution after an individual is
no longer a student in attendance and that are not directly related to
the individual's attendance as a student.
We believe that most of the more than 102,000 K-12 schools and
postsecondary institutions subject to FERPA already adhere to this
revised interpretation in the proposed regulations and that for those
that do not, the number of records affected is likely to be very small.
Assuming that each year one half of one percent of the 66,596,000
students enrolled in these institutions have one record each affected
by the proposed change, in the year following issuance of the
regulations institutions would be required to try to obtain written
consent before releasing 332,980 records that they would otherwise
release without consent. We estimate that for the first year contacting
the affected parent or student to seek and process written consent for
these disclosures would take approximately \1/2\ hour per record at an
average cost of $32.67 per hour for a total cost of $5,439,229.
(Compensation for administrative staff time is based on published
estimates for 2005 from the Bureau of Labor Statistics' National
Compensation Survey of $23.50 per hour plus an average 39 percent
benefit load for Level 8 administrators in education and related
fields.)
In terms of benefits, the proposed change would protect the privacy
of parents and students by clarifying the intent of this regulatory
exclusion and help prevent the unlawful disclosure of these records. It
would also provide greater legal certainty and therefore some cost
savings for those agencies and institutions that may be required to
litigate this issue in connection with a request under a State open
records act or other legal proceeding. For these reasons, we believe
that the overall benefits outweigh the potential costs of this change.
Exclusion of SSNs and ID Numbers From Directory Information
The proposed regulations clarify that a student's SSN or student ID
number is personally identifiable information that may not be disclosed
as directory information under FERPA. The principal effect of this
change is that educational agencies and institutions may not post
grades by SSN or student ID number and may not include these
identifiers with directory information they disclose about a student,
such as a student's name, school, and grade level or class, on rosters
or sign-in sheets that are made available to students and others.
(Educational agencies and institutions may continue to include SSNs and
student ID numbers on class rosters and schedules that are disclosed
only to teachers and other school officials who have legitimate
educational interests in this information.)
A class roster or sign-in sheet that contains or requires students
to affix their SSN or student ID number makes that information
available to every individual who signs-in or sees the document and who
may be able to use it for identity theft or to find out a student's
grades or other confidential educational information. In regard to
posting grades, an individual who knows which classes a particular
student attends may be able to ascertain that student's SSN or student
ID number by comparing class lists for repeat numbers. Because SSNs are
not randomly generated, it may be possible to identify a student by
State of origin based on the first three (area) digits of the number,
or by date of issuance based on the two middle digits.
The Department does not have any actual data on how many class or
test grades are posted by SSN or student ID number at this time, but we
believe that the practice is rare or non-existent below the secondary
level. Although the practice was once widespread, particularly at the
postsecondary level, anecdotal evidence suggests that as a result of
consistent training and informal guidance by the Department over the
past several years, together with the increased attention States and
privacy advocates have given to the use of SSNs, many institutions now
either require teachers to use a code known only to the teacher and the
student or prohibit posting of grades entirely.
The most recent figures available from the Bureau of Labor
Statistics (2004) indicate that there are approximately 2.7 million
secondary and postsecondary teachers in the United States. As noted
above, we assume that most of these teachers either do not post grades
at all or already use a code known only to the teacher or student. We
assume further that additional costs to deliver grades personally in
the classroom or through electronic mail, instead of posting, would be
minimal. For purposes of this analysis, we estimate that no more than 5
percent of 2.7 million, or 135,000 teachers would continue to post
grades and need to convert to a code, which would require them to spend
an average of one half hour each semester establishing and managing
grading codes for students. Using the Bureau of Labor Statistics'
published estimate of average hourly wages of $42.98 for teachers at
postsecondary institutions and an average 39 percent load for benefits,
we estimate an average cost of $59.74 per teacher per year, for a total
of $8,064,900. Parents and students should incur no costs except for
the time they might have to spend to contact the school official if
they forget the student's grading code.
This proposed change will benefit parents and students and
educational agencies and institutions by reducing the risk of identity
theft associated with posting grades by SSN, and the risk of disclosing
grades and other confidential educational information caused by posting
grades by student ID number. It is difficult to quantify the value of
reducing the risk of identity theft. We note, however, that for the
past few years over one-third of complaints filed with the Federal
Trade Commission have been for identity theft. See Federal Trade
Commission, Consumer Fraud and Identity Theft Data, February 2008, at
page 2.
According to the Better Business Bureau, identity theft cost
businesses nearly $57 billion in 2006 while victims spent an average of
40 hours resolving identity theft issues. It is even more difficult to
measure the benefits of enhanced privacy protections for student grades
and other confidential educational information from education records
because the value individuals place on the privacy of this information
varies considerably and because we are unable to determine how often it
happens. Therefore, the Secretary seeks public comment on the value of
these enhanced privacy protections in relation to the expected costs to
implement the proposed changes.
[[Page 15594]]
Prohibit Use of SSN To Confirm Directory Information
The proposed regulations would prevent an educational agency or
institution (or a contractor providing services for an agency or
institution) from using a student's SSN (or student ID number) to
identify the student when releasing or confirming directory
information. This occurs, for example, when a prospective employer or
insurance company telephones an institution or submits a Web site
inquiry to find out whether a particular individual is enrolled in or
has graduated from the institution. While this provision would apply to
educational agencies and institutions at all grade levels, we believe
that it will affect mainly postsecondary institutions because
enrollment and degree verification services typically are not offered
at the K-12 level.
A survey conducted in March 2002 by the American Association of
Collegiate Registrars and Admissions Officers (AACRAO) showed that
nearly half of postsecondary institutions used SSNs as the primary
means to track students in academic databases. Since then, use of SSNs
as a student identifier has decreased significantly in response to
public concern about identity theft. While postsecondary institutions
may continue to collect students SSNs for financial aid and tax
reporting purposes, many have ceased using the SSN as a student
identifier either voluntarily or in compliance with State laws. Also,
over the past several years the Department has provided training on
this issue and published on the Office Web site a 2004 letter finding a
postsecondary institution in violation of FERPA when its agent used a
student's SSN, without consent, to search its database to verify that
the student had received a degree.
http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/auburnuniv.html.
In these circumstances, we estimate
that possibly one-quarter of the nearly 6,585 postsecondary
institutions in the United States, or 1,646 institutions, may ask a
requester to provide the student's SSN (or student ID number) in order
to locate the record and respond to an inquiry for directory
information.
Under the proposed amendment an educational agency or institution
that identifies students by SSN (or student ID number) when releasing
directory information will either have to ensure that the student has
provided written consent to disclose the number to the requester, or
rely solely on a student's name and other properly designated directory
information to identify the student, such as address, date of birth,
dates of enrollment, year of graduation, major field of study, degree
received, etc. Costs to an institution of ensuring that students have
provided written consent for these disclosures, for example by
requiring the requester to fax copies of each written consent to the
institution or its contractor, or making arrangements to receive them
electronically, could be substantial for large institutions and
organizations that utilize electronic recordkeeping systems.
Institutions may choose instead to conduct these verifications without
using SSNs or student IDs, which may make it more difficult to ensure
that the correct student has been identified because of the known
problems in matching records without the use of a universal identifier.
Increased institutional costs either to verify that the student has
provided consent or to conduct a search without use of SSNs or student
ID numbers should be less for smaller institutions, where the chances
of duplicate records are decreased. Parents and students may incur
additional costs if an employer, insurance company, or other requester
is unable to verify enrollment or graduation based solely on directory
information and written consent for disclosure of the student's SSN or
student ID number is required. Due to the difficulty in ascertaining
actual costs associated with these transactions, the Secretary asks for
public comment on costs that educational agencies and institutions and
parents and students would expect to incur under this proposed change.
The enhanced privacy protections of this proposed amendment will
benefit students and parents by reducing the risk that third parties
will use a student's SSN without consent and possibly confirm a
questionable number for purposes of identity theft. Similarly,
preventing institutions from implicitly confirming a questionable
student ID number will help prevent unauthorized individuals from
obtaining confidential information from education records. In
evaluating the benefits or value of this proposed change, we note that
this provision does not affect any activity that an educational agency
or institution is required to perform under FERPA or other Federal law,
such as using SSNs to confirm enrollment for student loan purposes,
which is permitted without consent under the financial aid exception in
Sec. 99.31.
User ID for Electronic Communications
The proposed regulations would allow an educational agency or
institution to disclose as directory information a student's user ID or
other electronic identifier so long as it functions like a name, that
is, it cannot be used without a PIN, password, or some other
authentication factor to gain access to education records. This change
would impose no costs and would result in regulatory relief by allowing
agencies and institutions to use directory services in electronic
communications systems without incurring the administrative costs
associated with obtaining student consent for these disclosures.
Costs related to honoring a student's decision to opt out of these
disclosures should be minimal because of the small number of students
who would elect not to participate in electronic communications at
their school. Applying this proposed change to records of both K-12 and
postsecondary students and assuming that one-tenth of a percent of
parents and eligible students would opt out of these disclosures, we
estimate that institutions would have to flag the records of
approximately 67,000 students for opt out purposes. Recognizing that
institutions currently flag records for directory information opt outs
for other purposes, the Secretary seeks public comment on the
administrative and information technology costs institutions would
incur to process these potential new directory information opt outs.
Student Anonymity in the Classroom
The proposed regulations would ensure that parents and students do
not use the right to opt out of directory information disclosures to
prevent disclosure of the student's name, institutional e-mail address,
or electronic identifier in the student's physical or electronic
classroom. We estimate that this change would result in a small net
benefit to educational agencies and institutions because they would
have greater legal certainty about this element of classroom
administration, and it would reduce the institutional costs of
responding to complaints from students and parents about the release of
this information. FERPA could not be used to allow students to remain
anonymous to their peers in class, but the safety of students might be
enhanced by allowing them to know the name of every student in their
class.
Disclosing Education Records to New School and to Party Identified as
Source Record
The proposed amendment to Sec. 99.31(a)(2) would allow an
educational agency or institution to disclose education records, or
[[Page 15595]]
personally identifiable information from education records, to a
student's new school even after the student is already attending the
new school so long as the disclosure relates to the student's
enrollment in the new school. This change would provide regulatory
relief by reducing legal uncertainty about how long a school may
continue to send records or information to a student's new school,
without consent, under the ``seeks or intends to enroll'' exception.
The proposed amendment to the definition of disclosure in Sec.
99.3 would allow a school that has concerns about the validity of a
transcript, letter of recommendation, or other record to return these
documents (or personally identifiable information from these documents)
to the student's previous school or other party identified as the
source of the record in order to resolve questions about their
validity. Combined with the proposed change to Sec. 99.31(a)(2),
discussed earlier in this analysis, this change would also allow the
student's previous school to continue to send education records, or
clarification about education records, to the student's new school in
response to questions about the validity or meaning of records sent
previously by that party. We believe that these changes would provide
significant regulatory relief to educational agencies and institutions
by helping to reduce transcript and other educational fraud based on
falsified records.
Outsourcing
The proposed regulations would allow educational agencies and
institutions to disclose education records, or personally identifiable
information from education records, without consent to contractors,
volunteers, and other non-employees performing institutional services
and functions as school officials. The agency or institution may have
to amend its annual notification of FERPA rights to include these
parties as school officials with legitimate educational interests.
This change would provide regulatory relief by permitting and
clarifying the conditions for a non-consensual disclosure of education
records that is not allowed under current regulations. Our experience
suggests that virtually all of the more than 102,000 schools subject to
FERPA will take advantage of this provision. We have no actual data on
how many school districts publish annual FERPA notifications for the
96,513 K-12 public schools included in the 102,000 total and,
therefore, how many entities would be affected by this requirement.
However, since educational agencies and institutions are already
required under existing regulations to publish a FERPA notification
annually, we believe that costs to include this new information would
be minimal.
Access Control and Tracking
The proposed regulations in Sec. 99.31(a)(1)(ii) would require an
educational agency or institution to use reasonable methods to ensure
that teachers and other school officials obtain access to only those
education records in which they have legitimate educational interests.
This requirement would apply to both computerized or electronic records
and paper, film, and other hard copy records. Agencies and institutions
that choose not to restrict access with physical or technological
controls, such as locked cabinets and role-based software security,
must ensure that their policy is effective and that school officials
gain access to only those education records in which they have
legitimate educational interests.
Information gathered by the director of the Family Policy
Compliance Office at numerous FERPA training sessions and seminars,
along with recent discussions with software vendors and educational
organizations, indicates that the vast majority of mid and large size
school districts and postsecondary institutions currently use
commercial software for student information systems. We have been
advised that these systems all include role-based security features
that allow administrators to control access to specific records,
screens, or fields according to a school official's duties and
responsibilities; these systems also typically contain transactional
logging features that document or track a user's actual access to
particular records, which an agency or institution may use to help
ensure the effectiveness of its policies regarding access to education
records. Educational agencies and institutions that already have these
systems would incur no additional costs to comply with the proposed
regulations.
For purposes of this analysis we excluded from a total of 14,315
school districts and 6,585 postsecondary institutions those with more
than 1,000 students, for a total of 6,998 small K-12 districts and
3,933 small postsecondary institutions that may not have software with
access control security features. The director's discussions with
numerous SEAs and local districts suggest that the vast majority of
these small districts and institutions do not make education records
available to school officials electronically or by computer but instead
use some system of administrative and physical controls.
We estimate for this analysis that 20 percent, or 1,400, of these
small districts and institutions use home-built computerized or
electronic systems that may not have the role-based security features
of commercial software. The most recent published estimate we have for
software costs comes from the final Standards for Privacy of
Individually Identifiable Health Information under the Health Insurance
Portability and Accountability Act of 1996 (HIPAA Privacy Rule)
published by the Department of Health and Human Services (HHS) on
December 28, 2000, which estimated that the cost of software upgrades
to track the disclosure of medical records would be $35,000 initially
for each hospital. 65 FR 82462, 82768. We determined that use of the
cost estimate from the HIPAA Privacy Rule was appropriate because, as
discussed above, software that tracks disclosure history can also be
used to control or restrict access to electronic records. Recent
discussions with information technology (IT) staff in the Department
suggested that it was reasonable to conclude that an institutional
license for software that controls and tracks access to electronic
records would cost approximately $35,000 at this time; adjustments for
inflation were not deemed necessary because software costs do not track
with inflation in as straightforward a way as do other goods and
services. Further, while discussions with HHS staff indicate that the
disclosure tracking software cost estimates in the HIPAA Privacy Rule
preamble were provided primarily with hospitals and larger institutions
in mind, the Department's IT staff found no difference between software
costs depending on the size of the institutions.
Based on these determinations and assumptions, if 1,400 small K-12
districts and postsecondary institutions purchased student information
software to comply with the proposed regulations, they would incur
estimated costs of $49,000,000. We believe that the remaining 5,600
small districts and institutions would not purchase new software
because they do not make education records available electronically and
rely instead on less costly administrative and physical methods to
control access to records by school officials. Districts and
institutions that provide school officials with open access to
education records may need to devote some additional administrative
staff time to ensuring that their policies are effective and that they
remain in compliance with the
[[Page 15596]]
legitimate educational interest requirement with respect to school
officials who access records. However, no reliable estimates exist for
the average number of teachers and other school officials who access
education records or the number of times access is sought. Accordingly,
we are seeking public comment on any potential net costs associated
with this proposed requirement for ensuring that legitimate educational
interest policies are effective.
Identification and Authentication of Identity
The proposed regulations in Sec. 99.31(c) would require
educational agencies and institutions to use reasonable methods to
identify and authenticate the identity of parents, students, school
officials and other parties to whom the agency or institution discloses
personally identifiable information from education records. They would
impose no new costs for educational agencies and institutions that
disclose hard copy records through the U.S. postal service or private
delivery services with use of the recipient's name and last known
official address. We were unable to find reliable data that would allow
us to estimate the additional administrative time that educational
agencies and institutions would incur to check photo identification,
where appropriate, when releasing education records in person and seek
public comment on this point.
Authentication of identity for electronic records involves a wider
array of security options because of continuing advances in
technologies but is not necessarily more costly than authentication of
identity for hard copy records. We assume that educational agencies and
institutions that require users to enter a secret password or PIN to
authenticate identity will deliver the password or PIN through the U.S.
postal service or in person. We estimate that no new costs would be
associated with this process because agencies and institutions already
have direct contact with parents, eligible students, and school
officials for a variety of other purposes and would use these
opportunities to deliver a secret authentication factor.
As noted above, single-factor authentication of identity, such as a
standard form user name combined with a secret password or PIN, may not
provide reasonable protection for access to all types of education
records or under all circumstances. The Secretary invites public
comment on the potential costs of authenticating identity when
educational agencies and institutions allow authorized users to access
sensitive personal or financial information in electronic records for
which single-factor authentication would not be reasonable.
Redisclosure and Recordkeeping
The proposed regulations would allow the officials and agencies
listed in Sec. 99.31(a)(3)(i) (the U.S. Comptroller General; the U.S.
Attorney General; the Secretary; and State and local educational
authorities) to redisclose education records, or personally
identifiable information from education records, without consent under
the same conditions that apply currently to other recipients of
education records under Sec. 99.33(b). This proposed change would
provide substantial regulatory relief to these parties by allowing them
to redisclose information on behalf of educational agencies and
institutions under any provision in Sec. 99.31(a), which allows
disclosure of education records without consent. For example, States
would be able to consolidate K-16 education records under the SEA or
State higher educational authority without having to obtain written
consent under Sec. 99.30. Parties that currently request access to
records from individual school districts and postsecondary institutions
would in many instances be able to obtain the same information in a
more cost effective manner from the appropriate State educational
authority, or from the Department.
In accordance with existing regulations in Sec. 99.32(b), an
educational agency or institution must record any redisclosure of
education records made on its behalf under Sec. 99.33(b), including
the names of the additional parties to which the receiving party may
redisclose the information and their legitimate interests or basis for
the disclosure without consent under Sec. 99.31 in obtaining the
information. The proposed regulations would allow SEAs and other State
educational authorities (such as higher education authorities), the
Secretary, and other officials or agencies listed in Sec.
99.31(a)(3)(i) to maintain the record of redisclosure required under
Sec. 99.32(b), provided that the educational agency or institution
makes that record available to parents and eligible students as
required under Sec. 99.32(c).
SEAs and other officials listed in Sec. 99.31(a)(3)(i) would incur
new administrative costs if they elect to maintain the record of
redisclosure for the educational agency or institution on whose behalf
they redisclose education records under the proposed regulations. We
estimate that two educational authorities or agencies in each State and
the District of Columbia (one for K-12 and one for postsecondary) and
the Department itself, for a total of 103 authorities will elect to
maintain the required records of redisclosures. We estimate further
that these authorities will need to record two redisclosures per year
from their records and that it will take one hour of administrative
time to record each redisclosure electronically at an average hourly
rate of $32.67, for a total annual administrative cost of $6,730.
(Compensation for administrative staff time is explained above.) We
also assume for purposes of this analysis that State educational
authorities and the Department already have software that would allow
them to record these disclosures electronically.
State educational authorities and other officials that elect to
maintain records of redisclosures would also have to make that
information available to a parent or eligible student, on request, if
the educational agency or institution on whose behalf the information
was redisclosed does not do so. We assume that few parents and students
request this information and, therefore, use an estimate that one in
one thousand of a total of 66,596,000 students will make such a request
each year, or 66,596 requests. If it takes one-quarter of an hour to
locate and printout a record of disclosures at an average
administrative hourly rate of $32.67, the average annual administrative
cost for this service would be $543,923, plus mailing costs (at $.41
per letter) of $27,304, for a total of $571,227. Educational agencies
and institutions themselves would incur these costs if they make these
records of redisclosure available to parents and students instead.
The Department believes that the proposed change would result in a
net benefit to both educational agencies and institutions and the
officials that redisclose information under this provision because the
redisclosing parties would not have to send their records of
redisclosure to the educational agencies and institutions unless a
parent or student requests that information and the educational agency
or institution wishes to make the record available itself. Further, the
costs to State authorities and the Department to record their own
redisclosures would be outweighed by the savings that educational
agencies and institutions would realize by not having to record the
disclosures themselves.
Notification of Compliance With Court Order or Subpoena
The proposed regulations would require any party that rediscloses
[[Page 15597]]
education records in compliance with a court order or subpoena under
Sec. 99.31(a)(9) to provide the notice to parents and eligible
students required under Sec. 99.31(a)(9)(ii). We anticipate that this
provision will affect mostly State and local educational authorities,
which maintain education records they have obtained from their
constituent districts and institutions and, under the proposed
regulations discussed above, may redisclose the information, without
consent, in compliance with a court order or subpoena under Sec.
99.31(a)(9).
There is no change in costs as a result of shifting responsibility
for notification to the disclosing party under this proposed change.
However, we believe that minimizing or eliminating uncertainty about
which party is legally responsible for the notification would result in
a net benefit to all parties.
State Auditors
The proposed regulations would allow State auditors to have access
to education records without consent under Sec. Sec. 99.31(a)(3) and
99.35, which allows disclosures in connection with an audit or
evaluation of Federal or State supported education programs, or for the
enforcement of or compliance with Federal legal requirements related to
those programs. This change would involve no increased costs and
provide regulatory relief by clarifying that these disclosures are
permitted even if the State auditor is not a State educational
authority (or other official listed in Sec. 99.31(a)(3)(i)).
The proposed change is limited to disclosures for purposes of an
audit, which is defined as testing compliance with applicable laws,
regulations, and standards. We believe that this limitation does not
impose additional costs because a State auditor may conduct activities
outside the scope of an audit, such as evaluate the effectiveness of
educational programs, by establishing a contractual relationship with
the State educational authority or school district or institution in
possession of the records that qualifies the auditor as an authorized
representative or school official, respectively.
Directory Information Opt Outs
The proposed regulations clarify that while an educational agency
or institution is not required to notify former students under Sec.
99.37(a) about the institution's directory information policy or allow
former students to opt out of directory information disclosures, they
must continue to honor a parent's or student's decision to opt out of
directory information disclosures after the student leaves the
institution. Most agencies and institutions should already comply with
this requirement because of informal guidance and training provided by
FPCO. We have insufficient information to estimate the number of
institutions affected and the additional costs involved in changing
systems to maintain opt out flags on education records of former
students and seek public comment on the matter.
2. Clarity of the Regulations
Executive Order 12866 and the Presidential Memorandum on ``Plain
Language in Government Writing'' require each agency to write
regulations that are easy to understand.
The Secretary invites comments on how to make these proposed
regulations easier to understand, including answers to questions such
as the following:
Are the requirements in the proposed regulations clearly
stated?
Do the proposed regulations contain technical terms or
other wording that interferes with their clarity?
Does the format of the proposed regulations (grouping and
order of sections, use of headings, paragraphing, etc.) aid or reduce
their clarity?
Would the proposed regulations be easier to understand if
we divided them into more (but shorter) sections? (A ``section'' is
preceded by the symbol ``Sec. '' and a numbered heading; for example,
Sec. 99.30 Under what conditions is prior consent required to disclose
information?)
Could the description of the proposed regulations in the
SUPPLEMENTARY INFORMATION section of this preamble be more helpful in
making the proposed regulations easier to understand? If so, how?
What else could we do to make the proposed regulations
easier to understand?
Send any comments that concern how the Department could make these
proposed regulations easier to understand to the person listed in the
ADDRESSES section of the preamble.
Regulatory Flexibility Act Certification
The Secretary certifies that these proposed regulations would not
have a significant economic impact on a substantial number of small
entities. The small entities that would be affected by these proposed
regulations are small local educational agencies (LEAs) that receive
Federal funds from the Department and certain 4- and 2-year colleges
and for-profit postsecondary trade and technical schools with small
enrollments that receive Federal funds, such as student aid programs
under Title IV of the HEA. However, the regulations would not have a
significant economic impact on these small agencies and institutions
because the regulations would not impose excessive regulatory burdens
or require unnecessary Federal supervision. The regulations would
impose minimal requirements to ensure that LEAs and postsecondary
institutions comply with the educational privacy protection
requirements in FERPA.
Federalism
Executive Order 13132 requires us to ensure meaningful and timely
input by State and local elected officials in the development of
regulatory policies that have federalism implications. ``Federalism
implications'' means substantial direct effects on the States, on the
relationship between the National Government and the States, or on the
distribution of power and responsibilities among the various levels of
government. The proposed regulations in Sec. Sec. 99.3 through 99.67
may have federalism implications, as defined in Executive Order 13132,
in that they will have some effect on the States and the operation of
educational agencies and institutions subject to FERPA. We encourage
State and local elected officials to review and provide comments on
these proposed regulations. To facilitate review and comment by
appropriate State and local officials, the Department will, aside from
publication in the Federal Register, post the NPRM to the FPCO Web site
and to the Office of Planning, Evaluation, and Policy Development
(OPEPD) Web site and make a specific e-mail posting via a special
listserv that is sent to each State department of education
superintendent and higher education commission director.
Paperwork Reduction Act of 1995
These proposed regulations do not contain any information
collection requirements.
Intergovernmental Review
These proposed regulations are not subject to Executive Order 12372
and the regulations in 34 CFR part 79.
Assessment of Educational Impact
The Secretary particularly requests comments on whether these
proposed regulations would require transmission of information that any
other agency or authority of the United States gathers or makes
available.
[[Page 15598]]
Department Recommendations for Safeguarding Education Records
The Department recognizes that agencies and institutions face
significant challenges in safeguarding educational records. We are
providing the following information and recommendations to assist
agencies and institutions in meeting these challenges.
As noted elsewhere in this document, FERPA provides that no funds
administered by the Secretary may be made available to any educational
agency or institution that has a policy or practice of releasing,
permitting the release of, or providing access to personally
identifiable information from education records without the prior
written consent of a parent or eligible student except in accordance
with specified exceptions. In light of these requirements, the
Secretary encourages educational agencies and institutions to utilize
appropriate methods to protect education records, especially in
electronic data systems.
In recent months the following incidents have come to the
Department's attention:
Students' grades or financial information, including SSNs,
have been posted on publicly available web servers;
Laptops and other portable devices containing similar
information from education records have been lost or stolen;
Education records, or devices that maintain education
records, have not been retrieved from school officials upon termination
of their employment or service as a contractor, consultant, or
volunteer;
Computer systems at colleges and universities have become
favored targets because they hold many of the same records as banks but
are much easier to access. See ``College Door Ajar for Online
Criminals'' (May 2006), available at http://www.uh.edu/ednews/2006/
latimes/200605/20060530hackers.html and July 10, 2006, Viewpoint in
BusinessWeek/Online available at http://www.businessweek.com/
technology/content/jul2006/tc20060710_558020.htm;
Nearly 65 percent of postsecondary educational
institutions identified theft of personal information (SSNs, credit/
debit/ATM card, account or PIN numbers, etc.) as a high risk area. See
Table 7, Perceived Risks at http://www.educause.edu/ir/library/pdf/
ecar_so/ers/ers0606/Ekf0606.pdf; and
In December 2006, a large postsecondary institution
alerted some 800,000 students and others that the campus computer
system containing their names, addresses and SSNs had been compromised.
The Department's Office of Inspector General (OIG) noted in Final
Inspection Alert Memorandum dated February 3, 2006, that between
February 15, 2005, and November 19, 2005, there were 93 documented
computer breaches of electronic files involving personal information
from education records such as SSNs, credit card information, and dates
of birth. According to the reported data, 45 percent of these incidents
have occurred at colleges and universities nationwide. OIG expressed
concern that student information may be compromised due to a failure to
implement or administer proper security controls for information
systems at postsecondary institutions.
The Department recognizes that no system for maintaining and
transmitting education records, whether in paper or electronic form,
can be guaranteed safe from every hacker and thief, technological
failure, violation of administrative rules, and other causes of
unauthorized access and disclosure. Although FERPA does not dictate
requirements for safeguarding education records, the Department
encourages the holders of personally identifiable information to
consider actions that mitigate the risk and are reasonably calculated
to protect such information. Of course, an educational agency or
institution may use any method, combination of methods, or technologies
it determines to be reasonable, taking into consideration the size,
complexity, and resources available to the institution; the context of
the information; the type of information to be protected (such as
social security numbers or directory information); and methods used by
other institutions in similar circumstances. The greater the harm that
would result from unauthorized access or disclosure and the greater the
likelihood that unauthorized access or disclosure will be attempted,
the more protections an agency or institution should consider using to
ensure that its methods are reasonable.
One resource for administrators of electronic data systems is ``The
National Institute of Standards and Technology (NIST) 800-100,
Information Security Handbook: A Guide for Managers'' (October 2006). A
second resource is NIST 800-53, which catalogs information security
controls. Similarly, a May 22, 2007 memorandum to heads of federal
agencies from the Office of Management and Budget requires executive
departments and agencies to ensure that proper safeguards are in place
to protect personally identifiable information that they maintain,
eliminate the unnecessary use of SSNs, and develop and implement a
``breach notification policy.'' This memorandum, although directed
towards federal agencies, may also serve as a resource for educational
agencies and institutions. See
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.
Finally, if an educational agency or institution has experienced a
theft of files or computer equipment, hacking or other intrusion,
software or hardware malfunction, inadvertent release of data to
Internet sites, or other unauthorized release or disclosure of
education records, the Department suggests consideration of one or more
of the following steps:
Report the incident to law enforcement authorities.
Determine exactly what information was compromised, i.e.,
names, addresses, SSNs, ID numbers, credit card numbers, grades, and
the like.
Take steps immediately to retrieve data and prevent any
further disclosures.
Identify all affected records and students.
Determine how the incident occurred, including which
school officials had control of and responsibility for the information
that was compromised.
Determine whether institutional policies and procedures
were breached, including organizational requirements governing access
(user names, passwords, PINS, etc.); storage; transmission; and
destruction of information from education records.
Determine whether the incident occurred because of a lack
of monitoring and oversight.
Conduct a risk assessment and identify appropriate
physical, technological and administrative measures for preventing
similar incidents in the future.
Notify students that the Department's Office of Inspector
General maintains a Web site describing steps students may take if they
suspect they are a victim of identity theft at
http://www.ed.gov/about/offices/list/oig/misused/idtheft.html; and
http://www.ed.gov/about/offices/list/oig/misused/victim.html.
FERPA does not require an educational agency or institution to
notify students that information from their education records was
stolen or otherwise subject to an unauthorized release, although it
does require the agency or institution to maintain a record of each
disclosure. 34 CFR 99.32(a)(1). (However, student
[[Page 15599]]
notification may be required in these circumstances for postsecondary
institutions under the Federal Trade Commission's Standards for
Insuring the Security, Confidentiality, Integrity and Protection of
Customer Records and Information (``Safeguards Rule'') in 16 CFR part
314.) In any case, direct student notification may be advisable if the
compromised data includes student SSNs and other identifying
information that could lead to identity theft.
Electronic Access to This Document
You may view this document, as well as all other Department of
Education documents published in the Federal Register, in text or Adobe
Portable Document Format (PDF) on the Internet at the following site:
http://www.ed.gov/news/fedregister.
To use PDF you must have Adobe Acrobat Reader, which is available
free at this site. If you have questions about using PDF, call the U.S.
Government Printing Office (GPO), toll free, at 1-888-293-6498; or in
the Washington, DC, area at (202) 512-1530.
Note: The official version of this document is the document
published in the Federal Register. Free Internet access to the
official edition of the Federal Register and the Code of Federal
Regulations is available on GPO Access at:
http://www.gpoaccess.gov/nara/index.html.
(Catalog of Federal Domestic Assistance Number does not apply.)
List of Subjects in 34 CFR Part 99
Administrative practice and procedure, Directory information,
Education records, Information, Parents, Privacy, Records, Social
Security Numbers, Students.
Dated: March 17, 2008.
Margaret Spellings,
Secretary of Education.
For the reasons discussed in the preamble, the Secretary proposes
to amend part 99 of title 34 of the Code of Federal Regulations as
follows:
PART 99--FAMILY EDUCATIONAL RIGHTS AND PRIVACY
1. The authority citation for part 99 continues to read as follows:
Authority: 20 U.S.C. 1232g, unless otherwise noted.
2. Section 99.2 is amended by revising the note following the
authority citation to read as follows:
Sec. 99.2 What is the purpose of these regulations?
* * * * *
Note to Sec. 99.2: 34 CFR 300.610 through 300.626 contain
requirements regarding the confidentiality of information relating
to children with disabilities who receive evaluations, services or
other benefits under Part B of the Individuals with Disabilities
Education Act (IDEA). 34 CFR 303.402 and 303.460 identify the
confidentiality of information requirements regarding children and
infants and toddlers with disabilities and their families who
receive evaluations, services or other benefits under Part C of
IDEA.
3. Section 99.3 is amended by:
A. Adding, in alphabetical order, a definition for State auditor.
B. Revising the definitions of Attendance, Directory information,
Disclosure, and Personally identifiable information.
C. In the definition of Education records, revising paragraph
(b)(5) and adding a new paragraph (b)(6).
These additions and revisions read as follows:
Sec. 99.3 What definitions apply to these regulations?
* * * * *
Attendance includes, but is not limited to--
(a) Attendance in person or by paper correspondence,
videoconference, satellite, Internet, or other electronic information
and telecommunications technologies for students who are not physically
present in the classroom; and
(b) The period during which a person is working under a work-study
program.
(Authority: 20 U.S.C. 1232g)
* * * * *
Directory information means information contained in an education
record of a student that would not generally be considered harmful or
an invasion of privacy if disclosed.
(a) Directory information includes, but is not limited to, the
student's name; address; telephone listing; electronic mail address;
photograph; date and place of birth; major field of study; grade level;
enrollment status (e.g., undergraduate or graduate, full-time or part-
time); dates of attendance; participation in officially recognized
activities and sports; weight and height of members of athletic teams;
degrees, honors and awards received; and the most recent educational
agency or institution attended.
(b) Directory information does not include a student's social
security number or student identification (ID) number.
(c) Directory information includes a student's user ID or other
unique personal identifier used by the student for purposes of
accessing or communicating in electronic systems, but only if the
electronic identifier cannot be used to gain access to education
records except when used in conjunction with one or more factors that
authenticate the user's identity, such as a personal identification
number (PIN), password, or other factor known or possessed only by the
authorized user.
(Authority: 20 U.S.C. 1232g(a)(5)(A))
* * * * *
Disclosure means to permit access to or the release, transfer, or
other communication of personally identifiable information contained in
education records by any means, including oral, written, or electronic
means, to any party except the party identified as the party that
provided or created the record.
(Authority: 20 U.S.C. 1232g(b)(1) and (b)(2))
* * * * *
Education Records
* * * * *
(b) * * *
(5) Records created or received by an educational agency or
institution after an individual is no longer a student in attendance
and that are not directly related to the individual's attendance as a
student.
(6) Grades on peer-graded papers before they are collected and
recorded by a teacher.
* * * * *
Personally Identifiable Information
The term includes, but is not limited to
(a) The student's name;
(b) The name of the student's parent or other family members;
(c) The address of the student or student's family;
(d) A personal identifier, such as the student's social security
number, student number, or biometric record;
(e) Other indirect identifiers, such as date of birth, place of
birth, and mother's maiden name;
(f) Other information that, alone or in combination, is linked or
linkable to a specific student that would allow a reasonable person in
the school or its community, who does not have personal knowledge of
the relevant circumstances, to identify the student with reasonable
certainty; or
(g) Information requested by a person who the educational agency or
institution reasonably believes has direct, personal knowledge of the
identity of the student to whom the education record directly relates.
(Authority: 20 U.S.C. 1232g)
* * * * *
State auditor means a party under any branch of government with
authority
[[Page 15600]]
and responsibility under State law for conducting audits.
(Authority: 20 U.S.C. 1232g(b)(5))
* * * * *
4. Section 99.5 is amended by redesignating paragraph (a) as
paragraph (a)(1) and adding a new paragraph (a)(2) to read as follows:
Sec. 99.5 What are the rights of students?
(a)(1) * * *
(2) Nothing in this section prevents an educational agency or
institution from disclosing education records, or personally
identifiable information from education records, to a parent without
the prior written consent of an eligible student if the disclosure
meets the conditions in Sec. 99.31(a)(8), Sec. 99.31(a)(10), Sec.
99.31(a)(15), or any other provision in Sec. 99.31(a).
* * * * *
5. Section 99.31 is amended by:
A. Redesignating paragraph (a)(1) as paragraph (a)(1)(i)(A) and
adding new paragraphs (a)(1)(i)(B) and (a)(1)(ii).
B. Revising paragraph (a)(2).
C. Revising paragraph (a)(6)(ii).
D. In paragraph (a)(9)(ii)(A), removing the word `` or'' after the
punctuation ``;''.
E. In paragraph (a)(9)(ii)(B), removing the punctuation ``.'' and
adding in its place the word ``; or''.
F. Adding paragraph (a)(9)(ii)(C).
G. Adding paragraph (a)(16).
H. Revising paragraph (b).
I. Adding paragraphs (c) and (d).
J. Revising the authority citation at the end of the section.
The additions and revisions read as follows:
Sec. 99.31 Under what conditions is prior consent not required to
disclose information?
(a) * * *
(1)(i)(A) * * *
(B) A contractor, consultant, volunteer, or other party to whom an
agency or institution has outsourced institutional services or
functions may be considered a school official under this paragraph
provided that the outside party--
(1) Performs an institutional service or function for which the
agency or institution would otherwise use employees;
(2) Is under the direct control of the agency or institution; and
(3) Is subject to the requirements of Sec. 99.33(a) governing the
use and redisclosure of personally identifiable information from
education records.
(ii) An educational agency or institution must use reasonable
methods to ensure that school officials obtain access to only those
education records in which they have legitimate educational interests.
An educational agency or institution that does not use physical or
technological access controls must ensure that its administrative
policy for controlling access to education records is effective and
that it remains in compliance with the legitimate educational interest
requirement in paragraph 99.31(a)(1)(i)(A).
(2) The disclosure is, subject to the requirements of Sec. 99.34,
to officials of another school, school system, or institution of
postsecondary education where the student seeks or intends to enroll,
or where the student is already enrolled so long as the disclosure is
for purposes related to the student's enrollment or transfer.
Note: Section 4155(b) of the No Child Left Behind Act of 2001,
20 U.S.C. 7165(b), requires each State to assure the Secretary of
Education that it has a procedure in place to facilitate the
transfer of disciplinary records of a student who was suspended or
expelled by a local educational agency to any private or public
elementary or secondary school in which the student is subsequently
enrolled or seeks, intends, or is instructed to enroll.
(6) * * *
(ii) An educational agency or institution may disclose personally
identifiable information under paragraph (a)(6)(i) of this section only
if it enters into a written agreement with the organization specifying
the purposes of the study. An educational agency or institution is not
required to agree with or endorse the conclusions or results of the
study. The written agreement required under this paragraph must ensure
that--
(A) Information from education records is used only to meet the
purpose or purposes of the study stated in the written agreement;
(B) The organization conducts the study in a manner that does not
permit personal identification of parents and students, as defined in
this part, by individuals other than representatives of the
organization that conducts the study; and
(C) The information is destroyed or returned to the educational
agency or institution when it is no longer needed for the purposes for
which the study was conducted.
* * * * *
(9) * * *
(ii) * * *
(C) An ex parte court order obtained by the United States Attorney
General (or designee not lower than an Assistant Attorney General)
concerning investigations or prosecutions of an offense listed in 18
U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism
as defined in 18 U.S.C. 2331.
* * * * *
(16) The disclosure concerns an individual required to register
under section 170101 of the Violent Crime Control and Law Enforcement
Act of 1994, 42 U.S.C. 14071, and the information was obtained and
disclosed by the educational agency or institution in compliance with a
State community notification program under 42 U.S.C. 14071(e) or (j)
and applicable Federal guidelines. Nothing in the Act or these
regulations requires or encourages an educational agency or institution
to collect or maintain information about registered sex offenders.
(b)(1) De-identified records and information. An educational agency
or institution, or a party that has received education records or
information from education records under this part, may release the
records or information without the consent required by Sec. 99.30
after the removal of all personally identifiable information provided
that the educational agency or institution or other party has made a
reasonable determination that a student's identity is not personally
identifiable because of unique patterns of information about that
student, whether through single or multiple releases, and taking into
account other reasonably available information.
(2) An educational agency or institution, or a party that has
received education records or information from education records under
this part, may release de-identified student level data from education
records for the purpose of education research by attaching a code to
each record that may allow the recipient to match information received
from the same source, provided that--
(i) An educational agency or institution or other party that
releases de-identified data under paragraph (b) of this section does
not disclose any information about how it generates and assigns a
record code, or that would allow a recipient to identify a student
based on a record code;
(ii) The record code is used for no purpose other than identifying
a de-identified record for purposes of education research and cannot be
used to ascertain personally identifiable information about a student;
and
(iii) The record code is not based on a student's social security
number or other personal information.
(c) An educational agency or institution must use reasonable
methods to identify and authenticate the identity of parents, students,
school officials, and any other parties to whom the
[[Page 15601]]
agency or institution discloses personally identifiable information
from education records.
(d) Paragraphs (a) and (b) of this section do not require an
educational agency or institution or any other party to disclose
education records or information from education records to any party.
(Authority: 20 U.S.C. 1232g(a)(5)(A), (b), (h), (i), and (j))
6. Section 99.32 is amended by revising paragraph (d)(5) to read as
follows:
Sec. 99.32 What recordkeeping requirements exist concerning requests
and disclosures?
* * * * *
(d) * * *
(5) A party seeking or receiving records in accordance with Sec.
99.31(a)(9)(ii)(A) through (C).
* * * * *
7. Section 99.33 is amended by revising paragraphs (b), (c), (d),
and (e) to read as follows:
Sec. 99.33 What limitations apply to the redisclosure of information?
* * * * *
(b)(1) Paragraph (a) of this section does not prevent an
educational agency or institution from disclosing personally
identifiable information with the understanding that the party
receiving the information may make further disclosures of the
information on behalf of the educational agency or institution if:
(i) The disclosures meet the requirements of Sec. 99.31; and
(ii) The educational agency or institution has complied with the
requirements of Sec. 99.32(b).
(2) A party that rediscloses personally identifiable information
from education records on behalf of an educational agency or
institution in response to a court order or lawfully issued subpoena
under Sec. 99.31(a)(9) must provide the notification required under
Sec. 99.31(a)(9)(ii).
(c) Paragraph (a) of this section does not apply to disclosures
under Sec. 99.31(a)(8), (9), (11), (12), (14), (15), (16), and to
information that postsecondary institutions are required to disclose
under the Clery Act to the accuser and accused regarding the outcome of
any campus disciplinary proceeding brought alleging a sexual offense.
(d) An educational agency or institution must inform a party to
whom disclosure is made of the requirements of paragraph (a) of this
section except for disclosures made under Sec. 99.31(a)(8), (9), (11),
(12), (14), (15), and (16), and to information that postsecondary
institutions are required to disclose under the Clery Act to the
accuser and accused regarding the outcome of any campus disciplinary
proceeding brought alleging a sexual offense.
(e) If this Office determines that a third party outside the
educational agency or institution improperly rediscloses personally
identifiable information from education records in violation of this
section, the educational agency or institution may not allow that third
party access to personally identifiable information from education
records for at least five years.
* * * * *
8. Section 99.34 is amended by revising paragraph (a)(1)(ii) to
read as follows:
Sec. 99.34 What conditions apply to disclosure of information to
other educational agencies and institutions?
(a) * * *
(1) * * *
(ii) The annual notification of the agency or institution under
Sec. 99.7 includes a notice that the agency or institution forwards
education records to other agencies or institutions that have requested
the records and in which the student seeks or intends to enroll;
* * * * *
9. Section 99.35 is amended by revising paragraphs (a) and (b)(1)
to read as follows:
Sec. 99.35 What conditions apply to disclosure of information for
Federal or State program purposes?
(a)(1) Authorized representatives of the officials or agencies
headed by officials listed in Sec. 99.31(a)(3)(i) may have access to
education records in connection with an audit or evaluation of Federal
or State supported education programs, or for the enforcement of or
compliance with Federal legal requirements that relate to those
programs.
(2) Authority for an agency or official listed in Sec.
99.31(a)(3)(i) to conduct an audit, evaluation, or compliance or
enforcement activity is not conferred by the Act or this part and must
be established under other Federal, State, or local law, including
valid administrative regulations.
(3) State auditors that are not authorized representatives of State
and local educational authorities may have access to education records
in connection with an audit of Federal or State supported education
programs. For purposes of this provision, an audit is limited to
testing compliance with applicable laws, regulations, and standards.
(b) * * *
(1) Be protected in a manner that does not permit personal
identification of individuals by anyone other than the officials or
agencies headed by officials referred to in paragraph (a) of this
section, except that those officials or agencies may make further
disclosures of personally identifiable information from education
records on behalf of the educational agency or institution in
accordance with the requirements of Sec. 99.33(b); and
* * * * *
10. Section 99.36 is amended by revising paragraphs (a) and (c) to
read as follows:
Sec. 99.36 What conditions apply to disclosure of information in
health and safety emergencies?
(a) An educational agency or institution may disclose personally
identifiable information from an education record to appropriate
parties, including parents of an eligible student, in connection with
an emergency if knowledge of the information is necessary to protect
the health or safety of the student or other individuals.
* * * * *
(c) In making a determination under paragraph (a) of this section,
an educational agency or institution may take into account the totality
of the circumstances pertaining to a threat to the safety or health of
a student or other individuals. If the educational agency or
institution determines that there is articulable and significant threat
to the health or safety of a student or other individuals, it may
disclose information from education records to any person whose
knowledge of the information is necessary to protect the health and
safety of the student or other individuals. If, based on the
information available at the time of the determination, there is a
rational basis for the determination, the Department will not
substitute its judgment for that of the educational agency or
institution in evaluating the circumstances and making its
determination.
* * * * *
11. Section 99.37 is amended by:
A. Revising paragraph (b).
B. Adding new paragraphs (c) and (d).
The revision and additions read as follows:
Sec. 99.37 What conditions apply to disclosing directory information?
* * * * *
(b) An educational agency or institution may disclose directory
information about former students without complying with the notice and
opt out conditions in paragraph (a) of this section. However, the
agency or
[[Page 15602]]
institution must continue to honor any valid request to opt out of the
disclosure of directory information made while a student was in
attendance unless the student rescinds the opt out request.
(c) A parent or eligible student may not use the right under
paragraph (a)(2) of this section to opt out of directory information
disclosures to prevent an educational agency or institution from
disclosing or requiring a student to disclose the student's name,
electronic identifier, or institutional e-mail address in a class in
which the student is enrolled.
(d) An educational agency or institution may not disclose or
confirm directory information without meeting the written consent
requirements in Sec. 99.30 if a student's social security number or
other non-directory information is used alone or combined with other
data elements to identify or help identify the student or the student's
records.
* * * * *
12. Section 99.62 is revised to read as follows:
Sec. 99.62 What information must an educational agency or institution
submit to the Office?
The Office may require an educational agency or institution to
submit reports, information on policies and procedures, annual
notifications, training materials, and other information necessary to
carry out its enforcement responsibilities under the Act or this part.
(Authority: 20 U.S.C. 1232g(f) and (g))
13. Section 99.64 is amended by:
A. Revising the section heading.
B. Revising paragraphs (a) and (b).
The revisions read as follows:
Sec. 99.64 What is the investigation procedure?
(a) A complaint must contain specific allegations of fact giving
reasonable cause to believe that a violation of the Act or this part
has occurred. A complaint does not have to allege that a violation is
based on a policy or practice of the educational agency or institution.
(b) The Office investigates a timely complaint filed by a parent or
eligible student, or conducts its own investigation when no complaint
has been filed or a complaint has been withdrawn, to determine whether
an educational agency or institution has failed to comply with a
provision of the Act or this part. If the Office determines that an
educational agency or institution has failed to comply with a provision
of the Act or this part, it may also determine whether the failure to
comply is based on a policy or practice of the agency or institution.
* * * * *
14. Section 99.65 is revised to read as follows:
Sec. 99.65 What is the content of the notice of investigation issued
by the Office?
(a) The Office notifies the complainant, if any, and the
educational agency or institution in writing if it initiates an
investigation under Sec. 99.64(b). The notice to the educational
agency or institution--
(1) Includes the substance of the allegations against the
educational agency or institution; and
(2) Directs the agency or institution to submit a written response
and other relevant information, as set forth in Sec. 99.62, within a
specified period of time, including information about its policies and
practices regarding education records.
(b) The Office notifies the complainant if it does not initiate an
investigation because the complaint fails to meet the requirements of
Sec. 99.64.
(Authority: 20 U.S.C. 1232g(g))
15. Section 99.66 is amended by revising paragraphs (a), (b), and
the introductory text of paragraph (c) to read as follows:
Sec. 99.66 What are the responsibilities of the Office in the
enforcement process?
(a) The Office reviews a complaint, if any, information submitted
by the educational agency or institution, and any other relevant
information. The Office may permit the parties to submit further
written or oral arguments or information.
(b) Following its investigation, the Office provides to the
complainant, if any, and the educational agency or institution a
written notice of its findings and the basis for its findings.
(c) If the Office finds that an educational agency or institution
has not complied with a provision of the Act or this part, it may also
find that the failure to comply was based on a policy or practice of
the agency or institution. A notice of findings issued under paragraph
(b) of this section to an educational agency or institution that has
not complied with a provision of the Act or this part--
* * * * *
16. Section 99.67 is amended by:
A. Revising the introductory text of paragraph (a).
B. In paragraph (a)(1), removing the punctuation ``;'' and adding,
in its place, the punctuation ``.''.
C. In paragraph (a)(2) removing the word ``; or'' and adding, in
its place, the punctuation ``.''.
The revision reads as follows:
Sec. 99.67 How does the Secretary enforce decisions?
(a) If the Office determines that an educational agency or
institution has a policy or practice in violation of the Act or this
part, the Secretary may take any legally available enforcement action,
including the following enforcement actions available in accordance
with part E of the General Education Provisions Act:
* * * * *
[FR Doc. E8-5790 Filed 3-21-08; 8:45 am]
BILLING CODE 4000-01-P