Skip to Content
Proposed Rule

Family Educational Rights and Privacy

Action

Notice Of Proposed Rulemaking.

Summary

The Secretary proposes to amend the regulations governing education records maintained by educational agencies and institutions under section 444 of the General Education Provisions Act, which is also known as the Family Educational Rights and Privacy Act of 1974, as amended (FERPA). These proposed regulations are needed to implement amendments to FERPA contained in the USA Patriot Act and the Campus Sex Crimes Prevention Act, to implement two U.S. Supreme Court decisions interpreting FERPA, and to make necessary changes identified as a result of the Department's experience administering FERPA and current regulations. These changes would clarify permissible disclosures to parents of eligible students and conditions that apply to disclosures in health and safety emergencies; clarify permissible disclosures of student identifiers as directory information; allow disclosures to contractors and other outside parties in connection with the outsourcing of institutional services and functions; revise the definitions of attendance, disclosure, education records, personally identifiable information, and other key terms; clarify permissible redisclosures by State and Federal officials; and update investigation and enforcement provisions.

Unified Agenda

Family Educational Rights and Privacy

1 action from February 2008

  • February 2008
    • NPRM
 

Table of Contents Back to Top

DATES: Back to Top

We must receive your comments on or before May 8, 2008.

ADDRESSES: Back to Top

Submit your comments through the Federal eRulemaking Portal or via postal mail, commercial delivery, or hand delivery. We will not accept comments by fax or by e-mail. Please submit your comments only one time, in order to ensure that we do not receive duplicate copies. In addition, please include the Docket ID at the top of your comments.

Federal eRulemaking Portal: Go to http://www.regulations.gov. Under “Search Documents” go to “Optional Step 2” and select “Department of Education” from the agency drop-down menu; then click “Submit.” In the Docket ID column, select ED-2008-OPEPD-0002 to add or view public comments and to view supporting and related materials available electronically. Information on using Regulations.gov, including instructions for submitting comments, accessing documents, and viewing the docket after the close of the comment period, is available through the site's “User Tips” link.

Postal Mail, Commercial Delivery, or Hand Delivery. If you mail or deliver your comments about these proposed regulations, address them to LeRoy S. Rooker, U.S. Department of Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 20202-5920.

Privacy Note:

The Department's policy for comments received from members of the public (including those comments submitted by mail, commercial delivery, or hand delivery) is to make these submissions available for public viewing in their entirety on the Federal eRulemaking Portal at http://www.regulations.gov. Therefore, commenters should be careful to include in their comments only information that they wish to make publicly available on the Internet.

FOR FURTHER INFORMATION CONTACT: Back to Top

Frances Moran, U.S. Department of Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 20202-8250. Telephone: (202) 260-3887.

If you use a telecommunications device for the deaf (TDD), you may call the Federal Relay Service (FRS) at 1-800-877-8339.

Individuals with disabilities may obtain this document in an alternative format (e.g., Braille, large print, audiotape, or computer diskette) on request to the contact person listed under FOR FURTHER INFORMATION CONTACT.

Invitation To Comment Back to Top

We invite you to submit comments and recommendations regarding these proposed regulations. To ensure that your comments have maximum effect in developing the final regulations, we urge you to identify clearly the specific section or sections of the proposed regulations that each of your comments addresses and to arrange your comments in the same order as the proposed regulations.

We invite you to assist us in complying with the specific requirements of Executive Order 12866 and its overall requirement of reducing regulatory burden that might result from these proposed regulations. Please let us know of any further opportunities we should take to reduce potential costs or increase potential benefits while preserving the effective and efficient administration of the program.

During and after the comment period, you may inspect all public comments about these proposed regulations in room 6W243, 400 Maryland Avenue, SW., Washington, DC, between the hours of 8:30 a.m. and 4 p.m. Eastern time, Monday through Friday of each week except Federal holidays. Public comments may also be inspected at www.regulations.gov.

Assistance to Individuals With Disabilities in Reviewing the Rulemaking Record Back to Top

On request, we will supply an appropriate aid to an individual with a disability who needs assistance to review the comments or other documents in the public rulemaking record for these proposed regulations. If you want to schedule an appointment for this type of aid, please contact the person listed under FOR FURTHER INFORMATION CONTACT.

Background Back to Top

These proposed regulations would implement section 507 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) of 2001 (Pub. L. 107-56), enacted Oct. 26, 2001, and the Campus Sex Crimes Prevention Act, section 1601(d) of the Victims of Trafficking and Violence Protection Act of 2000 (Pub. L. 106-386), enacted Oct. 28, 2000, both of which amended FERPA. The proposed regulations also would implement the U.S. Supreme Court's decisions in Owasso Independent School Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso) and Gonzaga University v. Doe, 536 U.S. 273 (2002) (Gonzaga). Finally, the proposed regulations respond to changes in information technology and address other issues identified through the Department's experience administering FERPA, including the need to clarify how postsecondary institutions may share information with parents and other parties in light of the tragic events at Virginia Tech in April 2007. The Department has developed these proposed regulations in accordance with its “Principles for Regulating,” which are intended to ensure that the Department regulates in the most flexible, equitable, and least burdensome way possible. These proposed regulations seek to provide the greatest flexibility to State and local governments and schools while ensuring that personally identifiable information about students remains protected from unauthorized disclosure.

Technical Corrections Back to Top

The proposed regulations correct § 99.33(e) by adding the statutory language “outside the educational agency or institution” after the words “third party” in the first sentence. They also correct an error in the section number cited in § 99.34(a)(1)(ii).

Significant Proposed Regulations Back to Top

We discuss substantive issues under the sections of the proposed regulations to which they pertain. Generally, we do not address proposed regulatory provisions that are technical or otherwise minor in effect.

1. Definitions (§ 99.3)

Attendance

Statute: 20 U.S.C. 1232g(a)(6) defines the term student as any person with respect to whom an educational agency or institution maintains education records or personally identifiable information but does not include a person who has not been in attendance at such agency or institution. The statute does not define attendance.

Current Regulations: As defined in the current regulations, the term attendance includes attendance in person or by correspondence, and the period during which a person is working under a work-study program. The current definition does not address the status of distance learners who are taught through the use of electronic information and telecommunications technologies.

Proposed Regulations: The proposed regulations in § 99.3 would add attendance by videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom.

Reasons: The proposed regulations are needed to clarify that students who are not physically present in the classroom may attend an educational agency or institution not only through traditional correspondence courses but through advanced electronic information and telecommunications technologies used for distance education, such as videoconferencing, satellite, and Internet-based communications.

Directory Information

Statute: 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2) allows disclosure without consent of information such as a student's name and address, telephone listing, date and place of birth, major field of study, etc., defined as directory information, provided that specified notice and opt out conditions have been met.

Current Regulations: Directory information is defined in § 99.3 as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed, and includes information listed in FERPA (e.g., a student's name and address, telephone listing) as well as other information, such as a student's electronic mail (e-mail) address, enrollment status, and photograph. Current regulations do not specify whether a student's Social Security Number (SSN), official student identification (ID) number, or personal identifier for use in electronic systems may be designated and disclosed as directory information.

Proposed Regulations: The proposed regulations would provide that an educational agency or institution may not designate as directory information a student's SSN or other student ID number. However, directory information may include a student's user ID or other unique identifier used by the student to access or communicate in electronic systems, but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student.

Reasons: SSNs and other student ID numbers are personal identifiers that are typically used for identification purposes in order to establish an account, gain access to or confirm private information, obtain services, etc. The proposed regulations are needed to ensure that educational agencies and institutions do not disclose these identifiers as directory information, or include them with other personally identifiable information that may be disclosed as directory information, because SSNs and other student ID numbers can be used to impersonate the owner of the number and obtain information or services by fraud. The proposed regulations are also needed to clarify that unique personal identifiers used for electronic communications may be disclosed as directory information under certain conditions.

Names and addresses are personal identifiers (and personally identifiable information under § 99.3) that have always been available for disclosure as directory information under FERPA because they are generally known to others and often appear in public directories outside the school context. (It is precisely because names and addresses are widely available that they may not be used to authenticate identity, as discussed below in connection with proposed § 99.31(c).) SSNs and other student ID numbers are also personal identifiers and personally identifiable information under§ 99.3. Unlike names and addresses, SSNs and other student ID numbers are typically used to obtain a variety of non-public information about an individual, such as employment, credit, financial, health, motor vehicle, and educational information, that would be harmful or an invasion of privacy if disclosed. An SSN or other student ID number can also be used in conjunction with commonly available information, such as name, address, and date of birth, to establish fraudulent accounts and otherwise impersonate an individual. As a result, under the proposed regulations, SSNs and other student ID numbers may not be designated and disclosed as directory information.

Educational agencies and institutions have reported to us that in addition to needing a traditional student ID number (or SSN used as a student ID number), they need to identify or assign to students a unique electronic identifier that can be made available publicly. (Names are generally not appropriate for these purposes because they may not be unique to the population.) Unique electronic identifiers are needed, for example, for students to be able to use portals or single sign-on approaches to student information systems that provide access to class registration, academic records, library resources, and other student services. Much of the directory-based software used for these systems, as well as protocols for electronic collaboration by students and teachers within and among institutions, essentially cannot function without making an individual's user ID or other electronic identifier publicly available in these kinds of systems.

Some systems, for example, require users to log on with their e-mail address or other published user name or account ID. (Note that a student's e-mail address was added to the regulatory definition of directory information in the final regulations published on July 6, 2000 (65 FR 41852, 41855). Public key infrastructure (PKI) technology for encryption and digital signatures also requires wide dissemination of the sender's public key. These are the types of circumstances in which educational agencies and institutions may need to publish or disclose a student's unique electronic identifier.

The proposed regulations would permit disclosure of a student's user ID or other electronic identifier as directory information, but only if the identifier functions essentially as a name; that is, the identifier is not used by itself to authenticate identity and cannot be used by itself to gain access to education records. A unique electronic identifier disclosed as directory information may be used to provide access to the student's education records, but only when combined with other factors known only to the authorized user (student, parent, or school official), such as a secret password or PIN, or some other method to authenticate the user's identity and ensure that the user is, in fact, a person authorized to access the records.

Note that eligible students and parents have a right under FERPA to opt out of directory information disclosures and refuse to allow the student's e-mail address, user ID or other electronic identifier disclosed as directory information (except as provided in proposed § 99.37(c), discussed elsewhere in this document). This is similar to a decision not to participate in an institution's paper-based student directory, yearbook, commencement program, etc. In these cases, the student or parent will not be able to take advantage of the services, such as portals for class registration, academic records, etc., provided solely through the electronic communications or software that require public disclosure of the student's unique electronic identifier.

Disclosure

Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provides that an educational agency or institution subject to FERPA may not have a policy or practice of releasing, permitting the release of, or providing access to personally identifiable information from education records without prior written consent.

Current Regulations: The regulations in § 99.3 define the term disclosure to mean permitting access to or the release, transfer, or other communication of personally identifiable information from education records to any party by any means. The regulations do not address issues relating to the return of records to the party that provided or created them.

Proposed Regulations: The proposed regulations would exclude from the definition of disclosure the release or return of an education record, or personally identifiable information from an education record, to the party identified as the party that provided or created the record. This would allow an educational agency or institution (School B) to send a transcript, letter of recommendation, or other record that appears to have been falsified back to the institution or school official identified as the creator or sender of the record (School A) for confirmation of its status as an authentic record. School A may confirm or deny that the record is accurate and send the correct version back to School B under § 99.31(a)(2), which allows an institution to disclose education records without prior written consent to an institution in which the student seeks or intends to enroll, or is already enrolled.

The proposed regulations would also permit a State or local educational authority or other entity to redisclose education records or personally identifiable information from education records, without consent, to the school district, institution, or other party that provided the records or information.

Reasons: School officials have reported to the Department that they are receiving with more frequency what appear to be falsified transcripts, letters of recommendation, and other information about students from educational agencies and institutions. The proposed amendment is needed to verify the accuracy of this type of information and to ensure that the privacy protections in FERPA are not used to shield or prevent detection of fraud.

Several State educational agencies (SEAs) that maintain consolidated student records systems have also expressed uncertainty whether they may allow a local school district to obtain access to personally identifiable information from education records provided to the SEA by that district. The amendment is needed to clarify that SEAs and other parties that maintain education records provided by school districts and other educational agencies and institutions may allow a party to obtain access to the specific records and information that the party provided to the consolidated student records system.

Education Records

Statute: 20 U.S.C. 1232g(a)(4) provides a broad, general definition of education records that includes all records that are directly related to a student and maintained by an educational agency or institution. Student, in turn, is defined in 20 U.S.C. 1232g(a)(6) to exclude individuals who have not been in attendance at the agency or institution.

Current Regulations: The definition of education records in § 99.3 excludes records that only contain information about an individual after he or she is no longer a student.

Proposed Regulations: The proposed regulations would clarify that, with respect to former students, the term education records excludes records that are created or received by the educational agency or institution after an individual is no longer a student in attendance and are not directly related to the individual's attendance as a student.

Reasons: Institutions have told us that there is some confusion about the provision in the definition of education records that excludes certain alumni records from the definition. Some schools have mistakenly interpreted this provision to mean that any record created or received after a student is no longer enrolled is not an education record under FERPA. The proposed regulations are needed to clarify that the exclusion is intended to cover records that concern an individual or events that occur after the individual is no longer a student in attendance, such as alumni activities. The exclusion is not intended to cover records that are created and matters that occur after an individual is no longer in attendance but that are directly related to his or her previous attendance as a student, such as a settlement agreement that concerns matters that arose while the individual was in attendance as a student.

Statute: The statute does not address peer-grading practices in relation to FERPA requirements.

Current Regulations: The definition of education records includes records that are maintained by an educational agency or institution, or a party acting for the educational agency or institution, but does not provide any guidance on the status of student-graded tests and assignments before they have been collected and recorded by a teacher.

Proposed Regulations: Proposed regulations in § 99.3 would clarify that peer-graded papers that have not been collected and recorded by a teacher are not considered maintained by an educational agency or institution and, therefore, are not education records under FERPA.

Reasons: The proposed regulations are needed to implement the U.S. Supreme Court's decision on peer-graded papers in Owasso. “Peer-grading” refers to a common educational practice in which students exchange and grade one another's papers and then either call out the grade or turn in the work to the teacher for recordation. In Owasso, the Court held that this practice does not violate FERPA because “the grades on students' papers would not be covered under FERPA at least until the teacher has collected them and recorded them in his or her grade book.”Owasso, 534 U.S. at 436.

Personally Identifiable Information

Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an educational agency or institution may not have a policy or practice of permitting the release of or providing access to education records or any personally identifiable information other than directory information in education records without prior written consent except in accordance with statutory exceptions.

Current Regulations: The term personally identifiable information is defined in § 99.3 to include the student's name and other personal identifiers, such as the student's social security number or student number. Current regulations also include indirect identifiers, such as the name of the student's parent or other family members; the address of the student or the student's family; and personal characteristics or other information that would make the student's identity easily traceable.

Proposed Regulations: The proposed regulations would add biometric record to the list of personal identifiers and add other indirect identifiers, such as date and place of birth and mother's maiden name, to the list of personally identifiable information. The regulations would remove language about personal characteristics and other information that would make the student's identity easily traceable and provide instead that personally identifiable information includes other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. Personally identifiable information would also include information requested by a person who the educational agency or institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates.

Reasons: See the discussion of proposed regulations adding a new § 99.31(b) for de-identified education records elsewhere in this document.

State Auditor

Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) allows an educational agency or institution to disclose personally identifiable information from education records, without prior written consent, to State and local educational authorities and officials for the audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs.

Current Regulations: The current regulations do not address the disclosure of education records to State auditors.

Proposed Regulations: The proposed regulations in § 99.3 would define State auditor as a party under any branch of government with authority and responsibility under State law for conducting audits. We propose to add a new paragraph (a)(2) to § 99.35 to clarify that State auditors that are not State or local educational authorities may have access to education records in connection with an audit of Federal or State supported education programs.

Reasons: 20 U.S.C. 1232g(b)(3) (section (b)(3) of the statute) allows disclosure of education records without consent to “State educational authorities” for audit and evaluation purposes. According to the legislative history of FERPA, section (b)(5) of the statute, which allows disclosure of education records without consent to “State and local educational officials” for audit and evaluation purposes, was added in 1979 to “correct an anomaly” in which the existing exception in section (b)(3) was interpreted to preclude State auditors from obtaining records in order to conduct State audits of local and State-supported programs.

See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 (1979), reprinted in 1979 U.S. Code Cong. Admin. News 819, 824. The amended statutory language in section (b)(5) is ambiguous, however, because it does not actually mention State auditors and, like section (b)(3), refers only to educational officials. Over the years several States have questioned whether this exception includes audits conducted by legislative branch officials and other parties that may not be considered educational authorities or officials.

The regulations are needed to clarify that State auditors may receive personally identifiable information from education records, without prior written consent, even if they are not considered State or local educational authorities or officials, provided that they are auditing a Federal or State supported education program. We are interested in receiving comments about whether the definition needs to cover local auditors as well. The exception for disclosure of education records to State auditors is narrowly limited to audits (defined in proposed § 99.35 as testing compliance with applicable laws, regulations, and standards) and does not include the broader concept of evaluations, for which disclosure of education records remains limited to educational authorities or officials.

2. Disclosures to Parents of Eligible Students (§§ 99.5, 99.36)

Section 99.5(a) (Rights of Students)

Statute: 20 U.S.C. 1232g(d) provides that once a student reaches 18 years of age or attends a postsecondary institution, all rights accorded to parents under FERPA, and the consent required to disclose education records, transfer from the parents to the student. Under 20 U.S.C. 1232g(b)(1)(H), an educational agency or institution may disclose personally identifiable information from an education record without meeting FERPA's written consent requirement to parents of a dependent student as defined in 26 U.S.C. 152. Under 20 U.S.C. 1232g(i), an institution of higher education may disclose personally identifiable information from an education record, without meeting FERPA's written consent requirement, to a parent or legal guardian of a student information regarding the student's violation of any Federal, State or local law, or any rule or policy of the institution governing the use or possession of alcohol or a controlled substance if the student is under the age of 21 and the institution determines that the student has committed a disciplinary violation with respect to such use or possession. Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or institution may disclose personally identifiable information from an education record, without meeting FERPA's written consent requirement, to appropriate persons in connection with an emergency if the knowledge of such information is necessary to protect the health or safety of the student or other persons.

Current Regulations: Section 99.3 defines an eligible student as a student who has reached 18 years of age or attends a postsecondary institution. Section 99.5(a) states that rights accorded to parents, and consent required of parents, to disclose education records under FERPA transfer from parents to a student when the student meets the definition of an eligible student.

Section 99.31(a)(8) provides that an educational agency or institution may disclose personally identifiable information from education records without consent to parents of a dependent student as defined in section 152 of the Internal Revenue Code of 1986. Under § 99.31(a)(15) written consent is not required, regardless of dependency status, to disclose to a parent of a student at an institution of postsecondary education information regarding the student's violation of any Federal, State or local law, or of any rule or policy of the institution, governing the use or possession of alcohol or a controlled substance if the institution determines that the student has committed a disciplinary violation with respect to that use or possession and the student is under the age of 21 at the time of the disclosure to the parent.

Section 99.31(a)(10) provides that an educational agency or institution may disclose personally identifiable information from education records without consent if the disclosure is in connection with a health or safety emergency under the conditions described in § 99.36. Section 99.36 provides that an educational agency or institution may disclose personally identifiable information from an education record to appropriate parties in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.

Proposed Regulations: The proposed regulations in § 99.5 clarify that even after a student has become an eligible student, an educational agency or institution may disclose education records to the student's parents, without the consent of the eligible student, if the student is a dependent for Federal income tax purposes (§ 99.31(a)(8)); in connection with a health or safety emergency (§ 99.31(a)(10)); if the student is under the age of 21 and has violated an institutional rule or policy governing the use or possession of alcohol or a controlled substance (§ 99.31(a)(15)); and if the disclosure falls within any other exception to the consent requirement in § 99.31(a) of the regulations, such as the disclosure of directory information or in compliance with a court order or lawfully issued subpoena. The proposed regulations in § 99.36(a) would clarify that an eligible student's parents are appropriate parties to whom an educational agency or institution may disclose personally identifiable information from education records without consent in a health or safety emergency.

Reasons: The Secretary is concerned that some institutions are under the mistaken impression that FERPA prevents them from providing parents with any information about a college student. The proposed regulations are needed to clarify that FERPA contains exceptions to the written consent requirement that permit colleges and other educational agencies and institutions to disclose personally identifiable information from education records to parents of certain eligible students whether or not the student consents.

Section 99.31(a)(8) permits an educational agency or institution to disclose education records, without consent, to either parent if at least one of the parents has claimed the student as a dependent on the parent's most recent tax return. Because many college students (and 18-year-old high school students) are tax dependents of their parents, this provision allows these institutions to disclose information from education records to the students' parents without meeting the written consent requirements in § 99.30. (Institutions must first determine that a parent has claimed the student as a dependent on the parent's Federal income tax return. Institutions can determine that a parent claimed a student as a dependent by asking the parent to submit a copy of the parent's most recent Federal tax return. Institutions can also rely on a student's assertion that he or she is not a dependent unless the parent provides contrary evidence.)

The proposed regulations are also needed to clarify that colleges and other institutions may disclose information from education records to an eligible student's parents, without consent, under § 99.31(a)(15) if the institution has determined that the student has violated Federal, State, or local law or an institution's rules or policies governing alcohol or substance abuse (provided the student is under 21 years of age), and in connection with a health or safety emergency under §§ 99.31(a)(10) and 99.36 (regardless of the student's age) if the information is needed to protect the health or safety of the student or other individuals. These exceptions apply whether or not the student is a dependent of a parent for tax purposes. These proposed regulations would clarify the Department's policy with respect to an agency's or institution's disclosure of information from education records to parents under the health and safety emergency exception and do not represent a change in the Department's interpretation of who may qualify as an appropriate party under the health or safety emergency exception to the consent requirement. While institutions may choose to follow a policy of not disclosing education records to parents of eligible students in these circumstances, FERPA does not mandate such a policy.

3. Authorized Disclosure of Education Records Without Prior Written Consent (§ 99.31)

Section 99.31(a)(1) (School Officials) Outsourcing

Statute: 20 U.S.C. 1232g(a)(4)(A) defines education records to include records maintained by an educational agency or institution or by “a person acting for” the agency or institution. Under 20 U.S.C. 1232g(b)(1)(A), an educational agency or institution may allow teachers and other school officials within the institution or agency, without prior written consent, to obtain access to education records if the institution or agency has determined that they have legitimate educational interests in the information.

Current Regulations: Section 99.31(a)(1) allows disclosure of personally identifiable information from education records without consent to school officials, including teachers, within the agency or institution if the educational agency or institution has determined that they have legitimate educational interests in the information. An educational agency or institution that discloses information under this exception must specify in its annual notification of FERPA rights under § 99.7(a)(3)(iii) the criteria it uses to determine who constitutes a school official and what constitutes legitimate educational interests. The recordkeeping requirements in § 99.32(d) do not apply to disclosures to school officials with legitimate educational interests. Current regulations do not address disclosure of education records without consent to contractors, consultants, volunteers, and other outside parties providing institutional services and functions or otherwise acting for an agency or institution.

Proposed Regulations: The proposed regulations in § 99.31(a)(1)(i)(B) would expand the school official exception to include contractors, consultants, volunteers, and other outside parties to whom an educational agency or institution has outsourced institutional services or functions that it would otherwise use employees to perform. The outside party who obtains access to education records without consent must be under the direct control of the agency or institution and subject to the same conditions governing the use and redisclosure of education records that apply to other school officials under § 99.33(a) of the regulations. These proposed regulations supersede previous technical assistance guidance issued by the Family Policy Compliance Office (Office) regarding disclosure of education records without consent to parties acting for an educational agency or institution.

Educational agencies and institutions that outsource institutional services and functions must comply with the annual FERPA notification requirements under the current regulations in § 99.7(a)(3)(iii) by specifying their contractors, consultants, and volunteers as school officials retained to provide various institutional services and functions. Failure to comply with the notice requirements for school officials in § 99.7(a)(3)(iii) is not excused by recording the disclosure under § 99.32. (We note that under current regulations disclosures to school officials under § 99.31(a)(1) are specifically excluded from the recordation requirements under § 99.32(d).) As a result, an educational agency or institution that has not included contractors and other outside service providers as school officials with legitimate educational interests in its annual FERPA notification may not disclose any personally identifiable information from education records to these parties until it has complied with the notice requirements in § 99.7(a)(3)(iii).

Educational agencies and institutions are responsible for their outside service providers' failures to comply with applicable FERPA requirements. The agency or institution must ensure that the outside party does not use or allow anyone to obtain access to personally identifiable information from education records except in strict accordance with the requirements established by the educational agency or institution that discloses the information.

All outside parties serving as school officials are subject to FERPA's restrictions on the use and redisclosure of personally identifiable information from education records. These restrictions include current provisions in § 99.33(a), which requires an educational agency or institution that discloses personally identifiable information from education records to do so only on the condition that the recipient, including a teacher or other school official, will use the information only for the purpose for which the disclosure was made and will not redisclose the information to any other party without the prior consent of the parent or eligible student unless the educational agency or institution has authorized the redisclosure under a FERPA exception and the agency or institution records the subsequent disclosure in accordance with the requirements in § 99.32(b).

For example, under the proposed regulations, a party that contracts with an educational agency or institution to provide enrollment and degree verification services must ensure that only individuals with legitimate educational interests obtain access to personally identifiable information from education records maintained on behalf of the agency or institution. In accordance with current regulations at § 99.33(b), a contractor may not redisclose personally identifiable information without prior written consent unless the educational agency or institution has authorized the redisclosure under a FERPA exception and the agency or institution records the subsequent disclosure in accordance with the requirements in § 99.32(b). Like other school officials, contractors and other outside parties who provide institutional services may not decide unilaterally to redisclose personally identifiable information from education records, even in circumstances that would comply with an exception in § 99.31(a).

Additionally, records directly related to a student that are maintained by a party acting for an educational agency or institution are education records subject to all FERPA requirements. This includes any new student records created under an outsourcing agreement that are maintained by the outside service provider.

Reasons: The proposed regulations are needed to resolve uncertainty about the specific conditions under which educational agencies and institutions may disclose personally identifiable information from education records, without prior written consent, to contractors, consultants, volunteers, and other outside parties performing institutional services or functions. While there is no explicit statutory exception to the prior written consent requirement for disclosures to contractors and other non-employees to whom an educational agency or institution has outsourced services, we note that the statutory definition of education records protects records that are maintained by a party acting for the agency or institution. See 20 U.S.C. 1232g(a)(4)(A)(ii). Indeed, the Joint Statement in Explanation of Buckley/Pell Amendment (120 Cong. Rec. S39862, Dec. 13, 1974) refers specifically to materials that are maintained by a school “or by one of its agents” when describing the meaning of the new term education records in the December 1974 amendments to the statute.

The Department has long recognized in guidance that FERPA does not prevent educational agencies and institutions from outsourcing institutional services and functions and disclosing education records to contractors and other outside parties performing those services and functions in appropriate circumstances, such as for legal advice; debt collection; transcript distribution; fundraising and alumni communications; development and management of information systems; and degree and enrollment verification. The Secretary wishes to clarify and define the scope of this practice to avoid further confusion and prevent weakening of FERPA's privacy protections because of uncertainty about the requirements for making these kinds of disclosures.

One of the most frequently used exceptions to the prior written consent requirement allows teachers and other school officials to obtain access to education records provided the educational agency or institution has determined that the school official has legitimate educational interests in the information. This exception covers not only teachers and principals, but also school counselors, registrars, admissions personnel, attorneys, accountants, human resource staff, information systems specialists, and designated support and clerical personnel when they need access to personally identifiable information from education records in order to perform their official functions and duties for their employer. As noted above, an educational agency or institution that allows school officials to obtain access to education records under this exception must, under § 99.7(a)(3), include in its annual notification of FERPA rights a specification of its criteria for determining who constitutes a school official and what constitutes legitimate educational interests under § 99.31(a)(1). Disclosures to school officials under current regulations are subject to the restrictions on the use and redisclosure of information in § 99.33 but are exempt from the FERPA recordkeeping requirements in § 99.32.

The proposed regulations are included with the exception for school officials in § 99.31(a)(1) because we believe that disclosures made for contract, volunteer, and other outsourced services and functions should be subject to the same conditions that would apply if the outside party were, in fact, providing institutional services or functions as an employee or officer of the educational agency or institution. In particular, the outside party must be under the direct control of the agency or institution with respect to the maintenance and use of personally identifiable information from education records. The outside party must also perform the type of institutional services or functions for which the agency or institution would otherwise use its own employees. For example, an institution may disclose education records without consent under this provision to an outside party retained to provide enrollment verification services to student loan holders because the institution would otherwise have to use its own employees to conduct the required verifications. In contrast, an institution may not use this provision to disclose education records, without consent, to a financial institution or insurance company that provides a good student discount on its services and needs students' ID numbers and grades to verify an individual's eligibility, even if the institution enters into a contract with these companies to provide the student discount.

Access to Education Records by School Officials

Statute: 20 U.S.C. 1232g(b)(1)(A) provides that an educational agency or institution may allow teachers and other school officials within the agency or institution to obtain access to education records, without prior written consent, if the agency or institution has determined that the school official has legitimate educational interests in the information.

Current Regulations: Section 99.31(a)(1) allows an educational agency or institution to disclose personally identifiable information from education records without consent to school officials, including teachers, within the agency or institution if the educational agency or institution has determined that they have legitimate educational interests in the information. An educational agency or institution that discloses information under this exception must specify in its annual notification of FERPA rights under § 99.7(a)(3)(iii) the criteria it uses to determine who constitutes a school official and what constitutes legitimate educational interests. Current regulations do not specify whether the agency or institution must ensure that school officials obtain access to only those education records in which they have legitimate educational interests.

Proposed Regulations: The proposed regulations in § 99.31(a)(1)(ii) would require an educational agency or institution to use reasonable methods to ensure that teachers and other school officials obtain access to only those education records in which they have legitimate educational interests. This requirement would apply to education records maintained in either paper or electronic format. Agencies and institutions that choose not to use physical or technological controls to restrict a school official's access to education records must ensure that their administrative policy for controlling access to and maintenance of education records is effective and that the agency or institution remains in compliance with the legitimate educational interests requirement in § 99.31(a)(1)(i)(A). (These proposed regulations do not address what constitutes a legitimate educational interest under the regulations.)

Reasons: The proposed regulations are needed to ensure that teachers and other school officials only gain access to education records in which they have a legitimate educational interest. While the proposed regulations apply to records in any format (as defined in § 99.3), the need to ensure compliance with the legitimate educational interest requirement has been driven largely by the increased use of computerized or electronic recordkeeping systems in which a user may have access to all records.

Many of the smaller educational agencies and institutions typically use a combination of physical and administrative methods to restrict access by school officials to paper copy records. For example, paper copy records may be maintained in lockable cabinets, desks, or rooms with distribution of records to school officials controlled by the teacher, registrar, or other authorized custodian as appropriate. With the advent of computerized or electronic records, particularly by the mid-size and larger agencies and institutions, parents and students have complained that school officials may have unrestricted access to the records of all students in an institution's or local educational agency's (LEA) system. Agencies and institutions establishing or upgrading electronic student information systems have also expressed uncertainty about what methods they should use to comply with the legitimate educational interest requirement in this new environment.

Under the proposed regulations, an educational agency or institution should implement controls to protect student records. These controls should consist of a combination of appropriate physical, technical, administrative, and operational controls which will allow access to be limited when required. (Some examples of possible information security controls can be found in “The National Institute of Standards and Technology (NIST) 800-53, Recommended Security Controls for Federal Information Systems” (December 2007). Educational institutions and agencies are not required to implement the NIST 800-53 guidance, but may find it useful when determining possible controls.) For example, software used to access electronic records may contain role-based security features that allow teachers to view only information about students currently enrolled in their classes. Similarly, a school principal or registrar may maintain paper records in locked cabinets and distribute records to authorized officials on an as needed basis.

An educational agency or institution that does not use some kind of physical or technological controls to restrict access and leaves education records open to all school officials may rely instead on administrative controls, such as an institutional policy that prohibits teachers and other school officials from accessing records except when they have a legitimate educational interest. However, an agency or institution that forgoes physical or technological access controls must ensure that its administrative policy for controlling access is effective and that it remains in compliance with the legitimate educational interest requirement in § 99.31(a)(1). In that regard, if a parent or eligible student alleges that a school official obtained access to a student's education records without a legitimate educational interest, an agency or institution must show that the school official possessed a legitimate educational interest in obtaining the personally identifiable information from education records maintained by the agency or institution. An agency or institution may wish to restrict or track school officials who obtain access to education records to ensure that it is in compliance with § 99.31(a)(1)(i)(A).

The risk of unauthorized access to education records by school officials means the likelihood that records may be targeted for compromise and the harm that could result. Methods used by an educational agency or institution to ensure compliance with the legitimate educational interests requirement are considered reasonable under the proposed regulations if they reduce the risk of unauthorized access by school officials to a level commensurate with the likely threat and potential harm. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will occur, the more protections an agency or institution must use to ensure that its methods are reasonable. For example, high risk records, such as those that contain credit card information, SSNs and other elements used for identity theft, immunization and other health records, certain records on special education students, and official transcripts and grades should generally receive greater and more immediate protection than medium or low risk records, such as those containing only publicly releasable directory information. Methods that an educational agency or institution should use to reduce risk to an acceptable level will depend on a variety of factors, including the organization's size and resources. In all cases, reasonableness depends ultimately on what are the usual and customary good business practices of educational agencies and institutions, which requires ongoing review and modification of methods and procedures, where appropriate, as standards and technologies continue to change.

Section 99.31(a)(2) (Disclosure to a School Where Student Seeks or Intends To Enroll)

Statute: 20 U.S.C. 1232g(b)(1)(B) allows an educational agency or institution to disclose, under certain conditions, education records to another school or school system in which the student seeks or intends to enroll without obtaining the prior written consent of a parent or eligible student.

Current Regulations: Under § 99.31(a)(2), an educational agency or institution may disclose education records, without prior written consent, to officials of another school, school system, or postsecondary institution where the student seeks or intends to enroll, provided that the agency or institution complies with the requirements in § 99.34(a) regarding notification to the parent or eligible student of the disclosure and, upon request, provide a copy of the records and an opportunity for a hearing under subpart C of the regulations.

Proposed Regulations: The proposed regulations in § 99.31(a)(2) would allow an educational agency or institution to disclose education records, without consent, to another institution even after a student has already enrolled or transferred, and not just if the student seeks or intends to enroll, if the disclosure is for purposes related to the student's enrollment or transfer.

Reasons: The proposed amendments are needed to resolve uncertainty about whether consent is required to send a student's records to the student's new school after the student has already transferred and enrolled. This proposed exception to the consent requirement is intended to ease administrative burdens on educational agencies and institutions by allowing them to send transcripts and other information from education records to schools where a student seeks or intends to enroll without meeting the formal consent requirements in § 99.30. We have concluded that authority to disclose or transfer information to a student's new school under this exception does not cease automatically the moment a student has actually enrolled. Rather, an educational agency or institution may transfer education records to a student's new school, including a postsecondary institution, at any point in time if the disclosure is in connection with the student's enrollment in the new school.

Based on these considerations, we have also determined that an educational agency or institution may update, correct, or explain information it has disclosed to another educational agency or institution as part of the original disclosure under § 99.31(a)(2) without complying with the written consent requirements in § 99.30. That is, a student's previous institution is not required to obtain prior written consent under § 99.30 to respond to the new institution's request to explain the meaning of education records sent to it in connection with a student's new enrollment.

Finally, in the aftermath of the shooting at Virginia Tech, some questions have arisen about whether FERPA prohibits the disclosure of certain types of information from students' education records to new schools or postsecondary institutions to which they have applied. (Further discussion of the tragic events that occurred at Virginia Tech in April 2007 is included in the discussion of the proposed amendments to § 99.36, which appears later in this document.) Under § 99.31(a)(2) and § 99.34(a), FERPA permits school officials to disclose any and all education records, including health and disciplinary records, to another institution where the student seeks or intends to enroll.

Section 99.31(a)(6) (Organizations Conducting Studies for or on Behalf of an Educational Agency or Institution)

Statute: 20 U.S.C. 1232g(b)(1)(F) allows an educational agency or institution to disclose personally identifiable information from education records, without consent, to organizations conducting studies for or on behalf of the agency or institution for purposes of testing, student aid, and improvement of instruction. The information must be protected so that students and their parents cannot be identified by anyone other than representatives of the organization that conducts the study and must be destroyed when no longer needed for the study. As explained in § 99.31(a)(6)(iii), failure to destroy information in accordance with this requirement could lead to a five-year ban on disclosure of information to that organization.

Current Regulations: The regulations restate the statutory language that the study is conducted “for, or on behalf of” the educational agency or institution, but do not explain what this language means.

Proposed Regulations: The proposed regulations require an educational agency or institution that discloses education records without consent under § 99.31(a)(6) to enter into a written agreement with the recipient organization that specifies the purposes of the study. The agency or institution that discloses education records under this exception does not have to agree with or endorse the conclusions or results of the study. The written agreement must specify that information from education records may only be used to meet the purposes of the study stated in the written agreement and must contain the current restrictions on redisclosure and destruction of information requirements applicable to information disclosed under this exception.

Reasons: Research organizations have asked for clarification about the circumstances in which an educational agency or institution may disclose to them personally identifiable information from education records under § 99.31(a)(6)(iii), and educational agencies and institutions have asked whether they may provide personally identifiable information to organizations for research purposes without parental consent even if the educational agency or institution has no particular interest in the study.

This exception to the consent requirement is intended to allow educational agencies and institutions to retain the services of outside organizations (or individuals) to conduct studies for or on their behalf to develop, validate, or administer predictive tests; administer student aid programs; or improve instruction. An educational agency or institution need not initiate research requests or agree with or endorse a study's results and conclusions under this exception. However, the statutory language “for, or on behalf of” indicates that the disclosing agency or institution agrees with the purposes of the study and retains control over the information from education records that is disclosed. The written agreement required under the proposed regulations will help ensure that information from education records is used only to meet the purposes of the study stated in the written agreement and that all applicable requirements are met. (See discussion of § 99.31(b) below regarding disclosure of de-identified information to independent educational researchers.)

Section 99.31(a)(9) (USA Patriot Act)

Statute: The USA Patriot Act, Public Law 107-56, amended FERPA by providing a new subsection 1232g(j), 20 U.S.C. 1232g(j), that authorizes the United States Attorney General (or designee not lower than an Assistant Attorney General) to apply for an ex parte court order (an order issued by a court without notice to an adverse party) allowing the Attorney General (or designee) to collect education records from an educational agency or institution, without the consent or knowledge of the student or parent, that are relevant to an investigation or prosecution of an offense listed in 18 U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism specified in 18 U.S.C. 2331. The statute requires the Attorney General (or designee not lower than an Assistant Attorney General) to certify facts in support of the order and to retain, disseminate, and use the records in a manner that is consistent with confidentiality guidelines established by the Attorney General in consultation with the Secretary of Education. Agencies and institutions are not required to record the disclosure and cannot be held liable to anyone for producing education records in good faith in accordance with a court order issued under this provision.

Current Regulations: The current regulations do not address the amendments made by the USA Patriot Act.

Proposed Regulations: The proposed regulations add new exceptions to the written consent requirement in § 99.31(a)(9)(ii) and the recordkeeping requirement in § 99.32(a) allowing disclosure of education records without notice in compliance with an ex parte court order obtained by the Attorney General (or designee) concerning investigations or prosecutions of an offense listed in 18 U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism defined in 18 U.S.C. 2331.

Reasons: The proposed regulations are necessary to implement the statutory amendment. An educational agency or institution that is served with an ex parte court order from the Attorney General (or designee) under this provision should ensure that the order is facially valid, just as it does when determining whether to comply with other judicial orders and subpoenas under § 99.31(a)(9). An educational agency or institution is not, however, required or authorized to examine the underlying certification of facts presented to the court in the Attorney General's application for the ex parte court order.

The proposed regulations provide that an educational agency or institution may comply with the court order without notice to the parent or eligible student. (Note that § 99.31(a)(9)(ii)(B) also allows an educational agency or institution to disclose education records without notice to representatives of the Attorney General or other law enforcement authorities who produce a subpoena that has been issued for law enforcement purposes and the court or other issuing agency has ordered that the existence or contents of the subpoena or information furnished in response to the subpoena not be disclosed.)

Section 99.31(a)(16) (Registered Sex Offenders)

Statute: The Campus Sex Crimes Prevention Act (CSCPA), section 1601(d) of the Victims of Trafficking and Violence Protection Act of 2000, Public Law 106-386, amended FERPA by adding 20 U.S.C. 1232g(b)(7), which provides that educational agencies and institutions may disclose information concerning registered sex offenders provided under State sex offender registration and community notification programs required by section 170101 of the Violent Crime Control and Law Enforcement Act of 1994, 103, 42 U.S.C. 14071. Section 170101 contains the Jacob Wetterling Crimes Against Children and Sexually Violent Offender Registration Act (Wetterling Act).

Current Regulations: The current regulations do not address the disclosure of information concerning registered sex offenders.

Proposed Regulations: The proposed regulations add a new exception to the consent requirement in § 99.31(a)(16) that permits an educational agency or institution to disclose information that the agency or institution received under a State community notification program about a student who is required to register as a sex offender in the State. Note that nothing in FERPA or these proposed regulations requires or encourages an educational agency or institution to collect or maintain information about registered sex offenders.

Reasons: The regulations implement the CSCPA amendment to FERPA, which allows educational agencies and institutions to disclose information about registered sex offenders without consent if the information was received through and complies with guidelines regarding a State community notification program issued by the U.S. Attorney General under the Wetterling Act. Wetterling Act guidelines issued by the Attorney General were published in the Federal Register on October 25, 2002 (67 FR 65598), and January 5, 1999 (64 FR 572).

The Wetterling Act sets forth minimum national standards for sex offender registration and community notification programs. Under the Wetterling Act, States must establish programs that require sexually violent predators (and anyone convicted of specified criminal offenses against minors) to register their name and address with the appropriate State authority where the offender lives, works, or is enrolled as a student. States are also required to release relevant information necessary to protect the public concerning persons required to register, excluding the identity of any victim. (This community notification provision is commonly known as the “Megan's Law” amendment to the Wetterling Act.)

CSCPA supplemented the general standards for sex offender registration and community notification programs in the Wetterling Act with provisions specifically designed for higher education campus communities. These include a requirement that States collect information about a registered offender's enrollment or employment at an institution of higher education, including any change in enrollment or employment status at the institution, and make this information available promptly to a campus police department or other appropriate law enforcement agency having jurisdiction where the institution is located. CSCPA also amended the Higher Education Act of 1965, as amended (HEA), by requiring institutions of higher education to advise the campus community where it can obtain information about registered sex offenders provided by the State pursuant to the Wetterling Act, such as the campus law enforcement office, a local law enforcement agency, or a computer network address. See 20 U.S.C. 1092(f)(1)(I) and 34 CFR 668.46(b)(12).

While the FERPA amendment was made in the context of CSCPA's enhancements to registration and notification requirements applicable to the higher education community, the Department has determined that all educational institutions, including elementary and secondary schools, are covered by this amendment. The registration and community notification requirements apply in the State where an offender lives, works, or is a student, which is defined as “a person who is enrolled on a full-time or part-time basis, in any public or private educational institution, including any secondary school, trade, or professional institution, or institution of higher education.” See 42 U.S.C. 14071(a)(3)(G). Because the sex offender registration and community notification requirements apply broadly to students enrolled in “any public or private educational institution,” the Department likewise interprets the FERPA amendment to apply to all educational agencies and institutions subject to FERPA.

4. De-Identification of Information (§ 99.31(b))

Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an educational agency or institution may not have a policy or practice of permitting the release of or providing access to education records, or personally identifiable information from education records, without prior written consent except in accordance with statutory exceptions.

Current Regulations: Personally identifiable information under § 99.3 includes personal identifiers such as a student's name, address, and identification numbers, as well as personal characteristics or other information that would make the student's identity easily traceable.

Proposed Regulations: The proposed regulations would amend § 99.31(b) to provide objective standards under which educational agencies and institutions may release, without consent, education records, or information from education records, that has been de-identified through the removal of all personally identifiable information. Personally identifiable information is defined in § 99.3 to mean information that can be used to identify a student, including direct identifiers, such as the student's name, SSN, and biometric records, alone or combined with other personal or identifying information that is linked or linkable to a specific individual, including indirect identifiers such as the name of the student's parent or other family member, the student's or family's address, and the student's date and place of birth and mother's maiden name, that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstance, to identify the student with reasonable certainty. The Department does not hold educational agencies and institutions responsible for knowing the status of all non-educational records about students (e.g., law enforcement or hospital records). However, the Department encourages educational agencies and institutions to be sensitive to publicly available data on students and to the cumulative effect of disclosures of student data. Additionally, personally identifiable information includes information that is requested by a person who an agency or institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates. This is known as a targeted request.

Reasons: Disclosure is defined in the regulations as permitting access to or releasing, transferring, or otherwise communicating personally identifiable information contained in education records. Accordingly, there is no “disclosure” under FERPA when education records are released if all identifiers have been removed, along with other personally identifiable information. The proposed regulations are needed to establish this guidance in a definitive and legally binding interpretation, and to provide standards for ensuring that a student's personally identifiable information is not disclosed.

The Department's November 18, 2004, letter to the Tennessee Department of Education (TNDOE) explains that an educational agency or institution may release for educational research purposes (without parental consent) anonymous data files, i.e., records from which all personally identifiable information has been removed but that have coded each student's record with a non-personal identifier as described in the letter. (Records or data that have been stripped of identifiers and coded may be re-identified and, therefore, are properly characterized as de-identified.) Under the guidance in the TNDOE letter, a party must ensure that the identity of any student cannot be determined in coded records, including assurances of sufficient cell and subgroup size, and the linking key that connects the code to student information must not be shared with the requesting entity.

The Department recognizes that avoiding the risk of disclosure of identity or individual attributes in statistical information cannot be completely eliminated, at least not without negating the utility of the information, and is always a matter of analyzing and balancing risk so that the risk of disclosure is very low. The reasonable certainty standard in the proposed definition of personally identifiable information requires such a balancing test. (Similarly, we are proposing here to use the term “de-identified” instead of “anonymous”—which appears in previous guidance—because it is more consistent with terminology used by experts in the field and reflects more accurately the level of disclosure risk that should be achieved.)

Many educational institutions have asked for guidance about how they may disclose “redacted” education records that concern students or incidents that are well-known in the school or its community. For example, a school has suspended a student from school and given the student a failing grade for cheating on a test. The parent believes the discipline is too harsh and inconsistent with discipline given to other students and asks to see the redacted records of other students who have been disciplined for cheating on tests that year. Only one student has been disciplined for this infraction during the year, and the name of that student is widely known because her parents went to the media about the accusation. The school may not release the record in redacted form because the publicity has made the record personally identifiable.

Additionally, personally identifiable information includes information that is requested by a person who an agency or institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates. This is known as a targeted request. In the simplest case, if an individual asks for the disciplinary report for a named student, the institution may not release a redacted copy of the report because the requester knows the identity of the student who is the subject of the report. An individual can also make a targeted request without mentioning the student's name. For example, a person running for local office is known to have graduated from a particular university in 1978. Rumors circulate that the candidate plagiarized other students' work while in school. A local reporter asks the university for redacted disciplinary records for all students who graduated in 1978 who were disciplined for plagiarism. The university may not release the records in redacted form because the circumstances indicate that the requester has made a targeted request, i.e. has direct, personal knowledge of the subject of the case. In another case, a local reporter reviewed law enforcement unit records in October 2007 and learned that a prominent high school athlete was under investigation for use of illegal drugs. The newspaper published front-page articles about the matter that same month. Thereafter, the reporter asked the student's school for a redacted copy of all disciplinary records related to illegal drug use by student athletes since October 2007. The school may not release the records in redacted form because the reporter has made a targeted request.

Clearly, extenuating circumstances sometimes cause identity to be revealed even after all identifiers have been removed, whether in aggregated or student-level data. In these situations, the key consideration in determining whether the information is personally identifiable is whether a reasonable person in the school or its community, without personal knowledge of the relevant circumstances, would be able to identify a student with reasonable certainty. The Department is interested in receiving comments on the scope of the “school or its community” limitation in the reasonable person standard, and how it would apply to the release of redacted records as well as statistical information, including information released by State educational authorities and entities other than local districts and institutions.

In regard to numerical or statistical information, several educational agencies and institutions have expressed concern about the public release of information that contains small data sets that may be personally identifiable. We have advised States and schools generally that they may not report publicly on the number of students of a specified race, gender, disability, English language proficiency, migrant status, or other condition who failed to graduate, received financial aid, achieved certain test scores, etc., unless there is a sufficient number of students in the defined category so that personally identifiable information is not released. Some schools have indicated, for example, that they would not disclose that two Hispanic, female students failed to graduate, even if there are several Hispanic females at the institution, because of the likelihood that the students who failed to graduate could easily be identified in such a small data set.

A review of data confidentiality issues, especially as concerns the Federal statistical agencies, indicates that it is not possible to prescribe a single method to apply in every circumstance to minimize risk of disclosing personally identifiable information. This is true for several reasons, including the wide variety of data compilations and systems maintained by different agencies and institutions and the different types of search requests they receive and data sets they wish to disclose. More generally, and as indicated in the Federal Committee on Statistical Methodology's Statistical Policy Working Paper 22 (available at http://www.fcsm.gov/working-papers/wp22.html), educational agencies and institutions may wish to consider current statistical, scientific and technological concepts, and standards when making decisions about analyzing and minimizing the risk of disclosure in statistical information. Consistent with that view, the Department has consistently declined to take a categorical approach and advised instead that the parties themselves are in the best position to analyze and identify the best methods to use to protect the confidentiality of their own data. See, for example, the September 25, 2003, letter to Board of Regents of the University System of Georgia at http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/georgialtr.html; October 19, 2004, letter to Miami University at http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/unofmiami.html.

However, the Department recognizes that there are some practices from the existing professional literature on disclosure limitation that can assist covered entities in developing a sound approach to de-identifying data for release, particularly when consultation with professional statisticians with experience in disclosure limitation methods is not feasible. Each of the items discussed in the following subsection is elaborated on in Statistical Working Paper 22 for further reference.

There are several steps that can assist with de-identifying any data release. The choice of methods depends on the nature of the data release that must be de-identified. First, covered entities should recognize that the re-identification risk of any given release is cumulative, i.e., directly related to what has previously been released. Previous releases include both publicly-available directory information and de-identified data releases. For example, if a publicly available directory provides date and place of birth, then a de-identified data release that also contains the same information for a group of students could pose a re-identification risk if one of those students has an unusual date and place of birth relevant to others in the data release.

Second, covered entities should minimize information released in directories to the extent possible. The Department is not attempting to limit the statutory authority available to covered entities in releasing directory information, but recognizes that since the statute's enactment, the risk of re-identification from such information has grown as a result of new technologies and methods.

Third, covered entities should apply a consistent de-identification strategy for all of its data releases of a similar type. The two major types of data release are aggregated data (such as tables showing numbers of enrolled students by race, age and sex) and microdata (such as individual level student assessment results by grade and school). There are several acceptable de-identification strategies for each type of data. Major methods used by the Department for tabular data include defining a minimum cell size (meaning no results will be released for any cell of a table with a number smaller than “X” or else cells are aggregated until no cells based on one or two cases remain) or controlled rounding (meaning that cells with a number smaller than “X” require that numbers in the affected rows and columns be rounded so that the totals remain unchanged. For microdata releases, the primary consideration is whether the proposed release contains any “unique” individuals whose identity can be deduced by the combination of variables in the file. If such a condition exists, there are a number of methods that can be employed. These include “top coding” a variable (e.g., test scores above a certain level are recoded to a defined maximum), converting continuous data elements into categorical data elements (e.g., creating categories that subsume unique cases) or data swapping to introduce uncertainty so that the data user does not know whether the real data values correspond to certain records.

The Department seeks public comment on whether it needs to develop further guidance on this topic to assist educational agencies and institutions.

Although FERPA does not contain a general “research” exception to the consent requirement, the Department recognizes that useful and valid educational research may be conducted using de-identified data where disclosure of personally identifiable information from education records would not be permissible under the limited standards of § 99.31(a)(6) or § 99.31(a)(3), discussed above. This regulation should not be interpreted to discourage de-identified data releases, but rather to clarify how to do so in a manner that minimizes the risk of re-identification. Accordingly, the proposed regulations are also needed to provide a method that may be used by a school, school district, state department of education, postsecondary institution or commission, or another party that maintains education records to release student-level or microdata for purposes of education research. We believe that these standards establish an appropriate balance that facilitates educational research and accountability while preserving the privacy protections in FERPA.

In order to permit ongoing educational research with the same data, the party that releases the information may attach a unique descriptor to each de-identified record that will allow the recipient to match other de-identified information received from the same source. However, the recipient may not be allowed to have access to any information about how the descriptor is generated and assigned, or that would allow it to match the information from education records with data from any other source, unless that data is de-identified and coded by the party that discloses education records. Furthermore, a record descriptor assigned for educational research purposes under this rule may not be based on a student's social security number.

De-identified, student-level data released for educational research purposes must still conform to the requirements discussed above regarding small data sets that may lead to personal identification of students. However, unlike information released in personally identifiable form under §§ 99.31(a)(3) and 99.31(a)(6), de-identified information from education records is not subject to any destruction requirements because, by definition, it is not “personally identifiable information” under FERPA.

The Department cannot specify in general which statistical disclosure limitation (SDL) methods should be used in any particular case. However, educational agencies and institutions should monitor releases of coded, de-identified microdata and take reasonable measures to ensure that overlapping or successive releases do not result in data sets in which a student's personally identifiable information is disclosed.

5. Identification and Authentication of Identity (§ 99.31(c))

Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provides that an educational agency or institution may not have a policy or practice of releasing, permitting the release of, or providing access to any personally identifiable information from education records without written consent, except in accordance with specified statutory exceptions.

Current Regulations: Current regulations do not address whether an educational agency or institution must ensure that it has properly identified a party to whom it discloses personally identifiable information from education records.

Proposed Regulations: The proposed regulations in § 99.31(c) would require an educational agency or institution to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the agency or institution discloses personally identifiable information from education records.

Reasons: The proposed regulations are needed to ensure that educational agencies and institutions disclose personally identifiable information from education records only to authorized recipients. Identification in this context means determining who is the intended or authorized recipient of the information in question; authentication of identity means ensuring that the recipient is, in fact, who he or she purports to be.

Identification of a party requesting disclosure of hard copy education records is relatively simple—the responsible school official can confirm the name and correct address for records sent by mail and obtain photo identification for personal delivery of records to students, parents, school officials, and other authorized recipients who are not recognized personally by the custodian of the records. Identification presents unique challenges in an electronic or telephonic environment, where personal recognition and photo identification cards are irrelevant.

Occasionally educational agencies and institutions disclose education records to the wrong party because someone misaddresses an envelope, or puts the wrong material in a properly addressed envelope. This is a failure to properly identify the authorized recipient. More commonly, parents and students complain that unauthorized parties obtain access to the student's education records because agencies and institutions use widely available information, such as name and date of birth, or name and SSN or other student ID number, when providing access to electronic records or disclosing information about a student by telephone. This is a failure to properly authenticate identity. These proposed regulations would address both of these problems.

Authentication of identity is a complex subject that continues to advance as new methods and technologies are developed to meet evolving standards for safeguarding financial, health, and other types of electronic records. The proposed regulations allow an educational agency or institution to use any reasonable method. As discussed above in connection with controlling access to education records by school officials, methods are considered reasonable if they reduce the risk of unauthorized disclosure to a level that is commensurate with the likely threat and potential harm and depend on variety of factors, including the organization's size and resources. The greater the harm that would result from unauthorized access or disclosure, and consequently the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution must use to ensure that its methods are reasonable. Again, reasonableness depends ultimately on what are the usual and customary good business practices of educational agencies and institutions, which requires ongoing review and modification of procedures, where appropriate, as standards and technologies change.

Authentication of identity generally involves requiring a user to provide something that only the user knows, such as a PIN, password, or answer to a personal question; something that only the user has, such as a smart card or token; or a biometric factor associated with no one other than the user, such as a finger, iris, or voice print. Under the proposed regulations an educational agency or institution may determine that single-factor authentication, such as a standard form user name combined with a secret PIN or password, is reasonable for protecting access to electronic grades and transcripts. Single-factor authentication may not be reasonable, however, for protecting access to SSNs, credit card numbers, and similar information that could be used for identity theft and financial fraud.

Likewise, an educational agency or institution must ensure that it does not deliver a password, PIN, smart card, or other factor used to authenticate identity in a manner that would allow access to unauthorized recipients. For example, an agency or institution may not make education records available electronically by using a common form user name (e.g., last name and first name initial) with date of birth or SSN, or a portion of the SSN, as an initial password to be changed upon first use of the system.

6. Redisclosure of Education Records by Officials Listed in § 99.31(a)(3) (§ 99.32, § 99.35)

Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) permits an educational agency or institution to disclose education records, without prior written consent, to authorized representatives of the United States Comptroller General, the Secretary of Education, State and local educational authorities, and the U.S. Attorney General as necessary in connection with the audit or evaluation of Federal and State supported education programs, or in connection with the enforcement of Federal legal requirements that relate to those programs. Except when the collection of personally identifiable information is specifically authorized by Federal law, personally identifiable information of parents and students may not be redisclosed to any other parties and must be destroyed when no longer needed for such audit, evaluation or enforcement purposes.

In contrast, section 1232g(b)(4)(B) contains a general prohibition on the redisclosure of information from education records. In particular, by statute an educational agency or institution may disclose personal information from education records only on the condition that the recipient will not redisclose the information to any other party without meeting the prior written consent requirement. If a recipient rediscloses personally identifiable information from education records in violation of the prior written consent requirement, the agency or institution that disclosed the records may not permit that recipient to have access to information from education records for at least five years. There is no general destruction requirement similar to the specific requirement for destruction of personally identifiable information described above for records disclosed for audit, evaluation, and enforcement purposes under section 1232g(b)(3).

Current Regulations: Section 99.31(a)(3) lists the four officials or authorities that may receive education records, without consent, for the specified audit, evaluation, or compliance and enforcement purposes. The Department has interpreted the term “evaluation” broadly to include all manner of studies, assessments, measurements, appraisals, research, and other efforts, including analyses of statistical or numerical data derived from education records. Section 99.35 provides that information disclosed under this exception to the consent requirement must be protected in a manner that does not permit personal identification of individuals by anyone except the officials listed in § 99.31(a)(3) and must be destroyed when no longer needed for the audit, evaluation, or compliance and enforcement purposes, unless a parent or eligible student consents to the disclosure or Federal law specifically authorizes the collection of personally identifiable information. Current regulations do not specify any further conditions under which these officials or authorities may redisclose personally identifiable information from education records without prior written consent.

Section 99.33(c) establishes specific exceptions to the general statutory prohibition on redisclosure of information from education records under 20 U.S.C. 1232g(b)(4)(B). Section 99.33(b) also allows an educational agency or institution to disclose education records with the understanding that the recipient may make further disclosures of the information on its behalf if the disclosures could be made under § 99.31 and the educational agency or institution complies with the recordkeeping requirements specified in § 99.32(b). Section 99.32(a) requires an educational agency or institution to maintain a record of each request for access to and each disclosure of personally identifiable information from the education records of each student. If a recipient is authorized to make further disclosures of personally identifiable information from education records under § 99.33(b), the educational agency or institution must record the names of the additional parties to which the receiving party may disclose the information on behalf of the educational agency or institution and their legitimate interests under § 99.31 in requesting or obtaining the information. Each student's record of disclosures is an education record that must be made available to a parent or eligible student under § 99.32(c). The Department has not applied the regulatory exception in § 99.33(b) to officials or authorities that receive information under §§ 99.31(a)(3) and 99.35 because of the more specific statutory limitations, including the destruction requirement, that generally apply to these disclosures.

Proposed Regulations: The proposed regulations in § 99.35(b)(1) would permit officials and authorities listed in § 99.31(a)(3)(i) to redisclose personally identifiable information from education records under the same conditions, set forth in § 99.33(b), that apply to parties that receive personally identifiable information from education records under other exceptions in § 99.31. For example, this proposed change would allow a State educational agency (SEA) to use the exception in § 99.31(a)(2) to transfer a student's education records to a student's new school district on behalf of the former district. Similarly, an SEA or other official listed in § 99.31(a)(3) would be able to redisclose personally identifiable information from education records received under § 99.35 to an accrediting agency under § 99.31(a)(7); in response to a subpoena or court order under § 99.31(a)(9); or in connection with a health or safety emergency under §§ 99.31(a)(10) and 99.36. The proposed regulations would also apply to the redisclosure of education records by an SEA (or other official listed in § 99.31(a)(3)) to another listed official, such as the Secretary, for audit, evaluation, or compliance and enforcement purposes under § 99.35. The regulations would also clarify that authority to conduct an audit, evaluation, or compliance or enforcement activity is not conferred by FERPA and must be established under other Federal, State, or local law, including valid administrative regulations. Like redisclosures permitted currently under § 99.33(b), redisclosures made by officials listed in § 99.31(a)(3)(i) under the proposed amendment would be subject to the recordation requirements in § 99.32(b).

Reasons: School districts and postsecondary institutions typically disclose education records, or personally identifiable information from education records, to their SEA or State higher education authority, without prior written consent, for audit, evaluation, or compliance and enforcement purposes subject to the requirements of § 99.35. Several SEAs that maintain Statewide, consolidated systems for school district records subject to § 99.35 have questioned whether they may allow a student's new school district to obtain access to personally identifiable information from education records submitted to the system by the student's former district. (Historically, when a student transfers to a new school, the former school district sends the student's education records to the student's new district, without consent, under § 99.31(a)(2).) Others have asked whether records subject to § 99.35 may be redisclosed in compliance with a subpoena or court order and, if so, what conditions apply. States have also asked about the operation of longitudinal data systems that consolidate K-12 and postsecondary education records.

As noted elsewhere in this notice, there are no specific statutory exceptions to either the prohibition on redisclosure of education records disclosed under § 99.31 or the more specific limitations for records disclosed under § 99.35. Accordingly, final regulations published on June 17, 1976 (41 FR 24662) provided in § 99.33(a) that educational agencies and institutions must inform a third party to whom personally identifiable information from education records is disclosed that it may not redisclose any personally identifiable information without the written consent of a parent or eligible student. However, these regulations also added a provision in § 99.33(b) that permits the agency or institution to disclose

personally identifiable information under § 99.31 with the understanding that the information will be redisclosed to other parties under that section; Provided, That the recordkeeping requirements of § 99.32 are met with respect to each of those parties.

41 FR 24662, 24679.

The Secretary recognizes that officials and authorities that receive education records for audit, evaluation, compliance, or enforcement purposes under §§ 99.31(a)(3) and 99.35 are no less capable of protecting the information against unauthorized access and disclosure than parties that receive education records under other exceptions in § 99.31. The proposed amendment is needed so that SEAs and other officials and authorities listed in § 99.31(a)(3)(i) may take advantage of the regulatory exception in § 99.33(b) and redisclose personally identifiable information from education records directly to a qualified recipient under an exception in § 99.31 instead of requiring that party to go to each school district or institution that submitted the records for audit, evaluation, compliance, or enforcement purposes. Similarly, the proposed regulations are needed to clarify that an official or authority that maintains personally identifiable information from education records subject to § 99.35 may redisclose that information to another authority listed in § 99.31(a)(3)(i) for another qualifying audit, evaluation, compliance, or enforcement activity, notwithstanding the limitations in § 99.35.

The proposed regulations clarify that while FERPA permits the disclosure and redisclosure of education records without consent to officials and authorities listed in § 99.31(a)(3)(i) for the purposes specified, it does not confer or establish the underlying authority for those officials and authorities to conduct an audit, evaluation, or compliance or enforcement activity. If Federal, State, or local law authorizes a particular entity to audit or evaluate the education records, then FERPA permits the disclosure of personally identifiable information for that purpose without consent. For example, this exception allows a school district to disclose education records to its own State department of education or other SEA because that agency is legally authorized to audit or evaluate the school district's education programs, or enforce Federal legal requirements related to those programs. This exception does not allow a school district to disclose education records to the State higher education authority without parental consent unless that agency is empowered under Federal, State or local law to conduct an audit, evaluation, or compliance or enforcement activity with respect to that school district's education programs. The legal authority to audit, evaluate, or enforce education programs does not derive from FERPA itself.

These proposed regulations would also ensure that State and local educational authorities may redisclose personally identifiable information from education records in order to consolidate K-16 education records for audit, evaluation, compliance, or enforcement purposes under § 99.35(a). For example, under the proposed regulations, a State's postsecondary or higher education authority may redisclose personally identifiable information from the education records it maintains to a consolidated data system operated by the SEA if the SEA is legally authorized to conduct an audit, evaluation, compliance, or enforcement activity of postsecondary education programs. Likewise, an SEA may redisclose personally identifiable information from K-12 education records to a consolidated database operated by a State's higher education authority if the higher education authority is legally authorized to conduct the audit, evaluation, compliance, or enforcement activity of K-12 educational programs.

As noted above, disclosures under § 99.33(b) are based on an understanding on the part of the educational agency or institution that the recipient will redisclose information to specified recipients on its behalf subject to the recordation requirements in § 99.32(b). The Department is interested in relieving any administrative burdens associated with recording disclosures of education records and, therefore, invites public comment on whether an SEA, the Department, or other official or agency listed in § 99.31(a)(3) should be allowed to maintain the record of the redisclosures it makes on behalf of an educational agency or institution under § 99.32(b).

7. Limitations on the Redisclosure of Information From Education Records (§ 99.33)

Section 99.31(a)(9) (Subpoenas and Court Orders)

Statute: 20 U.S.C. 1232g(b)(4)(B) provides that an educational agency or institution may disclose personally identifiable information from education records to a third party only on the condition that the recipient will not redisclose the information to anyone else without written consent of the parent or eligible student. If a third party outside the educational agency or institution permits access to information without written consent of a parent or eligible student as required under 20 U.S.C. 1232g(b)(2)(A), the educational agency or institution may not permit access to information from education records by that third party for a period of not less than five years. There is no specific statutory exception to the prohibition on redisclosure of personally identifiable information from education records.

20 U.S.C. 1232g(b)(2)(B) provides that an educational agency or institution may disclose personally identifiable information without consent if the information is furnished in compliance with a judicial order or any lawfully issued subpoena, upon the condition that parents and students are notified in advance of compliance. Advance notice is not required for certain Federal grand jury subpoenas and subpoenas issued for law enforcement purposes. 20 U.S.C. 1232g(b)(1)(J).

Current Regulations: Section 99.33(a)(1) permits an educational agency or institution to disclose personally identifiable information from education records only on the condition that the recipient will not redisclose the information to any other party without the prior consent of the parent or eligible student. Section 99.33(b) provides for an exception to this general rule. Specifically, under § 99.33(b), an educational agency or institution may disclose personally identifiable information from education records with the understanding that the party receiving the information may make further disclosures on behalf of the educational agency or institution if the disclosures meet the requirements of § 99.31(a) and the educational agency or institution complies with the recordkeeping requirements in § 99.32(b). Under § 99.33(e), if the Office determines that a third party improperly rediscloses personally identifiable information from education records in violation of the prohibition on redisclosure in § 99.33(a), subject to the provisions of § 99.33(b), the educational agency or institution may not allow that third party access to personally identifiable information from education records for at least five years.

Section 99.31(a)(9) permits an educational agency or institution to disclose personally identifiable information from education records without consent in compliance with a judicial order or lawfully issued subpoena, provided that the agency or institution makes a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance so that the parent or eligible student may seek protective action. Notification is not required for certain grand jury and law enforcement subpoenas.

Proposed Regulations: The proposed regulations in § 99.33(b)(2) would require a party that has received personally identifiable information from education records from an educational agency or institution, including an SEA or other official listed in § 99.31(a)(3)(i), to provide the notice to parents and eligible students, if any, required under § 99.31(a)(9) before it rediscloses personally identifiable information from the records on behalf of an educational agency or institution in compliance with a judicial order or lawfully issued subpoena, as authorized under § 99.33(b).

Reasons: Section 99.33(b) allows a party to redisclose personally identifiable information under § 99.31(a) on behalf of an educational agency or institution, including redisclosure in compliance with a judicial order or lawfully issued subpoena under § 99.31(a)(9). (As noted above, the proposed amendments to § 99.35 would extend this authority to SEAs and other officials and agencies listed in § 99.31(a)(3)(i).) The proposed regulations are needed to clarify which party is responsible for notifying parents and eligible students before an SEA or other third party outside of the educational agency or institution complies with a judicial order or subpoena to redisclose personally identifiable information from education records. The Secretary believes that the party that has been ordered to produce the information should be responsible for ensuring that the parent or eligible student has been notified because the educational agency or institution has no control over whether and when that party will comply. The penalty in § 99.33(e) would prohibit an educational agency or institution from providing access to any third party that fails to provide reasonable notice to parents and eligible students before complying with a judicial or lawfully issued subpoena.

Disclosures Required Under the Clery Act

Statute: 20 U.S.C. 1232g(b)(4)(B) provides that an educational agency or institution may disclose personally identifiable information from education records to a third party only on the condition that the recipient will not redisclose the information to anyone else without written consent of the parent or eligible student. 20 U.S.C. 1232g(b)(6)(B) allows a postsecondary institution to disclose to any party, without consent, the final results of a disciplinary proceeding against a student for crimes of violence or non-forcible sex offenses if the institution determines as a result of the disciplinary proceeding that the student committed the violation in question. 20 U.S.C. 1232g(b)(6)(A) allows a postsecondary institution to disclose to the alleged victim the final results of disciplinary proceedings against a student for crimes of violence or non-forcible sex offenses regardless of the outcome. The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act), which amended the HEA, requires postsecondary institutions to inform both the accuser and the accused of the outcome of a campus disciplinary proceeding brought alleging a sexual assault regardless of the outcome. 20 U.S.C. 1092(f)(8)(B)(iv)(II); 34 CFR 668.46(b)(11)(vi)(B).

Current Regulations: Regulations implementing the Clery Act, 34 CFR § 668.46(b)(11)(iv)(B), require postsecondary institutions to inform both the accuser and the accused of the outcome of any institutional disciplinary proceeding brought alleging a sex offense. Under this provision the outcome of a disciplinary proceeding means only the institution's final determination with respect to the alleged sex offense and any sanction that is imposed against the accused. Section 99.33(a) permits an educational agency or institution to disclose personally identifiable information from education records only on the condition that the recipient will not redisclose the information to any other party without the prior consent of the parent or eligible student. Section 99.33(c) excludes from the statutory prohibition on redisclosure information that an educational agency or institution may disclose without consent to any member of the public, such as directory information under § 99.31(a)(11) and the final results of a disciplinary proceeding for acts constituting crimes of violence or non-forcible sex offenses under § 99.31(a)(14) when a postsecondary institution has determined that the student committed the violation in question. Current regulations in § 99.33(c) do not exclude from the redisclosure prohibition disclosures made by postsecondary institutions to an alleged victim of a crime of violence or non-forcible sex offense under § 99.31(a)(13) or disclosures they are required to make under the Clery Act.

Proposed Regulations: The proposed regulations would amend § 99.33(c) to exclude from the statutory prohibition on redisclosure of education records information that postsecondary institutions are required to disclose under the Clery Act to the accuser and accused regarding the outcome of any campus disciplinary proceeding brought alleging a sexual offense.

Reasons: Some postsecondary institutions have required the accuser to execute a non-disclosure agreement before they disclose the outcome of a disciplinary proceeding for an alleged sexual offense as required under the Clery Act. In analyzing and ruling on these practices, the Department determined that the statutory prohibition on redisclosure of information from education records in FERPA does not apply to information that a postsecondary institution is required to release to students under the Clery Act. The proposed regulations would clarify that postsecondary institutions may not require the accuser to execute a non-disclosure agreement or otherwise interfere with the redisclosure or other use of information disclosed as required under the Clery Act.

8. Health and Safety Emergencies (§ 99.36)

Section 99.36(c) (Conditions That Apply to Disclosure of Information in Health and Safety Emergencies)

Statute: Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or institution may disclose personally identifiable information from education records without prior written consent, subject to regulations by the Secretary, in connection with an emergency to appropriate persons if the knowledge of such information is necessary to protect the health or safety of the student or other persons.

Current regulations: Under § 99.36(a), an educational agency or institution may disclose personally identifiable information from education records to appropriate parties in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals. Under § 99.36(b), educational agencies and institutions may include in a student's education records appropriate information concerning disciplinary action taken against the student for conduct that posed a significant risk to the safety or well-being of that student, other students, or other members of the school community. Educational agencies and institutions may also disclose appropriate information about these kinds of disciplinary actions to teachers and school officials within the agency or institution or in other schools who have legitimate educational interests in the behavior of the student. Under § 99.36(c), all of these regulatory provisions must be strictly construed.

Proposed regulations: The Department proposes to revise § 99.36(c) to remove the language requiring strict construction of this exception and add a provision that in making a determination under § 99.36(a), an educational agency or institution may take into account the totality of the circumstances pertaining to a threat to the safety or health of a student or other individuals. If the educational agency or institution determines that there is an articulable and significant threat to the health or safety of a student or other individuals, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health and safety of the student or other individuals. If, based on the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination.

Reasons: In the wake of the tragic shootings at Virginia Tech, the President directed the Secretary, together with the Secretary of Health and Human Services and the Attorney General, to travel to communities across the nation and to meet with educators, mental health experts, law enforcement and State and local officials to discuss the broader issues raised by the tragedy. On June 13, 2007, those officials transmitted a “Report to the President on Issues Raised by the Virginia Tech Tragedy.” See http://www.hhs.gov/vtreport.html. In relevant part, the report provided:

A consistent theme and broad perception in our meetings was that this confusion and differing interpretations about state and federal privacy laws and regulations impede appropriate information sharing. In some sessions, there were concerns and confusion about the potential liability of teachers, administrators, or institutions that could arise from sharing information, or from not sharing information, under privacy laws, as well as laws designed to protect individuals from discrimination on the basis of mental illness. It was almost universally observed that these fears and misunderstandings likely limit the transfer of information in more significant ways than is required by law. Particularly, although participants in each state meeting were aware of both [the Health Insurance Portability and Accountability Act of 1996 (HIPAA)] and FERPA, there was significant misunderstanding about the scope and application of these laws and their interrelation with state laws. In a number of discussions, participants reported circumstances in which they incorrectly believed that they were subject to liability or foreclosed from sharing information under federal law. Other participants were unsure whether and how HIPAA and FERPA actually limit or allow information to be shared and unaware of exceptions that could allow relevant information to be shared.

Report at page 7. The report went on to charge the Department with certain specific recommended actions:

The U.S. Departments of Health and Human Services and Education should develop additional guidance that clarifies how information can be shared legally under HIPAA and FERPA and disseminate it widely to the mental health, education, and law enforcement communities. The U.S. Department of Education should ensure that parents and school officials understand how and when post-secondary institutions can share information on college students with parents. In addition, the U.S. Departments of Education and Health and Human Services should consider whether further actions are needed to balance more appropriately the interests of safety, privacy, and treatment implicated by FERPA and HIPAA.

Report at page 8 (italics in original). The Department of Education and the Department of Health and Human Services are currently working together on guidance for our respective communities on these issues. This guidance is in addition to compliance training and guidance that the two agencies have provided since issuance of the HIPAA Privacy Rule in December 2000 and, more recently, since the events in April 2007 at Virginia Tech.

Further, the Secretary has carefully considered the appropriate relationship between conditions associated with Federal funding and the exigencies of administering an agency or institution of education on a daily basis. In examining the application of FERPA to the recipients of Departmental funds, the Secretary is mindful that the “health and safety” exception does not allow disclosures on a routine, non-emergency basis. For example, the “health and safety” exception does not permit a school district to routinely share its student information database with the local police department. The present regulation, however, which merely admonishes that the regulation should be “strictly construed,” does not provide a standard to determine whether a particular disclosure complies with the statute. Consequently, the Secretary has decided to provide a new standard for the administration of this exception to the written consent requirement in FERPA. To assure that there are adequate safeguards on this exception, the Secretary requires that, considering the totality of the circumstances, there must be an articulable and significant threat to the health or safety of a student or other individuals, and that the disclosure be to any person whose knowledge of the information is necessary to protect against the threat.

On the other hand, the Secretary has determined that greater flexibility and deference should be afforded to administrators so they can bring appropriate resources to bear on a circumstance that threatens the health or safety of individuals. To provide for appropriate flexibility and deference, the Secretary has determined that if, based on the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination.

In short, in balancing the interests of safety, privacy, and treatment, the Secretary proposes to revise the regulation to specify legal standards, but to couple those standards with greater flexibility and deference to administrators so they can bring appropriate resources to bear on a circumstance that threatens the health or safety of individuals.

9. Directory Information (§ 99.37)

Section 99.37(b) (Disclosure of Directory Information About Former Students)

Statute: Under 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2), an educational agency or institution may disclose directory information without meeting FERPA's written consent requirements provided that it first notifies the parents or eligible student of the types of information that may be disclosed and allows them to opt out of the disclosure. The statute lists a number of items in the definition of directory information, including a student's name, address and telephone listing. The statute does not address procedures for disclosing directory information about former students.

Current Regulations: Section 99.37(a) requires an educational agency or institution to provide public notice to parents of students in attendance and eligible students in attendance of the types of directory information that may be disclosed and the parent's or eligible student's right to opt out. Section 99.37(b) allows the agency or institution to disclose directory information about former students without providing the notice required under § 99.37(a).

Proposed Regulations: Proposed § 99.37(b) clarifies that an agency or institution must continue to honor any valid request to opt out of directory information disclosures made while the individual was a student unless the parent or eligible student rescinds the decision to opt out of directory information disclosures.

Reasons: Some institutions have indicated that § 99.37(b) creates uncertainty about whether they must continue to honor a parent's or eligible student's decision to opt out of directory information disclosures once the student no longer attends the institution. The regulations are needed to clarify that while an agency or institution does not have to notify former students about its policy on directory information disclosures and their right to opt out, directory information may not be disclosed once an individual is no longer a student if the individual made a valid request to opt out while a student in attendance and has not rescinded that request.

Section 99.37(c) (Identification of Students and Communications in Class)

Statute: The statute does not address whether parents and students may use their right to opt out of directory information disclosures to prevent school officials from identifying the student by name or disclosing the student's electronic identifier or institutional e-mail address in class.

Current Regulations: Current regulations do not address whether parents and students may use their right to opt out of directory information disclosures to prevent school officials from identifying the student by name or disclosing the student's electronic identifier or institutional e-mail address in class.

Proposed Regulations: The proposed regulations would provide in § 99.37(c) that a parent or eligible student may not use their right to opt out of directory information disclosures to prevent an educational agency or institution from disclosing or requiring a student to disclose the student's name, electronic identifier, or institutional e-mail address in a class in which the student is enrolled.

Reasons: Several institutions have asked whether a teacher can include in a classroom roll call or sign-in sheet the names of students who have opted out of directory information disclosures. They have also asked whether a student's e-mail address may be disclosed to other students in an on-line class if the student has opted out of directory information disclosures. The proposed regulations are needed to clarify that the right to opt out of directory information disclosures is not a tool for students to remain anonymous in class.

The directory information exception is intended to facilitate communication among school officials, parents, students, alumni, and others, and permit schools to publicize and promote institutional activities to the general public. Many institutions do so by publishing paper or electronic directories that contain student names, addresses, telephone listings, e-mail addresses, and other information the institution has designated as directory information. Some institutions do not publish a directory but do release directory information on a more selective basis. FERPA clearly allows a parent or eligible student to opt out of these disclosures (under the conditions specified in paragraph (a)), whether the information is made available to the general public, limited to members of the school community, or released only to specified individuals.

The Secretary believes, however, that the right to opt out of directory information disclosures does not include a right to remain anonymous in class and, therefore, may not be used to impede routine classroom communications and interactions by preventing a teacher from identifying a student by name in class, whether class is held in a specified physical location or on-line through electronic communications. This means, for example, that regardless of a student's block on directory information disclosures, a teacher may call students by first and last name in class and require students to place their names on a sign-in sheet circulated in class, whether the class is conducted in person or on-line. Because students generally do not have face-to-face communications in on-line classes (or in an on-line component of traditional classes), schools may also disclose or require students to disclose a unique electronic identifier or e-mail address used for students to communicate with one another for on-line class work. This could be either an e-mail address assigned by the institution or one selected by the student for this purpose. Note that this provision is strictly limited to information needed to identify and enable students to communicate in class, i.e., the student's name, unique electronic identifier, and institutional e-mail address. It provides no authority to disclose any directory information outside of the student's class. Further, no other kinds of directory information, including a student's home or campus address, telephone listing, or personal e-mail address not used for class communications, may be disclosed, even within the student's own class, if the parent or eligible student has exercised the right to opt out of directory information disclosures.

Section 99.37(d) (Prohibition on Use of SSNs To Identify Students When Disclosing or Confirming Directory Information)

Statute: The statute does not address the permissibility of using SSNs to identify students when disclosing or confirming directory information.

Current Regulations: Current regulations do not explicitly prohibit the use of SSNs to identify students when disclosing or confirming directory information.

Proposed Regulations: Section 99.37(d) would prohibit an educational agency or institution from using an SSN, either alone or when combined with other data elements, to identify or help identify a student or the student's records when disclosing or confirming directory information unless the student has provided written consent in accordance with FERPA.

Reasons: Some institutions, along with vendors that provide services on behalf of institutions, allow employers and others who seek directory information about a student, such as whether a student has ever attended the institution or received a degree, to submit the student's SSN as a means of identifying the individual. These regulations are needed to provide a legally binding interpretation that this practice violates FERPA unless the student has provided prior written consent for the institution to disclose the student's SSN, even if the institution or vendor only explicitly releases or confirms directory information about the student. Use of an SSN to identify a student or the student's records constitutes an implicit confirmation of the SSN, even if several other data elements are also used to help identify the student in the process.

10. Enforcement (§§ 99.62, 99.64, 99.65, 99.66, and 99.67)

These proposed amendments are intended to clarify the Secretary's enforcement authority in light of the decision of the U.S. Supreme Court in Gonzaga University v. Doe, 536 U.S. 273 (2002). They do not reflect an intention or plan on the part of the Secretary to initiate FERPA institutional compliance reviews or otherwise expand FERPA investigations beyond the current practice of the Office. The Department will exercise its authority to investigate a specific agency or institution only when possible violations are brought to The Department's attention.

Statute: 20 U.S.C. 1232g(f) and (g) directs the Secretary to take appropriate actions to enforce FERPA. The statute does not specify any requirements an educational agency or institution must meet in connection with the Office's investigation of complaints and violations of FERPA.

Section 99.62 (Information Required for the Office To Investigate and Resolve Complaints and Violations)

Current Regulations: Under § 99.62 the Office may require an educational agency or institution to submit reports containing information needed by the Office to resolve complaints.

Proposed Regulations: The proposed regulations in § 99.62 would specify materials that the Office may require an educational agency or institution to submit in order to carry out its investigation and other enforcement responsibilities, including information on the agency's or institution's policies and procedures, annual notifications, training materials, and other relevant information.

Reasons: The regulations are needed to clarify the kinds of information that may be required should the Office seek to determine whether a violation constitutes a policy or practice of the agency or institution.

Section 99.64 (Complaint and Investigation Procedure)

Statute: 20 U.S.C. 1232g(g) provides that the Secretary must establish or designate an office and review board to investigate, process, review, and adjudicate FERPA violations and complaints alleging FERPA violations. The statute does not specify the requirements of a complaint or procedures to be followed by the Office in investigating and resolving alleged FERPA violations.

Current Regulations: Section 99.64(a) provides that a complaint must contain specific allegations of fact that an educational agency or institution has violated FERPA. Under § 99.64(b), the Office investigates each timely complaint to determine whether a violation occurred.

Proposed Regulations: The proposed regulations provide in § 99.64(a) that a complaint does not have to allege that a violation or failure to comply with FERPA is based on a policy or practice of the agency or institution. Under proposed § 99.64(b), if the Office determines that the agency or institution has violated or failed to comply with a FERPA requirement, the Office may also seek to determine whether the violation or failure to comply was based on a policy or practice of the agency or institution. In addition, the Office may investigate a possible FERPA violation even if it has not received a timely complaint from a parent or student or if a valid complaint is subsequently withdrawn.

Reasons: The proposed regulations are needed to clarify that the Department's enforcement responsibilities, as described in Gonzaga University v. Doe, 536 U.S. 273 (2002), include the authority to investigate possible FERPA violations even if no complaint has been filed or a complaint has been withdrawn. While not a widespread problem, the Department needs to establish in its regulations that the Office may investigate allegations of non-compliance provided by a school official or some other party who is not a parent or eligible student because sometimes parents and students are not aware of an ongoing FERPA problem that needs to be addressed.

The proposed amendments to § 99.64 are also needed to clarify that the Office may investigate a FERPA complaint even if the party has not specifically alleged that the agency or institution has a policy or practice in violation of FERPA. In these circumstances, the Office may elect to investigate and determine whether conduct that violates a specific FERPA requirement also constitutes a policy or practice of the agency or institution. (As explained below in connection with proposed amendments to § 99.66, the Department may not seek to withhold funding, terminate eligibility to receive funding under an applicable program, or take other enforcement actions unless it determines that an educational agency or institution has a policy or practice in violation of FERPA requirements and has not come into compliance voluntarily.)

Section 99.65 (Content of Notice of Investigation)

Statute: The statute does not specify what information the Office must include in a notice of investigation of a FERPA violation.

Current Regulations: Under § 99.65 the Office asks an educational agency or institution to submit a written response to a notice of investigation.

Proposed Regulations: Proposed § 99.65(a) would allow the Office to ask an educational agency or institution to submit a written response and other relevant information as set forth in § 99.62.

Reasons: The regulations are needed to clarify that the Office may ask an agency or institution to submit any relevant information needed to resolve a complaint or otherwise conduct an investigation under FERPA.

Section 99.66 (Enforcement Responsibilities of the Office)

Statute: 20 U.S.C. 1232g(a)(1)(A) and (B) provides that no funds shall be made available under any program administered by the Secretary to an educational agency or institution or an SEA that has a policy of denying or effectively prevents parents from exercising their right to inspect and review the student's education records. 20 U.S.C. 1232g(a)(2) provides that no funds shall be made available under any program administered by the Secretary to an educational agency or institution unless parents are provided an opportunity for a hearing to challenge the content of the student's education records under specified conditions. 20 U.S.C. 1232g(b)(1) and (b)(2) provide that no funds shall be made available under any program administered by the Secretary to an educational agency or institution that has a policy or practice of permitting the release of, releasing, or providing access to personally identifiable information in education records without prior written consent except as authorized under FERPA. 20 U.S.C. 1232g(f) directs the Secretary to take appropriate actions to enforce and deal with FERPA violations, except that action to terminate assistance may be taken only if the Secretary finds that there has been a failure to comply and that compliance cannot be secured by voluntary means. The statute does not specify what steps the Secretary should take to conduct investigations and seek voluntary compliance.

Current Regulations: Under § 99.66, the Office reviews a complaint and response from an educational agency or institution and may permit the parties to submit further written or oral arguments or information. Following its investigation, the Office provides to the complainant and the agency or institution written notice of its findings, including the basis for its findings. If the Office finds that the educational agency or institution has failed to comply with a FERPA requirement, its notice includes a statement of the specific steps that the agency or institution must take to comply and provides a reasonable period of time, given all the circumstances, during which the agency or institution may comply voluntarily.

Proposed Regulations: Section 99.66(c) would allow the Office to issue a notice of findings that an educational agency or institution violated FERPA without also finding that the violation constituted a policy or practice of the agency or institution.

Reasons: In light of the Supreme Court's ruling in Gonzaga, the proposed regulations are needed to clarify that, consistent with its current practice, the Office may find that an agency or institution violated FERPA even if the Office does not make a further determination that the violation was based on a policy or practice of the agency or institution. As explained below in connection with proposed amendments to § 99.67(a), however, the Secretary may not take an enforcement action unless the Office has determined that the educational agency or institution has a policy or practice in violation of FERPA.

Section 99.67 (Enforcement Actions)

Statute: 20 U.S.C. 1232g(a)(1)(A) and (B) provides that no funds shall be made available under any program administered by the Secretary to an educational agency or institution or an SEA that has a policy of denying or effectively prevents parents from exercising their right to inspect and review the student's education records. 20 U.S.C. 1232g(a)(2) provides that no funds shall be made available under any program administered by the Secretary to an educational agency or institution unless parents are provided an opportunity for a hearing to challenge the content of the student's education records under specified conditions. 20 U.S.C. 1232g(b)(1) and (b)(2) provide that no funds shall be made available under any program administered by the Secretary to an educational agency or institution that has a policy or practice of permitting the release of, releasing, or providing access to education records without prior written consent except as authorized under FERPA. 20 U.S.C. 1232g(f) directs the Secretary to take appropriate actions to enforce and deal with FERPA violations, except that action to terminate assistance may be taken only if the Secretary finds that there has been a failure to comply and that compliance cannot be secured by voluntary means. The statute does not specify what steps the Secretary should take to conduct investigations and seek voluntary compliance or what enforcement actions the Secretary may take in cases of non-compliance.

Current Regulations: Under § 99.67(a), the Secretary may withhold further payments under any applicable program, issue a complaint to compel compliance through a cease and desist order, or terminate eligibility to receive funding under any applicable program only if an educational agency or institution fails to comply voluntarily with a notice finding that the agency or institution has not complied with the Act.

Proposed Regulations: Under proposed § 99.67(a), the Secretary may take enforcement actions if the Office determines that the educational agency or institution has a policy or practice in violation of FERPA requirements and has failed to come into compliance voluntarily. The proposed regulations also clarify that the Secretary may take any other appropriate enforcement action in addition to those listed specifically in the regulations.

Reasons: The proposed regulations are needed to clarify that the Office may issue a notice of violation or failure to comply with specific FERPA requirements, such as a single failure to provide a parent with access to education records, and require corrective action. However, the Office may not seek to withhold payments, terminate eligibility for funding, or take other enforcement actions unless the Office determines that the agency or institution has a policy or practice in violation of FERPA requirements. The proposed regulations are also needed to clarify that the Secretary may take any other enforcement action that is legally available, such as entering into a compliance agreement under 20 U.S.C. 1234f or seeking an injunction.

Executive Order 12866 Back to Top

Under Executive Order 12866, the Secretary must determine whether this regulatory action is “significant” and therefore subject to the requirements of the Executive Order and subject to review by the OMB. Section 3(f) of Executive Order 12866 defines a “significant regulatory action” as an action likely to result in a rule that may (1) have an annual effect on the economy of $100 million or more, or adversely affect a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local or tribal governments or communities in a material way (also referred to as an “economically significant” rule); (2) create serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impacts of entitlement grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive order. The Secretary has determined that this regulatory action is significant under section 3(f)(4) of the Executive order.

1. Potential Costs and Benefits

Following is an analysis of the potential costs and benefits of the most significant proposed changes to the FERPA regulations. In conducting this analysis, the Department examined the extent to which the regulations add to or reduce the costs of educational agencies and institutions and, where appropriate, State educational agencies (SEAs) and other State and local educational authorities in relation to their costs of complying with the FERPA regulations prior to these changes.

This analysis is based on data from the most recent Digest of Education Statistics (2006) published by the National Center for Education Statistics (NCES), which projects total enrollment of 48,948,000 students in public elementary and secondary schools and 17,648,000 students in postsecondary institutions; and a total of 96,513 public K-12 schools; 14,315 school districts; and 6,585 postsecondary institutions. (Excluded are data from private institutions that do not receive Federal funding from the Department and, therefore, are not subject to FERPA.) Based on this analysis, the Secretary has concluded that the changes in these proposed regulations would not impose significant net costs on educational agencies and institutions. Analyses of specific provisions follow.

Alumni Records Back to Top

The proposed regulations clarify the current exclusion from the definition of education records for records that only contain information about an individual after he or she is no longer a student, which is intended to cover records of alumni and similar activities. Some institutions have applied this exclusion to records that are created after a student has ceased attending the institution but that are directly related to his or her attendance as a student, such as investigatory reports and settlement agreements about incidents and injuries that occurred during the student's enrollment. The amendment would clarify that this provision applies only to records created or received by an educational agency or institution after an individual is no longer a student in attendance and that are not directly related to the individual's attendance as a student.

We believe that most of the more than 102,000 K-12 schools and postsecondary institutions subject to FERPA already adhere to this revised interpretation in the proposed regulations and that for those that do not, the number of records affected is likely to be very small. Assuming that each year one half of one percent of the 66,596,000 students enrolled in these institutions have one record each affected by the proposed change, in the year following issuance of the regulations institutions would be required to try to obtain written consent before releasing 332,980 records that they would otherwise release without consent. We estimate that for the first year contacting the affected parent or student to seek and process written consent for these disclosures would take approximately1/2hour per record at an average cost of $32.67 per hour for a total cost of $5,439,229. (Compensation for administrative staff time is based on published estimates for 2005 from the Bureau of Labor Statistics' National Compensation Survey of $23.50 per hour plus an average 39 percent benefit load for Level 8 administrators in education and related fields.)

In terms of benefits, the proposed change would protect the privacy of parents and students by clarifying the intent of this regulatory exclusion and help prevent the unlawful disclosure of these records. It would also provide greater legal certainty and therefore some cost savings for those agencies and institutions that may be required to litigate this issue in connection with a request under a State open records act or other legal proceeding. For these reasons, we believe that the overall benefits outweigh the potential costs of this change.

Exclusion of SSNs and ID Numbers From Directory Information Back to Top

The proposed regulations clarify that a student's SSN or student ID number is personally identifiable information that may not be disclosed as directory information under FERPA. The principal effect of this change is that educational agencies and institutions may not post grades by SSN or student ID number and may not include these identifiers with directory information they disclose about a student, such as a student's name, school, and grade level or class, on rosters or sign-in sheets that are made available to students and others. (Educational agencies and institutions may continue to include SSNs and student ID numbers on class rosters and schedules that are disclosed only to teachers and other school officials who have legitimate educational interests in this information.)

A class roster or sign-in sheet that contains or requires students to affix their SSN or student ID number makes that information available to every individual who signs-in or sees the document and who may be able to use it for identity theft or to find out a student's grades or other confidential educational information. In regard to posting grades, an individual who knows which classes a particular student attends may be able to ascertain that student's SSN or student ID number by comparing class lists for repeat numbers. Because SSNs are not randomly generated, it may be possible to identify a student by State of origin based on the first three (area) digits of the number, or by date of issuance based on the two middle digits.

The Department does not have any actual data on how many class or test grades are posted by SSN or student ID number at this time, but we believe that the practice is rare or non-existent below the secondary level. Although the practice was once widespread, particularly at the postsecondary level, anecdotal evidence suggests that as a result of consistent training and informal guidance by the Department over the past several years, together with the increased attention States and privacy advocates have given to the use of SSNs, many institutions now either require teachers to use a code known only to the teacher and the student or prohibit posting of grades entirely.

The most recent figures available from the Bureau of Labor Statistics (2004) indicate that there are approximately 2.7 million secondary and postsecondary teachers in the United States. As noted above, we assume that most of these teachers either do not post grades at all or already use a code known only to the teacher or student. We assume further that additional costs to deliver grades personally in the classroom or through electronic mail, instead of posting, would be minimal. For purposes of this analysis, we estimate that no more than 5 percent of 2.7 million, or 135,000 teachers would continue to post grades and need to convert to a code, which would require them to spend an average of one half hour each semester establishing and managing grading codes for students. Using the Bureau of Labor Statistics' published estimate of average hourly wages of $42.98 for teachers at postsecondary institutions and an average 39 percent load for benefits, we estimate an average cost of $59.74 per teacher per year, for a total of $8,064,900. Parents and students should incur no costs except for the time they might have to spend to contact the school official if they forget the student's grading code.

This proposed change will benefit parents and students and educational agencies and institutions by reducing the risk of identity theft associated with posting grades by SSN, and the risk of disclosing grades and other confidential educational information caused by posting grades by student ID number. It is difficult to quantify the value of reducing the risk of identity theft. We note, however, that for the past few years over one-third of complaints filed with the Federal Trade Commission have been for identity theft. See Federal Trade Commission, Consumer Fraud and Identity Theft Data, February 2008, at page 2.

According to the Better Business Bureau, identity theft cost businesses nearly $57 billion in 2006 while victims spent an average of 40 hours resolving identity theft issues. It is even more difficult to measure the benefits of enhanced privacy protections for student grades and other confidential educational information from education records because the value individuals place on the privacy of this information varies considerably and because we are unable to determine how often it happens. Therefore, the Secretary seeks public comment on the value of these enhanced privacy protections in relation to the expected costs to implement the proposed changes.

Prohibit Use of SSN To Confirm Directory Information Back to Top

The proposed regulations would prevent an educational agency or institution (or a contractor providing services for an agency or institution) from using a student's SSN (or student ID number) to identify the student when releasing or confirming directory information. This occurs, for example, when a prospective employer or insurance company telephones an institution or submits a Web site inquiry to find out whether a particular individual is enrolled in or has graduated from the institution. While this provision would apply to educational agencies and institutions at all grade levels, we believe that it will affect mainly postsecondary institutions because enrollment and degree verification services typically are not offered at the K-12 level.

A survey conducted in March 2002 by the American Association of Collegiate Registrars and Admissions Officers (AACRAO) showed that nearly half of postsecondary institutions used SSNs as the primary means to track students in academic databases. Since then, use of SSNs as a student identifier has decreased significantly in response to public concern about identity theft. While postsecondary institutions may continue to collect students SSNs for financial aid and tax reporting purposes, many have ceased using the SSN as a student identifier either voluntarily or in compliance with State laws. Also, over the past several years the Department has provided training on this issue and published on the Office Web site a 2004 letter finding a postsecondary institution in violation of FERPA when its agent used a student's SSN, without consent, to search its database to verify that the student had received a degree. http://www.ed.gov/policy/gen/guid/fpco/ferpa/library/auburnuniv.html. In these circumstances, we estimate that possibly one-quarter of the nearly 6,585 postsecondary institutions in the United States, or 1,646 institutions, may ask a requester to provide the student's SSN (or student ID number) in order to locate the record and respond to an inquiry for directory information.

Under the proposed amendment an educational agency or institution that identifies students by SSN (or student ID number) when releasing directory information will either have to ensure that the student has provided written consent to disclose the number to the requester, or rely solely on a student's name and other properly designated directory information to identify the student, such as address, date of birth, dates of enrollment, year of graduation, major field of study, degree received, etc. Costs to an institution of ensuring that students have provided written consent for these disclosures, for example by requiring the requester to fax copies of each written consent to the institution or its contractor, or making arrangements to receive them electronically, could be substantial for large institutions and organizations that utilize electronic recordkeeping systems. Institutions may choose instead to conduct these verifications without using SSNs or student IDs, which may make it more difficult to ensure that the correct student has been identified because of the known problems in matching records without the use of a universal identifier. Increased institutional costs either to verify that the student has provided consent or to conduct a search without use of SSNs or student ID numbers should be less for smaller institutions, where the chances of duplicate records are decreased. Parents and students may incur additional costs if an employer, insurance company, or other requester is unable to verify enrollment or graduation based solely on directory information and written consent for disclosure of the student's SSN or student ID number is required. Due to the difficulty in ascertaining actual costs associated with these transactions, the Secretary asks for public comment on costs that educational agencies and institutions and parents and students would expect to incur under this proposed change.

The enhanced privacy protections of this proposed amendment will benefit students and parents by reducing the risk that third parties will use a student's SSN without consent and possibly confirm a questionable number for purposes of identity theft. Similarly, preventing institutions from implicitly confirming a questionable student ID number will help prevent unauthorized individuals from obtaining confidential information from education records. In evaluating the benefits or value of this proposed change, we note that this provision does not affect any activity that an educational agency or institution is required to perform under FERPA or other Federal law, such as using SSNs to confirm enrollment for student loan purposes, which is permitted without consent under the financial aid exception in § 99.31.

User ID for Electronic Communications Back to Top

The proposed regulations would allow an educational agency or institution to disclose as directory information a student's user ID or other electronic identifier so long as it functions like a name, that is, it cannot be used without a PIN, password, or some other authentication factor to gain access to education records. This change would impose no costs and would result in regulatory relief by allowing agencies and institutions to use directory services in electronic communications systems without incurring the administrative costs associated with obtaining student consent for these disclosures.

Costs related to honoring a student's decision to opt out of these disclosures should be minimal because of the small number of students who would elect not to participate in electronic communications at their school. Applying this proposed change to records of both K-12 and postsecondary students and assuming that one-tenth of a percent of parents and eligible students would opt out of these disclosures, we estimate that institutions would have to flag the records of approximately 67,000 students for opt out purposes. Recognizing that institutions currently flag records for directory information opt outs for other purposes, the Secretary seeks public comment on the administrative and information technology costs institutions would incur to process these potential new directory information opt outs.

Student Anonymity in the Classroom Back to Top

The proposed regulations would ensure that parents and students do not use the right to opt out of directory information disclosures to prevent disclosure of the student's name, institutional e-mail address, or electronic identifier in the student's physical or electronic classroom. We estimate that this change would result in a small net benefit to educational agencies and institutions because they would have greater legal certainty about this element of classroom administration, and it would reduce the institutional costs of responding to complaints from students and parents about the release of this information. FERPA could not be used to allow students to remain anonymous to their peers in class, but the safety of students might be enhanced by allowing them to know the name of every student in their class.

Disclosing Education Records to New School and to Party Identified as Source Record Back to Top

The proposed amendment to § 99.31(a)(2) would allow an educational agency or institution to disclose education records, or personally identifiable information from education records, to a student's new school even after the student is already attending the new school so long as the disclosure relates to the student's enrollment in the new school. This change would provide regulatory relief by reducing legal uncertainty about how long a school may continue to send records or information to a student's new school, without consent, under the “seeks or intends to enroll” exception.

The proposed amendment to the definition of disclosure in § 99.3 would allow a school that has concerns about the validity of a transcript, letter of recommendation, or other record to return these documents (or personally identifiable information from these documents) to the student's previous school or other party identified as the source of the record in order to resolve questions about their validity. Combined with the proposed change to § 99.31(a)(2), discussed earlier in this analysis, this change would also allow the student's previous school to continue to send education records, or clarification about education records, to the student's new school in response to questions about the validity or meaning of records sent previously by that party. We believe that these changes would provide significant regulatory relief to educational agencies and institutions by helping to reduce transcript and other educational fraud based on falsified records.

Outsourcing Back to Top

The proposed regulations would allow educational agencies and institutions to disclose education records, or personally identifiable information from education records, without consent to contractors, volunteers, and other non-employees performing institutional services and functions as school officials. The agency or institution may have to amend its annual notification of FERPA rights to include these parties as school officials with legitimate educational interests.

This change would provide regulatory relief by permitting and clarifying the conditions for a non-consensual disclosure of education records that is not allowed under current regulations. Our experience suggests that virtually all of the more than 102,000 schools subject to FERPA will take advantage of this provision. We have no actual data on how many school districts publish annual FERPA notifications for the 96,513 K-12 public schools included in the 102,000 total and, therefore, how many entities would be affected by this requirement. However, since educational agencies and institutions are already required under existing regulations to publish a FERPA notification annually, we believe that costs to include this new information would be minimal.

Access Control and Tracking Back to Top

The proposed regulations in § 99.31(a)(1)(ii) would require an educational agency or institution to use reasonable methods to ensure that teachers and other school officials obtain access to only those education records in which they have legitimate educational interests. This requirement would apply to both computerized or electronic records and paper, film, and other hard copy records. Agencies and institutions that choose not to restrict access with physical or technological controls, such as locked cabinets and role-based software security, must ensure that their policy is effective and that school officials gain access to only those education records in which they have legitimate educational interests.

Information gathered by the director of the Family Policy Compliance Office at numerous FERPA training sessions and seminars, along with recent discussions with software vendors and educational organizations, indicates that the vast majority of mid and large size school districts and postsecondary institutions currently use commercial software for student information systems. We have been advised that these systems all include role-based security features that allow administrators to control access to specific records, screens, or fields according to a school official's duties and responsibilities; these systems also typically contain transactional logging features that document or track a user's actual access to particular records, which an agency or institution may use to help ensure the effectiveness of its policies regarding access to education records. Educational agencies and institutions that already have these systems would incur no additional costs to comply with the proposed regulations.

For purposes of this analysis we excluded from a total of 14,315 school districts and 6,585 postsecondary institutions those with more than 1,000 students, for a total of 6,998 small K-12 districts and 3,933 small postsecondary institutions that may not have software with access control security features. The director's discussions with numerous SEAs and local districts suggest that the vast majority of these small districts and institutions do not make education records available to school officials electronically or by computer but instead use some system of administrative and physical controls.

We estimate for this analysis that 20 percent, or 1,400, of these small districts and institutions use home-built computerized or electronic systems that may not have the role-based security features of commercial software. The most recent published estimate we have for software costs comes from the final Standards for Privacy of Individually Identifiable Health Information under the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy Rule) published by the Department of Health and Human Services (HHS) on December 28, 2000, which estimated that the cost of software upgrades to track the disclosure of medical records would be $35,000 initially for each hospital. 65 FR 82462, 82768. We determined that use of the cost estimate from the HIPAA Privacy Rule was appropriate because, as discussed above, software that tracks disclosure history can also be used to control or restrict access to electronic records. Recent discussions with information technology (IT) staff in the Department suggested that it was reasonable to conclude that an institutional license for software that controls and tracks access to electronic records would cost approximately $35,000 at this time; adjustments for inflation were not deemed necessary because software costs do not track with inflation in as straightforward a way as do other goods and services. Further, while discussions with HHS staff indicate that the disclosure tracking software cost estimates in the HIPAA Privacy Rule preamble were provided primarily with hospitals and larger institutions in mind, the Department's IT staff found no difference between software costs depending on the size of the institutions.

Based on these determinations and assumptions, if 1,400 small K-12 districts and postsecondary institutions purchased student information software to comply with the proposed regulations, they would incur estimated costs of $49,000,000. We believe that the remaining 5,600 small districts and institutions would not purchase new software because they do not make education records available electronically and rely instead on less costly administrative and physical methods to control access to records by school officials. Districts and institutions that provide school officials with open access to education records may need to devote some additional administrative staff time to ensuring that their policies are effective and that they remain in compliance with the legitimate educational interest requirement with respect to school officials who access records. However, no reliable estimates exist for the average number of teachers and other school officials who access education records or the number of times access is sought. Accordingly, we are seeking public comment on any potential net costs associated with this proposed requirement for ensuring that legitimate educational interest policies are effective.

Identification and Authentication of Identity Back to Top

The proposed regulations in § 99.31(c) would require educational agencies and institutions to use reasonable methods to identify and authenticate the identity of parents, students, school officials and other parties to whom the agency or institution discloses personally identifiable information from education records. They would impose no new costs for educational agencies and institutions that disclose hard copy records through the U.S. postal service or private delivery services with use of the recipient's name and last known official address. We were unable to find reliable data that would allow us to estimate the additional administrative time that educational agencies and institutions would incur to check photo identification, where appropriate, when releasing education records in person and seek public comment on this point.

Authentication of identity for electronic records involves a wider array of security options because of continuing advances in technologies but is not necessarily more costly than authentication of identity for hard copy records. We assume that educational agencies and institutions that require users to enter a secret password or PIN to authenticate identity will deliver the password or PIN through the U.S. postal service or in person. We estimate that no new costs would be associated with this process because agencies and institutions already have direct contact with parents, eligible students, and school officials for a variety of other purposes and would use these opportunities to deliver a secret authentication factor.

As noted above, single-factor authentication of identity, such as a standard form user name combined with a secret password or PIN, may not provide reasonable protection for access to all types of education records or under all circumstances. The Secretary invites public comment on the potential costs of authenticating identity when educational agencies and institutions allow authorized users to access sensitive personal or financial information in electronic records for which single-factor authentication would not be reasonable.

Redisclosure and Recordkeeping Back to Top

The proposed regulations would allow the officials and agencies listed in § 99.31(a)(3)(i) (the U.S. Comptroller General; the U.S. Attorney General; the Secretary; and State and local educational authorities) to redisclose education records, or personally identifiable information from education records, without consent under the same conditions that apply currently to other recipients of education records under § 99.33(b). This proposed change would provide substantial regulatory relief to these parties by allowing them to redisclose information on behalf of educational agencies and institutions under any provision in § 99.31(a), which allows disclosure of education records without consent. For example, States would be able to consolidate K-16 education records under the SEA or State higher educational authority without having to obtain written consent under § 99.30. Parties that currently request access to records from individual school districts and postsecondary institutions would in many instances be able to obtain the same information in a more cost effective manner from the appropriate State educational authority, or from the Department.

In accordance with existing regulations in § 99.32(b), an educational agency or institution must record any redisclosure of education records made on its behalf under § 99.33(b), including the names of the additional parties to which the receiving party may redisclose the information and their legitimate interests or basis for the disclosure without consent under § 99.31 in obtaining the information. The proposed regulations would allow SEAs and other State educational authorities (such as higher education authorities), the Secretary, and other officials or agencies listed in § 99.31(a)(3)(i) to maintain the record of redisclosure required under § 99.32(b), provided that the educational agency or institution makes that record available to parents and eligible students as required under § 99.32(c).

SEAs and other officials listed in § 99.31(a)(3)(i) would incur new administrative costs if they elect to maintain the record of redisclosure for the educational agency or institution on whose behalf they redisclose education records under the proposed regulations. We estimate that two educational authorities or agencies in each State and the District of Columbia (one for K-12 and one for postsecondary) and the Department itself, for a total of 103 authorities will elect to maintain the required records of redisclosures. We estimate further that these authorities will need to record two redisclosures per year from their records and that it will take one hour of administrative time to record each redisclosure electronically at an average hourly rate of $32.67, for a total annual administrative cost of $6,730. (Compensation for administrative staff time is explained above.) We also assume for purposes of this analysis that State educational authorities and the Department already have software that would allow them to record these disclosures electronically.

State educational authorities and other officials that elect to maintain records of redisclosures would also have to make that information available to a parent or eligible student, on request, if the educational agency or institution on whose behalf the information was redisclosed does not do so. We assume that few parents and students request this information and, therefore, use an estimate that one in one thousand of a total of 66,596,000 students will make such a request each year, or 66,596 requests. If it takes one-quarter of an hour to locate and printout a record of disclosures at an average administrative hourly rate of $32.67, the average annual administrative cost for this service would be $543,923, plus mailing costs (at $.41 per letter) of $27,304, for a total of $571,227. Educational agencies and institutions themselves would incur these costs if they make these records of redisclosure available to parents and students instead.

The Department believes that the proposed change would result in a net benefit to both educational agencies and institutions and the officials that redisclose information under this provision because the redisclosing parties would not have to send their records of redisclosure to the educational agencies and institutions unless a parent or student requests that information and the educational agency or institution wishes to make the record available itself. Further, the costs to State authorities and the Department to record their own redisclosures would be outweighed by the savings that educational agencies and institutions would realize by not having to record the disclosures themselves.

Notification of Compliance With Court Order or Subpoena Back to Top

The proposed regulations would require any party that rediscloses education records in compliance with a court order or subpoena under § 99.31(a)(9) to provide the notice to parents and eligible students required under § 99.31(a)(9)(ii). We anticipate that this provision will affect mostly State and local educational authorities, which maintain education records they have obtained from their constituent districts and institutions and, under the proposed regulations discussed above, may redisclose the information, without consent, in compliance with a court order or subpoena under § 99.31(a)(9).

There is no change in costs as a result of shifting responsibility for notification to the disclosing party under this proposed change. However, we believe that minimizing or eliminating uncertainty about which party is legally responsible for the notification would result in a net benefit to all parties.

State Auditors Back to Top

The proposed regulations would allow State auditors to have access to education records without consent under §§ 99.31(a)(3) and 99.35, which allows disclosures in connection with an audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements related to those programs. This change would involve no increased costs and provide regulatory relief by clarifying that these disclosures are permitted even if the State auditor is not a State educational authority (or other official listed in § 99.31(a)(3)(i)).

The proposed change is limited to disclosures for purposes of an audit, which is defined as testing compliance with applicable laws, regulations, and standards. We believe that this limitation does not impose additional costs because a State auditor may conduct activities outside the scope of an audit, such as evaluate the effectiveness of educational programs, by establishing a contractual relationship with the State educational authority or school district or institution in possession of the records that qualifies the auditor as an authorized representative or school official, respectively.

Directory Information Opt Outs Back to Top

The proposed regulations clarify that while an educational agency or institution is not required to notify former students under § 99.37(a) about the institution's directory information policy or allow former students to opt out of directory information disclosures, they must continue to honor a parent's or student's decision to opt out of directory information disclosures after the student leaves the institution. Most agencies and institutions should already comply with this requirement because of informal guidance and training provided by FPCO. We have insufficient information to estimate the number of institutions affected and the additional costs involved in changing systems to maintain opt out flags on education records of former students and seek public comment on the matter.

2. Clarity of the Regulations

Executive Order 12866 and the Presidential Memorandum on “Plain Language in Government Writing” require each agency to write regulations that are easy to understand.

The Secretary invites comments on how to make these proposed regulations easier to understand, including answers to questions such as the following:

  • Are the requirements in the proposed regulations clearly stated?
  • Do the proposed regulations contain technical terms or other wording that interferes with their clarity?
  • Does the format of the proposed regulations (grouping and order of sections, use of headings, paragraphing, etc.) aid or reduce their clarity?
  • Would the proposed regulations be easier to understand if we divided them into more (but shorter) sections? (A “section” is preceded by the symbol “§ ” and a numbered heading; for example, § 99.30 Under what conditions is prior consent required to disclose information?)
  • Could the description of the proposed regulations in the SUPPLEMENTARY INFORMATION section of this preamble be more helpful in making the proposed regulations easier to understand? If so, how?
  • What else could we do to make the proposed regulations easier to understand?

Send any comments that concern how the Department could make these proposed regulations easier to understand to the person listed in the ADDRESSES section of the preamble.

Regulatory Flexibility Act Certification Back to Top

The Secretary certifies that these proposed regulations would not have a significant economic impact on a substantial number of small entities. The small entities that would be affected by these proposed regulations are small local educational agencies (LEAs) that receive Federal funds from the Department and certain 4- and 2-year colleges and for-profit postsecondary trade and technical schools with small enrollments that receive Federal funds, such as student aid programs under Title IV of the HEA. However, the regulations would not have a significant economic impact on these small agencies and institutions because the regulations would not impose excessive regulatory burdens or require unnecessary Federal supervision. The regulations would impose minimal requirements to ensure that LEAs and postsecondary institutions comply with the educational privacy protection requirements in FERPA.

Federalism Back to Top

Executive Order 13132 requires us to ensure meaningful and timely input by State and local elected officials in the development of regulatory policies that have federalism implications. “Federalism implications” means substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government. The proposed regulations in §§ 99.3 through 99.67 may have federalism implications, as defined in Executive Order 13132, in that they will have some effect on the States and the operation of educational agencies and institutions subject to FERPA. We encourage State and local elected officials to review and provide comments on these proposed regulations. To facilitate review and comment by appropriate State and local officials, the Department will, aside from publication in the Federal Register, post the NPRM to the FPCO Web site and to the Office of Planning, Evaluation, and Policy Development (OPEPD) Web site and make a specific e-mail posting via a special listserv that is sent to each State department of education superintendent and higher education commission director.

Paperwork Reduction Act of 1995 Back to Top

These proposed regulations do not contain any information collection requirements.

Intergovernmental Review Back to Top

These proposed regulations are not subject to Executive Order 12372 and the regulations in 34 CFR part 79.

Assessment of Educational Impact Back to Top

The Secretary particularly requests comments on whether these proposed regulations would require transmission of information that any other agency or authority of the United States gathers or makes available.

Department Recommendations for Safeguarding Education Records Back to Top

The Department recognizes that agencies and institutions face significant challenges in safeguarding educational records. We are providing the following information and recommendations to assist agencies and institutions in meeting these challenges.

As noted elsewhere in this document, FERPA provides that no funds administered by the Secretary may be made available to any educational agency or institution that has a policy or practice of releasing, permitting the release of, or providing access to personally identifiable information from education records without the prior written consent of a parent or eligible student except in accordance with specified exceptions. In light of these requirements, the Secretary encourages educational agencies and institutions to utilize appropriate methods to protect education records, especially in electronic data systems.

In recent months the following incidents have come to the Department's attention:

  • Students' grades or financial information, including SSNs, have been posted on publicly available web servers;
  • Laptops and other portable devices containing similar information from education records have been lost or stolen;
  • Education records, or devices that maintain education records, have not been retrieved from school officials upon termination of their employment or service as a contractor, consultant, or volunteer;
  • Computer systems at colleges and universities have become favored targets because they hold many of the same records as banks but are much easier to access. See “College Door Ajar for Online Criminals” (May 2006), available at http://www.uh.edu/ednews/2006/latimes/200605/20060530hackers.html and July 10, 2006, Viewpoint in BusinessWeek/Online available at http://www.businessweek.com/technology/content/jul2006/tc20060710_558020.htm;
  • Nearly 65 percent of postsecondary educational institutions identified theft of personal information (SSNs, credit/debit/ATM card, account or PIN numbers, etc.) as a high risk area. See Table 7, Perceived Risks at http://www.educause.edu/ir/library/pdf/ecar_so/ers/ers0606/Ekf0606.pdf; and
  • In December 2006, a large postsecondary institution alerted some 800,000 students and others that the campus computer system containing their names, addresses and SSNs had been compromised.

The Department's Office of Inspector General (OIG) noted in Final Inspection Alert Memorandum dated February 3, 2006, that between February 15, 2005, and November 19, 2005, there were 93 documented computer breaches of electronic files involving personal information from education records such as SSNs, credit card information, and dates of birth. According to the reported data, 45 percent of these incidents have occurred at colleges and universities nationwide. OIG expressed concern that student information may be compromised due to a failure to implement or administer proper security controls for information systems at postsecondary institutions.

The Department recognizes that no system for maintaining and transmitting education records, whether in paper or electronic form, can be guaranteed safe from every hacker and thief, technological failure, violation of administrative rules, and other causes of unauthorized access and disclosure. Although FERPA does not dictate requirements for safeguarding education records, the Department encourages the holders of personally identifiable information to consider actions that mitigate the risk and are reasonably calculated to protect such information. Of course, an educational agency or institution may use any method, combination of methods, or technologies it determines to be reasonable, taking into consideration the size, complexity, and resources available to the institution; the context of the information; the type of information to be protected (such as social security numbers or directory information); and methods used by other institutions in similar circumstances. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable.

One resource for administrators of electronic data systems is “The National Institute of Standards and Technology (NIST) 800-100, Information Security Handbook: A Guide for Managers” (October 2006). A second resource is NIST 800-53, which catalogs information security controls. Similarly, a May 22, 2007 memorandum to heads of federal agencies from the Office of Management and Budget requires executive departments and agencies to ensure that proper safeguards are in place to protect personally identifiable information that they maintain, eliminate the unnecessary use of SSNs, and develop and implement a “breach notification policy.” This memorandum, although directed towards federal agencies, may also serve as a resource for educational agencies and institutions. See http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.

Finally, if an educational agency or institution has experienced a theft of files or computer equipment, hacking or other intrusion, software or hardware malfunction, inadvertent release of data to Internet sites, or other unauthorized release or disclosure of education records, the Department suggests consideration of one or more of the following steps:

  • Report the incident to law enforcement authorities.
  • Determine exactly what information was compromised, i.e., names, addresses, SSNs, ID numbers, credit card numbers, grades, and the like.
  • Take steps immediately to retrieve data and prevent any further disclosures.
  • Identify all affected records and students.
  • Determine how the incident occurred, including which school officials had control of and responsibility for the information that was compromised.
  • Determine whether institutional policies and procedures were breached, including organizational requirements governing access (user names, passwords, PINS, etc.); storage; transmission; and destruction of information from education records.
  • Determine whether the incident occurred because of a lack of monitoring and oversight.
  • Conduct a risk assessment and identify appropriate physical, technological and administrative measures for preventing similar incidents in the future.
  • Notify students that the Department's Office of Inspector General maintains a Web site describing steps students may take if they suspect they are a victim of identity theft at http://www.ed.gov/about/offices/list/oig/misused/idtheft.html; and http://www.ed.gov/about/offices/list/oig/misused/victim.html.

FERPA does not require an educational agency or institution to notify students that information from their education records was stolen or otherwise subject to an unauthorized release, although it does require the agency or institution to maintain a record of each disclosure. 34 CFR 99.32(a)(1). (However, student notification may be required in these circumstances for postsecondary institutions under the Federal Trade Commission's Standards for Insuring the Security, Confidentiality, Integrity and Protection of Customer Records and Information (“Safeguards Rule”) in 16 CFR part 314.) In any case, direct student notification may be advisable if the compromised data includes student SSNs and other identifying information that could lead to identity theft.

Electronic Access to This Document Back to Top

You may view this document, as well as all other Department of Education documents published in the Federal Register, in text or Adobe Portable Document Format (PDF) on the Internet at the following site: http://www.ed.gov/news/fedregister.

To use PDF you must have Adobe Acrobat Reader, which is available free at this site. If you have questions about using PDF, call the U.S. Government Printing Office (GPO), toll free, at 1-888-293-6498; or in the Washington, DC, area at (202) 512-1530.

Note:

The official version of this document is the document published in the Federal Register. Free Internet access to the official edition of the Federal Register and the Code of Federal Regulations is available on GPO Access at: http://www.gpoaccess.gov/nara/index.html.

(Catalog of Federal Domestic Assistance Number does not apply.)

List of Subjects in 34 CFR Part 99 Back to Top

Dated: March 17, 2008.

Margaret Spellings,

Secretary of Education.

For the reasons discussed in the preamble, the Secretary proposes to amend part 99 of title 34 of the Code of Federal Regulations as follows:

begin regulatory text

PART 99—FAMILY EDUCATIONAL RIGHTS AND PRIVACY Back to Top

1. The authority citation for part 99 continues to read as follows:

Authority:

20 U.S.C. 1232g, unless otherwise noted.

2. Section 99.2 is amended by revising the note following the authority citation to read as follows:

§ 99.2 What is the purpose of these regulations?

* * * * *

Note to § 99.2:

34 CFR 300.610 through 300.626 contain requirements regarding the confidentiality of information relating to children with disabilities who receive evaluations, services or other benefits under Part B of the Individuals with Disabilities Education Act (IDEA). 34 CFR 303.402 and 303.460 identify the confidentiality of information requirements regarding children and infants and toddlers with disabilities and their families who receive evaluations, services or other benefits under Part C of IDEA.

3. Section 99.3 is amended by:

A. Adding, in alphabetical order, a definition for State auditor.

B. Revising the definitions of Attendance, Directory information, Disclosure, and Personally identifiable information.

C. In the definition of Education records, revising paragraph (b)(5) and adding a new paragraph (b)(6).

These additions and revisions read as follows:

§ 99.3 What definitions apply to these regulations?

* * * * *

Attendance includes, but is not limited to—

(a) Attendance in person or by paper correspondence, videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom; and

(b) The period during which a person is working under a work-study program.

(Authority: 20 U.S.C. 1232g)

* * * * *

Directory information means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.

(a) Directory information includes, but is not limited to, the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors and awards received; and the most recent educational agency or institution attended.

(b) Directory information does not include a student's social security number or student identification (ID) number.

(c) Directory information includes a student's user ID or other unique personal identifier used by the student for purposes of accessing or communicating in electronic systems, but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the authorized user.

(Authority: 20 U.S.C. 1232g(a)(5)(A))

* * * * *

Disclosure means to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records by any means, including oral, written, or electronic means, to any party except the party identified as the party that provided or created the record.

(Authority: 20 U.S.C. 1232g(b)(1) and (b)(2))

* * * * *

Education Records

* * * * *

(b) * * *

(5) Records created or received by an educational agency or institution after an individual is no longer a student in attendance and that are not directly related to the individual's attendance as a student.

(6) Grades on peer-graded papers before they are collected and recorded by a teacher.

* * * * *

Personally Identifiable Information

The term includes, but is not limited to

(a) The student's name;

(b) The name of the student's parent or other family members;

(c) The address of the student or student's family;

(d) A personal identifier, such as the student's social security number, student number, or biometric record;

(e) Other indirect identifiers, such as date of birth, place of birth, and mother's maiden name;

(f) Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or

(g) Information requested by a person who the educational agency or institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates.

(Authority: 20 U.S.C. 1232g)

* * * * *

State auditor means a party under any branch of government with authority and responsibility under State law for conducting audits.

(Authority: 20 U.S.C. 1232g(b)(5))

* * * * *

4. Section 99.5 is amended by redesignating paragraph (a) as paragraph (a)(1) and adding a new paragraph (a)(2) to read as follows:

§ 99.5 What are the rights of students?

(a)(1) * * *

(2) Nothing in this section prevents an educational agency or institution from disclosing education records, or personally identifiable information from education records, to a parent without the prior written consent of an eligible student if the disclosure meets the conditions in § 99.31(a)(8), § 99.31(a)(10), § 99.31(a)(15), or any other provision in § 99.31(a).

* * * * *

5. Section 99.31 is amended by:

A. Redesignating paragraph (a)(1) as paragraph (a)(1)(i)(A) and adding new paragraphs (a)(1)(i)(B) and (a)(1)(ii).

B. Revising paragraph (a)(2).

C. Revising paragraph (a)(6)(ii).

D. In paragraph (a)(9)(ii)(A), removing the word “ or” after the punctuation “;”.

E. In paragraph (a)(9)(ii)(B), removing the punctuation “.” and adding in its place the word “; or”.

F. Adding paragraph (a)(9)(ii)(C).

G. Adding paragraph (a)(16).

H. Revising paragraph (b).

I. Adding paragraphs (c) and (d).

J. Revising the authority citation at the end of the section.

The additions and revisions read as follows:

§ 99.31 Under what conditions is prior consent not required to disclose information?

(a) * * *

(1)(i)(A) * * *

(B) A contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions may be considered a school official under this paragraph provided that the outside party—

(1) Performs an institutional service or function for which the agency or institution would otherwise use employees;

(2) Is under the direct control of the agency or institution; and

(3) Is subject to the requirements of § 99.33(a) governing the use and redisclosure of personally identifiable information from education records.

(ii) An educational agency or institution must use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests. An educational agency or institution that does not use physical or technological access controls must ensure that its administrative policy for controlling access to education records is effective and that it remains in compliance with the legitimate educational interest requirement in paragraph 99.31(a)(1)(i)(A).

(2) The disclosure is, subject to the requirements of § 99.34, to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll, or where the student is already enrolled so long as the disclosure is for purposes related to the student's enrollment or transfer.

Note:

Section 4155(b) of the No Child Left Behind Act of 2001, 20 U.S.C. 7165(b), requires each State to assure the Secretary of Education that it has a procedure in place to facilitate the transfer of disciplinary records of a student who was suspended or expelled by a local educational agency to any private or public elementary or secondary school in which the student is subsequently enrolled or seeks, intends, or is instructed to enroll.

(6) * * *

(ii) An educational agency or institution may disclose personally identifiable information under paragraph (a)(6)(i) of this section only if it enters into a written agreement with the organization specifying the purposes of the study. An educational agency or institution is not required to agree with or endorse the conclusions or results of the study. The written agreement required under this paragraph must ensure that—

(A) Information from education records is used only to meet the purpose or purposes of the study stated in the written agreement;

(B) The organization conducts the study in a manner that does not permit personal identification of parents and students, as defined in this part, by individuals other than representatives of the organization that conducts the study; and

(C) The information is destroyed or returned to the educational agency or institution when it is no longer needed for the purposes for which the study was conducted.

* * * * *

(9) * * *

(ii) * * *

(C) An ex parte court order obtained by the United States Attorney General (or designee not lower than an Assistant Attorney General) concerning investigations or prosecutions of an offense listed in 18 U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism as defined in 18 U.S.C. 2331.

* * * * *

(16) The disclosure concerns an individual required to register under section 170101 of the Violent Crime Control and Law Enforcement Act of 1994, 42 U.S.C. 14071, and the information was obtained and disclosed by the educational agency or institution in compliance with a State community notification program under 42 U.S.C. 14071(e) or (j) and applicable Federal guidelines. Nothing in the Act or these regulations requires or encourages an educational agency or institution to collect or maintain information about registered sex offenders.

(b)(1) De-identified records and information. An educational agency or institution, or a party that has received education records or information from education records under this part, may release the records or information without the consent required by § 99.30 after the removal of all personally identifiable information provided that the educational agency or institution or other party has made a reasonable determination that a student's identity is not personally identifiable because of unique patterns of information about that student, whether through single or multiple releases, and taking into account other reasonably available information.

(2) An educational agency or institution, or a party that has received education records or information from education records under this part, may release de-identified student level data from education records for the purpose of education research by attaching a code to each record that may allow the recipient to match information received from the same source, provided that—

(i) An educational agency or institution or other party that releases de-identified data under paragraph (b) of this section does not disclose any information about how it generates and assigns a record code, or that would allow a recipient to identify a student based on a record code;

(ii) The record code is used for no purpose other than identifying a de-identified record for purposes of education research and cannot be used to ascertain personally identifiable information about a student; and

(iii) The record code is not based on a student's social security number or other personal information.

(c) An educational agency or institution must use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the agency or institution discloses personally identifiable information from education records.

(d) Paragraphs (a) and (b) of this section do not require an educational agency or institution or any other party to disclose education records or information from education records to any party.

(Authority: 20 U.S.C. 1232g(a)(5)(A), (b), (h), (i), and (j))

6. Section 99.32 is amended by revising paragraph (d)(5) to read as follows:

§ 99.32 What recordkeeping requirements exist concerning requests and disclosures?

* * * * *

(d) * * *

(5) A party seeking or receiving records in accordance with § 99.31(a)(9)(ii)(A) through (C).

* * * * *

7. Section 99.33 is amended by revising paragraphs (b), (c), (d), and (e) to read as follows:

§ 99.33 What limitations apply to the redisclosure of information?

* * * * *

(b)(1) Paragraph (a) of this section does not prevent an educational agency or institution from disclosing personally identifiable information with the understanding that the party receiving the information may make further disclosures of the information on behalf of the educational agency or institution if:

(i) The disclosures meet the requirements of § 99.31; and

(ii) The educational agency or institution has complied with the requirements of § 99.32(b).

(2) A party that rediscloses personally identifiable information from education records on behalf of an educational agency or institution in response to a court order or lawfully issued subpoena under § 99.31(a)(9) must provide the notification required under § 99.31(a)(9)(ii).

(c) Paragraph (a) of this section does not apply to disclosures under § 99.31(a)(8), (9), (11), (12), (14), (15), (16), and to information that postsecondary institutions are required to disclose under the Clery Act to the accuser and accused regarding the outcome of any campus disciplinary proceeding brought alleging a sexual offense.

(d) An educational agency or institution must inform a party to whom disclosure is made of the requirements of paragraph (a) of this section except for disclosures made under § 99.31(a)(8), (9), (11), (12), (14), (15), and (16), and to information that postsecondary institutions are required to disclose under the Clery Act to the accuser and accused regarding the outcome of any campus disciplinary proceeding brought alleging a sexual offense.

(e) If this Office determines that a third party outside the educational agency or institution improperly rediscloses personally identifiable information from education records in violation of this section, the educational agency or institution may not allow that third party access to personally identifiable information from education records for at least five years.

* * * * *

8. Section 99.34 is amended by revising paragraph (a)(1)(ii) to read as follows:

§ 99.34 What conditions apply to disclosure of information to other educational agencies and institutions?

(a) * * *

(1) * * *

(ii) The annual notification of the agency or institution under § 99.7 includes a notice that the agency or institution forwards education records to other agencies or institutions that have requested the records and in which the student seeks or intends to enroll;

* * * * *

9. Section 99.35 is amended by revising paragraphs (a) and (b)(1) to read as follows:

§ 99.35 What conditions apply to disclosure of information for Federal or State program purposes?

(a)(1) Authorized representatives of the officials or agencies headed by officials listed in § 99.31(a)(3)(i) may have access to education records in connection with an audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs.

(2) Authority for an agency or official listed in § 99.31(a)(3)(i) to conduct an audit, evaluation, or compliance or enforcement activity is not conferred by the Act or this part and must be established under other Federal, State, or local law, including valid administrative regulations.

(3) State auditors that are not authorized representatives of State and local educational authorities may have access to education records in connection with an audit of Federal or State supported education programs. For purposes of this provision, an audit is limited to testing compliance with applicable laws, regulations, and standards.

(b) * * *

(1) Be protected in a manner that does not permit personal identification of individuals by anyone other than the officials or agencies headed by officials referred to in paragraph (a) of this section, except that those officials or agencies may make further disclosures of personally identifiable information from education records on behalf of the educational agency or institution in accordance with the requirements of § 99.33(b); and

* * * * *

10. Section 99.36 is amended by revising paragraphs (a) and (c) to read as follows:

§ 99.36 What conditions apply to disclosure of information in health and safety emergencies?

(a) An educational agency or institution may disclose personally identifiable information from an education record to appropriate parties, including parents of an eligible student, in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.

* * * * *

(c) In making a determination under paragraph (a) of this section, an educational agency or institution may take into account the totality of the circumstances pertaining to a threat to the safety or health of a student or other individuals. If the educational agency or institution determines that there is articulable and significant threat to the health or safety of a student or other individuals, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health and safety of the student or other individuals. If, based on the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination.

* * * * *

11. Section 99.37 is amended by:

A. Revising paragraph (b).

B. Adding new paragraphs (c) and (d).

The revision and additions read as follows:

§ 99.37 What conditions apply to disclosing directory information?

* * * * *

(b) An educational agency or institution may disclose directory information about former students without complying with the notice and opt out conditions in paragraph (a) of this section. However, the agency or institution must continue to honor any valid request to opt out of the disclosure of directory information made while a student was in attendance unless the student rescinds the opt out request.

(c) A parent or eligible student may not use the right under paragraph (a)(2) of this section to opt out of directory information disclosures to prevent an educational agency or institution from disclosing or requiring a student to disclose the student's name, electronic identifier, or institutional e-mail address in a class in which the student is enrolled.

(d) An educational agency or institution may not disclose or confirm directory information without meeting the written consent requirements in § 99.30 if a student's social security number or other non-directory information is used alone or combined with other data elements to identify or help identify the student or the student's records.

* * * * *

12. Section 99.62 is revised to read as follows:

§ 99.62 What information must an educational agency or institution submit to the Office?

The Office may require an educational agency or institution to submit reports, information on policies and procedures, annual notifications, training materials, and other information necessary to carry out its enforcement responsibilities under the Act or this part.

(Authority: 20 U.S.C. 1232g(f) and (g))

13. Section 99.64 is amended by:

A. Revising the section heading.

B. Revising paragraphs (a) and (b).

The revisions read as follows:

§ 99.64 What is the investigation procedure?

(a) A complaint must contain specific allegations of fact giving reasonable cause to believe that a violation of the Act or this part has occurred. A complaint does not have to allege that a violation is based on a policy or practice of the educational agency or institution.

(b) The Office investigates a timely complaint filed by a parent or eligible student, or conducts its own investigation when no complaint has been filed or a complaint has been withdrawn, to determine whether an educational agency or institution has failed to comply with a provision of the Act or this part. If the Office determines that an educational agency or institution has failed to comply with a provision of the Act or this part, it may also determine whether the failure to comply is based on a policy or practice of the agency or institution.

* * * * *

14. Section 99.65 is revised to read as follows:

§ 99.65 What is the content of the notice of investigation issued by the Office?

(a) The Office notifies the complainant, if any, and the educational agency or institution in writing if it initiates an investigation under § 99.64(b). The notice to the educational agency or institution—

(1) Includes the substance of the allegations against the educational agency or institution; and

(2) Directs the agency or institution to submit a written response and other relevant information, as set forth in § 99.62, within a specified period of time, including information about its policies and practices regarding education records.

(b) The Office notifies the complainant if it does not initiate an investigation because the complaint fails to meet the requirements of § 99.64.

(Authority: 20 U.S.C. 1232g(g))

15. Section 99.66 is amended by revising paragraphs (a), (b), and the introductory text of paragraph (c) to read as follows:

§ 99.66 What are the responsibilities of the Office in the enforcement process?

(a) The Office reviews a complaint, if any, information submitted by the educational agency or institution, and any other relevant information. The Office may permit the parties to submit further written or oral arguments or information.

(b) Following its investigation, the Office provides to the complainant, if any, and the educational agency or institution a written notice of its findings and the basis for its findings.

(c) If the Office finds that an educational agency or institution has not complied with a provision of the Act or this part, it may also find that the failure to comply was based on a policy or practice of the agency or institution. A notice of findings issued under paragraph (b) of this section to an educational agency or institution that has not complied with a provision of the Act or this part—

* * * * *

16. Section 99.67 is amended by:

A. Revising the introductory text of paragraph (a).

B. In paragraph (a)(1), removing the punctuation “;” and adding, in its place, the punctuation “.”.

C. In paragraph (a)(2) removing the word “; or” and adding, in its place, the punctuation “.”.

The revision reads as follows:

§ 99.67 How does the Secretary enforce decisions?

(a) If the Office determines that an educational agency or institution has a policy or practice in violation of the Act or this part, the Secretary may take any legally available enforcement action, including the following enforcement actions available in accordance with part E of the General Education Provisions Act:

* * * * *

end regulatory text

[FR Doc. E8-5790 Filed 3-21-08; 8:45 am]

BILLING CODE 4000-01-P

Site Feedback