Skip to Content
Proposed Rule

Family Educational Rights and Privacy

Action

Notice Of Proposed Rulemaking.

Summary

The Secretary proposes to amend the regulations implementing section 444 of the General Education Provisions Act, which is also known as the Family Educational Rights and Privacy Act of 1974, as amended (FERPA). These proposed amendments are necessary to ensure that the Department's implementation of FERPA continues to protect the privacy of education records, as intended by Congress, while allowing for the effective use of data in statewide longitudinal data systems (SLDS) as envisioned in the America Creating Opportunities to Meaningfully Promote Excellence in Technology, Education, and Science Act (COMPETES Act) and furthermore supported under the American Recovery and Reinvestment Act of 2009 (ARRA). Improved access to data contained within an SLDS will facilitate States' ability to evaluate education programs, to build upon what works and discard what does not, to increase accountability and transparency, and to contribute to a culture of innovation and continuous improvement in education. These proposed amendments would enable authorized representatives of State and local educational authorities, and organizations conducting studies, to use SLDS data to achieve these important outcomes while protecting privacy under FERPA through an expansion of the requirements for written agreements and the Department's enforcement mechanisms.

Unified Agenda

Family Educational Rights and Privacy

3 actions from April 8th, 2011 to December 2011

  • April 8th, 2011
  • May 23rd, 2011
    • NPRM Comment Period End
  • December 2011
    • Final Action
 

Table of Contents Back to Top

DATES: Back to Top

We must receive your comments on or before May 23, 2011. Comments received after this date will not be considered.

ADDRESSES: Back to Top

Submit your comments through the Federal eRulemaking Portal or via postal mail, commercial delivery, or hand delivery. We will not accept comments by fax or by e-mail. Please submit your comments only one time, in order to ensure that we do not receive duplicate copies. In addition, please include the Docket ID at the top of your comments.

  • Federal eRulemaking Portal: Go to http://www.regulations.gov to submit your comments electronically. Information on using Regulations.gov, including instructions for accessing agency documents, submitting comments, and viewing the docket, is available on the site under “How To Use This Site.”
  • Postal Mail, Commercial Delivery, or Hand Delivery. If you mail or deliver your comments about these proposed regulations, address them to Regina Miles, U.S. Department of Education, 400 Maryland Avenue, SW., Washington, DC 20202.

Privacy Note:

The Department's policy for comments received from members of the public (including those comments submitted by mail, commercial delivery, or hand delivery) is to make these submissions available for public viewing in their entirety on the Federal eRulemaking Portal at http://www.regulations.gov. Therefore, commenters should be careful to include in their comments only information that they wish to make publicly available on the Internet.

FOR FURTHER INFORMATION CONTACT: Back to Top

Ellen Campbell, U.S. Department of Education, 400 Maryland Avenue, SW., Washington, DC 20202. Telephone: (202) 260-3887 or via Internet: FERPA@ed.gov.

If you use a telecommunications device for the deaf, call the Federal Relay Service (FRS), toll free, at 1-800-877-8339.

Individuals with disabilities can obtain this document in an accessible format (e.g., braille, large print, audiotape, or computer diskette) on request to the contact person listed under FOR FURTHER INFORMATION CONTACT.

SUPPLEMENTARY INFORMATION: Back to Top

Invitation to Comment Back to Top

We invite you to submit comments regarding these proposed regulations. To ensure that your comments have maximum effect in developing the final regulations, we urge you to identify clearly the specific section or sections of the proposed regulations that each of your comments addresses and to arrange your comments in the same order as the proposed regulations.

We invite you to assist us in complying with the specific requirements of Executive Order 12866 and its overall requirement of reducing regulatory burden that might result from these proposed regulations. Please let us know of any further opportunities we should take to reduce potential costs or increase potential benefits while preserving the effective and efficient administration of the program.

During and after the comment period, you may inspect all public comments about these proposed regulations by accessing http://www.regulations.gov. You may also inspect the comments in person in room 6W243, 400 Maryland Avenue, SW., Washington, DC, 20202 between the hours of 8:30 a.m. and 4 p.m. Eastern time, Monday through Friday of each week except Federal holidays.

Assistance to Individuals With Disabilities in Reviewing the Rulemaking Record Back to Top

On request, we will supply an appropriate aid, such as a reader or print magnifier, to an individual with a disability who needs assistance to review the comments or other documents in the public rulemaking record for these proposed regulations. If you want to schedule an appointment for this type of aid, please contact the person listed under FOR FURTHER INFORMATION CONTACT.

Background: On February 17, 2009, the President signed the ARRA (Pub. L. 111-5) into law. The ARRA includes significant provisions relating to the expansion and development of SLDS. Under title XIV of the ARRA, in order for a State to receive funding under the State Fiscal Stabilization Fund program (SFSF), the State's Governor must provide an assurance in the State's application for SFSF funding that the State will establish an SLDS that meets the requirements of section 6401(e)(2)(D) of the COMPETES Act (20 U.S.C. 9871(e)(2)(D)).

With respect to public preschool through grade 12 and postsecondary education, COMPETES requires that the SLDS include: (a) A unique statewide student identifier that, by itself, does not permit a student to be individually identified by users of the system; (b) student-level enrollment, demographic, and program participation information; (c) student-level information about the points at which students exit, transfer in, transfer out, drop out, or complete P-16 education programs; (d) the capacity to communicate with higher education data systems; and (e) a State data audit system assessing data quality, validity, and reliability.

With respect to public preschool through grade 12 education, COMPETES requires that the SLDS include: (a) Yearly test records of individual students with respect to assessments under section 1111(b) of the Elementary and Secondary Education Act of 1965, as amended (20 U.S.C. 6311(b)); (b) information on students not tested by grade and subject; (c) a teacher identifier system with the ability to match teachers to students; (d) student-level transcript information, including information on courses completed and grades earned; and (e) student-level college readiness test scores.

With respect to postsecondary education, COMPETES requires that the SLDS include: (a) Information regarding the extent to which students transition successfully from secondary school to postsecondary education, including whether students enroll in remedial coursework; and (b) other information determined necessary to address alignment and adequate preparation for success in postsecondary education.

Separate provisions in title VIII of the ARRA appropriated $250 million for additional grants to State educational agencies (SEAs) under the Statewide Longitudinal Data Systems program, authorized under section 208 of the Educational Technical Assistance Act of 2002 (20 U.S.C. 9601, et seq.) to support the expansion of SLDS to include postsecondary and workforce information.

The extent of data sharing contemplated by these and other Federal initiatives prompted the Department to review the impact that its FERPA regulations could have on the development and use of SLDS. FERPA is a Federal law that protects student privacy by prohibiting educational agencies and institutions from having a practice or policy of disclosing personally identifiable information in student education records (“PII”) unless a parent or eligible student provides prior written consent or a statutory exception applies. In those circumstances in which educational agencies and institutions may disclose PII to third parties without consent, FERPA and its implementing regulations limit the redisclosure of PII by the recipients, except as set forth in §§ 99.33(c) and (d) and 99.35(c)(2) (see 20 U.S.C. 1232g(b)(3) and (b)(4)(B) and §§ 99.33 and 99.35(c)(2)). For example, State and local educational authorities that receive PII without consent from the parent or eligible student under the “audit or evaluation” exception may not make further disclosures of the PII on behalf of the educational agency or institution unless prior written consent from the parent or eligible student is obtained, Federal law specifically authorized the collection of the PII, or a statutory exception applies and the redisclosure and recordation requirements are met (see 20 U.S.C. 1232g(b)(3) and (b)(4) and §§ 99.32(b)(2), 99.33(b)(1)), and 99.35(c)).

In light of the ARRA, the Department has conducted a review of its FERPA regulations in 34 CFR part 99, including changes reflected in the final regulations published on December 9, 2008 (73 FR 74806). Further, the Department has reviewed its guidance interpreting FERPA, including statements made in the preamble discussion to the final regulations published on December 9, 2008 (73 FR 74806).

Based on its review, the Department has determined that the Department's December 2008 changes to the FERPA regulations promote the development and expansion of robust SLDS in the following ways:

  • Expanding the redisclosure authority in FERPA by amending § 99.35 to permit State and local educational authorities and other officials listed in § 99.31(a)(3) to make further disclosures of personally identifiable information from education records, without the consent of parents or eligible students, on behalf of the educational agency or institution from which the PII was obtained under specified conditions (see§§ 99.33(b)(1) and 99.35(b)(1)).
  • Permitting SEAs and other State educational authorities, as well as the other officials listed in § 99.31(a)(3), to record their redisclosures at the time they are made and by groups (i.e., by the student's class, school district, or other appropriate grouping rather than by the name of each student whose record was redisclosed); and only requiring them to send these records of redisclosure to the educational agencies or institutions from which the PII was obtained upon the request of an educational agency or institution (see§ 99.32(b)(2)).

Notwithstanding these provisions in the Department's FERPA regulations and the preamble discussion relating to the December 2008 changes to the regulations, the Department's review indicates that there are a small number of other regulatory provisions and policy statements that unnecessarily hinder the development and expansion of SLDS consistent with the ARRA. Because the Department has determined that these regulatory provisions and policies are not necessary to ensure privacy protections for PII, it proposes to amend 34 CFR part 99 to make the changes described in the following section.

Significant Proposed Regulations Back to Top

We discuss substantive issues under the sections of the proposed regulations to which they pertain. Generally, we do not address proposed regulatory provisions that are technical or otherwise minor in effect.

Definitions (§ 99.3) Back to Top

Authorized Representative (§§ 99.3, 99.35)

Statute: Sections (b)(1)(C), (b)(3) and (b)(5) of FERPA (20 U.S.C. 1232g(b)(1)(C), (b)(3) and (b)(5)) permit educational agencies and institutions nonconsensually to disclose PII to “authorized representatives” of State and local educational authorities, the Secretary, the Attorney General of the United States, and the Comptroller General of the United States, as may be necessary in connection with the audit, evaluation, or the enforcement of Federal legal requirements related to Federal or State supported education programs. The statute does not define the term authorized representative.

Current Regulations: The term authorized representative, which is used in current §§ 99.31(a)(3) and 99.35(a)(1), is not defined in the current regulations. Current §§ 99.31(a)(3) and 99.35(a)(1), together, implement sections (b)(1)(C), (b)(3) and (b)(5) of FERPA (20 U.S.C. 1232g(b)(1)(C), (b)(3) and (b)(5)).

Proposed Regulations: We propose to amend § 99.3 to add a definition of the term authorized representative. Under the proposed definition, an authorized representative would mean any entity or individual designated by a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) to conduct—with respect to Federal or State supported education programs—any audit, evaluation, or compliance or enforcement activity in connection with Federal legal requirements that relate to those programs.

In order to help ensure proper implementation of FERPA requirements that protect student privacy, we also propose to amend § 99.35 (What conditions apply to disclosure of information for Federal or State program purposes?). Specifically, we would provide, in proposed § 99.35(a)(2), that responsibility remains with the State or local educational authority or agency headed by an official listed in § 99.31(a)(3) to use reasonable methods to ensure that any entity designated as its authorized representative remains compliant with FERPA. We are not proposing to define “reasonable methods” in the proposed regulations in order to provide flexibility for a State or local educational authority or an agency headed by an official listed in § 99.31(a)(3) to make these determinations. However, we are interested in receiving comments on what would be considered reasonable methods. The Department anticipates issuing non-regulatory guidance on this and other related matters when we issue the final regulations or soon thereafter.

We also would amend § 99.35 to require written agreements between a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) and its authorized representative, other than an employee (see proposed § 99.35(a)(3)). We propose that these agreements: designate the individual or entity as an authorized representative; specify the information to be disclosed and that the purpose for which the PII is disclosed to the authorized representative is only to carry out an audit or evaluation of Federal or State supported education programs, or to enforce or to comply with Federal legal requirements that relate to those programs; require the return or destruction of the PII when no longer needed for the specified purpose in accordance with the requirements of § 99.35(b)(2); specify the time period in which the PII must be returned or destroyed; and establish policies and procedures (consistent with FERPA and other Federal and State confidentiality and privacy provisions) to protect the PII from further disclosure (except back to the disclosing entity) and unauthorized use, including limiting the use of PII to only those authorized representatives with legitimate interests (see proposed § 99.35(a)(3)).

We would propose a minor change to § 99.35(b) to clarify that the requirement to protect PII from disclosure applies to authorized representatives.

Finally, proposed § 99.35(d) would clarify that if the Department's Family Policy Compliance Office (FPCO) finds that a State or local educational authority, an agency headed by an official listed in § 99.31(a)(3), or an authorized representative of a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) improperly rediscloses PII in violation of FERPA, the educational agency or institution from which the PII originated would be prohibited from permitting the entity responsible for the improper redisclosure (i.e., the authorized representative, or the State or local educational authority or the agency headed by an officials listed in § 99.31(a)(3), or both) access to the PII for at least five years (see 20 U.S.C. 1232g(b)(4)(B) and § 99.33(e)).

Reasons: Under current §§ 99.31(a)(3) and 99.35(a)(1) and 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5), an educational agency or institution may disclose PII to an authorized representative of a State or local educational authority or an agency headed by an official listed in § 99.31(a)(3), without prior written consent, for the purposes of conducting—with respect to Federal or State supported education programs—any audit, evaluation, or compliance or enforcement activity in connection with Federal legal requirements that relate to those education programs, provided that such disclosures are subject to the applicable privacy protections in FERPA. Although the term authorized representative is not defined in FERPA or the current regulations, the Department's longstanding interpretation of this term has been that it does not include other State or Federal agencies because these agencies are not under the direct control (e.g., they are not employees or contractors) of a State educational authority (or other agencies headed by officials listed in § 99.31(a)(3)). (Memorandum from William D. Hansen, Deputy Secretary of Education, to State officials, January 30, 2003, (“Hansen memorandum”)). Under this interpretation of the term authorized representative, as it is used in current §§ 99.31(a)(3) and 99.35(a)(1) (and 1232g(b)(1)(C), (b)(3), and (b)(5)), an SEA or other State educational authority may not make further disclosures of PII to other State agencies, such as State health and human services departments, because these agencies are not employees or contractors to which the State educational authority has outsourced the audit or evaluation of education programs (or other institutional services or functions). (This interpretation was later incorporated in the preamble to the final FERPA regulations published on December 9, 2008 (73 FR 74806, 74825).)

As explained in further detail in the following paragraphs, the Department has concluded that FERPA does not require that an authorized representative be under the educational authority's direct control in order to receive PII for purposes of audit or evaluation. We also do not believe such a restrictive interpretation is warranted given Congress' intent in the ARRA to have States link data across sectors. Through these regulations, therefore, we are proposing to rescind the policy established in the January 30, 2003, Hansen memorandum and the preamble to the final FERPA regulations published on December 9, 2008 (73 FR 74806, 74825). These proposed regulations also would expressly permit State and local educational authorities and other agencies headed by officials listed in § 99.31(a)(3) to exercise the flexibility and discretion to designate other individuals and entities, including other governmental agencies, as their authorized representatives for evaluation, audit, or legal enforcement or compliance purposes of a Federal or State-supported education program, subject to the requirements in FERPA and its implementing regulations.

We first note that nothing in FERPA prescribes which agencies, organizations, or individuals may serve as an authorized representative of a State or local educational authority or an agency headed by an official listed in § 99.31(a)(3), or whether an authorized representative must be a public or private entity or official. Moreover, the Department believes that it is unnecessarily restrictive to interpret FERPA as prohibiting an individual or entity who is not an employee or contractor under the “direct control” of a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) from serving as an authorized representative.

One of the key purposes of FERPA is to ensure the privacy of personally identifiable information in student education records. Therefore, the determination of who can serve as an authorized representative should be made in light of that purpose. Accordingly, we believe it is appropriate to require that any State or local educational authority or agency headed by an official listed in § 99.31(a)(3) that designates an individual or entity as an authorized representative—

  • Be responsible for using reasonable methods to ensure that the designated individual or entity—

○ Uses PII only for purposes of the audit, evaluation, or compliance or enforcement activity in question;

○ Destroys or returns PII when no longer needed for these purposes; and

○ Protects PII from redisclosure (and use by any other third party), except as permitted in § 99.35(b)(1) (i.e., back to the disclosing entity) (see proposed § 99.35(a)(2)); and

  • Use a written agreement that designates any authorized representative other than an employee and includes the privacy protections set forth in proposed § 99.35(a)(3) (i.e., to use reasonable methods to limit its authorized representative's use of PII for these purposes, to require the return or destruction of PII when it is no longer needed for these purposes, and to establish policies and procedures consistent with FERPA and other Federal and State confidentiality and privacy provisions) to protect PII from further disclosure (except back to the disclosing entity). If a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) is able to comply with these requirements (i.e., to use reasonable methods to limit its authorized representative's use of PII for these purposes, to establish policies and procedures to protect PII from further disclosure and to require the return or destruction of PII when it is no longer needed for these purposes), then there is no reason why a State health and human services or labor department, for example, should be precluded from serving as the authority's authorized representative and receiving non-consensual disclosures of PII to link education, workforce, health, family services, and other data for the purpose of evaluating, auditing, or enforcing Federal legal requirements related to, Federal or State supported education programs.

Furthermore, under proposed § 99.35(d), we would clarify that in the event that the Family Policy Compliance Office finds an improper redisclosure, the Department would prohibit the educational agency or institution from which the PII originated from permitting the party responsible for the improper redisclosure (i.e., the authorized representative, or the State or local educational authority or agency headed by an official listed in § 99.31(a)(3), or both) access to the PII for at least five years.

With these proposed changes to the privacy provisions in § 99.35, we believe that PII, including PII in SLDS, will be appropriately protected while giving each State the needed flexibility to house information in a SLDS that best meets the needs of the particular State. FERPA does not constrain State administrative choices regarding the data system architecture, data strategy, or technology for SLDS as long as the required designation, purpose, and privacy protections are in place. The proposed amendments to § 99.35 would require that these protections are in place.

Directory Information (§ 99.3) Back to Top

Statute: Sections (a)(5)(A), (b)(1), and (b)(2) of FERPA (20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2)) permit educational agencies and institutions nonconsensually to disclose information defined as directory information, such as a student's name and address, telephone listing, date and place of birth, and major field of study, provided that specified public notice and opt out conditions have been met.

Current Regulations: Directory information is defined in current § 99.3 as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed, and includes information listed in section (a)(5)(A) of FERPA (20 U.S.C. 1232g(a)(5)(A)) (e.g., a student's name and address, telephone listing) as well as other information, such as a student's electronic mail (e-mail) address, enrollment status, and photograph. Current regulations also specify that a student's Social Security Number (SSN) or student identification (ID) number may not be designated and disclosed as directory information. However, the current regulations state that a student ID number, user ID, or other unique personal identifier used by the student for purposes of accessing or communicating in electronic systems may be designated and disclosed as directory information if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors to authenticate the user's identity.

Proposed Regulations: The proposed regulations would modify the definition of directory information to clarify that an educational agency or institution may designate as directory information and nonconsensually disclose a student ID number or other unique personal identifier that is displayed on a student ID card or badge if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a PIN, password, or other factor known or possessed only by the authorized user.

Reasons: Directory information items, such as name, photograph, and student ID number, are the types of information that are typically displayed on a student ID card or badge. For the reasons outlined in our discussion later in this notice regarding the proposed changes in § 99.37(c), the proposed change to the definition of directory information is needed to clarify that FERPA permits educational agencies and institutions to designate student ID numbers as directory information in the public notice provided to parents and eligible students in attendance at the agency or institution under § 99.37(a)(1). Including the designation of student ID numbers as a directory information item will permit schools to disclose as directory information a student ID number on a student ID card or badge if the student ID number cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity. In situations where a student's social security number is used as the student's ID number, that number may not be designated as directory information, even for purposes of a student's ID card or badge.

Education Program (§§ 99.3, 99.35) Back to Top

Statute: The statute does not define the term education program.

Current Regulations: The term education program, which is used in current § 99.35(a)(1), is not defined in the current regulations. Current § 99.35(a)(1) provides that authorized representatives of the officials or agencies headed by officials listed in § 99.31(a)(3) may have non-consensual access to personally identifiable information from education records in connection with an audit or evaluation of Federal or State supported “education programs”, or for the enforcement of or compliance with Federal legal requirements that relate to those programs.

Proposed Regulations: We propose to define the term education program to mean any program that is principally engaged in the provision of education, including, but not limited to early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, regardless of whether the program is administered by an educational authority.

Reasons: The proposed definition of education program in § 99.3 is intended to establish that a program need not be administered by an educational agency or institution in order for it to be considered an education program for purposes of § 99.35(a)(1) and 20 U.S.C. 1232g(b)(1). The Secretary recognizes that education may begin before kindergarten and may involve learning outside of postsecondary institutions. However, in many States, programs that the Secretary would regard as education programs are not administered by SEAs or LEAs. For example, in many States, State-level health and human services departments administer early childhood education programs, including early intervention programs authorized under Part C of the Individuals with Disabilities Education Act (IDEA). Similarly, agencies other than SEAs may administer career and technical education or adult education programs. Because all of these programs could benefit from the type of rigorous data-driven evaluation that SLDS will facilitate, we are proposing to define the term education program to include these programs that are not administered by education agencies. This proposed change would provide greater access to information on students before entering or exiting the P-16 programs. The information could be used to evaluate these education programs and provide increased opportunities to build upon successful ones and improve less successful ones. In order to accomplish these objectives, and to give States the flexibility needed to develop and expand the SLDS contemplated under the ARRA, the Department proposes to interpret the term education program, as used in FERPA and its implementing regulations, to mean any program that is principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, even when agencies other than SEAs administer such a program. [1] Thus, as an example, under the proposed definitions of the terms, authorized representative and education program, FERPA would permit a State educational authority to designate a State health and human services agency as its authorized representative in order to conduct an audit or an evaluation of any Federal or State supported education program, such as the Head Start program.

Research Studies (§ 99.31(a)(6)) Back to Top

Statute: Section (b)(1)(F) of FERPA permits educational agencies and institutions non-consensually to disclose PII to organizations conducting studies for, or on behalf of, educational agencies and institutions to improve instruction, to administer student aid programs, or to develop, validate, or administer predictive tests.

Current Regulations: Current § 99.31(a)(6)(ii)(C) requires that an educational agency or institution enter into a written agreement with the organization conducting the study that specifies the purpose, scope, and duration of the study and the information to be disclosed and meets certain other requirements. Current regulations do not indicate whether State and local educational authorities and agencies headed by officials listed in § 99.31(a)(3) that may redisclose PII on behalf of educational agencies and institutions under § 99.33(b) may also enter into this type of written agreement.

Proposed Regulations: The Secretary proposes to amend § 99.31 by redesignating paragraphs (a)(6)(ii) through (a)(6)(v) as paragraphs (a)(6)(iii) through (a)(6)(vi) and adding a new paragraph (a)(6)(ii). This new paragraph would clarify that nothing in FERPA or its implementing regulations prevents a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) from entering into agreements with organizations conducting studies under § 99.31(a)(6)(i) and redisclosing PII on behalf of the educational agencies and institutions that provided the information in accordance with the requirements of § 99.33(b). We also propose to amend § 99.31(a)(6) to require written agreements between a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) and any organization conducting studies with redisclosed PII under this exception (see proposed § 99.31(a)(6)(iii)(C)). Under this amended regulatory provision, these agreements would need to contain the specific provisions currently required in agreements between educational agencies or institutions and such organizations under current § 99.31(a)(6)(ii)(C). Thus, the only differences between proposed § 99.31(a)(6)(iii)(C) and current § 99.31(a)(6)(ii)(C) would be to make the written agreement requirements apply to State or local educational authorities or agencies headed by an official listed in § 99.31(a)(3) as well as educational agencies and institutions. Finally, newly redesignated § 99.31(a)(6)(iv) and (a)(6)(v) would be revised to ensure that these provisions apply to State and local educational authorities or agencies headed by an official listed in § 99.31(a)(3)—not only educational agencies and institutions.

Reasons: In the preamble to the FERPA regulations published in the Federal Register on December 9, 2008 (73 FR 74806, 74826), the Department explained that an SEA or other State educational authority that has legal authority to enter into agreements for LEAs or postsecondary institutions under its jurisdiction may enter into an agreement with an organization conducting a study for the LEA or institution under the studies exception in § 99.31(a)(6). The preamble explained further that if the SEA or other State educational authority does not have the legal authority to act for or on behalf of an LEA or institution, then the SEA or other State educational authority would not be permitted to enter into an agreement with an organization under this exception. The changes reflected in proposed § 99.31(a)(6)(ii) are necessary to clarify that while FERPA does not confer legal authority on State and Federal agencies to enter into agreements and act on behalf of or in place of LEAs and postsecondary institutions, nothing in FERPA prevents them from entering into these agreements and redisclosing PII on behalf of LEAs and postsecondary institutions to organizations conducting studies under § 99.31(a)(6) in accordance with the redisclosure requirements in § 99.33(b).

As explained in the preamble to the December 2008 regulations (see 73 FR 74806, 74821), the Department recognizes that the State and local educational authorities and Federal officials that receive PII without consent under § 99.31(a)(3) are generally responsible for supervising and monitoring LEAs and postsecondary institutions. SEAs and State higher educational agencies, in particular, typically have the role and responsibility to perform and support research and evaluation of publicly funded education programs for the benefit of multiple educational agencies and institutions in their States. We understand further that these relationships generally provide sufficient authority for a State educational authority to enter into an agreement with an organization conducting a study and to redisclose PII received from educational agencies and institutions that provided the information in accordance with § 99.33(b). The proposed regulations, therefore, would clarify that studies supported by these State and Federal authorities of publicly funded education programs generally may be conducted, while simultaneously ensuring that any PII disclosed is appropriately protected by the organizations conducting the studies.

In the event that an educational agency or institution objects to the redisclosure of PII it has provided, the State or local educational authority or agency headed by an official listed in § 99.31(a)(3) may rely instead on any independent authority it has to further disclose the information on behalf of the agency or institution. The Department recognizes that this authority may be implied and need not be explicitly granted.

Authority To Audit or Evaluate (§ 99.35) Back to Top

Statute: Sections (b)(1)(C), (b)(3) and (b)(5) of FERPA (20 U.S.C. 1232g(b)(1)(C), (b)(3) and (b)(5)) permit educational agencies and institutions non-consensually to disclose PII to authorized representatives of State and local educational authorities, the Secretary, the Attorney General of the United States, and the Comptroller General of the United States, as may be necessary in connection with the audit, evaluation, or the enforcement of Federal legal requirements related to Federal or State supported education programs.

Current Regulations: Current § 99.35(a)(2) provides that in order for a State or local educational authority or other agency headed by an official listed in § 99.31(a)(3) to conduct an audit, evaluation, or compliance or enforcement activity, its authority to do so must be established under other Federal, State, or local authority because that authority is not conferred by FERPA.

Proposed Regulations: The Secretary proposes to amend § 99.35(a)(2) by removing the provision that a State or local educational authority or other agency headed by an official listed in § 99.31(a)(3) must establish legal authority under other Federal, State or local law to conduct an audit, evaluation, or compliance or enforcement activity.

Reasons: Current §§ 99.33(b)(1) and 99.35(b)(1) permit State and local educational authorities and agencies headed by officials listed in § 99.31(a)(3) to further disclose PII from education records on behalf of educational agencies or institutions to other authorized recipients under § 99.31, including separate State educational authorities at different levels of education, provided that the redisclosure meets the requirements of § 99.33(b)(1) and the recordkeeping requirements in § 99.32(b). However, we believe that our prior guidance and statements made in the preambles to the notice of proposed rulemaking published on March 24, 2008 (73 FR 15574), and the final regulations published on December 9, 2008 (73 FR 74806), may have created some confusion about whether a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) that receives PII under the audit and evaluation exception must be authorized to conduct an audit or evaluation of a Federal or State supported education program, or enforcement or compliance activity in connection with Federal legal requirements related to the education program of the disclosing educational agency or institution or whether the PII may be disclosed in order for the recipient to conduct an audit, evaluation, or enforcement or compliance activity with respect to the recipient's own Federal or State supported education programs.

By removing the language concerning legal authority from current § 99.35(a)(2), the Department would clarify two things to eliminate this confusion. First, the Department would clarify that the authority for a State or local educational authority or Federal agency headed by an official listed in § 99.31(a)(3) to conduct an audit, evaluation, enforcement or compliance activity may be express or implied. And, second, the Department would clarify that FERPA permits non-consensual disclosure of PII to a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) to conduct an audit, evaluation, or compliance or enforcement activity with respect to the Federal or State supported education programs of the recipient's own Federal or State supported education programs as well as those of the disclosing educational agency or the institution.

The Department intends these clarifications to promote Federal initiatives to support the robust use of data by State and local educational authorities to evaluate the effectiveness of Federal or State supported education programs. The provision of postsecondary student data to P-12 data systems is vital to evaluating whether P-12 schools are effectively preparing students for college. This proposed clarification would, for example, establish that FERPA does not prohibit a private postsecondary institution from non-consensually disclosing to an LEA PII on the LEA's former students who are now in attendance at the private postsecondary institution, as may be necessary for the LEA to evaluate the Federal or State supported education programs that the LEA administers. This proposed clarification similarly would establish that FERPA does not prohibit a postsecondary data system from non-consensually redisclosing PII to an SEA in connection with the SEA's evaluation of whether the State's LEAs effectively prepared their graduates to enroll, persist, and succeed in postsecondary education.

Directory Information (§ 99.37) Back to Top

Section 99.37(c) (Student ID Cards and ID Badges)

Statute: The statute does not address whether parents and eligible students may use their right to opt out of directory information disclosures to prevent school officials from requiring students to disclose ID cards or to wear ID badges.

Current Regulations: Current regulations do not address whether parents and eligible students may use their right to opt out of directory information disclosures to prevent school officials from requiring students to disclose ID cards or to wear ID badges.

Proposed Regulations: The proposed regulations would provide in § 99.37(c) that parents or eligible students may not use their right to opt out of directory information disclosures to prevent an educational agency or institution from requiring students to wear or otherwise disclose student ID cards or badges that display information that may be designated as directory information under § 99.3 and that has been properly designated by the educational agency or institution as directory information under § 99.37(a)(1).

Reasons: An increased awareness of school safety and security has prompted some educational agencies and institutions, especially school districts, to require students to wear and openly display a student ID badge that contains identifying information (typically, name, photo, and student ID number) when the student is on school property or participates in extracurricular activities. We have received inquiries about this issue, as well as complaints that the mandatory public display of identifying information on a student ID badge violates the FERPA rights of parents and eligible students who have opted out of directory information disclosures. The proposed regulations are needed to clarify that the right to opt out of directory information disclosures is not a mechanism for students, when in school or at school functions, to refuse to wear student ID badges or to display student ID cards that display information that may be designated as directory information under § 99.3 and that has been properly designated by the educational agency or institution as directory information under § 99.37(a)(1). Because we recognize that the types of ID cards and badges that postsecondary institutions require may differ significantly from those required by elementary and secondary schools, we are requesting comments from postsecondary officials on whether this proposed change raises any particularized concerns for their institutions.

The directory information exception is intended to facilitate communication among school officials, parents, students, alumni, and others, and permits schools to publicize and promote institutional activities to the general public. Many schools do so by publishing paper or electronic directories that contain student names, addresses, telephone listings, e-mail addresses, and other information the institution has designated as directory information. Some schools do not publish a directory but do release directory information on a more selective basis. FERPA allows a parent or eligible student to opt out of these disclosures (under the conditions specified in § 99.37(a)), whether the information is made available to the general public, limited to members of the school community, or released only to specified individuals.

The Secretary believes, however, that the need for schools and college campuses to implement measures to ensure the safety and security of students is of the utmost importance and that FERPA should not be used as an impediment to achieving student safety. Thus, the right to opt out of the disclosure of directory information does not include the right to refuse to wear or otherwise disclose a student ID card or badge that displays directory information and, therefore, may not be used to impede a school's ability to monitor and control who is in school buildings or on school grounds or whether a student is where he or she should be. This proposed change would mean that, even when a parent or eligible student opts out of the disclosure of directory information, an educational agency or institution may nevertheless require the student to wear and otherwise disclose a student ID card or badge that displays information that may be designated as directory information under § 99.3 and that has been properly designated by the educational agency or institution as directory information under § 99.37(a)(1).

Section 99.37(d) (Limited Directory Information Policy) Back to Top

Statute: Under sections (a)(5), (b)(1), and (b)(2) of FERPA (20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2)), an educational agency or institution may disclose directory information without meeting FERPA's written consent requirements provided that it first notifies the parents or eligible students of the types of information that may be disclosed and allows them to opt out of the disclosure. The statute lists a number of items in the definition of directory information, including a student's name, address, and telephone listing. The statute does not otherwise address whether an educational agency or institution may have a limited directory information policy in which it specifies the exact parties who may receive directory information, the specific purposes for which the directory information may be disclosed, or both.

Current Regulations: Section 99.37(a) requires an educational agency or institution to provide public notice to parents of students in attendance and eligible students in attendance of the types of directory information that may be disclosed and the parent's or eligible student's right to opt out.

Proposed Regulations: Proposed § 99.37(d) would clarify that an educational agency or institution may specify in the public notice it provides to parents and eligible students in attendance provided under § 99.37(a) that disclosure of directory information will be limited to specific parties, for specific purposes, or both. We also propose to clarify that an educational agency or institution that adopts a limited directory information policy must limit its directory information disclosures only to those parties and purposes that were specified in the public notice provided under § 99.37(a).

Reasons: Some school officials have advised us that their educational agencies and institutions do not have a directory information policy under FERPA, due to concerns about the potential misuse by members of the public of personally identifiable information about students, including potential identity theft. Clarifying that the regulations permit educational agencies and institutions to have a limited directory information policy would give educational agencies and institutions greater discretion in protecting student privacy by permitting them to limit the release of directory information for specific purposes, to specific parties, or both. This proposed change also would provide a regulatory authority for FPCO to investigate and enforce a violation of a limited directory information policy by an educational agency or institution.

However, in order not to impose additional administrative burdens on educational agencies and institutions, the Department is not proposing changes to the recordkeeping requirement in § 99.32(d)(4), which currently excepts educational agencies and institutions from having to record the disclosure of directory information. For similar reasons, the Department is not proposing to amend the redisclosure provisions in § 99.33(c), which except the redisclosure of directory information from the general prohibition on redisclosure of personally identifiable information. While the Department is not proposing to regulate on the redisclosure of directory information by third parties that receive directory information from educational agencies or institutions under a limited directory information policy, we nevertheless strongly recommend that educational agencies and institutions that choose to adopt a limited directory information policy assess the need to protect the directory information from further disclosure by the third parties to which they disclose directory information; when a need to protect the information from further disclosure is identified, educational agencies and institutions should enter into non-disclosure agreements with the third parties.

Enforcement Procedures With Respect to Any Recipient of Department Funds That Students Do Not Attend (§ 99.60) Back to Top

Statute: Sections (f) and (g) of FERPA (20 U.S.C. 1232g(f) and (g)) authorize the Secretary to take appropriate actions to enforce and address violations of FERPA in accordance with part D of the General Education Provisions Act (20 U.S.C. 1234 through 1234i) and to establish or designate an office and review board within the Department for the purpose of investigating, processing, reviewing, and adjudicating alleged violations of FERPA.

Current Regulations: Current § 99.60(b) designates the FPCO as the office within the Department responsible for investigating, processing, and reviewing alleged violations of FERPA. Current subpart E of the FERPA regulations (§§ 99.60 through 99.67), however, only addresses alleged violations of FERPA committed by an educational agency or institution.

Proposed Regulations: Proposed § 99.60(a)(2) would provide that, solely for purposes of subpart E of the FERPA regulations, which addresses enforcement procedures, an “educational agency or institution” includes any public or private agency or institution to which FERPA applies under § 99.1(a)(2), as well as any State educational authority (e.g., SEAs or postsecondary agency) or local educational authority or any other recipient to which funds have been made available under any program administered by the Secretary (e.g., a nonprofit organization, student loan guaranty agency, or a student loan lender), including funds provided by grant, cooperative agreement, contract, subgrant, or subcontract.

Reasons: With the advent of SLDS, it is necessary for the Department to update our enforcement regulations to clearly set forth the Department's authority to investigate and enforce alleged violations of FERPA by State and local educational authorities or any other recipients of Department funds under a program administered by the Secretary. Current §§ 99.60 through 99.67 only apply the enforcement provisions in FERPA to an “educational agency or institution.” Although the statute and the regulations broadly define the term “educational agency or institution,” the Department generally has not interpreted the term to include entities that students do not attend. The Department's interpretation is based upon the fact that FERPA defines “education records” as information directly related to a “student,” and that “student” is, in turn, defined as excluding a person who has not been in attendance at the educational agency or institution. 20 U.S.C. 1232g(a)(4) and (a)(6). Because students do not attend non-school types of entities the Department has generally not viewed these recipients of Department funds as being “educational agencies or institutions” under FERPA.

Consequently, the current regulations do not clearly authorize FPCO to investigate, review, and process an alleged violation committed by recipients of Department funds under a program administered by the Secretary in which students do not attend. In addition, the regulations do not clearly authorize the Secretary to bring an enforcement action against these recipients. Further, it would not be fair to hold an LEA or institution of higher education (IHE) that originally disclosed the PII to a State or local educational authority responsible for violation of FERPA by the State or local educational authority because the LEA or IHE generally would not have an effective means to prevent such an improper redisclosure by a State or local educational authority.

Therefore, the Department proposes to add a new § 99.60(a)(2) that would clearly authorize the Department to hold State educational authorities(e.g., SEAs and State postsecondary agencies), local educational authorities, as well as other recipients of Department funds under any program administered by the Secretary (e.g., nonprofit organizations, student loan guaranty agencies, and student loan lenders), accountable for compliance with FERPA. The Department believes that this authority is especially important given the disclosures of PII needed to implement SLDS.

Because the Department has generally not viewed these entities as being “educational agencies or institutions” under FERPA and consequently has not viewed most FERPA provisions as applying to them (e.g., the requirement in § 99.7 to annually notify parents and eligible students of their rights under FERPA, and the requirement in § 99.37 to give public notice to parents and eligible students about directory information, if it has a policy of disclosing directory information), we anticipate that most FERPA compliance issues involving these entities will concern whether they have complied with FERPA's redisclosure provision in § 99.33.

We expect that we will face few issues concerning these entities' compliance with the few additional FERPA provisions that may be applicable to them. For example, the FERPA requirements, in addition to those in § 99.33, that may be applicable to entities that are not “educational agencies or institutions” under FERPA include, but are not limited to, the right to inspect and review education records maintained by an SEA or any of its components under § 99.10(a)(2), the requirement that organizations conducting studies under § 99.31(a)(6) must not permit the personal identification of parents and students by anyone other than representatives of that organization with legitimate interests in the information and must destroy or return personally identifiable information from education records when the information is no longer needed for the purposes for which the study was conducted, and the requirement in § 99.35(b)(2) that personally identifiable information from education records that is collected by a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) in connection with an audit or evaluation of Federal or State supported education programs, or to enforce Federal legal requirements related to Federal or State supported education programs, must be destroyed when no longer needed for these purposes.

Executive Order 12866 Back to Top

Under Executive Order 12866, the Secretary must determine whether this regulatory action is “significant” and therefore subject to the requirements of the Executive Order and subject to review by the Office of Management and Budget (OMB). Section 3(f) of Executive Order 12866 defines a “significant regulatory action” as an action likely to result in a rule that may: (1) Have an annual effect on the economy of $100 million or more, or adversely affect a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local or Tribal governments or communities in a material way (also referred to as an “economically significant” rule); (2) create serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impacts of entitlement grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order. The Secretary has determined that this regulatory action is significant under section 3(f) of the Executive order.

In accordance with Executive Order 12866, the Secretary has assessed potential costs and benefits of this regulatory action and determined that the benefits justify the costs.

Need for Federal Regulatory Action Back to Top

These proposed regulations are needed to ensure that the Department's implementation of FERPA continues to protect the privacy of student education records, while allowing for the effective use of data in education records, particularly data in statewide longitudinal data systems.

Summary of Costs and Benefits Back to Top

Following is an analysis of the costs and benefits of the proposed changes to the FERPA regulations, which would make changes to facilitate the disclosure, without written consent, of education records, particularly data in statewide longitudinal data systems, for the purposes of evaluating education programs and ensuring compliance with Federal and State requirements. In conducting this analysis, the Department examined the extent to which the proposed changes would add to or reduce the costs of educational agencies, other agencies, and institutions in complying with the FERPA regulations prior to these changes, and the extent to which the proposed changes are likely to provide educational benefit. Allowing data-sharing across agencies, because it increases the number of individuals who have access to personally identifiable information, may increase the risk of unauthorized disclosure. However, we do not believe that the staff in the additional agencies who will have access to the data are any more likely to violate FERPA than existing users, and the strengthened accountability and enforcement mechanisms will help to ensure better compliance overall. While there will be administrative costs associated with implementing data-sharing protocols, we believe that the relatively minimal administrative costs of establishing data-sharing protocols would be off-set by potential analytic benefits. Based on this analysis, the Secretary has concluded that the proposed modifications would result in savings to entities and have the potential to benefit the Nation by improving capacity to conduct analyses that will provide information needed to improve education.

Authorized Representative Back to Top

The proposed regulations would amend § 99.3 by adding a definition of the term authorized representative that would include any individual or entity designated by an educational authority or certain other officials to carry out audits, evaluations, or enforcement or compliance activities relating to education programs. Under the current regulations, educational authorities may provide to authorized representatives PII for the purposes of conducting audits, evaluations, or enforcement and compliance activities relating to Federal and State supported education programs. The term “authorized representative” is not defined, but the Department's position has been that educational authorities may only disclose education records to entities over which they have direct control, such as an employee or a contractor of the authority. Therefore, SEAs have not been able to disclose PII to other State agencies, even for the purpose of evaluating education programs under the purview of the SEAs. For example, an SEA or LEA could not disclose PII to a State employment agency for the purpose of obtaining data on post-school outcomes such as employment for its former students. Thus, if an SEA or LEA wanted to match education records with State employment records for purposes of evaluating its secondary education programs, it would have to import the entire workforce database and do the match itself (or contract with a third party to do the same analysis). Similarly, if a State workforce agency wanted to use PII maintained by the SEA in its longitudinal educational data system, in combination with data it had on employment outcomes, to evaluate secondary vocational education programs, it would not be able to obtain the SEA's educational data in order to conduct the analyses. It would have to provide the workforce data to the SEA to conduct the analyses or to a third party (e.g., an entity under the direct control of the SEA) to construct the needed longitudinal administrative data systems. While feasible, these strategies force agencies to outsource their analyses to other agencies or entities, adding administrative cost, burden, and complexity. Moreover, preventing agencies from using data directly for conducting their own analytical work increases the likelihood that the work will not meet their expectations or get done at all. Finally, the current interpretation of the regulations exposes greater amounts of PII to risk of disclosure as a result of greater quantities of PII moving across organizations (e.g., the entire workforce database) than would be the case with a more targeted data request (e.g., graduates from a given year who appear in the workforce database). The proposed regulatory changes would permit educational agencies (and other entities listed in § 99.31(a)(3)) to non-consensually disclose PII to other State agencies or to house data in a common State data system, such as a data warehouse administered by a central State authority for the purposes of conducting audits or evaluations of Federal or State supported education programs, or for enforcement of and compliance with Federal legal requirements relating to Federal and State supported education programs (consistent with FERPA and other Federal and State confidentiality and privacy provisions).

The Department also proposes to amend § 99.35 to require that written agreements require PII to be used only to carry out an audit or an evaluation of Federal or State supported education program or for an enforcement or compliance activity in connection with Federal legal requirements that relate to those programs and protect PII from unauthorized disclosure. The cost of entering into such agreements should be minimal in relation to the benefits of being able to share data.

Education Program Back to Top

The proposed regulations would amend § 99.3 by providing a definition of the term education program to clarify that an education program can include a program administered by a non-educational agency, e.g., an early childhood program administered by a human services agency or a career or technical training program administered by a workforce or labor agency. This proposed change, in combination with the proposed definition of the term authorized representative, would allow non-educational agencies to have easier access to PII in student education records that they could use to evaluate the education programs they administer. For example, this proposed change would permit nonconsensual disclosures of PII in elementary and secondary school education records to a non-educational agency that is administering an early childhood education program in order to evaluate the impact of its early childhood education program on its students' long-term educational outcomes. The potential benefits of this proposed change are substantial, including the benefits of non-educational agencies that are administering “education programs” being able to conduct their own analyses without incurring the prohibitive costs of obtaining consent for access to individual student records.

Research Studies Back to Top

Section (b)(1)(F) of FERPA permits educational agencies and institutions non-consensually to disclose PII to organizations conducting research studies for, or on behalf of, educational agencies or institutions that provided the PII, for statutorily-specified purposes. The proposed amendment to § 99.31(a)(6) would permit any of the authorities listed in § 99.31(a)(3), including SEAs, to enter into written agreements that provide for the disclosure of PII to research organizations for studies that would benefit the educational agencies or institutions that provided the PII to the SEA or other educational authorities, whether or not the educational authority has explicit authority to act on behalf of those agencies or institutions. The preamble to the final FERPA regulations published in the Federal Register on December 9, 2008 (73 FR 74806, 74826) took the position that an SEA, for example, cannot re-disclose PII obtained from LEAs to a research organization unless the SEA had separate legal authority to act on an LEA's (or other educational institution's) behalf. Because, in practice, this authority may not be explicit in all States, we propose to amend § 99.31 to specifically allow State educational authorities to enter into agreements with research organizations for studies that are for enumerated purposes under FERPA, such as studies to improve instruction (see proposed § 99.31(a)(6)(ii)). The Department believes that this change will have benefits for education because it would reduce the administrative costs of, and reduce the barriers to, using student data, including data in SLDS, in order to conduct studies to improve education programs.

Authority to Evaluate Back to Top

Under current § 99.35(a)(2), the authority for an SEA or LEA to conduct an audit, evaluation, or compliance or enforcement activity is not conferred by FERPA, but “must be established under other Federal, State, or local authority.” Lack of such explicit State or local authority has hindered the use of data in some States. The proposed amendments would remove the discussion of legal authority in order to clarify that FERPA and its implementing regulations do not require that a State or local educational authority have express legal authority to conduct audits, evaluations, or compliance or enforcement activities, but instead may obtain PII when they have implied authority to conduct evaluation, audit, and compliance activities of their own programs.

This proposed change also would allow an SEA to receive PII from postsecondary institutions as needed to evaluate its own programs and determine whether its schools are adequately preparing students for higher education. The preamble to the final FERPA regulations published in the Federal Register on December 9, 2008 (73 FR 74806, 74822) suggested that PII in the records of postsecondary institutions could only be disclosed to an SEA if the SEA has legal authority to evaluate postsecondary institutions. This interpretation restricts SEAs from conducting analyses to determine how effectively they are preparing students for higher education and from identifying effective programs, and thus has hindered efforts to improve education. The primary benefit of this proposed change is that it would allow SEAs to conduct analyses (consistent with FERPA and other Federal and State confidentiality and privacy provisions) that they previously were unable to undertake, without incurring the prohibitive costs of obtaining consent from students or parents in order to obtain, without prior, written consent, PII for the purpose of program evaluations.

Educational Agency or Institution Back to Top

Sections (f) and (g) of FERPA authorize the Secretary to take appropriate actions to enforce and deal with FERPA violations, but subpart E of the FERPA regulations only addresses alleged violations of FERPA by an “educational agency or institution.” Because the Department has not interpreted that term to include agencies or institutions that students do not attend, the current FERPA regulations do not specifically permit the Secretary to bring an enforcement action against an SEA or other State or local educational authority that does not meet the definition of an “educational agency or institution” under FERPA. Thus, for example, if an SEA improperly redisclosed PII obtained from its LEAs, the Department would pursue enforcement actions against each of the LEAs, and not the SEA. Proposed § 99.60(a)(2), which would define an “educational agency or institution” to include any State or local educational authority or other recipient that has received Department of Education funds, would allow the Department to pursue enforcement against a State agency or other recipient of Department funds that had allegedly disclosed the PII, rather than against the agency or institution that had provided the PII to the State agency or other recipient of Department funds.

This change would result in some administrative savings and improve the efficiency of the enforcement process. Under the current regulations, if, for example, an SEA with 500 LEAs improperly redisclosed PII from its SLDS to an unauthorized party, the Department would need to investigate each of the 500 LEAs, which are unlikely to have knowledge relating to the disclosure. Under the proposed change, the LEAs would be relieved of any administrative costs associated with responding to the Department's request for information about the disclosure and the Department could immediately direct the focus of its investigation on the SEA, the agency most likely to have information on and bear responsibility for the disclosure of PII, without having to waste time and resources contacting the LEAs.

We welcome public input and data to further inform and allow us to quantify the costs and benefits of these proposed changes. We particularly welcome information on the costs encountered by State agencies using education data maintained by SEAs and the impediments to using postsecondary education data.

2. Clarity of the Regulations

Executive Order 12866 and the Presidential memorandum on “Plain Language in Government Writing” require each agency to write regulations that are easy to understand.

The Secretary invites comments on how to make these proposed regulations easier to understand, including answers to questions such as the following:

  • Are the requirements in the proposed regulations clearly stated?
  • Do the proposed regulations contain technical terms or other wording that interferes with their clarity?
  • Does the format of the proposed regulations (grouping and order of sections, use of headings, paragraphing, etc.) aid or reduce their clarity?
  • Would the proposed regulations be easier to understand if we divided them into more (but shorter) sections? (A “section” is preceded by the symbol “§ ” and a numbered heading; for example, § 99.35.)
  • Could the description of the proposed regulations in the Supplementary Information section of this preamble be more helpful in making the proposed regulations easier to understand? If so, how?
  • What else could we do to make the proposed regulations easier to understand?

To send any comments that concern how the Department could make these proposed regulations easier to understand, see the instructions in the ADDRESSES section of this preamble.

Regulatory Flexibility Act Certification Back to Top

The Secretary certifies that this regulatory action will not have a significant economic impact on a substantial number of small entities.

The small entities that this final regulatory action will affect are small LEAs. The Secretary believes that the costs imposed on applicants by these regulations would be limited to paperwork burden related to requirements concerning data-sharing agreements and that the benefits from ensuring that data from education records are collected, stored, and shared appropriately outweigh any costs incurred by applicants.

The U.S. Small Business Administration Size Standards define as “small entities” for-profit or nonprofit institutions with total annual revenue below $7,000,000 or, if they are institutions controlled by small governmental jurisdictions (that are comprised of cities, counties, towns, townships, villages, school districts, or special districts), with a population of less than 50,000.

According to estimates from the U.S. Census Bureau's Small Area Income and Poverty Estimates programs that were based on school district boundaries for the 2007-8 school year, there are 12,484 LEAs in the country that include fewer than 50,000 individuals within their boundaries and for which there is estimated to be at least one school-age child. In its 1997 publication, Characteristics of Small and Rural School Districts, the National Center for Education Statistics defined a small school district as “one having fewer students in membership than the sum of (a) 25 students per grade in the elementary grades it offers (usually K-8) and (b) 100 students per grade in the secondary grades it offers (usually 9-12).” Using this definition, a district would be considered small if it had fewer than 625 students in membership. The Secretary believes that the 4,800 very small LEAs that meet this second definition are highly unlikely to enter into data-sharing agreements directly with outside entities.

The Department does not have reliable data with which to estimate how many of the remaining 7,684 small LEAs would enter into data-sharing agreements. For small LEAs that enter into data-sharing agreements, we estimate that they would spend approximately 4 hours executing each agreement, using a standard data-sharing protocol. Thus, we assume the impact on the entities would be minimal. However, we invite comment from entities familiar with data-sharing in small districts on the number of entities likely to enter into agreements each year, the number of such agreements, and number of hours required to execute each agreement.

Federalism Back to Top

Executive Order 13132 requires us to ensure meaningful and timely input by State and local elected officials in the development of regulatory policies that have federalism implications.

“Federalism implications” means substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. The proposed regulations in §§ 99.3, 99.31(a)(6), and 99.35 may have federalism implications, as defined in Executive Order 13132, in that they will have some effect on the States and the operation of educational agencies and institutions subject to FERPA. We encourage State and local elected officials to review and provide comments on these proposed regulations. To facilitate review and comment by appropriate State and local officials, the Department will, aside from publication in the Federal Register, post the NPRM to the FPCO Web site and to the Privacy Technical Assistance Center (PTAC) Web site and make a specific e-mail posting via a special listserv that is sent to each State department of education superintendent and higher education commission director.

Paperwork Reduction Act of 1995 Back to Top

Proposed §§ 99.31(a)(6)(ii) and 99.35(a)(3) contain information collection requirements. Under the Paperwork Reduction Act of 1995 (44 U.S.C. 3507(d)), the Department of Education has submitted a copy of these sections to the Office of Management and Budget (OMB) for its review. (OMB Control Number 1875-0246.)

The proposed regulations modify the information collection requirements in § 99.31(a)(6)(ii) and § 99.32(b)(2); however, the Department does not believe the proposed changes add any new burden to State or local educational authorities. Burdens associated with §§ 99.31(a)(6)(ii) and 99.32(b)(2) were approved under OMB Control Number 1875-0246 when the December 9, 2008 regulations were published. The proposed change that would clarify that nothing in FERPA prevents a State or local educational authority or Federal agencies and officials listed in § 99.31(a)(3) from entering into written agreements with organizations conducting studies, for or on behalf of educational agencies and institutions does not constitute a change or an increase in burden. This is because the provision would permit an organization conducting a study to enter into one written agreement with a State or local educational authority or Federal agency or official listed in § 99.31(a)(3), rather than making the organization enter into many more written agreements with each school district or school that provided the data to the State or local educational authority or Federal agency or official listed in § 99.31(a)(3). The addition of the definition of the term authorized representative, which would permit a State or local educational authority, the Secretary, the Comptroller General of the United States, or the Attorney General of the United States to designate any entity or individual to conduct—with respect to Federal or State supported education programs—any audit, evaluation, or compliance or enforcement activity in connection with Federal legal requirements that related to those programs also does not constitute a change or an increase in burden because these entities are already required to record disclosures, pursuant to § 99.32(b)(2).

Section 99.35(a)(3) would be a new requirement that requires the agency headed by an official listed in § 99.31(a)(3) to use a written agreement to designate any authorized representative other than an agency employee. Under the proposed regulations, the agreement would need to: (1) Designate the individual or entity as an authorized representative; (2) specify the information to be disclosed and the purpose for which the information is disclosed to the authorized representative (i.e., to carry out an audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs); (3) require the authorized representative to destroy or return to the State or local educational authority or agency headed by an official listed in § 99.31(a)(3) personally identifiable information from education records when the information is no longer needed for the purpose specified; (4) specify the time period in which the information must be returned or destroyed; and (5) establish policies and procedures consistent with FERPA and other Federal and State privacy and confidentiality provisions to protect personally identifiable information from education records from further disclosure (except back to the disclosing entity) and unauthorized use, included limiting use of information by only those authorized representatives of the entity with legitimate interested. The burden for States under this provision is estimated at 40 hours annually for each educational authority (one for K-12 and one for postsecondary).

If you want to comment on the proposed information collection requirements in these proposed regulations, please send your comments to the Office of Information and Regulatory Affairs, OMB, Attention: Desk Officer for the U.S. Department of Education. Send these comments by e-mail to OIRA_DOCKET@omb.eop.gov or by fax to (202) 395-6974. Commenters need only submit comments via one submission medium. You may also send a copy of these comments to the Department contact named in the ADDRESSES section of this preamble.

We consider your comments on these proposed collections of information in—

  • Deciding whether the proposed collections are necessary for the proper performance of our functions, including whether the information will have practical use;
  • Evaluating the accuracy of our estimate of the burden of the proposed collections, including the validity of our methodology and assumptions;
  • Enhancing the quality, usefulness, and clarity of the information we collect; and
  • Minimizing the burden on those who must respond. This includes exploring the use of appropriate automated, electronic, mechanical, or other technological collection techniques or other forms of information technology; e.g., permitting electronic submission of responses.

OMB is required to make a decision concerning the collection of information contained in these proposed regulations between 30 and 60 days after publication of this document in the Federal Register. Therefore, to ensure that OMB gives your comments full consideration, it is important that OMB receives the comments within 30 days of publication. This does not affect the deadline for your comments to us on the proposed regulations.

Intergovernmental Review Back to Top

This program is not subject to Executive Order 12372 and the regulations in 34 CFR part 79.

Assessment of Educational Impact Back to Top

In accordance with section 411 of the General Education Provisions Act, 20 U.S.C. 1221e-4, the Secretary particularly requests comments on whether these proposed regulations would require transmission of information that any other agency or authority of the United States gathers or makes available.

Electronic Access to This Document Back to Top

You may view this document, as well as all other Department of Education documents published in the Federal Register, in text or Adobe Portable Document Format (PDF) on the Internet at the following site: http://www.ed.gov/news/fedregister.

To use PDF, you must have Adobe Acrobat Reader, which is available free at this site.

Note:

The official version of this document is the document published in the Federal Register. Free Internet access to the official edition of the Federal Register and the Code of Federal Regulations is available via the Federal Digital System at http://www.gpo.gov/fdsys.

(Category of Federal Domestic Assistance Number does not apply.)

List of Subjects in 34 CFR Part 99 Back to Top

Dated: April 1, 2011.

Arne Duncan,

Secretary of Education.

For the reasons discussed in the preamble, the Secretary proposes to amend part 99 of title 34 of the Code of Federal Regulations as follows:

begin regulatory text

PART 99—FAMILY EDUCATIONAL RIGHTS AND PRIVACY Back to Top

1. The authority citation for part 99 continues to read as follows:

Authority:

20 U.S.C. 1232g, unless otherwise noted.

2. Section 99.3 is amended by:

A. Adding, in alphabetical order, definitions for “authorized representative” and “education program”.

B. Revising the definition of “directory information”.

The additions and revision read as follows:

§ 99.3 What definitions apply to these regulations?

* * * * *

Authorized representative means any entity or individual designated by a State or local educational authority or an agency headed by an official listed in § 99.31(a)(3) to conduct—with respect to Federal or State supported education programs—any audit, evaluation, or compliance or enforcement activity in connection with Federal legal requirements that relate to those programs.

(Authority: 20 U.S.C. 1232g(b)(1)(C), (3), and (5))

* * * * *

Directory information means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.

(a) Directory information includes, but is not limited to, the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.

(b) Directory information does not include a student's—

(1) Social security number; or

(2) Student identification (ID) number, except as provided in paragraph (c) of this section.

(c) Directory information includes—

(1) A student ID number, user ID, or other unique personal identifier used by a student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a personal identification number (PIN), password or other factor known or possessed only by the authorized user; and

(2) A student ID number or other unique personal identifier that is displayed on a student ID badge, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a PIN, password, or other factor known or possessed only by the authorized user.

(Authority: 20 U.S.C. 1232g(a)(5)(A))

* * * * *

Education program means any program that is principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education.

(Authority: 20 U.S.C. 1232g(b)(3), (5))

* * * * *

3. Section 99.31 is amended by:

A. Redesignating paragraphs (a)(6)(ii) through (v) as paragraphs (a)(6)(iii) through (vi), respectively.

B. Adding a new paragraph (a)(6)(ii).

C. Revising the introductory text of newly redesignated paragraph (a)(6)(iii).

D. Revising the introductory text of newly redesignated paragraph (a)(6)(iii)(C).

E. Revising newly redesignated paragraph (a)(6)(iii)(C)(4).

F. Revising newly redesignated paragraph (a)(6)(iv).

G. Revising newly redesignated paragraph (a)(6)(v).

The addition and revisions read as follows:

§ 99.31 Under what conditions is prior consent not required to disclose information?

(a) * * *

(6) * * *

(ii) Nothing in the Act or this part prevents a State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section from entering into agreements with organizations conducting studies under paragraph (a)(6)(i) of this section and redisclosing personally identifiable information from education records on behalf of educational agencies and institutions that disclosed the information to the State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section in accordance with the requirements of § 99.33(b).

(iii) An educational agency or institution may disclose personally identifiable information under paragraph (a)(6)(i) of this section, and a State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section may redisclose personally identifiable information under paragraph (a)(6)(i) and (a)(6)(ii) of this section, only if—

* * * * *

(C) The educational agency or institution or the State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section enters into a written agreement with the organization that—

* * * * *

(4) Requires the organization to destroy or return to the educational agency or institution or the State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section all personally identifiable information when the information is no longer needed for the purposes for which the study was conducted and specifies the time period in which the information must be returned or destroyed.

(iv) An educational agency or institution or State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section is not required to initiate a study or agree with or endorse the conclusions or results of the study.

(v) If the Family Policy Compliance Office determines that a third party, outside the educational agency or institution, or the State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section to which personally identifiable information is disclosed under paragraph (a)(6) of this section, violates paragraph (a)(6)(iii)(B) of this section, then the educational agency or institution, or the State or local educational authority or agency listed in paragraph (a)(3) of this section from which the personally identifiable information originated may not allow the third party responsible for the violation of paragraph (a)(6)(iii)(B) of this section access to personally identifiable information from education records for at least five years.

* * * * *

4. Section 99.35 is amended by:

A. Revising paragraph (a)(2).

B. Adding a new paragraph (a)(3).

C. Revising paragraph (b).

D. Adding a new paragraph (d).

E. Revising the authority citation at the end of the section.

The additions and revisions read as follows:

§ 99.35 What conditions apply to disclosure of information for Federal or State program purposes?

(a) * * *

(2) The State or local educational authority or agency headed by an official listed in § 99.31(a)(3) is responsible for using reasonable methods to ensure that any entity or individual designated as its authorized representative—

(i) Uses personally identifiable information from education records only to carry out an audit, evaluation, or an activity for the purpose of enforcement of, or ensuring compliance with, Federal legal requirements related to Federal or State supported education programs;

(ii) Protects the personally identifiable information from further disclosures or other uses, except as authorized in paragraph (b)(1) of this section; and

(iii) Destroys the personally identifiable information in accordance with the requirements of paragraphs (b) and (c) of this section.

(3) The State or local educational authority or agency headed by an official listed in § 99.31(a)(3) must use a written agreement to designate any authorized representative, other than an employee. The written agreement must—

(i) Designate the individual or entity as an authorized representative;

(ii) Specify the information to be disclosed and that the purpose for which the information is disclosed to the authorized representative is to carry out an audit or evaluation of Federal or State supported education programs, or to enforce or to comply with Federal legal requirements that relate to those programs;

(iii) Require the authorized representative to destroy or return to the State or local educational authority or agency headed by an official listed in § 99.31(a)(3) personally identifiable information from education records when the information is no longer needed for the purpose specified;

(iv) Specify the time period in which the information must be returned or destroyed; and

(v) Establish policies and procedures, consistent with FERPA and other Federal and State confidentiality and privacy provisions, to protect personally identifiable information from education records from further disclosure (except back to the disclosing entity) and unauthorized use, including limiting use of personally identifiable information to only authorized representatives with legitimate interests.

(b) Information that is collected under paragraph (a) of this section must—

(1) Be protected in a manner that does not permit personal identification of individuals by anyone other than the authorities or agencies headed by officials referred to in paragraph (a) of this section and their authorized representatives, except that those authorities and agencies may make further disclosures of personally identifiable information from education records on behalf of the educational agency or institution in accordance with the requirements of § 99.33(b); and

(2) Be destroyed when no longer needed for the purposes listed in paragraph (a) of this section.

* * * * *

(d) If the Family Policy Compliance Office finds that a State or local educational authority, an agency headed by an official listed in § 99.31(a)(3), or an authorized representative of a State or local educational authority or an agency headed by an official listed in § 99.31(a)(3), improperly rediscloses personally identifiable information from education records, the educational agency or institution from which the personally identifiable information originated may not allow the authorized representative, or the State or local educational authority or the agency headed by an official listed in § 99.31(a)(3), or both, access to personally identifiable information from education records for at least five years.

(Authority: 20 U.S.C. 1232g(b)(1)(C), (3), and (5))

5. Section 99.37 is amended by:

A. Revising paragraph (c).

B. Redesignating paragraph (d) as paragraph (e) and adding a new paragraph (d).

The additions and revisions read as follows:

§ 99.37 What conditions apply to disclosing directory information?

* * * * *

(c) A parent or eligible student may not use the right under paragraph (a)(2) of this section to opt out of directory information disclosures to—

(1) Prevent an educational agency or institution from disclosing or requiring a student to disclose the student's name, identifier, or institutional e-mail address in a class in which the student is enrolled; or

(2) Prevent an educational agency or institution from requiring a student to wear, to display publicly, or to disclose a student ID card or badge that exhibits information that may be designated as directory information under § 99.3 and that has been properly designated by the educational agency or institution as directory information in the public notice provided under paragraph (a)(1) of this section.

(d) In its public notice to parents and eligible students in attendance at the agency or institution that is described in paragraph (a) of this section, an educational agency or institution may specify that disclosure of directory information will be limited to specific parties, for specific purposes, or both. When an educational agency or institution specifies that disclosure of directory information will be limited to specific parties, for specific purposes, or both, the educational agency or institution must limit its directory information disclosures to those specified in its public notice that is described in paragraph (a) of this section.

* * * * *

6. Section 99.60 is amended by redesignating paragraph (a) as paragraph (a)(1) and adding a new paragraph (a)(2) to read as follows:

§ 99.60 What functions has the Secretary delegated to the Office and to the Office of Administrative Law Judges?

(a) * * *

(2) Solely for the purposes of this subpart, an “educational agency or institution” includes any public or private agency or institution to which this part applies under § 99.1(a)(2), as well as any State or local educational authority or any other recipient to which funds have been made available under any program administered by the Secretary, including funds provided by grant, cooperative agreement, contract, subgrant, or subcontract.

* * * * *

end regulatory text

[FR Doc. 2011-8205 Filed 4-7-11; 8:45 am]

BILLING CODE 4000-01-P

Footnotes Back to Top

1. We intend for the proposed definition of the term education program to include, but not be limited to, any applicable program, as that term is defined in section 400 of the General Education Provisions Act (20 U.S.C. 1221).

Back to Context
Site Feedback