Family Educational Rights and Privacy, 15574-15602 [E8-5790]

Agencies

• DEPARTMENT OF EDUCATION

[Federal Register Volume 73, Number 57 (Monday, March 24, 2008)]
[Proposed Rules]
[Pages 15574-15602]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-5790]



[[Page 15573]]

-----------------------------------------------------------------------

Part II





Department of Education





-----------------------------------------------------------------------



34 CFR Part 99



Family Educational Rights and Privacy; Proposed Rule

Federal Register / Vol. 73, No. 57 / Monday, March 24, 2008 / 
Proposed Rules

[[Page 15574]]


-----------------------------------------------------------------------

DEPARTMENT OF EDUCATION

34 CFR Part 99

RIN 1855-AA05
[Docket ID ED-2008-OPEPD-0002]


Family Educational Rights and Privacy

AGENCY: Office of Planning, Evaluation, and Policy Development, 
Department of Education.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Secretary proposes to amend the regulations governing 
education records maintained by educational agencies and institutions 
under section 444 of the General Education Provisions Act, which is 
also known as the Family Educational Rights and Privacy Act of 1974, as 
amended (FERPA). These proposed regulations are needed to implement 
amendments to FERPA contained in the USA Patriot Act and the Campus Sex 
Crimes Prevention Act, to implement two U.S. Supreme Court decisions 
interpreting FERPA, and to make necessary changes identified as a 
result of the Department's experience administering FERPA and current 
regulations. These changes would clarify permissible disclosures to 
parents of eligible students and conditions that apply to disclosures 
in health and safety emergencies; clarify permissible disclosures of 
student identifiers as directory information; allow disclosures to 
contractors and other outside parties in connection with the 
outsourcing of institutional services and functions; revise the 
definitions of attendance, disclosure, education records, personally 
identifiable information, and other key terms; clarify permissible 
redisclosures by State and Federal officials; and update investigation 
and enforcement provisions.

DATES: We must receive your comments on or before May 8, 2008.

ADDRESSES: Submit your comments through the Federal eRulemaking Portal 
or via postal mail, commercial delivery, or hand delivery. We will not 
accept comments by fax or by e-mail. Please submit your comments only 
one time, in order to ensure that we do not receive duplicate copies. 
In addition, please include the Docket ID at the top of your comments.
    Federal eRulemaking Portal: Go to https://www.regulations.gov. Under 
``Search Documents'' go to ``Optional Step 2'' and select ``Department 
of Education'' from the agency drop-down menu; then click ``Submit.'' 
In the Docket ID column, select ED-2008-OPEPD-0002 to add or view 
public comments and to view supporting and related materials available 
electronically. Information on using Regulations.gov, including 
instructions for submitting comments, accessing documents, and viewing 
the docket after the close of the comment period, is available through 
the site's ``User Tips'' link.
    Postal Mail, Commercial Delivery, or Hand Delivery. If you mail or 
deliver your comments about these proposed regulations, address them to 
LeRoy S. Rooker, U.S. Department of Education, 400 Maryland Avenue, 
SW., room 6W243, Washington, DC 20202-5920.

    Privacy Note: The Department's policy for comments received from 
members of the public (including those comments submitted by mail, 
commercial delivery, or hand delivery) is to make these submissions 
available for public viewing in their entirety on the Federal 
eRulemaking Portal at https://www.regulations.gov. Therefore, 
commenters should be careful to include in their comments only 
information that they wish to make publicly available on the 
Internet.


FOR FURTHER INFORMATION CONTACT: Frances Moran, U.S. Department of 
Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 20202-
8250. Telephone: (202) 260-3887.
    If you use a telecommunications device for the deaf (TDD), you may 
call the Federal Relay Service (FRS) at 1-800-877-8339.
    Individuals with disabilities may obtain this document in an 
alternative format (e.g., Braille, large print, audiotape, or computer 
diskette) on request to the contact person listed under FOR FURTHER 
INFORMATION CONTACT.

Invitation To Comment

    We invite you to submit comments and recommendations regarding 
these proposed regulations. To ensure that your comments have maximum 
effect in developing the final regulations, we urge you to identify 
clearly the specific section or sections of the proposed regulations 
that each of your comments addresses and to arrange your comments in 
the same order as the proposed regulations.
    We invite you to assist us in complying with the specific 
requirements of Executive Order 12866 and its overall requirement of 
reducing regulatory burden that might result from these proposed 
regulations. Please let us know of any further opportunities we should 
take to reduce potential costs or increase potential benefits while 
preserving the effective and efficient administration of the program.
    During and after the comment period, you may inspect all public 
comments about these proposed regulations in room 6W243, 400 Maryland 
Avenue, SW., Washington, DC, between the hours of 8:30 a.m. and 4 p.m. 
Eastern time, Monday through Friday of each week except Federal 
holidays. Public comments may also be inspected at www.regulations.gov.

Assistance to Individuals With Disabilities in Reviewing the Rulemaking 
Record

    On request, we will supply an appropriate aid to an individual with 
a disability who needs assistance to review the comments or other 
documents in the public rulemaking record for these proposed 
regulations. If you want to schedule an appointment for this type of 
aid, please contact the person listed under FOR FURTHER INFORMATION 
CONTACT.

Background

    These proposed regulations would implement section 507 of the 
Uniting and Strengthening America by Providing Appropriate Tools 
Required to Intercept and Obstruct Terrorism (USA Patriot Act) of 2001 
(Pub. L. 107-56), enacted Oct. 26, 2001, and the Campus Sex Crimes 
Prevention Act, section 1601(d) of the Victims of Trafficking and 
Violence Protection Act of 2000 (Pub. L. 106-386), enacted Oct. 28, 
2000, both of which amended FERPA. The proposed regulations also would 
implement the U.S. Supreme Court's decisions in Owasso Independent 
School Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso) and 
Gonzaga University v. Doe, 536 U.S. 273 (2002) (Gonzaga). Finally, the 
proposed regulations respond to changes in information technology and 
address other issues identified through the Department's experience 
administering FERPA, including the need to clarify how postsecondary 
institutions may share information with parents and other parties in 
light of the tragic events at Virginia Tech in April 2007. The 
Department has developed these proposed regulations in accordance with 
its ``Principles for Regulating,'' which are intended to ensure that 
the Department regulates in the most flexible, equitable, and least 
burdensome way possible. These proposed regulations seek to provide the 
greatest flexibility to State and local governments and schools while 
ensuring that personally identifiable information about students 
remains protected from unauthorized disclosure.

Technical Corrections

    The proposed regulations correct Sec.  99.33(e) by adding the 
statutory

[[Page 15575]]

language ``outside the educational agency or institution'' after the 
words ``third party'' in the first sentence. They also correct an error 
in the section number cited in Sec.  99.34(a)(1)(ii).

Significant Proposed Regulations

    We discuss substantive issues under the sections of the proposed 
regulations to which they pertain. Generally, we do not address 
proposed regulatory provisions that are technical or otherwise minor in 
effect.

1. Definitions (Sec.  99.3)

Attendance
    Statute: 20 U.S.C. 1232g(a)(6) defines the term student as any 
person with respect to whom an educational agency or institution 
maintains education records or personally identifiable information but 
does not include a person who has not been in attendance at such agency 
or institution. The statute does not define attendance.
    Current Regulations: As defined in the current regulations, the 
term attendance includes attendance in person or by correspondence, and 
the period during which a person is working under a work-study program. 
The current definition does not address the status of distance learners 
who are taught through the use of electronic information and 
telecommunications technologies.
    Proposed Regulations: The proposed regulations in Sec.  99.3 would 
add attendance by videoconference, satellite, Internet, or other 
electronic information and telecommunications technologies for students 
who are not physically present in the classroom.
    Reasons: The proposed regulations are needed to clarify that 
students who are not physically present in the classroom may attend an 
educational agency or institution not only through traditional 
correspondence courses but through advanced electronic information and 
telecommunications technologies used for distance education, such as 
videoconferencing, satellite, and Internet-based communications.
Directory Information
    Statute: 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2) allows 
disclosure without consent of information such as a student's name and 
address, telephone listing, date and place of birth, major field of 
study, etc., defined as directory information, provided that specified 
notice and opt out conditions have been met.
    Current Regulations: Directory information is defined in Sec.  99.3 
as information contained in an education record of a student that would 
not generally be considered harmful or an invasion of privacy if 
disclosed, and includes information listed in FERPA (e.g., a student's 
name and address, telephone listing) as well as other information, such 
as a student's electronic mail (e-mail) address, enrollment status, and 
photograph. Current regulations do not specify whether a student's 
Social Security Number (SSN), official student identification (ID) 
number, or personal identifier for use in electronic systems may be 
designated and disclosed as directory information.
    Proposed Regulations: The proposed regulations would provide that 
an educational agency or institution may not designate as directory 
information a student's SSN or other student ID number. However, 
directory information may include a student's user ID or other unique 
identifier used by the student to access or communicate in electronic 
systems, but only if the electronic identifier cannot be used to gain 
access to education records except when used in conjunction with one or 
more factors that authenticate the student's identity, such as a 
personal identification number (PIN), password, or other factor known 
or possessed only by the student.
    Reasons: SSNs and other student ID numbers are personal identifiers 
that are typically used for identification purposes in order to 
establish an account, gain access to or confirm private information, 
obtain services, etc. The proposed regulations are needed to ensure 
that educational agencies and institutions do not disclose these 
identifiers as directory information, or include them with other 
personally identifiable information that may be disclosed as directory 
information, because SSNs and other student ID numbers can be used to 
impersonate the owner of the number and obtain information or services 
by fraud. The proposed regulations are also needed to clarify that 
unique personal identifiers used for electronic communications may be 
disclosed as directory information under certain conditions.
    Names and addresses are personal identifiers (and personally 
identifiable information under Sec.  99.3) that have always been 
available for disclosure as directory information under FERPA because 
they are generally known to others and often appear in public 
directories outside the school context. (It is precisely because names 
and addresses are widely available that they may not be used to 
authenticate identity, as discussed below in connection with proposed 
Sec.  99.31(c).) SSNs and other student ID numbers are also personal 
identifiers and personally identifiable information under Sec.  99.3. 
Unlike names and addresses, SSNs and other student ID numbers are 
typically used to obtain a variety of non-public information about an 
individual, such as employment, credit, financial, health, motor 
vehicle, and educational information, that would be harmful or an 
invasion of privacy if disclosed. An SSN or other student ID number can 
also be used in conjunction with commonly available information, such 
as name, address, and date of birth, to establish fraudulent accounts 
and otherwise impersonate an individual. As a result, under the 
proposed regulations, SSNs and other student ID numbers may not be 
designated and disclosed as directory information.
    Educational agencies and institutions have reported to us that in 
addition to needing a traditional student ID number (or SSN used as a 
student ID number), they need to identify or assign to students a 
unique electronic identifier that can be made available publicly. 
(Names are generally not appropriate for these purposes because they 
may not be unique to the population.) Unique electronic identifiers are 
needed, for example, for students to be able to use portals or single 
sign-on approaches to student information systems that provide access 
to class registration, academic records, library resources, and other 
student services. Much of the directory-based software used for these 
systems, as well as protocols for electronic collaboration by students 
and teachers within and among institutions, essentially cannot function 
without making an individual's user ID or other electronic identifier 
publicly available in these kinds of systems.
    Some systems, for example, require users to log on with their e-
mail address or other published user name or account ID. (Note that a 
student's e-mail address was added to the regulatory definition of 
directory information in the final regulations published on July 6, 
2000 (65 FR 41852, 41855). Public key infrastructure (PKI) technology 
for encryption and digital signatures also requires wide dissemination 
of the sender's public key. These are the types of circumstances in 
which educational agencies and institutions may need to publish or 
disclose a student's unique electronic identifier.
    The proposed regulations would permit disclosure of a student's 
user ID or other electronic identifier as directory information, but 
only if the identifier functions essentially as a name; that is, the 
identifier is not used by itself to authenticate identity and cannot be

[[Page 15576]]

used by itself to gain access to education records. A unique electronic 
identifier disclosed as directory information may be used to provide 
access to the student's education records, but only when combined with 
other factors known only to the authorized user (student, parent, or 
school official), such as a secret password or PIN, or some other 
method to authenticate the user's identity and ensure that the user is, 
in fact, a person authorized to access the records.
    Note that eligible students and parents have a right under FERPA to 
opt out of directory information disclosures and refuse to allow the 
student's e-mail address, user ID or other electronic identifier 
disclosed as directory information (except as provided in proposed 
Sec.  99.37(c), discussed elsewhere in this document). This is similar 
to a decision not to participate in an institution's paper-based 
student directory, yearbook, commencement program, etc. In these cases, 
the student or parent will not be able to take advantage of the 
services, such as portals for class registration, academic records, 
etc., provided solely through the electronic communications or software 
that require public disclosure of the student's unique electronic 
identifier.
Disclosure
    Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provides that an 
educational agency or institution subject to FERPA may not have a 
policy or practice of releasing, permitting the release of, or 
providing access to personally identifiable information from education 
records without prior written consent.
    Current Regulations: The regulations in Sec.  99.3 define the term 
disclosure to mean permitting access to or the release, transfer, or 
other communication of personally identifiable information from 
education records to any party by any means. The regulations do not 
address issues relating to the return of records to the party that 
provided or created them.
    Proposed Regulations: The proposed regulations would exclude from 
the definition of disclosure the release or return of an education 
record, or personally identifiable information from an education 
record, to the party identified as the party that provided or created 
the record. This would allow an educational agency or institution 
(School B) to send a transcript, letter of recommendation, or other 
record that appears to have been falsified back to the institution or 
school official identified as the creator or sender of the record 
(School A) for confirmation of its status as an authentic record. 
School A may confirm or deny that the record is accurate and send the 
correct version back to School B under Sec.  99.31(a)(2), which allows 
an institution to disclose education records without prior written 
consent to an institution in which the student seeks or intends to 
enroll, or is already enrolled.
    The proposed regulations would also permit a State or local 
educational authority or other entity to redisclose education records 
or personally identifiable information from education records, without 
consent, to the school district, institution, or other party that 
provided the records or information.
    Reasons: School officials have reported to the Department that they 
are receiving with more frequency what appear to be falsified 
transcripts, letters of recommendation, and other information about 
students from educational agencies and institutions. The proposed 
amendment is needed to verify the accuracy of this type of information 
and to ensure that the privacy protections in FERPA are not used to 
shield or prevent detection of fraud.
    Several State educational agencies (SEAs) that maintain 
consolidated student records systems have also expressed uncertainty 
whether they may allow a local school district to obtain access to 
personally identifiable information from education records provided to 
the SEA by that district. The amendment is needed to clarify that SEAs 
and other parties that maintain education records provided by school 
districts and other educational agencies and institutions may allow a 
party to obtain access to the specific records and information that the 
party provided to the consolidated student records system.
Education Records
    Statute: 20 U.S.C. 1232g(a)(4) provides a broad, general definition 
of education records that includes all records that are directly 
related to a student and maintained by an educational agency or 
institution. Student, in turn, is defined in 20 U.S.C. 1232g(a)(6) to 
exclude individuals who have not been in attendance at the agency or 
institution.
    Current Regulations: The definition of education records in Sec.  
99.3 excludes records that only contain information about an individual 
after he or she is no longer a student.
    Proposed Regulations: The proposed regulations would clarify that, 
with respect to former students, the term education records excludes 
records that are created or received by the educational agency or 
institution after an individual is no longer a student in attendance 
and are not directly related to the individual's attendance as a 
student.
    Reasons: Institutions have told us that there is some confusion 
about the provision in the definition of education records that 
excludes certain alumni records from the definition. Some schools have 
mistakenly interpreted this provision to mean that any record created 
or received after a student is no longer enrolled is not an education 
record under FERPA. The proposed regulations are needed to clarify that 
the exclusion is intended to cover records that concern an individual 
or events that occur after the individual is no longer a student in 
attendance, such as alumni activities. The exclusion is not intended to 
cover records that are created and matters that occur after an 
individual is no longer in attendance but that are directly related to 
his or her previous attendance as a student, such as a settlement 
agreement that concerns matters that arose while the individual was in 
attendance as a student.
    Statute: The statute does not address peer-grading practices in 
relation to FERPA requirements.
    Current Regulations: The definition of education records includes 
records that are maintained by an educational agency or institution, or 
a party acting for the educational agency or institution, but does not 
provide any guidance on the status of student-graded tests and 
assignments before they have been collected and recorded by a teacher.
    Proposed Regulations: Proposed regulations in Sec.  99.3 would 
clarify that peer-graded papers that have not been collected and 
recorded by a teacher are not considered maintained by an educational 
agency or institution and, therefore, are not education records under 
FERPA.
    Reasons: The proposed regulations are needed to implement the U.S. 
Supreme Court's decision on peer-graded papers in Owasso. ``Peer-
grading'' refers to a common educational practice in which students 
exchange and grade one another's papers and then either call out the 
grade or turn in the work to the teacher for recordation. In Owasso, 
the Court held that this practice does not violate FERPA because ``the 
grades on students' papers would not be covered under FERPA at least 
until the teacher has collected them and recorded them in his or her 
grade book.'' Owasso, 534 U.S. at 436.

[[Page 15577]]

Personally Identifiable Information
    Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an 
educational agency or institution may not have a policy or practice of 
permitting the release of or providing access to education records or 
any personally identifiable information other than directory 
information in education records without prior written consent except 
in accordance with statutory exceptions.
    Current Regulations: The term personally identifiable information 
is defined in Sec.  99.3 to include the student's name and other 
personal identifiers, such as the student's social security number or 
student number. Current regulations also include indirect identifiers, 
such as the name of the student's parent or other family members; the 
address of the student or the student's family; and personal 
characteristics or other information that would make the student's 
identity easily traceable.
    Proposed Regulations: The proposed regulations would add biometric 
record to the list of personal identifiers and add other indirect 
identifiers, such as date and place of birth and mother's maiden name, 
to the list of personally identifiable information. The regulations 
would remove language about personal characteristics and other 
information that would make the student's identity easily traceable and 
provide instead that personally identifiable information includes other 
information that, alone or in combination, is linked or linkable to a 
specific student that would allow a reasonable person in the school or 
its community, who does not have personal knowledge of the relevant 
circumstances, to identify the student with reasonable certainty. 
Personally identifiable information would also include information 
requested by a person who the educational agency or institution 
reasonably believes has direct, personal knowledge of the identity of 
the student to whom the education record directly relates.
    Reasons: See the discussion of proposed regulations adding a new 
Sec.  99.31(b) for de-identified education records elsewhere in this 
document.
State Auditor
    Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) allows an 
educational agency or institution to disclose personally identifiable 
information from education records, without prior written consent, to 
State and local educational authorities and officials for the audit or 
evaluation of Federal or State supported education programs, or for the 
enforcement of or compliance with Federal legal requirements that 
relate to those programs.
    Current Regulations: The current regulations do not address the 
disclosure of education records to State auditors.
    Proposed Regulations: The proposed regulations in Sec.  99.3 would 
define State auditor as a party under any branch of government with 
authority and responsibility under State law for conducting audits. We 
propose to add a new paragraph (a)(2) to Sec.  99.35 to clarify that 
State auditors that are not State or local educational authorities may 
have access to education records in connection with an audit of Federal 
or State supported education programs.
    Reasons: 20 U.S.C. 1232g(b)(3) (section (b)(3) of the statute) 
allows disclosure of education records without consent to ``State 
educational authorities'' for audit and evaluation purposes. According 
to the legislative history of FERPA, section (b)(5) of the statute, 
which allows disclosure of education records without consent to ``State 
and local educational officials'' for audit and evaluation purposes, 
was added in 1979 to ``correct an anomaly'' in which the existing 
exception in section (b)(3) was interpreted to preclude State auditors 
from obtaining records in order to conduct State audits of local and 
State-supported programs.
    See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 (1979), 
reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824. The amended 
statutory language in section (b)(5) is ambiguous, however, because it 
does not actually mention State auditors and, like section (b)(3), 
refers only to educational officials. Over the years several States 
have questioned whether this exception includes audits conducted by 
legislative branch officials and other parties that may not be 
considered educational authorities or officials.
    The regulations are needed to clarify that State auditors may 
receive personally identifiable information from education records, 
without prior written consent, even if they are not considered State or 
local educational authorities or officials, provided that they are 
auditing a Federal or State supported education program. We are 
interested in receiving comments about whether the definition needs to 
cover local auditors as well. The exception for disclosure of education 
records to State auditors is narrowly limited to audits (defined in 
proposed Sec.  99.35 as testing compliance with applicable laws, 
regulations, and standards) and does not include the broader concept of 
evaluations, for which disclosure of education records remains limited 
to educational authorities or officials.

2. Disclosures to Parents of Eligible Students (Sec. Sec.  99.5, 99.36)

Section 99.5(a) (Rights of Students)
    Statute: 20 U.S.C. 1232g(d) provides that once a student reaches 18 
years of age or attends a postsecondary institution, all rights 
accorded to parents under FERPA, and the consent required to disclose 
education records, transfer from the parents to the student. Under 20 
U.S.C. 1232g(b)(1)(H), an educational agency or institution may 
disclose personally identifiable information from an education record 
without meeting FERPA's written consent requirement to parents of a 
dependent student as defined in 26 U.S.C. 152. Under 20 U.S.C. 
1232g(i), an institution of higher education may disclose personally 
identifiable information from an education record, without meeting 
FERPA's written consent requirement, to a parent or legal guardian of a 
student information regarding the student's violation of any Federal, 
State or local law, or any rule or policy of the institution governing 
the use or possession of alcohol or a controlled substance if the 
student is under the age of 21 and the institution determines that the 
student has committed a disciplinary violation with respect to such use 
or possession. Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or 
institution may disclose personally identifiable information from an 
education record, without meeting FERPA's written consent requirement, 
to appropriate persons in connection with an emergency if the knowledge 
of such information is necessary to protect the health or safety of the 
student or other persons.
    Current Regulations: Section 99.3 defines an eligible student as a 
student who has reached 18 years of age or attends a postsecondary 
institution. Section 99.5(a) states that rights accorded to parents, 
and consent required of parents, to disclose education records under 
FERPA transfer from parents to a student when the student meets the 
definition of an eligible student.
    Section 99.31(a)(8) provides that an educational agency or 
institution may disclose personally identifiable information from 
education records without consent to parents of a dependent student as 
defined in section 152 of the Internal Revenue Code of 1986. Under 
Sec.  99.31(a)(15) written consent is not required, regardless of 
dependency status, to disclose to a

[[Page 15578]]

parent of a student at an institution of postsecondary education 
information regarding the student's violation of any Federal, State or 
local law, or of any rule or policy of the institution, governing the 
use or possession of alcohol or a controlled substance if the 
institution determines that the student has committed a disciplinary 
violation with respect to that use or possession and the student is 
under the age of 21 at the time of the disclosure to the parent.
    Section 99.31(a)(10) provides that an educational agency or 
institution may disclose personally identifiable information from 
education records without consent if the disclosure is in connection 
with a health or safety emergency under the conditions described in 
Sec.  99.36. Section 99.36 provides that an educational agency or 
institution may disclose personally identifiable information from an 
education record to appropriate parties in connection with an emergency 
if knowledge of the information is necessary to protect the health or 
safety of the student or other individuals.
    Proposed Regulations: The proposed regulations in Sec.  99.5 
clarify that even after a student has become an eligible student, an 
educational agency or institution may disclose education records to the 
student's parents, without the consent of the eligible student, if the 
student is a dependent for Federal income tax purposes (Sec.  
99.31(a)(8)); in connection with a health or safety emergency (Sec.  
99.31(a)(10)); if the student is under the age of 21 and has violated 
an institutional rule or policy governing the use or possession of 
alcohol or a controlled substance (Sec.  99.31(a)(15)); and if the 
disclosure falls within any other exception to the consent requirement 
in Sec.  99.31(a) of the regulations, such as the disclosure of 
directory information or in compliance with a court order or lawfully 
issued subpoena. The proposed regulations in Sec.  99.36(a) would 
clarify that an eligible student's parents are appropriate parties to 
whom an educational agency or institution may disclose personally 
identifiable information from education records without consent in a 
health or safety emergency.
    Reasons: The Secretary is concerned that some institutions are 
under the mistaken impression that FERPA prevents them from providing 
parents with any information about a college student. The proposed 
regulations are needed to clarify that FERPA contains exceptions to the 
written consent requirement that permit colleges and other educational 
agencies and institutions to disclose personally identifiable 
information from education records to parents of certain eligible 
students whether or not the student consents.
    Section 99.31(a)(8) permits an educational agency or institution to 
disclose education records, without consent, to either parent if at 
least one of the parents has claimed the student as a dependent on the 
parent's most recent tax return. Because many college students (and 18-
year-old high school students) are tax dependents of their parents, 
this provision allows these institutions to disclose information from 
education records to the students' parents without meeting the written 
consent requirements in Sec.  99.30. (Institutions must first determine 
that a parent has claimed the student as a dependent on the parent's 
Federal income tax return. Institutions can determine that a parent 
claimed a student as a dependent by asking the parent to submit a copy 
of the parent's most recent Federal tax return. Institutions can also 
rely on a student's assertion that he or she is not a dependent unless 
the parent provides contrary evidence.)
    The proposed regulations are also needed to clarify that colleges 
and other institutions may disclose information from education records 
to an eligible student's parents, without consent, under Sec.  
99.31(a)(15) if the institution has determined that the student has 
violated Federal, State, or local law or an institution's rules or 
policies governing alcohol or substance abuse (provided the student is 
under 21 years of age), and in connection with a health or safety 
emergency under Sec. Sec.  99.31(a)(10) and 99.36 (regardless of the 
student's age) if the information is needed to protect the health or 
safety of the student or other individuals. These exceptions apply 
whether or not the student is a dependent of a parent for tax purposes. 
These proposed regulations would clarify the Department's policy with 
respect to an agency's or institution's disclosure of information from 
education records to parents under the health and safety emergency 
exception and do not represent a change in the Department's 
interpretation of who may qualify as an appropriate party under the 
health or safety emergency exception to the consent requirement. While 
institutions may choose to follow a policy of not disclosing education 
records to parents of eligible students in these circumstances, FERPA 
does not mandate such a policy.

3. Authorized Disclosure of Education Records Without Prior Written 
Consent (Sec.  99.31)

Section 99.31(a)(1) (School Officials) Outsourcing
    Statute: 20 U.S.C. 1232g(a)(4)(A) defines education records to 
include records maintained by an educational agency or institution or 
by ``a person acting for'' the agency or institution. Under 20 U.S.C. 
1232g(b)(1)(A), an educational agency or institution may allow teachers 
and other school officials within the institution or agency, without 
prior written consent, to obtain access to education records if the 
institution or agency has determined that they have legitimate 
educational interests in the information.
    Current Regulations: Section 99.31(a)(1) allows disclosure of 
personally identifiable information from education records without 
consent to school officials, including teachers, within the agency or 
institution if the educational agency or institution has determined 
that they have legitimate educational interests in the information. An 
educational agency or institution that discloses information under this 
exception must specify in its annual notification of FERPA rights under 
Sec.  99.7(a)(3)(iii) the criteria it uses to determine who constitutes 
a school official and what constitutes legitimate educational 
interests. The recordkeeping requirements in Sec.  99.32(d) do not 
apply to disclosures to school officials with legitimate educational 
interests. Current regulations do not address disclosure of education 
records without consent to contractors, consultants, volunteers, and 
other outside parties providing institutional services and functions or 
otherwise acting for an agency or institution.
    Proposed Regulations: The proposed regulations in Sec.  
99.31(a)(1)(i)(B) would expand the school official exception to include 
contractors, consultants, volunteers, and other outside parties to whom 
an educational agency or institution has outsourced institutional 
services or functions that it would otherwise use employees to perform. 
The outside party who obtains access to education records without 
consent must be under the direct control of the agency or institution 
and subject to the same conditions governing the use and redisclosure 
of education records that apply to other school officials under Sec.  
99.33(a) of the regulations. These proposed regulations supersede 
previous technical assistance guidance issued by the Family Policy 
Compliance Office (Office) regarding disclosure of

[[Page 15579]]

education records without consent to parties acting for an educational 
agency or institution.
    Educational agencies and institutions that outsource institutional 
services and functions must comply with the annual FERPA notification 
requirements under the current regulations in Sec.  99.7(a)(3)(iii) by 
specifying their contractors, consultants, and volunteers as school 
officials retained to provide various institutional services and 
functions. Failure to comply with the notice requirements for school 
officials in Sec.  99.7(a)(3)(iii) is not excused by recording the 
disclosure under Sec.  99.32. (We note that under current regulations 
disclosures to school officials under Sec.  99.31(a)(1) are 
specifically excluded from the recordation requirements under Sec.  
99.32(d).) As a result, an educational agency or institution that has 
not included contractors and other outside service providers as school 
officials with legitimate educational interests in its annual FERPA 
notification may not disclose any personally identifiable information 
from education records to these parties until it has complied with the 
notice requirements in Sec.  99.7(a)(3)(iii).
    Educational agencies and institutions are responsible for their 
outside service providers' failures to comply with applicable FERPA 
requirements. The agency or institution must ensure that the outside 
party does not use or allow anyone to obtain access to personally 
identifiable information from education records except in strict 
accordance with the requirements established by the educational agency 
or institution that discloses the information.
    All outside parties serving as school officials are subject to 
FERPA's restrictions on the use and redisclosure of personally 
identifiable information from education records. These restrictions 
include current provisions in Sec.  99.33(a), which requires an 
educational agency or institution that discloses personally 
identifiable information from education records to do so only on the 
condition that the recipient, including a teacher or other school 
official, will use the information only for the purpose for which the 
disclosure was made and will not redisclose the information to any 
other party without the prior consent of the parent or eligible student 
unless the educational agency or institution has authorized the 
redisclosure under a FERPA exception and the agency or institution 
records the subsequent disclosure in accordance with the requirements 
in Sec.  99.32(b).
    For example, under the proposed regulations, a party that contracts 
with an educational agency or institution to provide enrollment and 
degree verification services must ensure that only individuals with 
legitimate educational interests obtain access to personally 
identifiable information from education records maintained on behalf of 
the agency or institution. In accordance with current regulations at 
Sec.  99.33(b), a contractor may not redisclose personally identifiable 
information without prior written consent unless the educational agency 
or institution has authorized the redisclosure under a FERPA exception 
and the agency or institution records the subsequent disclosure in 
accordance with the requirements in Sec.  99.32(b). Like other school 
officials, contractors and other outside parties who provide 
institutional services may not decide unilaterally to redisclose 
personally identifiable information from education records, even in 
circumstances that would comply with an exception in Sec.  99.31(a).
    Additionally, records directly related to a student that are 
maintained by a party acting for an educational agency or institution 
are education records subject to all FERPA requirements. This includes 
any new student records created under an outsourcing agreement that are 
maintained by the outside service provider.
    Reasons: The proposed regulations are needed to resolve uncertainty 
about the specific conditions under which educational agencies and 
institutions may disclose personally identifiable information from 
education records, without prior written consent, to contractors, 
consultants, volunteers, and other outside parties performing 
institutional services or functions. While there is no explicit 
statutory exception to the prior written consent requirement for 
disclosures to contractors and other non-employees to whom an 
educational agency or institution has outsourced services, we note that 
the statutory definition of education records protects records that are 
maintained by a party acting for the agency or institution. See 20 
U.S.C. 1232g(a)(4)(A)(ii). Indeed, the Joint Statement in Explanation 
of Buckley/Pell Amendment (120 Cong. Rec. S39862, Dec. 13, 1974) refers 
specifically to materials that are maintained by a school ``or by one 
of its agents'' when describing the meaning of the new term education 
records in the December 1974 amendments to the statute.
    The Department has long recognized in guidance that FERPA does not 
prevent educational agencies and institutions from outsourcing 
institutional services and functions and disclosing education records 
to contractors and other outside parties performing those services and 
functions in appropriate circumstances, such as for legal advice; debt 
collection; transcript distribution; fundraising and alumni 
communications; development and management of information systems; and 
degree and enrollment verification. The Secretary wishes to clarify and 
define the scope of this practice to avoid further confusion and 
prevent weakening of FERPA's privacy protections because of uncertainty 
about the requirements for making these kinds of disclosures.
    One of the most frequently used exceptions to the prior written 
consent requirement allows teachers and other school officials to 
obtain access to education records provided the educational agency or 
institution has determined that the school official has legitimate 
educational interests in the information. This exception covers not 
only teachers and principals, but also school counselors, registrars, 
admissions personnel, attorneys, accountants, human resource staff, 
information systems specialists, and designated support and clerical 
personnel when they need access to personally identifiable information 
from education records in order to perform their official functions and 
duties for their employer. As noted above, an educational agency or 
institution that allows school officials to obtain access to education 
records under this exception must, under Sec.  99.7(a)(3), include in 
its annual notification of FERPA rights a specification of its criteria 
for determining who constitutes a school official and what constitutes 
legitimate educational interests under Sec.  99.31(a)(1). Disclosures 
to school officials under current regulations are subject to the 
restrictions on the use and redisclosure of information in Sec.  99.33 
but are exempt from the FERPA recordkeeping requirements in Sec.  
99.32.
    The proposed regulations are included with the exception for school 
officials in Sec.  99.31(a)(1) because we believe that disclosures made 
for contract, volunteer, and other outsourced services and functions 
should be subject to the same conditions that would apply if the 
outside party were, in fact, providing institutional services or 
functions as an employee or officer of the educational agency or 
institution. In particular, the outside party must be under the direct 
control of the agency or institution with respect to the maintenance 
and use of personally identifiable information from education records. 
The outside party

[[Page 15580]]

must also perform the type of institutional services or functions for 
which the agency or institution would otherwise use its own employees. 
For example, an institution may disclose education records without 
consent under this provision to an outside party retained to provide 
enrollment verification services to student loan holders because the 
institution would otherwise have to use its own employees to conduct 
the required verifications. In contrast, an institution may not use 
this provision to disclose education records, without consent, to a 
financial institution or insurance company that provides a good student 
discount on its services and needs students' ID numbers and grades to 
verify an individual's eligibility, even if the institution enters into 
a contract with these companies to provide the student discount.
Access to Education Records by School Officials
    Statute: 20 U.S.C. 1232g(b)(1)(A) provides that an educational 
agency or institution may allow teachers and other school officials 
within the agency or institution to obtain access to education records, 
without prior written consent, if the agency or institution has 
determined that the school official has legitimate educational 
interests in the information.
    Current Regulations: Section 99.31(a)(1) allows an educational 
agency or institution to disclose personally identifiable information 
from education records without consent to school officials, including 
teachers, within the agency or institution if the educational agency or 
institution has determined that they have legitimate educational 
interests in the information. An educational agency or institution that 
discloses information under this exception must specify in its annual 
notification of FERPA rights under Sec.  99.7(a)(3)(iii) the criteria 
it uses to determine who constitutes a school official and what 
constitutes legitimate educational interests. Current regulations do 
not specify whether the agency or institution must ensure that school 
officials obtain access to only those education records in which they 
have legitimate educational interests.
    Proposed Regulations: The proposed regulations in Sec.  
99.31(a)(1)(ii) would require an educational agency or institution to 
use reasonable methods to ensure that teachers and other school 
officials obtain access to only those education records in which they 
have legitimate educational interests. This requirement would apply to 
education records maintained in either paper or electronic format. 
Agencies and institutions that choose not to use physical or 
technological controls to restrict a school official's access to 
education records must ensure that their administrative policy for 
controlling access to and maintenance of education records is effective 
and that the agency or institution remains in compliance with the 
legitimate educational interests requirement in Sec.  
99.31(a)(1)(i)(A). (These proposed regulations do not address what 
constitutes a legitimate educational interest under the regulations.)
    Reasons: The proposed regulations are needed to ensure that 
teachers and other school officials only gain access to education 
records in which they have a legitimate educational interest. While the 
proposed regulations apply to records in any format (as defined in 
Sec.  99.3), the need to ensure compliance with the legitimate 
educational interest requirement has been driven largely by the 
increased use of computerized or electronic recordkeeping systems in 
which a user may have access to all records.
    Many of the smaller educational agencies and institutions typically 
use a combination of physical and administrative methods to restrict 
access by school officials to paper copy records. For example, paper 
copy records may be maintained in lockable cabinets, desks, or rooms 
with distribution of records to school officials controlled by the 
teacher, registrar, or other authorized custodian as appropriate. With 
the advent of computerized or electronic records, particularly by the 
mid-size and larger agencies and institutions, parents and students 
have complained that school officials may have unrestricted access to 
the records of all students in an institution's or local educational 
agency's (LEA) system. Agencies and institutions establishing or 
upgrading electronic student information systems have also expressed 
uncertainty about what methods they should use to comply with the 
legitimate educational interest requirement in this new environment.
    Under the proposed regulations, an educational agency or 
institution should implement controls to protect student records. These 
controls should consist of a combination of appropriate physical, 
technical, administrative, and operational controls which will allow 
access to be limited when required. (Some examples of possible 
information security controls can be found in ``The National Institute 
of Standards and Technology (NIST) 800-53, Recommended Security 
Controls for Federal Information Systems'' (December 2007). Educational 
institutions and agencies are not required to implement the NIST 800-53 
guidance, but may find it useful when determining possible controls.) 
For example, software used to access electronic records may contain 
role-based security features that allow teachers to view only 
information about students currently enrolled in their classes. 
Similarly, a school principal or registrar may maintain paper records 
in locked cabinets and distribute records to authorized officials on an 
as needed basis.
    An educational agency or institution that does not use some kind of 
physical or technological controls to restrict access and leaves 
education records open to all school officials may rely instead on 
administrative controls, such as an institutional policy that prohibits 
teachers and other school officials from accessing records except when 
they have a legitimate educational interest. However, an agency or 
institution that forgoes physical or technological access controls must 
ensure that its administrative policy for controlling access is 
effective and that it remains in compliance with the legitimate 
educational interest requirement in Sec.  99.31(a)(1). In that regard, 
if a parent or eligible student alleges that a school official obtained 
access to a student's education records without a legitimate 
educational interest, an agency or institution must show that the 
school official possessed a legitimate educational interest in 
obtaining the personally identifiable information from education 
records maintained by the agency or institution. An agency or 
institution may wish to restrict or track school officials who obtain 
access to education records to ensure that it is in compliance with 
Sec.  99.31(a)(1)(i)(A).
    The risk of unauthorized access to education records by school 
officials means the likelihood that records may be targeted for 
compromise and the harm that could result. Methods used by an 
educational agency or institution to ensure compliance with the 
legitimate educational interests requirement are considered reasonable 
under the proposed regulations if they reduce the risk of unauthorized 
access by school officials to a level commensurate with the likely 
threat and potential harm. The greater the harm that would result from 
unauthorized access or disclosure and the greater the likelihood that 
unauthorized access or disclosure will occur, the more protections an 
agency or institution must use to ensure that its methods are 
reasonable. For example, high risk records, such as those that

[[Page 15581]]

contain credit card information, SSNs and other elements used for 
identity theft, immunization and other health records, certain records 
on special education students, and official transcripts and grades 
should generally receive greater and more immediate protection than 
medium or low risk records, such as those containing only publicly 
releasable directory information. Methods that an educational agency or 
institution should use to reduce risk to an acceptable level will 
depend on a variety of factors, including the organization's size and 
resources. In all cases, reasonableness depends ultimately on what are 
the usual and customary good business practices of educational agencies 
and institutions, which requires ongoing review and modification of 
methods and procedures, where appropriate, as standards and 
technologies continue to change.
Section 99.31(a)(2) (Disclosure to a School Where Student Seeks or 
Intends To Enroll)
    Statute: 20 U.S.C. 1232g(b)(1)(B) allows an educational agency or 
institution to disclose, under certain conditions, education records to 
another school or school system in which the student seeks or intends 
to enroll without obtaining the prior written consent of a parent or 
eligible student.
    Current Regulations: Under Sec.  99.31(a)(2), an educational agency 
or institution may disclose education records, without prior written 
consent, to officials of another school, school system, or 
postsecondary institution where the student seeks or intends to enroll, 
provided that the agency or institution complies with the requirements 
in Sec.  99.34(a) regarding notification to the parent or eligible 
student of the disclosure and, upon request, provide a copy of the 
records and an opportunity for a hearing under subpart C of the 
regulations.
    Proposed Regulations: The proposed regulations in Sec.  99.31(a)(2) 
would allow an educational agency or institution to disclose education 
records, without consent, to another institution even after a student 
has already enrolled or transferred, and not just if the student seeks 
or intends to enroll, if the disclosure is for purposes related to the 
student's enrollment or transfer.
    Reasons: The proposed amendments are needed to resolve uncertainty 
about whether consent is required to send a student's records to the 
student's new school after the student has already transferred and 
enrolled. This proposed exception to the consent requirement is 
intended to ease administrative burdens on educational agencies and 
institutions by allowing them to send transcripts and other information 
from education records to schools where a student seeks or intends to 
enroll without meeting the formal consent requirements in Sec.  99.30. 
We have concluded that authority to disclose or transfer information to 
a student's new school under this exception does not cease 
automatically the moment a student has actually enrolled. Rather, an 
educational agency or institution may transfer education records to a 
student's new school, including a postsecondary institution, at any 
point in time if the disclosure is in connection with the student's 
enrollment in the new school.
    Based on these considerations, we have also determined that an 
educational agency or institution may update, correct, or explain 
information it has disclosed to another educational agency or 
institution as part of the original disclosure under Sec.  99.31(a)(2) 
without complying with the written consent requirements in Sec.  99.30. 
That is, a student's previous institution is not required to obtain 
prior written consent under Sec.  99.30 to respond to the new 
institution's request to explain the meaning of education records sent 
to it in connection with a student's new enrollment.
    Finally, in the aftermath of the shooting at Virginia Tech, some 
questions have arisen about whether FERPA prohibits the disclosure of 
certain types of information from students' education records to new 
schools or postsecondary institutions to which they have applied. 
(Further discussion of the tragic events that occurred at Virginia Tech 
in April 2007 is included in the discussion of the proposed amendments 
to Sec.  99.36, which appears later in this document.) Under Sec.  
99.31(a)(2) and Sec.  99.34(a), FERPA permits school officials to 
disclose any and all education records, including health and 
disciplinary records, to another institution where the student seeks or 
intends to enroll.
Section 99.31(a)(6) (Organizations Conducting Studies for or on Behalf 
of an Educational Agency or Institution)
    Statute: 20 U.S.C. 1232g(b)(1)(F) allows an educational agency or 
institution to disclose personally identifiable information from 
education records, without consent, to organizations conducting studies 
for or on behalf of the agency or institution for purposes of testing, 
student aid, and improvement of instruction. The information must be 
protected so that students and their parents cannot be identified by 
anyone other than representatives of the organization that conducts the 
study and must be destroyed when no longer needed for the study. As 
explained in Sec.  99.31(a)(6)(iii), failure to destroy information in 
accordance with this requirement could lead to a five-year ban on 
disclosure of information to that organization.
    Current Regulations: The regulations restate the statutory language 
that the study is conducted ``for, or on behalf of'' the educational 
agency or institution, but do not explain what this language means.
    Proposed Regulations: The proposed regulations require an 
educational agency or institution that discloses education records 
without consent under Sec.  99.31(a)(6) to enter into a written 
agreement with the recipient organization that specifies the purposes 
of the study. The agency or institution that discloses education 
records under this exception does not have to agree with or endorse the 
conclusions or results of the study. The written agreement must specify 
that information from education records may only be used to meet the 
purposes of the study stated in the written agreement and must contain 
the current restrictions on redisclosure and destruction of information 
requirements applicable to information disclosed under this exception.
    Reasons: Research organizations have asked for clarification about 
the circumstances in which an educational agency or institution may 
disclose to them personally identifiable information from education 
records under Sec.  99.31(a)(6)(iii), and educational agencies and 
institutions have asked whether they may provide personally 
identifiable information to organizations for research purposes without 
parental consent even if the educational agency or institution has no 
particular interest in the study.
    This exception to the consent requirement is intended to allow 
educational agencies and institutions to retain the services of outside 
organizations (or individuals) to conduct studies for or on their 
behalf to develop, validate, or administer predictive tests; administer 
student aid programs; or improve instruction. An educational agency or 
institution need not initiate research requests or agree with or 
endorse a study's results and conclusions under this exception. 
However, the statutory language ``for, or on behalf of'' indicates that 
the disclosing agency or institution agrees with the purposes of the 
study and retains control over the information from education records 
that is disclosed.

[[Page 15582]]

The written agreement required under the proposed regulations will help 
ensure that information from education records is used only to meet the 
purposes of the study stated in the written agreement and that all 
applicable requirements are met. (See discussion of Sec.  99.31(b) 
below regarding disclosure of de-identified information to independent 
educational researchers.)
Section 99.31(a)(9) (USA Patriot Act)
    Statute: The USA Patriot Act, Public Law 107-56, amended FERPA by 
providing a new subsection 1232g(j), 20 U.S.C. 1232g(j), that 
authorizes the United States Attorney General (or designee not lower 
than an Assistant Attorney General) to apply for an ex parte court 
order (an order issued by a court without notice to an adverse party) 
allowing the Attorney General (or designee) to collect education 
records from an educational agency or institution, without the consent 
or knowledge of the student or parent, that are relevant to an 
investigation or prosecution of an offense listed in 18 U.S.C. 
2332b(g)(5)(B) or an act of domestic or international terrorism 
specified in 18 U.S.C. 2331. The statute requires the Attorney General 
(or designee not lower than an Assistant Attorney General) to certify 
facts in support of the order and to retain, disseminate, and use the 
records in a manner that is consistent with confidentiality guidelines 
established by the Attorney General in consultation with the Secretary 
of Education. Agencies and institutions are not required to record the 
disclosure and cannot be held liable to anyone for producing education 
records in good faith in accordance with a court order issued under 
this provision.
    Current Regulations: The current regulations do not address the 
amendments made by the USA Patriot Act.
    Proposed Regulations: The proposed regulations add new exceptions 
to the written consent requirement in Sec.  99.31(a)(9)(ii) and the 
recordkeeping requirement in Sec.  99.32(a) allowing disclosure of 
education records without notice in compliance with an ex parte court 
order obtained by the Attorney General (or designee) concerning 
investigations or prosecutions of an offense listed in 18 U.S.C. 
2332b(g)(5)(B) or an act of domestic or international terrorism defined 
in 18 U.S.C. 2331.
    Reasons: The proposed regulations are necessary to implement the 
statutory amendment. An educational agency or institution that is 
served with an ex parte court order from the Attorney General (or 
designee) under this provision should ensure that the order is facially 
valid, just as it does when determining whether to comply with other 
judicial orders and subpoenas under Sec.  99.31(a)(9). An educational 
agency or institution is not, however, required or authorized to 
examine the underlying certification of facts presented to the court in 
the Attorney General's application for the ex parte court order.
    The proposed regulations provide that an educational agency or 
institution may comply with the court order without notice to the 
parent or eligible student. (Note that Sec.  99.31(a)(9)(ii)(B) also 
allows an educational agency or institution to disclose education 
records without notice to representatives of the Attorney General or 
other law enforcement authorities who produce a subpoena that has been 
issued for law enforcement purposes and the court or other issuing 
agency has ordered that the existence or contents of the subpoena or 
information furnished in response to the subpoena not be disclosed.)
Section 99.31(a)(16) (Registered Sex Offenders)
    Statute: The Campus Sex Crimes Prevention Act (CSCPA), section 
1601(d) of the Victims of Trafficking and Violence Protection Act of 
2000, Public Law 106-386, amended FERPA by adding 20 U.S.C. 
1232g(b)(7), which provides that educational agencies and institutions 
may disclose information concerning registered sex offenders provided 
under State sex offender registration and community notification 
programs required by section 170101 of the Violent Crime Control and 
Law Enforcement Act of 1994, Public Law 103-322, 42 U.S.C. 14071. 
Section 170101 contains the Jacob Wetterling Crimes Against Children 
and Sexually Violent Offender Registration Act (Wetterling Act).
    Current Regulations: The current regulations do not