Family Educational Rights and Privacy, 74806-74855 [E8-28864]
Download as PDF
74806
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
DEPARTMENT OF EDUCATION
34 CFR Part 99
RIN 1855–AA05
[Docket ID ED–2008–OPEPD–0002]
Family Educational Rights and Privacy
jlentini on PROD1PC65 with RULES2
AGENCY: Office of Planning, Evaluation,
and Policy Development, Department of
Education.
ACTION: Final regulations.
SUMMARY: The Secretary amends our
regulations implementing the Family
Educational Rights and Privacy Act
(FERPA), which is section 444 of the
General Education Provisions Act.
These amendments are needed to
implement a provision of the USA
Patriot Act and the Campus Sex Crimes
Prevention Act, which added new
exceptions permitting the disclosure of
personally identifiable information from
education records without consent. The
amendments also implement two U.S.
Supreme Court decisions interpreting
FERPA, and make necessary changes
identified as a result of the Department’s
experience administering FERPA and
the current regulations.
These changes clarify permissible
disclosures to parents of eligible
students and conditions that apply to
disclosures in health and safety
emergencies; clarify permissible
disclosures of student identifiers as
directory information; allow disclosures
to contractors and other outside parties
in connection with the outsourcing of
institutional services and functions;
revise the definitions of attendance,
disclosure, education records,
personally identifiable information, and
other key terms; clarify permissible
redisclosures by State and Federal
officials; and update investigation and
enforcement provisions.
DATES: These regulations are effective
January 8, 2009.
FOR FURTHER INFORMATION CONTACT:
Frances Moran, U.S. Department of
Education, 400 Maryland Avenue, SW.,
room 6W243, Washington, DC 20202–
8250. Telephone: (202) 260–3887.
If you use a telecommunications
device for the deaf (TDD), you may call
the Federal Relay Service (FRS) at 1–
800–877–8339.
Individuals with disabilities may
obtain this document in an alternative
format (e.g., Braille, large print,
audiotape, or computer diskette) on
request to the contact person listed
under FOR FURTHER INFORMATION
CONTACT.
SUPPLEMENTARY INFORMATION: On March
24, 2008, the U.S. Department of
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
Education (the Department or we)
published a notice of proposed
rulemaking (NPRM) in the Federal
Register (73 FR 15574). In the preamble
to the NPRM, the Secretary discussed
the major changes proposed in that
document that are necessary to
implement statutory changes made to
FERPA, to implement two U.S. Supreme
Court decisions, to respond to changes
in information technology, and to
address other issues identified through
the Department’s experience in
administering FERPA.
We believe that the regulatory
changes adopted in these final
regulations provide clarification on
many important issues that have arisen
over time with regard to how FERPA
affects decisions that school officials
have to make on an everyday basis.
Educational agencies and institutions
face considerable challenges, especially
with regard to maintaining safe
campuses, protecting personally
identifiable information in students’
education records, and responding to
requests for data on student progress.
These final regulations, as well as the
discussion on various provisions in the
preamble, will assist school officials in
addressing these challenges in a manner
that complies with FERPA and protects
the privacy of students’ education
records.
Notice of Proposed Rulemaking
In the NPRM, we proposed
regulations to implement section 507 of
the USA Patriot Act (Pub. L. 107–56),
enacted October 26, 2001, and the
Campus Sex Crimes Prevention Act,
section 1601(d) of the Victims of
Trafficking and Violence Protection Act
of 2000 (Pub. L. 106–386), enacted
October 28, 2000. Other major changes
proposed in the NPRM included the
following:
• Amending § 99.5 to clarify the
conditions under which an educational
agency or institution may disclose
personally identifiable information from
an eligible student’s education records
to a parent without the prior written
consent of the eligible student;
• Amending § 99.31(a)(1) to authorize
the disclosure of education records
without consent to contractors,
consultants, volunteers, and other
outside parties to whom an educational
agency or institution has outsourced
institutional services or functions;
• Amending § 99.31(a)(1) to ensure
that teachers and other school officials
only gain access to education records in
which they have legitimate educational
interests;
• Amending § 99.31(a)(2) to permit
educational agencies and institutions to
PO 00000
Frm 00002
Fmt 4701
Sfmt 4700
disclose education records, without
consent, to another institution even after
the student has enrolled or transferred
so long as the disclosure is for purposes
related to the student’s enrollment or
transfer;
• Amending § 99.31(a)(6) to require
that an educational agency or institution
may disclose personally identifiable
information under this section only if it
enters into a written agreement with the
organization specifying the purposes of
the study and the use and destruction of
the data;
• Amending § 99.31 to include a new
subsection to provide standards for the
release of information from education
records that has been de-identified;
• Amending § 99.35 to permit State
and local educational authorities and
Federal officials listed in § 99.31(a)(3) to
make further disclosures of personally
identifiable information from education
records on behalf of the educational
agency or institution; and
• Amending § 99.36 to remove the
language requiring strict construction of
this exception and add a provision
stating that if an educational agency or
institution determines that there is an
articulable and significant threat to the
health or safety of a student or other
individual, it may disclose the
information to any person, including
parents, whose knowledge of the
information is necessary to protect the
health or safety of the student or other
individuals.
Significant Changes From the NPRM
These final regulations contain
several significant changes from the
NPRM as follows:
• Amending the definition of
personally identifiable information in
§ 99.3 to provide a definition of
biometric record;
• Removing the proposed definition
of State auditor in § 99.3 and provisions
in § 99.35(a)(3) related to State auditors
and audits;
• Revising § 99.31(a)(6) to clarify the
specific types of information that must
be contained in the written agreement
between an educational agency or
institution and an organization
conducting a study for the agency or
institution;
• Removing the statement from
§ 99.31(a)(16) that FERPA does not
require or encourage agencies or
institutions to collect or maintain
information concerning registered sex
offenders;
• Requiring a State or local
educational authority or Federal official
or agency that rediscloses personally
identifiable information from education
records to record that disclosure if the
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
educational agency or institution does
not do so under § 99.32(b); and
• Revising § 99.32(b) to require an
educational agency or institution that
makes a disclosure in a health or safety
emergency to record information
concerning the circumstances of the
emergency.
These changes are explained in
greater detail in the following Analysis
of Comments and Changes.
Analysis of Comments and Changes
In response to the Secretary’s
invitation in the NPRM, 121 parties
submitted comments on the proposed
regulations. An analysis of the
comments and of the changes in the
regulations since publication of the
NPRM follows.
We group major issues according to
subject, with applicable sections of the
regulations referenced in parentheses.
We discuss other substantive issues
under the sections of the regulations to
which they pertain. Generally, we do
not address technical and other minor
changes, or suggested changes that the
law does not authorize the Secretary to
make. We also do not address comments
pertaining to issues that were not within
the scope of the NPRM.
Definitions (§ 99.3)
jlentini on PROD1PC65 with RULES2
(a) Attendance
Comment: We received no comments
objecting to the proposed changes to the
definition of the term attendance. Three
commenters expressed support for the
changes because the availability and use
of alternative instructional formats are
not clearly addressed by the current
regulations. One commenter suggested
that the definition could avoid
obsolescence by referring to the receipt
of instruction leading to a diploma or
certificate instead of listing the types of
instructional formats.
Discussion: We proposed to revise the
definition of attendance because we
received inquiries from some
educational agencies and institutions
asking whether FERPA was applicable
to the records of students receiving
instruction through the use of new
technology methods that do not require
a physical presence in a classroom.
Because the definition of attendance is
key to determining when an
individual’s records at a school are
education records protected by FERPA,
it is essential that schools and
institutions understand the scope of the
term. To prevent the regulations from
becoming out of date as new formats
and methods are developed, the
definition provides that attendance may
also include ‘‘other electronic
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
information and telecommunications
technologies.’’
While most schools are aware of the
various formats distance learning may
take, we believe it is informative to list
the different communications media
that are currently used. Also, we believe
that parents, eligible students, and other
individuals and organizations that use
the FERPA regulations may find the
listing of formats useful.
We do not agree that the definition of
attendance should be limited to receipt
of instruction leading to a diploma or
certificate, because this would
improperly exclude many instructional
formats.
Changes: None.
(b) Directory Information (§§ 99.3 and
99.37)
(1) Definition (§ 99.3)
Comment: We received a number of
comments on our proposal to revise the
definition of directory information to
provide that an educational agency or
institution may not designate as
directory information a student’s social
security number (SSN) or other student
identification (ID) number. The
proposed definition also provided that a
student’s user ID or other unique
identifier used by the student to access
or communicate in electronic systems
could be considered directory
information but only if the electronic
identifier cannot be used to gain access
to education records except when used
in conjunction with one or more factors
that authenticate the student’s identity.
All commenters agreed that student
SSNs should not be disclosed as
directory information. Several
commenters strongly supported the
definition of directory information as
proposed, noting that failure to curtail
the use of SSNs and student ID numbers
as directory information could facilitate
identity theft and other fraudulent
activities.
One commenter said that the
proposed regulations did not go far
enough to prohibit the use of students’
SSNs as a student ID number, placing
SSNs on academic transcripts, and
using SSNs to search an electronic
database. Another commenter expressed
concern that the proposed regulations
could prohibit reporting needed to
enforce students’ financial obligations
and other routine business practices.
According to this commenter,
restrictions on the use of SSNs in
FERPA and elsewhere demonstrate the
need for a single student identifier that
can be tied to the SSN and other
identifying information to use for grade
transcripts, enrollment verification,
PO 00000
Frm 00003
Fmt 4701
Sfmt 4700
74807
default prevention, and other activities
that depend on sharing student
information. Another commenter stated
that institutions should not be allowed
to penalize students who opt out of
directory information disclosures by
denying them access to benefits,
services, and required activities.
Several commenters said that the
definition in the proposed regulations
was confusing and unnecessarily
restrictive because it treats a student ID
number as the functional equivalent of
an SSN. They explained that when
providing access to records and
services, many institutions no longer
use an SSN or other single identifier
that both identifies and authenticates
identity. As a result, at many
institutions, the condition specified in
the regulations for treating electronic
identifiers as directory information, i.e.,
that the identifier cannot be used to gain
access to education records except when
used in conjunction with one or more
factors that authenticate the user’s
identity, often applies to student ID
numbers as well because they cannot be
used to gain access to education records
without a personal identification
number (PIN), password, or some other
factor to authenticate the user’s identity.
Some commenters suggested that our
nomenclature is the problem and that
regardless of what it is called, an
identifier that does not allow access to
education records without the use of
authentication factors should be treated
as directory information. According to
one commenter, allowing institutions to
treat student ID numbers as directory
information in these circumstances
would improve business practices and
enhance student privacy by encouraging
institutions to require additional
authentication factors when using
student ID numbers to provide access to
education records.
One commenter strongly opposed
allowing institutions to treat a student’s
electronic identifier as directory
information if the identifier could be
made available to parties outside the
school system. This commenter noted
that electronic identifiers may act as a
key, offering direct access to the
student’s entire file, and that PINs and
passwords alone do not provide
adequate security for education records.
Another commenter said that if
electronic identifiers and ID numbers
can be released as directory information,
then password requirements need to be
more stringent to guard against
unauthorized access to information and
identity theft.
Some commenters recommended
establishing categories of directory
information, with certain information
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74808
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
made available only within the
educational community. One
commenter expressed concern about
Internet safety because the regulations
allow publication of a student’s e-mail
address. Another said that FERPA
should not prevent institutions from
printing the student’s ID number on an
ID card or otherwise restrict its use on
campus but that publication in a
directory should not be allowed.
Two commenters asked the
Department to confirm that the
regulations allow institutions to post
grades using a code known only by the
teacher and the student.
Discussion: We share commenters’
concerns about the use of students’
SSNs. In general, however, there is no
statutory authority under FERPA to
prohibit an educational agency or
institution from using SSNs as a student
ID number, on academic transcripts, or
to search an electronic database so long
as the agency or institution does not
disclose the SSN in violation of FERPA
requirements. As discussed elsewhere
in this preamble, FERPA does prohibit
using a student’s SSN, without consent,
to search records in order to confirm
directory information.
Some States prohibit the use of SSNs
as a student ID number, and some
institutions have voluntarily ceased
using SSNs in this manner because of
concerns about identity theft. Students
are required to provide their SSNs in
order to receive Federal financial aid,
and the regulations do not prevent an
agency or institution from using SSNs
for this purpose. We note that FERPA
does not address, and we do not believe
that there is statutory authority under
FERPA to require, creation of a single
student identifier to replace the SSN. In
any case, the Department encourages
educational agencies and institutions, as
well as State educational authorities, to
follow best practices of the educational
community with regard to protecting
students’ SSNs.
We agree that students should not be
penalized for opting out of directory
information disclosures. Indeed, an
educational agency or institution may
not require parents and students to
waive their rights under FERPA,
including the right to opt out of
directory information disclosures. On
the other hand, we do not interpret
FERPA to require educational agencies
and institutions to ensure that students
can remain anonymous to others in the
school community when using an
institution’s electronic communications
systems. As a result, parents and
students who opt out of directory
information disclosures may not be able
to use electronic communications
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
systems that require the release of the
student’s name or electronic identifier
within the school community. (As
discussed later in this notice in our
discussion of the comments on
§ 99.37(c), the right to opt out of
directory information disclosures may
not be used to allow a student to remain
anonymous in class.)
The regulations allow an educational
agency or institution to designate a
student’s user ID or other electronic
identifier as directory information if the
identifier functions essentially like the
student’s name, and therefore,
disclosure would not be considered
harmful or an invasion of privacy. That
is, the identifier cannot be used to gain
access to education records except when
combined with one or more factors that
authenticate the student’s identity.
We have historically advised that
student ID numbers may not be
disclosed as directory information
because they have traditionally been
used like SSNs, i.e., as both an identifier
and authenticator of identity. We agree,
however, that the proposed definition
was confusing and unnecessarily
restrictive because it failed to recognize
that many institutions no longer use
student ID numbers in this manner. If a
student identifier cannot be used to
access records or communicate
electronically without one or more
additional factors to authenticate the
user’s identity, then the educational
agency or institution may treat it as
directory information under FERPA
regardless of what the identifier is
called. We have revised the definition of
directory information to provide this
flexibility.
We share the commenters’ concerns
about the use of PINs and passwords. In
the preamble to the NPRM, we
explained that PINs or passwords, and
single-factor authentication of any kind,
may not be reasonable for protecting
access to certain kinds of information
(73 FR 15585). We also recognize that
user IDs and other electronic identifiers
may provide greater access and linking
to information than does a person’s
name. Therefore, we remind educational
agencies and institutions that disclose
student ID numbers, user IDs, and other
electronic identifiers as directory
information to examine their
recordkeeping and data sharing
practices and ensure that, when these
identifiers are used, the methods they
select for authenticating identity
provide adequate protection against the
unauthorized disclosure of information
in education records.
We also share the concern of
commenters who stated that students’
e-mail addresses and other identifiers
PO 00000
Frm 00004
Fmt 4701
Sfmt 4700
should be disclosed as directory
information only within the school
system and should not be made
available outside the institution. The
disclosure of directory information is
permissive under FERPA, and,
therefore, an agency or institution is not
required to designate and disclose any
student identifier (or any other item) as
directory information. Further, while
FERPA does not expressly recognize
different levels or categories of directory
information, an agency or institution is
not required to make student directories
and other directory information
available to the general public just
because the information is shared
within the institution. For example,
under FERPA, an institution may decide
to make students’ electronic identifiers
and e-mail addresses available within
the institution but not release them to
the general public as directory
information. In fact, the preamble to the
NPRM suggested that agencies and
institutions should minimize the public
release of student directories to mitigate
the risk of re-identifying information
that has been de-identified (73 FR
15584).
With regard to student ID numbers in
particular, an agency or institution may
print an ID number on a student’s ID
card whether or not the number is
treated as directory information because
under FERPA simply printing the ID
number on a card, without more, is not
a disclosure and, therefore, is not
prohibited. See 20 U.S.C. 1232g(b)(2). If
the student ID number is not designated
as directory information, then the
agency or institution may not disclose
the card, or require the student to
disclose the card, except in accordance
with one of the exceptions to the
consent requirement, such as to school
officials with legitimate educational
interests. If the student ID number is
designated as directory information in
accordance with these regulations, then
it may be disclosed. However, the
agency or institution may still decide
against making a directory of student ID
numbers available to the general public.
We discuss codes used by teachers to
post grades in our discussion of the
definition of personally identifiable
information elsewhere in this preamble.
Changes: We have revised the
definition of directory information in
§ 99.3 to provide that directory
information includes a student ID
number if it cannot be used to gain
access to education records except when
used with one or more other factors to
authenticate the user’s identity.
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
(2) Conditions for Disclosing Directory
Information
jlentini on PROD1PC65 with RULES2
(i) 99.37(b)
Comment: All comments on this
provision supported our proposal to
clarify that an educational agency or
institution must continue to honor a
valid request to opt out of directory
information disclosures even after the
student no longer attends the
institution. One commenter stated that
the proposed regulations appropriately
provided former students with the
continuing ability to control the release
of directory information and remarked
that this will benefit students and
families. One commenter asked how
long an opt out from directory
information disclosures must be
honored. Another commenter said that
students may object if their former
schools do not disclose directory
information without their specific
written consent because the school is
unable to determine whether the
student previously opted out. This
could occur, for example, if a school
declined to disclose that a student had
received a degree to a prospective
employer.
Discussion: The regulations clarify
that once a parent or eligible student
opts out of directory information
disclosures, the educational agency or
institution must continue to honor that
election after the student is no longer in
attendance. While this is not a new
interpretation, school districts and
postsecondary institutions have been
unclear about its application and have
not administered it consistently. The
inclusion in the regulations of this
longstanding interpretation is necessary
to ensure that schools clearly
understand their obligation to continue
to honor a decision to opt out of the
disclosure of directory information after
a student stops attending the school,
until the parent or eligible student
rescinds it.
Educational agencies and institutions
are not required under FERPA to
disclose directory information to any
party. Therefore, parents and students
have no basis for objecting if an agency
or institution does not disclose directory
information because it is not certain
whether the parent or student opted out.
The regulations provide an educational
agency or institution with the flexibility
to determine the process it believes is
best suited to serve its population as
long as it honors prior elections to opt
out of directory information disclosures.
Changes: None.
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
(ii) § 99.37(c)
Comment: We received two comments
in support of our proposal to clarify in
this section that parents and students
may not use the right to opt out of
directory information disclosures to
prevent disclosure of the student’s name
or other identifier in the classroom.
Discussion: We appreciate the
commenters’ support.
Changes: None.
(iii) § 99.37(d)
Comment: Two commenters
supported the prohibition on using a
student’s SSN to disclose or confirm
directory information unless a parent or
eligible student provides written
consent. One of these commenters
questioned the statutory basis for this
interpretation.
Several commenters asked whether,
under the proposed regulations, a
school must deny a request for directory
information if the requester supplies the
student’s SSN. One commenter asked
whether a request for directory
information that contains a student’s
SSN may be honored so long as the
school does not use the SSN to locate
the student’s records. One commenter
stated that the regulations could more
effectively protect students’ SSNs but
was concerned that denying a request
for directory information that contains
an SSN may inadvertently confirm the
SSN.
One commenter expressed concern
that the prohibition on using a student’s
SSN to verify directory information
would leave schools with large student
populations unable to locate the
appropriate record because they will
need to rely solely on the student’s
name and other directory information, if
any, provided by the requester, which
may be duplicated in their databases.
This commenter said that students
would object if institutions were unable
to respond quickly to requests by banks
or landlords for confirmation of
enrollment because the request
contained the student’s SSN.
One commenter suggested that the
regulations require an educational
agency or institution to notify a
requester that the release or
confirmation of directory information
does not confirm the accuracy of the
SSN or other non-directory information
submitted with the request. Another
commenter asked whether the
regulations apply to confirmation of
student enrollment and other directory
information by outside service providers
such as the National Student
Clearinghouse.
Discussion: The provision in the
proposed regulations prohibiting an
PO 00000
Frm 00005
Fmt 4701
Sfmt 4700
74809
educational agency or institution from
using a student’s SSN when disclosing
or verifying directory information is
based on the statutory prohibition on
disclosing personally identifiable
information from education records
without consent in 20 U.S.C. 1232g(b).
The prohibition applies also to any
party outside the agency or institution
providing degree, enrollment, or other
confirmation services on behalf of an
educational agency or institution, such
as the National Student Clearinghouse.
A school is not required to deny a
request for directory information about
a student, such as confirmation whether
a student is enrolled or has received a
degree, if the requester supplies the
student’s SSN (or other non-directory
information) along with the request.
However, in releasing or confirming
directory information about a student,
the school may not use the student’s
SSN (or other non-directory
information) supplied by the requester
to identify the student or locate the
student’s records unless a parent or
eligible student has provided written
consent. This is because confirmation of
information in education records is
considered a disclosure under FERPA.
See 20 U.S.C. 1232g(b). A school’s use
of a student’s SSN (or other nondirectory information) provided by the
requester to confirm enrollment or other
directory information implicitly
confirms and, therefore, discloses, the
student’s SSN (or other non-directory
information). This is true even if the
requester also provides the school with
the student’s name, date of birth, or
other directory information to help
identify the student.
A school may choose to deny a
request for directory information,
whether or not it contains a student’s
SSN, because only a parent or eligible
student has a right to obtain education
records under FERPA. Denial of a
request for directory information that
contains a student’s SSN is not an
implicit confirmation or disclosure of
the SSN.
These regulations will not adversely
affect the ability of institutions to
respond quickly to requests by parties
such as banks and landlords for
confirmation of enrollment that contain
the student’s SSN because students
generally provide written consent for
schools to disclose information to the
inquiring party in order to obtain
banking and housing services. We note,
however, that if a school wishes to use
the student’s SSN to confirm enrollment
or other directory information about the
student, it must ensure that the written
consent provided by the student
includes consent for the school to
E:\FR\FM\09DER2.SGM
09DER2
74810
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
disclose the student’s SSN to the
requester.
There is no authority in FERPA to
require a school to notify requesters that
it is not confirming the student’s SSN
(or other non-directory information)
when it discloses or confirms directory
information. However, when a party
submits a student’s SSN along with a
request for directory information, in
order to avoid confusion, unless a
parent or eligible student has provided
written consent for the disclosure of the
student’s SSN, the school may indicate
that it has not used the SSN (or other
non-directory information) to locate the
student’s records and that its response
may not and does not confirm the
accuracy of the SSN (or other nondirectory information) supplied with the
request.
We recognize that with a large
database of student information, there
may be some loss of ability to identify
students who have common names if
SSNs are not used to help identify the
individual. However, schools that do
not use SSNs supplied by a party
requesting directory information, either
because the student has not provided
written consent or because the school is
not certain that the written consent
includes consent for the school to
disclose the student’s SSN, generally
may use the student’s address, date of
birth, school, class, year of graduation,
and other directory information to
identify the student or locate the
student’s records.
Changes: None.
(c) Disclosure (§ 99.3)
Comment: Two commenters said that
the proposal to revise the definition of
disclosure to exclude the return of a
document to its source was too broad
and could lead to improper release of
highly sensitive documents, such as an
individualized education program (IEP)
contained in a student’s special
education records, to anyone claiming
to be the creator of a record. One of the
commenters stated that changing the
definition was unnecessary, as schools
already have a means of verifying
documents by requesting additional
copies from the source. Both
commenters also expressed concern
that, because recordation is not
required, a parent or eligible student
will not be aware that the verification
occurred.
We also received comments of strong
support for the proposed change to the
definition of disclosure. The
commenters stated that this change,
targeted to permit the release of records
back to the institution that presumably
created them, will enhance an
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
institution’s ability to identify and
investigate suspected fraudulent records
in a timely manner.
Discussion: For several years now,
school officials have advised us that
problems related to fraudulent records
typically involve a transcript or letter of
recommendation that has been altered
by someone other than the responsible
school official. Under the current
regulations, an educational agency or
institution may ask for a copy of a
record from the presumed source when
it suspects fraudulent activity. However,
simply asking for a copy of a record may
not be adequate, for example, if the
original record no longer exists at the
sending institution. In these
circumstances, an institution will need
to return a record to its identified source
to be able to verify its authenticity. The
final regulations permit a targeted
release of records back to the stated
source for verification purposes in order
to provide schools with the flexibility
needed for this process while preserving
a more general prohibition on the
release of information from education
records.
We do not agree that the term
disclosure as proposed in the NPRM is
too broad and could lead to the
improper release of highly sensitive
documents to anyone claiming to be the
creator of the record. School officials
have not advised us that they have had
problems receiving IEP records and
other highly sensitive materials from
parties who did not in fact create or
provide the record. Therefore, we do not
believe that the proposed definition of
disclosure is too broad.
The commenters are correct that the
return of an education record to its
source does not have to be recorded,
because it is not a disclosure. We do not
consider this problematic, however,
because the information is merely being
returned to the party identified as its
source. This is similar to the situation
in which a school is not required under
the regulations to record disclosures of
education records made to school
officials with legitimate educational
interests. As in that instance, there is no
direct notice to a parent or student of
either the disclosure of the record or the
information in the record. We also
believe that if a questionable document
is deemed to be inauthentic by the
source, the student will be informed of
the results of the authentication process
by means other than seeing a record of
the disclosure in the student’s file.
There appears to be little value in
notifying a parent or student that a
document was suspected of being
fraudulent if the document is found to
be genuine and accurate.
PO 00000
Frm 00006
Fmt 4701
Sfmt 4700
Finally, we note that a transcript or
other document does not lose its
protection under FERPA, including the
written consent requirements, when an
educational agency or institution
returns it to the source. The document
and the information in it remains an
‘‘education record’’ under FERPA when
it is returned to its source. As an
education record, it may not be
redisclosed except in accordance with
FERPA requirements, including
§ 99.31(a)(1), which allows the source
institution to disclose the information to
teachers and other school officials with
legitimate educational interests, such as
persons who need to verify the accuracy
or authenticity of the information. If the
source institution makes any further
disclosures of the record or information,
it must record them.
Changes: None.
Additional Changes to the Definition of
Disclosure
Comment: Several commenters
requested additional changes to the
definition of disclosure. One commenter
requested that any transfer of education
records to a State’s longitudinal data
system not be considered a disclosure.
Several commenters requested that
additional changes be made so that a
school could provide current education
records of students back to the students’
former schools or districts. A
commenter recommended excluding
from the definition of disclosure
statistical information that is personally
identifiable because of small cell sizes
when the recipient agrees to maintain
the confidentiality of the information.
Discussion: The revised definition of
disclosure, which excludes the return of
a document to its stated source, clarifies
that information provided by school
districts or postsecondary institutions to
State educational authorities, including
information maintained in a
consolidated student records system,
may be provided back to the original
district or institution without consent.
There is no statutory authority,
however, to exclude from the definition
of disclosure a school district’s or
institution’s release or transfer of
personally identifiable information from
education records to its State
longitudinal data system. (We discuss
the disclosure of education records in
connection with the development of
consolidated, longitudinal data systems
in our response to comments on
redisclosure and recordkeeping
requirements elsewhere in this
preamble.) Likewise, there is no
statutory authority to exclude from the
definition of disclosure the release of
personally identifiable information from
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
education records to parties that agree to
keep the information confidential. (See
our discussion of personally identifiable
information and de-identified records
and information elsewhere in this
preamble.)
The revised regulations do not
authorize the disclosure of education
records to third parties who are not
identified as the provider or creator of
the record. For example, a college may
not send a student’s current college
records to a student’s high school under
the revised definition of disclosure
because the high school is not the stated
source of those records. (We discuss this
issue elsewhere in the preamble under
Disclosure of Education Records to
Students’ Former Schools.)
Changes: None.
(d) Education Records
jlentini on PROD1PC65 with RULES2
(1) Paragraph (b)(5)
Comment: Several commenters
supported our proposal to clarify the
existing exclusion from the definition of
education records for records that only
contain information about an individual
after he or she is no longer a student,
which we referred to as ‘‘alumni
records’’ in the NPRM, 73 FR 15576.
One commenter suggested that the term
‘‘directly related,’’ which is used in the
amended definition in reference to a
student’s attendance, is inconsistent
with the use of the term ‘‘personally
identifiable’’ in other sections of the
regulations and could cause confusion.
One commenter asked whether a
postsecondary school could provide a
student’s education records from the
postsecondary school to a secondary
school that the student attended
previously.
Several commenters objected to the
proposed regulations because, according
to the commenters, the regulations
would expand the records subject to
FERPA’s prohibition on disclosure of
education records without consent. A
journalist stated that the settlement
agreement cited in the NPRM is an
example of a record that should be
excluded from the definition and that
schools already are permitted to protect
too broad a range of documents from
public review because the documents
are education records. The commenter
stated that information from education
records such as a settlement agreement
is newsworthy, unlikely to contain
confidential information, and that
disclosure of such information provides
a benefit to the public. Another
commenter expressed concern that the
regulations allow schools to collect
negative information about a former
student without giving the individual an
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
opportunity to challenge the content
because the information is not an
education record under FERPA.
Discussion: It has long been the
Department’s interpretation that records
created or received by an educational
agency or institution on a former
student that are directly related to the
individual’s attendance as a student are
not excluded from the definition of
education records under FERPA, and
that records created or received on a
former student that are not directly
related to the individual’s attendance as
a student are excluded from the
definition and, therefore, are not
‘‘education records.’’ The proposed
regulations in paragraph (b)(5) were
intended to clarify the use of this
exclusion, not to change or expand its
scope.
Our use of the phrase ‘‘directly related
to the individual’s attendance as a
student’’ to describe records that do not
fall under this exclusion from the
definition of education records is not
inconsistent with the term ‘‘personally
identifiable’’ as used in other parts of
the regulations and should not be
confused. The term ‘‘personally
identifiable information’’ is used in the
statute and regulations to describe the
kind of information from education
records that may not be disclosed
without consent. See 20 U.S.C. 1232g(b);
34 CFR 99.3, 99.30. While ‘‘personally
identifiable information’’ maintained by
an agency or institution is generally
considered an ‘‘education record’’ under
FERPA, personally identifiable
information does not fall under this
exclusion from the definition of
education records if the information is
not directly related to the student’s
attendance as a student. For example,
personally identifiable information
related solely to a student’s activities as
an alumnus of an institution is excluded
from the definition of education records
under this provision. We think that the
term ‘‘directly related’’ is clear in this
context and will not be confused with
‘‘personally identifiable.’’
A postsecondary institution may not
disclose a student’s postsecondary
education records to the secondary
school previously attended by the
student under this provision because
these records are directly related to the
student’s attendance as a student at the
postsecondary institution. (We discuss
this issue further under Disclosure of
Education Records to Students’ Former
Schools.)
We do not agree that documents such
as settlement agreements are unlikely to
contain confidential information. Our
experience has been that these
documents often contain highly
PO 00000
Frm 00007
Fmt 4701
Sfmt 4700
74811
confidential information, such as
special education diagnoses,
educational supports, or mental or
physical health and treatment
information. Our changes to the
definition were intended to clarify that
schools may not disclose this
information to the media or other
parties, without consent, simply
because a student is no longer in
attendance at the school at the time the
record was created or received. A parent
or eligible student who wishes to share
the student’s own records with the
media or other parties is free to do so.
Neither FERPA nor the regulations
contains a provision for a parent or
eligible student to challenge information
that is not contained in an education
record. FERPA does not prohibit a
parent or student from using other
venues to seek redress for collection and
release of information in non-education
records.
Changes: None.
(2) Paragraph (b)(6)
Comment: We received several
comments supporting the proposed
changes to the definition of education
records that would exclude from the
definition grades on peer-graded papers
before they are collected and recorded
by a teacher. These commenters
expressed appreciation that this revision
would be consistent with the U.S.
Supreme Court’s decision on peergraded papers in Owasso Independent
School Dist. No. I–011 v. Falvo, 534 U.S.
426 (2002) (Owasso). Two commenters
asked how the provision would be
applied to the use of group projects and
group grading within the classroom.
Discussion: The proposed changes to
the definition of education records in
paragraph (b)(6) are designed to
implement the U.S. Supreme Court’s
2002 decision in Owasso, which held
that peer grading does not violate
FERPA. As noted in the NPRM, 73 FR
15576, the Court held in Owasso that
peer grading does not violate FERPA
because ‘‘the grades on students’ papers
would not be covered under FERPA at
least until the teacher has collected
them and recorded them in his or her
grade book.’’ 534 U.S. at 436.
As suggested by the Supreme Count
in Owasso, 534 U.S. at 435, FERPA is
not intended to interfere with a
teacher’s ability to carry out customary
practices, such as group grading of team
assignments within the classroom. Just
as FERPA does not prevent teachers
from allowing students to grade a test or
homework assignment of another
student or from calling out that grade in
class, even though the grade may
eventually become an education record,
E:\FR\FM\09DER2.SGM
09DER2
74812
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
FERPA does not prohibit the discussion
of group or individual grades on
classroom group projects, so long as
those individual grades have not yet
been recorded by the teacher. The
process of assigning grades or grading
papers falls outside the definition of
education records in FERPA because the
grades are not ‘‘maintained’’ by an
educational agency or institution at least
until the teacher has recorded the
grades.
Changes: None.
jlentini on PROD1PC65 with RULES2
(e) Personally Identifiable Information
Comments on the proposed definition
of personally identifiable information
are discussed elsewhere in this
preamble under the heading Personally
Identifiable Information and Deidentified Records and Information.
(f) State Auditors and Audits (§§ 99.3
and Proposed 99.35(a)(3))
Comment: Several commenters
supported the clarification in proposed
§ 99.35(a)(3) that State auditors may
have access to education records,
without consent, in connection with an
‘‘audit’’ of Federal or State supported
education programs under the exception
to the written consent requirement for
authorized representatives of ‘‘State and
local educational authorities.’’ All but
one of the commenters, however,
disagreed strongly with the proposed
definition of audit in § 99.35(a)(3),
which was limited to testing compliance
with applicable laws, regulations, and
standards and did not include the
broader concept of evaluations.
In general, the commenters said that
the proposed definition of audit was too
narrow and would prevent State
auditors from conducting performance
audits and other services that they
routinely provide in accordance with
professional auditing standards,
including the U.S. Comptroller’s
Government Auditing Standards. See
www.gao.gov/govaud/ybk01.htm. A
State legislative auditor noted, for
example, that 45 State legislatures have
established legislative program
evaluation offices whose express
purpose is to provide research and
evaluation for legislative decision
making, and that these offices regularly
use personally identifiable information
from education records for their work.
Some of the commenters also
questioned whether financial audits and
attestation engagements would be
excluded under the proposed definition.
One commenter said that the State
auditor provisions in proposed §§ 99.3
and 99.35(a)(3) should be expanded to
apply to other non-education State
officials responsible for evaluating
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
publicly funded programs. Another
commenter recommended that the
regulations include examination of
education records by health department
officials to improve compliance with
mandated immunization schedules.
The majority of the comments we
received with respect to the inclusion of
local auditors in the proposed definition
of State auditor in § 99.3 supported
permitting local auditors to have access
to personally identifiable information
for purposes of auditing Federal or State
supported education programs. One
commenter said that local auditors
should not be included in the
definition, while another commenter
stated that auditors for the city health
department need access to FERPAprotected information to determine the
accuracy of claims for payment and
asked for further clarification on the
issue.
Discussion: We explained in the
preamble to the NPRM that the statute
allows disclosure of personally
identifiable information from education
records without consent to authorized
representatives of ‘‘State educational
authorities’’ in connection with an audit
or evaluation of Federal or State
supported education programs. 73 FR
15577. Legislative history indicates that
Congress amended the statute in 1979 to
‘‘correct an anomaly’’ in which the
existing exception to the consent
requirement in 20 U.S.C. 1232g(b)(3)
was interpreted to preclude State
auditors from obtaining access to
education records for audit purposes.
See H.R. Rep. No. 338, 96th Cong., 1st
Sess. at 10 (1979), reprinted in 1979 U.S.
Code Cong. & Admin. News 819, 824.
However, because the amended
statutory language in 20 U.S.C.
1232g(b)(5) refers only to ‘‘State and
local educational officials,’’ the
proposed regulations sought to clarify
that this included ‘‘State auditors’’ or
auditors with authority and
responsibility under State law for
conducting audits. Due to the breadth of
this inclusion, however, the proposed
regulations also sought to limit access to
education records by State auditors by
narrowing the definition of audit.
The Secretary has carefully reviewed
the comments and, based upon further
intradepartmental review, has decided
to remove from the final regulations the
provisions related to State auditors and
audits in §§ 99.3 and 99.35(a)(3). We
share the commenters’ concerns about
preventing State auditors from
conducting activities that they routinely
perform under applicable auditing
standards. However, because our focus
was on the narrow definition of audit,
we proposed a very broad definition of
PO 00000
Frm 00008
Fmt 4701
Sfmt 4700
State auditor in § 99.3 and did not
examine which of the various types of
officials, offices, committees, and staff
in executive and legislative branches of
State government should be included in
the definition. We are concerned that
without the narrow definition of audit
as proposed in § 99.35(a)(3), the
proposed definition of State auditor
may allow non-consensual disclosures
of education records to a variety of
officials for purposes not supported by
the statute. The Department will study
the matter further and may issue new
regulations or guidance, as appropriate.
In the interim, the Department will
provide guidance on a case-by-case
basis.
Changes: We are not including the
definition of State auditor in § 99.3 and
the provisions related to State auditors
and audits in § 99.35(a)(3) in these final
regulations.
Disclosures to Parents (§§ 99.5 and
99.36)
Comment: A majority of commenters
approved of the Secretary’s efforts to
clarify that, even after a student has
become an eligible student, an
educational agency or institution may
disclose education records to the
student’s parents, without the consent
of the student, if certain conditions are
met. Those commenters stated that the
clarification was especially helpful,
particularly in light of issues that arose
after the April 2007 shootings at the
Virginia Polytechnic Institute and State
University (Virginia Tech). A
commenter stated that the clarification
will assist emergency management
officials on college and university
campuses and help school officials
know when they can properly share
student information with parents and
students. One commenter expressed
support for the proposed regulations,
because it has been her experience that
colleges do not share information with
parents on their children’s financial aid
or academic status.
Some commenters disagreed with the
proposed changes. One stated that, due
to varying family dynamics, disclosures
should not be limited only to parents,
but should also include other
appropriate family members. Another
commenter objected to the phrase in
§ 99.5(a)(2) that would permit disclosure
to a parent without the student’s
consent if the disclosure meets ‘‘any
other provision in § 99.31(a).’’ The
commenter stated that this ‘‘catch-all
phrase’’ exceeded statutory authority.
Noting the sensitivity of financial
information included in income tax
returns, a few commenters raised
concerns about the discussion in the
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
NPRM in which we explained that an
institution can determine that a parent
claimed a student as a dependent by
asking the parent to supply a copy of the
parent’s most recent Federal tax return.
Another commenter stated that the
NPRM did not go far enough and
recommended specifically requiring an
institution to rely on a copy of a parent’s
most recent Federal tax return to
determine a student’s dependent status,
while another commenter recommended
that we change the regulations to
indicate that only the parent who has
claimed the student as a dependent may
have access to the student’s education
records.
A commenter noted that some States
have high school students who are
concurrently enrolled in secondary
schools and postsecondary institutions
as early as ninth grade and supported
the clarification that postsecondary
institutions may disclose information to
parents of students who are tax
dependents.
Discussion: Parents’ rights under
FERPA transfer to a student when the
student reaches age 18 or enters a
postsecondary institution. 20 U.S.C.
1232g(d). However, under § 99.31(a)(8),
an educational agency or institution
may disclose education records to an
eligible student’s parents if the student
is a dependent as defined in section 152
of the Internal Revenue Code of 1986.
Under § 99.31(a)(8), neither the age of a
student nor the parent’s status as
custodial parent is relevant to the
determination whether disclosure of
information from an eligible student’s
education records to that parent without
written consent is permissible under
FERPA. If a student is claimed as a
dependent for Federal income tax
purposes by either parent, then under
the regulations, either parent may have
access to the student’s education
records without the student’s consent.
The statutory exception to the consent
requirement in FERPA for the disclosure
of records of dependent students applies
only to the parents of the student. 20
U.S.C. 1232g(b)(1)(H). Accordingly, the
Secretary does not have statutory
authority to apply § 99.31(a)(8) to any
other family members. However, under
§ 99.30(b)(3), an eligible student may
provide consent for the school to
disclose information from his or her
education records to another family
member. In some situations, such as
when there is no parent in the student’s
life or the student is married, a spouse
or other family member may be
considered an appropriate party to
whom a disclosure may be made,
without consent, in connection with a
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
health or safety emergency under
§§ 99.31(a)(10) and 99.36.
In most cases, when an educational
agency or institution discloses
education records to parents of an
eligible student, we expect the
disclosure to be made under the
dependent student provision
(§ 99.31(a)(8)), in connection with a
health or safety emergency
(§§ 99.31(a)(10) and 99.36), or if a
student has committed a disciplinary
violation with respect to the use or
possession of alcohol or a controlled
substance (§ 99.31(a)(15)). This is the
reason we mention these provisions
specifically in the regulations. However,
inclusion of the phrase ‘‘of any other
provision in § 99.31(a)’’ in § 99.5(a)(2) is
necessary and within our statutory
authority because there may be other
exceptions to FERPA’s general consent
requirement under which an agency or
institution might disclose education
records to a parent of an eligible
student, such as the directory
information provision in § 99.31(a)(11)
and the provision permitting disclosure
in compliance with a court order or
lawfully issued subpoena in
§ 99.31(a)(9).
As we explained in the NPRM,
institutions can determine that a parent
claims a student as a dependent by
asking the parent to submit a copy of the
parent’s most recent Federal income tax
return. However, we do not think it is
appropriate to require an agency or
institution to rely only on the most
recent tax return to determine the
student’s dependent status because
institutions should have flexibility in
how to reach this determination. For
instance, institutions may rely instead
on a student’s assertion that he or she
is not a dependent unless the parent
provides contrary evidence. We agree
that financial information on a Federal
tax return is sensitive information and,
for that reason, in providing technical
assistance and compliance training to
school officials, we have advised that
parents may redact all financial and
other unnecessary information that
appears on the form, as long as the tax
return clearly shows the parent’s or
parents’ names and the fact that the
student is claimed as a dependent.
In addition, in the fall of 2007, we
developed two model forms that appear
on the Department’s Family Policy
Compliance Office (FPCO or the Office)
Web site that institutions may adapt and
provide to students at orientation to
indicate whether they are a dependent
and, if not, obtaining consent from the
student for disclosure of information to
parents: https://www.ed.gov/policy/gen/
guid/fpco/ferpa/safeschools/
PO 00000
Frm 00009
Fmt 4701
Sfmt 4700
74813
modelform.html and https://www.ed.gov/
policy/gen/guid/fpco/ferpa/safeschools/
modelform2.html.
With regard to the comment about
high school students who are
concurrently enrolled in postsecondary
institutions as early as ninth grade,
FERPA not only permits those
postsecondary institutions to disclose
information to parents of the high
school students who are dependents for
Federal income tax purposes, it also
permits high schools and postsecondary
institutions who have dually-enrolled
students to share information. Where a
student is enrolled in both a high school
and a postsecondary institution, the two
schools may share education records
without the consent of either the parents
or the student under § 99.34(b). If the
student is under 18, the parents still
retain the right under FERPA to inspect
and review any education records
maintained by the high school,
including records that the college or
university disclosed to the high school,
even though the student is also
attending the postsecondary institution.
Changes: None.
Outsourcing (§ 99.31(a)(1)(i)(B))
(a) Outside Parties Who Qualify as
School Officials
Comment: A few commenters
disagreed with the proposal to expand
the ‘‘school officials’’ exception in
§ 99.31(a)(1)(i)(B) to include contractors,
consultants, volunteers, and other
outside parties to whom an educational
agency or institution has outsourced
institutional services or functions it
would otherwise use employees to
perform. They believed that the
modifications undermined the plain
language of the statute and
congressional intent. Several other
commenters supported the proposed
regulations, saying that it was helpful to
include in the regulations what has
historically been the Department’s
interpretation of the ‘‘school officials’’
exception. A majority of commenters,
while not agreeing or disagreeing with
the proposed changes in
§ 99.31(a)(1)(i)(B), raised a number of
issues concerning the proposal.
Several commenters expressed
concern that the requirement that an
outside party must perform an
institutional service or function for
which the agency or institution would
otherwise use employees is too
restrictive and impractical. One
commenter noted that some functions
that a contractor performs could not be
performed by a school official.
Some commenters said we should
clarify the regulations to explain the
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74814
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
circumstances under which volunteers
may serve as school officials and have
access to personally identifiable
information from education records in
connection with their services or
responsibilities to the school. One
commenter noted that this clarification
was needed especially for parentvolunteers working at a school attended
by their own children where they are
likely to know other students and their
families.
Several commenters asked that we
clarify in the regulations that
§ 99.31(a)(1) also applies to school
transportation officials, school bus
drivers, and school bus attendants who
need access to education records in
order to safely and efficiently transport
students. Another commenter asked for
clarification whether, under the
proposed regulations, practicum
students, fieldwork students, and
unpaid interns in schools would be
considered ‘‘school officials.’’ One
commenter asked whether § 99.31(a)(1)
permits outsourced medical providers to
be considered ‘‘school officials.’’
One commenter asked how proposed
§ 99.31(a)(1) would apply to parties
other than educational agencies and
institutions. The commenter was
concerned about permitting SEAs to
disclose personally identifiable
information to outside parties under
§ 99.31(a)(1)(i)(B) because SEAs are not
subject to § 99.7, which requires
educational agencies and institutions to
annually notify parents and eligible
students of their rights under FERPA,
including a specific requirement in
§ 99.7(a)(3)(iii) that an educational
agency or institution that has a policy of
disclosing information under
§ 99.31(a)(1) must include in its annual
notice a specification of criteria for
determining who constitutes a school
official and what constitutes a legitimate
educational interest. A number of
commenters requested clarification
about the applicability of
§ 99.31(a)(1)(i)(B) to State authorities
that operate State longitudinal data
systems that maintain records of local
educational agencies (LEAs) or
institutions and are responsible for
certain reporting requirements under
the No Child Left Behind Act. Some of
these commenters believe that State
authorities operating these systems are
‘‘school officials’’ under § 99.31(a)(1)
who should be able to disclose
education records for the purpose of
outsourcing under § 99.31(a)(1)(i)(B).
One commenter recommended that
the regulations permit the disclosure of
education records to non-educational
State agencies for evaluation purposes
under § 99.31(a)(1). Another commenter
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
asked that we revise the regulations to
permit representatives of the Centers for
Disease Control and Prevention to
access education records for the purpose
of public health surveillance under the
‘‘school officials’’ exception.
Another commenter requested further
guidance on how § 99.31(a)(1) would
apply to local law enforcement officers
who work in collaboration with schools
in various capacities and whether
education records could be shared with
these officers in order to ensure safe
campuses.
Discussion: The Secretary does not
agree that the proposed changes to
§ 99.31(a)(1) go beyond the plain
reading of the statute and congressional
intent. As we explained in the NPRM,
FERPA’s broad definition of education
records includes records that are
maintained by ‘‘a person acting for’’ an
educational agency or institution. 20
U.S.C. 1232g(a)(4)(A)(ii); see 34 CFR
99.3. (In floor remarks describing the
meaning of the definition of education
records, Senators James Buckley and
Claiborne Pell, principal sponsors of the
December 1974 FERPA amendments,
specifically referred to materials that are
maintained by a school ‘‘or by one of its
agents.’’ See ‘‘Joint Statement in
Explanation of Buckley/Pell
Amendment’’ (Joint Statement), 120
Cong. Rec. S21488 (Dec. 13, 1974).)
Although the Secretary is concerned
that educational agencies and
institutions not misapply § 99.31(a)(1),
the changes to the regulations are
necessary to clarify the scope of the
‘‘school officials’’ exception in FERPA.
We disagree with commenters that the
requirement in § 99.31(a)(1)(i)(B)(1) that
the outside party must perform an
institutional service or function for
which the agency or institution would
otherwise use employees is too
restrictive or unworkable. The
requirement serves to ensure that the
‘‘school officials’’ exception does not
expand into a general exception to the
consent requirement in FERPA that
would allow disclosure any time a
vendor or other outside party wants
access to education records to provide a
product or service to schools, parents,
and students. As explained in the
preceding paragraphs and in the NPRM,
73 FR 15578–15579, the statutory basis
for expanding the ‘‘school officials’’
exception to outside service providers is
that they are ‘‘acting for’’ the agency or
institution, not selling products and
services. This means, for example, that
a school may not use the ‘‘school
officials’’ exception to disclose
personally identifiable information from
a student’s education record, such as the
student’s SSN or student ID number,
PO 00000
Frm 00010
Fmt 4701
Sfmt 4700
without consent, to an insurance
company that wishes to offer students a
discount on auto insurance because the
school is not outsourcing an
institutional service or function for
which it would otherwise use its own
employees.
Further, the requirement that the
outside party must be performing
services or functions an employee
would otherwise perform does not mean
that a school employee must be able to
perform the outsourced service in order
for the outside party to be considered a
school official under
§ 99.31(a)(1)(i)(B)(1). For example, many
school districts outsource their legal
services on an as-needed basis. Even
though these school districts may have
never hired an attorney as an employee,
they may still disclose personally
identifiable information from education
records to outside legal counsel to
whom they have outsourced their legal
services. FERPA does not otherwise
restrict whether a school may outsource
institutional services and functions; it
only addresses to whom and under what
conditions personally identifiable
information from students’ education
records may be disclosed.
Once a school has determined that an
outside party is a ‘‘school official’’ with
a ‘‘legitimate educational interest’’ in
viewing certain education records, that
party may have access to the education
records, without consent, in order to
perform the required institutional
services and functions for the school.
These outside parties may include
parents and other volunteers who assist
schools in various capacities, such as
serving on official committees, serving
as teachers’ aides, and working in
administrative offices, where they need
access to students’ education records to
perform their duties.
The disclosure of education records
under any of the conditions listed in
§ 99.31, including the ‘‘school officials’’
exception, is permissive and not
required. (Only parents and eligible
students have a right under FERPA to
inspect and review their education
records.) Therefore, schools should
always use good judgment in
determining the extent to which
volunteers, as well as other school
officials, need to have access to
education records and to ensure that
school officials, including volunteers,
do not improperly disclose information
from students’ education records.
We decline to adopt commenters’
suggestion that we include in
§ 99.31(a)(1)(i)(B) a list of the types of
parties who may serve as school
officials and receive personally
identifiable information from education
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
records in connection with the
institutional services and functions
outsourced by the school. We think it
would be impossible to provide a
comprehensive listing and believe that
agencies and institutions are in the best
position to make these determinations.
At the discretion of a school, school
officials may include school
transportation officials (including bus
drivers), school nurses, practicum and
fieldwork students, unpaid interns,
consultants, contractors, volunteers, and
other outside parties providing
institutional services and performing
institutional functions, provided that
each of the requirements in
§ 99.31(a)(1)(i)(B) has been met.
Under § 99.31(a)(1), a university could
outsource the practical training of
students. The information disclosed to
the hospital, clinic, or business
conducting the practical training may
only be used for the purposes for which
it was disclosed. In the NPRM, we
discuss in more detail the types of
services and functions covered under
§ 99.31(a)(1)(i)(B). (73 FR 15578–15580.)
In response to the comment about the
applicability of § 99.31(a)(1)(i)(B) to
State educational authorities that
operate State longitudinal data systems,
such officials are not ‘‘school officials’’
under FERPA. Rather, these officials are
generally considered authorized
representatives of a State educational
authority, and LEAs typically disclose
information from students’ education
records to a longitudinal data system
maintained by an SEA or other State
educational authorities under the
exception to the consent requirement for
disclosures to authorized
representatives of State and local
educational authorities,
§ 99.31(a)(3)(iv)), not the ‘‘school
officials’’ exception. This issue is
explained in more detail elsewhere in
this preamble under Educational
research (§§ 99.31(a)(6), 99.31(a)(3). We
also discuss disclosures to noneducational agencies, such as to public
health agencies, in the section of this
preamble entitled Disclosure of
Education Records to Non-Educational
Agencies.
Members of a school’s law
enforcement unit, as defined in § 99.8 of
the regulations, who are employed by
the agency or institution qualify as
school officials under § 99.31(a)(1)(i)(A)
if the school has complied with the
notification requirements in
§ 99.7(a)(3)(iii). As school officials, they
may be given access to personally
identifiable information from those
students’ education records in which
the school has determined they have
legitimate educational interests. The
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
school’s law enforcement unit must
protect the privacy of education records
it receives and may disclose them only
with consent or under one of the
exceptions to consent listed in § 99.31.
For that reason, it is advisable that
officials of a law enforcement unit
maintain education records separately
from law enforcement unit records,
which are not subject to FERPA
requirements. As we explained in
Balancing Student Privacy and School
Safety: A Guide to the Family
Educational Rights and Privacy Act for
Elementary and Secondary Schools,
investigative reports and other records
created by an institution’s law
enforcement unit are excluded from the
definition of education records under
§ 99.3 and, therefore, are not subject to
FERPA requirements. Accordingly,
schools may disclose information from
law enforcement unit records to anyone,
including local police and other outside
law enforcement authorities, without
consent. This brochure can be found on
FPCO’s ‘‘Safe Schools & FERPA’’ Web
page: https://www.ed.gov/policy/gen/
guid/fpco/ferpa/safeschools/.
Outside police officers or other nonemployees to whom the school has
outsourced its safety and security
functions do not qualify as ‘‘school
officials’’ under FERPA unless they
meet each of the requirements of
§ 99.31(a)(1)(i)(B). If these police officers
or other outside parties do not meet the
requirements for being a school official
under FERPA, they may not have access
to students’ education records without
consent, unless there is a health or
safety emergency, a lawfully issued
subpoena or court order, or some other
exception to FERPA’s general consent
requirement under which the disclosure
falls.
With respect to our amendment to the
‘‘school officials’’ exception, we note
that § 99.32(d) excludes from the
recordation requirements disclosures of
education records that educational
agencies and institutions make to school
officials. This exclusion from the
recordation requirement will apply as
well to disclosures to contractors,
consultants, volunteers, and other
outside parties to whom an agency or
institution discloses education records
under § 99.31(a)(1)(i)(B). The
Department has long recognized that
FERPA does not prevent schools from
outsourcing institutional services and
functions; to require schools to record
disclosures to these outside parties
serving as school officials would be
overly burdensome and unworkable.
An educational agency or institution
that complies with the notification
requirements in § 99.7(a)(3)(iii) by
PO 00000
Frm 00011
Fmt 4701
Sfmt 4700
74815
specifying its policy regarding the
disclosure of education records to
contractors and other outside parties
serving as school officials provides
legally sufficient notice to parents and
students regarding these disclosures. We
have posted model notifications on our
Web site, one for postsecondary
institutions and one for LEAs. See
https://www.ed.gov/policy/gen/guid/
fpco/ferpa/ps-officials.html and https://
www.ed.gov/policy/gen/guid/fpco/
ferpa/lea-officials.html.
Changes: None.
(b) Direct Control
Comment: Some commenters asked
the Department to clarify what the term
‘‘direct control’’ means as used in
§ 99.31(a)(1)(i)(B)(2). This section
provides that in order to be considered
a ‘‘school official’’ an outside party must
be under the direct control of the agency
or institution. Some commenters asked
if this term means that the school must
monitor the operations of the outside
party, and how it affects an agency’s or
institution’s relationship with
subcontractors or third- or fourth-party
database hosting companies. One
commenter stated that the regulations
should not distinguish between whether
the education records are hosted in a
vendor’s offsite network or within the
institution’s local network servers,
while another commenter asked for
clarification of how § 99.31(a)(1)(i)(B)
applies to outsourcing electronic mail
(e-mail) services to third parties such as
Microsoft or Google.
One commenter stated that
institutions should be required to verify
that parties to whom they outsource
services have the necessary resources to
safeguard education records provided to
them.
A commenter suggested that, instead
of the proposed ‘‘direct control’’
standard, the Department adopt
language similar to the safeguarding
standard found in the Gramm-LeachBliley Act (GLB) (Pub. L. 106–102,
November 12, 1999). The commenter
suggested that, as adapted in FERPA,
the standard would require that for an
outside party, acting on behalf of an
educational institution, to be considered
a ‘‘school official,’’ the institution
would have to: (1) Take reasonable steps
to select and retain contractors,
consultants, volunteers, or other outside
parties that are capable of maintaining
appropriate safeguards with respect to
education records; and (2) mandate by
contract that the outside party
implement and maintain such
safeguards.
Discussion: The term ‘‘direct control’’
in § 99.31(a)(1)(i)(B)(2), is intended to
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74816
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
ensure that an educational agency or
institution does not disclose education
records to an outside service provider
unless it can control that party’s
maintenance, use, and redisclosure of
education records. This could mean, for
example, requiring a contractor to
maintain education records in a
particular manner and to make them
available to parents upon request. We
are revising the regulations, however, to
provide this clarification.
Neither the statute nor the FERPA
regulations specifically requires that
educational agencies and institutions
verify that outside parties to whom
schools outsource services have the
necessary resources to safeguard
education records provided to them.
However, as discussed in the NPRM,
educational agencies and institutions
are responsible under FERPA for
ensuring that they themselves do not
have a policy or practice of releasing,
permitting the release of, or providing
access to personally identifiable
information from education records,
except in accordance with FERPA. This
includes ensuring that outside parties
that provide institutional services or
functions as ‘‘school officials’’ under
§ 99.31(a)(1)(i)(B) do not maintain, use,
or redisclose education records except
as directed by the agency or institution
that disclosed the information.
The ‘‘direct control’’ requirement is
intended to apply only to the outside
party’s provision of specific
institutional services or functions that
have been outsourced and the education
records provided to that outside party to
perform the services or function. It is
not intended to affect an outside service
provider’s status as an independent
contractor or render that party an
employee under State or Federal law.
We believe that the use of the ‘‘direct
control’’ standard strikes an appropriate
balance in identifying the necessary and
proper relationship between the school
and its outside parties that are serving
as ‘‘school officials.’’ The
recommendation that we adopt a
standard more closely aligned with the
GLB standard does not appear workable,
especially with regard to requiring that
schools enter into formal contracts with
each outside party performing services,
including parent-volunteers. However,
one way in which schools can ensure
that parties understand their
responsibilities under FERPA with
respect to education records is to clearly
describe those responsibilities in a
written agreement or contract.
Exercising direct control could prove
more challenging in some situations
than in others. Schools outsourcing
information technology services, such as
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
web-based and e-mail services, should
make clear in their service agreements
or contracts that the outside party may
not use or allow access to personally
identifiable information from education
records, except in accordance with the
requirements established by the
educational agency or institution that
discloses the information.
Changes: We have revised
§ 99.31(a)(1)(B)(2) to clarify that the
outside party must be under the direct
control of the agency or institution with
respect to the use and maintenance of
information from education records.
(c) Protection of Records by Outside
Parties Serving as School Officials
Comment: We received several
comments on proposed
§ 99.31(a)(1)(i)(B)(3), which provides
that an outside party serving as a
‘‘school official’’ is subject to the
requirement in § 99.33(a), regarding the
use and redisclosure of personally
identifiable information from education
records. One commenter stated that,
while he supported and welcomed this
clarification, the proposed regulations
did not go far enough to clarify that
these outside third parties could not use
education records of multiple
institutions for which they serve as a
contractor to engage in activities not
associated with the service or function
they were providing.
Some commenters suggested that the
regulations should require all school
officials who handle education records,
including parties to whom institutional
services and functions are outsourced,
to participate in annual training and to
undergo fingerprint and background
investigations.
Another commenter stated that any
disclosures associated with the
outsourcing of institutional services and
functions should include a record that
will serve as an audit trail. The
commenter noted that both the Health
Insurance Portability and
Accountability Act (HIPAA) and the
Privacy Act of 1974 require the
maintenance of audit trails or an
accounting of disclosures of records.
Discussion: An agency or institution
must ensure that an outside party
providing institutional services or
functions does not use or allow access
to education records except in strict
accordance with the requirements
established by the educational agency or
institution that discloses the
information. Section 99.33(a)(2) of the
FERPA regulations applies to employees
and outside service providers alike and
prohibits the recipient from using
education records for any purpose other
than the purposes for which the
PO 00000
Frm 00012
Fmt 4701
Sfmt 4700
disclosure was made. This includes
ensuring that outside parties do not use
education records in their possession for
purposes other than those specified by
the institution that disclosed the
records.
FERPA does not specifically require
that educational agencies and
institutions provide annual training to
school officials that handle education
records, and we decline to establish
such a requirement in these regulations.
Educational agencies and institutions
should have flexibility in determining
the best way to ensure that school
officials are made aware of the
requirements of FERPA. However, for
entities subject to the Individuals with
Disabilities Education Act (IDEA), 34
CFR 300.623(c) provides that all persons
collecting or using personally
identifiable information must receive
training or instruction regarding their
State’s policies and procedures under 34
CFR 300.123 (Confidentiality of
personally identifiable information) and
34 CFR Part 99, the FERPA regulations.
We note that while schools are certainly
free to implement a policy requiring
school officials and parties to whom
services have been outsourced to
undergo fingerprint and background
investigations, there is no statutory
authority in FERPA to include such a
requirement in the regulations.
We note also that the Department
routinely provides compliance training
on FERPA for school officials.
Typically, presentations are made
throughout the year to national,
regional, or State educational
association conference workshops with
numerous institutions in attendance.
Training sessions are also scheduled for
State departments of education and
local school districts in the vicinity of
any conference.
For a discussion of the comment that
recommended that the regulations
require that schools maintain an audit
trail or an accounting of disclosures to
school officials, including outside
providers, see the discussion under the
following section entitled Control of
Access to Education Records by School
Officials.
Changes: None.
Control of Access to Education Records
by School Officials (§ 99.31(a)(1)(ii))
Comment: Many commenters
supported proposed § 99.31(a)(1)(ii),
which requires an educational agency or
institution to use reasonable methods to
ensure that school officials have access
to only those education records in
which the official has a legitimate
educational interest. In this section, we
also proposed that an educational
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
agency or institution that does not use
physical or technological access
controls must ensure that its
administrative policy for controlling
access to education records is effective
and that it remains in compliance with
the ‘‘legitimate educational interest’’
requirement.
One commenter who supported the
proposed regulations expressed concern
that not all districts and institutions
have the financial or technological
resources to create or purchase an
electronic system that provides fully
automated access control and that an
institution using only administrative
controls would be required to
demonstrate that each school official
who accessed education records
possessed a legitimate educational
interest in the education records to
which the official gained access.
According to the commenter, the
regulations seem to omit the
‘‘reasonable methods’’ concept for those
schools that utilize administrative
controls rather than physical or
technological controls. The commenter
was concerned that smaller schools that
lack resources to create or purchase a
system that fully monitors record access
would be disadvantaged by having to
meet a higher standard of ensuring a
legitimate educational interest on the
part of the school officials that access
the records.
One commenter expressed concern
that the standard in § 99.31(a)(1)(ii) is
too restrictive and asked whether the
Department would use flexibility and
deference in taking into consideration
an institution’s efforts in compliance
with the requirement.
Another commenter requested that we
include in the regulations a requirement
that contractors hosting data at offsite
locations must institute effective access
control measures. The commenter stated
that many schools and contractors are
uncertain as to whether the school or
the contractor is responsible for
ensuring that access controls are applied
to data hosted by contractors.
One commenter stated that the
regulations created an unnecessary
burden, as school districts already do
their best to comply with FERPA and an
occasional mistake should be excused.
The commenter, however, was pleased
that the regulations do not require the
use of technological controls. The
commenter was concerned that schools
are unable to pre-assign risk levels to
categories of records in order to
determine appropriate methods to
mitigate improper access. The
commenter supported the use of
effective administrative controls as
determined by a district to ensure that
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
information is available only to those
with a legitimate educational interest.
One commenter expressed concern
that the requirement to use reasonable
methods to ensure appropriate access
was not sufficiently restrictive, because
under the regulations, all volunteers
would be designated as school officials.
The commenter believed that the
regulations would enable volunteers to
gain access more easily to confidential
and sensitive information in education
records.
A commenter who is a parent of a
special education student also
expressed concern that the language in
the regulations was not adequate. The
commenter described a software
package used by her district that permits
all school officials unrestricted access to
the IEPs of all special education
students.
Discussion: Section 99.30 requires
that a parent or eligible student provide
written consent for a disclosure of
personally identifiable information from
education records unless the
circumstances meet one of the
exceptions to consent, such as the
release of information to a school
official with a legitimate educational
interest. Thus, a district or institution
that makes a disclosure solely on the
basis that the individual is a school
official violates FERPA if it does not
also determine that the school official
has a legitimate educational interest.
The regulations in § 99.31(a)(1)(ii) are
designed to clarify the responsibility of
the educational agency or institution to
ensure that access to education records
by school officials is limited to
circumstances in which the school
official possesses a legitimate
educational interest.
We believe that the standard of
‘‘reasonable methods’’ is sufficiently
flexible to permit each educational
agency or institution to select the proper
balance of physical, technological, and
administrative controls to effectively
prevent unauthorized access to
education records, based on their
resources and needs. In order to
establish a system driven by physical or
technological access controls, a school
would generally first determine when a
school official has a legitimate
educational interest in education
records and then determine which
physical or technological access
controls are necessary to ensure that the
official can access only those records.
The regulations require a school that
uses only administrative controls to
ensure that its administrative policy for
controlling access to education records
is effective and that the school is in
compliance with the legitimate
PO 00000
Frm 00013
Fmt 4701
Sfmt 4700
74817
educational interest requirement in
§ 99.31(a)(1)(i)(A). However, the
‘‘reasonable methods’’ standard applies
whether the control is physical,
technological, or administrative.
The regulations permit the use of a
variety of methods to protect education
records, in whatever format, from
improper access. The Department
expects that educational agencies and
institutions will generally make
appropriate choices in designing records
access controls, but the Department
reserves the right to evaluate the
effectiveness of those efforts in meeting
statutory and regulatory requirements.
The additional language that one
commenter requested concerning
outsourcing is already included in the
regulations in § 99.31(a)(1). That section
specifically provides that contractors are
subject to the same conditions
governing the access and use of records
that apply to other school officials. As
long as those conditions are met, the
physical location in which the
contractor provides the service is not
relevant.
Because the regulations permit the
use of a variety of methods to effectively
reduce the risk of unauthorized access
to education records, we do not believe
the requirement to establish ‘‘reasonable
methods’’ for controlling access is
unduly burdensome. Schools have the
flexibility to decide the method or
methods best suited to their own
circumstances. For the many schools,
districts, and institutions that already
meet the standard, no operational
changes should be necessary.
The regulations do not designate all
volunteers as school officials. Rather,
the regulations clarify that schools may
designate volunteers as school officials
who may be provided access to
education records only when the
volunteer has a legitimate educational
interest. Schools can and should
carefully assess and limit access by any
school official, including volunteers.
This issue is discussed in more detail
previously in this preamble under the
section entitled Outsourcing.
With regard to the parent who
expressed concern that the language in
the regulations was not adequate to
address the problem of software that
permits all school officials to access the
IEPs of all special education students,
we believe that the language in
§ 99.31(a)(1)(ii) is sufficient. As
previously noted, FERPA prohibits
school officials from having access to
education records unless they have a
legitimate educational interest. The
commenter’s point illustrates the need
for educational agencies and institutions
to ensure that adequate controls are in
E:\FR\FM\09DER2.SGM
09DER2
74818
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
place to restrict access to education
records only to a school official with a
legitimate educational interest.
Changes: None.
Transfer of Education Records to
Student’s New School (§§ 99.31(a)(2)
and 99.34(a))
Comment: All of the comments we
received on proposed §§ 99.31(a)(2) and
99.34(a) supported the clarification that
an educational agency or institution
may disclose a student’s education
records to officials of another school,
school system, or institution of
postsecondary education not just when
the student seeks or intends to enroll,
but after the student is already enrolled,
so long as the disclosure is for purposes
related to the student’s enrollment or
transfer. Some commenters noted that
this clarification reduces legal
uncertainty about how long a school
may continue to send records or
information to a student’s new school;
other commenters noted that this
clarification will be helpful in serving
students who are homeless or in foster
care because these students are often
already enrolled in a new school system
while waiting for records from a
previous enrollment.
A few commenters asked us to clarify
the requirement that the disclosure must
be for purposes related to the student’s
enrollment or transfer. The commenters
asked whether this meant that only
records specifically related to the new
school’s decision to admit the student or
records related to the transfer of course
credit could be disclosed, or whether
the agency or institution could also
disclose information about previously
undisclosed disciplinary actions related
to the student’s ongoing attendance at
the new institution. One commenter
suggested that we remove the
requirement that the disclosure must be
for purposes of the student’s enrollment
or transfer because it was confusing and
unnecessary. Some commenters asked
the Department to provide guidance
about the types of records that may be
sent under the regulations to a student’s
new school, noting that the preamble to
the NPRM stated that the regulations
allow school officials to disclose any
and all education records, including
health and disciplinary records, to the
new school (73 FR 15581).
One commenter asked us to clarify
that any school, not just the school the
student attended most recently, may
disclose information from education
records to the institution that the
student currently attends. Another
commenter asked whether the amended
regulations would permit the disclosure
of education records to an institution in
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
which a student seeks information or
services but not enrollment, such as
when a charter school student requests
an evaluation under the IDEA from the
student’s home school district.
Two commenters asked whether
mental health and other treatment
records of postsecondary students,
which are excluded from the definition
of education records under FERPA,
could be disclosed to the new school.
Other commenters asked whether
FERPA places any limits on the transfer
of information about student
disciplinary actions to colleges and
universities and what information a
postsecondary institution may ask for
and receive regarding a student’s
disciplinary actions. A few commenters
asked us to address the relationship
between these regulations and guidance
issued by the Department’s Office for
Civil Rights (OCR) prohibiting the preadmission release of information about
a student’s disability under section 504
of the Rehabilitation Act of 1973, as
amended, and Title II of the Americans
with Disabilities Act of 1990, as
amended.
Discussion: The regulations are
intended to eliminate uncertainty about
whether, under § 99.31(a)(2), an
educational agency or institution may
send education records to a student’s
new school even after the student is
already enrolled and attending the new
school. The requirement that the
disclosure must be for purposes related
to the student’s enrollment or transfer is
not intended to limit the kind of records
that may be disclosed under this
exception. Instead, the regulations are
intended to clarify that, after a student
has already enrolled in a new school,
the student’s former school may
disclose any records or information,
including health records and
information about disciplinary
proceedings, that it could have
disclosed when the student was seeking
or intending to enroll in the new school.
These regulations apply to any school
that a student previously attended, not
just the school that the student attended
most recently. For example, under
§ 99.31(a)(2), a student’s high school
may send education records directly to
a graduate school in which the student
seeks admission, or is already enrolled.
Section 99.34(b), which explains the
conditions that apply to the disclosure
of information to officials of another
school, school system, or postsecondary
institution, allows a public charter
school or other agency or institution to
disclose the education records of one of
its students in attendance to the
student’s home school district if the
student receives or seeks to receive
PO 00000
Frm 00014
Fmt 4701
Sfmt 4700
services from the home school district,
including an evaluation under the IDEA.
We note, however, that the
confidentiality of information
regulations under Part B of the IDEA
contain additional consent requirements
that may also apply in these
circumstances.
Under section 444(a)(4)(B)(iv) of
FERPA, 20 U.S.C. 1232g(a)(4)(B)(iv),
medical and psychological treatment
records of eligible students are excluded
from the definition of education records
if they are made, maintained, and used
only in connection with treatment of the
student and disclosed only to
individuals providing the treatment,
including treatment providers at the
student’s new school. (While the
comment concerned records of
postsecondary students, we note that
the treatment records exception to the
definition of education records applies
also to any student who is 18 years of
age or older, including 18 year old high
school students.) An educational agency
or institution may disclose an eligible
student’s treatment records to the
student’s new school for purposes other
than treatment provided that the records
are disclosed under one of the
exceptions to written consent under
§ 99.31(a), including § 99.31(a)(2), or
with the student’s written consent
under § 99.30. If an educational agency
or institution discloses an eligible
student’s treatment records for purposes
other than treatment, the treatment
records are no longer excluded from the
definition of education records and are
subject to all other FERPA requirements,
including the right of the eligible
student to inspect and review the
records and to seek to have them
amended under certain conditions. In
practical terms, this means that an
agency or institution may disclose an
eligible student’s treatment records to
the student’s new school either with the
student’s written consent, or under one
of the exceptions in § 99.31(a),
including § 99.31(a)(2), which permits
disclosure to a school where a student
seeks or intends to enroll, or where the
student is already enrolled so long as
the disclosure is for purposes related to
the student’s enrollment or transfer.
FERPA does not contain any
particular restrictions on the disclosure
of a student’s disciplinary records.
Further, Congress has enacted
legislation to ensure that schools
transfer disciplinary records to a
student’s new school in certain
circumstances. In particular, section
444(h) of the statute, 20 U.S.C. 1232g(h),
and the implementing regulations in
§ 99.36(b) provide that nothing in
FERPA prevents an educational agency
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
or institution from including in a
student’s records and disclosing to
teachers and school officials, including
those in other schools, appropriate
information about disciplinary actions
taken against the student for conduct
that posed a significant risk to the safety
or well-being of that student, other
students, or other members of the school
community. This authority is in
addition to any other authority in
FERPA for the disclosure of education
records without consent, including the
authority under § 99.36(a) to disclose
education records in connection with a
health or safety emergency. In addition,
section 4155 of the Elementary and
Secondary Education Act of 1965
(ESEA), 20 U.S.C. 7165, as amended by
the No Child Left Behind Act of 2001
(NCLB), requires a State that receives
funds under the ESEA to have a
procedure in place to facilitate the
transfer of disciplinary records, with
respect to a suspension or expulsion, by
LEAs to any private or public
elementary school or secondary school
for any student who is enrolled or seeks,
intends, or is instructed to enroll, on a
full-or part-time basis, in the school.
There are, however, other Federal
laws, such as the IDEA, section 504 of
the Rehabilitation Act of 1973, as
amended (Rehabilitation Act), and Title
II of the Americans with Disabilities Act
of 1990, as amended (ADA), with
different requirements that may affect
the release of student information. For
example, educational agencies and
institutions that are ‘‘public agencies’’
or ‘‘participating agencies’’ under the
IDEA must comply with the
requirements in the Part B
confidentiality of information
regulations. See, e.g., 34 CFR
300.622(b)(2) and (3). By way of further
illustration, because educational
agencies and institutions receive
Federal financial assistance, they must
comply with the regulations
implementing section 504 of the
Rehabilitation Act, which generally
prohibit postsecondary institutions from
making pre-admission inquiries about
an applicant’s disability status. See 34
CFR 104.42(b)(4) and (c). However, after
admission, in connection with an
emergency and if necessary to protect
the health or safety of a student or other
persons as defined under FERPA and its
implementing regulations, section 504
of the Rehabilitation Act and Title II of
the ADA do not prohibit postsecondary
institutions from obtaining information
and education records concerning a
current student, including those with
disabilities, from any school previously
attended by the student. See the
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
discussion in the section entitled Health
or Safety Emergency (§ 99.36).
Changes: None.
Ex Parte Court Orders Under the USA
Patriot Act (§ 99.31(a)(9))
Comment: Two commenters
expressed support for the proposed
regulations, which incorporate statutory
changes that allow an educational
agency or institution to comply with an
ex parte court order issued under the
USA Patriot Act. One commenter said
that it would be helpful to add to the
regulations a statement from the
preamble to the NPRM that an
institution is not responsible for
determining the relevance of the
information sought or the merits of the
underlying claim for the court order.
Several commenters opposed
§ 99.31(a)(9). One commenter said that
the USA Patriot Act is unconstitutional
and that its provisions will sunset in
2009. Another commenter said that the
regulations harm its ability to preserve
the confidentiality of education records,
particularly those of foreign students.
The commenter asked us to change the
regulations to permit institutions to
notify students when records are
requested, unless the ex parte court
order specifically states that the student
should not be notified. Another
commenter said that schools should be
required to notify parents when records
are requested and to record the
disclosure.
Discussion: The USA Patriot Act
amendments to FERPA have not been
ruled unconstitutional, and its
provisions relevant to FERPA do not
sunset in 2009. Therefore, we are
implementing these provisions in our
regulations at this time.
Under the USA Patriot Act, the U.S.
Attorney General, or a designee in a
position not lower than an Assistant
Attorney General, may apply for an ex
parte court order to collect, retain,
disseminate, and use certain education
records in the possession of an
educational agency or institution
without regard to any other FERPA
requirements, including in particular
the recordkeeping requirements. 20
U.S.C. 1232g(j)(3) and (4). The USA
Patriot Act amendments to FERPA also
provide that an educational agency or
institution that complies in good faith
with the court order is not liable to any
person for producing the information.
Nothing in these amendments,
including the ‘‘good faith’’ requirement,
requires an educational agency or
institution to evaluate the underlying
merits or legal sufficiency of the court
order before disclosing the requested
information without consent. As with
PO 00000
Frm 00015
Fmt 4701
Sfmt 4700
74819
any court order or subpoena that forms
the basis of a disclosure without consent
under § 99.31(a)(9), the agency or
institution must simply determine
whether the ex parte court order is
facially valid. We see no reason to
include this general requirement in the
regulations.
Section 99.31(a)(9)(ii) requires an
agency or institution to make a
reasonable effort to notify a parent or
eligible student of a judicial order or
lawfully issued subpoena in advance of
compliance, except for certain law
enforcement subpoenas if the court has
ordered the agency or institution not to
disclose the existence or contents of the
subpoena or information disclosed. An
ex parte order is by definition an order
issued without notice to or argument
from the other party, including the party
whose education records are sought,
and the USA Patriot Act amendments
provide that the Attorney General may
collect and use the records without
regard to any FERPA requirements,
including the recordation requirements.
Under this statutory authority, the
regulations properly provide that the
agency or institution is not required to
notify the parent or eligible student
before complying with the order or to
record the disclosure.
We do not agree with the commenter’s
request that we amend the regulations to
allow agencies and institutions to notify
parents and students and record these
disclosures. We note that FERPA does
not prohibit an educational agency or
institution from notifying a parent or
student or recording a disclosure made
in compliance with an ex parte court
order under the USA Patriot Act.
However, an agency or institution that
does so may violate the terms of the
court order itself and may also fail to
meet the good faith requirements in the
USA Patriot Act for avoiding liability for
the disclosure. We would also
recommend that agencies and
institutions consult with legal counsel
before notifying a parent or student or
recording a disclosure of education
records made in compliance with an ex
parte court order under the USA Patriot
Act.
Changes: None.
Registered Sex Offenders
(§ 99.31(a)(16))
Comment: One commenter asked for
clarification whether the proposed
regulations authorizing the disclosure of
personally identifiable information from
education records concerning registered
sex offenders authorize only the
disclosure of information that is
received from local law enforcement
officials, or whether disclosure could
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74820
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
also include other information from a
student’s education records, such as
campus of attendance. A second
commenter expressed appreciation that
the regulations clarify that school
districts are not required or encouraged
to collect or maintain information on
registered sex offenders and that these
disclosures are permissible but not
required.
Discussion: The Campus Sex Crimes
Prevention Act (CSCPA) amendments to
FERPA allow educational agencies and
institutions to disclose any information
concerning registered sex offenders
provided to the agency or institution
under section 170101 of the Violent
Crime Control and Law Enforcement
Act of 1994, 42 U.S.C. 14071, commonly
known as the Wetterling Act. Since
publication of the NPRM, we have
determined that the proposed
regulations were confusing, because
they limited these disclosures to
information that was obtained and
disclosed by an agency or institution in
compliance with a State community
notification program. In fact, the CSCPA
amendments to FERPA cover any
information provided to an educational
agency or institution under the
Wetterling Act, including not only
information provided under general
State community notification programs,
which are required under subsection (e)
of the Wetterling Act, 42 U.S.C.
14071(e), but also information provided
under the more specific campus
community notification programs for
institutions of higher education, which
are required under subsection (j), 42
U.S.C. 14071(j).
The Wetterling Act requires States to
release relevant information about
persons required to register as sex
offenders that is necessary to protect the
public, including specific State
reporting requirements for law
enforcement agencies having
jurisdiction over institutions of higher
education. The exception to the consent
requirement in FERPA allows
educational agencies and institutions to
make available to the school community
any information provided to it under the
Wetterling Act. We interpret this to also
include any additional information
about the student that is relevant to the
purpose for which the information was
provided to the educational agency or
institution—protecting the public. This
could include, for example, the school
or campus at which the student is
enrolled.
The proposed regulations included a
sentence stating that FERPA does not
require or encourage agencies or
institutions to collect or maintain
information about registered sex
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
offenders. We have determined through
further review, however, that this
sentence could be confusing and should
be removed. Participating institutions
are required under section 485(f)(1) of
the Higher Education Act of 1965, as
amended, 20 U.S.C. 1092(f)(1), to advise
the campus community where it may
obtain law enforcement agency
information provided by the State under
42 U.S.C. 14071(j) concerning registered
sex offenders. Further, the Department
does not wish to discourage educational
agencies and institutions from
disclosing relevant information about a
registered sex offender in appropriate
circumstances.
Changes: We have revised the
regulations to remove the reference to
the disclosure of information obtained
by the educational agency or institution
in compliance with a State community
notification program. The regulations
now simply allow disclosure without
consent of any information concerning
registered offenders provided to an
educational agency or institution under
42 U.S.C. 14071 and applicable Federal
guidelines. We also have removed the
sentence stating that neither FERPA nor
the regulations requires or encourages
agencies or institutions to collect or
maintain information about registered
sex offenders.
Redisclosure of Education Records and
Recordkeeping by State and Local
Educational Authorities and Federal
Officials and Agencies (§§ 99.31(a)(3);
99.32(b); 99.33(b); 99.35(a)(2); 99.35(b))
(a) Redisclosure
Comment: We received a number of
comments on the proposed changes in
§ 99.35(b) that would permit State and
local educational authorities and
Federal officials and agencies listed in
§ 99.31(a)(3) to redisclose personally
identifiable information from education
records on behalf of educational
agencies and institutions without
parental consent under the existing
redisclosure authority in § 99.33(b).
(Section 99.33(b) allows an educational
agency or institution to disclose
personally identifiable information from
education records with the
understanding that the recipient may
make further disclosures of the
information on behalf of the agency or
institution if the disclosure falls under
one of the exceptions in § 99.31(a) and
the agency or institution has complied
with the recordation requirements in
§ 99.32(b).) Many commenters said that
the proposed change would ease
administrative burdens on State and
local educational authorities, agencies,
and institutions. For example, under the
PO 00000
Frm 00016
Fmt 4701
Sfmt 4700
proposed regulations, a student’s new
school district or institution would be
able to obtain the student’s prior
education records from a single State
agency instead of contacting and
waiting for records from separate
districts or institutions. Commenters
noted, however, that certain issues had
not been addressed in the proposed
regulations and that further clarification
was required. Commenters also
supported the new redisclosure
authority to the extent that it facilitates
the exchange of education records
among State educational authorities,
educational agencies and institutions,
and educational researchers through
consolidated, statewide systems or
separate data sharing arrangements.
Two commenters expressed
substantial concerns that the regulations
inappropriately expanded the situations
in which personally identifiable
information could be redisclosed
without parental or student consent.
One commenter noted that the
theoretical benefits of maintaining large,
consolidated data systems, which allow
users to track individual students over
time, do not outweigh the need to
protect individual privacy. Another
commenter stated that the regulations
should not allow State and local
educational authorities and the Federal
officials and agencies listed in
§ 99.31(a)(3) to set up and operate
record systems containing personally
identifiable information that parents
and students have no right to review or
amend, and may not even know about.
Barring the withdrawal of these
regulations, these commenters urged the
Department to strengthen or at least
preserve the safeguards and protections
that accompany this new data sharing
authority. One commenter asked us to
require any State or Federal entity that
maintains education records to provide
parents and students with annual
notification and the right to review and
amend the students’ records.
Many commenters indicated their
strong support for allowing State
educational authorities to respond to
requests for information from education
records and redisclose personally
identifiable information, whether for
data sharing systems, transferring
records to a student’s new school, or
other purposes authorized under
§ 99.31(a), without involving school
districts and postsecondary institutions.
These commenters generally thought
that State educational authorities and
Federal officials listed in § 99.31(a)(3)
should not be required to consult with
educational agencies and institutions
when redisclosing information from
education records. One commenter
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
asked us to clarify the role of the SEA
or other State educational authority as
the custodian of education records and
its authority to act for educational
agencies and institutions. Several
commenters urged us to revise the
regulations to make clear that the
redisclosing official is authorized to
make further disclosures under
§ 99.31(a) without approval from, or
further consultation with, the original
source of the records and maintain the
appropriate record related to the
redisclosure.
One commenter said that the
regulations must allow State
educational authorities to transfer
records on behalf of LEAs and
postsecondary institutions. One
commenter strongly supported the
changes in § 99.35(b) because they
would allow the State McKinney-Vento
coordinator to control transfer of
education records of abused and
homeless students to their new schools
and prevent potential abusers from
locating the student.
Some commenters believed that
current regulations impede the ability of
States to establish and operate data
sharing systems and that regulatory
changes must allow all educational
agencies, institutions, SEAs, and other
State educational authorities to
exchange data among themselves and
work with researchers. One commenter
recommended that we create a specific
exception in § 99.31(a) that would allow
data sharing across State educational
authorities in order to establish and
operate consolidated, longitudinal data
systems.
Several commenters asked for
clarification of the requirement in
§ 99.35(a)(2) that authority for an agency
or official listed in § 99.31(a)(3) to
conduct an audit, evaluation, or
compliance or enforcement activity is
not conferred by FERPA or the
regulations and must be established
under other Federal, State, or local law,
including valid administrative
regulations. One commenter supported
data sharing among pre-school, K–12,
and postsecondary institutions,
provided that appropriate legal
authority for the underlying audit,
evaluation, or compliance and
enforcement activity is established as
required under § 99.35(a)(2). One
commenter asked whether citation to a
specific law or regulations will be
required, or whether general State laws
that provide joint authority to evaluate
programs at all levels are sufficient for
parties to enter into data sharing
agreements under the regulations.
One commenter indicated that its
State has no laws or regulations that
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
specifically allow the State-level
advisory council to audit or evaluate
education programs, or that allow a K–
12 school district to audit or evaluate
the programs offered by postsecondary
institutions, and vice versa, and the
commenter asked whether general
authority for these entities to act under
State law would be sufficient. Two
commenters whose States do not house
their K–12 and postsecondary systems
within the same agency expressed
concern whether they will be able to
develop consolidated databases under
the regulations if their K–12 and
postsecondary agencies do not have
appropriate authority to audit or
evaluate each other’s programs.
Discussion: We continue to believe
that State and local educational
authorities and Federal officials that
receive education records under
§§ 99.31(a)(3) and 99.35 should be
permitted to redisclose education
records on behalf of educational
agencies and institutions in accordance
with the existing regulations governing
the redisclosure of information in
§ 99.33(b). We agree with the
commenters that this change will ease
administrative burdens at all levels and
facilitate the creation and operation of
statewide data sharing systems that
support the student achievement,
program accountability, transfer of
records, and other objectives of Federal
and State education programs while
protecting the privacy rights of parents
and students in students’ education
records.
We respond first to commenters’
concerns about the requirement in
§ 99.33(b) that any redisclosure of
personally identifiable information from
education records must be made on
behalf of the educational agency or
institution that disclosed the
information to the receiving party,
including any requirement for
consulting with or obtaining approval
from the educational agency or
institution that disclosed the
information. The statutory prohibitions
on the redisclosure of education records
apply to education records that SEAs,
State higher educational authorities, the
Department, and other Federal officials
receive under an exception to the
written consent requirement in FERPA,
such as §§ 99.31(a)(3) and 99.35 (for
audit, evaluation, compliance and
enforcement purposes) and § 99.31(a)(4)
(for financial aid purposes). As
explained in the preamble to the NPRM,
§ 99.33(b) allows an educational agency
or institution to disclose education
records with the understanding that the
recipient may make further disclosures
on its behalf under one of the
PO 00000
Frm 00017
Fmt 4701
Sfmt 4700
74821
exceptions in § 99.31 (73 FR 15586–
15587). In that case, the disclosing
agency or institution must record the
names of the additional parties to which
the receiving party may redisclose the
information on behalf of the educational
agency or institution and their
legitimate interests under § 99.31.
Under the regulatory framework for
redisclosing education records in
§ 99.33(b), educational agencies and
institutions retain primary
responsibility for disclosing and
authorizing redisclosure of their
education records without consent. (We
note again that the only disclosures of
education records that are mandatory
under FERPA are those made to parents
and eligible students.) The purpose of
§ 99.33(b), which allows redisclosure of
education records notwithstanding the
general statutory restrictions, has always
been to ease administrative burdens on
educational agencies and institutions
that disclose education records. The
legal basis for this accommodation is
that the recipient is acting ‘‘on behalf
of’’ the agency or institution from which
it received information from education
records and making a further disclosure
that the agency or institution would
otherwise make itself under § 99.31(a).
Section 99.33(b) does not confer on any
recipient of education records
independent authority to redisclose
those records apart from acting ‘‘on
behalf of’’ the disclosing educational
agency or institution.
The Department recognizes that the
State and local educational authorities
and Federal officials that receive
education records without consent
under § 99.31(a)(3) are responsible for
supervising and monitoring educational
agencies and institutions and that many
of them also maintain centralized data
systems that constitute a valuable
resource of information from education
records. The proposed changes to
§ 99.35(b) would allow these State and
Federal authorities and officials to
redisclose information received under
§ 99.31(a)(3) under any of the exceptions
in § 99.31(a), including transferring
education records to a student’s new
school under § 99.31(a)(2), sharing
information among other State and local
educational authorities and Federal
officials for audit or evaluation purposes
under § 99.31(a)(3), and using
researchers to conduct evaluations and
studies under § 99.31(a)(3) or
§ 99.31(a)(6), without violating the
statutory prohibitions on redisclosing
education records provided certain
conditions have been met. In the event
that an educational agency or institution
objects to the redisclosure of
information it has provided, the State or
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74822
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
local educational authority or Federal
official or agency may rely instead on
any independent legal authority it has to
further disclose the information.
We agree that current regulations
were unclear about the ability of States
to establish and operate data sharing
systems with educational agencies and
institutions, which is why we amended
§ 99.35(b). As explained in the NPRM
(73 FR 15587), §§ 99.35(a)(2) and
99.35(b) allow SEAs, higher education
authorities, and educational agencies
and institutions, including local school
districts and postsecondary institutions,
to share education records in personally
identifiable form with one another,
provided that Federal, State, or local
law authorizes the recipient to conduct
the audit, evaluation, or compliance or
enforcement activity in question.
Accordingly, data sharing arrangements
among State and local educational
authorities and educational agencies
and institutions generally must meet
these requirements to be permissible
under FERPA. (Data sharing with
educational researchers is discussed
below under Educational research.)
With respect to the comments
recommending that we create a specific
exception in § 99.31(a) to allow data
sharing across State educational
authorities in order to establish and
operate consolidated, longitudinal data
systems and other data sharing
arrangements, there is no provision in
FERPA that allows disclosure or
redisclosure of education records,
without consent, for the specific
purpose of establishing and operating
consolidated databases and data sharing
systems, and, therefore, we are without
authority to establish one in these
regulations.
In response to the questions
concerning the need for Federal, state,
or local legal authority to disclose
education records for audit or
evaluation purposes, we note that, in
general, FERPA allows educational
agencies and institutions to disclose
(and authorized recipients to redisclose)
education records without consent in
accordance with the exceptions listed in
§ 99.31(a), including for audit or
evaluation purposes under
§§ 99.31(a)(3) and 99.35. It does not,
however, provide the underlying
authority for individuals and
organizations to conduct the various
activities that may allow them to receive
education records without consent
under these exceptions. For example,
§ 99.31(a)(7) does not authorize an
organization to accredit educational
institutions; it allows educational
institutions to disclose personally
identifiable information from education
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
records, without consent, to an
organization to carry out its accrediting
functions. If that organization is not, in
fact, an accreditation authority for that
particular institution, then disclosure
under § 99.31(a)(7) is invalid and
violates FERPA. Likewise, § 99.31(a)(9)
does not authorize a court or Federal
grand jury to issue an order or
subpoena; it allows an educational
agency or institution to comply with a
facially valid order or subpoena,
without consent.
We added the requirement in
§ 99.35(a)(2) that the recipient have
authority under Federal, State, or local
law to conduct the activity for which
the disclosure was made because there
was significant confusion in the
educational community about who may
receive education records without
consent for audit and evaluation
purposes under § 99.35. For example, in
2005 the Pennsylvania Department of
Education (PDOE) asked the Department
whether, in the absence of parental
consent, a charter school LEA
responsible under State law for
providing a free appropriate public
education to students with disabilities
enrolled in the charter school could
send the local school district of
residence the IEP of each student with
a disability. The school districts of
residence claimed that they needed this
information to substantiate the charter
school’s invoices for higher payments
based on the student’s special education
status under the IDEA.
Our January 2006 response to PDOE
explained that in order to meet the
requirements for disclosure of education
records under §§ 99.31(a)(3) and 99.35,
Federal, State, or local law (including
valid administrative regulations) must
authorize the relevant State or local
educational authority to conduct the
audit, evaluation, or compliance or
enforcement activity in question. In
particular, we noted that charter schools
in Pennsylvania could disclose the IEP
cover sheet under §§ 99.31(a)(3) and
99.35 of the regulations if the State law
in question authorized a local school
district to ‘‘audit or evaluate’’ a charter
school’s request for payment of State
funds at the special education rate and
the school district needed personally
identifiable information for that
purpose, and that we would defer to the
State Attorney General’s interpretation
of State law on the matter. We also
explained that there appeared to be no
legal authority that would allow charter
schools in the State to disclose a
student’s entire IEP to the resident
school district, as requested by the
resident school districts.
PO 00000
Frm 00018
Fmt 4701
Sfmt 4700
The Department has always
interpreted §§ 99.31(a)(3) and 99.35 to
allow educational agencies and
institutions to disclose personally
identifiable information from education
records to the SEA or State higher
education board or commission
responsible for their supervision based
on the understanding that those entities
are authorized to audit or evaluate (or
enforce Federal legal requirements
related to) the education programs
provided by the agencies and
institutions whose records are
disclosed. Under this reasoning, a K–12
school district (LEA) may disclose
personally identifiable information from
education records to another LEA, or to
a State higher education board or
commission, without consent, if that
LEA, board, or commission has legal
authority to conduct the audit,
evaluation, or compliance or
enforcement activity with regard to the
disclosing district’s programs. States do
not have to house their K–12 or P–12
and postsecondary systems within the
same agency in order to take advantage
of this provision. However, they may
need to review and modify the
supervisory and oversight
responsibilities of various State and
local educational authorities to ensure
that there is valid legal authority for
LEAs, postsecondary institutions, SEAs,
and higher education authorities to
disclose or redisclose personally
identifiable information from education
records to one another under § 99.35(a)
before information is released.
It is not our intention in § 99.35(a)(2)
to require educational agencies and
institutions and other parties to identify
specific statutory authority before they
disclose or redisclose education records
for audit or evaluation purposes but to
ensure that some local, State, or Federal
legal authority exists for the audit or
evaluation, including for example an
Executive Order or administrative
regulation. The Department encourages
State and local educational authorities
and educational agencies and
institutions to seek guidance from their
State attorney general on their legal
authority to conduct a particular audit
or evaluation. The Department may also
provide additional guidance, as
appropriate.
Changes: None.
(b) Recordation Requirements
Comment: In the NPRM, 73 FR 15587,
we invited public comment on whether
an SEA, the Department, or other
official or agency listed in § 99.31(a)(3)
should be allowed to maintain the
record of the redisclosures it makes on
behalf of an educational agency or
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
institution as a means of relieving any
administrative burdens associated with
recording disclosures of education
records. One commenter urged the
Department not to delegate
responsibility for recordkeeping to State
and local educational authorities and
Federal agencies and officials that
redisclose education records under
§ 99.33(b). Another said that if a State or
local educational authority or Federal
agency or official rediscloses
information ‘‘on behalf of’’ an
educational agency or institution under
§ 99.35(b), these further disclosures
should be included in the student’s
record at the educational agency or
institution. All other comments on this
issue supported revising the regulations
to allow State and local educational
authorities and Federal officials and
agencies listed in § 99.31(a)(3) to record
any redisclosures they make under
§ 99.33(b).
Several commenters suggested that
the recordation requirements in
§ 99.32(b) would place an undue burden
on State and local officials when State
educational authorities redisclose
education records because the State
authority would need to return to each
original source of the records to record
the redisclosure. Some commenters
noted that compliance with § 99.32(b) is
practically impossible if an LEA or
postsecondary institution is required to
record all authorized redisclosures at
the time of the initial disclosure of
information to the State or Federal
authority. Two commenters suggested
that we eliminate the recordation
problem by redefining the term
disclosure so that it does not include
disclosing information under
§ 99.31(a)(3) for audit, evaluation, or
compliance and enforcement purposes.
Another commenter suggested that we
define ‘‘educational agency or
institution’’ to include State educational
authorities so that disclosures to State
educational authorities would not be
considered a disclosure under FERPA.
One commenter said that the
regulations should permit State
educational authorities to record
redisclosures as they are made and
without having to identify each student
by name. Another commenter asked for
clarification whether the recordation
requirements apply to redisclosures that
SEAs make to education researchers and
other parties that are not authorized to
make any further disclosures, and what
level of detail is required in the record
regarding who accessed the data and
what specific information was viewed.
One commenter stated that if State
educational authorities and Federal
officials are authorized to record their
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
own redisclosures of information, then
the educational agency or institution
should be required to retrieve these
records in response to a request to
review education records by parents and
eligible students who would otherwise
not know about the redisclosures. Other
commenters suggested that the State
educational authority or Federal official
could either make the redisclosure
record available directly to parents and
students or send it to the LEA or
postsecondary institution for this
purpose.
Discussion: We agree with
commenters that in order to facilitate
the operation of State data systems and
ease administrative burdens on all
parties, the regulations should allow
State educational authorities and
Federal officials and agencies to record
further disclosures they make on behalf
of educational agencies and institutions
under § 99.33(b). We are revising the
provisions of § 99.32 to address
commenters’ concerns and ensure that
these changes will not expand the
redisclosure authority of a State or local
educational authority or Federal official
or agency under § 99.35(b) and that
parents and students will have notice of
and access to any State or Federal
record of further disclosures that is
created.
In response to the commenter’s
suggestion that we define ‘‘educational
agency or institution’’ and the term
disclosure to address recordation issues
associated with the new redisclosure
authority in § 99.35(b), we note that an
educational agency or institution is
required by statute to maintain with
each student’s education records a
record of each request for access to and
each disclosure of personally
identifiable information from the
education records of the student,
including the parties who have
requested or received information and
their legitimate interests in the
information. 20 U.S.C. 1232g(b)(4)(A);
34 CFR 99.32(a). This includes each
disclosure of personally identifiable
information from education records that
an educational agency or institution
makes to an SEA or other State
educational authority and to Federal
officials and agencies, including the
Department, for audit, evaluation, or
compliance and enforcement purposes
under §§ 99.31(a)(3) and 99.35, and
under most other FERPA exceptions,
such as the financial aid exception in
§ 99.31(a)(4). (Regulatory exceptions to
the statutory recordation requirements,
which are set forth in § 99.32(d), cover
disclosures that a parent or eligible
student would generally know about
without the recordation or for which
PO 00000
Frm 00019
Fmt 4701
Sfmt 4700
74823
notice is prohibited under court order;
the exceptions do not include
disclosures made to parties outside the
agency or institution for audit,
evaluation, or compliance and
enforcement purposes.)
An educational agency or institution
is required under FERPA to record its
disclosures of personally identifiable
information from education records
even when it discloses information to
another educational agency or
institution, such as occurs under
§ 99.31(a)(2) when a school district
transfers education records to a
student’s new school. See 20 U.S.C.
1232g(b)(4)(A); 34 CFR 99.32(a).
Therefore, even if a State educational
authority were considered an
‘‘educational agency or institution’’
under § 99.1, a school district or
postsecondary institution would still be
required to record its own disclosures to
that State educational authority;
defining a State educational authority as
an educational agency or institution
would not eliminate this requirement.
Therefore, a school district or
postsecondary institution is required to
record its disclosures to any State
educational authority.
The term disclosure is defined in
§ 99.3 to mean to permit access to or the
release, transfer, or other
communication of personally
identifiable information contained in
education records to any party, by any
means, including oral, written, or
electronic means. This includes
releasing or making a student’s
education records available to school
officials within the agency or
institution, for which an exception to
the consent requirement exists under
§ 99.31(a)(1). We see no legal basis for
redefining the term disclosure to
exclude the release of personally
identifiable information to third parties
outside the educational agency or
institution under the audit, evaluation,
or compliance and enforcement
exception to the consent requirement in
§§ 99.31(a)(3) and 99.35.
With regard to the level of detail
required in the record of redisclosures,
current § 99.32(b) requires an
educational agency or institution to
record the ‘‘names of the additional
parties to which the receiving party may
disclose the information’’ on its behalf
and their legitimate interests under
§ 99.31. This means the name of the
individual (if an organization is not
involved) or the organization and the
exception under § 99.31(a) that would
allow the redisclosure to be made
without consent. Under current
§ 99.33(a)(2), the officers, employees,
and agents of a party that receives
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74824
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
information from education records may
use the information for the purposes for
which the disclosure was made without
violating the limitations on redisclosure
in § 99.33(a)(1). Therefore, we interpret
the recordation requirement in
§ 99.32(b) to mean that an educational
agency or institution may record the
name of an organization, including a
research organization, to which a
recipient may make further disclosures
under § 99.33(b) and is not required to
record the name of each individual
within the organization who is
authorized to use that information in
accordance with § 99.33(a)(2).
We also recognize that sometimes an
educational agency or institution does
not know at the time of its disclosure of
education records that the receiving
party may wish to make further
disclosures on its behalf. Therefore, we
interpret § 99.32(b) to allow a receiving
party to ask an educational agency or
institution to record further disclosures
made on its behalf after the initial
receipt of the records or information.
These same policies apply to further
disclosures made by State and local
educational authorities and Federal
officials listed in § 99.31(a)(3) that
redisclose information on behalf of
educational agencies and institutions
under the new authority in § 99.35(b).
Educational agencies and institutions
that disclose education records under
§ 99.31(a)(3) with the understanding
that the State or Federal authority or
official may make further disclosures
may continue to record those further
disclosures as provided in § 99.32(b)(1).
Like any other recipient of education
records, a State or Federal authority or
official may also ask an educational
agency or institution to record further
disclosures made on its behalf after the
initial receipt of the records or
information. It is incumbent upon a
State or Federal authority or official that
makes further disclosures on behalf of
an educational agency or institution
under § 99.33(b) to determine whether
the educational agency or institution
has recorded those further disclosures.
If the educational agency or institution
does not do so, then under the revisions
to § 99.32(b)(2)(i) in the final
regulations, the State and local
educational authority or Federal official
or agency that makes further disclosures
must maintain the record of those
disclosures.
We have also revised § 99.32(a) to
ensure that educational agencies and
institutions maintain a listing in each
student’s record of the State and local
educational authorities and Federal
officials and agencies that may make
further disclosures of the student’s
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
education records without consent
under § 99.33(b). This will help ensure
that parents and students know that the
record of disclosures maintained by an
educational agency or institution as
required under § 99.32(a) may not
contain all further disclosures made on
behalf of the agency or institution by a
State or Federal authority or official and
alert parents and students to the need to
ask for access to this additional
information. We have also revised
§ 99.32(a) to require an educational
agency or institution to obtain a copy of
the record of further disclosures
maintained at the State or Federal level
and make it available for parents and
students to inspect and review upon
request.
In response to commenters’
suggestions, the regulations in new
§ 99.32(b)(2)(ii) allow a State or local
educational authority or Federal official
or agency to identify the redisclosure by
the student’s class, school, district, or
other appropriate grouping rather than
by the name of each student whose
record was redisclosed. For example, an
SEA may record that it disclosed to the
State higher education authority the
scores of each student in grades nine
through 12 on the State mathematics
assessment for a particular year. We
believe that this procedure eases
administrative burdens while ensuring
that a parent or student may access
information about the redisclosure.
We note that the recordation
requirements under § 6401(c)(i)(IV) of
the America COMPETES Act, Public
Law 110–69, 20 U.S.C. 9871(c)(i)(IV),
are more detailed and stringent than
those required under FERPA. In
particular, a State that receives a grant
to establish a statewide P–16 education
data system under § 6401(c)(2), 20
U.S.C. 9871(c)(2), is required to keep an
accurate accounting of the date, nature,
and purpose of each disclosure of
personally identifiable information in
the statewide P–16 education data
system; a description of the information
disclosed; and the name and address of
the person, agency, institution, or entity
to whom the disclosure is made. The
State must also make this accounting
available on request to parents of any
student whose information has been
disclosed. The Department will issue
further guidance on these requirements
if the program is funded and
implemented.
Changes: We have made several
changes to § 99.32, as follows:
• New § 99.32(b)(2)(i) provides that a
State or local educational authority or
Federal official or agency listed in
§ 99.31(a)(3) that makes further
disclosures of information from
PO 00000
Frm 00020
Fmt 4701
Sfmt 4700
education records must record the
names of the additional parties to which
it discloses information on behalf of an
educational agency or institution and
their legitimate interests under § 99.31
in the information if the information
was received from an educational
agency or institution that has not
recorded the further disclosures itself or
from another State or local official or
Federal official or agency listed in
§ 99.31(a)(3).
• New § 99.32(b)(2)(ii) provides that a
State or local educational authority or
Federal official or agency that records
further disclosures of information may
maintain the record by the student’s
class, school, district or other
appropriate grouping rather than by the
name of the student.
• New § 99.32(b)(2)(iii) provides that
upon request of an educational agency
or institution, a State or local
educational authority or Federal official
or agency that maintains a record of
further disclosures must provide a copy
of the record of further disclosures to
the educational agency or institution
within a reasonable period of time not
to exceed 30 days.
• Revised § 99.32(a)(1) requires
educational agencies and institutions to
list in each student’s record of
disclosures the names of the State and
local educational authorities and
Federal officials or agencies that may
make further disclosures of the
information on behalf of the educational
agency or institution under § 99.33(b).
• New § 99.32(a)(4) requires an
educational agency or institution to
obtain a copy of the record of further
disclosures maintained by a State or
local educational authority or Federal
official or agency and make it available
in response to a parent’s or student’s
request to review the student’s record of
disclosures.
Educational Research (§§ 99.31(a)(6)
and 99.31(a)(3))
Comment: We received a number of
comments on proposed § 99.31(a)(6)(ii).
In this section, we proposed that an
educational agency or institution that
discloses personally identifiable
information without consent to an
organization conducting studies for, or
on behalf of, the educational agency or
institution must enter into a written
agreement with the organization
specifying the purposes of the study and
containing certain other elements. This
exception to the consent requirement is
often referred to as the ‘‘studies
exception.’’ While all of the comments
on this provision generally supported
the changes, many of the commenters
raised concerns about the scope and
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
applicability of the studies exception
and requested clarification on some of
the proposed changes, particularly with
regard to the provisions relating to
written agreements.
Discussion: We address commenters’
specific concerns about the key portions
of these regulations in the following
sections.
Changes: None.
(a) Scope and Applicability of
§ 99.31(a)(6)
Comment: Several commenters stated
that the proposed regulations did not
clearly indicate that the studies
exception applies to State educational
authorities. Some commenters,
assuming that § 99.31(a)(6) applied to
State educational authorities, noted that
the proposed regulations did not
provide clear authority for State
educational authorities such as an SEA,
or a State longitudinal data system using
State generated data (such as State
assessment results), to enter into
research agreements on behalf of
educational agencies and institutions.
One commenter stated that § 99.31(a)(6)
should not be interpreted to require that
research agreements be entered into by
individual schools or that any resulting
redisclosures be recorded by the
individual schools.
One commenter asked for clarification
regarding whether § 99.31(a)(6)
permitted a school to disclose a
student’s education records to his or her
previous school for the purpose of
evaluating Federal or State-supported
education programs or for improving
instruction.
Another commenter stated that the
Department should further revise the
regulations to provide that only
individuals in the organization
conducting the study who have a
legitimate interest in the information
disclosed be given access to the
information. The commenter also stated
that the Department should specifically
limit § 99.31(a)(6) to bona fide research
projects by prohibiting organizations
conducting studies under this exception
from using record-level data for other
operational or commercial purposes.
The commenter also expressed concern
about the duration of research projects,
noting that significantly more restrictive
access should be required for studies
that track personally identifiable
information for long periods of time.
The commenter stated further that the
Department should consider imposing a
time limit on how long information
obtained through longitudinal studies
can be retained.
Discussion: FERPA permits an
educational agency or institution to
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
disclose personally identifiable
information from an education record of
a student without consent if the
disclosure is to an organization
conducting studies for, or on behalf of,
the educational agency or institution to
(a) develop, validate, or administer
predictive tests; (b) administer student
aid programs; or (c) improve instruction.
20 U.S.C. 1232g(b)(1)(F); 34 CFR
99.31(a)(6). Disclosures made under the
studies exception may only be used by
the receiving party for the purposes for
which the disclosure was made and for
no other purpose or study. As such,
§ 99.31(a)(6) is not a general research
exception to the consent requirement in
FERPA but an exception for studies
limited to the purposes specified in the
statute and regulations.
We first note that it may not be
necessary or even advantageous for
State educational authorities to use the
studies exception in order to conduct or
authorize educational research because
of the limitations in § 99.31(a)(6). In
contrast, § 99.31(a)(3)(iv), under the
conditions set forth in § 99.35, allows
educational agencies and institutions,
such as LEAs and postsecondary
institutions, to disclose education
records without consent to State
educational authorities for audit and
evaluation purposes, which can include
a general range of research studies
beyond the more limited group of
studies specified under § 99.31(a)(6).
Also, as explained more fully elsewhere
in this preamble, while a State
educational authority must have the
underlying legal authority to audit or
evaluate the records it receives from
LEAs or postsecondary institutions
under § 99.35, the LEA or postsecondary
institution is not required to enter into
a written agreement for the audit or
evaluation as it is required to do under
§ 99.31(a)(6). (See Redisclosure of
Education Records and Recordkeeping
by State and Local Educational
Authorities and Federal Officials and
Agencies.) The absence of an
explanation of the authorized
representatives exception (§ 99.31(a)(3))
in the NPRM created confusion,
especially with regard to how State
departments of education may utilize
education records for evaluation
purposes. Therefore, we have included
that explanation here.
The conditions for disclosing
education records without consent
under §§ 99.31(a)(3)(iv) and 99.35 are
discussed in the Department’s
Memorandum from the Deputy
Secretary of Education (January 30,
2003) available at https://www.ed.gov/
policy/gen/guid/secletter/030130.html.
The Deputy Secretary’s memorandum
PO 00000
Frm 00021
Fmt 4701
Sfmt 4700
74825
explains that under this exception an
‘‘authorized representative’’ of a State
educational authority is a party under
the direct control of that authority, e.g.,
an employee or a contractor.
In general, the Department has
interpreted FERPA and implementing
regulations to permit the disclosure of
personally identifiable information from
education records, without consent, in
connection with the outsourcing of
institutional services and functions.
Accordingly, the term ‘‘authorized
representative’’ in § 99.31(a)(3) includes
contractors, consultants, volunteers, and
other outside parties (i.e., nonemployees) used to conduct an audit,
evaluation, or compliance or
enforcement activities specified in
§ 99.35, or other institutional services or
functions for which the official or
agency would otherwise use its own
employees. For example, a State
educational authority may disclose
personally identifiable information from
education records, without consent, to
an outside attorney retained to provide
legal services or an outside computer
consultant hired to develop and manage
a data system for education records.
The term ‘‘authorized representative’’
also includes an outside researcher
working as a contractor of a State
educational authority or other official
listed in § 99.31(a)(3) that has
outsourced the evaluation of Federal or
State supported education programs. An
outside researcher may conduct
independent research under this
provision in the sense that the
researcher may propose or initiate
research projects for consideration and
approval by the State educational
authority or other official listed in
§ 99.31(a)(3) either before or after the
parties have negotiated a research
agreement. Likewise, the State
educational authority or official does
not have to agree with or endorse the
researcher’s results or conclusions. In so
doing, an outside researcher retained to
evaluate education programs by a State
educational authority or other official
listed in § 99.31(a)(3) as an ‘‘authorized
representative’’ may be given access to
personally identifiable information from
education records, including statistical
information with unmodified small data
cells. However, the term ‘‘authorized
representative’’ does not include
independent researchers that are not
contractors or other parties under the
direct control of an official or agency
listed in § 99.31(a)(3).
While an educational agency or
institution may not disclose personally
identifiable information from students’
education records to independent
researchers, nothing in FERPA prohibits
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74826
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
them from disclosing information that
has been properly de-identified. Further
discussion of this issue is provided in
the following paragraphs and under the
section entitled Personally Identifiable
Information and De-Identified Records
and Information.
An SEA or other State educational
authority that has legal authority to
enter into agreements for LEAs or
postsecondary institutions under its
jurisdiction may enter into an agreement
with an organization conducting a study
for the LEA or institution under the
studies exception. If the SEA or other
State educational authority does not
have the legal authority to act for or on
behalf of an LEA or institution, then it
would not be permitted to enter into an
agreement with the organization
conducting the study under this
exception. As previously mentioned,
FERPA authorizes certain disclosures
without consent; it does not provide an
SEA or other State educational authority
with the legal authority to act for or on
behalf of an LEA or postsecondary
institution.
With regard to the request for
clarification whether § 99.31(a)(6)
permits a school to disclose a student’s
education records to his or her previous
school for evaluation purposes, the
studies exception only allows
disclosures to organizations conducting
studies for, or on behalf of, the
educational agency or institution that
discloses its records. The ‘‘for, or on
behalf of’’ language from the statute
does not permit disclosures under this
exception so that the receiving
organization can conduct a study for
itself or some other party. This issue is
discussed in more detail under the
section of this preamble entitled
Disclosure of Education Records to
Student’s Former Schools.
We agree with the comment that the
regulations should be revised to provide
that only those individuals in the
organization conducting the study that
have a legitimate interest in the
personally identifiable information from
education records can have access to the
records. The Secretary also shares the
commenter’s concerns about limiting
§ 99.31(a)(6) to bona fide research
projects, prohibiting commercial
utilization of education records, and
limiting the duration of research
projects. We address these issues in
greater detail in the following section
concerning written agreements.
Changes: None.
(b) Written Agreements for Studies
Comment: Several commenters
expressed concern that § 99.31(a)(6) not
be read so broadly as to erode parents’
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
and students’ privacy rights, and,
therefore, supported the restrictions that
the Secretary included in this provision.
Specifically, they supported the new
requirement that educational agencies
and institutions must enter into a
written agreement with the organization
conducting the study that specifies: the
purpose of the study, that the
information from the education records
disclosed be used only for the stated
purpose, that individuals outside the
organization may not have access to
personally identifiable information
about the students being studied, and
that the information be destroyed or
returned when it is no longer needed for
the purpose of the study.
Several commenters said that the
Department should clarify that the
existence of a written agreement is not
a rationale in and of itself for the
disclosure of education records. They
stated that the regulations should
provide explicitly that a written
agreement does not modify the
protections under FERPA or justify the
use of the records transferred other than
as permitted by the statute and the
regulations. Some of these commenters
stated that the written agreement should
include a description of the specific
records to be disclosed for the study.
Several commenters agreed with the
provision in the proposed regulations
that specified that an educational
agency or institution does not need to
agree with or endorse the conclusions or
results of the study. Other commenters
asked that we include in the regulations
the explanation provided in the
preamble to the NPRM that the school
also does not need to initiate the study.
One commenter suggested that we
change the references from ‘‘study’’ to
‘‘studies’’ so that it is clear that an
agency or institution and a research
organization could enter into one
agreement that would cover a variety of
studies that support the State’s or school
district’s educational objectives. One
commenter suggested that the
Department certify agreements between
educational agencies and research
organizations as meeting the
requirements of FERPA.
There were several comments on the
destruction of information requirements
in FERPA. Some suggested that we
include in the regulations the specific
time period by which information
disclosed to a researcher must be
destroyed, while others stated that
ongoing access to data is necessary and
that researchers should be permitted to
retain information indefinitely. Some
commenters suggested that the required
time period for the destruction or return
of education records, as deemed
PO 00000
Frm 00022
Fmt 4701
Sfmt 4700
necessary by the parties to support the
purposes of the authorized study or
studies, be established in the written
agreement.
One commenter approved including
the requirements regarding the use and
destruction of data in the written
agreement as a way of improving
compliance with FERPA. However, the
commenter questioned our explanation
that the language in the statute
providing that the study must be
conducted ‘‘for, or on behalf of’’ the
educational agency or institution means
that the disclosing school must retain
control over the information once it has
been given to a third party conducting
a study. The commenter believed that
school districts will not be involved in
how a study is performed and that the
written agreement with the organization
specifying the organization’s obligations
with regard to the use and destruction
of data should be sufficient.
Discussion: The Secretary shares the
concerns raised by commenters that
§ 99.31(a)(6) not be read so broadly as to
erode parents’ and students’ privacy
rights. Accordingly, we have revised
§ 99.31(a)(6) to address some of these
concerns and believe that these changes
will provide adequate protection of
students’ education records that may be
disclosed under the studies exception.
In the NPRM, we proposed to remove
current § 99.31(a)(6)(ii)(A) and (B) and
included these requirements under the
provisions for written agreements.
These paragraphs provide that the study
must be conducted in a manner that
does not permit personal identification
of parents and students by individuals
other than representatives of the
organization and that the information be
destroyed when no longer needed for
the purposes for which the study was
conducted. We are including
§ 99.31(a)(6)(ii)(A) and (B) in the final
regulations. After reviewing comments
on the proposed changes, we concluded
that, by moving these two provisions
into the new paragraph relating to
written agreements, we would have
weakened the statutory requirements
concerning the studies exception. We
believe this correction will alleviate
commenters’ concerns about weakening
parents’ and students’ privacy rights
under FERPA.
We agree with the comments that the
existence of a written agreement is not
a rationale in and of itself for the
disclosure of education records. As a
privacy statute, FERPA requires that
parents and eligible students provide
written consent before educational
agencies and institutions disclose
personally identifiable information from
students’ education records. There are
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
several statutory exceptions to FERPA’s
general consent rule, one of which is
§ 99.31(a)(6), an exception that permits
disclosure of records for studies limited
to the purposes specified in the statute
and regulations. However, a written
agreement, a memorandum of
understanding, or a contract is not a
justification for disclosure of education
records. Rather, a disclosure must meet
the requirements in § 99.31(a)(6) or the
other permitted disclosures under
§ 99.31. If a disclosure meets the
conditions of § 99.31(a)(6), the
disclosure may be made, and the written
agreement sets forth the requirements
that must be followed when entering
into such an agreement.
As noted in our earlier discussion of
the scope and applicability of the
studies exception, the Secretary concurs
that the regulations should be revised to
require that a written agreement
expressly include the purpose, scope,
and duration of the agreed upon study,
as well as the information to be
disclosed. We also agree with
commenters that the regulations should
specifically limit any disclosures of
personally identifiable information from
students’ education records to those
individuals in the organization
conducting the study that have a
legitimate interest in the information.
This requirement is consistent with
§ 99.32(a)(3)(ii), which requires that an
educational agency or institution record
the ‘‘legitimate interests’’ the parties had
in obtaining information under FERPA.
The Secretary strongly recommends
that schools carefully limit the
disclosure of students’ personally
identifiable information under this and
the other exceptions in § 99.31 and
reminds educational agencies and
institutions that disclosures without
consent are subject to § 99.33(a)(2),
which states: ‘‘The officers, employees,
and agents of a party that receives
information under paragraph (a)(1) of
this section may use the information,
but only for the purposes for which the
disclosure was made.’’ The recordation
requirements in § 99.32 also apply to
any disclosures of personally
identifiable information made under the
studies exception. (We note that a
school does not have to record the
disclosure of information that has been
properly de-identified.)
Although FERPA permits schools to
disclose personally identifiable
information under § 99.31(a)(6) to
organizations conducting studies for or
on its behalf, the Secretary recommends
that educational agencies and
institutions release de-identified
information whenever possible under
this exception. Even when schools opt
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
not to release de-identified information
in these circumstances, we recommend
that schools reduce the risk of
unauthorized disclosure by removing
direct identifiers, such as names and
SSNs, from records that don’t require
them, even though these records may
still contain some personally
identifiable information. This is
especially important when a school also
discloses sensitive information about
students, such as type of disability and
special education services received by
the students.
We agree with commenters that
§ 99.31(a)(6) should be revised to
indicate that an educational agency or
institution is not required to initiate a
study. Additionally, we have revised
§ 99.31(a)(6) to include the word
‘‘studies’’ so that an educational agency
or institution may utilize one written
agreement for more than one study, so
long as the requirements concerning
information that must be in the
agreement are met.
While we do not have the authority
under FERPA to officially certify
agreements between educational
agencies and institutions and
organizations conducting studies, FPCO
does provide technical assistance to
educational agencies or institutions on
FERPA. As such, if school officials have
questions about whether an agreement
meets the requirements in § 99.31(a)(6),
they may contact FPCO for assistance.
With regard to the comments that we
include in the regulations a specific
time period by which information
provided under the studies exception
must be destroyed, we believe that the
parties entering into the agreement
should decide when information has to
be destroyed or returned to the
educational agency or institution. As we
have discussed, we have revised
§ 99.31(a)(6) to require that the written
agreement include the duration of the
study and the time period during which
the organization must either destroy or
return the information to the
educational agency or institution.
With regard to the comment that a
written agreement with the organization
conducting the study should be
sufficient for an educational agency or
institution to retain control over
information from education records
once the information is given to an
organization conducting a study, we
agree that a written agreement required
under the regulations will help ensure
that the information is used only to
meet the purposes of the study stated in
the written agreement and that all
applicable requirements are met.
However, similar to the requirement
that an outside service provider serving
PO 00000
Frm 00023
Fmt 4701
Sfmt 4700
74827
as a school official is subject to FERPA’s
restrictions on the use and redisclosure
of personally identifiable information
from education records, educational
agencies and institutions must ensure
that organizations with which they have
entered into an agreement to conduct a
study also comply with FERPA’s
restrictions on the use of personally
identifiable information from education
records. (See pages 15578–15580 of the
NPRM.) That is, the school must retain
control over the organization’s access to
and use of personally identifiable
information from education records for
purposes of the study or studies,
including access by the organization’s
own employees and subcontractors, as
well as any school officials whom the
organization permits to have access to
education records.
An educational agency or institution
may need to determine that the
organization conducting the study has
reasonable controls in place to ensure
that personally identifiable information
from education records is protected. We
note that it is common practice for some
data sharing agreements to have a
‘‘controls section’’ that specifies
required controls and how they will be
verified (e.g., surprise inspections). We
recommend that the agreement required
by § 99.31(a)(6) include a section that
sets forth similar requirements. If a
school is unable to verify that these
controls are in place, then it should not
disclose personally identifiable
information from education records to
an organization for the purpose of
conducting a study.
In this regard, it should be noted that
educational agencies and institutions
are responsible for any failures by an
organization conducting a study to
comply with applicable FERPA
requirements. FERPA states that if a
third party outside the educational
agency or institution fails to destroy
information in violation of 20 U.S.C.
1232g(b)(1)(F), the studies exception in
FERPA, the educational agency or
institution shall be prohibited from
permitting access to information from
education records to that third party for
a period of not less than five years. See
20 U.S.C. 1232g(b)(4)(B).
Changes: We have revised
§ 99.31(a)(6) to: (1) Retain
§ 99.31(a)(6)(ii)(A) and (B); (2) amend
§ 99.31(a)(6)(ii)(A) to provide that the
study must be conducted in a manner
that does not permit personal
identification of parents or students by
anyone other than representatives of the
organization that have legitimate
interest in the information; (3) amend
§ 99.31(a)(6)(ii)(C) to require that the
written agreement specify the purpose,
E:\FR\FM\09DER2.SGM
09DER2
74828
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
scope, and duration of the study and the
information to be disclosed; require the
organization to use personally
identifiable information from education
records only to meet the purpose or
purposes of the study as stated in the
written agreement; limit any disclosures
of information to individuals in the
organization conducting the study who
have a legitimate interest in the
information; and require the
organization to destroy or return to the
educational agency all personally
identifiable information when the
information is no longer needed for the
purposes of the study and specify the
time period during which the
organization must either destroy or
return the information to the
educational agency or institution; and
(4) amend § 99.31(a)(6) in new
paragraph (iii) to provide that an
educational agency or institution is not
required to initiate a study.
Disclosure of Education Records to
Non-Educational State Agencies
Comment: Several commenters stated
that the proposed amendments did not
specifically address whether an
educational agency or institution is
permitted to disclose education records
to non-educational State agencies, such
as State health or labor agencies, as part
of an agreement with those agencies,
without first obtaining consent. One
commenter said that because the
Department has taken the position that
education records may be shared with
State auditors who are not educational
officials and who are not, by definition,
under the control of a State educational
authority, there is no legal basis to
prohibit the disclosure of education
records to other non-educational State
and local agencies.
Some officials representing State
health agencies commented that FERPA
should be more closely aligned with the
disclosure provisions of the HIPAA
Privacy Rule. One commenter noted that
there was a critical need for public
health researchers to be able to access,
without consent, personally identifiable
information contained in student health
records to allow for analyses, public
health studies, and research that will
benefit school-aged children, as well as
the general population. One
organization representing school nurses
noted that public health officials need
access to education records for the
purposes of public health reporting,
surveillance, and reimbursement.
Several commenters recommended
that SEAs be authorized to share data
from education records with State social
services, health, juvenile, and
employment agencies, to serve the
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
needs of students, including special
needs, low-income, and at-risk students.
One SEA commented that it did not
support extending access to student data
to non-education State agencies, except
to State auditors, as specified in
proposed § 99.35(a)(3). This commenter
asserted that access to and use of
information from students’ education
records should be controlled by a
limited number of education officials
who are sensitive to the intent of FERPA
and well acquainted with its safeguards.
Discussion: There is no specific
exception to the written consent
requirement in FERPA that permits the
disclosure of personally identifiable
information from students’ education
records to non-educational State
agencies. Educational agencies and
institutions may disclose personally
identifiable information for audit or
evaluation purposes under
§§ 99.31(a)(3) and 99.35 only to
authorized representatives of the
officials or agencies listed in
§ 99.31(a)(3)(i) through (iv). Typically,
LEAs and their constituent schools
disclose education records to State
educational authorities under
§ 99.31(a)(3)(iv), such as the SEA, for
audit, evaluation, or compliance and
enforcement purposes.
There are some exceptions that might
authorize disclosures to noneducational State agencies for specified
purposes. For example, disclosures may
be made in a health or safety emergency
(§§ 99.31(a)(10) and 99.36), in
connection with financial aid
(§ 99.31(a)(4)), or pursuant to a State
statute under the juvenile justice system
exception (§§ 99.31(a)(5) and 99.38), and
any disclosures must meet the specific
requirements of the particular
exception. FERPA, however, does not
contain any specific exceptions to
permit disclosures of personally
identifiable information without
consent for public health or
employment reporting purposes. That
said, nothing in FERPA prohibits an
educational agency or institution from
importing information from another
source to perform its own evaluations.
We believe that any further expansion
of the list of officials and entities in
FERPA that may receive education
records without the consent of the
parent or eligible student must be
authorized by legislation enacted by
Congress.
We explained in the NPRM on page
15577 that, with respect to State
auditors, legislative history for the 1979
FERPA amendment indicates that
Congress specifically intended that
FERPA not preclude State auditors from
obtaining personally identifiable
PO 00000
Frm 00024
Fmt 4701
Sfmt 4700
information from education records in
order to audit Federal and State
supported education programs,
notwithstanding that the statutory
language in the amendment refers only
to ‘‘State and local educational
officials.’’ See 20 U.S.C. 1232g(b)(5);
H.R. Rep. No. 338, 96th Cong., 1st Sess.
at 10 (1979), reprinted in 1979 U.S.
Code Cong. & Admin. News 819, 824.
This legislative history provides a basis
for drawing a distinction between State
auditors and officials of other State
agencies that also are not under the
control of the State educational
authority. (As explained more fully
under State auditors, upon further
review, we have removed from the final
regulations the proposed regulations
related to State auditors and audits.)
The 1979 amendment to FERPA does
not apply to other State officials or
agencies, and there is no other
legislative history to indicate that
Congress intended that FERPA be
interpreted to permit educational
agencies and institutions, or State and
local educational authorities or Federal
officials and agencies listed in
§ 99.31(a)(3), to share students’
education records with non-educational
State officials. In fact, Congress has, on
numerous occasions, indicated
otherwise.
As discussed elsewhere in this
preamble under the heading Health or
Safety Emergency, the HIPAA Privacy
Rule specifically excludes from
coverage health care information that is
maintained as an ‘‘education record’’
under FERPA. 45 CFR 160.103,
Protected health information. We
understand that the HIPAA Privacy Rule
allows covered entities to disclose
identifiable health data without written
consent to public health authorities.
However, there is no comparable
exception to the written consent
requirement in FERPA.
As mentioned previously, in
conducting an audit, evaluation, or
compliance or enforcement activity, an
educational authority may collaborate
with other State agencies by importing
data from those sources and conducting
necessary matches. Any reports or other
information created as a result of the
data matches may only be released to
those non-educational officials in nonpersonally identifiable form.
Educational authorities may also release
information on students to noneducational officials that has been
properly de-identified, as described in
§ 99.31(b)(1).
Additionally, many agencies
providing services to low income or atrisk families have parents sign a consent
form authorizing disclosure of
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
information at intake time so that the
agency can receive necessary
information from schools. In 1993, we
amended the FERPA regulations to help
facilitate this practice. In final
regulations published in the Federal
Register on January 7, 1993 (58 FR
3188), we removed the previous
requirement in the regulations that
schools ‘‘obtain’’ consent from parents
and eligible students so that parents and
eligible students may ‘‘provide’’ a
signed and dated consent to third
parties in order for the school to
disclose education records to those
parties.
Therefore, parents can provide
consent at intake time to State and local
social services and other noneducational agencies serving the needs
of students in order to permit their
children’s schools (or the SEA) to
disclose education records to the
agency. For example, parents routinely
provide consent to the Medicaid agency
that permits that agency to collect
information from other agencies on the
family being served. In many cases
those consents are written in a manner
that complies with the consent
requirement in § 99.30, and the
student’s school may disclose
information to the Medicaid agency
necessary for reimbursement purposes
for services provided the student.
Changes: None.
Disclosure of Education Records to
Student’s Former Schools
(§§ 99.31(a)(3), 99.31(a)(6), and
99.35(b))
Comment: One commenter asked for
clarification whether a school could
disclose a student’s education records to
the student’s previous school for the
purpose of evaluating Federal or State
supported education programs or for
improving instruction. Several
commenters said that there is a critical
need for school districts to be able to
access the records of their former
students from the student’s new district
or postsecondary institution so that the
previous institution can evaluate the
effectiveness of its own education
programs. Some commenters said that
§ 99.35(a) clearly allows a K–12 data
system to use postsecondary records to
evaluate its own programs, and that a
K–12 system does not need to have legal
authority to evaluate postsecondary
programs for the disclosure to be valid
under the audit or evaluation exception.
Discussion: Section 99.31(a)(2) allows
an educational agency or institution to
disclose personally identifiable
information from education records,
without consent, to a school where the
student seeks or intends to enroll or is
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
already enrolled if the disclosure relates
to the student’s enrollment or transfer.
There is no specific authority in FERPA
for an educational agency or institution,
or a State or local educational authority,
to disclose or redisclose personally
identifiable information from education
records to a student’s former school
without consent.
As discussed above, §§ 99.31(a)(3) and
99.35 allow educational agencies and
institutions to disclose personally
identifiable information from education
records without consent to State and
local educational authorities that are
legally authorized to audit or evaluate
the disclosing institution’s programs or
records. We encourage State and local
authorities to take advantage of this
exception and establish or modify State
or local legal authority, as necessary, to
allow K–12 and postsecondary
educational authorities to audit or
evaluate one another’s programs. As
noted above, the Department will
generally defer to a State Attorney
General’s interpretation of State or local
law on these matters.
Section 99.31(a)(6) allows an
educational agency or institution to
disclose personally identifiable
information from education records
without consent to an organization
conducting a study for, or on behalf of,
the agency or institution that discloses
its records. The ‘‘for, or on behalf of’’
language from the statute and
regulations, however, does not allow the
educational agency or institution to
disclose personally identifiable
information from education records
under this exception so that the
receiving organization can conduct a
study for itself or some other party.
Further, the Secretary does not as a
policy matter support expanding the
studies exception to permit such a
disclosure because it would result in a
vast increase in the number of parties
gaining access to and maintaining
personally identifiable information on
students. As discussed below,
educational agencies and institution and
other parties, including State
educational authorities, may always
release information from education
records to a student’s former school,
without consent, if all personally
identifiable information has been
removed.
Personally Identifiable Information and
De-Identified Records and Information
(§§ 99.3 and 99.31(b))
(a) Definition of Personally Identifiable
Information
Comment: We received a number of
comments on proposed § 99.3 regarding
PO 00000
Frm 00025
Fmt 4701
Sfmt 4700
74829
changes to the definition of personally
identifiable information. One
commenter applauded the Department’s
recognition of the increasing ease of
identifying individuals from redacted
records and statistical information
because of the large amount of detailed
personal information that is maintained
on most Americans by many different
organizations. This commenter and
others, however, stated that the
proposed regulations did not go far
enough to ensure that personally
identifiable information about students
would not be released.
One commenter expressed concern
about our proposal to eliminate
paragraphs (e) and (f) from the existing
definition of personally identifiable
information, which included a list of
personal characteristics and other
information that would make a student’s
identity easily traceable. The
commenter said that this was a change
to long-standing Department policy and
represented an unwarranted invasion of
privacy that exceeds statutory authority.
This commenter also expressed concern
that eliminating the ‘‘easily traceable’’
provisions for determining whether
information was personally identifiable
could prevent parents from accessing
their children’s education records and
might allow school officials to
circumvent FERPA requirements by
using nicknames, initials, and other
personal characteristics to refer to
children.
In contrast, several commenters stated
that the regulations would be
unworkable or were too restrictive and
would prevent or discourage the release
of information from education records
needed for school accountability and
other public purposes. These
commenters stated that paragraphs (f)
and (g) in the proposed definition of
personally identifiable information,
which replaces the ‘‘easily traceable’’
provisions, would provide school
officials too much discretion to conceal
information the public deserves to have
in order to debate public policy.
Proposed paragraph (f) provided that
personally identifiable information
includes other information that, alone or
in combination, is linked or linkable to
a specific student that would allow a
reasonable person in the school or its
community, who does not have personal
knowledge of the relevant
circumstances, to identify the student
with reasonable certainty. Proposed
paragraph (g) provided that personally
identifiable information includes
information requested by a person who
the educational agency or institution
reasonably believes has direct, personal
knowledge of the identity of the student
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74830
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
to whom the education record relates,
sometimes known as a ‘‘targeted
request.’’
Several commenters expressed
support for the provisions in paragraphs
(f) and (g) of the definition of personally
identifiable information. One of these
commenters said that the ‘‘school and
community’’ limitation and the
‘‘reasonable person’’ standard in
paragraph (f) is sufficiently clear for
implementation by parties that release
de-identified records. Another
commenter said that ambiguity in the
terms ‘‘reasonable person’’ and
‘‘reasonable certainty’’ was necessary so
that organizations can develop their
own standards for addressing the
problem of ensuring that information
that is released is not personally
identifiable. This commenter asked the
Department to retain the flexibility in
the proposed language and provide
examples of policies that have been
implemented that meet the
requirements in paragraphs (f) and (g) of
the definition. The commenter said that
most school districts know when they
are receiving a targeted request
(paragraph (g)) but asked that the
Department provide examples to help
districts determine whether a nontargeted request will reveal personally
identifiable information.
Journalism and writers’ associations
expressed concern about the
‘‘reasonable person’’ standard in
paragraph (f) and our statement in the
preamble to the NPRM (73 FR 15583)
that an educational agency or institution
may not be able to release redacted
education records that concern students
or incidents that are well-known in the
school community, including when the
parent or student who is the subject of
the record contacts the media and
causes the publicity that prevents the
release of the record. These commenters
stated that FERPA should not prevent
schools from releasing records from
which all direct and indirect identifiers,
such as name, date of birth, address,
unusual place of birth, mother’s maiden
name, and sibling information, have
been removed without regard to any
outside information, particularly after a
student or parent has waived any
pretense of confidentiality by contacting
the media. They also said that the
proposed definition of personally
identifiable information does not
acknowledge the public interest in
school accountability.
One commenter said that the
‘‘reasonable person in the school or its
community’’ standard in paragraph (f)
was too narrow and inappropriate
because it would allow individuals with
even modest scientific and
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
technological abilities to identify
students based on supposedly deidentified information. Another
commenter said that the reference in
paragraph (f) to a ‘‘reasonable person’’
should be changed to ‘‘ordinary
person.’’ A commenter said that if we
retain the ‘‘reasonable person’’ standard,
we should remove the references to the
school or its community and personal
knowledge of the circumstances and
simply refer to a reasonable person.
Several commenters said the ‘‘school or
its community’’ standard is too vague
and needs to be clarified, particularly in
relation to the provision in paragraph (g)
regarding targeted requests; these
commenters said that school officials
will choose to evaluate a request for
information based on whether a
reasonable person in the community, a
broader standard than a reasonable
person in the school, could identify the
student and automatically find their
own decisions to be reasonable. One
commenter said that the phrase
‘‘relevant circumstances’’ in paragraph
(f) is vague.
One commenter said that the standard
in paragraph (f) about whether the
information requested is ‘‘linked or
linkable’’ to a specific student was too
vague and overly broad and could be
logically extended to cover almost any
information about a student. This
commenter said that the regulations
should focus on preventing the release
of records that in and of themselves
contain unique personal descriptors that
would make the student identifiable in
the school community and not refer to
outside information, including what
members of the public might know
independently of the records
themselves.
Several commenters expressed
concerns that the provision in paragraph
(g) regarding targeted requests will make
FERPA and the regulations
administratively unwieldy and
unnecessarily subjective. One of these
commenters said that paragraph (g) is
unclear and adds more confusion as
opposed to providing clarity; this
commenter said that paragraph (g)
should be removed and that the
requirements in paragraph (f) were
sufficient. Another commenter said that
the standard in paragraph (g) unfairly
holds agencies and institutions
responsible for ascertaining the
requester’s personal knowledge. One
commenter said that we should delete
the words ‘‘direct, personal’’ before
‘‘knowledge’’ because these terms are
unclear. According to this commenter, if
a school reasonably believes that the
requester knows the student’s identity,
the school should not disclose the
PO 00000
Frm 00026
Fmt 4701
Sfmt 4700
records, whether the knowledge is
‘‘direct’’ or ‘‘personal.’’
Other commenters expressed a more
general concern that the standard for
targeted requests in paragraph (g) places
an undue burden on school officials to
obtain information about the person
requesting information and creates a
potential conflict with State open
records laws. According to these
commenters, the regulations as
proposed would encourage agencies and
institutions to make illegitimate
inquiries into a requester’s motives for
seeking information and what the
requester intends to do with it, or
require the agency or institution to read
the mind of a party requesting
information. According to the
commenter, this would introduce a
degree of subjective judgment that
would invariably lead to abuse because
the same record that could be
considered a public record to one
requester could be a confidential
document to another. A large university
that has decentralized administrative
operations questioned how it could be
expected to take institutional knowledge
into account in evaluating whether a
request for records is targeted and asked
for confirmation that the Department
will not substitute its judgment for that
of the institution so long as there was a
rational basis for the decision to release
information.
We received a few comments on the
example of a targeted request that we
provided in the preamble to the NPRM
(73 FR 15583–15584), in which rumors
circulate that a candidate running for
political office plagiarized other
students’ work, and a reporter asks the
university for the redacted disciplinary
records of all students who were
disciplined for plagiarism for the year in
which the candidate graduated. We
explained that the university may not
release the records in redacted form
because the circumstances indicate that
the requester had direct, personal
knowledge of the subject of the case.
Two commenters said that confirmation
that one unnamed student was
disciplined in 1978 for plagiarism does
not identify that student or confirm that
the candidate was that student, and our
explanation of the standard with this
example showed that the regulations
would prevent parents and the media
from discharging their vital oversight
responsibilities.
One school district said that the
targeted request provision could impair
due process in some student discipline
cases by limiting the release of redacted
witness statements that concern more
than one student. The commenter
suggested that under its current
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
practice, if four students are involved in
an altercation, the school redacts all
personally identifiable information with
regard to students 2 through 4 when
releasing the statement without parental
consent to student 1, but under the
proposed regulations, student 1’s
request would violate the requirements
in paragraph (g) because of the student’s
knowledge of the identity of the other
students to whom the record relates.
This commenter said that the
regulations should not be adopted if
they do not address these due process
concerns.
Several commenters said they
appreciated the addition of a student’s
date of birth and other indirect
identifiers in the definition of
personally identifiable information.
Another commenter said that a
comprehensive list of indirect
identifiers would be helpful. One
commenter asked us to define the
concept of indirect identifiers. Another
commenter asked us to clarify which
personally identifiable data elements
may be released without consent. A
commenter asked us to define the term
biometric record as used in the
definition of personally identifiable
information.
Discussion: The Joint Statement
explains that the purpose of FERPA is
two-fold: to assure that parents and
eligible students can access the
student’s education records, and to
protect their right to privacy by limiting
the transferability of their education
records without their consent. 120 Cong.
Rec. 39862. As such, FERPA is not an
open records statute or part of an open
records system. The only parties who
have a right to obtain access to
education records under FERPA are
parents and eligible students.
Journalists, researchers, and other
members of the public have no right
under FERPA to gain access to
education records for school
accountability or other matters of public
interest, including misconduct by those
running for public office. Nonetheless,
as explained in the preamble to the
NPRM, 73 FR 15584–15585, we believe
that the regulatory standard for defining
and removing personally identifiable
information from education records
establishes an appropriate balance that
facilitates school accountability and
educational research while preserving
the statutory privacy protections in
FERPA.
The simple removal of nominal or
direct identifiers, such as name and SSN
(or other ID number), does not
necessarily avoid the release of
personally identifiable information.
Other information, such as address, date
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
and place of birth, race, ethnicity,
gender, physical description, disability,
activities and accomplishments,
disciplinary actions, and so forth, can
indirectly identify someone depending
on the combination of factors and level
of detail released. Similarly, and as
noted in the preamble to the NPRM, 73
FR 15584, the existing professional
literature makes clear that public
directories and previously released
information, including local publicity
and even information that has been deidentified, is sometimes linked or
linkable to an otherwise de-identified
record or data set and renders the
information personally identifiable. The
regulations properly require parties that
release information from education
records to address these situations.
We removed the ‘‘easily traceable’’
standard from the definition of
personally identifiable information
because it lacked specificity and clarity.
We were also concerned that the ‘‘easily
traceable’’ standard suggested that a
fairly low standard applied in protecting
education records, i.e., that information
was considered personally identifiable
only if it was easy to identify the
student.
The removal of the ‘‘easily traceable’’
standard and adoption of the standards
in paragraphs (f) and (g) will not affect
a parent’s right under FERPA to inspect
and review his or her child’s education
records. Records that teachers and other
school officials maintain on students
that use only initials, nicknames, or
personal descriptions to identify the
student are education records under
FERPA because they are directly related
to the student.
Further, records that identify a
student by initials, nicknames, or
personal characteristics are personally
identifiable information if, alone or
combined with other information, the
initials are linked or linkable to a
specific student and would allow a
reasonable person in the school
community who does not have personal
knowledge about the situation to
identify the student with reasonable
certainty. For example, if teachers and
other individuals in the school
community generally would not be able
to identify a specific student based on
the student’s initials, nickname, or
personal characteristics contained in the
record, then the information is not
considered personally identifiable and
may be released without consent.
Experience has shown, however, that
initials, nicknames, and personal
characteristics are often sufficiently
unique in a school community that a
reasonable person can identify the
student from this kind of information
PO 00000
Frm 00027
Fmt 4701
Sfmt 4700
74831
even without access to any personal
knowledge, such as a key that
specifically links the initials, nickname,
or personal characteristics to the
student.
In contrast, if a teacher uses a special
code known only by the teacher and the
student (or parent) to identify a student,
such as for posting grades, this code is
not considered personally identifiable
information under FERPA because the
only reason the teacher can identify the
student is because of the teacher’s
access to personal knowledge of the
relevant circumstances, i.e., the key that
links the code to the student’s name.
In response to the commenter who
stated that a school should not be
prevented from releasing information
when the subject of the record has
waived any pretense of confidentiality
by contacting the media and making the
incident well-known in the community,
we have found that in limited
circumstances a parent or student may
impliedly waive their privacy rights
under FERPA by disclosing information
to parties in a special relationship with
the institution, such as a licensing or
accreditation organization. However, we
have not found and do not believe that
parents and students generally waive
their privacy rights under FERPA by
sharing information with the media or
other members of the general public.
The fact that information is a matter of
general public interest does not give an
educational agency or institution
permission to release the same or
related information from education
records without consent.
The ‘‘reasonableness’’ standards in
paragraphs (f) and (g) of the new
definition, which replace the ‘‘easily
traceable’’ standard, do not require the
exercise of subjective judgment or
inquiries into a requester’s motives.
Both provisions require the disclosing
party to use legally recognized, objective
standards by referring to identification
not in the mind of the disclosing party
or requester but by a reasonable person
and with reasonable certainty, and by
requiring the disclosing party to
withhold information when it
reasonably believes certain facts to be
present. These are not subjective
standards, and these changes will not
diminish the privacy protections in
FERPA.
The standard proposed in paragraph
(f) regarding the knowledge of a
reasonable person in the school or its
community was not intended to
describe the technological or scientific
skill level of a person who would be
capable of re-identifying statistical
information or redacted records. Rather,
it provided the standard an agency or
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74832
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
institution should use to determine
whether statistical information or a
redacted record will identify a student,
even though certain identifiers have
been removed, because of a wellpublicized incident or some other factor
known in the community. For example,
as explained in the preamble to the
NPRM, 73 FR 15583, a school may not
release statistics on penalties imposed
on students for cheating on a test where
the local media have published
identifiable information about the only
student (or students) who received that
penalty; that statistical information or
redacted record is now personally
identifiable to the student or students
because of the local publicity.
Paragraph (f) in the proposed
definition provided that the agency or
institution must make a determination
about whether information is personally
identifiable information not with regard
to what someone with personal
knowledge of the relevant
circumstances would know, such as the
principal who imposed the penalty, but
with regard to what a reasonable person
in the school or its community would
know, i.e., based on local publicity,
communications, and other ordinary
conditions. We agree with the comment
that the ‘‘school or its community’’
standard was confusing because it was
not clear whether just the school itself
or the larger community in which the
school is located is the relevant group
for determining what a reasonable
person would know.
We are changing this standard in
paragraph (f) to the ‘‘school
community’’ and by this change we
mean that an educational agency or
institution may not select a broader
‘‘community’’ standard when the
information to be released would be
personally identifiable under the
narrower ‘‘school’’ standard. For
example, it might be well known among
students, teachers, administrators,
parents, coaches, volunteers, or others at
the local high school that a student was
caught bringing a gun to class last
month but generally unknown in the
town where the school is located. In
these circumstances, a school district
may not disclose that a high school
student was suspended for bringing a
gun to class last month, even though a
reasonable person in the community
where the school is located would not
be able to identify the student, because
a reasonable person in the high school
would be able to identify the student.
The student’s privacy is further
protected because a reasonable person
in the school community is also
presumed to have at least the knowledge
of a reasonable person in the local
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
community, the region or State, the
United States, and the world in general.
The ‘‘school community’’ standard,
therefore, provides the maximum
privacy protection for students.
We do not agree that the reference to
‘‘reasonable person’’ should be changed
to ‘‘ordinary person.’’ ‘‘Reasonable
person’’ is a legally recognized standard
that represents a hypothetical, rational,
prudent, average individual. It would be
confusing and inappropriate to
introduce a new term ‘‘ordinary’’ in this
context.
The standard in paragraph (f)
excludes from the ‘‘reasonable person in
the school community’’ standard
persons who have personal knowledge
of the ‘‘relevant circumstances,’’ which
one commenter considered vague.
Under this standard, an agency or
institution is not required to take into
consideration when releasing redacted
or statistical information that someone
with special knowledge of the
circumstances could identify the
student. For example, if it is generally
known in the school community that a
particular student is HIV-positive, or
that there is an HIV-positive student in
the school, then the school could not
reveal that the only HIV-positive
student in the school was suspended.
However, if it is not generally known or
obvious that there is an HIV-positive
student in school, then the same
information could be released, even
though someone with special
knowledge of the student’s status as
HIV-positive would be able to identify
the student and learn that he or she had
been suspended.
The provisions in paragraph (g)
regarding targeted requests do not
require an educational agency or
institution to ascertain or guess a
requester’s motives for seeking
information from education records or
what a requester intends to do with the
information. This paragraph addresses a
situation in which a requester seeks
what might generally qualify as a
properly redacted record but the facts
indicate that redaction is a useless
formality because the subject’s identity
is already known.
An educational agency or institution
is not required under paragraph (g) to
make any special inquiries or otherwise
seek information about the person
requesting information from education
records. It must use information that is
obvious on the face of the request or
provided by the requester, such as when
a requester asks for the redacted
transcripts of a particular student.
Paragraph (f) also requires an agency or
institution to use information known to
a reasonable person in the school
PO 00000
Frm 00028
Fmt 4701
Sfmt 4700
community, such as when a requester
asks for the redacted transcripts of all
basketball players who were expelled
for accepting bribes after the local
newspaper published a story about the
matter. Paragraphs (f) and (g) do not
require an educational agency or
institution to inquire whether a
requester has special knowledge not
available generally in the school
community that would make the subject
of the record identifiable. We disagree
with the comment that paragraph (f) is
sufficient and paragraph (g) should be
removed. Paragraph (g) addresses the
problem of targeted requests, which is
not addressed under paragraph (f).
We agree with the comment that the
provision in paragraph (g) under which
an agency or institution must determine
whether the information requested is
personally identifiable information
based on its reasonable belief that the
requester has ‘‘direct, personal’’
knowledge of the identity of the student
to whom the record relates is ambiguous
and confusing, especially in relation to
what might be considered indirect
knowledge. Therefore, we have
modified this provision so that an
educational agency or institution must
simply have a reasonable belief that the
requester knows the identity of the
student to whom the record relates.
In reviewing a complaint that an
educational agency or institution
disclosed personally identifiable
information from an education record in
response to a targeted request, the
Department would examine the request
itself, the facts on which the agency or
institution based its decision to release
the information, as well as any
information known generally in the
school community that the agency or
institution failed to take into account.
The Department would also counsel an
agency or institution about the nature of
the violation in connection with the
Department’s responsibility for seeking
voluntary compliance with FERPA
before initiating any enforcement action
under § 99.67.
With regard to the comment that the
standard in paragraph (g) will impair
due process in student discipline cases,
it is unclear what the commenter means
by releasing redacted witness statements
under its current practice. Education
records are defined in FERPA as records
that are directly related to a student and
maintained by an educational agency or
institution, or by a party acting for the
agency or institution. 20 U.S.C.
1232g(a)(4)(A); 34 CFR 99.3. Under this
definition, a parent (or eligible student)
has a right to inspect and review any
witness statement that is directly related
to the student, even if that statement
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
contains information that is also directly
related to another student, if the
information cannot be segregated and
redacted without destroying its
meaning.
For example, parents of both John and
Michael would have a right to inspect
and review the following information in
a witness statement maintained by their
school district because it is directly
related to both students: ‘‘John grabbed
Michael’s backpack and hit him over the
head with it.’’ Further, in this example,
before allowing Michael’s parents to
inspect and review the statement, the
district must also redact any
information about John (or any other
student) that is not directly related to
Michael, such as: ‘‘John also punched
Steven in the stomach and took his
gloves.’’ Since Michael’s parents likely
know from their son about other
students involved in the altercation,
under paragraph (g) the district could
not release any part of this sentence to
Michael’s parents. We note also that the
sanction imposed on a student for
misconduct is not generally considered
directly related to another student, even
the student who was injured or
victimized by the disciplined student’s
conduct, except if a perpetrator has been
ordered to stay away from a victim.
In order to provide maximum
flexibility to educational agencies and
institutions, we did not attempt to
define or list all other ‘‘indirect
identifiers’’. We believe that the
examples listed in paragraph (3) of the
definition of personally identifiable
information—date of birth, place of
birth, and mother’s maiden name—
indicate clearly the kind of information
that could identify a student. Race and
ethnicity, for example, could also be
indirect identifiers. It is not possible,
however, to list all the possible indirect
identifiers and ways in which
information might indirectly identify a
student. Further, unlike the HIPAA
Privacy Rule, these regulations do not
attempt to provide a ‘‘safe harbor’’ by
listing all the information that may be
removed in order to satisfy the deidentification requirements in
§ 99.31(b). We have also added a
definition of biometric record that is
based on National Security Presidential
Directive 59 and Homeland Security
Presidential Directive 24.
Changes: We added a definition of
biometric record, which provides that
the term means a record of one or more
measurable biological or behavioral
characteristics that can be used for
automated recognition of an individual.
Examples include fingerprints, retina
and iris patterns, voiceprints, DNA
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
sequence, facial characteristics, and
handwriting.
We also have revised paragraph (f) in
the definition of personally identifiable
information to change the reference
‘‘school or its community’’ to ‘‘school
community.’’ In paragraph (g) of the
definition of personally identifiable
information, we removed the
requirement that the requester have
‘‘direct, personal knowledge.’’ As
revised, paragraph (g) provides that
personally identifiable information
means information requested by a
person who the educational agency or
institution reasonably believes knows
the identity of the student to whom the
record relates.
(b) De-Identified Records and
Information
Comment: We received a number of
comments on § 99.31(b)(1), which
would allow an educational agency or
institution, or a party that has received
personally identifiable information from
education records, to release the records
or information without parental consent
after the removal of all personally
identifiable information, provided that
the educational agency or institution or
other party has made a reasonable
determination that a student’s identity
is not personally identifiable because of
unique patterns of information about the
student, whether through single or
multiple releases, and taking into
account other reasonably available
information. In order to permit ongoing
educational research with the same
data, § 99.31(b)(2) allows an educational
agency or institution or other party that
releases de-identified, non-aggregated
data (also known as ‘‘microdata’’) from
education records to attach a code to
each record, which may allow the
recipient to match information received
from the same source, under three
conditions—(1) the educational agency
or institution does not disclose any
information about how it generates and
assigns a record code, or that would
allow a recipient to identify a student
based on a record code; (2) the record
code is used for no purpose other than
identifying a de-identified record for
purposes of education research and
cannot be used to ascertain personally
identifiable information about a student;
and (3) the record code is not based on
a student’s social security number or
other personal information.
Several commenters supported these
proposed regulations and said that they
will help facilitate valuable educational
research. One of these commenters said
that the provisions for de-identification
of education records create clear
standards that will allow researchers to
PO 00000
Frm 00029
Fmt 4701
Sfmt 4700
74833
conduct necessary research without
compromising student privacy. One
commenter appreciated being able to
attach a code or linking key to records
to facilitate matching students across
data sets while preserving student
confidentiality.
One commenter stated that deidentified data do not support
appropriate analytical research that will
lead to improved educational outcomes.
Further, according to this commenter,
complete de-identification of
systematic, longitudinal data on every
student may not be possible.
Two commenters expressed concern
that agencies and institutions redact too
much information from education
records and said that the Department
should err on the side of disclosure of
disaggregated data so that journalists
and researchers can obtain accurate
information about how students in
every accountability subgroup are
performing. These commenters said that
the regulations should take into account
the real track record of journalists and
researchers in maintaining the
confidentiality of information from
education records.
One commenter said that many
institutions and individuals have the
ability to re-identify seemingly deidentified data and that it is generally
much easier to do than most people
realize because 87 percent of Americans
can be identified uniquely from their
date of birth, five-digit zip code, and
gender. This commenter said that the
regulations need to take into account
that re-identification is a much greater
risk for student data than other kinds of
information because FERPA allows for
the regular publication of student
directories that contain a wealth of
personal information, including address
and date of birth, that can be used with
existing tools and emerging technology
to re-identify statistical data, even by
non-experts.
Another commenter said that because
the de-identification process is so
resource-intensive, the regulations
should allow the research entity to deidentify education records as a
contractor under § 99.31(a)(1) of the
regulations.
We explained in the preamble to the
NPRM (73 FR 15585) that educational
agencies and institutions should
monitor releases of coded, de-identified
microdata from education records to
ensure that overlapping or successive
releases do not result in data sets in
which a student’s personally
identifiable information is disclosed.
One commenter said that this
monitoring requirement was too
burdensome given the vast number of
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74834
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
data requests it receives and asked us to
limit the monitoring requirement to
single or multiple releases it makes to
the same party. An SEA asked
specifically for clarification in the
regulations regarding what steps, if any,
it must take to ensure that multiple
releases of de-identified data to the
same requester over time that the
requester intends to use for a
longitudinal study do not result in small
data cells that may reveal the identity of
the student. A school district said that
the regulations should require the
destruction of de-identified information
from education records by the receiving
party to avoid the problem of combining
successive data releases to identify
students.
Some commenters said that the
regulations should provide objective
standards for the de-identification of
education records. One commenter
asked the Department to prescribe a
method for States to adopt to ensure that
student confidentiality is protected.
Two commenters asked specifically for
guidance on what minimum cell size
should be allowed when releasing
statistical information. Several
commenters said that SEAs and school
districts need specific guidance
regarding the release of student
achievement data under the NCLB,
including, in particular, reporting 100
percent achievement of certain
performance levels on State
assessments. One commenter who
opposed restrictions on the release of
de-identified data referred to instances
in which some States have created
minimum cell sizes of 100 for reporting
disaggregated data under NCLB, which
prevents the release of a great deal of
important information. Another
commenter said that our discussion of
small cell sizes in the preamble to the
NPRM, 73 FR 15584, reflected a
misunderstanding of the problem.
One commenter said that § 99.31(b) is
confusing because it is not clear how
paragraph (b)(2), which is limited to
educational research, relates to
paragraph (b)(1), which is not so
limited. This commenter also said that
the regulations impose an unnecessary
burden on the entity receiving a request
for information and that the
requirements of paragraph (f) in the
definition of personally identifiable
information are sufficient to de-identify
education records. Another commenter
said that the language in § 99.31(b)(1)
that requires consideration of unique
patterns of information about a student
is confusing and creates ambiguity
because the definition of personally
identifiable information itself
incorporates standards for de-
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
identification that appear to differ from
the standard in § 99.31(b).
Discussion: As explained in the
preamble to the NPRM, 73 FR 15584–
15585, we believe that the regulatory
standard for de-identifying information
from education records establishes an
appropriate balance that facilitates the
release of appropriate information for
school accountability and educational
research purposes while preserving the
statutory privacy protections in FERPA.
Unlike the HIPAA Privacy Rule, these
regulations do not attempt to provide a
‘‘safe harbor’’ by listing all the direct
and indirect identifiers that may be
removed to satisfy the de-identification
requirements in § 99.31(b). Rather, they
are intended to provide standards under
which information from education
records may be released without
consent because all personally
identifiable information has been
removed.
The Department recognizes that deidentified data may not be appropriate
for all educational research purposes
and that complete de-identification of
longitudinal student data may not be
possible without sacrificing essential
content and usability. In these
situations, and as discussed elsewhere
in this preamble, FERPA allows the
disclosure and redisclosure of
personally identifiable information from
education records, without consent, to
researchers under the terms and
conditions specified in §§ 99.31(a)(1),
99.31(a)(3), and 99.31(6). We note that a
researcher who receives personally
identifiable information under these
provisions would, however, have to deidentify any report or other information
in accordance with § 99.31(b) before
releasing it to the public or other
parties, including other researchers.
In response to comments that
educational agencies and institutions
may remove too much information from
education records, we note that while
we have attempted to provide a
balanced standard for the release of deidentified data for school accountability
and other purposes, FERPA is a privacy
statute, and no party has a right under
FERPA to obtain information from
education records except parents and
eligible students. Further, there is no
statutory authority in FERPA to modify
the prohibition on disclosure of
personally identifiable information from
education records, or the exceptions to
the written consent requirement, based
on the track record of the party,
including journalists and researchers, in
maintaining the confidentiality of
information from education records that
they have received.
PO 00000
Frm 00030
Fmt 4701
Sfmt 4700
In response to the comment about
allowing a researcher to de-identify
education records, educational agencies
and institutions may outsource the deidentification process to any outside
service provider serving as a school
official in accordance with the
requirements in § 99.31(a)(1)(i)(B).
(Those requirements are discussed in
detail in the preamble to the NPRM at
73 FR 15578–15580 and elsewhere in
these final regulations.) State and local
educational authorities and Federal
officials and agencies listed in
§ 99.31(a)(3) may outsource the deidentification process to their
authorized representatives under the
conditions specified in § 99.35.
We agree that the risk of reidentification may be greater for student
data than other information because of
the regular publication of student
directories, commercial databases, and
de-identified but detailed educational
reports by States and researchers that
can be manipulated with increasing ease
by computer technology. As noted in
the preamble to the NPRM, 73 FR
15584, the re-identification risk of any
given release is cumulative, i.e., directly
related to what has previously been
released, and this includes both
publicly-available directory
information, which is personally
identifiable, and de-identified data
releases. For that reason, we advised in
the NPRM that parties should minimize
information released in directories to
the extent possible because, since the
enactment of FERPA in 1974, the risk of
re-identification from such information
has grown as a result of new
technologies and methods.
In response to comments about the
need to monitor releases of coded, deidentified microdata to avoid reidentification of the data, because the
risk of re-identification is cumulative,
when making a new disclosure of coded
data an educational agency or
institution or other party must take into
account all releases of information from
education records it has made, not just
releases it has made to the recipient of
new data. We note that some of the
publicly available directory information
and de-identified data releases that need
to be taken into account have been
produced by the same agency or
institution, State or local educational
authority, or Federal official that wishes
to release newly de-identified
information. In general, FERPA poses no
restrictions on the recipient’s use of
directory information and de-identified
data from education records. Therefore,
it may be unclear whether previous data
releases are available generally, have
been shared with a limited number of
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
parties, or not shared at all. Further,
unlike personally identifiable
information that is disclosed under
§§ 99.31(a)(3) and (a)(6), de-identified
information from education records
does not have to be destroyed when no
longer needed for the purposes for
which it was released. We note,
however, that a releasing party would
reduce its monitoring responsibilities if
it requires destruction or prohibits
redisclosure of coded, de-identified
microdata, because coded, de-identified
microdata has a higher risk of reidentification than de-identified
microdata. In the future the Department
will provide further information on how
to monitor and limit disclosure of
personally identifiable information in
successive statistical data releases.
In response to requests for guidance
on what specific steps and methods
should be used to de-identify
information (and as noted in the
preamble to the NPRM, 73 FR 15584), it
is not possible to prescribe or identify
a single method to minimize the risk of
disclosing personally identifiable
information in redacted records or
statistical information that will apply in
every circumstance, including
determining whether defining a
minimum cell size is an appropriate
means to protect the confidentiality of
aggregated data and, if so, selection of
an appropriate number. This is because
determining whether a particular set of
methods for de-identifying data and
limiting disclosure risk is adequate
cannot be made without examining the
underlying data sets, other data that
have been released, publicly available
directories, and other data that are
linked or linkable to the information in
question. For these reasons, we are
unable to provide examples of rules and
policies that necessarily meet the deidentification requirements in
§ 99.31(b). The releasing party is
responsible for conducting its own
analysis and identifying the best
methods to protect the confidentiality of
information from education records it
chooses to release. We recommend that
State educational authorities,
educational agencies and institutions,
and other parties refer to the examples
and methods described in the NPRM at
page 15584 and refer to the Federal
Committee on Statistical Methodology’s
Statistical Policy Working Paper 22,
www.fcsm.gov/working-papers/
wp22.html, for additional guidance.
With regard to issues with NCLB
reporting in particular, determining the
minimum cell size to ensure statistical
reliability of information is a completely
different analysis than that used to
determine the appropriate minimum
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
cell size to ensure confidentiality.
Further, as noted in the preceding
paragraph and in the preamble to the
NPRM, use of minimum cell sizes or
data suppression is only one of several
ways in which information from
education records may be de-identified
before release. Statistical Policy
Working Paper 22 describes other
disclosure limitation methods, such as
‘‘top coding’’ and ‘‘data swapping,’’
which may be more suitable than simple
data suppression for releasing the
maximum amount of information to the
public without breaching confidentiality
requirements. Decisions regarding
whether to use data suppression or
some other method or combination of
methods to avoid disclosing personally
identifiable information in statistical
information must be made on a case-bycase basis.
We agree with the commenter who
said that the example we provided in
the preamble to the NPRM regarding the
small cell problem in reporting that two
Hispanic females failed to graduate was
misleading and offer the following,
more complete explanation. Simply
knowing that one out of 100 Hispanic
females failed to graduate does not
identify which of the Hispanic females
it might be. But suppose this female is
an English language learner who is also
enrolled in special education classes.
The school also publishes tables on
participation in special education
classes by race, ethnicity, and grade,
and tables that include the graduation
status of Hispanic females disaggregated
in one table by English language
proficiency status, and by participation
in special education classes in another.
Suppose that these three tabulations
each show separately that there is one
12th grade Hispanic female enrolled in
special education classes, that the one
Hispanic female who did not graduate
was enrolled in special education
classes, and that the one Hispanic
female who did not graduate was an
English language learner. With this
information, the discerning observer
knows that the one Hispanic female
who failed to graduate is an English
language learner and that she was the
only 12th grade Hispanic student
enrolled in special education classes.
Any number of people in the school
would be able to identify the Hispanic
female who did not graduate with these
three pieces of information.
Expanding the example to two
individuals, the logic is similar, except
in this case each of the Hispanic females
knows her own characteristics and can
find herself in each of the available
tables, and thus by a process of
elimination identifies the characteristics
PO 00000
Frm 00031
Fmt 4701
Sfmt 4700
74835
of the other non-graduate, perhaps
learning something she did not already
know about the other student. The
published tables show that there are two
12th grade Hispanic females enrolled in
special education classes, one with a
learning disability and one with mental
retardation. The tables also show that
the two Hispanic females who did not
graduate were enrolled in special
education classes, and that the two
Hispanic females who did not graduate
were both English language learners.
Others in the school community may be
able to identify the two 12th grade
Hispanic females who are English
language learners enrolled in special
education classes, but not necessarily be
able to distinguish the student with the
learning disability from the student with
mental retardation. However, each girl
knows her own disability and by the
process of elimination now knows the
other girl’s disability. Similarly, anyone
with knowledge of one of the two
Hispanic females who did not graduate
can find that girl in the tables, and then
isolate the characteristics that belong to
the other Hispanic female.
This example can be expanded to an
example with three Hispanic females
who fail to graduate. All three of the
Hispanic females who did not graduate
are English language learners, and two
Hispanic females who did not graduate
are enrolled in special education
classes—one with a learning disability
and the other with mental retardation.
In this case, the one Hispanic female
who is an English language learner and
did not graduate now knows that the
other two Hispanic females in her
English language learner classes and
also did not graduate are in the special
education program, but she does not
know which condition each girl has. By
the same logic, each of the two females
who did not graduate and are in special
education classes knows her own
disability and as a result knows the
disability of the other Hispanic female
who was an English language learner
enrolled in special education classes
who did not graduate. These are some
examples of situations in which small
cell data reveals personally identifiable
information from education records.
The Secretary has no statutory
authority to modify the regulations to
allow LEAs and SEAs to report that 100
percent of students achieved specified
performance levels. In that regard we
note that the Department’s NonRegulatory Guidance for NCLB Report
Cards (2003) provides:
[S]chools must also ensure that the data
they report do not reveal personally
identifiable information about individual
students * * *. States must adopt a strategy
E:\FR\FM\09DER2.SGM
09DER2
74836
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
for dealing with a situation in which all
students in a particular subgroup scored at
the same achievement level. One solution,
referred to as ‘‘masking’’ the data, is to use
the notation of >95% when all students in a
subgroup score at the same achievement
level.
See www.ed.gov/programs/titleiparta/
reportcardsguidance.doc on page 3.
Likewise, LEAs and SEAs must adopt a
strategy for ensuring that they do not
disclose personally identifiable
information about low-performing
students when they release information
about their high-performing students.
In response to the comments that
paragraphs (1) and (2) in § 99.31(b) are
confusing, paragraph (1) establishes a
standard for de-identifying education
records that applies to disclosures made
to any party for any purpose, including,
for example, parents and other members
of the general public who are interested
in school accountability issues, as well
as education policy makers and
researchers. The release of de-identified
information from education records
under § 99.31(b)(1) is not limited to
education research purposes because, by
definition, the information does not
contain any personally identifiable
information.
Paragraph (2) of § 99.31(b) applies
only to parties conducting education
research; it allows an educational
agency or institution, or a party that has
received education records, such as a
State educational authority, to attach a
code to each record that may allow the
researcher to match microdata received
from the same educational source under
the conditions specified. The purpose of
paragraph (2) is to facilitate education
research by authorizing the release of
coded microdata. The requirements in
paragraph (2) that apply to a record code
preclude matching de-identified data
from education records with data from
another source. Therefore, by its terms,
the release of coded microdata under
paragraph (2) is limited to education
research.
We agree with the commenter who
stated that the reference in § 99.31(b)(1)
to ‘‘unique patterns of information about
a student’’ is confusing in relation to the
definition of personally identifiable
information and believe that it
essentially restated the requirements in
paragraph (f) of the definition.
Therefore, we have removed this phrase
from the regulations. We disagree that
the definition of personally identifiable
information and the requirements in
§ 99.31(b) impose an unnecessary
burden on the entity receiving a request
for de-identified information from
education records and that the
requirements in paragraph (f) in the
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
definition are sufficient. As explained
above, paragraph (f) does not address
the problem of targeted requests. It also
does not address the re-identification
risk associated with multiple data
releases and other reasonably available
information, or allow for the coding of
de-identified micro data for educational
research purposes. Section 99.31(b)
provides the additional standards
needed to help ensure that educational
agencies and institutions and other
parties do not identify students when
they release redacted records or
statistical data from education records.
Changes: We have removed the
reference to ‘‘unique patterns of
information’’ in § 99.31(b).
Notification of Subpoena (§ 99.33(b)(2))
Comment: We received a few
comments on our proposal in
§ 99.33(b)(2) to require a party that has
received personally identifiable
information from education records
from an educational agency or
institution to provide the notice to
parents and eligible students under
§ 99.31(a)(9) before it discloses that
information on behalf of an educational
agency or institution in compliance
with a judicial order or lawfully issued
subpoena. One national education
association supported the proposed
amendment.
One commenter asked the Department
to clarify the intent of the proposed
language. This commenter said that,
when an educational agency or
institution requests that a third party
make the disclosure to comply with a
lawfully issued subpoena or court order,
it is reasonable to expect the
educational agency or institution to
send the required notice to the
student(s). The commenter also said that
it was not clear from the proposed
change whether it is sufficient for the
educational agency or institution to
send the notice or whether it must come
from the third party.
Discussion: The Secretary agrees that
there needs to be clarification about
which party is responsible for notifying
parents and eligible students before an
SEA or other third party outside of the
educational agency or institution
discloses education records to comply
with a lawfully issued subpoena or
court order. We have revised the
regulation to provide that the burden to
notify a parent or eligible student rests
with the recipient of the subpoena or
court order. While a third party, such as
an SEA, that is the recipient of a
subpoena or court order is responsible
for notifying the parents and eligible
students before complying with the
order or subpoena, the educational
PO 00000
Frm 00032
Fmt 4701
Sfmt 4700
agency or institution could assist the
third party in the notification
requirement, by providing it with
contact information so that it could
provide the notice.
In order to ensure that this new
requirement is enforceable, we have also
revised § 99.33(e) so that if the
Department determines that a third
party, such as an SEA, did not provide
the notification required under
§ 99.31(a)(9)(ii), the educational agency
or institution may not allow that third
party access to education records for at
least five years.
Changes: We have amended
§ 99.33(b)(2) to clarify that the third
party that receives the subpoena or
court order is responsible for meeting
the notification requirements under
§ 99.31(a)(9). We also have revised
§ 99.33(e) to provide that if the
Department determines that a third
party, such as an SEA, did not provide
the notification required under
§ 99.31(a)(9)(ii), the educational agency
or institution may not allow that third
party access to education records for at
least five years.
Health or Safety Emergency (§ 99.36)
Comment: We received many
comments in support of our proposal to
amend § 99.36 regarding disclosures of
personally identifiable information
without consent in a health or safety
emergency. Most of the parties that
commented stated that the proposed
changes demonstrated the right balance
between student privacy and campus
safety. A number of commenters
specifically supported the clarification
regarding the disclosure of information
from an eligible student’s education
records to that student’s parents when a
health or safety emergency occurs. One
commenter said that the proposed
amendment would provide appropriate
protection for sensitive and otherwise
protected information while clarifying
that educational agencies and
institutions may notify parents and
other appropriate individuals in an
emergency so that they may intervene to
help protect the health and safety of
those involved.
Discussion: We appreciate the
commenters’ support for the
amendments to the ‘‘health or safety
emergency’’ exception in § 99.36(b).
Educational agencies and institutions
are permitted to disclose personally
identifiable information from students’
education records, without consent,
under § 99.31(a)(10) in connection with
a health or safety emergency.
Disclosures under § 99.31(a)(10) must
meet the conditions described in
§ 99.36. We address specific comments
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
about the proposed amendments to this
exception in the following paragraphs.
Changes: None.
jlentini on PROD1PC65 with RULES2
(a) Disclosure in Non-Emergency
Situations
Comment: Some commenters
suggested that we interpret § 99.36 to
permit the sharing of information on
reportable diseases to health officials in
non-emergency situations. These
commenters stated that the disclosure of
routine immunization data should be
subject to State, local, and regional
public health laws and regulations and
not FERPA. One of these commenters
noted that the HIPAA Privacy Rule
allows covered entities to disclose
personally identifiable health data,
without consent, to public health
authorities.
Discussion: There is no authority in
FERPA to exclude students’
immunization records from the
definition of education records in
FERPA. Further, the HIPAA Privacy
Rule specifically excludes from
coverage health care information that is
maintained as an ‘‘education record’’
under FERPA. 45 CFR 160.103,
Protected health information. We
understand that the HIPAA Privacy Rule
allows covered entities to disclose
identifiable health data without written
consent to public health authorities.
However, there is no statutory exception
to the written consent requirement in
FERPA to permit this type of disclosure.
As explained in the preamble to the
NPRM (73 FR 15589), the amendment to
the health or safety emergency
exception in § 99.36 does not allow
disclosures on a routine, non-emergency
basis, such as the routine sharing of
student information with the local
police department. Likewise, this
exception does not cover routine, nonemergency disclosures of students’
immunization data to public health
authorities. Consequently, there is no
statutory basis for the Department to
revise the regulatory language as
requested by the commenters.
Changes: None.
(b) Strict Construction Standard
Comment: Several commenters
expressed concern that removing the
language from current § 99.36 requiring
strict construction of the ‘‘health and
safety emergency’’ exception and
substituting the language providing for
a ‘‘rational basis’’ standard would not
require schools to make an individual
assessment to determine if there is an
emergency that warrants a disclosure.
One commenter stated that removal of
the ‘‘strict construction’’ requirement
would severely weaken the
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
Department’s enforcement capabilities
and that schools may see this change as
an excuse to disclose sensitive student
information when there is not a real
emergency.
A commenter stated that the removal
of the ‘‘strict construction’’ requirement
would mean that the Department would
eliminate altogether its review of actions
taken by schools under the health and
safety emergency exception. Another
commenter stated that removing the
requirement that this exception be
strictly construed could erode the
privacy rights of individuals. The
commenter noted that because parents
and eligible students cannot bring suit
in court to enforce FERPA, schools face
virtually no liability if they violate
FERPA requirements.
A commenter asked that the
Department clarify what is meant by an
‘‘emergency’’ and how severe a concern
must be to qualify as an emergency.
Discussion: Section 99.36(c)
eliminates the previous requirement
that paragraphs (a) and (b) of this
section be ‘‘strictly construed’’ and
provides instead that, in making a
determination whether a disclosure may
be made under the ‘‘health or safety
emergency’’ exception, an educational
agency or institution may take into
account the totality of the circumstances
pertaining to a threat to the health or
safety of a student or other individuals.
The new provision states that if there is
an articulable and significant threat to
the health or safety of the student or
other individuals, an educational
agency or institution may disclose
information to appropriate parties.
As we indicated in the preamble to
the NPRM, we believe paragraph (c)
provides greater flexibility and
deference to school administrators so
they can bring appropriate resources to
bear on a circumstance that threatens
the health or safety of individuals. 73
FR 15574, 15589. In that regard,
paragraph (c) provides that the
Department will not substitute its
judgment for that of the agency or
institution if, based on the information
available at the time of the
determination there is a rational basis
for the agency’s or institution’s
determination that a health or safety
emergency exists and that the disclosure
was made to appropriate parties.
We do not agree that removal of the
‘‘strict construction’’ standard weakens
FERPA or erodes privacy protections.
Rather, the changes appropriately
balance the important interests of safety
and privacy by providing school
officials with the flexibility to act
quickly and decisively when
emergencies arise. Schools should not
PO 00000
Frm 00033
Fmt 4701
Sfmt 4700
74837
view FERPA’s ‘‘health or safety
emergency’’ exception as a blanket
exception for routine disclosures of
student information but as limited to
disclosures necessary to protect the
health or safety of a student or another
individual in connection with an
emergency.
After consideration of the comments,
we have determined that educational
agencies and institutions should be
required to record the ‘‘articulable and
significant threat to the health or safety
of a student or other individuals’’ so
that they can demonstrate (to parents,
students, and to the Department) what
circumstances led them to determine
that a health or safety emergency existed
and how they justified the disclosure.
Currently, educational agencies and
institutions are required under
§ 99.32(a) to record any disclosure of
personally identifiable information from
education records made under
§ 99.31(a)(10) and § 99.36. We are
revising the recordation requirements in
§ 99.32(a)(5) to require an agency or
institution to record the articulable and
significant threat that formed the basis
for the disclosure. The school must
maintain this record with the education
records of the student for as long as the
student’s education records are
maintained (§ 99.32(a)(2)).
We do not specify in the regulations
a time period in which an educational
agency or institution must record a
disclosure of personally identifiable
information from education records
under § 99.32(a). We interpret this to
mean that an agency or institution must
record a disclosure within a reasonable
period of time after the disclosure has
been made, and not just at the time, if
any, when a parent or student asks to
inspect the student’s record of
disclosures. We will treat the
requirement to record the significant
and articulable threat that forms the
basis for a disclosure under the health
or safety emergency exception no
differently than the recordation of other
disclosures. In determining whether a
period of time for recordation is
reasonable, we would examine the
relevant facts surrounding the
disclosure and anticipate that an agency
or institution would address the health
or safety emergency itself before turning
to recordation of any disclosures and
other administrative matters.
In response to concerns about the
Department’s enforcement of the
provisions of § 99.36, the ‘‘rational
basis’’ test does not eliminate the
Department’s responsibility for
oversight and accountability. Actions
that the Secretary may take in
addressing violations of this and other
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74838
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
FERPA provisions are addressed in the
analysis of comments under the section
in this preamble entitled Enforcement.
While parents and eligible students do
not have a right to sue for violations of
FERPA in a court of law, the statute
provides that the Secretary may not
make funds available to any agency or
institution that has a policy or practice
of violating parents’ and students’ rights
under the statute with regard to consent
to the disclosure of education records.
As such, parents and eligible students
may file a complaint with the Office if
they believe that a school has violated
their rights under FERPA and has
disclosed education records under
§ 99.36 inconsistent with these
regulations. In conducting an
investigation, the Office will require
that schools identify the underlying
facts that demonstrated that there was
an articulable and significant threat
precipitating the disclosure under
§ 99.36.
In response to the comment about
what would constitute an emergency,
FERPA permits disclosure ‘‘* * * in
connection with an emergency * * * to
protect the health or safety of the
student or other persons.’’ 20 U.S.C.
1232g(b)(1)(I). We note that the word
‘‘protect’’ generally means to keep from
harm, attack, or injury. As such, the
statutory text underscores that the
educational agency or institution must
be able to release information from
education records in sufficient time for
the institution to act to keep persons
from harm or injury. Moreover, to be ‘‘in
connection with an emergency’’ means
to be related to the threat of an actual,
impending, or imminent emergency,
such as a terrorist attack, a natural
disaster, a campus shooting, or the
outbreak of an epidemic such as e-coli.
An emergency could also be a situation
in which a student gives sufficient,
cumulative warning signs that lead an
educational agency or institution to
believe the student may harm himself or
others at any moment. It does not mean
the threat of a possible or eventual
emergency for which the likelihood of
occurrence is unknown, such as would
be addressed in emergency
preparedness activities.
Changes: We have amended the
recordkeeping requirements in
§ 99.32(a)(5) to require educational
agencies and institutions to record the
articulable and significant threat that
formed the basis for a disclosure under
the health or safety emergency
exception and the parties to whom the
information was disclosed.
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
(c) Articulable and Significant Threat
Comment: One commenter stated that
the word ‘‘articulable’’ in § 99.36(c) was
confusing in reference to a school’s
determination that there is an
‘‘articulable and significant threat to the
health or safety of a student or other
individuals.’’ This commenter stated
that school officials might interpret the
provision to mean that there must be a
verbal threat or that school officials
must write down the exact wording of
the threat.
Discussion: The requirement that
there must be an ‘‘articulable and
significant threat’’ does not mean that
the threat must be verbal. It simply
means that the institution must be able
to articulate what the threat is under
§ 99.36 when it makes and records the
disclosure.
In that regard, the words ‘‘articulable
and significant’’ are adjectives
modifying the key noun ‘‘threat.’’ As
such, the focus is on the threat, with the
question being whether the threat itself
is articulable and significant. The word
‘‘articulable’’ is defined to mean
‘‘capable of being articulated.’’ https://
www.merriam-webster.com/dictionary/
articulable. This portion of the standard
simply requires that a school official be
able to express in words what leads the
official to conclude that a student poses
a threat. The other half of the standard
is the word ‘‘significant,’’ which means
‘‘of a noticeably or measurably large
amount.’’ https://www.merriamwebster.com/dictionary/significant.
Taken together, the phrase ‘‘articulable
and significant threat’’ means that if a
school official can explain why, based
on all the information then available,
the official reasonably believes that a
student poses a significant threat, such
as a threat of substantial bodily harm, to
any person, including the student, the
school official may disclose education
records to any person whose knowledge
of information from those records will
assist in protecting a person from that
threat.
Changes: None.
(d) Parties That May Receive
Information Under § 99.36
Comment: A commenter
recommended that the Department
adopt a more subjective standard
regarding the persons to whom
education records may be disclosed
under § 99.36, suggesting that we
remove the requirement that the
disclosure must be to a person ‘‘whose
knowledge of the information is
necessary to protect the health or safety
of the student or other individuals.’’
Conversely, another commenter
PO 00000
Frm 00034
Fmt 4701
Sfmt 4700
expressed concern that the Department
was sending the wrong message to
educational agencies and institutions
with these changes to § 99.36. The
commenter stated that the health or
safety emergency exception must not be
perceived to permit schools to routinely
disclose education records to parents,
police, or others.
A commenter asked who at a school
may share personally identifiable
information in a health or safety
emergency, and specifically whether a
school secretary would be allowed to
tell parents that a student on campus
made a threat to others.
A commenter stated that school
districts, especially small or rural
districts, may not have the expertise on
staff to determine whether a situation
constitutes an ‘‘articulable and
significant threat.’’ The commenter said
that personally identifiable information
on students may need to be disclosed to
outside law enforcement and mental
health professionals so that they can
help schools determine whether a real
threat exists. The commenter
recommended that the Department
change the proposed regulations to
allow school districts to involve outside
experts in determining whether a health
or safety emergency exists. Noting that
the NPRM addressed the disclosure of
education records to an eligible
student’s parents, the organization also
asked for clarification regarding whether
the parents of a potential perpetrator
and the potential victim at the K–12
level could be told about a threat.
Several commenters stated that our
proposed amendments did not go far
enough and urged the Department to
expand § 99.36 to permit a school to
notify whomever the student has listed
as his or her emergency contact.
Another commenter requested that the
Secretary, through these regulations,
direct institutions to proactively notify
parents of students who are in acute
care situations, such as illness or
accidents, if any institutional official is
aware of the emergency.
Discussion: On its face, FERPA
permits disclosure to ‘‘appropriate
persons if the knowledge of such
information is necessary to protect the
health or safety of the student or other
persons.’’ 20 U.S.C. 1232g(b)(1)(I).
FERPA does not require that the person
receiving the information be responsible
for providing the protection. Rather, the
focus of the statutory provision is on the
information itself: The ‘‘health or safety
emergency’’ exception permits the
institution to disclose information from
education records in order to gather
information from any person who has
information that would be necessary to
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
provide the requisite protection. Thus,
for example, an educational institution
that reasonably believes that a student
poses a threat of bodily harm to any
person may disclose information from
education records to current or prior
peers of the student or mental health
professionals who can provide the
institution with appropriate information
to assist in protecting against the threat.
Moreover, the institution may disclose
records to persons such as law
enforcement officials that it determines
may be helpful in providing appropriate
protection from the threat. An
educational agency or institution may
also generally disclose information
under § 99.36 to a potential victim and
the parents of a potential victim as
‘‘other individuals’’ whose health or
safety may need to be protected.
Similarly, in order to obtain
information that would inform its
judgment on how to address the threat,
the student’s current institution may
disclose information from education
records to other schools or institutions
which the student previously attended.
In that regard, the same set of facts
underlying the current institution’s
determination that an emergency
existed would also permit former
schools and institutions attended by the
student to disclose personally
identifiable information from education
records to the student’s current
institution. That is, a former school
would not need to make a separate
determination regarding the existence of
an articulable and significant threat to
the health or safety of a student or
others, and could rely instead on the
determination made by the school
currently attended by the student in
making the disclosure.
In the discussion on page 15589 of the
NPRM, we noted that the ‘‘health or
safety emergency’’ exception does not
permit a local school district to
routinely share its student information
database with the local police
department. This example was meant to
clarify that FERPA’s health or safety
provisions would not permit a school to
disclose without consent education
records to the local police department
unless there was a health or safety
emergency and the disclosure of the
information was necessary to protect the
health or safety of students or other
individuals. This does not prevent
schools from having working
relationships with local police
authorities and to use local police
officers in maintaining the safety of
their campuses.
In response to the comment about
which school official should be
permitted to disclose information under
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
§ 99.36, an educational agency or
institution will need to make its own
determination about which school
officials may access a student’s
education records and disclose
information to parents or other parties
whose knowledge of the information is
necessary to protect the health or safety
of the student or other individuals.
Under § 99.31(a)(1), an educational
agency or institution may disclose
education records, without consent, to
school officials whom the agency or
institution has determined have
legitimate educational interests in the
information. It may be helpful for
schools to have a policy in place
concerning which school officials will
have access to and the responsibility for
disclosing information in emergency
situations.
We understand that some educational
agencies and institutions may need
assistance in determining whether a
health or safety emergency exists for
purposes of complying with these
regulations. The Department encourages
schools to implement a threat
assessment program, including the
establishment of a threat assessment
team that utilizes the expertise of
representatives from law enforcement
agencies in the community. Schools can
respond to student behavior that raises
concerns about a student’s mental
health and the safety of the student and
others that is chronic or escalating by
using a threat assessment team, and
then make other disclosures under the
health or safety emergency exception, as
appropriate, when an ‘‘articulable and
significant threat’’ exists. Information on
establishing a threat assessment
program and other helpful resources for
emergency situations can be found on
the Department’s Web site: https://
www.ed.gov/admins/lead/safety/
edpicks.jhtml?src=ln.
An educational agency or institution
may disclose education records to threat
assessment team members who are not
employees of the district or institution
if they qualify as ‘‘school officials’’ with
‘‘legitimate educational interests’’ under
§ 99.31(a)(1)(i)(B), which is discussed
elsewhere in this preamble. To receive
the education records under the ‘‘school
officials’’ exception, members of the
threat assessment team must be under
the direct control of the educational
agency or institution with respect to the
maintenance and use of personally
identifiable information from education
records. For example, a representative
from the city police who serves on a
school’s threat assessment team
generally could not redisclose to the city
police personally identifiable
information from a student’s education
PO 00000
Frm 00035
Fmt 4701
Sfmt 4700
74839
records to which he or she was privy as
part of the team. As noted above,
however, the institution may disclose
personally identifiable information from
education records when and if the threat
assessment team determines that a
health or safety emergency exists under
§§ 99.31(a)(10) and 99.36.
We believe that § 99.36 does not need
to be expanded to permit a school to
contact whomever an eligible student
has listed as his or her emergency
contact, nor is there authority to do so.
FERPA does not preclude institutions
from contacting other parties, including
parents, in addition to the emergency
contacts provided by the student, if the
school determines these other parties
are ‘‘appropriate parties’’ under this
exception. (An eligible student may
provide consent for the institution to
notify certain individuals in case of an
emergency, should an emergency
occur.)
The regulations would not prevent an
institution from having a policy of
seeking prospective consent from
eligible students for the disclosure of
personally identifiable information or
from having a policy for obtaining
consent for disclosure on a case-by-case
basis. However, FERPA does not require
that a postsecondary institution disclose
information to any party except to the
eligible student, even if the student has
consented to the disclosure. Thus, the
Secretary does not have the statutory
authority to require school officials to
disclose information from a student’s
education records in compliance with a
consent signed by the student or to
otherwise require the institution to
contact a family member.
Changes: None.
(e) Treatment Records
Comment: A commenter stated that
while the amendments to § 99.36
provide needed clarification about when
an educational agency or institution
may disclose students’ education
records to avert tragedies like the one at
Virginia Tech in April 2007, the NPRM
did not provide clarity on the issue of
information sharing between on-campus
and off-campus health care providers.
The commenter also noted that the
Virginia Tech Review Panel
recommended that Congress amend
FERPA to explain how Federal privacy
laws apply to medical records held for
treatment purposes and that the NPRM
did not provide that clarity.
Another commenter stated that if
information about a student related to a
health or safety emergency is part of the
treatment records maintained by a
university’s health clinic, the treatment
records should be treated like education
E:\FR\FM\09DER2.SGM
09DER2
74840
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
records so that they may be disclosed
under the health and safety emergency
exception. A commenter asked that the
Department clarify that college health
and mental health records are not
education records under FERPA and
must be treated like other health and
mental health records in other settings.
Discussion: While we have carefully
considered the comments concerning
‘‘treatment records,’’ the Secretary does
not believe that it is necessary to amend
the regulations to provide clarification
on the handling of health and medical
records. The Departments of Education
and Health and Human Services have
issued joint guidance that explains the
relationship between FERPA and the
HIPAA Privacy Rule. The guidance
addresses this issue for these records at
the elementary and secondary levels, as
well as at the postsecondary level. The
joint guidance, which is on the Web
sites of both agencies, addresses many
of the questions raised by school
administrators, health care
professionals, and others as to how
these two laws apply to records
maintained on students. It also
addresses certain disclosures that are
allowed without consent or
authorization under both laws,
especially those related to health and
safety emergency situations. The
guidance can be found here: https://
www.ed.gov/policy/gen/guid/fpco/
index.html.
As discussed elsewhere in this
preamble with respect to § 99.31(a)(2),
while ‘‘treatment records’’ are excluded
from the definition of education records
under FERPA, if an eligible student’s
treatment records are used for any
purpose other than the student’s
treatment, or if a school wishes to
disclose the treatment records for any
purpose other than the student’s
treatment, they may only be disclosed as
education records subject to FERPA
requirements. Therefore, an eligible
student’s treatment records may be
disclosed to any party, without consent,
as long as the disclosure meets one of
the exceptions to FERPA’s general
consent rule. See 34 CFR 99.31. One of
the permitted disclosures under this
section is the ‘‘health or safety
emergency’’ exception.
Changes: None.
Identification and Authentication of
Identity (§ 99.31(c))
Comment: Several commenters
supported our proposal to require
educational agencies and institutions to
use reasonable methods to identify and
authenticate the identity of parents,
students, school officials, and any other
parties to whom the agency or
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
institution discloses personally
identifiable information from education
records. One commenter supported the
provision but advocated requiring the
use of two-factor identification for
information that could be used to
commit identity theft and financial
fraud. (Two-factor identification
requires the use of two methods to
authenticate identity, such as
fingerprint identification in addition to
a PIN.)
One commenter said that the
identification and authentication
requirement will help protect students
affected by domestic violence who are
living in substitute care situations. The
commenter noted that many parents in
situations involving domestic violence
do not have photo identification (ID)
and would be unable to meet a
requirement to provide photo ID in
order to access their children’s
education records.
One commenter strongly supported
the proposed amendment and said it
will be valuable in aiding the privacy
and protection of homeless children.
Another commenter questioned whether
the identification and authentication
requirement is necessary for staff of
large school districts with centralized
offices.
One commenter did not support the
proposed regulation stating that it will
be an additional burden on school
districts. The commenter agreed with
our statement in the preamble to the
NPRM that the regulations should
permit districts to determine their own
methods of identification and
authentication. However, the
commenter stated that districts should
not be required to have a sliding scale
of control based on the level of potential
threat and harm and that it would not
be practical to give every person
requesting access to education records a
PIN or similar method of authentication.
For example, the commenter stated that
parents might be provided with a PIN,
but districts would not want to provide
a PIN to a reporter or other third party.
The commenter requested additional
examples of how districts may
authenticate requests received by phone
or e-mail. The commenter also stated
that districts are sometimes concerned
that government-issued photo IDs are
fraudulent. As a result, the group
requested that the Department adopt a
‘‘safe harbor’’ provision that requiring a
government-issued photo ID for inperson requests is reasonable.
One commenter expressed concern
that the proposed regulations were too
restrictive and could be too complex to
administer, and that this would cause
an institution to choose not to transfer
PO 00000
Frm 00036
Fmt 4701
Sfmt 4700
information even though it is permitted
to do so. This commenter asked whether
the Department will accept an
institution’s efforts at compliance as
sufficient without examining the
effectiveness of those efforts.
Discussion: The identification and
authentication methods discussed in the
NPRM (73 FR 15585) are intended as
examples and should not be considered
to be exhaustive. Because there are
many methods available to provide
secure authentication of identity, and as
more methods continue to be
developed, we do not think it
appropriate at this time to require the
use of two-factor authentication as
requested by the commenter. Two-factor
authentication can be expensive and
cumbersome, and we believe that each
educational agency or institution should
decide whether to use its resources to
implement a two-factor authentication
method or another reasonable method to
ensure that education records are
disclosed only to an authorized party.
The comment that a portion of the
population will be disadvantaged if only
photo ID is permitted to authenticate
identity confirms that we need to retain
flexibility in the regulations.
We do not agree that certain types of
staff should be excepted from the
identification and authentication
requirement. All staff members, whether
in a centralized office, or in separate
administrative offices throughout a
school system, must be cognizant of and
responsible for complying with
identification and authentication
requirements.
Due to the differences in size,
complexity, and access to technology,
we believe that educational agencies
and institutions should have the
flexibility to decide the methods for
identification and authentication of
identity best suited to their own
circumstances. The regulatory
requirement is that agencies and
institutions use ‘‘reasonable’’ methods
to identify and authenticate identity
when disclosing personally identifiable
information from education records.
‘‘Effectiveness’’ is certainly one
measure, but not necessarily a
dispositive measure, of whether the
methods used by an agency or
institution are ‘‘reasonable’’. As we
explained in the NPRM, an agency or
institution is not required to eliminate
all risk of unauthorized disclosure of
education records but to reduce that risk
to a level commensurate with the likely
threat and potential harm. 73 FR 15585.
Further in that regard, we note that a
‘‘sliding scale’’ of protection is not
mandated per se. However, it may not
be ‘‘reasonable’’ to use the same
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
methods to protect students’ SSNs or
credit card numbers from unauthorized
access and disclosure that are used to
protect students’ names and other
directory information. We believe that a
PIN process could be useful to provide
access to education records for parties,
such as parents, students, or school
officials, but that it would not generally
be useful for providing records to
outside parties, such as reporters or
parties seeking directory information.
While the use of government-issued
photo ID may be a reasonable method to
authenticate identity, depending on the
circumstances and the information
being released, we are unable to
conclude at this time that it is
sufficiently secure to constitute a safe
harbor for meeting this requirement.
Changes: None.
jlentini on PROD1PC65 with RULES2
Enforcement (§ 99.64)
(a) § 99.64(a)
Comment: One commenter supported
our proposal to amend § 99.64(a) to
provide that a complaint submitted to
FPCO does not have to allege that a
violation or failure to comply with
FERPA is based on a policy or practice
of the agency or institution. The
commenter stated that parents often are
not aware of legal and technical criteria,
and complaints filed by parents should
not be subject to technical rules
typically applied to filings made by
attorneys.
Another commenter did not support
the proposed amendment and asked
several questions concerning the effects
of the change. The commenter asked
whether this provision means that the
Office will investigate an allegation
concerning a single and perhaps
unintentional action not related to a
policy or practice of the institution. The
commenter also asked whether such an
investigation could result in a finding of
a violation if the finding is not based on
an institution’s policy or practice, and
what enforcement actions can be taken
in those circumstances. The commenter
suggested that we modify the
regulations to provide that, for
complaints not alleging a violation
based on an institution’s policy or
practice, the Office will undertake an
investigation only when it determines
that the allegations are of a sufficiently
serious nature to warrant an inquiry.
Discussion: The changes we proposed
in this section were intended to clarify
that it is sufficient for a complaint to
allege that an educational agency or
institution violated a requirement of
FERPA, and that a complaint does not
need to allege that the violation is a
result of a policy or practice of an
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
agency or institution in order for the
Office to investigate the complaint.
We explain in our discussion of the
proposed changes to § 99.67 that the
Secretary must find that an educational
agency or institution has a policy or
practice in violation of the nondisclosure requirements in FERPA
before seeking to withhold, terminate, or
recover program funds for that violation.
However, FPCO is not limited to
investigating complaints and finding
that an educational agency or institution
violated FERPA only if the allegations
and findings are based on a policy or
practice of an educational agency or
institution.
Moreover, we do not agree that only
conduct that involves a policy or
practice or that affects multiple students
is serious enough to warrant an
investigation of the allegations. An
educational agency or institution may
not even be aware of FERPA violations
committed by its own school officials
until the Office investigates an
allegation of misconduct. These kinds of
investigations often serve the very
important purpose of helping ensure
that single instances of misconduct do
not become policies or practices of an
agency or institution. Further, while an
agency or institution may not think that
a single, unintentional violation of
FERPA is significant, it is often
considered serious by the parent or
student affected by the violation.
Therefore, consistent with its current
practice, the Office may find that an
educational agency or institution
violated FERPA without also finding
that the violation was based on a policy
or practice. Note that under §§ 99.66(c)
and 99.67, the Office may not take any
enforcement action against an agency or
institution that has violated FERPA
until it provides the agency or
institution with a reasonable period of
time to come into compliance
voluntarily.
Changes: None.
(b) § 99.64(b)
Comment: A number of commenters
supported proposed § 99.64(b), which
provided that the Office may investigate
a possible FERPA violation even if it has
not received a timely complaint from a
parent or student or if a valid complaint
is subsequently withdrawn. Several of
these commenters stated that it is
appropriate and important to permit
persons who are not parents or eligible
students, but who have knowledge of
potential FERPA violations, to provide
this information to the Office for
consideration of a possible
investigation.
PO 00000
Frm 00037
Fmt 4701
Sfmt 4700
74841
Several commenters objected to the
proposed change. One commenter
expressed serious concern that the
regulations will greatly expand the
authority of the Office to investigate any
potential FERPA violation, even when
no complaint is filed or when a
complaint has been withdrawn. In
particular, the commenter stated that an
institution would not have an
opportunity to review and respond to
specific allegations when the
investigation does not concern a
particular complaint.
Another commenter asserted that the
Department has not demonstrated why
the proposed amendment is necessary.
The commenter said that unless there is
evidence of a widespread problem, the
proposed change will increase
university costs in responding to
investigations without a corresponding
benefit to the public.
Another commenter said that the
Office should not investigate allegations
that are not filed by a parent or eligible
student because an institution must
know the name of the filing party and
the specific circumstances of the
allegation in order to properly defend its
actions. The commenter said that it
should not be unnecessarily burdened
by an investigation by the Office when
it has already dealt with the situation to
the satisfaction of the affected student,
and that any student who is not satisfied
with the institution’s efforts retains the
ability to file a complaint. The
commenter also noted that a complaint
filed by an affected student has more
credibility than allegations made by
other parties. The commenter was
concerned that accepting information
from other parties could result in filings
from persons with grievances unrelated
to FERPA, such as a disgruntled
employee, or an applicant rejected for
admission, or a parent or eligible
student who missed a filing deadline of
some kind.
One commenter said that the
proposed change would result in an
ineffective use of the limited resources
of the Office because it would be
investigating allegations that may not
have a sufficient basis.
Discussion: We proposed the changes
to § 99.64(b) to clarify that the Office
may initiate its own investigation that
an educational agency or institution has
violated FERPA. (The amendment also
clarifies that if the Office determines
that an agency or institution violated
FERPA, it may also determine whether
the violation was based on a policy or
practice of the agency or institution.)
Our experience has shown that
sometimes FERPA violations are
brought to the attention of the Office by
E:\FR\FM\09DER2.SGM
09DER2
74842
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
school officials, officials in other
schools, or by the media. It is important
that the Office have authority to
investigate allegations of noncompliance in these situations.
Consistent with its current practice, a
notice of investigation issued by the
Office will provide sufficient and
specific factual information to permit
the agency or institution to adequately
investigate and respond to the
allegations, whether or not the
investigation is based on a complaint by
a parent or eligible student.
We do not agree that allowing the
Office to initiate its own investigations
of possible FERPA violations will lead
to abuses of the process by persons
seeking to redress other grievances with
an institution. The Office will continue
to be responsible for evaluating the
validity of the information and
allegations that come to its attention by
means other than a valid complaint and
determining whether to initiate an
investigation. We do not anticipate that
the Office will initiate an investigation
of every allegation or information it
receives. We believe, however, that it is
important that the Office be able to
investigate any violation of FERPA for
which it receives notice. As stated in the
NPRM, 73 FR 15591, the Department is
not seeking to expand the scope of
FERPA investigations beyond the
current practices of the Office.
Changes: None.
(c) § 99.66
Comment: We received one comment
on the proposed change to § 99.66(c),
which allows but does not require FPCO
to make a finding that an educational
agency or institution has a policy or
practice in violation of a FERPA
requirement when the Office issues a
notice of findings in § 99.66(b). The
commenter stated that its review of
FERPA and the Supreme Court decision
in Gonzaga University v. Doe, 536 U.S.
273 (2002) (Gonzaga), indicates that the
Office may not issue a finding of a
violation of FERPA and require
corrective action or take any
enforcement action without also finding
that the violation constituted a policy or
practice of the agency or institution.
Discussion: We explain in the
discussion of the changes to § 99.67 that
there are circumstances in which the
Office would be required to find that an
educational agency or institution has a
policy or practice in violation of a
FERPA requirement before taking
certain enforcement actions, such as an
action to terminate funding for a
violation of the non-disclosure
requirements, 20 U.S.C. 1232g(b)(1) and
(b)(2) and 34 CFR 99.30. However, the
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
Office is not required to find a policy or
practice in violation of FERPA before
issuing a notice of findings or taking
other kinds of enforcement actions.
Changes: None.
(d) § 99.67
Comment: One commenter supported
the clarification in proposed § 99.67 that
the Office may not seek to withhold
payments, terminate eligibility for
funding, or take certain other
enforcement actions unless it
determines that the educational agency
or institution has a policy or practice
that violates FERPA. Another
commenter expressed general support
for the proposed change, including the
clarification that the Secretary may take
any legally available enforcement
action, in addition to those specifically
listed in the current regulations. The
commenter expressed concern,
however, that the penalties are not
severe enough to effectively discourage
unintentional or willful violations by
third parties, particularly in areas of
research and data sharing with outside
parties.
Another commenter expressed
concern that the proposed amendment
would unnecessarily broaden the
enforcement options available to the
Secretary. The commenter stated that
educational agencies and institutions
will not be able to assess the risks and
consequences associated with their
actions without a limitation on the
range of enforcement actions available
to the Department when a violation of
FERPA is found.
One commenter asked the Department
to clarify that all methods of enforcing
FERPA that are contained in the current
regulations will be retained in the final
regulations. The commenter said that
the proposed regulations in the NPRM
(73 FR 15602) appear to remove the
Secretary’s ability to terminate funding.
Discussion: We explained in the
preamble to the NPRM (73 FR 15592)
that there were two reasons for the
proposed changes to § 99.67(a). One was
the need to clarify that the Secretary
may take any enforcement action that is
legally available and is not limited to
those specified under the current
regulations, i.e., withholding further
payments under any applicable
program; issuing a complaint to compel
compliance through a cease-and-desist
order; or terminating eligibility to
receive funding under any applicable
program. Other actions the Secretary
may take to enforce FERPA include
entering into a compliance agreement
under 20 U.S.C. 1234f and seeking an
injunction.
PO 00000
Frm 00038
Fmt 4701
Sfmt 4700
This change to § 99.67(a) does not
broaden the Secretary’s enforcement
options, as suggested by one
commenter. The General Education
Provisions Act (GEPA) provides the
Secretary with the authority to take
certain enforcement actions to address
violations of statutory and regulatory
requirements, including general
authority to ‘‘take any other action
authorized by law with respect to the
recipient.’’ 20 U.S.C. 1234c(a)(4). The
change to § 99.67(a) simply includes, for
purposes of clarity, the Secretary’s
existing authority under GEPA to take
any legally available action to enforce
FERPA requirements. (We note that
before taking enforcement action the
Office must determine that the
educational agency or institution is
failing to comply substantially with a
FERPA requirement and provide it with
a reasonable period of time to comply
voluntarily. See 20 U.S.C. 1234c(a); 20
U.S.C. 1232g(f); and 34 CFR 99.66(c).)
We also proposed to amend § 99.67(a)
to clarify that the Office may issue a
notice of violation for failure to comply
with specific FERPA requirements and
require corrective actions but may not
seek to terminate eligibility for funding,
withhold payments, or take other
enforcement actions unless the Office
determined that an agency or institution
has a policy or practice in violation of
FERPA requirements (73 FR 15592).
Upon further review, we have decided
not to adopt this particular change
because we believe it limits the
Secretary’s enforcement authority in a
manner that is not legally required.
In support of its holding in Gonzaga
that FERPA’s non-disclosure provisions
do not create rights that are enforceable
under 42 U.S.C. 1983, the Court
observed that FERPA provides that no
funds shall be made available to an
educational agency or institution that
has a policy or practice of disclosing
education records in violation of FERPA
requirements. 536 U.S. at 288; see also
20 U.S.C. 1232g(b)(1) and (b)(2); 34 CFR
99.30. As such, the statute and Gonzaga
decision suggest that with respect to
violations of FERPA’s non-disclosure
requirements, the Secretary must find
that an educational agency or institution
has a policy or practice in violation of
FERPA requirements before taking
actions to terminate, withhold, or
recover funds for those violations.
However, there is no requirement under
the statute (or the Gonzaga decision) for
the Secretary to find a policy or practice
in violation of FERPA requirements on
the part of an educational agency or
institution before taking other kinds of
enforcement actions for violations of the
non-disclosure requirements, such as
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
seeking an injunction or a cease-anddesist order. We note also that the
Gonzaga opinion does not address
violations of other FERPA requirements,
such as parents’ right to inspect and
review their children’s education
records and the requirement that
educational agencies and institutions
afford parents an opportunity for a
hearing to challenge the content of a
student’s education records under
certain circumstances, which do not
contain the same ‘‘policy or practice’’
language as the non-disclosure
requirements. Because we did not
address enforcement of these other
FERPA requirements in the NPRM, we
have decided not to address in the final
regulations limitations or pre-conditions
that apply solely to actions to terminate,
withhold, or recover program funds for
violations of the non-disclosure
requirements.
In response to the comment that the
available penalties are not severe
enough to discourage FERPA violations,
we note that the Secretary has authority
to terminate, withhold, and recover
program funds and take other
enforcement actions in accordance with
part E of GEPA. The Secretary may not
increase penalties beyond those
authorized under FERPA and GEPA.
Further, the regulations do not remove
the Secretary’s authority to terminate
eligibility for program funding or any
other enforcement authority. The
changes noted by the commenter who
was concerned that the proposed
regulations removed the Secretary’s
authority to terminate funding were
corrections to punctuation and
formatting only, not substantive
changes.
Changes: We have removed the
language in § 99.67(a) that requires the
Office to determine that an educational
agency or institution has a policy or
practice in violation of FERPA
requirements before taking any
enforcement action.
Department Recommendations for
Safeguarding Education Records
Comment: We received a few
comments on the recommendations for
safeguarding education records
included in the NPRM. One commenter
expressed concern that schools and
school districts should exercise
enhanced security for the records of
children receiving special education
services. According to the commenter,
these children often have a large
number of records and may receive
services from a variety of providers,
which can add to the challenge of
ensuring that appropriate privacy
controls are used.
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
One commenter supported the
safeguarding recommendations and
suggested that we revise the
recommendations to list non-Federal
government sources providing guidance
on methods for safeguarding education
records. Another commenter supported
the recommendations, but suggested
that the regulations should require that
a parent or eligible student receive
notification of an unauthorized release
or theft of information.
Discussion: The comments on the
records of students who receive special
education services illustrate the
necessity for educational agencies and
institutions to ensure that adequate
controls are in place so that the
education records of all students are
handled in accordance with FERPA’s
privacy protections. The safeguarding
recommendations that we provided in
the NPRM, and are repeated in these
final regulations, are intended to
provide agencies and institutions
additional information and resources to
assist them in meeting this
responsibility. In addition, educational
agencies and institutions should refer to
the protections required under § 300.623
of the confidentiality of information
requirements in Part B of the IDEA, 34
CFR 300.623 (Safeguards).
We acknowledge that there are many
sources available concerning
information security technology and
processes. The Department does not
wish to appear to endorse the
information or product of any company
or organization; therefore, we have
included only Federal government
sources in this notice.
The Department does not have the
authority under FERPA to require that
agencies or institutions issue a direct
notice to a parent or student upon an
unauthorized disclosure of education
records. FERPA only requires that the
agency or institution record the
disclosure so that a parent or student
will become aware of the disclosure
during an inspection of the student’s
education record.
Changes: None.
We are republishing here, for the
administrative convenience of
educational agencies and institutions
and other parties, the Department
Recommendations for Safeguarding
Education Records that were published
in the preamble to the NPRM (73 FR
15598–15599):
The Department recognizes that
agencies and institutions face significant
challenges in safeguarding educational
records. We are providing the following
information and recommendations to
assist agencies and institutions in
meeting these challenges.
PO 00000
Frm 00039
Fmt 4701
Sfmt 4700
74843
As noted elsewhere in this document,
FERPA provides that no funds
administered by the Secretary may be
made available to any educational
agency or institution that has a policy or
practice of releasing, permitting the
release of, or providing access to
personally identifiable information from
education records without the prior
written consent of a parent or eligible
student except in accordance with
specified exceptions. In light of these
requirements, the Secretary encourages
educational agencies and institutions to
utilize appropriate methods to protect
education records, especially in
electronic data systems.
In recent years the following incidents
have come to the Department’s
attention:
• Students’ grades or financial
information, including SSNs, have been
posted on publicly available Web
servers;
• Laptops and other portable devices
containing similar information from
education records have been lost or
stolen;
• Education records, or devices that
maintain education records, have not
been retrieved from school officials
upon termination of their employment
or service as a contractor, consultant, or
volunteer;
• Computer systems at colleges and
universities have become favored targets
because they hold many of the same
records as banks but are much easier to
access. See ‘‘College Door Ajar for
Online Criminals’’ (May 2006), available
at https://www.uh.edu/ednews/2006/
latimes/200605/20060530hackers.html.
and July 10, 2006, Viewpoint in
Business Week/Online available at
https://www.businessweek.com/
technology/content/jul2006/
tc20060710_558020.htm;
• Nearly 65 percent of postsecondary
educational institutions identified theft
of personal information (SSNs, credit/
debit/ATM card, account or PIN
numbers, etc.) as a high risk area. See
Table 7, Perceived Risks at https://
www.educause.edu/ir/library/pdf/
ecar_so/ers/ers0606/Ekf0606.pdf; and
• In December 2006, a large
postsecondary institution alerted some
800,000 students and others that the
campus computer system containing
their names, addresses, and SSNs had
been compromised.
The Department’s Office of Inspector
General (OIG) noted in Final Inspection
Alert Memorandum dated February 3,
2006, that the Privacy Rights
Clearinghouse reported that between
February 15, 2005, and November 19,
2005, there were 93 documented
computer breaches of electronic files
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
74844
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
involving personal information from
education records such as SSNs, credit
card information, and dates of birth.
According to the reported data, 45
percent of these incidents have occurred
at colleges and universities nationwide.
OIG expressed concern that student
information may be compromised due
to a failure to implement or administer
proper security controls for information
systems at postsecondary institutions.
The Department recognizes that no
system for maintaining and transmitting
education records, whether in paper or
electronic form, can be guaranteed safe
from every hacker and thief,
technological failure, violation of
administrative rules, and other causes of
unauthorized access and disclosure.
Although FERPA does not dictate
requirements for safeguarding education
records, the Department encourages the
holders of personally identifiable
information to consider actions that
mitigate the risk and are reasonably
calculated to protect such information.
Of course, an educational agency or
institution may use any method,
combination of methods, or
technologies it determines to be
reasonable, taking into consideration the
size, complexity, and resources
available to the institution; the context
of the information; the type of
information to be protected (such as
social security numbers or directory
information); and methods used by
other institutions in similar
circumstances. The greater the harm
that would result from unauthorized
access or disclosure and the greater the
likelihood that unauthorized access or
disclosure will be attempted, the more
protections an agency or institution
should consider using to ensure that its
methods are reasonable.
One resource for administrators of
electronic data systems is ‘‘The National
Institute of Standards and Technology
(NIST) 800–100, Information Security
Handbook: A Guide for Managers’’
(October 2006). See https://csrc.nist.gov/
publications/nistpubs/800-100/SP800100-Mar07-2007.pdf. A second resource
is NIST 800–53, Information Security,
which catalogs information security
controls. See https://csrc.nist.gov/
publications/nistpubs/800-53-Rev1/80053-rev1-final-clean-sz.pdf. Similarly, a
May 22, 2007, memorandum to heads of
Federal agencies from the Office of
Management and Budget requires
executive departments and agencies to
ensure that proper safeguards are in
place to protect personally identifiable
information that they maintain,
eliminate the unnecessary use of SSNs,
and develop and implement a ‘‘breach
notification policy.’’ This memorandum,
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
although directed towards Federal
agencies, may also serve as a resource
for educational agencies and
institutions. See https://
www.whitehouse.gov/omb/memoranda/
fy2007/m07-16.pdf.
Finally, if an educational agency or
institution has experienced a theft of
files or computer equipment, hacking or
other intrusion, software or hardware
malfunction, inadvertent release of data
to Internet sites, or other unauthorized
release or disclosure of education
records, the Department suggests
consideration of one or more of the
following steps:
• Report the incident to law
enforcement authorities.
• Determine exactly what information
was compromised, i.e., names,
addresses, SSNs, ID numbers, credit
card numbers, grades, and the like.
• Take steps immediately to retrieve
data and prevent any further
disclosures.
• Identify all affected records and
students.
• Determine how the incident
occurred, including which school
officials had control of and
responsibility for the information that
was compromised.
• Determine whether institutional
policies and procedures were breached,
including organizational requirements
governing access (user names,
passwords, PINS, etc.); storage;
transmission; and destruction of
information from education records.
• Determine whether the incident
occurred because of a lack of monitoring
and oversight.
• Conduct a risk assessment and
identify appropriate physical,
technological, and administrative
measures to prevent similar incidents in
the future.
• Notify students that the
Department’s Office of Inspector
General maintains a Web site describing
steps students may take if they suspect
they are a victim of identity theft at
https://www.ed.gov/about/offices/list/
oig/misused/idtheft.html; and https://
www.ed.gov/about/offices/list/oig/
misused/victim.html.
FERPA does not require an
educational agency or institution to
notify students that information from
their education records was stolen or
otherwise subject to an unauthorized
release, although it does require the
agency or institution to maintain a
record of each disclosure. 34 CFR
99.32(a)(1). (However, student
notification may be required in these
circumstances for postsecondary
institutions under the Federal Trade
Commission’s Standards for Insuring
PO 00000
Frm 00040
Fmt 4701
Sfmt 4700
the Security, Confidentiality, Integrity
and Protection of Customer Records and
Information (‘‘Safeguards Rule’’) in 16
CFR part 314.) In any case, direct
student notification may be advisable if
the compromised data includes student
SSNs and other identifying information
that could lead to identity theft.
Executive Order 12866
Under Executive Order 12866, the
Secretary must determine whether this
regulatory action is ‘‘significant’’ and
therefore subject to the requirements of
the Executive Order and subject to
review by OMB. Section 3(f) of
Executive Order 12866 defines a
‘‘significant regulatory action’’ as an
action likely to result in a rule that may
(1) have an annual effect on the
economy of $100 million or more, or
adversely affect a sector of the economy,
productivity, competition, jobs, the
environment, public health or safety, or
State, local or tribal governments, or
communities in a material way (also
referred to as an ‘‘economically
significant’’ rule); (2) create serious
inconsistency or otherwise interfere
with an action taken or planned by
another agency; (3) materially alter the
budgetary impacts of entitlement grants,
user fees, or loan programs or the rights
and obligations of recipients thereof; or
(4) raise novel legal or policy issues
arising out of legal mandates, the
President’s priorities, or the principles
set forth in the Executive order. The
Secretary has determined that this
regulatory action is significant under
section 3(f)(4) of the Executive order.
1. Summary of Public Comments
The Department did not receive any
comments on the analysis of the costs
and benefits in the NPRM. However,
since the publication of the NPRM, we
have identified several information
collection requirements that were not
identified in the NPRM. We have added
discussions of the costs and benefits of
two information collection requirements
in the following Summary of Costs and
Benefits.
2. Summary of Costs and Benefits
Following is an analysis of the costs
and benefits of the most significant
changes to the FERPA regulations. In
conducting this analysis, the
Department examined the extent to
which the regulations add to or reduce
the costs of educational agencies and
institutions and, where appropriate,
State educational agencies (SEAs) and
other State and local educational
authorities in relation to their costs of
complying with the FERPA regulations
prior to these changes.
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
This analysis is based on data from
the most recent Digest of Education
Statistics (2007) published by the
National Center for Education Statistics
(NCES), which projects total enrollment
for Fall 2008 of 49,812,000 students in
public elementary and secondary
schools and 18,264,000 students in
postsecondary institutions; and a total
of 97,382 public K–12 schools; 14,166
school districts; and 6,463
postsecondary institutions. (Excluded
are data from private institutions that do
not receive Federal funding from the
Department and, therefore, are not
subject to FERPA.) Based on this
analysis, the Secretary has concluded
that the changes in these regulations
will not impose significant net costs on
educational agencies and institutions.
Analyses of specific provisions follow.
Alumni Records
The regulations in § 99.3 clarify the
current exclusion from the definition of
education records for records that only
contain information about an individual
after he or she is no longer a student,
which is intended to cover records of
alumni and similar activities. Some
institutions have applied this exclusion
to records that are created after a
student has ceased attending the
institution but that are directly related
to his or her attendance as a student,
such as investigatory reports and
settlement agreements about incidents
and injuries that occurred during the
student’s enrollment. The amendment
will clarify that this provision applies
only to records created or received by an
educational agency or institution after
an individual is no longer a student in
attendance and that are not directly
related to the individual’s attendance as
a student.
We believe that most of the more than
103,845 K–12 schools and
postsecondary institutions subject to
FERPA already adhere to this revised
interpretation in the regulations and
that for those that do not, the number
of records affected is likely to be very
small. Assuming that each year one half
of one percent of the 68.1 million
students enrolled in these institutions
have one record each affected by the
change, in the year following issuance
of the regulations institutions will be
required to try to obtain written consent
before releasing 350,380 records that
they would otherwise release without
consent. We estimate that for the first
year contacting the affected parent or
student to seek and process written
consent for these disclosures will take
approximately one-half hour per record
at an average cost of $32.67 per hour for
a total cost of $5,562,068.
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
(Compensation for administrative staff
time is based on published estimates for
2005 from the Bureau of Labor
Statistics’ National Compensation
Survey of $23.50 per hour plus an
average 39 percent benefit load for Level
8 administrators in education and
related fields.)
In terms of benefits, the change will
protect the privacy of parents and
students by clarifying the intent of this
regulatory exclusion and help prevent
the unlawful disclosure of these records.
It will also provide greater legal
certainty and therefore some cost
savings for those agencies and
institutions that may be required to
litigate this issue in connection with a
request under a State open records act
or other legal proceeding. For these
reasons, we believe that the overall
benefits outweigh the potential costs of
this change.
Exclusion of SSNs and ID Numbers
From Directory Information
The proposed regulations in § 99.3
clarified that a student’s SSN or student
ID number is personally identifiable
information that may not be disclosed as
directory information under FERPA.
The final regulations allow an
educational agency or institution to
designate and disclose student ID
numbers as directory information if the
number cannot be used by itself to gain
access to education records, i.e. , it is
used like a name. SSNs may never be
disclosed as directory information.
The principal effect of this change is
that educational agencies and
institutions may not post grades by the
student’s SSN or non-directory student
ID number and may not include these
identifiers with directory information
they disclose about a student, such as a
student’s name, school, and grade level
or class, on rosters, or on sign-in sheets
that are made available to students and
others. (Educational agencies and
institutions may continue to include
SSNs and non-directory student ID
numbers on class rosters and schedules
that are disclosed only to teachers and
other school officials who have
legitimate educational interests in this
information.)
A class roster or sign-in sheet that
contains or requires students to affix
their SSN or non-directory student ID
number makes that information
available to every individual who signs
in or sees the document and increases
the risk that the information may be
improperly used for purposes such as
identity theft or to find out a student’s
grades or other confidential educational
information. In regard to posting grades,
an individual who knows which classes
PO 00000
Frm 00041
Fmt 4701
Sfmt 4700
74845
a particular student attends may be able
to ascertain that student’s SSN or nondirectory student ID number by
comparing class lists for repeat
numbers. Because SSNs are not
randomly generated, it may be possible
to identify a student by State of origin
based on the first three (area) digits of
the number, or by date of issuance based
on the two middle digits.
The Department does not have any
actual data on how many class or test
grades are posted by SSN or nondirectory student ID number at this
time, but we believe that the practice is
rare or non-existent below the
secondary level. Although the practice
was once widespread, particularly at the
postsecondary level, anecdotal evidence
suggests that as a result of consistent
training and informal guidance by the
Department over the past several years,
together with the increased attention
States and privacy advocates have given
to the use of SSNs, many institutions
now either require teachers to use a
code known only to the teacher and the
student or prohibit the posting of grades
entirely.
The most recent figures available from
the Bureau of Labor Statistics (2007)
indicate that there are approximately 2.7
million secondary and postsecondary
teachers in the United States. As noted
above, we assume that most of these
teachers either do not post grades at all
or already use a code known only to the
teacher or student. We assume further
that additional costs to deliver grades
personally in the classroom or through
electronic mail, instead of posting, will
be minimal. For purposes of this
analysis, we estimate that no more than
five percent of 2.7 million, or 135,000
teachers, continue to post grades by SSN
or non-directory student ID number and
thus will need to convert to a code,
which will require them to spend an
average of one-half hour each semester
establishing and managing grading
codes for students. Since we do not
know how many teachers at either
education level will continue to post
grades, and wages for postsecondary
teachers are higher than secondary
teacher wages, we use postsecondary
teacher wages to ensure that the
estimate encompasses the upper limit of
possible costs. Using the Bureau of
Labor Statistics’ published estimate of
average hourly wages of $42.98 for
teachers at postsecondary institutions
and an average 39 percent load for
benefits, we estimate an average cost of
$59.74 per teacher per year, for a total
of $8,064,900. Parents and students
should incur no costs except for the
time they might have to spend to
E:\FR\FM\09DER2.SGM
09DER2
74846
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
contact the school official if they forget
the student’s grading code.
This change will benefit parents and
students and educational agencies and
institutions by reducing the risk of
identity theft associated with posting
grades by SSN, and the risk of
disclosing grades and other confidential
educational information caused by
posting grades by a non-directory
student ID number. It is difficult to
quantify the value of reducing the risk
of identity theft. According to the
Federal Trade Commission, however,
for the past few years over one-third of
complaints filed with that agency have
been for identity theft. According to the
Better Business Bureau, identity theft
costs businesses nearly $57 billion in
2006, while victims spent an average of
40 hours resolving identity theft issues.
It is even more difficult to measure the
benefits of enhanced privacy protections
for student grades and other
confidential educational information
from education records because the
value individuals place on the privacy
of this information varies considerably
and because we are unable to determine
how often it happens. Therefore, we
have no basis to estimate the value of
these enhanced privacy protections in
relation to the expected costs to
implement the changes.
Prohibit Use of SSN To Confirm
Directory Information
The regulations will prevent an
educational agency or institution (or a
contractor providing services for an
agency or institution) from using a
student’s SSN (or other non-directory
information) to identify the student
when releasing or confirming directory
information. This occurs, for example,
when a prospective employer or
insurance company telephones an
institution or submits an inquiry
through the institution’s Web site to
find out whether a particular individual
is enrolled in or has graduated from the
institution. While this provision will
apply to educational agencies and
institutions at all grade levels, we
believe that it will affect mainly
postsecondary institutions because K–
12 agencies and institutions typically do
not provide enrollment and degree
verification services.
A survey conducted in March 2002 by
the American Association of Collegiate
Registrars and Admissions Officers
(AACRAO) showed that nearly half of
postsecondary institutions used SSNs as
the primary means to track students in
academic databases. Since then, use of
SSNs as a student identifier has
decreased significantly in response to
public concern about identity theft.
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
While postsecondary institutions may
continue to collect students’ SSNs for
financial aid and tax reporting purposes,
many have ceased using the SSN as a
student identifier either voluntarily or
in compliance with State laws. Also,
over the past several years the
Department has provided training on
this issue and published on the Office
Web site a 2004 letter finding a
postsecondary institution in violation of
FERPA when its agent used a student’s
SSN, without consent, to search its
database to verify that the student had
received a degree. www.ed.gov/policy/
gen/guid/fpco/ferpa/library/
auburnuniv.html. Given these
circumstances, we estimate that
possibly one-quarter of the nearly 6,463
postsecondary institutions in the United
States, or 1,616 institutions, may ask a
requester to provide the student’s SSN
(or non-directory student ID number) in
order to locate the record and respond
to an inquiry for directory information.
Under the regulations an educational
agency or institution that identifies
students by SSN (or non-directory
student ID number) when releasing
directory information will either have to
ensure that the student has provided
written consent to disclose the number
to the requester, or rely solely on a
student’s name and other properly
designated directory information to
identify the student, such as address,
date of birth, dates of enrollment, year
of graduation, major field of study,
degree received, etc. Costs to an
institution of ensuring that students
have provided written consent for these
disclosures, for example by requiring
the requester to fax copies of each
written consent to the institution or its
contractor, or making arrangements to
receive them electronically, could be
substantial for large institutions and
organizations that utilize electronic
recordkeeping systems. Institutions may
choose instead to conduct these
verifications without using SSNs or
non-directory student IDs, which may
make it more difficult to ensure that the
correct student has been identified
because of the known problems in
matching records without the use of a
universal identifier. Increased
institutional costs either to verify that
the student has provided consent or to
conduct a search without use of SSNs or
non-directory student ID numbers
should be less for smaller institutions,
where the chances of duplicate records
are decreased. Parents and students may
incur additional costs if an employer,
insurance company, or other requester
is unable to verify enrollment or
graduation based solely on directory
PO 00000
Frm 00042
Fmt 4701
Sfmt 4700
information, and written consent for
disclosure of the student’s SSN or nondirectory student ID number is required.
Due to the difficulty in ascertaining
actual costs associated with these
transactions, we have no basis to
estimate costs that educational agencies
and institutions and parents and
students will incur as a result of this
change.
The enhanced privacy protections of
this amendment will benefit students
and parents by reducing the risk that
third parties will disclose a student’s
SSN without consent and possibly
confirm a questionable number for
purposes of identity theft. Similarly,
preventing institutions from implicitly
confirming a questionable non-directory
student ID number will help prevent
unauthorized individuals from
obtaining confidential information from
education records. In evaluating the
benefits or value of this change, we note
that this provision does not affect any
activity that an educational agency or
institution is permitted to perform
under FERPA or other Federal law, such
as using SSNs to identify students and
confirm their enrollment status for
student loan purposes, which is
permitted without consent under the
financial aid exception in § 99.31.
User ID for Electronic Communications
The regulations will allow an
educational agency or institution to
disclose as directory information a
student’s ID number, user ID or other
electronic identifier so long as the
identifier functions like a name; that is,
it cannot be used without a PIN,
password, or some other authentication
factor to gain access to education
records. This change will impose no
costs and will provide benefits in the
form of regulatory relief allowing
agencies and institutions to use
directory services in electronic
communications systems without
incurring the administrative costs
associated with obtaining student
consent for these disclosures.
Costs related to honoring a student’s
decision to opt out of these disclosures
will be minimal because we assume that
only a small number of students will
elect not to participate in electronic
communications at their school.
Applying this change to records of both
K–12 and postsecondary students and
assuming that one-tenth of one percent
of parents and eligible students will opt
out of these disclosures, we estimate
that institutions will have to flag the
records of approximately 68,000
students for opt-out purposes. We lack
sufficient data on costs institutions
currently incur to flag records for
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
directory information opt-outs for other
purposes, so we are unable to estimate
the administrative and information
technology costs institutions will incur
to process these new directory
information opt-outs resulting from this
change.
jlentini on PROD1PC65 with RULES2
Student Anonymity in the Classroom
The final regulations will ensure that
parents and students do not use the
right to opt out of directory information
disclosures to remain anonymous in the
classroom, by clarifying that opting out
does not prevent disclosure of the
student’s name, institutional e-mail
address, or electronic identifier in the
student’s physical or electronic
classroom. We estimate that this change
will result in a small net benefit to
educational agencies and institutions
because they will have greater legal
certainty about the element of classroom
administration, and it will reduce the
institutional costs of responding to
complaints from students and parents
about the release of this information.
Disclosing Education Records to New
School and to Party Identified as
Source Record
The final regulations in § 99.31(a)(2)
will allow an educational agency or
institution to disclose education
records, or personally identifiable
information from education records, to
a student’s new school even after the
student is already attending the new
school so long as the disclosure relates
to the student’s enrollment in the new
school. This change will provide
regulatory relief by reducing legal
uncertainty about how long a school
may continue to send records or
information to a student’s new school,
without consent, under the ‘‘seeks or
intends to enroll’’ exception.
The amendment to the definition of
disclosure in § 99.3 will allow a school
that has concerns about the validity of
a transcript, letter of recommendation,
or other record to return these
documents (or personally identifiable
information from these documents) to
the student’s previous school or other
party identified as the source of the
record in order to resolve questions
about their validity. Combined with the
change to § 99.31(a)(2), discussed earlier
in this analysis, this change will also
allow the student’s previous school to
continue to send education records, or
clarification about education records, to
the student’s new school in response to
questions about the validity or meaning
of records sent previously by that party.
We are unable to determine how much
it will cost educational agencies and
institutions to return potentially
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
fraudulent documents to the party
identified as the sender because we do
not have any basis for estimating how
often this occurs. However, we believe
that these changes will provide
significant regulatory relief to
educational agencies and institutions by
helping to reduce transcript and other
educational fraud based on falsified
records.
Outsourcing
The regulations in § 99.31(a)(1)(i) will
allow educational agencies and
institutions to disclose education
records, or personally identifiable
information from education records,
without consent to contractors,
volunteers, and other non-employees
performing institutional services and
functions as school officials with
legitimate educational interests. An
educational agency or institution that
uses non-employees to perform
institutional service and functions will
have to amend its annual notification of
FERPA rights to include these parties as
school officials with legitimate
educational interests.
This change will provide regulatory
relief by permitting, and clarifying the
conditions for, non-consensual
disclosure of education records. Our
experience suggests that virtually all of
the more than 103,000 schools subject to
FERPA will take advantage of this
provision. We have no actual data on
how many school districts publish
annual FERPA notifications for the
97,382 K–12 public schools included in
this total and, therefore, how many
entities will be affected by this
requirement. However, because
educational agencies and institutions
were already required under previous
regulations to publish a FERPA
notification annually, we believe that
costs to include this new information
will be minimal.
Access Control and Tracking
The regulations in § 99.31(a)(1)(ii)
will require an educational agency or
institution to use reasonable methods to
ensure that teachers and other school
officials obtain access to only those
education records in which they have
legitimate educational interests. This
requirement will apply to records in any
format, including computerized or
electronic records and paper, film, and
other hard copy records. An educational
agency or institution that chooses not to
restrict access to education records with
physical or technological controls, such
as locked cabinets and role-based
software security, must ensure that its
administrative policy for controlling
access is effective and that it remains in
PO 00000
Frm 00043
Fmt 4701
Sfmt 4700
74847
compliance with the legitimate
educational interest requirement.
Administrative experience has shown
that schools that allow teachers and
other school officials to have
unrestricted access to education records
tend to have more problems with
unauthorized disclosures, such as
school officials obtaining access to
education records for personal rather
than professional reasons. Preventing
unrestricted access to education records
by teachers and other school officials
will benefit parents and students by
helping to ensure that education records
are used only for legitimate educational
purposes. It will also help ensure that
education records are not accessed or
disclosed inadvertently.
Information gathered by the Director
of the Office at numerous FERPA
training sessions and seminars, along
with recent discussions with software
vendors and educational organizations,
indicates that the vast majority of midand large-size school districts and
postsecondary institutions currently use
commercial software for student
information systems. These systems
generally include role-based security
features that allow administrators to
control access to specific records,
screens, or fields according to a school
official’s duties and responsibilities.
These systems also typically contain
transactional logging features that
document or track a user’s actual access
to particular records, which will help
ensure that an agency’s or institution’s
access control methods are effective.
Educational agencies and institutions
that already have these systems will
incur no additional costs to comply
with the regulations.
For purposes of this analysis we
excluded from a total of 14,166 school
districts and 6,463 postsecondary
institutions those with more than 1,000
students, for a total of 6,887 small K–12
districts and 3,906 small postsecondary
institutions that may not have software
with access control security features.
The discussions that the Director of the
Office has had with numerous SEAs and
local districts suggest that the vast
majority of these small districts and
institutions do not make education
records available to school officials
electronically or by computer but
instead use some system of
administrative and physical controls.
We estimate for this analysis that 15
percent, or 1,619, of these small districts
and institutions use home-built
computerized or electronic systems that
may not have the role-based security
features of commercial software. The
most recent published estimate we have
for software costs comes from the final
E:\FR\FM\09DER2.SGM
09DER2
74848
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
jlentini on PROD1PC65 with RULES2
Standards for Privacy of Individually
Identifiable Health Information under
the Health Insurance Portability and
Accountability Act of 1996 (HIPAA
Privacy Rule) published by the
Department of Health and Human
Services (HHS) on December 28, 2000,
which estimated that the initial perhospital cost of software upgrades to
track the disclosure of medical records
would be $35,000 (65 FR 82768). We
assume that costs will be comparable for
education records, and, as discussed
above, software that tracks disclosure
history can also be used to control or
restrict access to electronic records.
Based on these assumptions, if 1,619
small K–12 districts and postsecondary
institutions decide to purchase student
information software rather than rely on
administrative policies to comply with
the regulations, they will incur
estimated costs of $56,665,000. We
estimate that the remaining 9,174 small
districts and institutions will not
purchase new software because they do
not make education records available
electronically and rely instead on less
costly administrative and physical
methods to control access to records by
school officials. Those that provide
school officials with open access to hard
copy education records may incur new
costs to track actual disclosures to help
ensure that they remain in compliance
with legitimate educational interests
requirements. We assume that these
districts and institutions may devote
some additional administrative staff
time to procedures such as keeping logs
of school officials who access records.
However, no reliable estimates exist for
the average number of teachers and
other school officials who access
education records or the number of
times access is sought, so we are unable
to estimate the cost of restricting or
tracking actual disclosures of hard copy
education records to school officials.
Education Research
The regulations in § 99.31(a)(6)(ii)(C)
require an educational agency or
institution to enter into a written
agreement before disclosing personally
identifiable information from education
records, without consent, to
organizations conducting studies for, or
on behalf of, the educational agency or
institution to: (a) Develop, validate, or
administer predictive tests; (b)
administer student aid programs; or (c)
improve instruction. The written
agreement must specify the purpose or
purposes, scope, and duration of the
study or studies and the information to
be disclosed, require the organization to
conduct the study in a manner that does
not permit personal identification of
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
parents and students by anyone other
than representatives of the organization
with legitimate interests, require the
destruction or return of the information
to the educational agency or institution
when the study is completed, and
specify the time period for destruction
or return of the information. We believe
that the additional cost of entering into
written agreements to comply with this
change is unlikely to be significant
because most educational agencies and
institutions already specify the terms
under which personally identifiable
information can be used when it is
disclosed to organizations for these
types of studies. Although this change
will create an additional information
collection requirement, we believe the
benefits of the written agreement
outweigh the costs, because it will
ensure better compliance with FERPA
and provide clarity for both researchers
and educational agencies and
institutions about the restrictions and
use of personally identifiable
information disclosed under
§ 99.31(a)(6) for studies.
Identification and Authentication of
Identity
The regulations in § 99.31(c) require
educational agencies and institutions to
use reasonable methods to identify and
authenticate the identity of parents,
students, school officials and other
parties to whom the agency or
institution discloses personally
identifiable information from education
records. The use of widely available
information to authenticate identity,
such as the recipient’s name, date of
birth, SSN or student ID number, is not
considered reasonable under the
regulations.
The regulations will impose no new
costs for educational agencies and
institutions that disclose hard-copy
records through the U.S. postal service
or private delivery services with use of
the recipient’s name and last known
official address.
We were unable to find reliable data
that would allow us to estimate the
additional administrative time that
educational agencies and institutions
will spend checking photo ID against
school records or using other reasonable
methods, as appropriate, to identify and
authenticate the identity of students,
parents, and other parties to whom the
agency or institution discloses
education records in person.
Authentication of identity for
electronic or telephonic access to
education records involves a wider
array of security options because of
continuing advances in technologies,
but is not necessarily more costly than
PO 00000
Frm 00044
Fmt 4701
Sfmt 4700
authentication of identity for hard-copy
records. We assume that educational
agencies and institutions that require
users to enter a secret password or PIN
to authenticate identity will deliver the
password or PIN through the U.S. postal
service or in person. We estimate that
no new costs will be associated with
this process because agencies and
institutions already have direct contact
with parents, eligible students, and
school officials for a variety of other
purposes and will use these
opportunities to deliver a secret
authentication factor.
As noted in the preamble to the
NPRM, 73 FR 15585, single-factor
authentication of identity, such as a
standard form user name combined with
a secret password or PIN, may not
provide reasonable protection for access
to all types of education records or
under all circumstances. We lack a basis
for estimating costs of authenticating
identity when educational agencies and
institutions allow authorized users to
access sensitive personal or financial
information in electronic records for
which single-factor authentication
would not be reasonable.
Redisclosure and Recordkeeping
The regulations allow the officials and
agencies listed in § 99.31(a)(3) (the U.S.
Comptroller General, the U.S. Attorney
General, the Secretary, and State and
local educational authorities) to
redisclose education records, or
personally identifiable information from
education records, without consent
under the same conditions that apply
currently to other recipients of
education records under § 99.33(b). This
change provides substantial regulatory
relief to these parties by allowing them
to redisclose information on behalf of
educational agencies and institutions
under any provision in § 99.31(a), which
allows disclosure of education records
without consent. For example, States
will be able to consolidate K–16
education records under the SEA or
State higher educational authority
without having to obtain written
consent under § 99.30. Parties that
currently request access to records from
individual school districts and
postsecondary institutions will in many
instances be able to obtain the same
information in a more cost-effective
manner from the appropriate State
educational authority or the
Department.
In accordance with the current
regulations in § 99.32(b), an educational
agency or institution must record any
redisclosure of education records made
on its behalf under § 99.33(b), including
the names of the additional parties to
E:\FR\FM\09DER2.SGM
09DER2
jlentini on PROD1PC65 with RULES2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
which the receiving party may
redisclose the information and their
legitimate interests or basis for the
disclosure without consent under
§ 99.31 in obtaining the information.
The regulations require SEAs and other
State educational authorities (such as
higher education authorities), the
Secretary, and other officials or agencies
listed in § 99.31(a)(3) that make further
disclosures on behalf of an educational
agency or institution to maintain the
record of redisclosure required under
§ 99.32(b) if the educational agency or
institution has not recorded the
redisclosure or if the information was
obtained from another State or Federal
official or agency listed in § 99.31(a)(3).
The regulations also require the State or
Federal official or agency listed in
§ 99.31(a)(3) to provide a copy of its
record of redisclosures to the
educational agency or institution upon
request. In addition, an educational
agency or institution must maintain
with each student’s record of
disclosures the names of State and local
educational authorities and Federal
officials and agencies that may make
further disclosures from the student’s
records without consent under
§ 99.33(b) and must obtain a copy of the
record of redisclosure, if any,
maintained by the State or Federal
official that redisclosed information on
behalf of the agency or institution.
State educational authorities and
Federal officials listed in § 99.31(a)(3)
will incur new administrative costs if
they maintain the record of redisclosure
for the educational agency or institution
on whose behalf they redisclose
education records under the regulations.
We estimate that two educational
authorities or agencies in each State and
the District of Columbia (one for K–12
and one for postsecondary) and the
Department itself, for a total of 103
authorities, will maintain the required
records of redisclosures. (We anticipate
that educational agencies and
institutions will record under
§ 99.32(b)(1) any further disclosures
made by the other Federal officials
listed in § 99.31(a)(3), the U.S.
Comptroller General and the U.S.
Attorney General.) We estimate further
that these authorities will need to record
two redisclosures per year from their
records and that it will take one hour of
administrative time to record each
redisclosure electronically at an average
hourly rate of $32.67, for a total annual
administrative cost of $6,730.
(Compensation for administrative staff
time is explained earlier in this
analysis.) We also assume for purposes
of this analysis that State educational
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
authorities and the Department already
have software that will allow them to
record these disclosures electronically.
State educational authorities and
Federal officials that maintain records of
redisclosures will also have to make that
information available to the educational
agency or institution whose records
were redisclosed, upon request, so that
the agency or institution can make that
record available to a parent or eligible
student who has asked to inspect and
review the student’s record of
disclosures. We assume that few parents
and students request this information
and, therefore, use an estimate that one
tenth of one percent of a total of 68.1
million students will make such a
request each year, or 68,076 requests. If
it takes one-quarter of an hour to locate
and print a record of disclosures at an
average administrative hourly rate of
$32.67, the average annual
administrative cost for State and Federal
officials and agencies to provide this
service will be $556,011, plus mailing
costs (at $.42 per letter) of $28,592, for
a total of $584,603. We estimate that
educational agencies and institutions
themselves will incur comparable costs
when they ask State and Federal
officials to send them these records of
redisclosure and then make them
available to parents and students. We
note that printing and mailing costs may
be reduced to the extent that e-mail is
used to transmit the record, and if
parents or students pick up the record
on-site, but we do not have information
to estimate these potential savings.
The Department believes that these
changes will result in a net benefit to
educational agencies and institutions
because they will not have to record
further disclosures made by State and
Federal authorities and officials who
redisclose information from education
records on their behalf and will not
have to ask for a copy unless a parent
or eligible student asks to inspect and
review the student’s record of
disclosures. State and Federal
authorities and officials will also benefit
because they will not have to provide
their record of further disclosures to
anyone unless the educational agency or
institution asks for a copy. Overall, the
costs to State and Federal authorities to
record their own redisclosures will be
offset by the savings that educational
agencies and institutions will realize by
not having to record the disclosures
themselves.
Notification of Compliance With Court
Order or Subpoena
The regulations in § 99.33(b)92)
require any party that rediscloses
education records in compliance with a
PO 00000
Frm 00045
Fmt 4701
Sfmt 4700
74849
court order or subpoena under
§ 99.31(a)(9) to provide the notice to
parents and eligible students required
under § 99.31(a)(9)(ii). We anticipate
that this provision will affect mostly
State and local educational authorities,
which maintain education records they
have obtained from their constituent
districts and institutions and, under
§ 99.35(b), may redisclose the
information, without consent, in
compliance with a court order or
subpoena under § 99.31(a)(9).
There is no change in costs as a result
of shifting responsibility for notification
to the disclosing party under this
change. However, we believe that
minimizing or eliminating uncertainty
about which party is legally responsible
for the notification will result in a net
benefit to all parties.
Health or Safety Emergency
The regulations in § 99.32(a)(5)
require that a school that discloses
information under the health and safety
emergency exception in § 99.36 record
the articulable and significant threat
that formed the basis for the disclosure
and the parties to whom the education
records were disclosed. Because
§ 99.32(a) already requires schools to
record disclosures made under § 99.36,
including the legitimate interests the
parties had in requesting or obtaining
the information, we believe these
changes will not create any significant
additional administrative costs for
schools and that the benefit of including
the legitimate interests the parties had
in requesting or obtaining the
information outweighs the costs.
Directory Information Opt Outs
The regulations in § 99.37(b) clarify
that while an educational agency or
institution is not required to notify
former students under § 99.37(a) about
the institution’s directory information
policy or allow former students to opt
out of directory information disclosures,
they must continue to honor a parent’s
or student’s decision to opt out of
directory information disclosures after
the student leaves the institution. Most
agencies and institutions should already
comply with this requirement because
of informal guidance and training
provided by FPCO.
Parents and students will benefit from
this clarification because it will help
ensure that schools do not invalidate the
parent’s or student’s decisions on
directory information disclosures after
the student is no longer in attendance.
It will also benefit schools by
eliminating any uncertainty they may
have about whether they must continue
to honor an opt out once the student is
E:\FR\FM\09DER2.SGM
09DER2
74850
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
no longer in attendance. We have
insufficient information to estimate the
number of institutions affected and the
additional costs involved in changing
systems to maintain opt-out flags on
education records of former students.
jlentini on PROD1PC65 with RULES2
Paperwork Reduction Act of 1995
Following publication of the NPRM,
we provided, through a notice
published in the Federal Register (73
FR 28810, May 19, 2008) opportunity
for the public to comment on
information collections in the current
regulations, and indicated in that notice
the pendency of the NPRM.
Additionally, based on comments
received in response to the NPRM, we
have identified several information
collection requirements associated with
these regulations. We describe these
information collections in the following
paragraphs and will be submitting these
sections to OMB for review and
approval. We note that the Paperwork
Reduction Act of 1995 does not require
a response to these information
collection requirements unless they
display a valid OMB control number. A
valid OMB control number will be
assigned to the information collection
requirements at the end of the affected
sections of the regulations.
(1) § 99.31(a)(6)(ii)
FERPA permits an educational agency
or institution to disclose personally
identifiable information from education
records, without consent, to
organizations conducting studies for or
on behalf of the agency or institution for
purposes of testing, student aid, and
improvement of instruction. In the
NPRM, we proposed to add
§ 99.31(a)(6)(ii) to require that an
educational agency or institution to
disclose personally identifiable
information under § 99.31(a)(6)(i) only if
it enters into a written agreement with
the organization specifying the purposes
of the study. Under these final
regulations, this written agreement must
specify the purpose, scope, and duration
of the study or studies and the
information to be disclosed; require the
organization to use personally
identifiable information from education
records only to meet the purpose or
purposes of the study as stated in the
written agreement; require the
organization to conduct the study in a
manner that does not permit personal
identification of parents and students by
individuals other than representatives
with legitimate interest of the
organization that conducts the study;
require the organization to destroy the
information or return to the educational
agency or institution when it is no
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
longer needed for the purposes for
which the study was conducted; and
specify the time period for the
destruction or return of the information.
The Department did not identify in
the NPRM the requirement in
§ 99.31(a)(6)(ii) as an information
collection requirement under the
Paperwork Reduction Act of 1995 and
did not realize this would be an
information collection requirement until
a commenter brought this matter to our
attention. The commenter pointed out
that, while this change created another
paperwork burden for school districts,
the commenter did not object to the
written agreement requirement because
putting the requirements regarding the
use and destruction of data in writing
may improve compliance with FERPA.
The Department agrees with the
comment.
(2) § 99.32(a)(1)
Under FERPA, an educational agency
or institution is required to record its
disclosures of personally identifiable
information from education records,
even when it discloses information to its
own State educational authority. This
statutory requirement is reflected in the
current FERPA regulations. The final
regulations permit the State and local
educational authorities and Federal
officials listed in § 99.31(a)(3) to make
further discloses of personally
identifiable information from education
records on behalf of the educational
agency or institution in accordance with
the requirements of § 99.33(b) and
require them to record these further
disclosures of § 99.33(b) if the
educational agency or institution does
not do so. We have included provisions
in the final regulations that require
educational agencies and institutions to
maintain a listing in each student’s
record of the State and local educational
authorities and Federal officials and
agencies that may make further
disclosures of the student’s education
records without consent so that parents
and eligible students will be made
aware of these further disclosures.
(3) § 99.32(a)(4)
Under this new provision, parents
and eligible students will be able to
inspect and review any further
disclosures that were made by any of
the parties listed under § 99.31(a)(3) by
asking the educational agency or
institution to obtain a copy of the record
of further disclosures. We believe that
this is only a minor paperwork burden
for schools because it would involve
asking officials to whom they have
disclosed education records for the
record of further disclosure or, in the
PO 00000
Frm 00046
Fmt 4701
Sfmt 4700
case of some SEAs, accessing the State
database for this information. Also, we
do not expect that a large number of
parents and eligible students will ask to
see the record of further disclosures.
(4) § 99.32(a)(5)
During the development of the final
regulations, we identified another
change to the recordation requirements
of § 99.32 that would require the
collection of information. In response to
several comments we received regarding
changes to FERPA’s ‘‘health or safety
emergency exception’’ in § 99.36, we
have amended § 99.32(a) to include a
new recordation requirement.
Specifically, we have added a paragraph
to the recordation requirement that
requires that for any disclosures under
§ 99.36 a school must record the
articulable and significant threat to the
health or safety of a student or other
individuals that formed the basis for the
disclosure and the parties to whom the
agency or institution disclosed
information.
The Secretary believes that this is
only a minor paperwork burden for
schools because schools are already
required to record disclosures made
under § 99.36. The new language in
§ 99.32(a)(5) simply clarifies the type of
information that must be recorded when
a school discloses personally
identifiable information in response to a
health or safety emergency, either for
one student or for all students in a
school.
(5) § 99.32(b)(2)
In the NPRM, we specifically noted
that the Department was interested in
relieving any administrative burdens
associated with recording disclosures of
education records and, therefore,
invited public comment on whether an
SEA, the Department, or other authority
or official listed in § 99.31(a)(3) should
be allowed to maintain the record of the
redisclosures it makes on behalf of an
educational agency or institution under
§ 99.32(b).
Several commenters stated that an
SEA (or other authority or official listed
in § 99.31(a)(3)) should be responsible
for maintaining the record of disclosure
required under § 99.32 when it
rediscloses information on behalf of
educational agencies and institutions.
The commenters stated that requiring
each educational agency or institution,
such as school districts, to record each
redisclosure made by an SEA or other
State educational authority on its behalf
imposes an unacceptable recordkeeping
burden on school districts and is
impractical for State educational
authorities to adhere to in making
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
further disclosures on behalf of the
agency or institution. In response to
these comments, we are revising § 99.32
to require the State and local
educational authorities and Federal
officials listed in § 99.31(a)(3) to
maintain the record of further
disclosures if the educational agency or
institution does not do so and make it
available to the educational agency or
institution upon request. We agree that
by requiring State and Federal
authorities and officials to record their
redisclosures in these circumstances
school districts will have less total
paperwork burden because schools will
not have to comply with the
recordkeeping requirement in these
instances.
In the NPRM, and in accordance with
section 411 of the General Education
Provisions Act, 20 U.S.C. 1221e–4, we
requested comments on whether the
proposed regulations would require
transmission of information that any
other agency or authority of the United
States gathers or makes available.
Based on the response to the NPRM
and on our review, we have determined
that these final regulations do not
require transmission of information that
any other agency or authority of the
United States gathers or makes
available.
Electronic Access to This Document
You may view this document, as well
as all other Department of Education
documents published in the Federal
Register, in text or Adobe Portable
Document Format (PDF) on the Internet
at the following site: www.ed.gov/news/
fedregister.
To use PDF you must have Adobe
Acrobat Reader, which is available free
at this site. If you have questions about
using PDF, call the U.S. Government
Printing Office (GPO), toll free, at 1–
888–293–6498; or in the Washington,
DC area at (202) 512–1530.
Note: The official version of this document
is the document published in the Federal
Register. Free Internet access to the official
edition of the Federal Register and the Code
of Federal Regulations is available on GPO
Access at www.gpoaccess.gov/nara/
index.html.
(Catalog of Federal Domestic Assistance
Number does not apply.)
jlentini on PROD1PC65 with RULES2
List of Subjects in 34 CFR Part 99
Administrative practice and
procedure, Directory information,
Education records, Information, Parents,
Privacy, Records, Social Security
Numbers, Students.
18:13 Dec 08, 2008
Jkt 217001
■
information, means a record of one or
more measurable biological or
behavioral characteristics that can be
used for automated recognition of an
individual. Examples include
fingerprints; retina and iris patterns;
voiceprints; DNA sequence; facial
characteristics; and handwriting.
PART 99—FAMILY EDUCATIONAL
RIGHTS AND PRIVACY
(Authority: 20 U.S.C. 1232g)
For the reasons discussed in the
preamble, the Secretary amends part 99
of title 34 of the Code of Federal
Regulations as follows:
1. The authority citation for part 99
continues to read as follows:
■
Authority: 20 U.S.C. 1232g, unless
otherwise noted.
2. Section 99.2 is amended by revising
the note following the authority citation
to read as follows:
■
§ 99.2 What is the purpose of these
regulations?
Assessment of Educational Impact
VerDate Aug<31>2005
Dated: December 2, 2008.
Margaret Spellings,
Secretary of Education.
74851
*
*
*
*
*
Note to § 99.2: 34 CFR 300.610 through
300.626 contain requirements regarding the
confidentiality of information relating to
children with disabilities who receive
evaluations, services or other benefits under
Part B of the Individuals with Disabilities
Education Act (IDEA). 34 CFR 303.402 and
303.460 identify the confidentiality of
information requirements regarding children
and infants and toddlers with disabilities and
their families who receive evaluations,
services, or other benefits under Part C of
IDEA. 34 CFR 300.610 through 300.627
contain the confidentiality of information
requirements that apply to personally
identifiable data, information, and records
collected or maintained pursuant to Part B of
the IDEA.
3. Section 99.3 is amended by:
A. Adding, in alphabetical order, a
definition of Biometric record.
■ B. Revising the definitions of
Attendance, Directory information,
Disclosure, and Personally identifiable
information.
■ C. In the definition of Education
records, revising paragraph (b)(5) and
adding a new paragraph (b)(6).
These additions and revisions read as
follows:
■
■
§ 99.3 What definitions apply to these
regulations?
*
*
*
*
*
Attendance includes, but is not
limited to—
(a) Attendance in person or by paper
correspondence, videoconference,
satellite, Internet, or other electronic
information and telecommunications
technologies for students who are not
physically present in the classroom; and
(b) The period during which a person
is working under a work-study program.
(Authority: 20 U.S.C. 1232g)
*
Frm 00047
Fmt 4701
Sfmt 4700
*
*
*
*
Directory information means
information contained in an education
record of a student that would not
generally be considered harmful or an
invasion of privacy if disclosed.
(a) Directory information includes,
but is not limited to, the student’s name;
address; telephone listing; electronic
mail address; photograph; date and
place of birth; major field of study;
grade level; enrollment status (e.g.,
undergraduate or graduate, full-time or
part-time); dates of attendance;
participation in officially recognized
activities and sports; weight and height
of members of athletic teams; degrees,
honors and awards received; and the
most recent educational agency or
institution attended.
(b) Directory information does not
include a student’s—
(1) Social security number; or
(2) Student identification (ID)
number, except as provided in
paragraph (c) of this section.
(c) Directory information includes a
student ID number, user ID, or other
unique personal identifier used by the
student for purposes of accessing or
communicating in electronic systems,
but only if the identifier cannot be used
to gain access to education records
except when used in conjunction with
one or more factors that authenticate the
user’s identity, such as a personal
identification number (PIN), password,
or other factor known or possessed only
by the authorized user.
(Authority: 20 U.S.C. 1232g(a)(5)(A))
*
*
*
*
*
Disclosure means to permit access to
or the release, transfer, or other
communication of personally
identifiable information contained in
education records by any means,
including oral, written, or electronic
means, to any party except the party
identified as the party that provided or
created the record.
(Authority: 20 U.S.C. 1232g(b)(1) and (b)(2))
*
*
*
*
*
Education Records
*
*
*
*
*
Biometric record, as used in the
definition of personally identifiable
PO 00000
*
*
*
*
*
(b) * * *
(5) Records created or received by an
educational agency or institution after
E:\FR\FM\09DER2.SGM
09DER2
74852
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
an individual is no longer a student in
attendance and that are not directly
related to the individual’s attendance as
a student.
(6) Grades on peer-graded papers
before they are collected and recorded
by a teacher.
*
*
*
*
*
Personally Identifiable Information
The term includes, but is not limited
to—
(a) The student’s name;
(b) The name of the student’s parent
or other family members;
(c) The address of the student or
student’s family;
(d) A personal identifier, such as the
student’s social security number,
student number, or biometric record;
(e) Other indirect identifiers, such as
the student’s date of birth, place of
birth, and mother’s maiden name;
(f) Other information that, alone or in
combination, is linked or linkable to a
specific student that would allow a
reasonable person in the school
community, who does not have personal
knowledge of the relevant
circumstances, to identify the student
with reasonable certainty; or
(g) Information requested by a person
who the educational agency or
institution reasonably believes knows
the identity of the student to whom the
education record relates.
(Authority: 20 U.S.C. 1232g)
*
*
*
*
*
4. Section 99.5 is amended by
redesignating paragraph (a) as paragraph
(a)(1) and adding a new paragraph (a)(2)
to read as follows:
■
jlentini on PROD1PC65 with RULES2
§ 99.5
What are the rights of students?
(a)(1) * * *
(2) Nothing in this section prevents an
educational agency or institution from
disclosing education records, or
personally identifiable information from
education records, to a parent without
the prior written consent of an eligible
student if the disclosure meets the
conditions in § 99.31(a)(8),
§ 99.31(a)(10), § 99.31(a)(15), or any
other provision in § 99.31(a).
*
*
*
*
*
■ 5. Section 99.31 is amended by:
■ A. Redesignating paragraph (a)(1) as
paragraph (a)(1)(i)(A) and adding new
paragraphs (a)(1)(i)(B) and (a)(1)(ii).
■ B. Revising paragraph (a)(2).
■ C. Redesignating paragraphs (a)(6)(iii)
and (a)(6)(iv) as paragraphs (a)(6)(iv)
and (a)(6)(v), respectively.
■ D. Revising paragraph (a)(6)(ii).
■ E. Adding a new paragraph (a)(6)(iii).
■ F. In paragraph (a)(9)(ii)(A), removing
the word ‘‘or’’ after the punctuation ‘‘;’’.
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
G. In paragraph (a)(9)(ii)(B), removing
the punctuation ‘‘.’’ and adding in its
place the word ‘‘;or’’.
■ H. Adding paragraph (a)(9)(ii)(C).
■ I. Adding paragraph (a)(16).
■ J. Revising paragraph (b).
■ K. Adding paragraphs (c) and (d).
■ L. Revising the authority citation at
the end of the section.
The additions and revisions read as
follows:
■
§ 99.31 Under what conditions is prior
consent not required to disclose
information?
(a) * * *
(1)(i)(A) * * *
(B) A contractor, consultant,
volunteer, or other party to whom an
agency or institution has outsourced
institutional services or functions may
be considered a school official under
this paragraph provided that the outside
party—
(1) Performs an institutional service or
function for which the agency or
institution would otherwise use
employees;
(2) Is under the direct control of the
agency or institution with respect to the
use and maintenance of education
records; and
(3) Is subject to the requirements of
§ 99.33(a) governing the use and
redisclosure of personally identifiable
information from education records.
(ii) An educational agency or
institution must use reasonable methods
to ensure that school officials obtain
access to only those education records
in which they have legitimate
educational interests. An educational
agency or institution that does not use
physical or technological access
controls must ensure that its
administrative policy for controlling
access to education records is effective
and that it remains in compliance with
the legitimate educational interest
requirement in paragraph (a)(1)(i)(A) of
this section.
(2) The disclosure is, subject to the
requirements of § 99.34, to officials of
another school, school system, or
institution of postsecondary education
where the student seeks or intends to
enroll, or where the student is already
enrolled so long as the disclosure is for
purposes related to the student’s
enrollment or transfer.
Note: Section 4155(b) of the No Child Left
Behind Act of 2001, 20 U.S.C. 7165(b),
requires each State to assure the Secretary of
Education that it has a procedure in place to
facilitate the transfer of disciplinary records
with respect to a suspension or expulsion of
a student by a local educational agency to
any private or public elementary or
secondary school in which the student is
subsequently enrolled or seeks, intends, or is
instructed to enroll.
PO 00000
Frm 00048
Fmt 4701
Sfmt 4700
(6)(i) * * *
(ii) An educational agency or
institution may disclose information
under paragraph (a)(6)(i) of this section
only if—
(A) The study is conducted in a
manner that does not permit personal
identification of parents and students by
individuals other than representatives of
the organization that have legitimate
interests in the information;
(B) The information is destroyed
when no longer needed for the purposes
for which the study was conducted; and
(C) The educational agency or
institution enters into a written
agreement with the organization that—
(1) Specifies the purpose, scope, and
duration of the study or studies and the
information to be disclosed;
(2) Requires the organization to use
personally identifiable information from
education records only to meet the
purpose or purposes of the study as
stated in the written agreement;
(3) Requires the organization to
conduct the study in a manner that does
not permit personal identification of
parents and students, as defined in this
part, by anyone other than
representatives of the organization with
legitimate interests;
and
(4) Requires the organization to
destroy or return to the educational
agency or institution all personally
identifiable information when the
information is no longer needed for the
purposes for which the study was
conducted and specifies the time period
in which the information must be
returned or destroyed.
(iii) An educational agency or
institution is not required to initiate a
study or agree with or endorse the
conclusions or results of the study.
*
*
*
*
*
(9) * * *
(ii) * * *
(C) An ex parte court order obtained
by the United States Attorney General
(or designee not lower than an Assistant
Attorney General) concerning
investigations or prosecutions of an
offense listed in 18 U.S.C. 2332b(g)(5)(B)
or an act of domestic or international
terrorism as defined in 18 U.S.C. 2331.
*
*
*
*
*
(16) The disclosure concerns sex
offenders and other individuals required
to register under section 170101 of the
Violent Crime Control and Law
Enforcement Act of 1994, 42 U.S.C.
14071, and the information was
provided to the educational agency or
institution under 42 U.S.C. 14071 and
applicable Federal guidelines.
(b)(1) De-identified records and
information. An educational agency or
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
institution, or a party that has received
education records or information from
education records under this part, may
release the records or information
without the consent required by § 99.30
after the removal of all personally
identifiable information provided that
the educational agency or institution or
other party has made a reasonable
determination that a student’s identity
is not personally identifiable, whether
through single or multiple releases, and
taking into account other reasonably
available information.
(2) An educational agency or
institution, or a party that has received
education records or information from
education records under this part, may
release de-identified student level data
from education records for the purpose
of education research by attaching a
code to each record that may allow the
recipient to match information received
from the same source, provided that—
(i) An educational agency or
institution or other party that releases
de-identified data under paragraph
(b)(2) of this section does not disclose
any information about how it generates
and assigns a record code, or that would
allow a recipient to identify a student
based on a record code;
(ii) The record code is used for no
purpose other than identifying a deidentified record for purposes of
education research and cannot be used
to ascertain personally identifiable
information about a student; and
(iii) The record code is not based on
a student’s social security number or
other personal information.
(c) An educational agency or
institution must use reasonable methods
to identify and authenticate the identity
of parents, students, school officials,
and any other parties to whom the
agency or institution discloses
personally identifiable information from
education records.
(d) Paragraphs (a) and (b) of this
section do not require an educational
agency or institution or any other party
to disclose education records or
information from education records to
any party.
(Authority: 20 U.S.C. 1232g(a)(5)(A), (b), (h),
(i), and (j)).
6. Section 99.32 is amended by:
A. Revising paragraph (a)(1).
B. Adding new paragraphs (a)(4) and
(a)(5).
■ C. Redesignating paragraphs (b)(1) and
(b)(2) as paragraphs (b)(1)(i) and
(b)(1)(ii) and redesignating paragraph
(b), introductory text, as paragraph
(b)(1).
■ D. Revising newly redesignated
paragraph (b)(1).
jlentini on PROD1PC65 with RULES2
■
■
■
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
E. Adding a new paragraph (b)(2).
F. Revising paragraph (d)(5).
The additions and revisions read as
follows:
■
■
§ 99.32 What recordkeeping requirements
exist concerning requests and disclosures?
(a)(1) An educational agency or
institution must maintain a record of
each request for access to and each
disclosure of personally identifiable
information from the education records
of each student, as well as the names of
State and local educational authorities
and Federal officials and agencies listed
in § 99.31(a)(3) that may make further
disclosures of personally identifiable
information from the student’s
education records without consent
under § 99.33(b).
*
*
*
*
*
(4) An educational agency or
institution must obtain a copy of the
record of further disclosures maintained
under paragraph (b)(2) of this section
and make it available in response to a
parent’s or eligible student’s request to
review the record required under
paragraph (a)(1) of this section.
(5) An educational agency or
institution must record the following
information when it discloses
personally identifiable information from
education records under the health or
safety emergency exception in
§ 99.31(a)(10) and § 99.36:
(i) The articulable and significant
threat to the health or safety of a student
or other individuals that formed the
basis for the disclosure; and
(ii) The parties to whom the agency or
institution disclosed the information.
(b)(1) Except as provided in paragraph
(b)(2) of this section, if an educational
agency or institution discloses
personally identifiable information from
education records with the
understanding authorized under
§ 99.33(b), the record of the disclosure
required under this section must
include:
*
*
*
*
*
(2)(i) A State or local educational
authority or Federal official or agency
listed in § 99.31(a)(3) that makes further
disclosures of information from
education records under § 99.33(b) must
record the names of the additional
parties to which it discloses information
on behalf of an educational agency or
institution and their legitimate interests
in the information under § 99.31 if the
information was received from:
(A) An educational agency or
institution that has not recorded the
further disclosures under paragraph
(b)(1) of this section; or
PO 00000
Frm 00049
Fmt 4701
Sfmt 4700
74853
(B) Another State or local educational
authority or Federal official or agency
listed in § 99.31(a)(3).
(ii) A State or local educational
authority or Federal official or agency
that records further disclosures of
information under paragraph (b)(2)(i) of
this section may maintain the record by
the student’s class, school, district, or
other appropriate grouping rather than
by the name of the student.
(iii) Upon request of an educational
agency or institution, a State or local
educational authority or Federal official
or agency listed in § 99.31(a)(3) that
maintains a record of further disclosures
under paragraph (b)(2)(i) of this section
must provide a copy of the record of
further disclosures to the educational
agency or institution within a
reasonable period of time not to exceed
30 days.
*
*
*
*
*
(d) * * *
(5) A party seeking or receiving
records in accordance with
§ 99.31(a)(9)(ii)(A) through (C).
*
*
*
*
*
■ 7. Section 99.33 is amended by
revising paragraphs (b), (c), (d), and (e)
to read as follows:
*
*
*
*
*
§ 99.33 What limitations apply to the
redisclosure of information?
*
*
*
*
*
(b)(1) Paragraph (a) of this section
does not prevent an educational agency
or institution from disclosing personally
identifiable information with the
understanding that the party receiving
the information may make further
disclosures of the information on behalf
of the educational agency or institution
if—
(i) The disclosures meet the
requirements of § 99.31; and
(ii)(A) The educational agency or
institution has complied with the
requirements of § 99.32(b); or
(B) A State or local educational
authority or Federal official or agency
listed in § 99.31(a)(3) has complied with
the requirements of § 99.32(b)(2).
(2) A party that receives a court order
or lawfully issued subpoena and
rediscloses personally identifiable
information from education records on
behalf of an educational agency or
institution in response to that order or
subpoena under § 99.31(a)(9) must
provide the notification required under
§ 99.31(a)(9)(ii).
(c) Paragraph (a) of this section does
not apply to disclosures under
§§ 99.31(a)(8), (9), (11), (12), (14), (15),
and (16), and to information that
postsecondary institutions are required
E:\FR\FM\09DER2.SGM
09DER2
74854
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
to disclose under the Jeanne Clery
Disclosure of Campus Security Policy
and Campus Crime Statistics Act, 20
U.S.C. 1092(f) (Clery Act), to the accuser
and accused regarding the outcome of
any campus disciplinary proceeding
brought alleging a sexual offense.
(d) An educational agency or
institution must inform a party to whom
disclosure is made of the requirements
of paragraph (a) of this section except
for disclosures made under
§§ 99.31(a)(8), (9), (11), (12), (14), (15),
and (16), and to information that
postsecondary institutions are required
to disclose under the Clery Act to the
accuser and accused regarding the
outcome of any campus disciplinary
proceeding brought alleging a sexual
offense.
(e) If this Office determines that a
third party outside the educational
agency or institution improperly
rediscloses personally identifiable
information from education records in
violation of this section, or fails to
provide the notification required under
paragraph (b)(2) of this section, the
educational agency or institution may
not allow that third party access to
personally identifiable information from
education records for at least five years.
*
*
*
*
*
■ 8. Section 99.34 is amended by
revising paragraph (a)(1)(ii) to read as
follows:
§ 99.34 What conditions apply to
disclosure of information to other
educational agencies and institutions?
(a) * * *
(1) * * *
(ii) The annual notification of the
agency or institution under § 99.7
includes a notice that the agency or
institution forwards education records
to other agencies or institutions that
have requested the records and in which
the student seeks or intends to enroll or
is already enrolled so long as the
disclosure is for purposes related to the
student’s enrollment or transfer;
*
*
*
*
*
■ 9. Section 99.35 is amended by
revising paragraphs (a) and (b)(1) to read
as follows:
jlentini on PROD1PC65 with RULES2
§ 99.35 What conditions apply to
disclosure of information for Federal or
State program purposes?
(a)(1) Authorized representatives of
the officials or agencies headed by
officials listed in § 99.31(a)(3) may have
access to education records in
connection with an audit or evaluation
of Federal or State supported education
programs, or for the enforcement of or
compliance with Federal legal
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
requirements that relate to those
programs.
(2) Authority for an agency or official
listed in § 99.31(a)(3) to conduct an
audit, evaluation, or compliance or
enforcement activity is not conferred by
the Act or this part and must be
established under other Federal, State,
or local authority.
(b) * * *
(1) Be protected in a manner that does
not permit personal identification of
individuals by anyone other than the
officials or agencies headed by officials
referred to in paragraph (a) of this
section, except that those officials and
agencies may make further disclosures
of personally identifiable information
from education records on behalf of the
educational agency or institution in
accordance with the requirements of
§ 99.33(b); and
*
*
*
*
*
■ 10. Section 99.36 is amended by
revising paragraphs (a) and (c) to read as
follows:
§ 99.36 What conditions apply to
disclosure of information in health and
safety emergencies?
(a) An educational agency or
institution may disclose personally
identifiable information from an
education record to appropriate parties,
including parents of an eligible student,
in connection with an emergency if
knowledge of the information is
necessary to protect the health or safety
of the student or other individuals.
*
*
*
*
*
(c) In making a determination under
paragraph (a) of this section, an
educational agency or institution may
take into account the totality of the
circumstances pertaining to a threat to
the health or safety of a student or other
individuals. If the educational agency or
institution determines that there is an
articulable and significant threat to the
health or safety of a student or other
individuals, it may disclose information
from education records to any person
whose knowledge of the information is
necessary to protect the health or safety
of the student or other individuals. If,
based on the information available at
the time of the determination, there is
a rational basis for the determination,
the Department will not substitute its
judgment for that of the educational
agency or institution in evaluating the
circumstances and making its
determination.
*
*
*
*
*
■ 11. Section 99.37 is amended by:
■ A. Revising paragraph (b).
■ B. Adding new paragraphs (c) and (d).
The revision and additions read as
follows:
PO 00000
Frm 00050
Fmt 4701
Sfmt 4700
§ 99.37 What conditions apply to
disclosing directory information?
*
*
*
*
*
(b) An educational agency or
institution may disclose directory
information about former students
without complying with the notice and
opt out conditions in paragraph (a) of
this section. However, the agency or
institution must continue to honor any
valid request to opt out of the disclosure
of directory information made while a
student was in attendance unless the
student rescinds the opt out request.
(c) A parent or eligible student may
not use the right under paragraph (a)(2)
of this section to opt out of directory
information disclosures to prevent an
educational agency or institution from
disclosing or requiring a student to
disclose the student’s name, identifier,
or institutional e-mail address in a class
in which the student is enrolled.
(d) An educational agency or
institution may not disclose or confirm
directory information without meeting
the written consent requirements in
§ 99.30 if a student’s social security
number or other non-directory
information is used alone or combined
with other data elements to identify or
help identify the student or the
student’s records.
*
*
*
*
*
■ 12. Section 99.62 is revised to read as
follows:
§ 99.62 What information must an
educational agency or institution submit to
the Office?
The Office may require an educational
agency or institution to submit reports,
information on policies and procedures,
annual notifications, training materials,
and other information necessary to carry
out its enforcement responsibilities
under the Act or this part.
(Authority: 20 U.S.C. 1232g(f) and (g))
§ 99.63
[Amended]
13. Section 99.63 is amended by
removing the mail code designation
‘‘4605’’ before the punctuation ‘‘.’’
■ 14. Section 99.64 is amended by:
■ A. Revising the section heading.
■ B. Revising paragraphs (a) and (b).
The revisions read as follows:
■
§ 99.64 What is the investigation
procedure?
(a) A complaint must contain specific
allegations of fact giving reasonable
cause to believe that a violation of the
Act or this part has occurred. A
complaint does not have to allege that
a violation is based on a policy or
practice of the educational agency or
institution.
E:\FR\FM\09DER2.SGM
09DER2
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
(b) The Office investigates a timely
complaint filed by a parent or eligible
student, or conducts its own
investigation when no complaint has
been filed or a complaint has been
withdrawn, to determine whether an
educational agency or institution has
failed to comply with a provision of the
Act or this part. If the Office determines
that an educational agency or institution
has failed to comply with a provision of
the Act or this part, it may also
determine whether the failure to comply
is based on a policy or practice of the
agency or institution.
*
*
*
*
*
15. Section 99.65 is revised to read as
follows:
■
§ 99.65 What is the content of the notice of
investigation issued by the Office?
jlentini on PROD1PC65 with RULES2
(a) The Office notifies the
complainant, if any, and the educational
agency or institution in writing if it
initiates an investigation under
§ 99.64(b). The notice to the educational
agency or institution—
(1) Includes the substance of the
allegations against the educational
agency or institution; and
VerDate Aug<31>2005
18:13 Dec 08, 2008
Jkt 217001
(2) Directs the agency or institution to
submit a written response and other
relevant information, as set forth in
§ 99.62, within a specified period of
time, including information about its
policies and practices regarding
education records.
(b) The Office notifies the
complainant if it does not initiate an
investigation because the complaint
fails to meet the requirements of § 99.64.
(Authority: 20 U.S.C. 1232g(g))
16. Section 99.66 is amended by
revising paragraphs (a), (b), and the
introductory text of paragraph (c) to
read as follows:
■
§ 99.66 What are the responsibilities of the
Office in the enforcement process?
(a) The Office reviews a complaint, if
any, information submitted by the
educational agency or institution, and
any other relevant information. The
Office may permit the parties to submit
further written or oral arguments or
information.
(b) Following its investigation, the
Office provides to the complainant, if
any, and the educational agency or
institution a written notice of its
findings and the basis for its findings.
PO 00000
Frm 00051
Fmt 4701
Sfmt 4700
74855
(c) If the Office finds that an
educational agency or institution has
not complied with a provision of the
Act or this part, it may also find that the
failure to comply was based on a policy
or practice of the agency or institution.
A notice of findings issued under
paragraph (b) of this section to an
educational agency or institution that
has not complied with a provision of the
Act or this part—
*
*
*
*
*
17. Section 99.67 is amended by
revising paragraph (a) to read as follows:
■
§ 99.67 How does the Secretary enforce
decisions?
(a) If an educational agency or
institution does not comply during the
period of time set under § 99.66(c), the
Secretary may take any legally available
enforcement action in accordance with
the Act, including, but not limited to,
the following enforcement actions
available in accordance with part E of
the General Education Provisions Act—
*
*
*
*
*
[FR Doc. E8–28864 Filed 12–8–08; 8:45 am]
BILLING CODE 4000–01–P
E:\FR\FM\09DER2.SGM
09DER2
Agencies
[Federal Register Volume 73, Number 237 (Tuesday, December 9, 2008)]
[Rules and Regulations]
[Pages 74806-74855]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-28864]
[[Page 74805]]
-----------------------------------------------------------------------
Part II
Department of Education
-----------------------------------------------------------------------
34 CFR Part 99
Family Educational Rights and Privacy; Final Rule
Federal Register / Vol. 73 , No. 237 / Tuesday, December 9, 2008 /
Rules and Regulations
[[Page 74806]]
-----------------------------------------------------------------------
DEPARTMENT OF EDUCATION
34 CFR Part 99
RIN 1855-AA05
[Docket ID ED-2008-OPEPD-0002]
Family Educational Rights and Privacy
AGENCY: Office of Planning, Evaluation, and Policy Development,
Department of Education.
ACTION: Final regulations.
-----------------------------------------------------------------------
SUMMARY: The Secretary amends our regulations implementing the Family
Educational Rights and Privacy Act (FERPA), which is section 444 of the
General Education Provisions Act. These amendments are needed to
implement a provision of the USA Patriot Act and the Campus Sex Crimes
Prevention Act, which added new exceptions permitting the disclosure of
personally identifiable information from education records without
consent. The amendments also implement two U.S. Supreme Court decisions
interpreting FERPA, and make necessary changes identified as a result
of the Department's experience administering FERPA and the current
regulations.
These changes clarify permissible disclosures to parents of
eligible students and conditions that apply to disclosures in health
and safety emergencies; clarify permissible disclosures of student
identifiers as directory information; allow disclosures to contractors
and other outside parties in connection with the outsourcing of
institutional services and functions; revise the definitions of
attendance, disclosure, education records, personally identifiable
information, and other key terms; clarify permissible redisclosures by
State and Federal officials; and update investigation and enforcement
provisions.
DATES: These regulations are effective January 8, 2009.
FOR FURTHER INFORMATION CONTACT: Frances Moran, U.S. Department of
Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 20202-
8250. Telephone: (202) 260-3887.
If you use a telecommunications device for the deaf (TDD), you may
call the Federal Relay Service (FRS) at 1-800-877-8339.
Individuals with disabilities may obtain this document in an
alternative format (e.g., Braille, large print, audiotape, or computer
diskette) on request to the contact person listed under FOR FURTHER
INFORMATION CONTACT.
SUPPLEMENTARY INFORMATION: On March 24, 2008, the U.S. Department of
Education (the Department or we) published a notice of proposed
rulemaking (NPRM) in the Federal Register (73 FR 15574). In the
preamble to the NPRM, the Secretary discussed the major changes
proposed in that document that are necessary to implement statutory
changes made to FERPA, to implement two U.S. Supreme Court decisions,
to respond to changes in information technology, and to address other
issues identified through the Department's experience in administering
FERPA.
We believe that the regulatory changes adopted in these final
regulations provide clarification on many important issues that have
arisen over time with regard to how FERPA affects decisions that school
officials have to make on an everyday basis. Educational agencies and
institutions face considerable challenges, especially with regard to
maintaining safe campuses, protecting personally identifiable
information in students' education records, and responding to requests
for data on student progress. These final regulations, as well as the
discussion on various provisions in the preamble, will assist school
officials in addressing these challenges in a manner that complies with
FERPA and protects the privacy of students' education records.
Notice of Proposed Rulemaking
In the NPRM, we proposed regulations to implement section 507 of
the USA Patriot Act (Pub. L. 107-56), enacted October 26, 2001, and the
Campus Sex Crimes Prevention Act, section 1601(d) of the Victims of
Trafficking and Violence Protection Act of 2000 (Pub. L. 106-386),
enacted October 28, 2000. Other major changes proposed in the NPRM
included the following:
Amending Sec. 99.5 to clarify the conditions under which
an educational agency or institution may disclose personally
identifiable information from an eligible student's education records
to a parent without the prior written consent of the eligible student;
Amending Sec. 99.31(a)(1) to authorize the disclosure of
education records without consent to contractors, consultants,
volunteers, and other outside parties to whom an educational agency or
institution has outsourced institutional services or functions;
Amending Sec. 99.31(a)(1) to ensure that teachers and
other school officials only gain access to education records in which
they have legitimate educational interests;
Amending Sec. 99.31(a)(2) to permit educational agencies
and institutions to disclose education records, without consent, to
another institution even after the student has enrolled or transferred
so long as the disclosure is for purposes related to the student's
enrollment or transfer;
Amending Sec. 99.31(a)(6) to require that an educational
agency or institution may disclose personally identifiable information
under this section only if it enters into a written agreement with the
organization specifying the purposes of the study and the use and
destruction of the data;
Amending Sec. 99.31 to include a new subsection to
provide standards for the release of information from education records
that has been de-identified;
Amending Sec. 99.35 to permit State and local educational
authorities and Federal officials listed in Sec. 99.31(a)(3) to make
further disclosures of personally identifiable information from
education records on behalf of the educational agency or institution;
and
Amending Sec. 99.36 to remove the language requiring
strict construction of this exception and add a provision stating that
if an educational agency or institution determines that there is an
articulable and significant threat to the health or safety of a student
or other individual, it may disclose the information to any person,
including parents, whose knowledge of the information is necessary to
protect the health or safety of the student or other individuals.
Significant Changes From the NPRM
These final regulations contain several significant changes from
the NPRM as follows:
Amending the definition of personally identifiable
information in Sec. 99.3 to provide a definition of biometric record;
Removing the proposed definition of State auditor in Sec.
99.3 and provisions in Sec. 99.35(a)(3) related to State auditors and
audits;
Revising Sec. 99.31(a)(6) to clarify the specific types
of information that must be contained in the written agreement between
an educational agency or institution and an organization conducting a
study for the agency or institution;
Removing the statement from Sec. 99.31(a)(16) that FERPA
does not require or encourage agencies or institutions to collect or
maintain information concerning registered sex offenders;
Requiring a State or local educational authority or
Federal official or agency that rediscloses personally identifiable
information from education records to record that disclosure if the
[[Page 74807]]
educational agency or institution does not do so under Sec. 99.32(b);
and
Revising Sec. 99.32(b) to require an educational agency
or institution that makes a disclosure in a health or safety emergency
to record information concerning the circumstances of the emergency.
These changes are explained in greater detail in the following
Analysis of Comments and Changes.
Analysis of Comments and Changes
In response to the Secretary's invitation in the NPRM, 121 parties
submitted comments on the proposed regulations. An analysis of the
comments and of the changes in the regulations since publication of the
NPRM follows.
We group major issues according to subject, with applicable
sections of the regulations referenced in parentheses. We discuss other
substantive issues under the sections of the regulations to which they
pertain. Generally, we do not address technical and other minor
changes, or suggested changes that the law does not authorize the
Secretary to make. We also do not address comments pertaining to issues
that were not within the scope of the NPRM.
Definitions (Sec. 99.3)
(a) Attendance
Comment: We received no comments objecting to the proposed changes
to the definition of the term attendance. Three commenters expressed
support for the changes because the availability and use of alternative
instructional formats are not clearly addressed by the current
regulations. One commenter suggested that the definition could avoid
obsolescence by referring to the receipt of instruction leading to a
diploma or certificate instead of listing the types of instructional
formats.
Discussion: We proposed to revise the definition of attendance
because we received inquiries from some educational agencies and
institutions asking whether FERPA was applicable to the records of
students receiving instruction through the use of new technology
methods that do not require a physical presence in a classroom. Because
the definition of attendance is key to determining when an individual's
records at a school are education records protected by FERPA, it is
essential that schools and institutions understand the scope of the
term. To prevent the regulations from becoming out of date as new
formats and methods are developed, the definition provides that
attendance may also include ``other electronic information and
telecommunications technologies.''
While most schools are aware of the various formats distance
learning may take, we believe it is informative to list the different
communications media that are currently used. Also, we believe that
parents, eligible students, and other individuals and organizations
that use the FERPA regulations may find the listing of formats useful.
We do not agree that the definition of attendance should be limited
to receipt of instruction leading to a diploma or certificate, because
this would improperly exclude many instructional formats.
Changes: None.
(b) Directory Information (Sec. Sec. 99.3 and 99.37)
(1) Definition (Sec. 99.3)
Comment: We received a number of comments on our proposal to revise
the definition of directory information to provide that an educational
agency or institution may not designate as directory information a
student's social security number (SSN) or other student identification
(ID) number. The proposed definition also provided that a student's
user ID or other unique identifier used by the student to access or
communicate in electronic systems could be considered directory
information but only if the electronic identifier cannot be used to
gain access to education records except when used in conjunction with
one or more factors that authenticate the student's identity.
All commenters agreed that student SSNs should not be disclosed as
directory information. Several commenters strongly supported the
definition of directory information as proposed, noting that failure to
curtail the use of SSNs and student ID numbers as directory information
could facilitate identity theft and other fraudulent activities.
One commenter said that the proposed regulations did not go far
enough to prohibit the use of students' SSNs as a student ID number,
placing SSNs on academic transcripts, and using SSNs to search an
electronic database. Another commenter expressed concern that the
proposed regulations could prohibit reporting needed to enforce
students' financial obligations and other routine business practices.
According to this commenter, restrictions on the use of SSNs in FERPA
and elsewhere demonstrate the need for a single student identifier that
can be tied to the SSN and other identifying information to use for
grade transcripts, enrollment verification, default prevention, and
other activities that depend on sharing student information. Another
commenter stated that institutions should not be allowed to penalize
students who opt out of directory information disclosures by denying
them access to benefits, services, and required activities.
Several commenters said that the definition in the proposed
regulations was confusing and unnecessarily restrictive because it
treats a student ID number as the functional equivalent of an SSN. They
explained that when providing access to records and services, many
institutions no longer use an SSN or other single identifier that both
identifies and authenticates identity. As a result, at many
institutions, the condition specified in the regulations for treating
electronic identifiers as directory information, i.e., that the
identifier cannot be used to gain access to education records except
when used in conjunction with one or more factors that authenticate the
user's identity, often applies to student ID numbers as well because
they cannot be used to gain access to education records without a
personal identification number (PIN), password, or some other factor to
authenticate the user's identity. Some commenters suggested that our
nomenclature is the problem and that regardless of what it is called,
an identifier that does not allow access to education records without
the use of authentication factors should be treated as directory
information. According to one commenter, allowing institutions to treat
student ID numbers as directory information in these circumstances
would improve business practices and enhance student privacy by
encouraging institutions to require additional authentication factors
when using student ID numbers to provide access to education records.
One commenter strongly opposed allowing institutions to treat a
student's electronic identifier as directory information if the
identifier could be made available to parties outside the school
system. This commenter noted that electronic identifiers may act as a
key, offering direct access to the student's entire file, and that PINs
and passwords alone do not provide adequate security for education
records. Another commenter said that if electronic identifiers and ID
numbers can be released as directory information, then password
requirements need to be more stringent to guard against unauthorized
access to information and identity theft.
Some commenters recommended establishing categories of directory
information, with certain information
[[Page 74808]]
made available only within the educational community. One commenter
expressed concern about Internet safety because the regulations allow
publication of a student's e-mail address. Another said that FERPA
should not prevent institutions from printing the student's ID number
on an ID card or otherwise restrict its use on campus but that
publication in a directory should not be allowed.
Two commenters asked the Department to confirm that the regulations
allow institutions to post grades using a code known only by the
teacher and the student.
Discussion: We share commenters' concerns about the use of
students' SSNs. In general, however, there is no statutory authority
under FERPA to prohibit an educational agency or institution from using
SSNs as a student ID number, on academic transcripts, or to search an
electronic database so long as the agency or institution does not
disclose the SSN in violation of FERPA requirements. As discussed
elsewhere in this preamble, FERPA does prohibit using a student's SSN,
without consent, to search records in order to confirm directory
information.
Some States prohibit the use of SSNs as a student ID number, and
some institutions have voluntarily ceased using SSNs in this manner
because of concerns about identity theft. Students are required to
provide their SSNs in order to receive Federal financial aid, and the
regulations do not prevent an agency or institution from using SSNs for
this purpose. We note that FERPA does not address, and we do not
believe that there is statutory authority under FERPA to require,
creation of a single student identifier to replace the SSN. In any
case, the Department encourages educational agencies and institutions,
as well as State educational authorities, to follow best practices of
the educational community with regard to protecting students' SSNs.
We agree that students should not be penalized for opting out of
directory information disclosures. Indeed, an educational agency or
institution may not require parents and students to waive their rights
under FERPA, including the right to opt out of directory information
disclosures. On the other hand, we do not interpret FERPA to require
educational agencies and institutions to ensure that students can
remain anonymous to others in the school community when using an
institution's electronic communications systems. As a result, parents
and students who opt out of directory information disclosures may not
be able to use electronic communications systems that require the
release of the student's name or electronic identifier within the
school community. (As discussed later in this notice in our discussion
of the comments on Sec. 99.37(c), the right to opt out of directory
information disclosures may not be used to allow a student to remain
anonymous in class.)
The regulations allow an educational agency or institution to
designate a student's user ID or other electronic identifier as
directory information if the identifier functions essentially like the
student's name, and therefore, disclosure would not be considered
harmful or an invasion of privacy. That is, the identifier cannot be
used to gain access to education records except when combined with one
or more factors that authenticate the student's identity.
We have historically advised that student ID numbers may not be
disclosed as directory information because they have traditionally been
used like SSNs, i.e., as both an identifier and authenticator of
identity. We agree, however, that the proposed definition was confusing
and unnecessarily restrictive because it failed to recognize that many
institutions no longer use student ID numbers in this manner. If a
student identifier cannot be used to access records or communicate
electronically without one or more additional factors to authenticate
the user's identity, then the educational agency or institution may
treat it as directory information under FERPA regardless of what the
identifier is called. We have revised the definition of directory
information to provide this flexibility.
We share the commenters' concerns about the use of PINs and
passwords. In the preamble to the NPRM, we explained that PINs or
passwords, and single-factor authentication of any kind, may not be
reasonable for protecting access to certain kinds of information (73 FR
15585). We also recognize that user IDs and other electronic
identifiers may provide greater access and linking to information than
does a person's name. Therefore, we remind educational agencies and
institutions that disclose student ID numbers, user IDs, and other
electronic identifiers as directory information to examine their
recordkeeping and data sharing practices and ensure that, when these
identifiers are used, the methods they select for authenticating
identity provide adequate protection against the unauthorized
disclosure of information in education records.
We also share the concern of commenters who stated that students'
e-mail addresses and other identifiers should be disclosed as directory
information only within the school system and should not be made
available outside the institution. The disclosure of directory
information is permissive under FERPA, and, therefore, an agency or
institution is not required to designate and disclose any student
identifier (or any other item) as directory information. Further, while
FERPA does not expressly recognize different levels or categories of
directory information, an agency or institution is not required to make
student directories and other directory information available to the
general public just because the information is shared within the
institution. For example, under FERPA, an institution may decide to
make students' electronic identifiers and e-mail addresses available
within the institution but not release them to the general public as
directory information. In fact, the preamble to the NPRM suggested that
agencies and institutions should minimize the public release of student
directories to mitigate the risk of re-identifying information that has
been de-identified (73 FR 15584).
With regard to student ID numbers in particular, an agency or
institution may print an ID number on a student's ID card whether or
not the number is treated as directory information because under FERPA
simply printing the ID number on a card, without more, is not a
disclosure and, therefore, is not prohibited. See 20 U.S.C.
1232g(b)(2). If the student ID number is not designated as directory
information, then the agency or institution may not disclose the card,
or require the student to disclose the card, except in accordance with
one of the exceptions to the consent requirement, such as to school
officials with legitimate educational interests. If the student ID
number is designated as directory information in accordance with these
regulations, then it may be disclosed. However, the agency or
institution may still decide against making a directory of student ID
numbers available to the general public.
We discuss codes used by teachers to post grades in our discussion
of the definition of personally identifiable information elsewhere in
this preamble.
Changes: We have revised the definition of directory information in
Sec. 99.3 to provide that directory information includes a student ID
number if it cannot be used to gain access to education records except
when used with one or more other factors to authenticate the user's
identity.
[[Page 74809]]
(2) Conditions for Disclosing Directory Information
(i) 99.37(b)
Comment: All comments on this provision supported our proposal to
clarify that an educational agency or institution must continue to
honor a valid request to opt out of directory information disclosures
even after the student no longer attends the institution. One commenter
stated that the proposed regulations appropriately provided former
students with the continuing ability to control the release of
directory information and remarked that this will benefit students and
families. One commenter asked how long an opt out from directory
information disclosures must be honored. Another commenter said that
students may object if their former schools do not disclose directory
information without their specific written consent because the school
is unable to determine whether the student previously opted out. This
could occur, for example, if a school declined to disclose that a
student had received a degree to a prospective employer.
Discussion: The regulations clarify that once a parent or eligible
student opts out of directory information disclosures, the educational
agency or institution must continue to honor that election after the
student is no longer in attendance. While this is not a new
interpretation, school districts and postsecondary institutions have
been unclear about its application and have not administered it
consistently. The inclusion in the regulations of this longstanding
interpretation is necessary to ensure that schools clearly understand
their obligation to continue to honor a decision to opt out of the
disclosure of directory information after a student stops attending the
school, until the parent or eligible student rescinds it.
Educational agencies and institutions are not required under FERPA
to disclose directory information to any party. Therefore, parents and
students have no basis for objecting if an agency or institution does
not disclose directory information because it is not certain whether
the parent or student opted out. The regulations provide an educational
agency or institution with the flexibility to determine the process it
believes is best suited to serve its population as long as it honors
prior elections to opt out of directory information disclosures.
Changes: None.
(ii) Sec. 99.37(c)
Comment: We received two comments in support of our proposal to
clarify in this section that parents and students may not use the right
to opt out of directory information disclosures to prevent disclosure
of the student's name or other identifier in the classroom.
Discussion: We appreciate the commenters' support.
Changes: None.
(iii) Sec. 99.37(d)
Comment: Two commenters supported the prohibition on using a
student's SSN to disclose or confirm directory information unless a
parent or eligible student provides written consent. One of these
commenters questioned the statutory basis for this interpretation.
Several commenters asked whether, under the proposed regulations, a
school must deny a request for directory information if the requester
supplies the student's SSN. One commenter asked whether a request for
directory information that contains a student's SSN may be honored so
long as the school does not use the SSN to locate the student's
records. One commenter stated that the regulations could more
effectively protect students' SSNs but was concerned that denying a
request for directory information that contains an SSN may
inadvertently confirm the SSN.
One commenter expressed concern that the prohibition on using a
student's SSN to verify directory information would leave schools with
large student populations unable to locate the appropriate record
because they will need to rely solely on the student's name and other
directory information, if any, provided by the requester, which may be
duplicated in their databases. This commenter said that students would
object if institutions were unable to respond quickly to requests by
banks or landlords for confirmation of enrollment because the request
contained the student's SSN.
One commenter suggested that the regulations require an educational
agency or institution to notify a requester that the release or
confirmation of directory information does not confirm the accuracy of
the SSN or other non-directory information submitted with the request.
Another commenter asked whether the regulations apply to confirmation
of student enrollment and other directory information by outside
service providers such as the National Student Clearinghouse.
Discussion: The provision in the proposed regulations prohibiting
an educational agency or institution from using a student's SSN when
disclosing or verifying directory information is based on the statutory
prohibition on disclosing personally identifiable information from
education records without consent in 20 U.S.C. 1232g(b). The
prohibition applies also to any party outside the agency or institution
providing degree, enrollment, or other confirmation services on behalf
of an educational agency or institution, such as the National Student
Clearinghouse.
A school is not required to deny a request for directory
information about a student, such as confirmation whether a student is
enrolled or has received a degree, if the requester supplies the
student's SSN (or other non-directory information) along with the
request. However, in releasing or confirming directory information
about a student, the school may not use the student's SSN (or other
non-directory information) supplied by the requester to identify the
student or locate the student's records unless a parent or eligible
student has provided written consent. This is because confirmation of
information in education records is considered a disclosure under
FERPA. See 20 U.S.C. 1232g(b). A school's use of a student's SSN (or
other non-directory information) provided by the requester to confirm
enrollment or other directory information implicitly confirms and,
therefore, discloses, the student's SSN (or other non-directory
information). This is true even if the requester also provides the
school with the student's name, date of birth, or other directory
information to help identify the student.
A school may choose to deny a request for directory information,
whether or not it contains a student's SSN, because only a parent or
eligible student has a right to obtain education records under FERPA.
Denial of a request for directory information that contains a student's
SSN is not an implicit confirmation or disclosure of the SSN.
These regulations will not adversely affect the ability of
institutions to respond quickly to requests by parties such as banks
and landlords for confirmation of enrollment that contain the student's
SSN because students generally provide written consent for schools to
disclose information to the inquiring party in order to obtain banking
and housing services. We note, however, that if a school wishes to use
the student's SSN to confirm enrollment or other directory information
about the student, it must ensure that the written consent provided by
the student includes consent for the school to
[[Page 74810]]
disclose the student's SSN to the requester.
There is no authority in FERPA to require a school to notify
requesters that it is not confirming the student's SSN (or other non-
directory information) when it discloses or confirms directory
information. However, when a party submits a student's SSN along with a
request for directory information, in order to avoid confusion, unless
a parent or eligible student has provided written consent for the
disclosure of the student's SSN, the school may indicate that it has
not used the SSN (or other non-directory information) to locate the
student's records and that its response may not and does not confirm
the accuracy of the SSN (or other non-directory information) supplied
with the request.
We recognize that with a large database of student information,
there may be some loss of ability to identify students who have common
names if SSNs are not used to help identify the individual. However,
schools that do not use SSNs supplied by a party requesting directory
information, either because the student has not provided written
consent or because the school is not certain that the written consent
includes consent for the school to disclose the student's SSN,
generally may use the student's address, date of birth, school, class,
year of graduation, and other directory information to identify the
student or locate the student's records.
Changes: None.
(c) Disclosure (Sec. 99.3)
Comment: Two commenters said that the proposal to revise the
definition of disclosure to exclude the return of a document to its
source was too broad and could lead to improper release of highly
sensitive documents, such as an individualized education program (IEP)
contained in a student's special education records, to anyone claiming
to be the creator of a record. One of the commenters stated that
changing the definition was unnecessary, as schools already have a
means of verifying documents by requesting additional copies from the
source. Both commenters also expressed concern that, because
recordation is not required, a parent or eligible student will not be
aware that the verification occurred.
We also received comments of strong support for the proposed change
to the definition of disclosure. The commenters stated that this
change, targeted to permit the release of records back to the
institution that presumably created them, will enhance an institution's
ability to identify and investigate suspected fraudulent records in a
timely manner.
Discussion: For several years now, school officials have advised us
that problems related to fraudulent records typically involve a
transcript or letter of recommendation that has been altered by someone
other than the responsible school official. Under the current
regulations, an educational agency or institution may ask for a copy of
a record from the presumed source when it suspects fraudulent activity.
However, simply asking for a copy of a record may not be adequate, for
example, if the original record no longer exists at the sending
institution. In these circumstances, an institution will need to return
a record to its identified source to be able to verify its
authenticity. The final regulations permit a targeted release of
records back to the stated source for verification purposes in order to
provide schools with the flexibility needed for this process while
preserving a more general prohibition on the release of information
from education records.
We do not agree that the term disclosure as proposed in the NPRM is
too broad and could lead to the improper release of highly sensitive
documents to anyone claiming to be the creator of the record. School
officials have not advised us that they have had problems receiving IEP
records and other highly sensitive materials from parties who did not
in fact create or provide the record. Therefore, we do not believe that
the proposed definition of disclosure is too broad.
The commenters are correct that the return of an education record
to its source does not have to be recorded, because it is not a
disclosure. We do not consider this problematic, however, because the
information is merely being returned to the party identified as its
source. This is similar to the situation in which a school is not
required under the regulations to record disclosures of education
records made to school officials with legitimate educational interests.
As in that instance, there is no direct notice to a parent or student
of either the disclosure of the record or the information in the
record. We also believe that if a questionable document is deemed to be
inauthentic by the source, the student will be informed of the results
of the authentication process by means other than seeing a record of
the disclosure in the student's file. There appears to be little value
in notifying a parent or student that a document was suspected of being
fraudulent if the document is found to be genuine and accurate.
Finally, we note that a transcript or other document does not lose
its protection under FERPA, including the written consent requirements,
when an educational agency or institution returns it to the source. The
document and the information in it remains an ``education record''
under FERPA when it is returned to its source. As an education record,
it may not be redisclosed except in accordance with FERPA requirements,
including Sec. 99.31(a)(1), which allows the source institution to
disclose the information to teachers and other school officials with
legitimate educational interests, such as persons who need to verify
the accuracy or authenticity of the information. If the source
institution makes any further disclosures of the record or information,
it must record them.
Changes: None.
Additional Changes to the Definition of Disclosure
Comment: Several commenters requested additional changes to the
definition of disclosure. One commenter requested that any transfer of
education records to a State's longitudinal data system not be
considered a disclosure. Several commenters requested that additional
changes be made so that a school could provide current education
records of students back to the students' former schools or districts.
A commenter recommended excluding from the definition of disclosure
statistical information that is personally identifiable because of
small cell sizes when the recipient agrees to maintain the
confidentiality of the information.
Discussion: The revised definition of disclosure, which excludes
the return of a document to its stated source, clarifies that
information provided by school districts or postsecondary institutions
to State educational authorities, including information maintained in a
consolidated student records system, may be provided back to the
original district or institution without consent. There is no statutory
authority, however, to exclude from the definition of disclosure a
school district's or institution's release or transfer of personally
identifiable information from education records to its State
longitudinal data system. (We discuss the disclosure of education
records in connection with the development of consolidated,
longitudinal data systems in our response to comments on redisclosure
and recordkeeping requirements elsewhere in this preamble.) Likewise,
there is no statutory authority to exclude from the definition of
disclosure the release of personally identifiable information from
[[Page 74811]]
education records to parties that agree to keep the information
confidential. (See our discussion of personally identifiable
information and de-identified records and information elsewhere in this
preamble.)
The revised regulations do not authorize the disclosure of
education records to third parties who are not identified as the
provider or creator of the record. For example, a college may not send
a student's current college records to a student's high school under
the revised definition of disclosure because the high school is not the
stated source of those records. (We discuss this issue elsewhere in the
preamble under Disclosure of Education Records to Students' Former
Schools.)
Changes: None.
(d) Education Records
(1) Paragraph (b)(5)
Comment: Several commenters supported our proposal to clarify the
existing exclusion from the definition of education records for records
that only contain information about an individual after he or she is no
longer a student, which we referred to as ``alumni records'' in the
NPRM, 73 FR 15576. One commenter suggested that the term ``directly
related,'' which is used in the amended definition in reference to a
student's attendance, is inconsistent with the use of the term
``personally identifiable'' in other sections of the regulations and
could cause confusion.
One commenter asked whether a postsecondary school could provide a
student's education records from the postsecondary school to a
secondary school that the student attended previously.
Several commenters objected to the proposed regulations because,
according to the commenters, the regulations would expand the records
subject to FERPA's prohibition on disclosure of education records
without consent. A journalist stated that the settlement agreement
cited in the NPRM is an example of a record that should be excluded
from the definition and that schools already are permitted to protect
too broad a range of documents from public review because the documents
are education records. The commenter stated that information from
education records such as a settlement agreement is newsworthy,
unlikely to contain confidential information, and that disclosure of
such information provides a benefit to the public. Another commenter
expressed concern that the regulations allow schools to collect
negative information about a former student without giving the
individual an opportunity to challenge the content because the
information is not an education record under FERPA.
Discussion: It has long been the Department's interpretation that
records created or received by an educational agency or institution on
a former student that are directly related to the individual's
attendance as a student are not excluded from the definition of
education records under FERPA, and that records created or received on
a former student that are not directly related to the individual's
attendance as a student are excluded from the definition and,
therefore, are not ``education records.'' The proposed regulations in
paragraph (b)(5) were intended to clarify the use of this exclusion,
not to change or expand its scope.
Our use of the phrase ``directly related to the individual's
attendance as a student'' to describe records that do not fall under
this exclusion from the definition of education records is not
inconsistent with the term ``personally identifiable'' as used in other
parts of the regulations and should not be confused. The term
``personally identifiable information'' is used in the statute and
regulations to describe the kind of information from education records
that may not be disclosed without consent. See 20 U.S.C. 1232g(b); 34
CFR 99.3, 99.30. While ``personally identifiable information''
maintained by an agency or institution is generally considered an
``education record'' under FERPA, personally identifiable information
does not fall under this exclusion from the definition of education
records if the information is not directly related to the student's
attendance as a student. For example, personally identifiable
information related solely to a student's activities as an alumnus of
an institution is excluded from the definition of education records
under this provision. We think that the term ``directly related'' is
clear in this context and will not be confused with ``personally
identifiable.''
A postsecondary institution may not disclose a student's
postsecondary education records to the secondary school previously
attended by the student under this provision because these records are
directly related to the student's attendance as a student at the
postsecondary institution. (We discuss this issue further under
Disclosure of Education Records to Students' Former Schools.)
We do not agree that documents such as settlement agreements are
unlikely to contain confidential information. Our experience has been
that these documents often contain highly confidential information,
such as special education diagnoses, educational supports, or mental or
physical health and treatment information. Our changes to the
definition were intended to clarify that schools may not disclose this
information to the media or other parties, without consent, simply
because a student is no longer in attendance at the school at the time
the record was created or received. A parent or eligible student who
wishes to share the student's own records with the media or other
parties is free to do so.
Neither FERPA nor the regulations contains a provision for a parent
or eligible student to challenge information that is not contained in
an education record. FERPA does not prohibit a parent or student from
using other venues to seek redress for collection and release of
information in non-education records.
Changes: None.
(2) Paragraph (b)(6)
Comment: We received several comments supporting the proposed
changes to the definition of education records that would exclude from
the definition grades on peer-graded papers before they are collected
and recorded by a teacher. These commenters expressed appreciation that
this revision would be consistent with the U.S. Supreme Court's
decision on peer-graded papers in Owasso Independent School Dist. No.
I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso). Two commenters asked how
the provision would be applied to the use of group projects and group
grading within the classroom.
Discussion: The proposed changes to the definition of education
records in paragraph (b)(6) are designed to implement the U.S. Supreme
Court's 2002 decision in Owasso, which held that peer grading does not
violate FERPA. As noted in the NPRM, 73 FR 15576, the Court held in
Owasso that peer grading does not violate FERPA because ``the grades on
students' papers would not be covered under FERPA at least until the
teacher has collected them and recorded them in his or her grade
book.'' 534 U.S. at 436.
As suggested by the Supreme Count in Owasso, 534 U.S. at 435, FERPA
is not intended to interfere with a teacher's ability to carry out
customary practices, such as group grading of team assignments within
the classroom. Just as FERPA does not prevent teachers from allowing
students to grade a test or homework assignment of another student or
from calling out that grade in class, even though the grade may
eventually become an education record,
[[Page 74812]]
FERPA does not prohibit the discussion of group or individual grades on
classroom group projects, so long as those individual grades have not
yet been recorded by the teacher. The process of assigning grades or
grading papers falls outside the definition of education records in
FERPA because the grades are not ``maintained'' by an educational
agency or institution at least until the teacher has recorded the
grades.
Changes: None.
(e) Personally Identifiable Information
Comments on the proposed definition of personally identifiable
information are discussed elsewhere in this preamble under the heading
Personally Identifiable Information and De-identified Records and
Information.
(f) State Auditors and Audits (Sec. Sec. 99.3 and Proposed
99.35(a)(3))
Comment: Several commenters supported the clarification in proposed
Sec. 99.35(a)(3) that State auditors may have access to education
records, without consent, in connection with an ``audit'' of Federal or
State supported education programs under the exception to the written
consent requirement for authorized representatives of ``State and local
educational authorities.'' All but one of the commenters, however,
disagreed strongly with the proposed definition of audit in Sec.
99.35(a)(3), which was limited to testing compliance with applicable
laws, regulations, and standards and did not include the broader
concept of evaluations.
In general, the commenters said that the proposed definition of
audit was too narrow and would prevent State auditors from conducting
performance audits and other services that they routinely provide in
accordance with professional auditing standards, including the U.S.
Comptroller's Government Auditing Standards. See www.gao.gov/govaud/
ybk01.htm. A State legislative auditor noted, for example, that 45
State legislatures have established legislative program evaluation
offices whose express purpose is to provide research and evaluation for
legislative decision making, and that these offices regularly use
personally identifiable information from education records for their
work. Some of the commenters also questioned whether financial audits
and attestation engagements would be excluded under the proposed
definition.
One commenter said that the State auditor provisions in proposed
Sec. Sec. 99.3 and 99.35(a)(3) should be expanded to apply to other
non-education State officials responsible for evaluating publicly
funded programs. Another commenter recommended that the regulations
include examination of education records by health department officials
to improve compliance with mandated immunization schedules.
The majority of the comments we received with respect to the
inclusion of local auditors in the proposed definition of State auditor
in Sec. 99.3 supported permitting local auditors to have access to
personally identifiable information for purposes of auditing Federal or
State supported education programs. One commenter said that local
auditors should not be included in the definition, while another
commenter stated that auditors for the city health department need
access to FERPA-protected information to determine the accuracy of
claims for payment and asked for further clarification on the issue.
Discussion: We explained in the preamble to the NPRM that the
statute allows disclosure of personally identifiable information from
education records without consent to authorized representatives of
``State educational authorities'' in connection with an audit or
evaluation of Federal or State supported education programs. 73 FR
15577. Legislative history indicates that Congress amended the statute
in 1979 to ``correct an anomaly'' in which the existing exception to
the consent requirement in 20 U.S.C. 1232g(b)(3) was interpreted to
preclude State auditors from obtaining access to education records for
audit purposes. See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10
(1979), reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824.
However, because the amended statutory language in 20 U.S.C.
1232g(b)(5) refers only to ``State and local educational officials,''
the proposed regulations sought to clarify that this included ``State
auditors'' or auditors with authority and responsibility under State
law for conducting audits. Due to the breadth of this inclusion,
however, the proposed regulations also sought to limit access to
education records by State auditors by narrowing the definition of
audit.
The Secretary has carefully reviewed the comments and, based upon
further intradepartmental review, has decided to remove from the final
regulations the provisions related to State auditors and audits in
Sec. Sec. 99.3 and 99.35(a)(3). We share the commenters' concerns
about preventing State auditors from conducting activities that they
routinely perform under applicable auditing standards. However, because
our focus was on the narrow definition of audit, we proposed a very
broad definition of State auditor in Sec. 99.3 and did not examine
which of the various types of officials, offices, committees, and staff
in executive and legislative branches of State government should be
included in the definition. We are concerned that without the narrow
definition of audit as proposed in Sec. 99.35(a)(3), the proposed
definition of State auditor may allow non-consensual disclosures of
education records to a variety of officials for purposes not supported
by the statute. The Department will study the matter further and may
issue new regulations or guidance, as appropriate. In the interim, the
Department will provide guidance on a case-by-case basis.
Changes: We are not including the definition of State auditor in
Sec. 99.3 and the provisions related to State auditors and audits in
Sec. 99.35(a)(3) in these final regulations.
Disclosures to Parents (Sec. Sec. 99.5 and 99.36)
Comment: A majority of commenters approved of the Secretary's
efforts to clarify that, even after a student has become an eligible
student, an educational agency or institution may disclose education
records to the student's parents, without the consent of the student,
if certain conditions are met. Those commenters stated that the
clarification was especially helpful, particularly in light of issues
that arose after the April 2007 shootings at the Virginia Polytechnic
Institute and State University (Virginia Tech). A commenter stated that
the clarification will assist emergency management officials on college
and university campuses and help school officials know when they can
properly share student information with parents and students. One
commenter expressed support for the proposed regulations, because it
has been her experience that colleges do not share information with
parents on their children's financial aid or academic status.
Some commenters disagreed with the proposed changes. One stated
that, due to varying family dynamics, disclosures should not be limited
only to parents, but should also include other appropriate family
members. Another commenter objected to the phrase in Sec. 99.5(a)(2)
that would permit disclosure to a parent without the student's consent
if the disclosure meets ``any other provision in Sec. 99.31(a).'' The
commenter stated that this ``catch-all phrase'' exceeded statutory
authority.
Noting the sensitivity of financial information included in income
tax returns, a few commenters raised concerns about the discussion in
the
[[Page 74813]]
NPRM in which we explained that an institution can determine that a
parent claimed a student as a dependent by asking the parent to supply
a copy of the parent's most recent Federal tax return. Another
commenter stated that the NPRM did not go far enough and recommended
specifically requiring an institution to rely on a copy of a parent's
most recent Federal tax return to determine a student's dependent
status, while another commenter recommended that we change the
regulations to indicate that only the parent who has claimed the
student as a dependent may have access to the student's education
records.
A commenter noted that some States have high school students who
are concurrently enrolled in secondary schools and postsecondary
institutions as early as ninth grade and supported the clarification
that postsecondary institutions may disclose information to parents of
students who are tax dependents.
Discussion: Parents' rights under FERPA transfer to a student when
the student reaches age 18 or enters a postsecondary institution. 20
U.S.C. 1232g(d). However, under Sec. 99.31(a)(8), an educational
agency or institution may disclose education records to an eligible
student's parents if the student is a dependent as defined in section
152 of the Internal Revenue Code of 1986. Under Sec. 99.31(a)(8),
neither the age of a student nor the parent's status as custodial
parent is relevant to the determination whether disclosure of
information from an eligible student's education records to that parent
without written consent is permissible under FERPA. If a student is
claimed as a dependent for Federal income tax purposes by either
parent, then under the regulations, either parent may have access to
the student's education records without the student's consent.
The statutory exception to the consent requirement in FERPA for the
disclosure of records of dependent students applies only to the parents
of the student. 20 U.S.C. 1232g(b)(1)(H). Accordingly, the Secretary
does not have statutory authority to apply Sec. 99.31(a)(8) to any
other family members. However, under Sec. 99.30(b)(3), an eligible
student may provide consent for the school to disclose information from
his or her education records to another family member. In some
situations, such as when there is no parent in the student's life or
the student is married, a spouse or other family member may be
considered an appropriate party to whom a disclosure may be made,
without consent, in connection with a health or safety emergency under
Sec. Sec. 99.31(a)(10) and 99.36.
In most cases, when an educational agency or institution discloses
education records to parents of an eligible student, we expect the
disclosure to be made under the dependent student provision (Sec.
99.31(a)(8)), in connection with a health or safety emergency
(Sec. Sec. 99.31(a)(10) and 99.36), or if a student has committed a
disciplinary violation with respect to the use or possession of alcohol
or a controlled substance (Sec. 99.31(a)(15)). This is the reason we
mention these provisions specifically in the regulations. However,
inclusion of the phrase ``of any other provision in Sec. 99.31(a)'' in
Sec. 99.5(a)(2) is necessary and within our statutory authority
because there may be other exceptions to FERPA's general consent
requirement under which an agency or institution might disclose
education records to a parent of an eligible student, such as the
directory information provision in Sec. 99.31(a)(11) and the provision
permitting disclosure in compliance with a court order or lawfully
issued subpoena in Sec. 99.31(a)(9).
As we explained in the NPRM, institutions can determine that a
parent claims a student as a dependent by asking the parent to submit a
copy of the parent's most recent Federal income tax return. However, we
do not think it is appropriate to require an agency or institution to
rely only on the most recent tax return to determine the student's
dependent status because institutions should have flexibility in how to
reach this determination. For instance, institutions may rely instead
on a student's assertion that he or she is not a dependent unless the
parent provides contrary evidence. We agree that financial information
on a Federal tax return is sensitive information and, for that reason,
in providing technical assistance and compliance training to school
officials, we have advised that parents may redact all financial and
other unnecessary information that appears on the form, as long as the
tax return clearly shows the parent's or parents' names and the fact
that the student is claimed as a dependent.
In addition, in the fall of 2007, we developed two model forms that
appear on the Department's Family Policy Compliance Office (FPCO or the
Office) Web site that institutions may adapt and provide to students at
orientation to indicate whether they are a dependent and, if not,
obtaining consent from the student for disclosure of information to
parents: https://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/
modelform.html and https://www.ed.gov/policy/gen/guid/fpco/ferpa/
safeschools/modelform2.html.
With regard to the comment about high school students who are
concurrently enrolled in postsecondary institutions as early as ninth
grade, FERPA not only permits those postsecondary institutions to
disclose information to parents of the high school students who are
dependents for Federal income tax purposes, it also permits high
schools and postsecondary institutions who have dually-enrolled
students to share information. Where a student is enrolled in both a
high school and a postsecondary institution, the two schools may share
education records without the consent of either the parents or the
student under Sec. 99.34(b). If the student is under 18, the parents
still retain the right under FERPA to inspect and review any education
records maintained by the high school, including records that the
college or university disclosed to the high school, even though the
student is also attending the postsecondary institution.
Changes: None.
Outsourcing (Sec. 99.31(a)(1)(i)(B))
(a) Outside Parties Who Qualify as School Officials
Comment: A few commenters disagreed with the proposal to expand the
``school officials'' exception in Sec. 99.31(a)(1)(i)(B) to include
contractors, consultants, volunteers, and other outside parties to whom
an educational agency or institution has outsourced institutional
services or functions it would otherwise use employees to perform. They
believed that the modifications undermined the plain language of the
statute and congressional intent. Several other commenters supported
the proposed regulations, saying that it was helpful to include in the
regulations what has historically been the Department's interpretation
of the ``school officials'' exception. A majority of commenters, while
not agreeing or disagreeing with the proposed changes in Sec.
99.31(a)(1)(i)(B), raised a number of issues concerning the proposal.
Several commenters expressed concern that the requirement that an
outside party must perform an institutional service or function for
which the agency or institution would otherwise use employees is too
restrictive and impractical. One commenter noted that some functions
that a contractor performs could not be performed by a school official.
Some commenters said we should clarify the regulations to explain
the
[[Page 74814]]
circumstances under which volunteers may serve as school officials and
have access to personally identifiable information from education
records in connection with their services or responsibilities to the
school. One commenter noted that this clarification was needed
especially for parent-volunteers working at a school attended by their
own children where they are likely to know other students and their
families.
Several commenters asked that we clarify in the regulations that
Sec. 99.31(a)(1) also applies to school transportation officials,
school bus drivers, and school bus attendants who need access to
education records in order to safely and efficiently transport
students. Another commenter asked for clarification whether, under the
proposed regulations, practicum students, fieldwork students, and
unpaid interns in schools would be considered ``school officials.'' One
commenter asked whether Sec. 99.31(a)(1) permits outsourced medical
providers to be considered ``school officials.''
One commenter asked how proposed Sec. 99.31(a)(1) would apply to
parties other than educational agencies and institutions. The commenter
was concerned about permitting SEAs to disclose personally identifiable
information to outside parties under Sec. 99.31(a)(1)(i)(B) because
SEAs are not subject to Sec. 99.7, which requires educational agencies
and institutions to annually notify parents and eligible students of
their rights under FERPA, including a specific requirement in Sec.
99.7(a)(3)(iii) that an educational agency or institution that has a
policy of disclosing information under Sec. 99.31(a)(1) must include
in its annual notice a specification of criteria for determining who
constitutes a school official and what constitutes a legitimate
educational interest. A number of commenters requested clarification
about the applicability of Sec. 99.31(a)(1)(i)(B) to State authorities
that operate State longitudinal data systems that maintain records of
local educational agencies (LEAs) or institutions and are responsible
for certain reporting requirements under the No Child Left Behind Act.
Some of these commenters believe that State authorities operating these
systems are ``school officials'' under Sec. 99.31(a)(1) who should be
able to disclose education records for the purpose of outsourcing under
Sec. 99.31(a)(1)(i)(B).
One commenter recommended that the regulations permit the
disclosure of education records to non-educational State agencies for
evaluation purposes under Sec. 99.31(a)(1). Another commenter asked
that we revise the regulations to permit representatives of the Centers
for Disease Control and Prevention to access education records for the
purpose of public health surveillance under the ``school officials''
exception.
Another commenter requested further guidance on how Sec.
99.31(a)(1) would apply to local law enforcement officers who work in
collaboration with schools in various capacities and whether education
records could be shared with these officers in order to ensure safe
campuses.
Discussion: The Secretary does not agree that the proposed changes
to Sec. 99.31(a)(1) go beyond the plain reading of the statute and
congressional intent. As we explained in the NPRM, FERPA's broad
definition of education records includes records that are maintained by
``a person acting for'' an educational agency or institution. 20 U.S.C.
1232g(a)(4)(A)(ii); see 34 CFR 99.3. (In floor remarks describing the
meaning of the definition of education records, Senators James Buckley
and Claiborne Pell, principal sponsors of the December 1974 FERPA
amendments, specifically referred to materials that are maintained by a
school ``or by one of its agents.'' See ``Joint Statement in
Explanation of Buckley/Pell Amendment'' (Joint Statement), 120 Cong.
Rec. S21488 (Dec. 13, 1974).) Although the Secretary is concerned that
educational agencies and institutions not misapply Sec. 99.31(a)(1),
the changes to the regulations are necessary to clarify the scope of
the ``school officials'' exception in FERPA.
We disagree with commenters that the requirement in Sec.
99.31(a)(1)(i)(B)(1) that the outside party must perform an
institutional service or function for which the agency or institution
would otherwise use employees is too restrictive or unworkable. The
requirement serves to ensure that the ``school officials'' exception
does not expand into a general exce