Family Educational Rights and Privacy, 19726-19739 [2011-8205]

Agencies

• DEPARTMENT OF EDUCATION

[Federal Register Volume 76, Number 68 (Friday, April 8, 2011)]
[Proposed Rules]
[Pages 19726-19739]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-8205]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF EDUCATION

34 CFR Part 99

RIN 1880-AA86
[Docket ID ED-2011-OM-0002]


Family Educational Rights and Privacy

AGENCY: Office of Management, Department of Education.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Secretary proposes to amend the regulations implementing 
section 444 of the General Education Provisions Act, which is also 
known as the Family Educational Rights and Privacy Act of 1974, as 
amended (FERPA). These proposed amendments are necessary to ensure that 
the Department's implementation of FERPA continues to protect the 
privacy of education records, as intended by Congress, while allowing 
for the effective use of data in statewide longitudinal data systems 
(SLDS) as envisioned in the America Creating Opportunities to 
Meaningfully Promote Excellence in Technology, Education, and Science 
Act (COMPETES Act) and furthermore supported under the American 
Recovery and Reinvestment Act of 2009 (ARRA). Improved access to data 
contained within an SLDS will facilitate States' ability to evaluate 
education programs, to build upon what works and discard what does not, 
to increase accountability and transparency, and to contribute to a 
culture of innovation and continuous improvement in education. These 
proposed amendments would enable authorized representatives of State 
and local educational authorities, and organizations conducting 
studies, to use SLDS data to achieve these important outcomes while 
protecting privacy under FERPA through an expansion of the requirements 
for written agreements and the Department's enforcement mechanisms.

DATES: We must receive your comments on or before May 23, 2011. 
Comments received after this date will not be considered.

ADDRESSES: Submit your comments through the Federal eRulemaking Portal 
or via postal mail, commercial delivery, or hand delivery. We will not 
accept comments by fax or by e-mail. Please submit your comments only 
one time, in order to ensure that we do not receive duplicate copies. 
In addition, please include the Docket ID at the top of your comments.
     Federal eRulemaking Portal: Go to https://www.regulations.gov to submit your comments electronically. Information 
on using Regulations.gov, including instructions for accessing agency 
documents, submitting comments, and viewing the docket, is available on 
the site under ``How To Use This Site.''
     Postal Mail, Commercial Delivery, or Hand Delivery. If you 
mail or deliver your comments about these proposed regulations, address 
them to Regina Miles, U.S. Department of Education, 400 Maryland 
Avenue, SW., Washington, DC 20202.

    Privacy Note: The Department's policy for comments received from 
members of the public (including those comments submitted by mail, 
commercial delivery, or hand delivery) is to make these submissions 
available for public viewing in their entirety on the Federal 
eRulemaking Portal at https://www.regulations.gov. Therefore, 
commenters should be careful to include in their comments only 
information that they wish to make publicly available on the 
Internet.


FOR FURTHER INFORMATION CONTACT: Ellen Campbell, U.S. Department of 
Education, 400 Maryland Avenue, SW., Washington, DC 20202. Telephone: 
(202) 260-3887 or via Internet: FERPA@ed.gov.
    If you use a telecommunications device for the deaf, call the 
Federal Relay Service (FRS), toll free, at 1-800-877-8339.
    Individuals with disabilities can obtain this document in an 
accessible format (e.g., braille, large print, audiotape, or computer 
diskette) on request to the contact person listed under FOR FURTHER 
INFORMATION CONTACT.

SUPPLEMENTARY INFORMATION:

Invitation to Comment

    We invite you to submit comments regarding these proposed 
regulations. To ensure that your comments have maximum effect in 
developing the final regulations, we urge you to identify clearly the 
specific section or sections of the proposed regulations that each of 
your comments addresses and to arrange your comments in the same order 
as the proposed regulations.
    We invite you to assist us in complying with the specific 
requirements of Executive Order 12866 and its overall requirement of 
reducing regulatory burden that might result from these proposed 
regulations. Please let us know of any further opportunities we should 
take to reduce potential costs or increase potential benefits while 
preserving the effective and efficient administration of the program.
    During and after the comment period, you may inspect all public 
comments about these proposed regulations by accessing https://www.regulations.gov. You may also inspect the comments in person in 
room 6W243, 400 Maryland Avenue, SW., Washington, DC, 20202 between the 
hours of 8:30 a.m. and 4 p.m. Eastern time, Monday through Friday of 
each week except Federal holidays.

Assistance to Individuals With Disabilities in Reviewing the Rulemaking 
Record

    On request, we will supply an appropriate aid, such as a reader or 
print magnifier, to an individual with a disability who needs 
assistance to review the comments or other documents in the public 
rulemaking record for these proposed regulations. If you want to 
schedule an appointment for this type of aid, please contact the person 
listed under FOR FURTHER INFORMATION CONTACT.
    Background: On February 17, 2009, the President signed the ARRA 
(Pub. L.

[[Page 19727]]

111-5) into law. The ARRA includes significant provisions relating to 
the expansion and development of SLDS. Under title XIV of the ARRA, in 
order for a State to receive funding under the State Fiscal 
Stabilization Fund program (SFSF), the State's Governor must provide an 
assurance in the State's application for SFSF funding that the State 
will establish an SLDS that meets the requirements of section 
6401(e)(2)(D) of the COMPETES Act (20 U.S.C. 9871(e)(2)(D)).
    With respect to public preschool through grade 12 and postsecondary 
education, COMPETES requires that the SLDS include: (a) A unique 
statewide student identifier that, by itself, does not permit a student 
to be individually identified by users of the system; (b) student-level 
enrollment, demographic, and program participation information; (c) 
student-level information about the points at which students exit, 
transfer in, transfer out, drop out, or complete P-16 education 
programs; (d) the capacity to communicate with higher education data 
systems; and (e) a State data audit system assessing data quality, 
validity, and reliability.
    With respect to public preschool through grade 12 education, 
COMPETES requires that the SLDS include: (a) Yearly test records of 
individual students with respect to assessments under section 1111(b) 
of the Elementary and Secondary Education Act of 1965, as amended (20 
U.S.C. 6311(b)); (b) information on students not tested by grade and 
subject; (c) a teacher identifier system with the ability to match 
teachers to students; (d) student-level transcript information, 
including information on courses completed and grades earned; and (e) 
student-level college readiness test scores.
    With respect to postsecondary education, COMPETES requires that the 
SLDS include: (a) Information regarding the extent to which students 
transition successfully from secondary school to postsecondary 
education, including whether students enroll in remedial coursework; 
and (b) other information determined necessary to address alignment and 
adequate preparation for success in postsecondary education.
    Separate provisions in title VIII of the ARRA appropriated $250 
million for additional grants to State educational agencies (SEAs) 
under the Statewide Longitudinal Data Systems program, authorized under 
section 208 of the Educational Technical Assistance Act of 2002 (20 
U.S.C. 9601, et seq.) to support the expansion of SLDS to include 
postsecondary and workforce information.
    The extent of data sharing contemplated by these and other Federal 
initiatives prompted the Department to review the impact that its FERPA 
regulations could have on the development and use of SLDS. FERPA is a 
Federal law that protects student privacy by prohibiting educational 
agencies and institutions from having a practice or policy of 
disclosing personally identifiable information in student education 
records (``PII'') unless a parent or eligible student provides prior 
written consent or a statutory exception applies. In those 
circumstances in which educational agencies and institutions may 
disclose PII to third parties without consent, FERPA and its 
implementing regulations limit the redisclosure of PII by the 
recipients, except as set forth in Sec. Sec.  99.33(c) and (d) and 
99.35(c)(2) (see 20 U.S.C. 1232g(b)(3) and (b)(4)(B) and Sec. Sec.  
99.33 and 99.35(c)(2)). For example, State and local educational 
authorities that receive PII without consent from the parent or 
eligible student under the ``audit or evaluation'' exception may not 
make further disclosures of the PII on behalf of the educational agency 
or institution unless prior written consent from the parent or eligible 
student is obtained, Federal law specifically authorized the collection 
of the PII, or a statutory exception applies and the redisclosure and 
recordation requirements are met (see 20 U.S.C. 1232g(b)(3) and (b)(4) 
and Sec. Sec.  99.32(b)(2), 99.33(b)(1)), and 99.35(c)).
    In light of the ARRA, the Department has conducted a review of its 
FERPA regulations in 34 CFR part 99, including changes reflected in the 
final regulations published on December 9, 2008 (73 FR 74806). Further, 
the Department has reviewed its guidance interpreting FERPA, including 
statements made in the preamble discussion to the final regulations 
published on December 9, 2008 (73 FR 74806).
    Based on its review, the Department has determined that the 
Department's December 2008 changes to the FERPA regulations promote the 
development and expansion of robust SLDS in the following ways:
     Expanding the redisclosure authority in FERPA by amending 
Sec.  99.35 to permit State and local educational authorities and other 
officials listed in Sec.  99.31(a)(3) to make further disclosures of 
personally identifiable information from education records, without the 
consent of parents or eligible students, on behalf of the educational 
agency or institution from which the PII was obtained under specified 
conditions (see Sec. Sec.  99.33(b)(1) and 99.35(b)(1)).
     Permitting SEAs and other State educational authorities, 
as well as the other officials listed in Sec.  99.31(a)(3), to record 
their redisclosures at the time they are made and by groups (i.e., by 
the student's class, school district, or other appropriate grouping 
rather than by the name of each student whose record was redisclosed); 
and only requiring them to send these records of redisclosure to the 
educational agencies or institutions from which the PII was obtained 
upon the request of an educational agency or institution (see Sec.  
99.32(b)(2)).
    Notwithstanding these provisions in the Department's FERPA 
regulations and the preamble discussion relating to the December 2008 
changes to the regulations, the Department's review indicates that 
there are a small number of other regulatory provisions and policy 
statements that unnecessarily hinder the development and expansion of 
SLDS consistent with the ARRA. Because the Department has determined 
that these regulatory provisions and policies are not necessary to 
ensure privacy protections for PII, it proposes to amend 34 CFR part 99 
to make the changes described in the following section.

Significant Proposed Regulations

    We discuss substantive issues under the sections of the proposed 
regulations to which they pertain. Generally, we do not address 
proposed regulatory provisions that are technical or otherwise minor in 
effect.

Definitions (Sec.  99.3)

Authorized Representative (Sec. Sec.  99.3, 99.35)

    Statute: Sections (b)(1)(C), (b)(3) and (b)(5) of FERPA (20 U.S.C. 
1232g(b)(1)(C), (b)(3) and (b)(5)) permit educational agencies and 
institutions nonconsensually to disclose PII to ``authorized 
representatives'' of State and local educational authorities, the 
Secretary, the Attorney General of the United States, and the 
Comptroller General of the United States, as may be necessary in 
connection with the audit, evaluation, or the enforcement of Federal 
legal requirements related to Federal or State supported education 
programs. The statute does not define the term authorized 
representative.
    Current Regulations: The term authorized representative, which is 
used in current Sec. Sec.  99.31(a)(3) and 99.35(a)(1), is not defined 
in the current regulations. Current Sec. Sec.  99.31(a)(3) and 
99.35(a)(1), together, implement sections (b)(1)(C), (b)(3) and (b)(5) 
of FERPA (20 U.S.C. 1232g(b)(1)(C), (b)(3) and (b)(5)).

[[Page 19728]]

    Proposed Regulations: We propose to amend Sec.  99.3 to add a 
definition of the term authorized representative. Under the proposed 
definition, an authorized representative would mean any entity or 
individual designated by a State or local educational authority or 
agency headed by an official listed in Sec.  99.31(a)(3) to conduct--
with respect to Federal or State supported education programs--any 
audit, evaluation, or compliance or enforcement activity in connection 
with Federal legal requirements that relate to those programs.
    In order to help ensure proper implementation of FERPA requirements 
that protect student privacy, we also propose to amend Sec.  99.35 
(What conditions apply to disclosure of information for Federal or 
State program purposes?). Specifically, we would provide, in proposed 
Sec.  99.35(a)(2), that responsibility remains with the State or local 
educational authority or agency headed by an official listed in Sec.  
99.31(a)(3) to use reasonable methods to ensure that any entity 
designated as its authorized representative remains compliant with 
FERPA. We are not proposing to define ``reasonable methods'' in the 
proposed regulations in order to provide flexibility for a State or 
local educational authority or an agency headed by an official listed 
in Sec.  99.31(a)(3) to make these determinations. However, we are 
interested in receiving comments on what would be considered reasonable 
methods. The Department anticipates issuing non-regulatory guidance on 
this and other related matters when we issue the final regulations or 
soon thereafter.
    We also would amend Sec.  99.35 to require written agreements 
between a State or local educational authority or agency headed by an 
official listed in Sec.  99.31(a)(3) and its authorized representative, 
other than an employee (see proposed Sec.  99.35(a)(3)). We propose 
that these agreements: designate the individual or entity as an 
authorized representative; specify the information to be disclosed and 
that the purpose for which the PII is disclosed to the authorized 
representative is only to carry out an audit or evaluation of Federal 
or State supported education programs, or to enforce or to comply with 
Federal legal requirements that relate to those programs; require the 
return or destruction of the PII when no longer needed for the 
specified purpose in accordance with the requirements of Sec.  
99.35(b)(2); specify the time period in which the PII must be returned 
or destroyed; and establish policies and procedures (consistent with 
FERPA and other Federal and State confidentiality and privacy 
provisions) to protect the PII from further disclosure (except back to 
the disclosing entity) and unauthorized use, including limiting the use 
of PII to only those authorized representatives with legitimate 
interests (see proposed Sec.  99.35(a)(3)).
    We would propose a minor change to Sec.  99.35(b) to clarify that 
the requirement to protect PII from disclosure applies to authorized 
representatives.
    Finally, proposed Sec.  99.35(d) would clarify that if the 
Department's Family Policy Compliance Office (FPCO) finds that a State 
or local educational authority, an agency headed by an official listed 
in Sec.  99.31(a)(3), or an authorized representative of a State or 
local educational authority or agency headed by an official listed in 
Sec.  99.31(a)(3) improperly rediscloses PII in violation of FERPA, the 
educational agency or institution from which the PII originated would 
be prohibited from permitting the entity responsible for the improper 
redisclosure (i.e., the authorized representative, or the State or 
local educational authority or the agency headed by an officials listed 
in Sec.  99.31(a)(3), or both) access to the PII for at least five 
years (see 20 U.S.C. 1232g(b)(4)(B) and Sec.  99.33(e)).
    Reasons: Under current Sec. Sec.  99.31(a)(3) and 99.35(a)(1) and 
20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5), an educational agency or 
institution may disclose PII to an authorized representative of a State 
or local educational authority or an agency headed by an official 
listed in Sec.  99.31(a)(3), without prior written consent, for the 
purposes of conducting--with respect to Federal or State supported 
education programs--any audit, evaluation, or compliance or enforcement 
activity in connection with Federal legal requirements that relate to 
those education programs, provided that such disclosures are subject to 
the applicable privacy protections in FERPA. Although the term 
authorized representative is not defined in FERPA or the current 
regulations, the Department's longstanding interpretation of this term 
has been that it does not include other State or Federal agencies 
because these agencies are not under the direct control (e.g., they are 
not employees or contractors) of a State educational authority (or 
other agencies headed by officials listed in Sec.  99.31(a)(3)). 
(Memorandum from William D. Hansen, Deputy Secretary of Education, to 
State officials, January 30, 2003, (``Hansen memorandum'')). Under this 
interpretation of the term authorized representative, as it is used in 
current Sec. Sec.  99.31(a)(3) and 99.35(a)(1) (and 1232g(b)(1)(C), 
(b)(3), and (b)(5)), an SEA or other State educational authority may 
not make further disclosures of PII to other State agencies, such as 
State health and human services departments, because these agencies are 
not employees or contractors to which the State educational authority 
has outsourced the audit or evaluation of education programs (or other 
institutional services or functions). (This interpretation was later 
incorporated in the preamble to the final FERPA regulations published 
on December 9, 2008 (73 FR 74806, 74825).)
    As explained in further detail in the following paragraphs, the 
Department has concluded that FERPA does not require that an authorized 
representative be under the educational authority's direct control in 
order to receive PII for purposes of audit or evaluation. We also do 
not believe such a restrictive interpretation is warranted given 
Congress' intent in the ARRA to have States link data across sectors. 
Through these regulations, therefore, we are proposing to rescind the 
policy established in the January 30, 2003, Hansen memorandum and the 
preamble to the final FERPA regulations published on December 9, 2008 
(73 FR 74806, 74825). These proposed regulations also would expressly 
permit State and local educational authorities and other agencies 
headed by officials listed in Sec.  99.31(a)(3) to exercise the 
flexibility and discretion to designate other individuals and entities, 
including other governmental agencies, as their authorized 
representatives for evaluation, audit, or legal enforcement or 
compliance purposes of a Federal or State-supported education program, 
subject to the requirements in FERPA and its implementing regulations.
    We first note that nothing in FERPA prescribes which agencies, 
organizations, or individuals may serve as an authorized representative 
of a State or local educational authority or an agency headed by an 
official listed in Sec.  99.31(a)(3), or whether an authorized 
representative must be a public or private entity or official. 
Moreover, the Department believes that it is unnecessarily restrictive 
to interpret FERPA as prohibiting an individual or entity who is not an 
employee or contractor under the ``direct control'' of a State or local 
educational authority or agency headed by an official listed in Sec.  
99.31(a)(3) from serving as an authorized representative.
    One of the key purposes of FERPA is to ensure the privacy of 
personally identifiable information in student education records. 
Therefore, the determination of who can serve as an authorized 
representative should be

[[Page 19729]]

made in light of that purpose. Accordingly, we believe it is 
appropriate to require that any State or local educational authority or 
agency headed by an official listed in Sec.  99.31(a)(3) that 
designates an individual or entity as an authorized representative--
     Be responsible for using reasonable methods to ensure that 
the designated individual or entity--
    [cir] Uses PII only for purposes of the audit, evaluation, or 
compliance or enforcement activity in question;
    [cir] Destroys or returns PII when no longer needed for these 
purposes; and
    [cir] Protects PII from redisclosure (and use by any other third 
party), except as permitted in Sec.  99.35(b)(1) (i.e., back to the 
disclosing entity) (see proposed Sec.  99.35(a)(2)); and
     Use a written agreement that designates any authorized 
representative other than an employee and includes the privacy 
protections set forth in proposed Sec.  99.35(a)(3) (i.e., to use 
reasonable methods to limit its authorized representative's use of PII 
for these purposes, to require the return or destruction of PII when it 
is no longer needed for these purposes, and to establish policies and 
procedures consistent with FERPA and other Federal and State 
confidentiality and privacy provisions) to protect PII from further 
disclosure (except back to the disclosing entity). If a State or local 
educational authority or agency headed by an official listed in Sec.  
99.31(a)(3) is able to comply with these requirements (i.e., to use 
reasonable methods to limit its authorized representative's use of PII 
for these purposes, to establish policies and procedures to protect PII 
from further disclosure and to require the return or destruction of PII 
when it is no longer needed for these purposes), then there is no 
reason why a State health and human services or labor department, for 
example, should be precluded from serving as the authority's authorized 
representative and receiving non-consensual disclosures of PII to link 
education, workforce, health, family services, and other data for the 
purpose of evaluating, auditing, or enforcing Federal legal 
requirements related to, Federal or State supported education programs.
    Furthermore, under proposed Sec.  99.35(d), we would clarify that 
in the event that the Family Policy Compliance Office finds an improper 
redisclosure, the Department would prohibit the educational agency or 
institution from which the PII originated from permitting the party 
responsible for the improper redisclosure (i.e., the authorized 
representative, or the State or local educational authority or agency 
headed by an official listed in Sec.  99.31(a)(3), or both) access to 
the PII for at least five years.
    With these proposed changes to the privacy provisions in Sec.  
99.35, we believe that PII, including PII in SLDS, will be 
appropriately protected while giving each State the needed flexibility 
to house information in a SLDS that best meets the needs of the 
particular State. FERPA does not constrain State administrative choices 
regarding the data system architecture, data strategy, or technology 
for SLDS as long as the required designation, purpose, and privacy 
protections are in place. The proposed amendments to Sec.  99.35 would 
require that these protections are in place.

Directory Information (Sec.  99.3)

    Statute: Sections (a)(5)(A), (b)(1), and (b)(2) of FERPA (20 U.S.C. 
1232g(a)(5), (b)(1), and (b)(2)) permit educational agencies and 
institutions nonconsensually to disclose information defined as 
directory information, such as a student's name and address, telephone 
listing, date and place of birth, and major field of study, provided 
that specified public notice and opt out conditions have been met.
    Current Regulations: Directory information is defined in current 
Sec.  99.3 as information contained in an education record of a student 
that would not generally be considered harmful or an invasion of 
privacy if disclosed, and includes information listed in section 
(a)(5)(A) of FERPA (20 U.S.C. 1232g(a)(5)(A)) (e.g., a student's name 
and address, telephone listing) as well as other information, such as a 
student's electronic mail (e-mail) address, enrollment status, and 
photograph. Current regulations also specify that a student's Social 
Security Number (SSN) or student identification (ID) number may not be 
designated and disclosed as directory information. However, the current 
regulations state that a student ID number, user ID, or other unique 
personal identifier used by the student for purposes of accessing or 
communicating in electronic systems may be designated and disclosed as 
directory information if the identifier cannot be used to gain access 
to education records except when used in conjunction with one or more 
factors to authenticate the user's identity.
    Proposed Regulations: The proposed regulations would modify the 
definition of directory information to clarify that an educational 
agency or institution may designate as directory information and 
nonconsensually disclose a student ID number or other unique personal 
identifier that is displayed on a student ID card or badge if the 
identifier cannot be used to gain access to education records except 
when used in conjunction with one or more factors that authenticate the 
user's identity, such as a PIN, password, or other factor known or 
possessed only by the authorized user.
    Reasons: Directory information items, such as name, photograph, and 
student ID number, are the types of information that are typically 
displayed on a student ID card or badge. For the reasons outlined in 
our discussion later in this notice regarding the proposed changes in 
Sec.  99.37(c), the proposed change to the definition of directory 
information is needed to clarify that FERPA permits educational 
agencies and institutions to designate student ID numbers as directory 
information in the public notice provided to parents and eligible 
students in attendance at the agency or institution under Sec.  
99.37(a)(1). Including the designation of student ID numbers as a 
directory information item will permit schools to disclose as directory 
information a student ID number on a student ID card or badge if the 
student ID number cannot be used to gain access to education records 
except when used in conjunction with one or more factors that 
authenticate the user's identity. In situations where a student's 
social security number is used as the student's ID number, that number 
may not be designated as directory information, even for purposes of a 
student's ID card or badge.

Education Program (Sec. Sec.  99.3, 99.35)

    Statute: The statute does not define the term education program.
    Current Regulations: The term education program, which is used in 
current Sec.  99.35(a)(1), is not defined in the current regulations. 
Current Sec.  99.35(a)(1) provides that authorized representatives of 
the officials or agencies headed by officials listed in Sec.  
99.31(a)(3) may have non-consensual access to personally identifiable 
information from education records in connection with an audit or 
evaluation of Federal or State supported ``education programs'', or for 
the enforcement of or compliance with Federal legal requirements that 
relate to those programs.
    Proposed Regulations: We propose to define the term education 
program to mean any program that is principally engaged in the 
provision of education, including, but not limited to early childhood 
education, elementary and secondary education, postsecondary education, 
special education, job training, career and technical education,

[[Page 19730]]

and adult education, regardless of whether the program is administered 
by an educational authority.
    Reasons: The proposed definition of education program in Sec.  99.3 
is intended to establish that a program need not be administered by an 
educational agency or institution in order for it to be considered an 
education program for purposes of Sec.  99.35(a)(1) and 20 U.S.C. 
1232g(b)(1). The Secretary recognizes that education may begin before 
kindergarten and may involve learning outside of postsecondary 
institutions. However, in many States, programs that the Secretary 
would regard as education programs are not administered by SEAs or 
LEAs. For example, in many States, State-level health and human 
services departments administer early childhood education programs, 
including early intervention programs authorized under Part C of the 
Individuals with Disabilities Education Act (IDEA). Similarly, agencies 
other than SEAs may administer career and technical education or adult 
education programs. Because all of these programs could benefit from 
the type of rigorous data-driven evaluation that SLDS will facilitate, 
we are proposing to define the term education program to include these 
programs that are not administered by education agencies. This proposed 
change would provide greater access to information on students before 
entering or exiting the P-16 programs. The information could be used to 
evaluate these education programs and provide increased opportunities 
to build upon successful ones and improve less successful ones. In 
order to accomplish these objectives, and to give States the 
flexibility needed to develop and expand the SLDS contemplated under 
the ARRA, the Department proposes to interpret the term education 
program, as used in FERPA and its implementing regulations, to mean any 
program that is principally engaged in the provision of education, 
including, but not limited to, early childhood education, elementary 
and secondary education, postsecondary education, special education, 
job training, career and technical education, and adult education, even 
when agencies other than SEAs administer such a program.\1\ Thus, as an 
example, under the proposed definitions of the terms, authorized 
representative and education program, FERPA would permit a State 
educational authority to designate a State health and human services 
agency as its authorized representative in order to conduct an audit or 
an evaluation of any Federal or State supported education program, such 
as the Head Start program.
---------------------------------------------------------------------------

    \1\ We intend for the proposed definition of the term education 
program to include, but not be limited to, any applicable program, 
as that term is defined in section 400 of the General Education 
Provisions Act (20 U.S.C. 1221).
---------------------------------------------------------------------------

Research Studies (Sec.  99.31(a)(6))

    Statute: Section (b)(1)(F) of FERPA permits educational agencies 
and institutions non-consensually to disclose PII to organizations 
conducting studies for, or on behalf of, educational agencies and 
institutions to improve instruction, to administer student aid 
programs, or to develop, validate, or administer predictive tests.
    Current Regulations: Current Sec.  99.31(a)(6)(ii)(C) requires that 
an educational agency or institution enter into a written agreement 
with the organization conducting the study that specifies the purpose, 
scope, and duration of the study and the information to be disclosed 
and meets certain other requirements. Current regulations do not 
indicate whether State and local educational authorities and agencies 
headed by officials listed in Sec.  99.31(a)(3) that may redisclose PII 
on behalf of educational agencies and institutions under Sec.  99.33(b) 
may also enter into this type of written agreement.
    Proposed Regulations: The Secretary proposes to amend Sec.  99.31 
by redesignating paragraphs (a)(6)(ii) through (a)(6)(v) as paragraphs 
(a)(6)(iii) through (a)(6)(vi) and adding a new paragraph (a)(6)(ii). 
This new paragraph would clarify that nothing in FERPA or its 
implementing regulations prevents a State or local educational 
authority or agency headed by an official listed in Sec.  99.31(a)(3) 
from entering into agreements with organizations conducting studies 
under Sec.  99.31(a)(6)(i) and redisclosing PII on behalf of the 
educational agencies and institutions that provided the information in 
accordance with the requirements of Sec.  99.33(b). We also propose to 
amend Sec.  99.31(a)(6) to require written agreements between a State 
or local educational authority or agency headed by an official listed 
in Sec.  99.31(a)(3) and any organization conducting studies with 
redisclosed PII under this exception (see proposed Sec.  
99.31(a)(6)(iii)(C)). Under this amended regulatory provision, these 
agreements would need to contain the specific provisions currently 
required in agreements between educational agencies or institutions and 
such organizations under current Sec.  99.31(a)(6)(ii)(C). Thus, the 
only differences between proposed Sec.  99.31(a)(6)(iii)(C) and current 
Sec.  99.31(a)(6)(ii)(C) would be to make the written agreement 
requirements apply to State or local educational authorities or 
agencies headed by an official listed in Sec.  99.31(a)(3) as well as 
educational agencies and institutions. Finally, newly redesignated 
Sec.  99.31(a)(6)(iv) and (a)(6)(v) would be revised to ensure that 
these provisions apply to State and local educational authorities or 
agencies headed by an official listed in Sec.  99.31(a)(3)--not only 
educational agencies and institutions.
    Reasons: In the preamble to the FERPA regulations published in the 
Federal Register on December 9, 2008 (73 FR 74806, 74826), the 
Department explained that an SEA or other State educational authority 
that has legal authority to enter into agreements for LEAs or 
postsecondary institutions under its jurisdiction may enter into an 
agreement with an organization conducting a study for the LEA or 
institution under the studies exception in Sec.  99.31(a)(6). The 
preamble explained further that if the SEA or other State educational 
authority does not have the legal authority to act for or on behalf of 
an LEA or institution, then the SEA or other State educational 
authority would not be permitted to enter into an agreement with an 
organization under this exception. The changes reflected in proposed 
Sec.  99.31(a)(6)(ii) are necessary to clarify that while FERPA does 
not confer legal authority on State and Federal agencies to enter into 
agreements and act on behalf of or in place of LEAs and postsecondary 
institutions, nothing in FERPA prevents them from entering into these 
agreements and redisclosing PII on behalf of LEAs and postsecondary 
institutions to organizations conducting studies under Sec.  
99.31(a)(6) in accordance with the redisclosure requirements in Sec.  
99.33(b).
    As explained in the preamble to the December 2008 regulations (see 
73 FR 74806, 74821), the Department recognizes that the State and local 
educational authorities and Federal officials that receive PII without 
consent under Sec.  99.31(a)(3) are generally responsible for 
supervising and monitoring LEAs and postsecondary institutions. SEAs 
and State higher educational agencies, in particular, typically have 
the role and responsibility to perform and support research and 
evaluation of publicly funded education programs for the benefit of 
multiple educational agencies and institutions in their States. We 
understand further that these relationships generally provide 
sufficient authority for a State educational authority to enter into an

[[Page 19731]]

agreement with an organization conducting a study and to redisclose PII 
received from educational agencies and institutions that provided the 
information in accordance with Sec.  99.33(b). The proposed 
regulations, therefore, would clarify that studies supported by these 
State and Federal authorities of publicly funded education programs 
generally may be conducted, while simultaneously ensuring that any PII 
disclosed is appropriately protected by the organizations conducting 
the studies.
    In the event that an educational agency or institution objects to 
the redisclosure of PII it has provided, the State or local educational 
authority or agency headed by an official listed in Sec.  99.31(a)(3) 
may rely instead on any independent authority it has to further 
disclose the information on behalf of the agency or institution. The 
Department recognizes that this authority may be implied and need not 
be explicitly granted.

Authority To Audit or Evaluate (Sec.  99.35)

    Statute: Sections (b)(1)(C), (b)(3) and (b)(5) of FERPA (20 U.S.C. 
1232g(b)(1)(C), (b)(3) and (b)(5)) permit educational agencies and 
institutions non-consensually to disclose PII to authorized 
representatives of State and local educational authorities, the 
Secretary, the Attorney General of the United States, and the 
Comptroller General of the United States, as may be necessary in 
connection with the audit, evaluation, or the enforcement of Federal 
legal requirements related to Federal or State supported education 
programs.
    Current Regulations: Current Sec.  99.35(a)(2) provides that in 
order for a State or local educational authority or other agency headed 
by an official listed in Sec.  99.31(a)(3) to conduct an audit, 
evaluation, or compliance or enforcement activity, its authority to do 
so must be established under other Federal, State, or local authority 
because that authority is not conferred by FERPA.
    Proposed Regulations: The Secretary proposes to amend Sec.  
99.35(a)(2) by removing the provision that a State or local educational 
authority or other agency headed by an official listed in Sec.  
99.31(a)(3) must establish legal authority under other Federal, State 
or local law to conduct an audit, evaluation, or compliance or 
enforcement activity.
    Reasons: Current Sec. Sec.  99.33(b)(1) and 99.35(b)(1) permit 
State and local educational authorities and agencies headed by 
officials listed in Sec.  99.31(a)(3) to further disclose PII from 
education records on behalf of educational agencies or institutions to 
other authorized recipients under Sec.  99.31, including separate State 
educational authorities at different levels of education, provided that 
the redisclosure meets the requirements of Sec.  99.33(b)(1) and the 
recordkeeping requirements in Sec.  99.32(b). However, we believe that 
our prior guidance and statements made in the preambles to the notice 
of proposed rulemaking published on March 24, 2008 (73 FR 15574), and 
the final regulations published on December 9, 2008 (73 FR 74806), may 
have created some confusion about whether a State or local educational 
authority or agency headed by an official listed in Sec.  99.31(a)(3) 
that receives PII under the audit and evaluation exception must be 
authorized to conduct an audit or evaluation of a Federal or State 
supported education program, or enforcement or compliance activity in 
connection with Federal legal requirements related to the education 
program of the disclosing educational agency or institution or whether 
the PII may be disclosed in order for the recipient to conduct an 
audit, evaluation, or enforcement or compliance activity with respect 
to the recipient's own Federal or State supported education programs.
    By removing the language concerning legal authority from current 
Sec.  99.35(a)(2), the Department would clarify two things to eliminate 
this confusion. First, the Department would clarify that the authority 
for a State or local educational authority or Federal agency headed by 
an official listed in Sec.  99.31(a)(3) to conduct an audit, 
evaluation, enforcement or compliance activity may be express or 
implied. And, second, the Department would clarify that FERPA permits 
non-consensual disclosure of PII to a State or local educational 
authority or agency headed by an official listed in Sec.  99.31(a)(3) 
to conduct an audit, evaluation, or compliance or enforcement activity 
with respect to the Federal or State supported education programs of 
the recipient's own Federal or State supported education programs as 
well as those of the disclosing educational agency or the institution.
    The Department intends these clarifications to promote Federal 
initiatives to support the robust use of data by State and local 
educational authorities to evaluate the effectiveness of Federal or 
State supported education programs. The provision of postsecondary 
student data to P-12 data systems is vital to evaluating whether P-12 
schools are effectively preparing students for college. This proposed 
clarification would, for example, establish that FERPA does not 
prohibit a private postsecondary institution from non-consensually 
disclosing to an LEA PII on the LEA's former students who are now in 
attendance at the private postsecondary institution, as may be 
necessary for the LEA to evaluate the Federal or State supported 
education programs that the LEA administers. This proposed 
clarification similarly would establish that FERPA does not prohibit a 
postsecondary data system from non-consensually redisclosing PII to an 
SEA in connection with the SEA's evaluation of whether the State's LEAs 
effectively prepared their graduates to enroll, persist, and succeed in 
postsecondary education.

Directory Information (Sec.  99.37)

Section 99.37(c) (Student ID Cards and ID Badges)

    Statute: The statute does not address whether parents and eligible 
students may use their right to opt out of directory information 
disclosures to prevent school officials from requiring students to 
disclose ID cards or to wear ID badges.
    Current Regulations: Current regulations do not address whether 
parents and eligible students may use their right to opt out of 
directory information disclosures to prevent school officials from 
requiring students to disclose ID cards or to wear ID badges.
    Proposed Regulations: The proposed regulations would provide in 
Sec.  99.37(c) that parents or eligible students may not use their 
right to opt out of directory information disclosures to prevent an 
educational agency or institution from requiring students to wear or 
otherwise disclose student ID cards or badges that display information 
that may be designated as directory information under Sec.  99.3 and 
that has been properly designated by the educational agency or 
institution as directory information under Sec.  99.37(a)(1).
    Reasons: An increased awareness of school safety and security has 
prompted some educational agencies and institutions, especially school 
districts, to require students to wear and openly display a student ID 
badge that contains identifying information (typically, name, photo, 
and student ID number) when the student is on school property or 
participates in extracurricular activities. We have received inquiries 
about this issue, as well as complaints that the mandatory public 
display of identifying information on a student ID

[[Page 19732]]

badge violates the FERPA rights of parents and eligible students who 
have opted out of directory information disclosures. The proposed 
regulations are needed to clarify that the right to opt out of 
directory information disclosures is not a mechanism for students, when 
in school or at school functions, to refuse to wear student ID badges 
or to display student ID cards that display information that may be 
designated as directory information under Sec.  99.3 and that has been 
properly designated by the educational agency or institution as 
directory information under Sec.  99.37(a)(1). Because we recognize 
that the types of ID cards and badges that postsecondary institutions 
require may differ significantly from those required by elementary and 
secondary schools, we are requesting comments from postsecondary 
officials on whether this proposed change raises any particularized 
concerns for their institutions.
    The directory information exception is intended to facilitate 
communication among school officials, parents, students, alumni, and 
others, and permits schools to publicize and promote institutional 
activities to the general public. Many schools do so by publishing 
paper or electronic directories that contain student names, addresses, 
telephone listings, e-mail addresses, and other information the 
institution has designated as directory information. Some schools do 
not publish a directory but do release directory information on a more 
selective basis. FERPA allows a parent or eligible student to opt out 
of these disclosures (under the conditions specified in Sec.  
99.37(a)), whether the information is made available to the general 
public, limited to members of the school community, or released only to 
specified individuals.
    The Secretary believes, however, that the need for schools and 
college campuses to implement measures to ensure the safety and 
security of students is of the utmost importance and that FERPA should 
not be used as an impediment to achieving student safety. Thus, the 
right to opt out of the disclosure of directory information does not 
include the right to refuse to wear or otherwise disclose a student ID 
card or badge that displays directory information and, therefore, may 
not be used to impede a school's ability to monitor and control who is 
in school buildings or on school grounds or whether a student is where 
he or she should be. This proposed change would mean that, even when a 
parent or eligible student opts out of the disclosure of directory 
information, an educational agency or institution may nevertheless 
require the student to wear and otherwise disclose a student ID card or 
badge that displays information that may be designated as directory 
information under Sec.  99.3 and that has been properly designated by 
the educational agency or institution as directory information under 
Sec.  99.37(a)(1).

Section 99.37(d) (Limited Directory Information Policy)

    Statute: Under sections (a)(5), (b)(1), and (b)(2) of FERPA (20 
U.S.C. 1232g(a)(5), (b)(1), and (b)(2)), an educational agency or 
institution may disclose directory information without meeting FERPA's 
written consent requirements provided that it first notifies the 
parents or eligible students of the types of information that may be 
disclosed and allows them to opt out of the disclosure. The statute 
lists a number of items in the definition of directory information, 
including a student's name, address, and telephone listing. The statute 
does not otherwise address whether an educational agency or institution 
may have a limited directory information policy in which it specifies 
the exact parties who may receive directory information, the specific 
purposes for which the directory information may be disclosed, or both.
    Current Regulations: Section 99.37(a) requires an educational 
agency or institution to provide public notice to parents of students 
in attendance and eligible students in attendance of the types of 
directory information that may be disclosed and the parent's or 
eligible student's right to opt out.
    Proposed Regulations: Proposed Sec.  99.37(d) would clarify that an 
educational agency or institution may specify in the public notice it 
provides to parents and eligible students in attendance provided under 
Sec.  99.37(a) that disclosure of directory information will be limited 
to specific parties, for specific purposes, or both. We also propose to 
clarify that an educational agency or institution that adopts a limited 
directory information policy must limit its directory information 
disclosures only to those parties and purposes that were specified in 
the public notice provided under Sec.  99.37(a).
    Reasons: Some school officials have advised us that their 
educational agencies and institutions do not have a directory 
information policy under FERPA, due to concerns about the potential 
misuse by members of the public of personally identifiable information 
about students, including potential identity theft. Clarifying that the 
regulations permit educational agencies and institutions to have a 
limited directory information policy would give educational agencies 
and institutions greater discretion in protecting student privacy by 
permitting them to limit the release of directory information for 
specific purposes, to specific parties, or both. This proposed change 
also would provide a regulatory authority for FPCO to investigate and 
enforce a violation of a limited directory information policy by an 
educational agency or institution.
    However, in order not to impose additional administrative burdens 
on educational agencies and institutions, the Department is not 
proposing changes to the recordkeeping requirement in Sec.  
99.32(d)(4), which currently excepts educational agencies and 
institutions from having to record the disclosure of directory 
information. For similar reasons, the Department is not proposing to 
amend the redisclosure provisions in Sec.  99.33(c), which except the 
redisclosure of directory information from the general prohibition on 
redisclosure of personally identifiable information. While the 
Department is not proposing to regulate on the redisclosure of 
directory information by third parties that receive directory 
information from educational agencies or institutions under a limited 
directory information policy, we nevertheless strongly recommend that 
educational agencies and institutions that choose to adopt a limited 
directory information policy assess the need to protect the directory 
information from further disclosure by the third parties to which they 
disclose directory information; when a need to protect the information 
from further disclosure is identified, educational agencies and 
institutions should enter into non-disclosure agreements with the third 
parties.

Enforcement Procedures With Respect to Any Recipient of Department 
Funds That Students Do Not Attend (Sec.  99.60)

    Statute: Sections (f) and (g) of FERPA (20 U.S.C. 1232g(f) and (g)) 
authorize the Secretary to take appropriate actions to enforce and 
address violations of FERPA in accordance with part D of the General 
Education Provisions Act (20 U.S.C. 1234 through 1234i) and to 
establish or designate an office and review board within the Department 
for the purpose of investigating, processing, reviewing, and 
adjudicating alleged violations of FERPA.
    Current Regulations: Current Sec.  99.60(b) designates the FPCO as 
the office within the Department responsible for investigating, 
processing, and reviewing alleged

[[Page 19733]]

violations of FERPA. Current subpart E of the FERPA regulations 
(Sec. Sec.  99.60 through 99.67), however, only addresses alleged 
violations of FERPA committed by an educational agency or institution.
    Proposed Regulations: Proposed Sec.  99.60(a)(2) would provide 
that, solely for purposes of subpart E of the FERPA regulations, which 
addresses enforcement procedures, an ``educational agency or 
institution'' includes any public or private agency or institution to 
which FERPA applies under Sec.  99.1(a)(2), as well as any State 
educational authority (e.g., SEAs or postsecondary agency) or local 
educational authority or any other recipient to which funds have been 
made available under any program administered by the Secretary (e.g., a 
nonprofit organization, student loan guaranty agency, or a student loan 
lender), including funds provided by grant, cooperative agreement, 
contract, subgrant, or subcontract.
    Reasons: With the advent of SLDS, it is necessary for the 
Department to update our enforcement regulations to clearly set forth 
the Department's authority to investigate and enforce alleged 
violations of FERPA by State and local educational authorities or any 
other recipients of Department funds under a program administered by 
the Secretary. Current Sec. Sec.  99.60 through 99.67 only apply the 
enforcement provisions in FERPA to an ``educational agency or 
institution.'' Although the statute and the regulations broadly define 
the term ``educational agency or institution,'' the Department 
generally has not interpreted the term to include entities that 
students do not attend. The Department's interpretation is based upon 
the fact that FERPA defines ``education records'' as information 
directly related to a ``student,'' and that ``student'' is, in turn, 
defined as excluding a person who has not been in attendance at the 
educational agency or institution. 20 U.S.C. 1232g(a)(4) and (a)(6). 
Because students do not attend non-school types of entities the 
Department has generally not viewed these recipients of Department 
funds as being ``educational agencies or institutions'' under FERPA.
    Consequently, the current regulations do not clearly authorize FPCO 
to investigate, review, and process an alleged violation committed by 
recipients of Department funds under a program administered by the 
Secretary in which students do not attend. In addition, the regulations 
do not clearly authorize the Secretary to bring an enforcement action 
against these recipients. Further, it would not be fair to hold an LEA 
or institution of higher education (IHE) that originally disclosed the 
PII to a State or local educational authority responsible for violation 
of FERPA by the State or local educational authority because the LEA or 
IHE generally would not have an effective means to prevent such an 
improper redisclosure by a State or local educational authority.
    Therefore, the Department proposes to add a new Sec.  99.60(a)(2) 
that would clearly authorize the Department to hold State educational 
authorities(e.g., SEAs and State postsecondary agencies), local 
educational authorities, as well as other recipients of Department 
funds under any program administered by the Secretary (e.g., nonprofit 
organizations, student loan guaranty agencies, and student loan 
lenders), accountable for compliance with FERPA. The Department 
believes that this authority is especially important given the 
disclosures of PII needed to implement SLDS.
    Because the Department has generally not viewed these entities as 
being ``educational agencies or institutions'' under FERPA and 
consequently has not viewed most FERPA provisions as applying to them 
(e.g., the requirement in Sec.  99.7 to annually notify parents and 
eligible students of their rights under FERPA, and the requirement in 
Sec.  99.37 to give public notice to parents and eligible students 
about directory information, if it has a policy of disclosing directory 
information), we anticipate that most FERPA compliance issues involving 
these entities will concern whether they have complied with FERPA's 
redisclosure provision in Sec.  99.33.
    We expect that we will face few issues concerning these entities' 
compliance with the few additional FERPA provisions that may be 
applicable to them. For example, the FERPA requirements, in addition to 
those in Sec.  99.33, that may be applicable to entities that are not 
``educational agencies or institutions'' under FERPA include, but are 
not limited to, the right to inspect and review education records 
maintained by an SEA or any of its components under Sec.  99.10(a)(2), 
the requirement that organizations conducting studies under Sec.  
99.31(a)(6) must not permit the personal identification of parents and 
students by anyone other than representatives of that organization with 
legitimate interests in the information and must destroy or return 
personally identifiable information from education records when the 
information is no longer needed for the purposes for which the study 
was conducted, and the requirement in Sec.  99.35(b)(2) that personally 
identifiable information from education records that is collected by a 
State or local educational authority or agency headed by an official 
listed in Sec.  99.31(a)(3) in connection with an audit or evaluation 
of Federal or State supported education programs, or to enforce Federal 
legal requirements related to Federal or State supported education 
programs, must be destroyed when no longer needed for these purposes.

Executive Order 12866

    Under Executive Order 12866, the Secretary must determine whether 
this regulatory action is ``significant'' and therefore subject to the 
requirements of the Executive Order and subject to review by the Office 
of Management and Budget (OMB). Section 3(f) of Executive Order 12866 
defines a ``significant regulatory action'' as an action likely to 
result in a rule that may: (1) Have an annual effect on the economy of 
$100 million or more, or adversely affect a sector of the economy, 
productivity, competition, jobs, the environment, public health or 
safety, or State, local or Tribal governments or communities in a 
material way (also referred to as an ``economically significant'' 
rule); (2) create serious inconsistency or otherwise interfere with an 
action taken or planned by another agency; (3) materially alter the 
budgetary impacts of entitlement grants, user fees, or loan programs or 
the rights and obligations of recipients thereof; or (4) raise novel 
legal or policy issues arising out of legal mandates, the President's 
priorities, or the principles set forth in the Executive Order. The 
Secretary has determined that this regulatory action is significant 
under section 3(f) of the Executive order.
    In accordance with Executive Order 12866, the Secretary has 
assessed potential costs and benefits of this regulatory action and 
determined that the benefits justify the costs.

Need for Federal Regulatory Action

    These proposed regulations are needed to ensure that the 
Department's implementation of FERPA continues to protect the privacy 
of student education records, while allowing for the effective use of 
data in education records, particularly data in statewide longitudinal 
data systems.

Summary of Costs and Benefits

    Following is an analysis of the costs and benefits of the proposed 
changes to the FERPA regulations, which would make changes to 
facilitate the disclosure, without written consent, of education 
records, particularly data in

[[Page 19734]]

statewide longitudinal data systems, for the purposes of evaluating 
education programs and ensuring compliance with Federal and State 
requirements. In conducting this analysis, the Department examined the 
extent to which the proposed changes would add to or reduce the costs 
of educational agencies, other agencies, and institutions in complying 
with the FERPA regulations prior to these changes, and the extent to 
which the proposed changes are likely to provide educational benefit. 
Allowing data-sharing across agencies, because it increases the number 
of individuals who have access to personally identifiable information, 
may increase the risk of unauthorized disclosure. However, we do not 
believe that the staff in the additional agencies who will have access 
to the data are any more likely to violate FERPA than existing users, 
and the strengthened accountability and enforcement mechanisms will 
help to ensure better compliance overall. While there will be 
administrative costs associated with implementing data-sharing 
protocols, we believe that the relatively minimal administrative costs 
of establishing data-sharing protocols would be off-set by potential 
analytic benefits. Based on this analysis, the Secretary has concluded 
that the proposed modifications would result in savings to entities and 
have the potential to benefit the Nation by improving capacity to 
conduct analyses that will provide information needed to improve 
education.

Authorized Representative

    The proposed regulations would amend Sec.  99.3 by adding a 
definition of the term authorized representative that would include any 
individual or entity designated by an educational authority or certain 
other officials to carry out audits, evaluations, or enforcement or 
compliance activities relating to education programs. Under the current 
regulations, educational authorities may provide to authorized 
representatives PII for the purposes of conducting audits, evaluations, 
or enforcement and compliance activities relating to Federal and State 
supported education programs. The term ``authorized representative'' is 
not defined, but the Department's position has been that educational 
authorities may only disclose education records to entities over which 
they have direct control, such as an employee or a contractor of the 
authority. Therefore, SEAs have not been able to disclose PII to other 
State agencies, even for the purpose of evaluating education programs 
under the purview of the SEAs. For example, an SEA or LEA could not 
disclose PII to a State employment agency for the purpose of obtaining 
data on post-school outcomes such as employment for its former 
students. Thus, if an SEA or LEA wanted to match education records with 
State employment records for purposes of evaluating its secondary 
education programs, it would have to import the entire workforce 
database and do the match itself (or contract with a third party to do 
the same analysis). Similarly, if a State workforce agency wanted to 
use PII maintained by the SEA in its longitudinal educational data 
system, in combination with data it had on employment outcomes, to 
evaluate secondary vocational education programs, it would not be able 
to obtain the SEA's educational data in order to conduct the analyses. 
It would have to provide the workforce data to the SEA to conduct the 
analyses or to a third party (e.g., an entity under the direct control 
of the SEA) to construct the needed longitudinal administrative data 
systems. While feasible, these strategies force agencies to outsource 
their analyses to other agencies or entities, adding administrative 
cost, burden, and complexity. Moreover, preventing agencies from using 
data directly for conducting their own analytical work increases the 
likelihood that the work will not meet their expectations or get done 
at all. Finally, the current interpretation of the regulations exposes 
greater amounts of PII to risk of disclosure as a result of greater 
quantities of PII moving across organizations (e.g., the entire 
workforce database) than would be the case with a more targeted data 
request (e.g., graduates from a given year who appear in the workforce 
database). The proposed regulatory changes would permit educational 
agencies (and other entities listed in Sec.  99.31(a)(3)) to non-
consensually disclose PII to other State agencies or to house data in a 
common State data system, such as a data warehouse administered by a 
central State authority for the purposes of conducting audits or 
evaluations of Federal or State supported education programs, or for 
enforcement of and compliance with Federal legal requirements relating 
to Federal and State supported education programs (consistent with 
FERPA and other Federal and State confidentiality and privacy 
provisions).
    The Department also proposes to amend Sec.  99.35 to require that 
written agreements require PII to be used only to carry out an audit or 
an evaluation of Federal or State supported education program or for an 
enforcement or compliance activity in connection with Federal legal 
requirements that relate to those programs and protect PII from 
unauthorized disclosure. The cost of entering into such agreements 
should be minimal in relation to the benefits of being able to share 
data.

Education Program

    The proposed regulations