Family Educational Rights and Privacy, 75604-75660 [2011-30683]

Agencies

• DEPARTMENT OF EDUCATION

[Federal Register Volume 76, Number 232 (Friday, December 2, 2011)]
[Rules and Regulations]
[Pages 75604-75660]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-30683]



[[Page 75603]]

Vol. 76

Friday,

No. 232

December 2, 2011

Part II





Department of Education





-----------------------------------------------------------------------





34 CFR Part 99





Family Educational Rights and Privacy; Final Rule

Federal Register / Vol. 76 , No. 232 / Friday, December 2, 2011 / 
Rules and Regulations

[[Page 75604]]


-----------------------------------------------------------------------

DEPARTMENT OF EDUCATION

34 CFR Part 99

[DOCKET ID ED-2011-OM-0002]
RIN 1880-AA86


Family Educational Rights and Privacy

AGENCY: Office of Management, Department of Education.

ACTION: Final regulations.

-----------------------------------------------------------------------

SUMMARY: The Secretary of Education (Secretary) amends the regulations 
implementing section 444 of the General Education Provisions Act 
(GEPA), which is commonly referred to as the Family Educational Rights 
and Privacy Act (FERPA). These amendments are needed to ensure that the 
U.S. Department of Education (Department or we) continues to implement 
FERPA in a way that protects the privacy of education records while 
allowing for the effective use of data. Improved access to data will 
facilitate States' ability to evaluate education programs, to ensure 
limited resources are invested effectively, to build upon what works 
and discard what does not, to increase accountability and transparency, 
and to contribute to a culture of innovation and continuous improvement 
in education. The use of data is vital to ensuring the best education 
for our children. However, the benefits of using student data must 
always be balanced with the need to protect student privacy. Protecting 
student privacy helps achieve a number of important goals, including 
avoiding discrimination, identity theft, as well as other malicious and 
damaging criminal acts.

DATES: These regulations are effective January 3, 2012. However, State 
and local educational authorities, and Federal agencies headed by 
officials listed in Sec.  99.31(a)(3) with written agreements in place 
prior to January 3, 2012, must comply with the existing requirement in 
Sec.  99.35(a)(3) to use written agreements to designate any authorized 
representatives, other than employees, only upon any renewal of or 
amendment to the written agreement with such authorized representative.

FOR FURTHER INFORMATION CONTACT: Ellen Campbell, U.S. Department of 
Education, 400 Maryland Avenue SW., Room 2E203, Washington, DC 20202-
8520. Telephone: (202) 260-3887.
    If you use a telecommunications device for the deaf (TDD), call the 
Federal Relay Service (FRS), toll-free, at 1-(800) 877-8339.

SUPPLEMENTARY INFORMATION: On April 8, 2011, the Department published a 
notice of proposed rulemaking (NPRM) in the Federal Register (76 FR 
19726). In the preamble to the NPRM, the Secretary stated that the 
proposed changes were necessary to ensure the Department's proper 
implementation of FERPA, while allowing for the effective use of 
student data, and to address other issues identified through the 
Department's experience in administering FERPA.
    Protecting student privacy is paramount to the effective 
implementation of FERPA. All education data holders must act 
responsibly and be held accountable for safeguarding students' 
personally identifiable information (PII) from education records. The 
need for clarity surrounding privacy protections and data security 
continues to grow as statewide longitudinal data systems (SLDS) are 
built and more education records are digitized and shared 
electronically. As States develop and refine their information 
management systems, it is critical that they take steps to ensure that 
student information is protected and that PII from education records is 
disclosed only for authorized purposes and under circumstances 
permitted by law. (When we use the term ``disclose'' in this document, 
we sometimes are referring to redisclosures as well.)
    The amendments reflected in these final regulations establish the 
procedures that State and local educational authorities, and Federal 
agencies headed by officials listed in Sec.  99.31(a)(3) (FERPA-
permitted entities), their authorized representatives, and 
organizations conducting studies must follow to ensure compliance with 
FERPA. The amendments also reduce barriers that have inhibited the 
effective use of SLDS as envisioned in the America Creating 
Opportunities to Meaningfully Promote Excellence in Technology, 
Education, and Science Act (the America COMPETES Act) (Pub. L. 110-69) 
and the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 
111-5). Finally, by expanding the requirements for written agreements 
and the Department's enforcement mechanisms, the amendments help to 
ensure increased accountability on the part of those with access to PII 
from education records.
    These amendments include definitions for two previously undefined 
terms, ``authorized representative'' and ``education program,'' to 
permit greater access by appropriate and authorized parties to 
information on students in order to evaluate the effectiveness of 
education programs. Specifically, we have modified the definition of 
and requirements related to ``directory information'' to clarify (1) 
that the right to opt out of the disclosure of directory information 
under FERPA does not include the right to refuse to wear, or otherwise 
disclose, a student identification (ID) card or badge; (2) that schools 
may implement a limited directory information policy in which they 
specify the parties or purposes for which the information is disclosed; 
and (3) the Department's authority to hold State educational 
authorities and other recipients of Department funds under a program 
administered by the Secretary accountable for compliance with FERPA.
    We believe that the regulatory changes adopted in these final 
regulations provide clarification on many important issues that have 
arisen over time with regard to how FERPA applies to SLDS and to other 
requests for data on student progress. Additionally, educational 
agencies and institutions continue to face considerable challenges 
implementing directory information policies that help them maintain 
safe campuses and protect PII from education records from potential 
misuse, such as identity theft. These final regulations, as well as the 
discussion in the preamble, will assist school officials in addressing 
these challenges in a manner that complies with FERPA. These final 
regulations also respond to the September 2010 U.S. Government 
Accountability Office (GAO) study entitled ``Many States Collect 
Graduates' Employment Information, but Clearer Guidance on Student 
Privacy Requirements Is Needed,'' by clarifying the means by which 
States can collect and share graduates' employment information under 
FERPA.
    Finally, we have discussed with the U.S. Department of Agriculture 
(USDA) the potential effect of these regulations on the use of 
information regarding individual children's eligibility for free or 
reduced price school meals in the National School Lunch and School 
Breakfast Programs (School Meals Programs or SMPs) in connection with 
an audit or evaluation of Federal- or State-supported education 
programs. Congress recognized that sharing of children's eligibility 
information could benefit schools and children participating in the 
SMPs. As a result, section 9(b)(6) of the Richard B. Russell National 
School Lunch Act, as amended (National School Lunch Act) (42 U.S.C. 
1758(b)(6)) permits schools to disclose children's eligibility 
information to persons with a need to know who are associated with a 
Federal or State education program and who will not

[[Page 75605]]

further disclose that information. Because of the importance of 
assuring not only that FERPA requirements are met, but also that all of 
the Federal confidentiality protections in the National School Lunch 
Act are met, the two Departments intend to jointly issue guidance in 
the near future for use by the educational community and by State and 
local administrators of USDA programs.

Notice of Proposed Rulemaking

    In the NPRM, we proposed regulations to:
     Amend Sec.  99.3 to define the term ``authorized 
representative'' to include individuals or entities designated by 
FERPA-permitted entities to carry out an audit or evaluation of 
Federal- or State-supported education programs, or for the enforcement 
of or compliance with Federal legal requirements related to these 
programs (audit, evaluation, or enforcement or compliance activity);
     Amend the definition of ``directory information'' in Sec.  
99.3 to clarify that a unique student identification (ID) number may be 
designated as directory information for the purposes of display on a 
student ID card or badge if the unique student ID number cannot be used 
to gain access to education records except when used in conjunction 
with one or more factors that authenticate the user's identity, such as 
a Personal Identification Number, password, or other factor known or 
possessed only by the authorized user;
     Amend Sec.  99.3 to define the term ``education program'' 
as any program principally engaged in the provision of education, 
including, but not limited to, early childhood education, elementary 
and secondary education, postsecondary education, special education, 
job training, career and technical education, and adult education;
     Amend Sec.  99.31(a)(6) to clarify that FERPA-permitted 
entities are not prevented from redisclosing PII from education records 
as part of agreements with researchers to conduct studies for, or on 
behalf of, educational agencies and institutions;
     Remove the provision in Sec.  99.35(a)(2) that required 
that any FERPA-permitted entity must have legal authority under other 
Federal, State, or local law to conduct an audit, evaluation, or 
enforcement or compliance activity;
     Amend Sec.  99.35(a)(2) to provide that FERPA-permitted 
entities are responsible for using reasonable methods to ensure that 
their authorized representatives comply with FERPA;
     Add a new Sec.  99.35(a)(3) to require that FERPA-
permitted entities must use a written agreement to designate an 
authorized representative (other than an employee) under the provisions 
in Sec. Sec.  99.31(a)(3) and 99.35 that allow the authorized 
representative access to PII from education records without prior 
written consent in connection with any audit, evaluation, or 
enforcement or compliance activity;
     Add a new Sec.  99.35(d) to clarify that in the event that 
the Department's Family Policy Compliance Office (FPCO or Office) finds 
an improper redisclosure in the context of Sec. Sec.  99.31(a)(3) and 
99.35 (the audit or evaluation exception), the Department would 
prohibit the educational agency or institution from which the PII 
originated from permitting the party responsible for the improper 
disclosure (i.e., the authorized representative, or the FERPA-permitted 
entities, or both) access to PII from education records for a period of 
not less than five years (five-year rule);
     Amend Sec.  99.37(c) to clarify that while parents or 
eligible students (students who have reached 18 years of age or are 
attending a postsecondary institution at any age) may opt out of the 
disclosure of directory information, this opt out does not prevent an 
educational agency or institution from requiring a student to wear, 
display, or disclose a student ID card or badge that exhibits directory 
information;
     Amend Sec.  99.37(d) to clarify that educational agencies 
or institutions may develop policies that allow the disclosure of 
directory information only to specific parties, for specific purposes, 
or both; and
     Add Sec.  99.60(a)(2) to authorize the Secretary to take 
appropriate actions to enforce FERPA against any entity that receives 
funds under any program administered by the Secretary, including funds 
provided by grant, cooperative agreement, contract, subgrant, or 
subcontract.

Changes From the NPRM

    These final regulations contain the following substantive changes 
from the NPRM:
     In Sec.  99.3, we have defined the term ``early education 
program'' as that term is used in the definition of education program. 
The definition is based on the definition of ``early childhood 
education program'' in section 103(8) of the Higher Education Act of 
1965, as amended (HEA) (20 U.S.C. 1003(8));
     We have made changes to the definition of ``education 
program'' in Sec.  99.3 to clarify that any program administered by an 
educational agency or institution is considered an education program; 
and
     We have modified the written agreement requirement in 
Sec.  99.35(a)(3) to require that the agreement specify how the work 
falls within the exception of Sec.  99.31(a)(3), including a 
description of the PII from education records that will be disclosed, 
and how the PII from education records will be used.
    We have also made the following minor or non-substantive changes 
from the NPRM:
     We have made minor editorial changes to the definition of 
``authorized representative'' in Sec.  99.3 to ensure greater 
consistency between the language in that definition and the language in 
Sec.  99.35(a)(1);
     We have removed language from Sec. Sec.  
99.31(a)(6)(iii)(C)(4) and 99.35(a)(3)(iii) and (a)(3)(iv) that 
permitted an organization conducting a study or an authorized 
representative to return PII from education records to the FERPA-
permitted entity from which the PII originated, in lieu of destroying 
such information. We made these changes to more closely align the 
regulatory language with the statute and to ensure that the PII from 
education records is destroyed as required by the statute;
     We have made changes to Sec.  99.35(a)(2) to clarify that 
the FERPA-permitted entity from which the PII originated is responsible 
for using reasonable methods to ensure to the greatest extent 
practicable that any entity or individual designated as its authorized 
representative complies with FERPA requirements;
     We have made editorial changes to Sec.  99.35(a)(2) so the 
language in that section is more consistent with the language in Sec.  
99.35(a)(1) regarding the requirements for an audit, evaluation, or 
enforcement or compliance activity;
     We have clarified in Sec.  99.35(a)(3)(v) that the 
required written agreement must establish policies and procedures to 
protect PII from education records from further disclosure, including 
by limiting use of PII to only authorized representatives with 
legitimate interests in the audit, evaluation, or enforcement or 
compliance activity;
     We have revised Sec.  99.35(b)(1) to refer to a State or 
local educational authority or agency headed by an official listed in 
Sec.  99.31(a)(3) rather than ``authority'' or ``agency'', to ensure 
consistency with the language used in Sec.  99.35(a)(2) and (a)(3);
     We have consolidated all regulatory provisions related to 
prohibiting an educational agency or institution from disclosing PII 
from education records to a third party outside of an educational 
agency or institution for at least five years (five-year rule) and 
moved them to subpart E of part 99 (What are the

[[Page 75606]]

Enforcement Procedures?). Specifically, we--
    [cir] Included in Sec.  99.67(c) language from current Sec.  
99.31(a)(6)(iv) concerning the application of the five-year rule when 
the Department determines that a third party outside the educational 
agency or institution fails to destroy PII from education records after 
the information is no longer needed for the study for which it was 
disclosed;
    [cir] Clarified in Sec.  99.67(d) that, in the context of the audit 
or evaluation exception, the five-year rule applies to any FERPA-
permitted entity or its authorized representative if the Department 
determines that either party improperly redisclosed PII from education 
records; and
    [cir] Moved to Sec.  99.67(e) the language from current Sec.  
99.33(e) concerning the application of the five-year rule when the 
Department determines that a third party outside the educational agency 
or institution improperly rediscloses PII from education records in 
violation of Sec.  99.33 or fails to provide the notification required 
under Sec.  99.33(b)(2);
     Throughout subpart E of part 99 (Sec. Sec.  99.60 through 
99.67), we have revised the language regarding enforcement procedures 
to clarify that the Secretary may investigate, process, and review 
complaints and violations of FERPA against an educational agency or 
institution or against any other recipient of Department funds under a 
program administered by the Secretary. This marks a change from the 
current provisions, which refer only to the Department's enforcement 
procedures against ``educational agencies and institutions,'' which are 
defined in Sec.  99.3 as any public or private agency or institution to 
which part 99 applies under Sec.  99.1(a). Section 99.1 describes FERPA 
as applying to an educational agency or institution to which funds have 
been made available under any program administered by the Secretary if 
(1) The educational institution provides educational services or 
instruction, or both, to students; or (2) the educational agency is 
authorized to direct and control public elementary or secondary, or 
postsecondary educational institutions; and
     Throughout subpart E of part 99 (Sec. Sec.  99.60 through 
99.67), we have clarified the procedures that the Office will follow to 
investigate, review, process, and enforce the five-year rule against 
third parties outside of the educational agency or institution.

Analysis of Comments and Changes

    We received a total of 274 comments on the proposed regulations. 
The comments represented a broad spectrum of viewpoints from a number 
of different interested parties, including students, parents, privacy 
advocacy organizations, researchers, numerous associations, and 
representatives from schools, local educational agencies (LEAs) (also 
referred to as ``districts''), and State educational agencies (SEAs).
    We have carefully considered these comments and, as a result of 
this public input, have made several changes to the final regulations 
since publication of the NPRM. An analysis of the comments and changes 
follows. We group major issues according to subject, with applicable 
sections of the regulations referenced in parentheses. Generally, we do 
not address technical and other minor changes that we made, or respond 
to suggested changes that the law does not authorize the Secretary to 
make, or to comments that were outside the scope of the NPRM.

General Comments

Definitions

    Comment: Several commenters stated that the terms used in the 
proposed regulations to refer to the different types of entities 
affected by the regulations were unclear and asked for the Department 
to clarify their meaning. Specifically, they asked if there is a 
difference between an educational agency or institution, on the one 
hand, and a State or local educational authority, on the other. Some 
commenters requested that we clarify whether a State agency, other than 
an SEA, such as a State department of social services, could be 
considered a State educational authority under the regulations. Another 
commenter asked that we also define the term ``school official'' to 
differentiate it from the term ``authorized representative.''
    Discussion: There are differences in meaning between the terms 
``educational agency,'' ``educational institution,'' and ``State and 
local educational authority,'' and we provide the following explanation 
to clarify how these terms are used in the context of FERPA and its 
implementing regulations.
    In general, FERPA applies to an ``educational agency or 
institution'' that receives funds under a program administered by the 
Secretary. 20 U.S.C. 1232g(a)(3). In Sec.  99.3, we define the term 
``educational agency or institution'' as any public or private agency 
or institution to which part 99 applies under Sec.  99.1(a).
    Educational institution. We use the term ``educational 
institution'' to refer to any elementary or secondary school, including 
any school funded or operated by the U.S. Department of the Interior's 
Bureau of Indian Education (BIE),\1\ or to any postsecondary 
institution that receives funds under a program administered by the 
Secretary and that provides educational services or instruction, or 
both, to students (see Sec.  99.1(a)(1)). Additionally, Sec.  99.3 of 
the FERPA regulations defines ``institution of postsecondary 
education'' as an institution that provides education to students 
beyond the secondary school level. We generally use the term 
``institution of postsecondary education'' to refer to colleges and 
universities and, in this document, use it interchangeably with the 
terms ``postsecondary institution'' and ``institution of higher 
education''.
---------------------------------------------------------------------------

    \1\ Under section 9204(a) of the Elementary and Secondary 
Education Act of 1965, as amended (ESEA), the Secretary of Education 
and the Secretary of the Interior are required to reach an agreement 
regarding how the BIE will comply with ESEA requirements. Under a 
2005 Final Agreement between the Department of Education and the 
Department of the Interior, the two Departments agreed, as a general 
matter, that the Department of Education would treat BIE as an SEA 
and each BIE school as an LEA, for purposes of complying with the 
requirements of ESEA.
---------------------------------------------------------------------------

    Educational agency. Under Sec.  99.1(a)(2), an ``educational 
agency'' is an entity that is authorized to direct and control public 
elementary or secondary schools or postsecondary institutions. Thus, we 
consider LEAs (a term that we use interchangeably with school 
districts) to be ``educational agencies'' in the context of FERPA. 
However, we do not generally view SEAs as being ``educational 
agencies'' under Sec.  99.1(a)(2) because we interpret the statutory 
definition of the term ``student'' to mean that an educational agency 
is an agency attended by students. Under paragraph (a)(6) of FERPA, a 
``student includes any person with respect to whom an educational 
agency or institution maintains education records or personally 
identifiable information, but does not include a person who has not 
been in attendance at such agency or institution.'' 20 U.S.C. 
1232g(a)(6). For example, we have generally considered students to be 
in attendance at the Fairfax County Public Schools school district, but 
not at the Virginia Department of Education. Therefore, under this 
framework, the term ``educational agencies or institutions'' generally 
refers to LEAs, elementary and secondary schools, schools operated by 
BIE, and postsecondary institutions.
    State and local educational authorities. The term ``State and local 
educational authority'' is not defined in FERPA. The term ``State and 
local

[[Page 75607]]

educational authority'' is important in the context of FERPA's audit or 
evaluation exception in Sec. Sec.  99.31(a)(3) and 99.35 because State 
and local educational authorities are permitted to access, without 
consent, PII from education records. We generally have interpreted the 
term ``State and local educational authority'' to refer to an SEA, a 
State postsecondary commission, BIE, or any other entity that is 
responsible for and authorized under local, State, or Federal law to 
supervise, plan, coordinate, advise, audit, or evaluate elementary, 
secondary, or postsecondary Federal- or State-supported education 
programs and services in the State. (See https://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/wku071105.html for more information.) While we 
have not generally viewed an SEA as being an educational agency under 
Sec.  99.1(a)(2) for the reasons outlined in the preceding paragraph, 
it is important to note that we do view an SEA as a State educational 
authority for FERPA purposes.
    An LEA can be both an educational agency and a local educational 
authority under FERPA because an LEA is authorized to direct and 
control public elementary and secondary schools and to supervise 
Federal- or State-supported education programs and services in the 
State. Because an LEA is considered to be an educational authority, the 
LEA may conduct an audit or evaluation of a Federal- or State-supported 
education program under the audit or evaluation exception. For example, 
an LEA may wish to evaluate the effectiveness of a particular program 
in the school district.
    Some commenters asked whether a State agency other than an SEA, 
such as a State social services agency, could be considered an 
``educational agency or institution'' or a ``State or local educational 
authority.'' We believe that State agencies other than an SEA could, 
depending on the individual circumstances, be considered to be an 
``educational agency or institution'' or a State educational authority 
under FERPA. The Department generally considers a State postsecondary 
commission to be a State educational authority because such commissions 
are typically responsible for and authorized under State law to 
supervise, plan, coordinate, advise, audit, or evaluate Federal- or 
State-supported postsecondary education programs and services in the 
State. Likewise, a State-administered school that receives funds under 
a program administered by the Secretary, such as a school serving 
hearing-impaired students, is considered an educational institution 
under FERPA because it provides educational services or instruction to 
students. In general, the Department does not consider a State social 
services agency to be an ``educational agency or institution'' under 
FERPA because, although such an agency may provide educational services 
or instruction to students, it is not authorized to direct and control 
public elementary or secondary or postsecondary educational 
institutions, and it does not have students in attendance. In addition, 
the Department does not consider a State social services agency to be a 
State educational authority because such an agency generally is not 
responsible for and authorized under State law to supervise, plan, 
coordinate, advise, audit, or evaluate federally or State-supported 
elementary, secondary, or postsecondary education programs and services 
in the State. However, because States vary widely in how they 
administer programs, the Department would make this determination on a 
case-by-case basis and evaluate the particular responsibilities of that 
agency before giving definitive guidance on whether a particular agency 
would be considered an educational agency or institution or a State or 
local educational authority under FERPA.
    With regard to the request that we define the term ``school 
official'' to avoid confusion with the term ``authorized 
representative,'' we note that current Sec.  99.31(a)(1) in the FERPA 
regulations already describes ``school official.'' This section makes 
clear that school officials are teachers and administrators who work 
within a school, school district, or postsecondary institution. The 
regulations also state in Sec.  99.31(a)(1) that contractors, 
consultants, volunteers, or other parties to whom an educational agency 
or institution has outsourced institutional services or functions under 
the conditions listed in Sec.  99.31(a)(1)(i)(B)(1) through 
(a)(1)(i)(B)(3) may be considered school officials with legitimate 
educational interests in students' education records. We believe that 
this language in Sec.  99.31(a)(1) and the definition of ``authorized 
representative'' are sufficiently clear to ensure that there is no 
confusion between these different categories of individuals.
    Changes: None.
    Comment: Several commenters asked the Department to include 
definitions for, and examples of, the following terms: ``evaluation,'' 
``audit,'' ``research,'' ``legitimate educational interest,'' 
``compliance activities,'' and ``enforcement activities.''
    Discussion: The terms identified by the commenters are not defined 
in FERPA, and the Department did not propose to define them in the NPRM 
because we did not wish to define them in ways that would unnecessarily 
restrict the educational community. Moreover, we do not believe it 
would be appropriate to define these terms in these final regulations 
because the public would not have had an opportunity to comment on 
them.
    Changes: None.

Fair Information Practice Principles

    Comment: Some commenters stated that the proposed amendments to 
part 99 in the NPRM represented a ``wholesale repudiation of the fair 
information practices.'' Others contended that the proposed regulatory 
changes go too far; that the changes would permit the disclosure of 
confidential student records to organizations that have little 
involvement in education, and the data will be used for purposes 
unrelated to education. Others expressed concern that the regulatory 
changes would result in student records being used for a wide range of 
activities under the pretext that some educational result would be 
derived from those activities. Others commented that obtaining parental 
consent to permit the disclosure of PII from education records should 
be the preferred approach.
    Discussion: The Fair Information Practice Principles (FIPPs) are 
the foundation for information privacy in the United States. These 
principles are sometimes referred to just as FIPs (Fair Information 
Practices) and various versions of these principles exist with 
different numbering schemes. These principles include: That there be no 
secret recordkeeping systems; that individuals should have a way to 
find out information about themselves in a record and how it is used; 
that individuals be allowed to prevent information obtained for one 
purpose from being used for another; that individuals be allowed to 
correct records about themselves; and that the organization that 
created the record assure its reliability and take steps to prevent 
misuse. FIPPs form the basis of most State and Federal privacy laws in 
the United States, including FERPA. Like most privacy laws, however, 
the FIPPs must be adapted to fit the educational context of data 
disclosure. For example, one of the FIPPs principles is that 
individuals should have the right to prevent information for one 
purpose from being used for another. FERPA expressly permits the 
redisclosure, without consent, of PII from education

[[Page 75608]]

records for a reason other than the reason for which the PII was 
originally collected, if the redisclosure is made on behalf of the 
educational agency or institution that provided the PII and the 
redisclosure meets the requirements of sec. 99.31.
    The Department is not repudiating FIPPs, but rather is making only 
narrow changes to its regulations that it has determined are necessary 
to allow for the disclosure of PII from education records to improve 
Federal- and State-supported education programs while still preserving 
student privacy. The Department remains committed to FIPPs and believes 
that the final regulations appropriately embody core FIPPs tenets. In 
fact, FIPPs underlay the Department's recent privacy initiatives, 
including creating a Chief Privacy Officer position,\2\ creating the 
Privacy Technical Assistance Center (PTAC),\3\ and issuing a series of 
technical briefs on privacy, confidentiality, and data security.
---------------------------------------------------------------------------

    \2\ The Department established an executive level Chief Privacy 
Officer (CPO) position in early 2011. The CPO oversees a new 
division dedicated to advancing the responsible stewardship, 
collection, use, maintenance, and disclosure of information at the 
national level and for States, LEAS, postsecondary institutions, and 
other education stakeholders.
    \3\ PTAC was established to serve as a one[hyphen]stop resource 
for SEAs, LEAs, the postsecondary community, and other parties 
engaged in building and using education data systems. PTAC's role is 
to provide timely and accurate information and guidance about data 
privacy, confidentiality, and security issues and practices in 
education; disseminate this information to the field and the public; 
and provide technical assistance to key stakeholders. PTAC will 
share lessons learned; provide technical assistance in both group 
settings and in one[hyphen]on[hyphen]one meetings with States; and 
create training materials on privacy, confidentiality, and security 
issues.
---------------------------------------------------------------------------

    We agree that it is preferable to obtain consent before disclosing 
PII from education records, and nothing in these final regulations is 
intended to change the statutory framework for consent. Nonetheless, 
Congress explicitly provided in FERPA that for certain purposes, PII 
from education records may be disclosed without consent. 20 U.S.C. 
1232g(b).
    We recognize that some may fear that these final regulations will 
permit the disclosure of PII from education records to improper 
parties, or for improper purposes, but we firmly believe such fears 
lack foundation. To be clear, these final regulations do not permit PII 
from education records to be disclosed for purposes unrelated to 
education. For example, the statute limits disclosures to those 
organizations that conduct studies for the purposes of ``developing, 
validating, or administering predictive tests, administering student 
aid programs, and improving instruction.'' We believe that the best 
method to prevent misuse of education records is not to bar all 
legitimate uses of education data, but rather to provide guidance and 
technical assistance on how legitimate uses can be implemented while 
properly protecting PII from education records in accordance with 
FERPA.
    Changes: None.
    Comments: Several commenters expressed concern or confusion about 
how the FERPA recordation, review, and correction provisions would work 
at the various school, LEA, or State levels.
    Several commenters raised concerns about ``up-stream data sharing'' 
as it relates to the validity of the information maintained in SLDS. 
They expressed general concern that changes made to education records 
at the local level would not be reflected in the SLDS, so that 
authorized representatives of an SEA would be looking at out-of-date 
information. Some commenters suggested that when schools amend 
education records, they should be required to forward these amendments 
or corrections to their LEA or SEA.
    A few commenters recommended that we require schools to notify 
parents and eligible students when PII from education records is 
disclosed to an outside entity. One commenter suggested that parents 
and students not only be notified, but that they also be given an 
opportunity to opt out of the disclosure. Several commenters expressed 
support for the notion that parents and students should be able to 
inspect and review education records held by authorized 
representatives.
    One commenter asked why the Department did not propose to use its 
``putative enforcement authority'' to create the right for parents and 
eligible students to inspect and seek to correct education records in 
the hands of authorized representatives.
    Discussion: We appreciate the concern that records at State and 
local educational authorities be up-to-date to reflect changes made at 
the school level. We decline, however, to require schools to forward 
every change to ``up-stream'' educational entities, as this would be 
overly burdensome. Schools correct and update student education records 
on a daily basis and requiring daily ``up-stream'' updates is not 
feasible. Rather, we urge LEAs and SEAs to arrange for periodic 
updates. We believe that such an arrangement will help ensure the 
validity and accuracy of PII from education records disclosed to LEAs 
and SEAs and ultimately held in an SLDS.
    We decline to adopt the suggestion that schools be required to 
notify parents and eligible students when PII from education records is 
redisclosed to an outside entity, and to provide parents and eligible 
students with an opportunity to opt out of the disclosure. FERPA 
expressly provides for disclosure without consent in these 
circumstances, a reflection of the importance of those limited 
disclosures.
    Under Sec.  99.7(a), educational agencies and institutions are 
required to annually notify parents and eligible students of their 
rights under FERPA. While FERPA does not require that this notice 
inform parents or eligible students of individual data sharing 
arrangements, we believe that transparency is a best practice. For this 
reason, we have amended our model notifications of rights under FERPA 
to include an explanation of the various exceptions to FERPA's general 
consent disclosure rule. This change to the model notifications should 
help parents and eligible students understand under what circumstances, 
such as the evaluation of a Federal- or State-supported education 
program, PII from education records may be disclosed to third parties 
without prior written consent. The Model Notification of Rights under 
FERPA for Elementary and Secondary Schools is included as Appendix B to 
this notice and the Model Notification of Rights under FERPA for 
Postsecondary Institutions is included as Appendix C to this notice; 
these model notifications are also available on the FPCO Web site at: 
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html and 
https://www2.ed.gov/policy/gen/guid/fpco/ferpa/ps-officials.html.
    With respect to the suggestion that we revise the regulations so 
that parents and eligible students can inspect and review and seek to 
amend education records held by authorized representatives, we note 
that FERPA provides a right for parents and eligible students to 
inspect and review their education records held by SEAs, LEAs, and 
schools. 20 U.S.C. 1232g(a)(1)(A) and (a)(1)(B). The statute does not 
provide any right to inspect and review education records held by 
authorized representatives of FERPA-permitted entities or other third 
parties (other than SEAs). Further, FERPA also provides a right for 
parents and eligible students to seek to amend their education records 
held by LEAs and schools, but not SEAs. 20 U.S.C. 1232g(a)(2). Again, 
however, the statute does not provide any right to seek to amend 
education records held by authorized representatives of FERPA-permitted 
entities or other third parties. For this

[[Page 75609]]

reason, we do not have the authority to expand these statutory 
provisions to apply to authorized representatives of FERPA-permitted 
entities or other third parties (other than the right to inspect and 
review education records maintained by SEAs).
    Parents and eligible students seeking to inspect and review a 
student's education records held by an authorized representative or a 
third party other than the SEA may contact the disclosing school or 
LEA. The school or LEA would then be required to allow them to inspect 
and review and seek to amend the education records that they maintain. 
Additionally, while FERPA does not accord a right to a parent or an 
eligible student to inspect and review and seek to amend education 
records held by authorized representatives, FERPA-permitted entities 
are free to include inspection or amendment requirements in the written 
agreements they enter into with their authorized representatives, 
assuming it is permissible under applicable State and local law to do 
so.
    FERPA does not require parental or student notification of 
individual data sharing arrangements that may utilize PII from 
education records. However, Sec.  99.32(a) does require recordation, 
except as provided in Sec.  99.32(d), of disclosures whenever an 
educational agency or institution or FERPA-permitted entity discloses 
PII from education records under one of the exceptions to the consent 
requirement. Thus, the recordation provisions in Sec.  99.32(a)(3) 
require educational agencies and institutions to record the parties to 
whom they have disclosed PII from education records and the legitimate 
interests the parties had in obtaining the information. This 
recordation must also identify the FERPA-permitted entities that may 
make further disclosures of PII from education records without consent 
(see Sec.  99.32(a)(1)). When requested, FERPA-permitted entities must 
provide pursuant to Sec.  99.32(b)(2)(iii) a copy of their record of 
further disclosures to the requesting educational agency or institution 
where the PII from education records originated within a reasonable 
period of time, not to exceed 30 days. For example, a school may 
request a record of all further disclosures made by its SEA of PII from 
education records from that school. The SEA would be required to comply 
with this request within 30 days.
    Changes: None.

Legal Authority

    Comment: Numerous commenters questioned the Department's legal 
authority to issue the proposed regulations, stating the proposals 
exceed the Department's statutory authority. Enacting the proposed 
changes, many of these commenters argued, would require legislative 
amendments to FERPA that could not be achieved through the rulemaking 
process.
    Several commenters also stated that the America COMPETES Act and 
ARRA do not confer legal authority upon the Department to propose 
regulations that would allow the disclosure of PII from education 
records in the manner envisioned in the NPRM. While acknowledging that 
the America COMPETES Act generally supports the establishment and 
expansion of SLDS, several commenters noted that the America COMPETES 
Act requires States to develop and utilize their SLDS only in ways that 
comply with the existing FERPA regulations. One commenter stated that 
ARRA was merely an appropriations law and did not suggest any shift in 
Congressional intent regarding FERPA's privacy protections, information 
sharing, or the disclosure of student education records, generally.
    Discussion: We disagree with commenters who stated that they 
believe the Department lacks the statutory authority to promulgate the 
proposed regulations contained in the NPRM. As a general matter, the 
Department has broad statutory authority to promulgate regulations to 
implement programs established by statute and administered by the 
Department. Under section 414 of the Department of Education 
Organization Act, 20 U.S.C. 3474, ``[t]he Secretary is authorized to 
prescribe such rules and regulations as the Secretary determines 
necessary or appropriate to administer and manage the functions of the 
Secretary or the Department.'' Similarly, section 410 of GEPA, 20 
U.S.C. 1221e-3, provides that the Secretary may ``make, promulgate, 
issue, rescind, and amend rules and regulations governing the manner of 
operation of, and governing the applicable programs administered by, 
the Department.''
    Neither section 444 of GEPA, which is more commonly known as FERPA, 
nor any other statute, limits the Department's authority to promulgate 
regulations to protect the privacy of PII from education records or to 
interpret its regulations on FERPA consistently with other Federal 
statutes. The proposed regulations in the NPRM fall clearly within the 
commonplace use of the Department's regulatory authority. Adopting 
these provisions is necessary to ensure that the Department's 
implementation of FERPA continues to protect the privacy of PII from 
education records, while allowing for PII from education records to be 
effectively used, particularly in SLDS.
    Moreover, we disagree with the contention that the America COMPETES 
Act and ARRA do not provide evidence of Congressional intent to expand 
and develop SLDS to include early childhood education, postsecondary, 
and workforce information. We believe the America COMPETES Act and ARRA 
should be read consistently with FERPA, where permissible. It is a 
well-established canon of statutory construction that a statute must 
not be interpreted so that it is inconsistent with other statutes where 
an ambiguity exists. Where two statutes appear to be inconsistent with 
one another, it is appropriate to provide an interpretation that 
reconciles them while still preserving their original sense and 
purpose. See, e.g., Lewis v. Lewis & Clark Marine, Inc., 531 U.S. 438 
(2001); Ruckelshaus v. Monsanto Co., 467 U.S. 986, 1017-18 (1984).
    In this case, the Department is interpreting its regulations in a 
manner that is consistent with FERPA, the America COMPETES Act, and 
ARRA. Under section 6401(e)(2)(D) of the America COMPETES Act, Congress 
clearly set forth its desire that States develop SLDS that cover 
students from preschool through postsecondary education by including 
information such as ``the capacity to communicate with higher education 
data systems,'' ``information regarding the extent to which students 
transition successfully from secondary school to postsecondary 
education, including whether students enroll in remedial coursework,'' 
and ``other information determined necessary to address alignment and 
adequate preparation for success in postsecondary education.''
    ARRA provides clear evidence of Congressional intent to support the 
expansion of SLDS, and is not merely an appropriations law, as 
suggested by one commenter. Section 14001(d) of ARRA specified that the 
Governor of a State desiring to receive an allocation under the State 
Fiscal Stabilization Fund was required to include assurances in its 
application that, among other things, the State will establish a 
longitudinal data system that includes the elements described in 
section 6401(e)(2)(D) of the America COMPETES Act. All States received 
grants under the State Fiscal Stabilization Fund. Thus, all States are 
required to include these 12 elements in their SLDS. Through ARRA, 
Congress also provided $250 million for additional State grants to 
support the expansion of SLDS to include postsecondary and workforce

[[Page 75610]]

information, providing further evidence of Congress' intention that 
States include these elements in their SLDS.
    Interpretations of our current FERPA regulations created obstacles 
for States in their efforts to comply with ARRA's requirement that SLDS 
include the 12 elements specified in the America COMPETES Act, and 
thereby allow for the sharing of education data from preschool to 
higher education. The changes that the Department is adopting through 
these regulations should eliminate barriers that may have prevented 
States from complying with the ARRA assurances while still ensuring 
that PII in education records is protected under FERPA. For example, 
under these final regulations, a local or State educational authority 
may designate a postsecondary institution as its ``authorized 
representative,'' in connection with the evaluation of Federal- or 
State-supported education programs. As such, the K-12 local or State 
educational authority may disclose PII from education records to the 
postsecondary institution without consent for purposes of evaluating 
either the K-12 or postsecondary Federal- or State-supported education 
programs.
    If the Department were to make no regulatory changes, as requested 
by several commenters, then Congress' stated intentions behind the 
America COMPETES Act and ARRA regarding the development and expansion 
of SLDS would be significantly impeded. Instead, considering the extent 
of data sharing contemplated by these statutes, the Department is 
amending several regulatory provisions that have unnecessarily hindered 
the development and expansion of SLDS as envisioned by the America 
COMPETES Act and required under ARRA, while still remaining consistent 
with FERPA's underlying purpose of protecting student privacy.
    Changes: None.

FERPA Does Not Provide Authority for Data Collection

    Comment: Several commenters expressed concern about the types of 
student PII described in the NPRM and what they perceived as the 
Department's intent to collect information on individual students. The 
Department received similar comments from multiple parties who inferred 
from the NPRM that the Department sought to collect information on 
students such as ``hair color, blood type or health care history.'' 
These commenters appeared to believe that the Department would collect 
this data and provide it to other Federal agencies, such as Labor and 
Health and Human Services, to ``facilitate social engineering such as 
development of the type of `workforce' deemed necessary by the 
government.''
    Discussion: The Department agrees that it should not collect such 
information or guide students ``toward predetermined workforce 
outcomes,'' as the commenters stated. Moreover, the Department did not 
propose in the NPRM to permit the collection of this information or to 
conduct the activities described by these commenters.
    Commenters mistakenly inferred that the proposed changes to the 
regulations would expand the types of data collections that the 
Department may require as conditions of receiving Federal funds. FERPA 
itself does not establish the authority for any type of data collection 
at any level, whether Federal, State, or local. Likewise, FERPA does 
not authorize the establishment of SLDS. Congress granted the 
Department the authority to provide grants to States for the 
development of SLDS under section 208 of the Educational Technical 
Assistance Act of 2002, 20 U.S.C. 9607. States have invested in SLDS to 
enhance their ability to efficiently and accurately manage, analyze, 
and use education data, which includes PII from education records that 
are protected under FERPA. SLDS for K-12 education often include data 
related to Federal- and State-funded education programs, such as data 
related to assessments, grades, course enrollment and completion, 
attendance, discipline, special education status, homeless status, 
migrant status, graduation or dropout status, demographics, and unique 
student identifiers. Schools and LEAs are the primary collectors of 
these data. LEAs report these individual student-level data to the SEA 
to meet various requirements, and the data is warehoused in the SLDS.
    For Federal K-12 reporting, SEAs report aggregated counts at the 
State, local, and school levels for various indicators that are 
required for participation in Federal education programs, such as the 
number of students participating in and served by Title I. Similarly, 
postsecondary institutions are required to complete Integrated 
Postsecondary Education Data Systems (IPEDS) surveys if they 
participate in or are applicants for participation in any Federal 
student financial aid program (such as Pell grants and Federal student 
loans). While schools, LEAs, SEAs, and postsecondary institutions 
maintain student-level data, what is reported to the Department in 
IPEDS and in Federal K-12 reporting is aggregated, at a minimum, at the 
institutional level. The Department does not collect PII from education 
records outside of its duties that require it, such as administering 
student loans and grants, conducting surveys, and investigating 
individual complaints.
    The Department offers this clarification to address the public 
comments that mistakenly interpreted the Department's proposed 
regulations as a mechanism to collect sensitive personal data on 
individual students at the Federal level, including data elements that 
are not related to education, to be used for non-educational purposes. 
As discussed later in this preamble, the Department is not legally 
authorized to create a national, student-level database, and the 
Department has no desire or intention to create a student record data 
system at the national level. Thus, the SLDS mentioned in these final 
regulations refers to individual States' longitudinal data systems, not 
a Federal database.
    Commenters interested in understanding more about the data 
collections required by the Department should visit the Department's 
Web site at https://edicsweb.ed.gov and select the ``Browse Active 
Collections'' link.
    Changes: None.
    Comment: Several commenters expressed concern that the Department's 
proposal would create a national database of student PII. One commenter 
expressed strong opposition to the establishment of a national database 
because of concern that such a database could be used for non-
educational purposes. Another commenter recommended that the Department 
publicly affirm that it does not support the establishment of a 
national database.
    Several commenters indicated that the proposed changes reflected in 
the NPRM would permit data sharing and linking of SLDS across State 
lines, allowing for the creation of a ``de facto'' national database of 
student PII. These commenters expressed concern that interconnected 
SLDS would invite substantial threats to student privacy. Another 
commenter noted that the prohibition regarding the establishment of a 
national database in the ESEA, demonstrated Congress' intent to 
prohibit Federal funding of an interconnected SLDS.
    Discussion: The Department is not establishing a national database 
of PII from education records and we have no intention to do so. 
Moreover, neither ESEA nor HEA provides the Department with the 
authority to establish a Federal database of PII from education 
records. Specifically, ``[n]othing in [ESEA] * * * shall be construed 
to authorize the development of a nationwide database''

[[Page 75611]]

of PII from education records. 20 U.S.C. 7911. Likewise, ``nothing in 
[HEA] shall be construed to authorize the development, implementation, 
or maintenance of a Federal database'' of PII from education records. 
20 U.S.C. 1015c(a).
    On the other hand, we do not agree with the suggestion that 
Congress intended to prohibit States from developing their own SLDS or 
linking SLDS across State lines. The right to develop SLDS or link SLDS 
across State lines is reserved to the States. Both ESEA and HEA permit 
States or a consortium of States to develop their own State-developed 
databases. In fact, HEA specifically states that it does not prohibit 
``a State or a consortium of States from developing, implementing, or 
maintaining State-developed databases that track individuals over time, 
including student unit record systems that contain information related 
to enrollment, attendance, graduation and retention rates, student 
financial assistance, and graduate employment outcomes.'' 20 U.S.C. 
1015c(c).
    The Department does not agree with those commenters who expressed 
concerns that the linking of SLDS across State lines would allow for 
the creation of a ``de facto'' national database of student PII. First, 
as discussed earlier, States are not prohibited from establishing their 
own SLDS or linking SLDS across State lines provided that they do so in 
compliance with all applicable laws, including FERPA. Second, if a 
consortium of States chose to link their individual SLDS across State 
lines, such a system of interconnected SLDS would not be ``national'' 
because the Federal Government would not play a role in its operation. 
Rather, responsibility for operating such a system would lie entirely 
with the consortium of States.
    Further, Congress made clear in the America COMPETES Act and ARRA 
that it supports the development and expansion of SLDS. For example, 
title VIII of ARRA appropriated $250,000,000 to the Institute of 
Education Sciences to carry out section 208 of the Educational 
Technical Assistance Act to provide competitive grants to State for the 
development of their SLDS that include early childhood through 
postsecondary and workforce information. In addition, section 14005 of 
ARRA provides that in order to receive funds under the State Fiscal 
Stabilization Fund a State was required to provide an assurance that it 
will establish an SLDS that includes the elements described in section 
6401(e)(2)(D) of the America COMPETES Act (20 U.S.C. 9871). Consistent 
with congressional intent, these activities are only being carried out 
at the State level, not through the creation of a Federal database. 
These final regulations will help reduce barriers that have hindered 
States and consortia of States from developing, implementing, and 
maintaining their own SLDS.
    Changes: None.

Use of Social Security Numbers

    Comment: Several commenters requested clarification on whether 
Social Security numbers (SSNs) could be maintained in an SLDS or used 
as a linking variable. These commenters stated that they had been 
hindered in their efforts to build a robust SLDS by limitations on the 
exchange of SSNs. Other commenters suggested that the use of SSNs, 
names, and dates of birth be minimized, and that SLDS should instead 
create a common identifier that would allow the SEA and its authorized 
representative to match student records data without an unnecessary 
transfer of SSNs and other identifying information.
    Discussion: We understand that data contained within an SLDS cannot 
be used effectively without using unique linking variables. Without the 
use of linking variables, States would be unable to monitor the 
educational progress and experiences of individual students as they 
progress through the education system across grade levels, schools, 
institutions, and into the workforce.
    FERPA does not prohibit the use of a SSN as a personal identifier 
or as a linking variable. However, we agree with commenters that the 
use of SSNs should be minimized given that SSNs are often used by 
criminals for identity theft. The Federal Government itself attempts to 
minimize the use of SSNs. See, e.g., Office of Management and Budget 
(OMB) Directive M-07-16, ``Safeguarding Against and Responding to the 
Breach of Personally Identifiable Information,'' and ``Guidance for 
Statewide Longitudinal Data Systems,'' (National Center for Education 
Statistics (NCES) 2011- 602). The importance of limiting SSN use is 
recognized in FERPA, as schools are prohibited from designating SSNs as 
directory information. Hence, while FERPA does not expressly prohibit 
States from using SSNs, best practices dictate that States should limit 
their use of SSNs to instances in which there is no other feasible 
alternative.
    Changes: None.

Disclosures Beyond State Lines

    Comment: Several commenters sought clarification on whether FERPA 
allowed PII from education records to be disclosed across State lines, 
noting that there is increased demand to disclose PII from education 
records to third parties in other States to make comparative 
evaluations of Federal- or State-supported education programs, or to 
connect data on students who may be educated in multiple States. For 
example, one commenter asked the Department to clarify whether FERPA 
would permit postsecondary institutions to disclose PII from education 
records, including outcome data back to high schools in another State.
    Several stakeholders have raised questions about whether the 
proposed regulations would permit the State educational authority in 
one State to designate a State educational authority in another State 
as its authorized representative to disclose PII from education records 
from one authority to the other.
    Another commenter recommended that the Department restrict the 
disclosure of PII from education records under the audit or evaluation 
exception to authorized representatives within a State, or 
alternatively limit out-of-State authorized representatives to only 
other State educational authorities. Another commenter also asked about 
a school's ability to disclose PII from education records to other 
countries.
    Discussion: FERPA makes no distinctions based on State or 
international lines. However, transfers of PII from education records 
across international boundaries, in particular, can raise legal 
concerns about the Department's ability to enforce FERPA requirements 
against parties in foreign countries. It is important to keep in mind 
that for a data disclosure to be made without prior written consent 
under FERPA, the disclosure must meet all of the requirements under the 
exceptions to FERPA's general consent requirement. For example, if the 
conditions under the audit or evaluation exception in FERPA are met, a 
State educational authority could designate an entity in a different 
State as an authorized representative for the purpose of conducting an 
audit or evaluation of the Federal- or State-supported education 
programs in either State. The disclosure of PII from education records 
is not restricted by geographic boundaries. However, disclosure of PII 
from education records for an audit or evaluation of a Federal- or 
State-supported education program is permitted only under the written 
agreement requirements in Sec.  99.35(a)(3) that apply to that 
exception. Under these requirements, the disclosing entity would need 
to take reasonable methods

[[Page 75612]]

to ensure to the greatest extent practicable that its authorized 
representative is in compliance with FERPA, as is explained further 
under the Reasonable Methods (Sec.  99.35(a)(2)) section in this 
preamble. More specifically, an LEA could designate a university in 
another State as an authorized representative in order to disclose, 
without consent, PII from education records on its former students to 
the university. The university then may disclose, without consent, 
transcript data on these former students to the LEA to permit the LEA 
to evaluate how effectively the LEA prepared its students for success 
in postsecondary education.
    Changes: None.

Cloud Computing

    Comment: Several commenters sought clarification on whether the 
proposed regulations would permit cloud computing, where data can be 
hosted in a different State or country. Commenters suggested that the 
final regulations not discriminate based on where data are hosted.
    Discussion: The Department has not yet issued any official guidance 
on cloud computing, as this is an emerging field. We note, however, 
that the Federal Government itself is moving towards a model for secure 
cloud computing. Regardless of whether cloud computing is contemplated, 
States should take care that their security plans adequately protect 
student data, including PII from education records, regardless of where 
the data are hosted.
    Changes: None.

Administrative Burden

    Comment: Several commenters predicted an increase in administrative 
time and resources needed to comply with the proposed regulations, with 
one predicting an ``exponential'' increase. Given the current state of 
State budget deficits, several commenters asked the Department to 
provide guidance for ways to decrease burden, such as offering 
``planning and streamlining administrative processes and tools,'' while 
still ensuring the protection of PII from education records.
    Discussion: The Department appreciates this suggestion and 
acknowledges the current reality of State budget deficits. The 
Department believes, however, that regulating the specifics of data 
sharing would drive up costs, not reduce them. The Department notes 
that the changes reflected in these regulations aim to reduce the 
barriers to data sharing while still protecting student privacy. FERPA 
regulations themselves also do not require any data sharing by 
educational agencies or institutions; these data sharing activities are 
voluntary, and may occur at the discretion of educational agencies or 
institutions. We recognize that some educational agencies and 
institutions may need technical assistance from the Department to help 
ensure that their data sharing activities comply with these 
regulations, and the Department will help meet this potential need for 
SEAs and LEAs.
    See the Potential Costs and Benefits, elsewhere in this preamble, 
for our estimation of costs associate