Proposed Rule: Family Educational Rights and Privacy

Monday,
March 24, 2008
Part II
Department of
Education
34 CFR Part 99
Family Educational Rights and Privacy;
Proposed Rule
pwalker on PROD1PC71 with PROPOSALS2
VerDate Aug<31>2005 16:49 Mar 21, 2008 Jkt 214001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\24MRP2.SGM 24MRP2
15574 Federal Register / Vol. 73, No. 57 / Monday, March 24, 2008 / Proposed Rules
DEPARTMENT OF EDUCATION comments and to view supporting and about these proposed regulations in
related materials available room 6W243, 400 Maryland Avenue,
34 CFR Part 99 electronically. Information on using SW., Washington, DC, between the
RIN 1855–AA05 Regulations.gov, including instructions hours of 8:30 a.m. and 4 p.m. Eastern
for submitting comments, accessing time, Monday through Friday of each
[Docket ID ED–2008–OPEPD–0002] documents, and viewing the docket after week except Federal holidays. Public
the close of the comment period, is comments may also be inspected at
Family Educational Rights and Privacy available through the site’s ‘‘User Tips’’ www.regulations.gov.
AGENCY: Office of Planning, Evaluation, link. Assistance to Individuals With
and Policy Development, Department of Postal Mail, Commercial Delivery, or
Disabilities in Reviewing the
Education. Hand Delivery. If you mail or deliver
Rulemaking Record
ACTION: Notice of proposed rulemaking. your comments about these proposed
regulations, address them to LeRoy S. On request, we will supply an
SUMMARY: The Secretary proposes to Rooker, U.S. Department of Education, appropriate aid to an individual with a
amend the regulations governing 400 Maryland Avenue, SW., room disability who needs assistance to
education records maintained by 6W243, Washington, DC 20202–5920. review the comments or other
educational agencies and institutions documents in the public rulemaking
Privacy Note: The Department’s policy for
under section 444 of the General comments received from members of the
record for these proposed regulations. If
Education Provisions Act, which is also public (including those comments submitted you want to schedule an appointment
known as the Family Educational Rights by mail, commercial delivery, or hand for this type of aid, please contact the
and Privacy Act of 1974, as amended delivery) is to make these submissions person listed under FOR FURTHER
(FERPA). These proposed regulations available for public viewing in their entirety INFORMATION CONTACT.
are needed to implement amendments on the Federal eRulemaking Portal at http://
www.regulations.gov. Therefore, commenters Background
to FERPA contained in the USA Patriot
Act and the Campus Sex Crimes
should be careful to include in their These proposed regulations would
comments only information that they wish to implement section 507 of the Uniting
Prevention Act, to implement two U.S. make publicly available on the Internet.
Supreme Court decisions interpreting and Strengthening America by
FERPA, and to make necessary changes FOR FURTHER INFORMATION CONTACT: Providing Appropriate Tools Required
identified as a result of the Department’s Frances Moran, U.S. Department of to Intercept and Obstruct Terrorism
experience administering FERPA and Education, 400 Maryland Avenue, SW., (USA Patriot Act) of 2001 (Pub. L. 107–
current regulations. These changes room 6W243, Washington, DC 20202– 56), enacted Oct. 26, 2001, and the
would clarify permissible disclosures to 8250. Telephone: (202) 260–3887. Campus Sex Crimes Prevention Act,
parents of eligible students and If you use a telecommunications section 1601(d) of the Victims of
conditions that apply to disclosures in device for the deaf (TDD), you may call Trafficking and Violence Protection Act
health and safety emergencies; clarify the Federal Relay Service (FRS) at 1– of 2000 (Pub. L. 106–386), enacted Oct.
permissible disclosures of student 800–877–8339. 28, 2000, both of which amended
identifiers as directory information; Individuals with disabilities may FERPA. The proposed regulations also
allow disclosures to contractors and obtain this document in an alternative would implement the U.S. Supreme
other outside parties in connection with format (e.g., Braille, large print, Court’s decisions in Owasso
the outsourcing of institutional services audiotape, or computer diskette) on Independent School Dist. No. I–011 v.
and functions; revise the definitions of request to the contact person listed Falvo, 534 U.S. 426 (2002) (Owasso) and
attendance, disclosure, education under FOR FURTHER INFORMATION Gonzaga University v. Doe, 536 U.S. 273
records, personally identifiable CONTACT. (2002) (Gonzaga). Finally, the proposed
information, and other key terms; clarify regulations respond to changes in
Invitation To Comment information technology and address
permissible redisclosures by State and
We invite you to submit comments other issues identified through the
Federal officials; and update
and recommendations regarding these Department’s experience administering
investigation and enforcement
proposed regulations. To ensure that FERPA, including the need to clarify
provisions.
your comments have maximum effect in how postsecondary institutions may
DATES: We must receive your comments developing the final regulations, we share information with parents and
on or before May 8, 2008. urge you to identify clearly the specific other parties in light of the tragic events
ADDRESSES: Submit your comments section or sections of the proposed at Virginia Tech in April 2007. The
through the Federal eRulemaking Portal regulations that each of your comments Department has developed these
or via postal mail, commercial delivery, addresses and to arrange your comments proposed regulations in accordance
or hand delivery. We will not accept in the same order as the proposed with its ‘‘Principles for Regulating,’’
comments by fax or by e-mail. Please regulations. which are intended to ensure that the
submit your comments only one time, in We invite you to assist us in Department regulates in the most
order to ensure that we do not receive complying with the specific flexible, equitable, and least
duplicate copies. In addition, please requirements of Executive Order 12866 burdensome way possible. These
include the Docket ID at the top of your and its overall requirement of reducing proposed regulations seek to provide the
comments. regulatory burden that might result from greatest flexibility to State and local
Federal eRulemaking Portal: Go to these proposed regulations. Please let us governments and schools while
http://www.regulations.gov. Under know of any further opportunities we
ensuring that personally identifiable

‘‘Search Documents’’ go to ‘‘Optional should take to reduce potential costs or information about students remains
Step 2’’ and select ‘‘Department of increase potential benefits while protected from unauthorized disclosure.
Education’’ from the agency drop-down preserving the effective and efficient
menu; then click ‘‘Submit.’’ In the administration of the program. Technical Corrections
Docket ID column, select ED–2008– During and after the comment period, The proposed regulations correct
OPEPD–0002 to add or view public you may inspect all public comments § 99.33(e) by adding the statutory
Federal Register / Vol. 73, No. 57 / Monday, March 24, 2008 / Proposed Rules 15575
language ‘‘outside the educational information contained in an education SSNs and other student ID numbers are
agency or institution’’ after the words record of a student that would not also personal identifiers and personally
‘‘third party’’ in the first sentence. They generally be considered harmful or an identifiable information under § 99.3.
also correct an error in the section invasion of privacy if disclosed, and Unlike names and addresses, SSNs and
number cited in § 99.34(a)(1)(ii). includes information listed in FERPA other student ID numbers are typically
(e.g., a student’s name and address, used to obtain a variety of non-public
Significant Proposed Regulations telephone listing) as well as other information about an individual, such
We discuss substantive issues under information, such as a student’s as employment, credit, financial, health,
the sections of the proposed regulations electronic mail (e-mail) address, motor vehicle, and educational
to which they pertain. Generally, we do enrollment status, and photograph. information, that would be harmful or
not address proposed regulatory Current regulations do not specify an invasion of privacy if disclosed. An
provisions that are technical or whether a student’s Social Security SSN or other student ID number can
otherwise minor in effect. Number (SSN), official student also be used in conjunction with
identification (ID) number, or personal commonly available information, such
1. Definitions (§ 99.3)
identifier for use in electronic systems as name, address, and date of birth, to
Attendance may be designated and disclosed as establish fraudulent accounts and
directory information. otherwise impersonate an individual.
Statute: 20 U.S.C. 1232g(a)(6) defines
Proposed Regulations: The proposed As a result, under the proposed
the term student as any person with regulations would provide that an regulations, SSNs and other student ID
respect to whom an educational agency educational agency or institution may numbers may not be designated and
or institution maintains education not designate as directory information a disclosed as directory information.
records or personally identifiable student’s SSN or other student ID Educational agencies and institutions
information but does not include a number. However, directory information have reported to us that in addition to
person who has not been in attendance may include a student’s user ID or other needing a traditional student ID number
at such agency or institution. The unique identifier used by the student to (or SSN used as a student ID number),
statute does not define attendance. access or communicate in electronic they need to identify or assign to
Current Regulations: As defined in the systems, but only if the electronic students a unique electronic identifier
current regulations, the term attendance identifier cannot be used to gain access that can be made available publicly.
includes attendance in person or by to education records except when used (Names are generally not appropriate for
correspondence, and the period during in conjunction with one or more factors these purposes because they may not be
which a person is working under a that authenticate the student’s identity, unique to the population.) Unique
work-study program. The current such as a personal identification electronic identifiers are needed, for
definition does not address the status of number (PIN), password, or other factor example, for students to be able to use
distance learners who are taught known or possessed only by the student. portals or single sign-on approaches to
through the use of electronic Reasons: SSNs and other student ID student information systems that
information and telecommunications numbers are personal identifiers that are provide access to class registration,
technologies. typically used for identification academic records, library resources, and
Proposed Regulations: The proposed purposes in order to establish an other student services. Much of the
regulations in § 99.3 would add account, gain access to or confirm directory-based software used for these
attendance by videoconference, satellite, private information, obtain services, etc. systems, as well as protocols for
Internet, or other electronic information The proposed regulations are needed to electronic collaboration by students and
and telecommunications technologies ensure that educational agencies and teachers within and among institutions,
for students who are not physically institutions do not disclose these essentially cannot function without
present in the classroom. identifiers as directory information, or making an individual’s user ID or other
Reasons: The proposed regulations include them with other personally electronic identifier publicly available
are needed to clarify that students who identifiable information that may be in these kinds of systems.
are not physically present in the disclosed as directory information, Some systems, for example, require
classroom may attend an educational because SSNs and other student ID users to log on with their e-mail address
agency or institution not only through numbers can be used to impersonate the or other published user name or account
traditional correspondence courses but owner of the number and obtain ID. (Note that a student’s e-mail address
through advanced electronic information or services by fraud. The was added to the regulatory definition
information and telecommunications proposed regulations are also needed to of directory information in the final
technologies used for distance clarify that unique personal identifiers regulations published on July 6, 2000
education, such as videoconferencing, used for electronic communications (65 FR 41852, 41855). Public key
satellite, and Internet-based may be disclosed as directory infrastructure (PKI) technology for
communications. information under certain conditions. encryption and digital signatures also
Names and addresses are personal requires wide dissemination of the
Directory Information identifiers (and personally identifiable sender’s public key. These are the types
Statute: 20 U.S.C. 1232g(a)(5), (b)(1), information under § 99.3) that have of circumstances in which educational
and (b)(2) allows disclosure without always been available for disclosure as agencies and institutions may need to
consent of information such as a directory information under FERPA publish or disclose a student’s unique
student’s name and address, telephone because they are generally known to electronic identifier.
listing, date and place of birth, major others and often appear in public The proposed regulations would
field of study, etc., defined as directory directories outside the school context. permit disclosure of a student’s user ID
information, provided that specified (It is precisely because names and or other electronic identifier as directory
notice and opt out conditions have been addresses are widely available that they information, but only if the identifier
met. may not be used to authenticate functions essentially as a name; that is,
Current Regulations: Directory identity, as discussed below in the identifier is not used by itself to
information is defined in § 99.3 as connection with proposed § 99.31(c).) authenticate identity and cannot be
used by itself to gain access to education status as an authentic record. School A educational agency or institution after
records. A unique electronic identifier may confirm or deny that the record is an individual is no longer a student in
disclosed as directory information may accurate and send the correct version attendance and are not directly related
be used to provide access to the back to School B under § 99.31(a)(2), to the individual’s attendance as a
student’s education records, but only which allows an institution to disclose student.
when combined with other factors education records without prior written Reasons: Institutions have told us that
known only to the authorized user consent to an institution in which the there is some confusion about the
(student, parent, or school official), such student seeks or intends to enroll, or is provision in the definition of education
as a secret password or PIN, or some already enrolled. records that excludes certain alumni
other method to authenticate the user’s The proposed regulations would also records from the definition. Some
identity and ensure that the user is, in permit a State or local educational schools have mistakenly interpreted this
fact, a person authorized to access the authority or other entity to redisclose provision to mean that any record
records. education records or personally created or received after a student is no
Note that eligible students and identifiable information from education longer enrolled is not an education
parents have a right under FERPA to opt records, without consent, to the school record under FERPA. The proposed
out of directory information disclosures district, institution, or other party that
regulations are needed to clarify that the
and refuse to allow the student’s e-mail provided the records or information.
exclusion is intended to cover records
address, user ID or other electronic Reasons: School officials have
reported to the Department that they are that concern an individual or events
identifier disclosed as directory
receiving with more frequency what that occur after the individual is no
information (except as provided in
appear to be falsified transcripts, letters longer a student in attendance, such as
proposed § 99.37(c), discussed
of recommendation, and other alumni activities. The exclusion is not
elsewhere in this document). This is
information about students from intended to cover records that are
similar to a decision not to participate
educational agencies and institutions. created and matters that occur after an
in an institution’s paper-based student
The proposed amendment is needed to individual is no longer in attendance
directory, yearbook, commencement
program, etc. In these cases, the student verify the accuracy of this type of but that are directly related to his or her
or parent will not be able to take information and to ensure that the previous attendance as a student, such
advantage of the services, such as privacy protections in FERPA are not as a settlement agreement that concerns
portals for class registration, academic used to shield or prevent detection of matters that arose while the individual
records, etc., provided solely through fraud. was in attendance as a student.
the electronic communications or Several State educational agencies Statute: The statute does not address
software that require public disclosure (SEAs) that maintain consolidated peer-grading practices in relation to
of the student’s unique electronic student records systems have also FERPA requirements.
identifier. expressed uncertainty whether they may Current Regulations: The definition of
allow a local school district to obtain education records includes records that
Disclosure
access to personally identifiable are maintained by an educational
Statute: 20 U.S.C. 1232g(b)(1) and information from education records agency or institution, or a party acting
(b)(2) provides that an educational provided to the SEA by that district. The for the educational agency or
agency or institution subject to FERPA amendment is needed to clarify that institution, but does not provide any
may not have a policy or practice of SEAs and other parties that maintain guidance on the status of student-graded
releasing, permitting the release of, or education records provided by school tests and assignments before they have
providing access to personally districts and other educational agencies been collected and recorded by a
identifiable information from education and institutions may allow a party to teacher.
records without prior written consent. obtain access to the specific records and
Current Regulations: The regulations Proposed Regulations: Proposed
information that the party provided to regulations in § 99.3 would clarify that
in § 99.3 define the term disclosure to the consolidated student records
mean permitting access to or the release, peer-graded papers that have not been
system. collected and recorded by a teacher are
transfer, or other communication of
personally identifiable information from Education Records not considered maintained by an
education records to any party by any Statute: 20 U.S.C. 1232g(a)(4) educational agency or institution and,
means. The regulations do not address provides a broad, general definition of therefore, are not education records
issues relating to the return of records education records that includes all under FERPA.
to the party that provided or created records that are directly related to a Reasons: The proposed regulations
them. student and maintained by an are needed to implement the U.S.
Proposed Regulations: The proposed educational agency or institution. Supreme Court’s decision on peer-
regulations would exclude from the Student, in turn, is defined in 20 U.S.C. graded papers in Owasso. ‘‘Peer-
definition of disclosure the release or 1232g(a)(6) to exclude individuals who grading’’ refers to a common
return of an education record, or have not been in attendance at the educational practice in which students
personally identifiable information from agency or institution. exchange and grade one another’s
an education record, to the party Current Regulations: The definition of papers and then either call out the grade
identified as the party that provided or education records in § 99.3 excludes or turn in the work to the teacher for
created the record. This would allow an records that only contain information recordation. In Owasso, the Court held
educational agency or institution about an individual after he or she is no that this practice does not violate
(School B) to send a transcript, letter of longer a student. FERPA because ‘‘the grades on students’
recommendation, or other record that Proposed Regulations: The proposed papers would not be covered under
appears to have been falsified back to regulations would clarify that, with FERPA at least until the teacher has
the institution or school official respect to former students, the term collected them and recorded them in his
identified as the creator or sender of the education records excludes records that or her grade book.’’ Owasso, 534 U.S. at
record (School A) for confirmation of its are created or received by the 436.
Personally Identifiable Information education programs, or for the which disclosure of education records
Statute: 20 U.S.C. 1232g(b)(1) and enforcement of or compliance with remains limited to educational
(b)(2) provide that an educational Federal legal requirements that relate to authorities or officials.
agency or institution may not have a those programs.
Current Regulations: The current 2. Disclosures to Parents of Eligible
policy or practice of permitting the Students (§§ 99.5, 99.36)
regulations do not address the
release of or providing access to
disclosure of education records to State Section 99.5(a) (Rights of Students)
education records or any personally
auditors.
identifiable information other than Statute: 20 U.S.C. 1232g(d) provides
Proposed Regulations: The proposed
directory information in education regulations in § 99.3 would define State that once a student reaches 18 years of
records without prior written consent auditor as a party under any branch of age or attends a postsecondary
except in accordance with statutory government with authority and institution, all rights accorded to
exceptions. responsibility under State law for parents under FERPA, and the consent
Current Regulations: The term conducting audits. We propose to add a required to disclose education records,
personally identifiable information is new paragraph (a)(2) to § 99.35 to clarify transfer from the parents to the student.
defined in § 99.3 to include the that State auditors that are not State or Under 20 U.S.C. 1232g(b)(1)(H), an
student’s name and other personal local educational authorities may have educational agency or institution may
identifiers, such as the student’s social access to education records in disclose personally identifiable
security number or student number. connection with an audit of Federal or information from an education record
Current regulations also include indirect State supported education programs. without meeting FERPA’s written
identifiers, such as the name of the Reasons: 20 U.S.C. 1232g(b)(3) consent requirement to parents of a
student’s parent or other family (section (b)(3) of the statute) allows dependent student as defined in 26
members; the address of the student or disclosure of education records without U.S.C. 152. Under 20 U.S.C. 1232g(i), an
the student’s family; and personal consent to ‘‘State educational institution of higher education may
characteristics or other information that authorities’’ for audit and evaluation disclose personally identifiable
would make the student’s identity easily purposes. According to the legislative information from an education record,
traceable. history of FERPA, section (b)(5) of the without meeting FERPA’s written
Proposed Regulations: The proposed statute, which allows disclosure of consent requirement, to a parent or legal
regulations would add biometric record education records without consent to guardian of a student information
to the list of personal identifiers and ‘‘State and local educational officials’’ regarding the student’s violation of any
add other indirect identifiers, such as for audit and evaluation purposes, was Federal, State or local law, or any rule
date and place of birth and mother’s added in 1979 to ‘‘correct an anomaly’’ or policy of the institution governing the
maiden name, to the list of personally in which the existing exception in use or possession of alcohol or a
identifiable information. The section (b)(3) was interpreted to controlled substance if the student is
regulations would remove language preclude State auditors from obtaining under the age of 21 and the institution
about personal characteristics and other records in order to conduct State audits determines that the student has
information that would make the of local and State-supported programs. committed a disciplinary violation with
student’s identity easily traceable and See H.R. Rep. No. 338, 96th Cong., 1st respect to such use or possession. Under
provide instead that personally Sess. at 10 (1979), reprinted in 1979 U.S. 20 U.S.C. 1232g(b)(1)(I), an educational
identifiable information includes other Code Cong. & Admin. News 819, 824. agency or institution may disclose
information that, alone or in The amended statutory language in personally identifiable information from
combination, is linked or linkable to a section (b)(5) is ambiguous, however, an education record, without meeting
specific student that would allow a because it does not actually mention FERPA’s written consent requirement,
reasonable person in the school or its State auditors and, like section (b)(3), to appropriate persons in connection
community, who does not have personal refers only to educational officials. Over with an emergency if the knowledge of
knowledge of the relevant the years several States have questioned such information is necessary to protect
circumstances, to identify the student whether this exception includes audits the health or safety of the student or
with reasonable certainty. Personally conducted by legislative branch officials other persons.
identifiable information would also and other parties that may not be Current Regulations: Section 99.3
include information requested by a considered educational authorities or defines an eligible student as a student
person who the educational agency or officials. who has reached 18 years of age or
institution reasonably believes has The regulations are needed to clarify attends a postsecondary institution.
direct, personal knowledge of the that State auditors may receive Section 99.5(a) states that rights
identity of the student to whom the personally identifiable information from accorded to parents, and consent
education record directly relates. education records, without prior written required of parents, to disclose
Reasons: See the discussion of consent, even if they are not considered education records under FERPA transfer
proposed regulations adding a new State or local educational authorities or from parents to a student when the
§ 99.31(b) for de-identified education officials, provided that they are auditing student meets the definition of an
records elsewhere in this document. a Federal or State supported education eligible student.
program. We are interested in receiving Section 99.31(a)(8) provides that an
State Auditor comments about whether the definition educational agency or institution may
Statute: 20 U.S.C. 1232g(b)(1)(C), needs to cover local auditors as well. disclose personally identifiable
(b)(3), and (b)(5) allows an educational The exception for disclosure of information from education records
agency or institution to disclose education records to State auditors is without consent to parents of a
personally identifiable information from narrowly limited to audits (defined in dependent student as defined in section
education records, without prior written proposed § 99.35 as testing compliance 152 of the Internal Revenue Code of
consent, to State and local educational with applicable laws, regulations, and 1986. Under § 99.31(a)(15) written
authorities and officials for the audit or standards) and does not include the consent is not required, regardless of
evaluation of Federal or State supported broader concept of evaluations, for dependency status, to disclose to a
parent of a student at an institution of records to parents of certain eligible 3. Authorized Disclosure of Education
postsecondary education information students whether or not the student Records Without Prior Written Consent
regarding the student’s violation of any consents. (§ 99.31)
Federal, State or local law, or of any rule Section 99.31(a)(8) permits an Section 99.31(a)(1) (School Officials)
or policy of the institution, governing
educational agency or institution to Outsourcing
the use or possession of alcohol or a
disclose education records, without Statute: 20 U.S.C. 1232g(a)(4)(A)
controlled substance if the institution
determines that the student has consent, to either parent if at least one defines education records to include
committed a disciplinary violation with of the parents has claimed the student records maintained by an educational
respect to that use or possession and the as a dependent on the parent’s most agency or institution or by ‘‘a person
student is under the age of 21 at the time recent tax return. Because many college acting for’’ the agency or institution.
of the disclosure to the parent. students (and 18-year-old high school Under 20 U.S.C. 1232g(b)(1)(A), an
Section 99.31(a)(10) provides that an students) are tax dependents of their educational agency or institution may
educational agency or institution may parents, this provision allows these allow teachers and other school officials
disclose personally identifiable institutions to disclose information from within the institution or agency,
information from education records education records to the students’ without prior written consent, to obtain
without consent if the disclosure is in parents without meeting the written access to education records if the
connection with a health or safety consent requirements in § 99.30. institution or agency has determined
emergency under the conditions (Institutions must first determine that a that they have legitimate educational
described in § 99.36. Section 99.36 parent has claimed the student as a interests in the information.
provides that an educational agency or Current Regulations: Section
dependent on the parent’s Federal
institution may disclose personally 99.31(a)(1) allows disclosure of
income tax return. Institutions can
identifiable information from an personally identifiable information from
determine that a parent claimed a education records without consent to
education record to appropriate parties
student as a dependent by asking the school officials, including teachers,
in connection with an emergency if
parent to submit a copy of the parent’s within the agency or institution if the
knowledge of the information is
necessary to protect the health or safety most recent Federal tax return. educational agency or institution has
of the student or other individuals. Institutions can also rely on a student’s determined that they have legitimate
Proposed Regulations: The proposed assertion that he or she is not a educational interests in the information.
regulations in § 99.5 clarify that even dependent unless the parent provides An educational agency or institution
after a student has become an eligible contrary evidence.) that discloses information under this
student, an educational agency or The proposed regulations are also exception must specify in its annual
institution may disclose education needed to clarify that colleges and other notification of FERPA rights under
records to the student’s parents, without institutions may disclose information § 99.7(a)(3)(iii) the criteria it uses to
the consent of the eligible student, if the from education records to an eligible determine who constitutes a school
student is a dependent for Federal official and what constitutes legitimate
student’s parents, without consent,
income tax purposes (§ 99.31(a)(8)); in educational interests. The
under § 99.31(a)(15) if the institution
connection with a health or safety recordkeeping requirements in
has determined that the student has § 99.32(d) do not apply to disclosures to
emergency (§ 99.31(a)(10)); if the
violated Federal, State, or local law or school officials with legitimate
student is under the age of 21 and has
violated an institutional rule or policy an institution’s rules or policies educational interests. Current
governing the use or possession of governing alcohol or substance abuse regulations do not address disclosure of
alcohol or a controlled substance (provided the student is under 21 years education records without consent to
(§ 99.31(a)(15)); and if the disclosure of age), and in connection with a health contractors, consultants, volunteers, and
falls within any other exception to the or safety emergency under other outside parties providing
consent requirement in § 99.31(a) of the §§ 99.31(a)(10) and 99.36 (regardless of institutional services and functions or
regulations, such as the disclosure of the student’s age) if the information is otherwise acting for an agency or
directory information or in compliance needed to protect the health or safety of institution.
with a court order or lawfully issued the student or other individuals. These Proposed Regulations: The proposed
subpoena. The proposed regulations in exceptions apply whether or not the regulations in § 99.31(a)(1)(i)(B) would
§ 99.36(a) would clarify that an eligible student is a dependent of a parent for expand the school official exception to
student’s parents are appropriate parties tax purposes. These proposed include contractors, consultants,
to whom an educational agency or regulations would clarify the volunteers, and other outside parties to
institution may disclose personally Department’s policy with respect to an whom an educational agency or
identifiable information from education agency’s or institution’s disclosure of institution has outsourced institutional
records without consent in a health or information from education records to services or functions that it would
safety emergency. otherwise use employees to perform.
parents under the health and safety
Reasons: The Secretary is concerned The outside party who obtains access to
emergency exception and do not
that some institutions are under the education records without consent must
mistaken impression that FERPA represent a change in the Department’s be under the direct control of the agency
prevents them from providing parents interpretation of who may qualify as an or institution and subject to the same
with any information about a college appropriate party under the health or conditions governing the use and
student. The proposed regulations are safety emergency exception to the redisclosure of education records that
needed to clarify that FERPA contains consent requirement. While institutions apply to other school officials under
exceptions to the written consent may choose to follow a policy of not § 99.33(a) of the regulations. These
requirement that permit colleges and disclosing education records to parents proposed regulations supersede
other educational agencies and of eligible students in these previous technical assistance guidance
institutions to disclose personally circumstances, FERPA does not issued by the Family Policy Compliance
identifiable information from education mandate such a policy. Office (Office) regarding disclosure of
education records without consent to an educational agency or institution to institutional services and functions and
parties acting for an educational agency provide enrollment and degree disclosing education records to
or institution. verification services must ensure that contractors and other outside parties
Educational agencies and institutions only individuals with legitimate performing those services and functions
that outsource institutional services and educational interests obtain access to in appropriate circumstances, such as
functions must comply with the annual personally identifiable information from for legal advice; debt collection;
FERPA notification requirements under education records maintained on behalf transcript distribution; fundraising and
the current regulations in § 99.7(a)(3)(iii) of the agency or institution. In alumni communications; development
by specifying their contractors, accordance with current regulations at and management of information
consultants, and volunteers as school § 99.33(b), a contractor may not systems; and degree and enrollment
officials retained to provide various redisclose personally identifiable verification. The Secretary wishes to
institutional services and functions. information without prior written clarify and define the scope of this
Failure to comply with the notice consent unless the educational agency practice to avoid further confusion and
requirements for school officials in or institution has authorized the prevent weakening of FERPA’s privacy
§ 99.7(a)(3)(iii) is not excused by redisclosure under a FERPA exception protections because of uncertainty about
recording the disclosure under § 99.32. and the agency or institution records the the requirements for making these kinds
(We note that under current regulations subsequent disclosure in accordance of disclosures.
disclosures to school officials under with the requirements in § 99.32(b). Like One of the most frequently used
§ 99.31(a)(1) are specifically excluded other school officials, contractors and exceptions to the prior written consent
from the recordation requirements other outside parties who provide requirement allows teachers and other
under § 99.32(d).) As a result, an institutional services may not decide school officials to obtain access to
educational agency or institution that unilaterally to redisclose personally education records provided the
has not included contractors and other identifiable information from education educational agency or institution has
outside service providers as school records, even in circumstances that determined that the school official has
officials with legitimate educational would comply with an exception in legitimate educational interests in the
interests in its annual FERPA § 99.31(a). information. This exception covers not
notification may not disclose any Additionally, records directly related only teachers and principals, but also
personally identifiable information from to a student that are maintained by a school counselors, registrars,
education records to these parties until party acting for an educational agency admissions personnel, attorneys,
it has complied with the notice or institution are education records accountants, human resource staff,
requirements in § 99.7(a)(3)(iii). subject to all FERPA requirements. This information systems specialists, and
Educational agencies and institutions includes any new student records designated support and clerical
are responsible for their outside service created under an outsourcing agreement personnel when they need access to
providers’ failures to comply with that are maintained by the outside personally identifiable information from
applicable FERPA requirements. The service provider. education records in order to perform
agency or institution must ensure that Reasons: The proposed regulations their official functions and duties for
the outside party does not use or allow are needed to resolve uncertainty about their employer. As noted above, an
anyone to obtain access to personally the specific conditions under which educational agency or institution that
identifiable information from education educational agencies and institutions allows school officials to obtain access
records except in strict accordance with may disclose personally identifiable to education records under this
the requirements established by the information from education records, exception must, under § 99.7(a)(3),
educational agency or institution that without prior written consent, to include in its annual notification of
discloses the information. contractors, consultants, volunteers, and FERPA rights a specification of its
All outside parties serving as school other outside parties performing criteria for determining who constitutes
officials are subject to FERPA’s institutional services or functions. a school official and what constitutes
restrictions on the use and redisclosure While there is no explicit statutory legitimate educational interests under
of personally identifiable information exception to the prior written consent § 99.31(a)(1). Disclosures to school
from education records. These requirement for disclosures to officials under current regulations are
restrictions include current provisions contractors and other non-employees to subject to the restrictions on the use and
in § 99.33(a), which requires an whom an educational agency or redisclosure of information in § 99.33
educational agency or institution that institution has outsourced services, we but are exempt from the FERPA
discloses personally identifiable note that the statutory definition of recordkeeping requirements in § 99.32.
information from education records to education records protects records that The proposed regulations are
do so only on the condition that the are maintained by a party acting for the included with the exception for school
recipient, including a teacher or other agency or institution. See 20 U.S.C. officials in § 99.31(a)(1) because we
school official, will use the information 1232g(a)(4)(A)(ii). Indeed, the Joint believe that disclosures made for
only for the purpose for which the Statement in Explanation of Buckley/ contract, volunteer, and other
disclosure was made and will not Pell Amendment (120 Cong. Rec. outsourced services and functions
redisclose the information to any other S39862, Dec. 13, 1974) refers should be subject to the same conditions
party without the prior consent of the specifically to materials that are that would apply if the outside party
parent or eligible student unless the maintained by a school ‘‘or by one of its were, in fact, providing institutional
educational agency or institution has agents’’ when describing the meaning of services or functions as an employee or
authorized the redisclosure under a the new term education records in the officer of the educational agency or
FERPA exception and the agency or December 1974 amendments to the institution. In particular, the outside
institution records the subsequent statute. party must be under the direct control
disclosure in accordance with the The Department has long recognized of the agency or institution with respect
requirements in § 99.32(b). in guidance that FERPA does not to the maintenance and use of
For example, under the proposed prevent educational agencies and personally identifiable information from
regulations, a party that contracts with institutions from outsourcing education records. The outside party
must also perform the type of electronic format. Agencies and Federal Information Systems’’
institutional services or functions for institutions that choose not to use (December 2007). Educational
which the agency or institution would physical or technological controls to institutions and agencies are not
otherwise use its own employees. For restrict a school official’s access to required to implement the NIST 800–53
example, an institution may disclose education records must ensure that their guidance, but may find it useful when
education records without consent administrative policy for controlling determining possible controls.) For
under this provision to an outside party access to and maintenance of education example, software used to access
retained to provide enrollment records is effective and that the agency electronic records may contain role-
verification services to student loan or institution remains in compliance based security features that allow
holders because the institution would with the legitimate educational interests teachers to view only information about
otherwise have to use its own requirement in § 99.31(a)(1)(i)(A). students currently enrolled in their
employees to conduct the required (These proposed regulations do not classes. Similarly, a school principal or
verifications. In contrast, an institution address what constitutes a legitimate registrar may maintain paper records in
may not use this provision to disclose educational interest under the locked cabinets and distribute records to
education records, without consent, to a regulations.) authorized officials on an as needed
financial institution or insurance Reasons: The proposed regulations basis.
company that provides a good student are needed to ensure that teachers and An educational agency or institution
discount on its services and needs other school officials only gain access to that does not use some kind of physical
students’ ID numbers and grades to education records in which they have a or technological controls to restrict
verify an individual’s eligibility, even if legitimate educational interest. While access and leaves education records
the institution enters into a contract the proposed regulations apply to open to all school officials may rely
with these companies to provide the records in any format (as defined in instead on administrative controls, such
student discount. § 99.3), the need to ensure compliance as an institutional policy that prohibits
with the legitimate educational interest teachers and other school officials from
Access to Education Records by School requirement has been driven largely by accessing records except when they
Officials the increased use of computerized or have a legitimate educational interest.
Statute: 20 U.S.C. 1232g(b)(1)(A) electronic recordkeeping systems in However, an agency or institution that
provides that an educational agency or which a user may have access to all forgoes physical or technological access
institution may allow teachers and other records. controls must ensure that its
school officials within the agency or Many of the smaller educational administrative policy for controlling
institution to obtain access to education agencies and institutions typically use a access is effective and that it remains in
records, without prior written consent, combination of physical and compliance with the legitimate
if the agency or institution has administrative methods to restrict educational interest requirement in
determined that the school official has access by school officials to paper copy § 99.31(a)(1). In that regard, if a parent
legitimate educational interests in the records. For example, paper copy or eligible student alleges that a school
information. records may be maintained in lockable official obtained access to a student’s
Current Regulations: Section cabinets, desks, or rooms with education records without a legitimate
99.31(a)(1) allows an educational agency distribution of records to school officials educational interest, an agency or
or institution to disclose personally controlled by the teacher, registrar, or institution must show that the school
identifiable information from education other authorized custodian as official possessed a legitimate
records without consent to school appropriate. With the advent of educational interest in obtaining the
officials, including teachers, within the computerized or electronic records, personally identifiable information from
agency or institution if the educational particularly by the mid-size and larger education records maintained by the
agency or institution has determined agencies and institutions, parents and agency or institution. An agency or
that they have legitimate educational students have complained that school institution may wish to restrict or track
interests in the information. An officials may have unrestricted access to school officials who obtain access to
educational agency or institution that the records of all students in an education records to ensure that it is in
discloses information under this institution’s or local educational compliance with § 99.31(a)(1)(i)(A).
exception must specify in its annual agency’s (LEA) system. Agencies and The risk of unauthorized access to
notification of FERPA rights under institutions establishing or upgrading education records by school officials
§ 99.7(a)(3)(iii) the criteria it uses to electronic student information systems means the likelihood that records may
determine who constitutes a school have also expressed uncertainty about be targeted for compromise and the
official and what constitutes legitimate what methods they should use to harm that could result. Methods used by
educational interests. Current comply with the legitimate educational an educational agency or institution to
regulations do not specify whether the interest requirement in this new ensure compliance with the legitimate
agency or institution must ensure that environment. educational interests requirement are
school officials obtain access to only Under the proposed regulations, an considered reasonable under the
those education records in which they educational agency or institution should proposed regulations if they reduce the
have legitimate educational interests. implement controls to protect student risk of unauthorized access by school
Proposed Regulations: The proposed records. These controls should consist officials to a level commensurate with
regulations in § 99.31(a)(1)(ii) would of a combination of appropriate the likely threat and potential harm. The
require an educational agency or physical, technical, administrative, and greater the harm that would result from
institution to use reasonable methods to operational controls which will allow unauthorized access or disclosure and
ensure that teachers and other school access to be limited when required. the greater the likelihood that
officials obtain access to only those (Some examples of possible information unauthorized access or disclosure will
education records in which they have security controls can be found in ‘‘The occur, the more protections an agency or
legitimate educational interests. This National Institute of Standards and institution must use to ensure that its
requirement would apply to education Technology (NIST) 800–53, methods are reasonable. For example,
records maintained in either paper or Recommended Security Controls for high risk records, such as those that
contain credit card information, SSNs on educational agencies and institutions representatives of the organization that
and other elements used for identity by allowing them to send transcripts conducts the study and must be
theft, immunization and other health and other information from education destroyed when no longer needed for
records, certain records on special records to schools where a student seeks the study. As explained in
education students, and official or intends to enroll without meeting the § 99.31(a)(6)(iii), failure to destroy
transcripts and grades should generally formal consent requirements in § 99.30. information in accordance with this
receive greater and more immediate We have concluded that authority to requirement could lead to a five-year
protection than medium or low risk disclose or transfer information to a ban on disclosure of information to that
records, such as those containing only student’s new school under this organization.
publicly releasable directory exception does not cease automatically Current Regulations: The regulations
information. Methods that an the moment a student has actually restate the statutory language that the
educational agency or institution should enrolled. Rather, an educational agency study is conducted ‘‘for, or on behalf of’’
use to reduce risk to an acceptable level or institution may transfer education the educational agency or institution,
will depend on a variety of factors, records to a student’s new school, but do not explain what this language
including the organization’s size and including a postsecondary institution, at means.
resources. In all cases, reasonableness any point in time if the disclosure is in Proposed Regulations: The proposed
depends ultimately on what are the connection with the student’s regulations require an educational
usual and customary good business enrollment in the new school. agency or institution that discloses
practices of educational agencies and Based on these considerations, we education records without consent
institutions, which requires ongoing have also determined that an under § 99.31(a)(6) to enter into a
review and modification of methods and educational agency or institution may written agreement with the recipient
procedures, where appropriate, as update, correct, or explain information organization that specifies the purposes
standards and technologies continue to it has disclosed to another educational of the study. The agency or institution
change. agency or institution as part of the that discloses education records under
original disclosure under § 99.31(a)(2) this exception does not have to agree
Section 99.31(a)(2) (Disclosure to a without complying with the written with or endorse the conclusions or
School Where Student Seeks or Intends consent requirements in § 99.30. That is, results of the study. The written
To Enroll) a student’s previous institution is not agreement must specify that information
Statute: 20 U.S.C. 1232g(b)(1)(B) required to obtain prior written consent from education records may only be
allows an educational agency or under § 99.30 to respond to the new used to meet the purposes of the study
institution to disclose, under certain institution’s request to explain the stated in the written agreement and
conditions, education records to another meaning of education records sent to it must contain the current restrictions on
school or school system in which the in connection with a student’s new redisclosure and destruction of
student seeks or intends to enroll enrollment. information requirements applicable to
without obtaining the prior written Finally, in the aftermath of the information disclosed under this
consent of a parent or eligible student. shooting at Virginia Tech, some exception.
Current Regulations: Under questions have arisen about whether Reasons: Research organizations have
§ 99.31(a)(2), an educational agency or FERPA prohibits the disclosure of asked for clarification about the
institution may disclose education certain types of information from circumstances in which an educational
records, without prior written consent, students’ education records to new agency or institution may disclose to
to officials of another school, school schools or postsecondary institutions to them personally identifiable
system, or postsecondary institution which they have applied. (Further information from education records
where the student seeks or intends to discussion of the tragic events that under § 99.31(a)(6)(iii), and educational
enroll, provided that the agency or occurred at Virginia Tech in April 2007 agencies and institutions have asked
institution complies with the is included in the discussion of the whether they may provide personally
requirements in § 99.34(a) regarding proposed amendments to § 99.36, which identifiable information to organizations
notification to the parent or eligible appears later in this document.) Under for research purposes without parental
student of the disclosure and, upon § 99.31(a)(2) and § 99.34(a), FERPA consent even if the educational agency
request, provide a copy of the records permits school officials to disclose any or institution has no particular interest
and an opportunity for a hearing under and all education records, including in the study.
subpart C of the regulations. health and disciplinary records, to This exception to the consent
Proposed Regulations: The proposed another institution where the student requirement is intended to allow
regulations in § 99.31(a)(2) would allow seeks or intends to enroll. educational agencies and institutions to
an educational agency or institution to retain the services of outside
disclose education records, without Section 99.31(a)(6) (Organizations organizations (or individuals) to
consent, to another institution even after Conducting Studies for or on Behalf of conduct studies for or on their behalf to
a student has already enrolled or an Educational Agency or Institution) develop, validate, or administer
transferred, and not just if the student Statute: 20 U.S.C. 1232g(b)(1)(F) predictive tests; administer student aid
seeks or intends to enroll, if the allows an educational agency or programs; or improve instruction. An
disclosure is for purposes related to the institution to disclose personally educational agency or institution need
student’s enrollment or transfer. identifiable information from education not initiate research requests or agree
Reasons: The proposed amendments records, without consent, to with or endorse a study’s results and
are needed to resolve uncertainty about organizations conducting studies for or conclusions under this exception.
whether consent is required to send a on behalf of the agency or institution for However, the statutory language ‘‘for, or
student’s records to the student’s new purposes of testing, student aid, and on behalf of’’ indicates that the
school after the student has already improvement of instruction. The disclosing agency or institution agrees
transferred and enrolled. This proposed information must be protected so that with the purposes of the study and
exception to the consent requirement is students and their parents cannot be retains control over the information
intended to ease administrative burdens identified by anyone other than from education records that is disclosed.
The written agreement required under General (or designee) under this information about registered sex
the proposed regulations will help provision should ensure that the order offenders.
ensure that information from education is facially valid, just as it does when Reasons: The regulations implement
records is used only to meet the determining whether to comply with the CSCPA amendment to FERPA,
purposes of the study stated in the other judicial orders and subpoenas which allows educational agencies and
written agreement and that all under § 99.31(a)(9). An educational institutions to disclose information
applicable requirements are met. (See agency or institution is not, however, about registered sex offenders without
discussion of § 99.31(b) below regarding required or authorized to examine the consent if the information was received
disclosure of de-identified information underlying certification of facts through and complies with guidelines
to independent educational presented to the court in the Attorney regarding a State community
researchers.) General’s application for the ex parte notification program issued by the U.S.
court order. Attorney General under the Wetterling
Section 99.31(a)(9) (USA Patriot Act) Act. Wetterling Act guidelines issued by
The proposed regulations provide that
Statute: The USA Patriot Act, Public an educational agency or institution the Attorney General were published in
Law 107–56, amended FERPA by may comply with the court order the Federal Register on October 25,
providing a new subsection 1232g(j), 20 without notice to the parent or eligible 2002 (67 FR 65598), and January 5, 1999
U.S.C. 1232g(j), that authorizes the student. (Note that § 99.31(a)(9)(ii)(B) (64 FR 572).
United States Attorney General (or also allows an educational agency or The Wetterling Act sets forth
designee not lower than an Assistant institution to disclose education records minimum national standards for sex
Attorney General) to apply for an ex without notice to representatives of the offender registration and community
parte court order (an order issued by a Attorney General or other law notification programs. Under the
court without notice to an adverse Wetterling Act, States must establish
enforcement authorities who produce a
party) allowing the Attorney General (or programs that require sexually violent
subpoena that has been issued for law
designee) to collect education records predators (and anyone convicted of
enforcement purposes and the court or
from an educational agency or specified criminal offenses against
other issuing agency has ordered that
institution, without the consent or minors) to register their name and
the existence or contents of the
knowledge of the student or parent, that address with the appropriate State
subpoena or information furnished in
are relevant to an investigation or authority where the offender lives,
response to the subpoena not be
prosecution of an offense listed in 18 works, or is enrolled as a student. States
disclosed.)
U.S.C. 2332b(g)(5)(B) or an act of are also required to release relevant
domestic or international terrorism Section 99.31(a)(16) (Registered Sex information necessary to protect the
specified in 18 U.S.C. 2331. The statute Offenders) public concerning persons required to
requires the Attorney General (or register, excluding the identity of any
designee not lower than an Assistant Statute: The Campus Sex Crimes
victim. (This community notification
Attorney General) to certify facts in Prevention Act (CSCPA), section
provision is commonly known as the
support of the order and to retain, 1601(d) of the Victims of Trafficking ‘‘Megan’s Law’’ amendment to the
disseminate, and use the records in a and Violence Protection Act of 2000, Wetterling Act.)
manner that is consistent with Public Law 106–386, amended FERPA CSCPA supplemented the general
confidentiality guidelines established by by adding 20 U.S.C. 1232g(b)(7), which standards for sex offender registration
the Attorney General in consultation provides that educational agencies and and community notification programs in
with the Secretary of Education. institutions may disclose information the Wetterling Act with provisions
Agencies and institutions are not concerning registered sex offenders specifically designed for higher
required to record the disclosure and provided under State sex offender education campus communities. These
cannot be held liable to anyone for registration and community notification include a requirement that States collect
producing education records in good programs required by section 170101 of information about a registered offender’s
faith in accordance with a court order the Violent Crime Control and Law enrollment or employment at an
issued under this provision. Enforcement Act of 1994, Public Law institution of higher education,
Current Regulations: The current 103–322, 42 U.S.C. 14071. Section including any change in enrollment or
regulations do not address the 170101 contains the Jacob Wetterling employment status at the institution,
amendments made by the USA Patriot Crimes Against Children and Sexually and make this information available
Act. Violent Offender Registration Act promptly to a campus police
Proposed Regulations: The proposed (Wetterling Act). department or other appropriate law
regulations add new exceptions to the Current Regulations: The current enforcement agency having jurisdiction
written consent requirement in regulations do not address the where the institution is located. CSCPA
§ 99.31(a)(9)(ii) and the recordkeeping disclosure of information concerning also amended the Higher Education Act
requirement in § 99.32(a) allowing registered sex offenders. of 1965, as amended (HEA), by requiring
disclosure of education records without Proposed Regulations: The proposed institutions of higher education to
notice in compliance with an ex parte regulations add a new exception to the advise the campus community where it
court order obtained by the Attorney consent requirement in § 99.31(a)(16) can obtain information about registered
General (or designee) concerning that permits an educational agency or sex offenders provided by the State
investigations or prosecutions of an institution to disclose information that pursuant to the Wetterling Act, such as
offense listed in 18 U.S.C. 2332b(g)(5)(B) the agency or institution received under the campus law enforcement office, a
or an act of domestic or international a State community notification program local law enforcement agency, or a
terrorism defined in 18 U.S.C. 2331. about a student who is required to computer network address. See 20
Reasons: The proposed regulations register as a sex offender in the State. U.S.C. 1092(f)(1)(I) and 34 CFR
are necessary to implement the statutory Note that nothing in FERPA or these 668.46(b)(12).
amendment. An educational agency or proposed regulations requires or While the FERPA amendment was
institution that is served with an ex encourages an educational agency or made in the context of CSCPA’s
parte court order from the Attorney institution to collect or maintain enhancements to registration and
notification requirements applicable to name, that would allow a reasonable completely eliminated, at least not
the higher education community, the person in the school or its community, without negating the utility of the
Department has determined that all who does not have personal knowledge information, and is always a matter of
educational institutions, including of the relevant circumstance, to identify analyzing and balancing risk so that the
elementary and secondary schools, are the student with reasonable certainty. risk of disclosure is very low. The
covered by this amendment. The The Department does not hold reasonable certainty standard in the
registration and community notification educational agencies and institutions proposed definition of personally
requirements apply in the State where responsible for knowing the status of all identifiable information requires such a
an offender lives, works, or is a student, non-educational records about students balancing test. (Similarly, we are
which is defined as ‘‘a person who is (e.g., law enforcement or hospital proposing here to use the term ‘‘de-
enrolled on a full-time or part-time records). However, the Department identified’’ instead of ‘‘anonymous’’—
basis, in any public or private encourages educational agencies and which appears in previous guidance—
educational institution, including any institutions to be sensitive to publicly because it is more consistent with
secondary school, trade, or professional available data on students and to the terminology used by experts in the field
institution, or institution of higher cumulative effect of disclosures of and reflects more accurately the level of
education.’’ See 42 U.S.C. student data. Additionally, personally disclosure risk that should be achieved.)
14071(a)(3)(G). Because the sex offender identifiable information includes Many educational institutions have
registration and community notification information that is requested by a asked for guidance about how they may
requirements apply broadly to students person who an agency or institution disclose ‘‘redacted’’ education records
enrolled in ‘‘any public or private reasonably believes has direct, personal that concern students or incidents that
educational institution,’’ the knowledge of the identity of the student are well-known in the school or its
Department likewise interprets the to whom the education record directly community. For example, a school has
FERPA amendment to apply to all relates. This is known as a targeted suspended a student from school and
educational agencies and institutions request. given the student a failing grade for
subject to FERPA. Reasons: Disclosure is defined in the cheating on a test. The parent believes
regulations as permitting access to or the discipline is too harsh and
4. De-Identification of Information releasing, transferring, or otherwise inconsistent with discipline given to
(§ 99.31(b)) communicating personally identifiable other students and asks to see the
Statute: 20 U.S.C. 1232g(b)(1) and information contained in education redacted records of other students who
(b)(2) provide that an educational records. Accordingly, there is no have been disciplined for cheating on
agency or institution may not have a ‘‘disclosure’’ under FERPA when tests that year. Only one student has
policy or practice of permitting the education records are released if all been disciplined for this infraction
release of or providing access to identifiers have been removed, along during the year, and the name of that
education records, or personally with other personally identifiable student is widely known because her
identifiable information from education information. The proposed regulations parents went to the media about the
records, without prior written consent are needed to establish this guidance in accusation. The school may not release
except in accordance with statutory a definitive and legally binding the record in redacted form because the
exceptions. interpretation, and to provide standards publicity has made the record
Current Regulations: Personally for ensuring that a student’s personally personally identifiable.
identifiable information under § 99.3 identifiable information is not Additionally, personally identifiable
includes personal identifiers such as a disclosed. information includes information that is
student’s name, address, and The Department’s November 18, 2004, requested by a person who an agency or
identification numbers, as well as letter to the Tennessee Department of institution reasonably believes has
personal characteristics or other Education (TNDOE) explains that an direct, personal knowledge of the
information that would make the educational agency or institution may identity of the student to whom the
student’s identity easily traceable. release for educational research education record directly relates. This is
Proposed Regulations: The proposed purposes (without parental consent) known as a targeted request. In the
regulations would amend § 99.31(b) to anonymous data files, i.e., records from simplest case, if an individual asks for
provide objective standards under which all personally identifiable the disciplinary report for a named
which educational agencies and information has been removed but that student, the institution may not release
institutions may release, without have coded each student’s record with a redacted copy of the report because
consent, education records, or a non-personal identifier as described in the requester knows the identity of the
information from education records, the letter. (Records or data that have student who is the subject of the report.
that has been de-identified through the been stripped of identifiers and coded An individual can also make a targeted
removal of all personally identifiable may be re-identified and, therefore, are request without mentioning the
information. Personally identifiable properly characterized as de-identified.) student’s name. For example, a person
information is defined in § 99.3 to mean Under the guidance in the TNDOE running for local office is known to have
information that can be used to identify letter, a party must ensure that the graduated from a particular university
a student, including direct identifiers, identity of any student cannot be in 1978. Rumors circulate that the
such as the student’s name, SSN, and determined in coded records, including candidate plagiarized other students’
biometric records, alone or combined assurances of sufficient cell and work while in school. A local reporter
with other personal or identifying subgroup size, and the linking key that asks the university for redacted
information that is linked or linkable to connects the code to student disciplinary records for all students who
a specific individual, including indirect information must not be shared with the graduated in 1978 who were disciplined
identifiers such as the name of the requesting entity. for plagiarism. The university may not
student’s parent or other family The Department recognizes that release the records in redacted form
member, the student’s or family’s avoiding the risk of disclosure of because the circumstances indicate that
address, and the student’s date and identity or individual attributes in the requester has made a targeted
place of birth and mother’s maiden statistical information cannot be request, i.e. has direct, personal
knowledge of the subject of the case. In circumstance to minimize risk of and place of birth relevant to others in
another case, a local reporter reviewed disclosing personally identifiable the data release.
law enforcement unit records in October information. This is true for several Second, covered entities should
2007 and learned that a prominent high reasons, including the wide variety of minimize information released in
school athlete was under investigation data compilations and systems directories to the extent possible. The
for use of illegal drugs. The newspaper maintained by different agencies and Department is not attempting to limit
published front-page articles about the institutions and the different types of the statutory authority available to
matter that same month. Thereafter, the search requests they receive and data covered entities in releasing directory
reporter asked the student’s school for a sets they wish to disclose. More information, but recognizes that since
redacted copy of all disciplinary records generally, and as indicated in the the statute’s enactment, the risk of re-
related to illegal drug use by student Federal Committee on Statistical identification from such information has
athletes since October 2007. The school Methodology’s Statistical Policy grown as a result of new technologies
may not release the records in redacted Working Paper 22 (available at http:// and methods.
form because the reporter has made a www.fcsm.gov/working-papers/ Third, covered entities should apply a
targeted request. wp22.html), educational agencies and consistent de-identification strategy for
Clearly, extenuating circumstances institutions may wish to consider all of its data releases of a similar type.
sometimes cause identity to be revealed current statistical, scientific and The two major types of data release are
even after all identifiers have been technological concepts, and standards aggregated data (such as tables showing
removed, whether in aggregated or when making decisions about analyzing numbers of enrolled students by race,
student-level data. In these situations, and minimizing the risk of disclosure in age and sex) and microdata (such as
the key consideration in determining statistical information. Consistent with individual level student assessment
whether the information is personally that view, the Department has results by grade and school). There are
identifiable is whether a reasonable consistently declined to take a several acceptable de-identification
person in the school or its community, categorical approach and advised strategies for each type of data. Major
without personal knowledge of the instead that the parties themselves are methods used by the Department for
relevant circumstances, would be able in the best position to analyze and tabular data include defining a
to identify a student with reasonable identify the best methods to use to minimum cell size (meaning no results
certainty. The Department is interested protect the confidentiality of their own will be released for any cell of a table
in receiving comments on the scope of data. See, for example, the September with a number smaller than ‘‘X’’ or else
the ‘‘school or its community’’ 25, 2003, letter to Board of Regents of cells are aggregated until no cells based
limitation in the reasonable person the University System of Georgia at on one or two cases remain) or
standard, and how it would apply to the controlled rounding (meaning that cells
http://www.ed.gov/policy/gen/guid/
release of redacted records as well as with a number smaller than ‘‘X’’ require
fpco/ferpa/library/georgialtr.html;
statistical information, including that numbers in the affected rows and
October 19, 2004, letter to Miami
information released by State columns be rounded so that the totals
University at http://www.ed.gov/policy/
educational authorities and entities remain unchanged. For microdata
gen/guid/fpco/ferpa/library/
other than local districts and releases, the primary consideration is
unofmiami.html.
institutions. whether the proposed release contains
In regard to numerical or statistical However, the Department recognizes any ‘‘unique’’ individuals whose
information, several educational that there are some practices from the identity can be deduced by the
agencies and institutions have existing professional literature on combination of variables in the file. If
expressed concern about the public disclosure limitation that can assist such a condition exists, there are a
release of information that contains covered entities in developing a sound number of methods that can be
small data sets that may be personally approach to de-identifying data for employed. These include ‘‘top coding’’
identifiable. We have advised States and release, particularly when consultation a variable (e.g., test scores above a
schools generally that they may not with professional statisticians with certain level are recoded to a defined
report publicly on the number of experience in disclosure limitation maximum), converting continuous data
students of a specified race, gender, methods is not feasible. Each of the elements into categorical data elements
disability, English language proficiency, items discussed in the following (e.g., creating categories that subsume
migrant status, or other condition who subsection is elaborated on in Statistical unique cases) or data swapping to
failed to graduate, received financial Working Paper 22 for further reference. introduce uncertainty so that the data
aid, achieved certain test scores, etc., There are several steps that can assist user does not know whether the real
unless there is a sufficient number of with de-identifying any data release. data values correspond to certain
students in the defined category so that The choice of methods depends on the records.
personally identifiable information is nature of the data release that must be The Department seeks public
not released. Some schools have de-identified. First, covered entities comment on whether it needs to
indicated, for example, that they would should recognize that the re- develop further guidance on this topic
not disclose that two Hispanic, female identification risk of any given release is to assist educational agencies and
students failed to graduate, even if there cumulative, i.e., directly related to what institutions.
are several Hispanic females at the has previously been released. Previous Although FERPA does not contain a
institution, because of the likelihood releases include both publicly-available general ‘‘research’’ exception to the
that the students who failed to graduate directory information and de-identified consent requirement, the Department
could easily be identified in such a data releases. For example, if a publicly recognizes that useful and valid
small data set. available directory provides date and educational research may be conducted
A review of data confidentiality place of birth, then a de-identified data using de-identified data where
issues, especially as concerns the release that also contains the same disclosure of personally identifiable
Federal statistical agencies, indicates information for a group of students information from education records
that it is not possible to prescribe a could pose a re-identification risk if one would not be permissible under the
single method to apply in every of those students has an unusual date limited standards of § 99.31(a)(6) or
§ 99.31(a)(3), discussed above. This 5. Identification and Authentication of institutions use widely available
regulation should not be interpreted to Identity (§ 99.31(c)) information, such as name and date of
discourage de-identified data releases, Statute: 20 U.S.C. 1232g(b)(1) and birth, or name and SSN or other student
but rather to clarify how to do so in a (b)(2) provides that an educational ID number, when providing access to
manner that minimizes the risk of re- agency or institution may not have a electronic records or disclosing
identification. Accordingly, the policy or practice of releasing, information about a student by
proposed regulations are also needed to permitting the release of, or providing telephone. This is a failure to properly
provide a method that may be used by access to any personally identifiable authenticate identity. These proposed
a school, school district, state information from education records regulations would address both of these
department of education, postsecondary problems.
without written consent, except in
institution or commission, or another Authentication of identity is a
accordance with specified statutory
party that maintains education records complex subject that continues to
exceptions. advance as new methods and
to release student-level or microdata for Current Regulations: Current
technologies are developed to meet
purposes of education research. We regulations do not address whether an
evolving standards for safeguarding
believe that these standards establish an educational agency or institution must
financial, health, and other types of
appropriate balance that facilitates ensure that it has properly identified a electronic records. The proposed
educational research and accountability party to whom it discloses personally regulations allow an educational agency
while preserving the privacy protections identifiable information from education or institution to use any reasonable
in FERPA. records. method. As discussed above in
In order to permit ongoing Proposed Regulations: The proposed connection with controlling access to
educational research with the same regulations in § 99.31(c) would require education records by school officials,
data, the party that releases the an educational agency or institution to methods are considered reasonable if
use reasonable methods to identify and they reduce the risk of unauthorized
information may attach a unique
authenticate the identity of parents, disclosure to a level that is
descriptor to each de-identified record
students, school officials, and any other commensurate with the likely threat and
that will allow the recipient to match
parties to whom the agency or potential harm and depend on variety of
other de-identified information received
institution discloses personally factors, including the organization’s size
from the same source. However, the
identifiable information from education and resources. The greater the harm that
recipient may not be allowed to have records.
access to any information about how the would result from unauthorized access
Reasons: The proposed regulations or disclosure, and consequently the
descriptor is generated and assigned, or are needed to ensure that educational
that would allow it to match the greater the likelihood that unauthorized
agencies and institutions disclose access or disclosure will be attempted,
information from education records personally identifiable information from
with data from any other source, unless the more protections an agency or
education records only to authorized institution must use to ensure that its
that data is de-identified and coded by recipients. Identification in this context
the party that discloses education methods are reasonable. Again,
means determining who is the intended reasonableness depends ultimately on
records. Furthermore, a record or authorized recipient of the what are the usual and customary good
descriptor assigned for educational information in question; authentication business practices of educational
research purposes under this rule may of identity means ensuring that the agencies and institutions, which
not be based on a student’s social recipient is, in fact, who he or she requires ongoing review and
security number. purports to be. modification of procedures, where
De-identified, student-level data Identification of a party requesting appropriate, as standards and
released for educational research disclosure of hard copy education technologies change.
purposes must still conform to the records is relatively simple—the Authentication of identity generally
requirements discussed above regarding responsible school official can confirm involves requiring a user to provide
small data sets that may lead to personal the name and correct address for records something that only the user knows,
identification of students. However, sent by mail and obtain photo such as a PIN, password, or answer to
unlike information released in identification for personal delivery of a personal question; something that only
personally identifiable form under records to students, parents, school the user has, such as a smart card or
§§ 99.31(a)(3) and 99.31(a)(6), de- officials, and other authorized recipients token; or a biometric factor associated
identified information from education who are not recognized personally by with no one other than the user, such as
records is not subject to any destruction the custodian of the records. a finger, iris, or voice print. Under the
requirements because, by definition, it Identification presents unique proposed regulations an educational
is not ‘‘personally identifiable challenges in an electronic or telephonic agency or institution may determine
information’’ under FERPA. environment, where personal that single-factor authentication, such as
recognition and photo identification a standard form user name combined
The Department cannot specify in cards are irrelevant. with a secret PIN or password, is
general which statistical disclosure Occasionally educational agencies reasonable for protecting access to
limitation (SDL) methods should be and institutions disclose education electronic grades and transcripts.
used in any particular case. However, records to the wrong party because Single-factor authentication may not be
educational agencies and institutions someone misaddresses an envelope, or reasonable, however, for protecting
should monitor releases of coded, de- puts the wrong material in a properly access to SSNs, credit card numbers,
identified microdata and take addressed envelope. This is a failure to and similar information that could be
reasonable measures to ensure that properly identify the authorized used for identity theft and financial
overlapping or successive releases do recipient. More commonly, parents and fraud.
not result in data sets in which a students complain that unauthorized Likewise, an educational agency or
student’s personally identifiable parties obtain access to the student’s institution must ensure that it does not
information is disclosed. education records because agencies and deliver a password, PIN, smart card, or
other factor used to authenticate compliance and enforcement purposes. destruction requirement, that generally
identity in a manner that would allow The Department has interpreted the apply to these disclosures.
access to unauthorized recipients. For term ‘‘evaluation’’ broadly to include all Proposed Regulations: The proposed
example, an agency or institution may manner of studies, assessments, regulations in § 99.35(b)(1) would
not make education records available measurements, appraisals, research, and permit officials and authorities listed in
electronically by using a common form other efforts, including analyses of § 99.31(a)(3)(i) to redisclose personally
user name (e.g., last name and first statistical or numerical data derived identifiable information from education
name initial) with date of birth or SSN, from education records. Section 99.35 records under the same conditions, set
or a portion of the SSN, as an initial provides that information disclosed forth in § 99.33(b), that apply to parties
password to be changed upon first use under this exception to the consent that receive personally identifiable
of the system. requirement must be protected in a information from education records
manner that does not permit personal under other exceptions in § 99.31. For
6. Redisclosure of Education Records by example, this proposed change would
Officials Listed in § 99.31(a)(3) (§ 99.32, identification of individuals by anyone
except the officials listed in § 99.31(a)(3) allow a State educational agency (SEA)
§ 99.35) to use the exception in § 99.31(a)(2) to
and must be destroyed when no longer
Statute: 20 U.S.C. 1232g(b)(1)(C), needed for the audit, evaluation, or transfer a student’s education records to
(b)(3), and (b)(5) permits an educational compliance and enforcement purposes, a student’s new school district on behalf
agency or institution to disclose unless a parent or eligible student of the former district. Similarly, an SEA
education records, without prior written consents to the disclosure or Federal or other official listed in § 99.31(a)(3)
consent, to authorized representatives of law specifically authorizes the would be able to redisclose personally
the United States Comptroller General, collection of personally identifiable identifiable information from education
the Secretary of Education, State and information. Current regulations do not records received under § 99.35 to an
local educational authorities, and the specify any further conditions under accrediting agency under § 99.31(a)(7);
U.S. Attorney General as necessary in which these officials or authorities may in response to a subpoena or court order
connection with the audit or evaluation redisclose personally identifiable under § 99.31(a)(9); or in connection
of Federal and State supported information from education records with a health or safety emergency under
education programs, or in connection without prior written consent. §§ 99.31(a)(10) and 99.36. The proposed
with the enforcement of Federal legal regulations would also apply to the
requirements that relate to those Section 99.33(c) establishes specific redisclosure of education records by an
programs. Except when the collection of exceptions to the general statutory SEA (or other official listed in
personally identifiable information is prohibition on redisclosure of § 99.31(a)(3)) to another listed official,
specifically authorized by Federal law, information from education records such as the Secretary, for audit,
personally identifiable information of under 20 U.S.C. 1232g(b)(4)(B). Section evaluation, or compliance and
parents and students may not be 99.33(b) also allows an educational enforcement purposes under § 99.35.
redisclosed to any other parties and agency or institution to disclose The regulations would also clarify that
must be destroyed when no longer education records with the authority to conduct an audit,
needed for such audit, evaluation or understanding that the recipient may evaluation, or compliance or
enforcement purposes. make further disclosures of the enforcement activity is not conferred by
In contrast, section 1232g(b)(4)(B) information on its behalf if the FERPA and must be established under
contains a general prohibition on the disclosures could be made under § 99.31 other Federal, State, or local law,
redisclosure of information from and the educational agency or including valid administrative
education records. In particular, by institution complies with the regulations. Like redisclosures
statute an educational agency or recordkeeping requirements specified in permitted currently under § 99.33(b),
institution may disclose personal § 99.32(b). Section 99.32(a) requires an redisclosures made by officials listed in
information from education records educational agency or institution to § 99.31(a)(3)(i) under the proposed
only on the condition that the recipient maintain a record of each request for amendment would be subject to the
will not redisclose the information to access to and each disclosure of recordation requirements in § 99.32(b).
any other party without meeting the personally identifiable information from Reasons: School districts and
prior written consent requirement. If a the education records of each student. If postsecondary institutions typically
recipient rediscloses personally a recipient is authorized to make further disclose education records, or
identifiable information from education disclosures of personally identifiable personally identifiable information from
records in violation of the prior written information from education records education records, to their SEA or State
consent requirement, the agency or under § 99.33(b), the educational agency higher education authority, without
institution that disclosed the records or institution must record the names of prior written consent, for audit,
may not permit that recipient to have the additional parties to which the evaluation, or compliance and
access to information from education receiving party may disclose the enforcement purposes subject to the
records for at least five years. There is information on behalf of the educational requirements of § 99.35. Several SEAs
no general destruction requirement agency or institution and their that maintain Statewide, consolidated
similar to the specific requirement for legitimate interests under § 99.31 in systems for school district records
destruction of personally identifiable requesting or obtaining the information. subject to § 99.35 have questioned
information described above for records Each student’s record of disclosures is whether they may allow a student’s new
disclosed for audit, evaluation, and an education record that must be made school district to obtain access to
enforcement purposes under section available to a parent or eligible student personally identifiable information from
1232g(b)(3). under § 99.32(c). The Department has education records submitted to the
Current Regulations: Section not applied the regulatory exception in system by the student’s former district.
99.31(a)(3) lists the four officials or § 99.33(b) to officials or authorities that (Historically, when a student transfers
authorities that may receive education receive information under §§ 99.31(a)(3) to a new school, the former school
records, without consent, for the and 99.35 because of the more specific district sends the student’s education
specified audit, evaluation, or statutory limitations, including the records to the student’s new district,
without consent, under § 99.31(a)(2).) The proposed regulations clarify that the recipient will redisclose information
Others have asked whether records while FERPA permits the disclosure and to specified recipients on its behalf
subject to § 99.35 may be redisclosed in redisclosure of education records subject to the recordation requirements
compliance with a subpoena or court without consent to officials and in § 99.32(b). The Department is
order and, if so, what conditions apply. authorities listed in § 99.31(a)(3)(i) for interested in relieving any
States have also asked about the the purposes specified, it does not administrative burdens associated with
operation of longitudinal data systems confer or establish the underlying recording disclosures of education
that consolidate K–12 and authority for those officials and records and, therefore, invites public
postsecondary education records. authorities to conduct an audit, comment on whether an SEA, the
As noted elsewhere in this notice, evaluation, or compliance or Department, or other official or agency
there are no specific statutory enforcement activity. If Federal, State, listed in § 99.31(a)(3) should be allowed
exceptions to either the prohibition on or local law authorizes a particular to maintain the record of the
redisclosure of education records entity to audit or evaluate the education redisclosures it makes on behalf of an
disclosed under § 99.31 or the more records, then FERPA permits the educational agency or institution under
specific limitations for records disclosed disclosure of personally identifiable § 99.32(b).
under § 99.35. Accordingly, final information for that purpose without
regulations published on June 17, 1976 consent. For example, this exception 7. Limitations on the Redisclosure of
(41 FR 24662) provided in § 99.33(a) allows a school district to disclose Information From Education Records
that educational agencies and education records to its own State (§ 99.33)
institutions must inform a third party to department of education or other SEA Section 99.31(a)(9) (Subpoenas and
whom personally identifiable because that agency is legally Court Orders)
information from education records is authorized to audit or evaluate the
Statute: 20 U.S.C. 1232g(b)(4)(B)
disclosed that it may not redisclose any school district’s education programs, or
enforce Federal legal requirements provides that an educational agency or
personally identifiable information institution may disclose personally
without the written consent of a parent related to those programs. This
exception does not allow a school identifiable information from education
or eligible student. However, these records to a third party only on the
regulations also added a provision in district to disclose education records to
the State higher education authority condition that the recipient will not
§ 99.33(b) that permits the agency or redisclose the information to anyone
institution to disclose without parental consent unless that
agency is empowered under Federal, else without written consent of the
personally identifiable information under parent or eligible student. If a third
§ 99.31 with the understanding that the
State or local law to conduct an audit,
evaluation, or compliance or party outside the educational agency or
information will be redisclosed to other institution permits access to information
parties under that section; Provided, That the enforcement activity with respect to that
school district’s education programs. without written consent of a parent or
recordkeeping requirements of § 99.32 are
met with respect to each of those parties. The legal authority to audit, evaluate, or eligible student as required under 20
enforce education programs does not U.S.C. 1232g(b)(2)(A), the educational
41 FR 24662, 24679. agency or institution may not permit
derive from FERPA itself.
The Secretary recognizes that officials These proposed regulations would access to information from education
and authorities that receive education also ensure that State and local records by that third party for a period
records for audit, evaluation, educational authorities may redisclose of not less than five years. There is no
compliance, or enforcement purposes personally identifiable information from specific statutory exception to the
under §§ 99.31(a)(3) and 99.35 are no education records in order to prohibition on redisclosure of
less capable of protecting the consolidate K–16 education records for personally identifiable information from
information against unauthorized access audit, evaluation, compliance, or education records.
and disclosure than parties that receive enforcement purposes under § 99.35(a). 20 U.S.C. 1232g(b)(2)(B) provides that
education records under other For example, under the proposed an educational agency or institution
exceptions in § 99.31. The proposed regulations, a State’s postsecondary or may disclose personally identifiable
amendment is needed so that SEAs and higher education authority may information without consent if the
other officials and authorities listed in redisclose personally identifiable information is furnished in compliance
§ 99.31(a)(3)(i) may take advantage of information from the education records with a judicial order or any lawfully
the regulatory exception in § 99.33(b) it maintains to a consolidated data issued subpoena, upon the condition
and redisclose personally identifiable system operated by the SEA if the SEA that parents and students are notified in
information from education records is legally authorized to conduct an advance of compliance. Advance notice
directly to a qualified recipient under an audit, evaluation, compliance, or is not required for certain Federal grand
exception in § 99.31 instead of requiring enforcement activity of postsecondary jury subpoenas and subpoenas issued
that party to go to each school district education programs. Likewise, an SEA for law enforcement purposes. 20 U.S.C.
or institution that submitted the records may redisclose personally identifiable 1232g(b)(1)(J).
for audit, evaluation, compliance, or information from K–12 education Current Regulations: Section
enforcement purposes. Similarly, the records to a consolidated database 99.33(a)(1) permits an educational
proposed regulations are needed to operated by a State’s higher education agency or institution to disclose
clarify that an official or authority that authority if the higher education personally identifiable information from
maintains personally identifiable authority is legally authorized to education records only on the condition
information from education records conduct the audit, evaluation, that the recipient will not redisclose the
subject to § 99.35 may redisclose that compliance, or enforcement activity of information to any other party without
information to another authority listed K–12 educational programs. the prior consent of the parent or
in § 99.31(a)(3)(i) for another qualifying As noted above, disclosures under eligible student. Section 99.33(b)
audit, evaluation, compliance, or § 99.33(b) are based on an provides for an exception to this general
enforcement activity, notwithstanding understanding on the part of the rule. Specifically, under § 99.33(b), an
the limitations in § 99.35. educational agency or institution that educational agency or institution may
disclose personally identifiable complies with a judicial order or agency or institution to disclose
information from education records subpoena to redisclose personally personally identifiable information from
with the understanding that the party identifiable information from education education records only on the condition
receiving the information may make records. The Secretary believes that the that the recipient will not redisclose the
further disclosures on behalf of the party that has been ordered to produce information to any other party without
educational agency or institution if the the information should be responsible the prior consent of the parent or
disclosures meet the requirements of for ensuring that the parent or eligible eligible student. Section 99.33(c)
§ 99.31(a) and the educational agency or student has been notified because the excludes from the statutory prohibition
institution complies with the educational agency or institution has no on redisclosure information that an
recordkeeping requirements in control over whether and when that educational agency or institution may
§ 99.32(b). Under § 99.33(e), if the Office party will comply. The penalty in disclose without consent to any member
determines that a third party improperly § 99.33(e) would prohibit an educational of the public, such as directory
rediscloses personally identifiable agency or institution from providing information under § 99.31(a)(11) and the
information from education records in access to any third party that fails to final results of a disciplinary proceeding
violation of the prohibition on provide reasonable notice to parents and for acts constituting crimes of violence
redisclosure in § 99.33(a), subject to the eligible students before complying with or non-forcible sex offenses under
provisions of § 99.33(b), the educational a judicial or lawfully issued subpoena. § 99.31(a)(14) when a postsecondary
agency or institution may not allow that institution has determined that the
Disclosures Required Under the Clery
third party access to personally student committed the violation in
Act
identifiable information from education question. Current regulations in
records for at least five years. Statute: 20 U.S.C. 1232g(b)(4)(B) § 99.33(c) do not exclude from the
Section 99.31(a)(9) permits an provides that an educational agency or redisclosure prohibition disclosures
educational agency or institution to institution may disclose personally made by postsecondary institutions to
disclose personally identifiable identifiable information from education an alleged victim of a crime of violence
information from education records records to a third party only on the or non-forcible sex offense under
without consent in compliance with a condition that the recipient will not § 99.31(a)(13) or disclosures they are
judicial order or lawfully issued redisclose the information to anyone required to make under the Clery Act.
subpoena, provided that the agency or else without written consent of the Proposed Regulations: The proposed
institution makes a reasonable effort to parent or eligible student. 20 U.S.C. regulations would amend § 99.33(c) to
notify the parent or eligible student of 1232g(b)(6)(B) allows a postsecondary exclude from the statutory prohibition
the order or subpoena in advance of institution to disclose to any party, on redisclosure of education records
compliance so that the parent or eligible without consent, the final results of a information that postsecondary
student may seek protective action. disciplinary proceeding against a institutions are required to disclose
Notification is not required for certain student for crimes of violence or non- under the Clery Act to the accuser and
grand jury and law enforcement forcible sex offenses if the institution accused regarding the outcome of any
subpoenas. determines as a result of the campus disciplinary proceeding brought
Proposed Regulations: The proposed disciplinary proceeding that the student
alleging a sexual offense.
regulations in § 99.33(b)(2) would committed the violation in question. 20 Reasons: Some postsecondary
require a party that has received U.S.C. 1232g(b)(6)(A) allows a institutions have required the accuser to
personally identifiable information from postsecondary institution to disclose to execute a non-disclosure agreement
education records from an educational the alleged victim the final results of before they disclose the outcome of a
agency or institution, including an SEA disciplinary proceedings against a disciplinary proceeding for an alleged
or other official listed in § 99.31(a)(3)(i), student for crimes of violence or non- sexual offense as required under the
to provide the notice to parents and forcible sex offenses regardless of the
Clery Act. In analyzing and ruling on
eligible students, if any, required under outcome. The Jeanne Clery Disclosure of
these practices, the Department
§ 99.31(a)(9) before it rediscloses Campus Security Policy and Campus
determined that the statutory
personally identifiable information from Crime Statistics Act (Clery Act), which
prohibition on redisclosure of
the records on behalf of an educational amended the HEA, requires
information from education records in
agency or institution in compliance postsecondary institutions to inform
FERPA does not apply to information
with a judicial order or lawfully issued both the accuser and the accused of the
that a postsecondary institution is
subpoena, as authorized under outcome of a campus disciplinary
required to release to students under the
§ 99.33(b). proceeding brought alleging a sexual
Reasons: Section 99.33(b) allows a Clery Act. The proposed regulations
assault regardless of the outcome. 20
party to redisclose personally U.S.C. 1092(f)(8)(B)(iv)(II); 34 CFR would clarify that postsecondary
identifiable information under § 99.31(a) 668.46(b)(11)(vi)(B). institutions may not require the accuser
on behalf of an educational agency or Current Regulations: Regulations to execute a non-disclosure agreement
institution, including redisclosure in implementing the Clery Act, 34 CFR or otherwise interfere with the
compliance with a judicial order or § 668.46(b)(11)(iv)(B), require redisclosure or other use of information
lawfully issued subpoena under postsecondary institutions to inform disclosed as required under the Clery
§ 99.31(a)(9). (As noted above, the both the accuser and the accused of the Act.
proposed amendments to § 99.35 would outcome of any institutional 8. Health and Safety Emergencies
extend this authority to SEAs and other disciplinary proceeding brought alleging (§ 99.36)
officials and agencies listed in a sex offense. Under this provision the
§ 99.31(a)(3)(i).) The proposed outcome of a disciplinary proceeding Section 99.36(c) (Conditions That Apply
regulations are needed to clarify which means only the institution’s final to Disclosure of Information in Health
party is responsible for notifying parents determination with respect to the and Safety Emergencies)
and eligible students before an SEA or alleged sex offense and any sanction Statute: Under 20 U.S.C.
other third party outside of the that is imposed against the accused. 1232g(b)(1)(I), an educational agency or
educational agency or institution Section 99.33(a) permits an educational institution may disclose personally
identifiable information from education experts, law enforcement and State and Further, the Secretary has carefully
records without prior written consent, local officials to discuss the broader considered the appropriate relationship
subject to regulations by the Secretary, issues raised by the tragedy. On June 13, between conditions associated with
in connection with an emergency to 2007, those officials transmitted a Federal funding and the exigencies of
appropriate persons if the knowledge of ‘‘Report to the President on Issues administering an agency or institution
such information is necessary to protect Raised by the Virginia Tech Tragedy.’’ of education on a daily basis. In
the health or safety of the student or See http://www.hhs.gov/vtreport.html. examining the application of FERPA to
other persons. In relevant part, the report provided: the recipients of Departmental funds,
Current regulations: Under § 99.36(a), A consistent theme and broad perception the Secretary is mindful that the ‘‘health
an educational agency or institution in our meetings was that this confusion and and safety’’ exception does not allow
may disclose personally identifiable differing interpretations about state and
information from education records to disclosures on a routine, non-emergency
federal privacy laws and regulations impede
appropriate parties in connection with appropriate information sharing. In some
basis. For example, the ‘‘health and
an emergency if knowledge of the sessions, there were concerns and confusion safety’’ exception does not permit a
information is necessary to protect the about the potential liability of teachers, school district to routinely share its
health or safety of the student or other administrators, or institutions that could student information database with the
individuals. Under § 99.36(b), arise from sharing information, or from not local police department. The present
sharing information, under privacy laws, as regulation, however, which merely
educational agencies and institutions well as laws designed to protect individuals
may include in a student’s education from discrimination on the basis of mental admonishes that the regulation should
records appropriate information illness. It was almost universally observed be ‘‘strictly construed,’’ does not
concerning disciplinary action taken that these fears and misunderstandings likely provide a standard to determine
against the student for conduct that limit the transfer of information in more whether a particular disclosure
posed a significant risk to the safety or significant ways than is required by law. complies with the statute.
well-being of that student, other Particularly, although participants in each Consequently, the Secretary has decided
students, or other members of the school state meeting were aware of both [the Health
Insurance Portability and Accountability Act to provide a new standard for the
community. Educational agencies and administration of this exception to the
of 1996 (HIPAA)] and FERPA, there was
institutions may also disclose significant misunderstanding about the scope written consent requirement in FERPA.
appropriate information about these and application of these laws and their To assure that there are adequate
kinds of disciplinary actions to teachers interrelation with state laws. In a number of safeguards on this exception, the
and school officials within the agency or discussions, participants reported Secretary requires that, considering the
institution or in other schools who have circumstances in which they incorrectly
believed that they were subject to liability or totality of the circumstances, there must
legitimate educational interests in the
behavior of the student. Under foreclosed from sharing information under be an articulable and significant threat
§ 99.36(c), all of these regulatory federal law. Other participants were unsure to the health or safety of a student or
provisions must be strictly construed. whether and how HIPAA and FERPA other individuals, and that the
actually limit or allow information to be disclosure be to any person whose
Proposed regulations: The
shared and unaware of exceptions that could knowledge of the information is
Department proposes to revise § 99.36(c) allow relevant information to be shared.
to remove the language requiring strict necessary to protect against the threat.
construction of this exception and add Report at page 7. The report went on to
On the other hand, the Secretary has
a provision that in making a charge the Department with certain
specific recommended actions: determined that greater flexibility and
determination under § 99.36(a), an deference should be afforded to
educational agency or institution may The U.S. Departments of Health and administrators so they can bring
take into account the totality of the Human Services and Education should
appropriate resources to bear on a
circumstances pertaining to a threat to develop additional guidance that clarifies
how information can be shared legally under circumstance that threatens the health
the safety or health of a student or other
individuals. If the educational agency or HIPAA and FERPA and disseminate it widely or safety of individuals. To provide for
institution determines that there is an to the mental health, education, and law appropriate flexibility and deference,
enforcement communities. The U.S. the Secretary has determined that if,
articulable and significant threat to the Department of Education should ensure that
health or safety of a student or other based on the information available at
parents and school officials understand how
individuals, it may disclose information the time of the determination, there is
and when post-secondary institutions can
from education records to any person share information on college students with a rational basis for the determination,
whose knowledge of the information is parents. In addition, the U.S. Departments of the Department will not substitute its
necessary to protect the health and Education and Health and Human Services judgment for that of the educational
safety of the student or other should consider whether further actions are agency or institution in evaluating the
individuals. If, based on the information needed to balance more appropriately the circumstances and making its
available at the time of the interests of safety, privacy, and treatment determination.
implicated by FERPA and HIPAA.
determination, there is a rational basis In short, in balancing the interests of
for the determination, the Department Report at page 8 (italics in original). The
safety, privacy, and treatment, the
will not substitute its judgment for that Department of Education and the
Department of Health and Human Secretary proposes to revise the
of the educational agency or institution
Services are currently working together regulation to specify legal standards, but
in evaluating the circumstances and
making its determination. on guidance for our respective to couple those standards with greater
Reasons: In the wake of the tragic communities on these issues. This flexibility and deference to
shootings at Virginia Tech, the President guidance is in addition to compliance administrators so they can bring
directed the Secretary, together with the training and guidance that the two appropriate resources to bear on a
Secretary of Health and Human Services agencies have provided since issuance circumstance that threatens the health
and the Attorney General, to travel to of the HIPAA Privacy Rule in December or safety of individuals.
communities across the nation and to 2000 and, more recently, since the
meet with educators, mental health events in April 2007 at Virginia Tech.
9. Directory Information (§ 99.37) student’s electronic identifier or is held in a specified physical location
institutional e-mail address in class. or on-line through electronic
Section 99.37(b) (Disclosure of Directory Current Regulations: Current communications. This means, for
Information About Former Students) regulations do not address whether example, that regardless of a student’s
Statute: Under 20 U.S.C. 1232g(a)(5), parents and students may use their right block on directory information
(b)(1), and (b)(2), an educational agency to opt out of directory information disclosures, a teacher may call students
or institution may disclose directory disclosures to prevent school officials by first and last name in class and
information without meeting FERPA’s from identifying the student by name or require students to place their names on
written consent requirements provided disclosing the student’s electronic a sign-in sheet circulated in class,
that it first notifies the parents or identifier or institutional e-mail address whether the class is conducted in
eligible student of the types of in class. person or on-line. Because students
information that may be disclosed and Proposed Regulations: The proposed generally do not have face-to-face
allows them to opt out of the disclosure. regulations would provide in § 99.37(c) communications in on-line classes (or in
The statute lists a number of items in that a parent or eligible student may not an on-line component of traditional
the definition of directory information, use their right to opt out of directory classes), schools may also disclose or
including a student’s name, address and information disclosures to prevent an require students to disclose a unique
telephone listing. The statute does not educational agency or institution from electronic identifier or e-mail address
address procedures for disclosing disclosing or requiring a student to used for students to communicate with
directory information about former disclose the student’s name, electronic one another for on-line class work. This
students. identifier, or institutional e-mail address could be either an e-mail address
Current Regulations: Section 99.37(a) in a class in which the student is assigned by the institution or one
requires an educational agency or enrolled. selected by the student for this purpose.
Reasons: Several institutions have Note that this provision is strictly
institution to provide public notice to
asked whether a teacher can include in limited to information needed to
parents of students in attendance and
a classroom roll call or sign-in sheet the identify and enable students to
eligible students in attendance of the
names of students who have opted out communicate in class, i.e., the student’s
types of directory information that may
of directory information disclosures. name, unique electronic identifier, and
be disclosed and the parent’s or eligible
They have also asked whether a institutional e-mail address. It provides
student’s right to opt out. Section student’s e-mail address may be
99.37(b) allows the agency or institution no authority to disclose any directory
disclosed to other students in an on-line information outside of the student’s
to disclose directory information about class if the student has opted out of
former students without providing the class. Further, no other kinds of
directory information disclosures. The directory information, including a
notice required under § 99.37(a). proposed regulations are needed to student’s home or campus address,
Proposed Regulations: Proposed clarify that the right to opt out of telephone listing, or personal e-mail
§ 99.37(b) clarifies that an agency or directory information disclosures is not address not used for class
institution must continue to honor any a tool for students to remain anonymous communications, may be disclosed,
valid request to opt out of directory in class. even within the student’s own class, if
information disclosures made while the The directory information exception the parent or eligible student has
individual was a student unless the is intended to facilitate communication exercised the right to opt out of
parent or eligible student rescinds the among school officials, parents, directory information disclosures.
decision to opt out of directory students, alumni, and others, and
information disclosures. permit schools to publicize and promote Section 99.37(d) (Prohibition on Use of
Reasons: Some institutions have institutional activities to the general SSNs To Identify Students When
indicated that § 99.37(b) creates public. Many institutions do so by Disclosing or Confirming Directory
uncertainty about whether they must publishing paper or electronic Information)
continue to honor a parent’s or eligible directories that contain student names, Statute: The statute does not address
student’s decision to opt out of directory addresses, telephone listings, e-mail the permissibility of using SSNs to
information disclosures once the addresses, and other information the identify students when disclosing or
student no longer attends the institution has designated as directory confirming directory information.
institution. The regulations are needed information. Some institutions do not Current Regulations: Current
to clarify that while an agency or publish a directory but do release regulations do not explicitly prohibit
institution does not have to notify directory information on a more the use of SSNs to identify students
former students about its policy on selective basis. FERPA clearly allows a when disclosing or confirming directory
directory information disclosures and parent or eligible student to opt out of information.
their right to opt out, directory these disclosures (under the conditions Proposed Regulations: Section
information may not be disclosed once specified in paragraph (a)), whether the 99.37(d) would prohibit an educational
an individual is no longer a student if information is made available to the agency or institution from using an SSN,
the individual made a valid request to general public, limited to members of either alone or when combined with
opt out while a student in attendance the school community, or released only other data elements, to identify or help
and has not rescinded that request. to specified individuals. identify a student or the student’s
The Secretary believes, however, that records when disclosing or confirming
Section 99.37(c) (Identification of
the right to opt out of directory directory information unless the student
Students and Communications in Class)
information disclosures does not has provided written consent in
Statute: The statute does not address include a right to remain anonymous in accordance with FERPA.
whether parents and students may use class and, therefore, may not be used to Reasons: Some institutions, along
their right to opt out of directory impede routine classroom with vendors that provide services on
information disclosures to prevent communications and interactions by behalf of institutions, allow employers
school officials from identifying the preventing a teacher from identifying a and others who seek directory
student by name or disclosing the student by name in class, whether class information about a student, such as
whether a student has ever attended the constitutes a policy or practice of the Office may elect to investigate and
institution or received a degree, to agency or institution. determine whether conduct that violates
submit the student’s SSN as a means of a specific FERPA requirement also
Section 99.64 (Complaint and
identifying the individual. These constitutes a policy or practice of the
Investigation Procedure)
regulations are needed to provide a agency or institution. (As explained
legally binding interpretation that this Statute: 20 U.S.C. 1232g(g) provides below in connection with proposed
practice violates FERPA unless the that the Secretary must establish or amendments to § 99.66, the Department
student has provided prior written designate an office and review board to may not seek to withhold funding,
consent for the institution to disclose investigate, process, review, and terminate eligibility to receive funding
the student’s SSN, even if the institution adjudicate FERPA violations and under an applicable program, or take
or vendor only explicitly releases or complaints alleging FERPA violations. other enforcement actions unless it
confirms directory information about The statute does not specify the determines that an educational agency
the student. Use of an SSN to identify requirements of a complaint or or institution has a policy or practice in
a student or the student’s records procedures to be followed by the Office violation of FERPA requirements and
constitutes an implicit confirmation of in investigating and resolving alleged has not come into compliance
the SSN, even if several other data FERPA violations. voluntarily.)
elements are also used to help identify Current Regulations: Section 99.64(a)
provides that a complaint must contain Section 99.65 (Content of Notice of
the student in the process. Investigation)
specific allegations of fact that an
10. Enforcement (§§ 99.62, 99.64, 99.65, educational agency or institution has Statute: The statute does not specify
99.66, and 99.67) violated FERPA. Under § 99.64(b), the what information the Office must
These proposed amendments are Office investigates each timely include in a notice of investigation of a
intended to clarify the Secretary’s complaint to determine whether a FERPA violation.
violation occurred. Current Regulations: Under § 99.65
enforcement authority in light of the
Proposed Regulations: The proposed the Office asks an educational agency or
decision of the U.S. Supreme Court in
regulations provide in § 99.64(a) that a institution to submit a written response
Gonzaga University v. Doe, 536 U.S. 273 complaint does not have to allege that
(2002). They do not reflect an intention to a notice of investigation.
a violation or failure to comply with Proposed Regulations: Proposed
or plan on the part of the Secretary to FERPA is based on a policy or practice § 99.65(a) would allow the Office to ask
initiate FERPA institutional compliance of the agency or institution. Under an educational agency or institution to
reviews or otherwise expand FERPA proposed § 99.64(b), if the Office submit a written response and other
investigations beyond the current determines that the agency or institution relevant information as set forth in
practice of the Office. The Department has violated or failed to comply with a § 99.62.
will exercise its authority to investigate FERPA requirement, the Office may also Reasons: The regulations are needed
a specific agency or institution only seek to determine whether the violation to clarify that the Office may ask an
when possible violations are brought to or failure to comply was based on a agency or institution to submit any
The Department’s attention. policy or practice of the agency or relevant information needed to resolve a
Statute: 20 U.S.C. 1232g(f) and (g) institution. In addition, the Office may complaint or otherwise conduct an
directs the Secretary to take appropriate investigate a possible FERPA violation investigation under FERPA.
actions to enforce FERPA. The statute even if it has not received a timely
does not specify any requirements an Section 99.66 (Enforcement
complaint from a parent or student or if
educational agency or institution must Responsibilities of the Office)
a valid complaint is subsequently
meet in connection with the Office’s withdrawn. Statute: 20 U.S.C. 1232g(a)(1)(A) and
investigation of complaints and Reasons: The proposed regulations (B) provides that no funds shall be made
violations of FERPA. are needed to clarify that the available under any program
Section 99.62 (Information Required for Department’s enforcement administered by the Secretary to an
the Office To Investigate and Resolve responsibilities, as described in educational agency or institution or an
Complaints and Violations) Gonzaga University v. Doe, 536 U.S. 273 SEA that has a policy of denying or
(2002), include the authority to effectively prevents parents from
Current Regulations: Under § 99.62 investigate possible FERPA violations exercising their right to inspect and
the Office may require an educational even if no complaint has been filed or review the student’s education records.
agency or institution to submit reports a complaint has been withdrawn. While 20 U.S.C. 1232g(a)(2) provides that no
containing information needed by the not a widespread problem, the funds shall be made available under any
Office to resolve complaints. Department needs to establish in its program administered by the Secretary
Proposed Regulations: The proposed regulations that the Office may to an educational agency or institution
regulations in § 99.62 would specify investigate allegations of non- unless parents are provided an
materials that the Office may require an compliance provided by a school opportunity for a hearing to challenge
educational agency or institution to official or some other party who is not the content of the student’s education
submit in order to carry out its a parent or eligible student because records under specified conditions. 20
investigation and other enforcement sometimes parents and students are not U.S.C. 1232g(b)(1) and (b)(2) provide
responsibilities, including information aware of an ongoing FERPA problem that no funds shall be made available
on the agency’s or institution’s policies that needs to be addressed. under any program administered by the
and procedures, annual notifications, The proposed amendments to § 99.64 Secretary to an educational agency or
training materials, and other relevant are also needed to clarify that the Office institution that has a policy or practice
information. may investigate a FERPA complaint of permitting the release of, releasing, or
Reasons: The regulations are needed even if the party has not specifically providing access to personally
to clarify the kinds of information that alleged that the agency or institution has identifiable information in education
may be required should the Office seek a policy or practice in violation of records without prior written consent
to determine whether a violation FERPA. In these circumstances, the except as authorized under FERPA. 20
U.S.C. 1232g(f) directs the Secretary to unless parents are provided an compliance agreement under 20 U.S.C.
take appropriate actions to enforce and opportunity for a hearing to challenge 1234f or seeking an injunction.
deal with FERPA violations, except that the content of the student’s education
Executive Order 12866
action to terminate assistance may be records under specified conditions. 20
taken only if the Secretary finds that U.S.C. 1232g(b)(1) and (b)(2) provide Under Executive Order 12866, the
there has been a failure to comply and that no funds shall be made available Secretary must determine whether this
that compliance cannot be secured by under any program administered by the regulatory action is ‘‘significant’’ and
voluntary means. The statute does not Secretary to an educational agency or therefore subject to the requirements of
specify what steps the Secretary should institution that has a policy or practice the Executive Order and subject to
take to conduct investigations and seek of permitting the release of, releasing, or review by the OMB. Section 3(f) of
voluntary compliance. providing access to education records Executive Order 12866 defines a
Current Regulations: Under § 99.66, without prior written consent except as ‘‘significant regulatory action’’ as an
the Office reviews a complaint and authorized under FERPA. 20 U.S.C. action likely to result in a rule that may
response from an educational agency or 1232g(f) directs the Secretary to take (1) have an annual effect on the
institution and may permit the parties to appropriate actions to enforce and deal economy of $100 million or more, or
submit further written or oral arguments with FERPA violations, except that adversely affect a sector of the economy,
or information. Following its action to terminate assistance may be productivity, competition, jobs, the
investigation, the Office provides to the taken only if the Secretary finds that environment, public health or safety, or
complainant and the agency or there has been a failure to comply and State, local or tribal governments or
institution written notice of its findings, that compliance cannot be secured by communities in a material way (also
including the basis for its findings. If the voluntary means. The statute does not referred to as an ‘‘economically
Office finds that the educational agency specify what steps the Secretary should significant’’ rule); (2) create serious
or institution has failed to comply with take to conduct investigations and seek inconsistency or otherwise interfere
a FERPA requirement, its notice voluntary compliance or what with an action taken or planned by
includes a statement of the specific enforcement actions the Secretary may another agency; (3) materially alter the
steps that the agency or institution must take in cases of non-compliance. budgetary impacts of entitlement grants,
take to comply and provides a user fees, or loan programs or the rights
Current Regulations: Under § 99.67(a),
reasonable period of time, given all the and obligations of recipients thereof; or
the Secretary may withhold further
circumstances, during which the agency (4) raise novel legal or policy issues
payments under any applicable
or institution may comply voluntarily. arising out of legal mandates, the
program, issue a complaint to compel
Proposed Regulations: Section President’s priorities, or the principles
compliance through a cease and desist set forth in the Executive order. The
99.66(c) would allow the Office to issue
order, or terminate eligibility to receive Secretary has determined that this
a notice of findings that an educational
funding under any applicable program regulatory action is significant under
agency or institution violated FERPA
only if an educational agency or section 3(f)(4) of the Executive order.
without also finding that the violation
constituted a policy or practice of the institution fails to comply voluntarily
with a notice finding that the agency or 1. Potential Costs and Benefits
agency or institution.
Reasons: In light of the Supreme institution has not complied with the Following is an analysis of the
Court’s ruling in Gonzaga, the proposed Act. potential costs and benefits of the most
regulations are needed to clarify that, Proposed Regulations: Under significant proposed changes to the
consistent with its current practice, the proposed § 99.67(a), the Secretary may FERPA regulations. In conducting this
Office may find that an agency or take enforcement actions if the Office analysis, the Department examined the
institution violated FERPA even if the determines that the educational agency extent to which the regulations add to
Office does not make a further or institution has a policy or practice in or reduce the costs of educational
determination that the violation was violation of FERPA requirements and agencies and institutions and, where
based on a policy or practice of the has failed to come into compliance appropriate, State educational agencies
agency or institution. As explained voluntarily. The proposed regulations (SEAs) and other State and local
below in connection with proposed also clarify that the Secretary may take educational authorities in relation to
amendments to § 99.67(a), however, the any other appropriate enforcement their costs of complying with the
Secretary may not take an enforcement action in addition to those listed FERPA regulations prior to these
action unless the Office has determined specifically in the regulations. changes.
that the educational agency or Reasons: The proposed regulations This analysis is based on data from
institution has a policy or practice in are needed to clarify that the Office may the most recent Digest of Education
violation of FERPA. issue a notice of violation or failure to Statistics (2006) published by the
comply with specific FERPA National Center for Education Statistics
Section 99.67 (Enforcement Actions) requirements, such as a single failure to (NCES), which projects total enrollment
Statute: 20 U.S.C. 1232g(a)(1)(A) and provide a parent with access to of 48,948,000 students in public
(B) provides that no funds shall be made education records, and require elementary and secondary schools and
available under any program corrective action. However, the Office 17,648,000 students in postsecondary
administered by the Secretary to an may not seek to withhold payments, institutions; and a total of 96,513 public
educational agency or institution or an terminate eligibility for funding, or take K–12 schools; 14,315 school districts;
SEA that has a policy of denying or other enforcement actions unless the and 6,585 postsecondary institutions.
effectively prevents parents from Office determines that the agency or (Excluded are data from private
exercising their right to inspect and institution has a policy or practice in institutions that do not receive Federal
review the student’s education records. violation of FERPA requirements. The funding from the Department and,
20 U.S.C. 1232g(a)(2) provides that no proposed regulations are also needed to therefore, are not subject to FERPA.)
funds shall be made available under any clarify that the Secretary may take any Based on this analysis, the Secretary has
program administered by the Secretary other enforcement action that is legally concluded that the changes in these
to an educational agency or institution available, such as entering into a proposed regulations would not impose
significant net costs on educational request under a State open records act The most recent figures available from
agencies and institutions. Analyses of or other legal proceeding. For these the Bureau of Labor Statistics (2004)
specific provisions follow. reasons, we believe that the overall indicate that there are approximately 2.7
benefits outweigh the potential costs of million secondary and postsecondary
Alumni Records
this change. teachers in the United States. As noted
The proposed regulations clarify the above, we assume that most of these
current exclusion from the definition of Exclusion of SSNs and ID Numbers
From Directory Information teachers either do not post grades at all
education records for records that only or already use a code known only to the
contain information about an individual The proposed regulations clarify that teacher or student. We assume further
after he or she is no longer a student, a student’s SSN or student ID number is that additional costs to deliver grades
which is intended to cover records of personally identifiable information that personally in the classroom or through
alumni and similar activities. Some may not be disclosed as directory electronic mail, instead of posting,
institutions have applied this exclusion information under FERPA. The would be minimal. For purposes of this
to records that are created after a principal effect of this change is that analysis, we estimate that no more than
student has ceased attending the educational agencies and institutions 5 percent of 2.7 million, or 135,000
institution but that are directly related may not post grades by SSN or student teachers would continue to post grades
to his or her attendance as a student, ID number and may not include these and need to convert to a code, which
such as investigatory reports and identifiers with directory information would require them to spend an average
settlement agreements about incidents they disclose about a student, such as a of one half hour each semester
and injuries that occurred during the student’s name, school, and grade level
student’s enrollment. The amendment establishing and managing grading
or class, on rosters or sign-in sheets that codes for students. Using the Bureau of
would clarify that this provision applies are made available to students and
only to records created or received by an Labor Statistics’ published estimate of
others. (Educational agencies and average hourly wages of $42.98 for
educational agency or institution after institutions may continue to include
an individual is no longer a student in teachers at postsecondary institutions
SSNs and student ID numbers on class and an average 39 percent load for
attendance and that are not directly rosters and schedules that are disclosed
related to the individual’s attendance as benefits, we estimate an average cost of
only to teachers and other school $59.74 per teacher per year, for a total
a student. officials who have legitimate
We believe that most of the more than of $8,064,900. Parents and students
educational interests in this should incur no costs except for the
102,000 K–12 schools and
information.) time they might have to spend to
postsecondary institutions subject to
FERPA already adhere to this revised A class roster or sign-in sheet that contact the school official if they forget
interpretation in the proposed contains or requires students to affix the student’s grading code.
regulations and that for those that do their SSN or student ID number makes
This proposed change will benefit
not, the number of records affected is that information available to every
parents and students and educational
likely to be very small. Assuming that individual who signs-in or sees the
agencies and institutions by reducing
each year one half of one percent of the document and who may be able to use
it for identity theft or to find out a the risk of identity theft associated with
66,596,000 students enrolled in these posting grades by SSN, and the risk of
institutions have one record each student’s grades or other confidential
educational information. In regard to disclosing grades and other confidential
affected by the proposed change, in the educational information caused by
year following issuance of the posting grades, an individual who
knows which classes a particular posting grades by student ID number. It
regulations institutions would be is difficult to quantify the value of
required to try to obtain written consent student attends may be able to ascertain
that student’s SSN or student ID number reducing the risk of identity theft. We
before releasing 332,980 records that note, however, that for the past few
they would otherwise release without by comparing class lists for repeat
numbers. Because SSNs are not years over one-third of complaints filed
consent. We estimate that for the first with the Federal Trade Commission
year contacting the affected parent or randomly generated, it may be possible
to identify a student by State of origin have been for identity theft. See Federal
student to seek and process written
based on the first three (area) digits of Trade Commission, Consumer Fraud
consent for these disclosures would take
the number, or by date of issuance based and Identity Theft Data, February 2008,
approximately 1⁄2 hour per record at an
on the two middle digits. at page 2.
average cost of $32.67 per hour for a
total cost of $5,439,229. (Compensation The Department does not have any According to the Better Business
for administrative staff time is based on actual data on how many class or test Bureau, identity theft cost businesses
published estimates for 2005 from the grades are posted by SSN or student ID nearly $57 billion in 2006 while victims
Bureau of Labor Statistics’ National number at this time, but we believe that spent an average of 40 hours resolving
Compensation Survey of $23.50 per the practice is rare or non-existent identity theft issues. It is even more
hour plus an average 39 percent benefit below the secondary level. Although the difficult to measure the benefits of
load for Level 8 administrators in practice was once widespread, enhanced privacy protections for
education and related fields.) particularly at the postsecondary level, student grades and other confidential
In terms of benefits, the proposed anecdotal evidence suggests that as a educational information from education
change would protect the privacy of result of consistent training and records because the value individuals
parents and students by clarifying the informal guidance by the Department place on the privacy of this information
intent of this regulatory exclusion and over the past several years, together varies considerably and because we are
help prevent the unlawful disclosure of with the increased attention States and unable to determine how often it
these records. It would also provide privacy advocates have given to the use happens. Therefore, the Secretary seeks
greater legal certainty and therefore of SSNs, many institutions now either public comment on the value of these
some cost savings for those agencies and require teachers to use a code known enhanced privacy protections in relation
institutions that may be required to only to the teacher and the student or to the expected costs to implement the
litigate this issue in connection with a prohibit posting of grades entirely. proposed changes.
Prohibit Use of SSN To Confirm student, such as address, date of birth, information a student’s user ID or other
Directory Information dates of enrollment, year of graduation, electronic identifier so long as it
The proposed regulations would major field of study, degree received, functions like a name, that is, it cannot
prevent an educational agency or etc. Costs to an institution of ensuring be used without a PIN, password, or
institution (or a contractor providing that students have provided written some other authentication factor to gain
services for an agency or institution) consent for these disclosures, for access to education records. This change
from using a student’s SSN (or student example by requiring the requester to would impose no costs and would result
ID number) to identify the student when fax copies of each written consent to the in regulatory relief by allowing agencies
releasing or confirming directory institution or its contractor, or making and institutions to use directory services
information. This occurs, for example, arrangements to receive them in electronic communications systems
when a prospective employer or electronically, could be substantial for without incurring the administrative
insurance company telephones an large institutions and organizations that costs associated with obtaining student
utilize electronic recordkeeping consent for these disclosures.
institution or submits a Web site inquiry
systems. Institutions may choose Costs related to honoring a student’s
to find out whether a particular
instead to conduct these verifications decision to opt out of these disclosures
individual is enrolled in or has should be minimal because of the small
without using SSNs or student IDs,
graduated from the institution. While number of students who would elect not
which may make it more difficult to
this provision would apply to to participate in electronic
ensure that the correct student has been
educational agencies and institutions at communications at their school.
identified because of the known
all grade levels, we believe that it will Applying this proposed change to
problems in matching records without
affect mainly postsecondary institutions records of both K–12 and postsecondary
the use of a universal identifier.
because enrollment and degree students and assuming that one-tenth of
Increased institutional costs either to
verification services typically are not verify that the student has provided a percent of parents and eligible
offered at the K–12 level. consent or to conduct a search without students would opt out of these
A survey conducted in March 2002 by disclosures, we estimate that
use of SSNs or student ID numbers
the American Association of Collegiate institutions would have to flag the
should be less for smaller institutions,
Registrars and Admissions Officers records of approximately 67,000
where the chances of duplicate records
(AACRAO) showed that nearly half of students for opt out purposes.
are decreased. Parents and students may
postsecondary institutions used SSNs as Recognizing that institutions currently
incur additional costs if an employer,
the primary means to track students in insurance company, or other requester flag records for directory information
academic databases. Since then, use of is unable to verify enrollment or opt outs for other purposes, the
SSNs as a student identifier has graduation based solely on directory Secretary seeks public comment on the
decreased significantly in response to information and written consent for administrative and information
public concern about identity theft. disclosure of the student’s SSN or technology costs institutions would
While postsecondary institutions may student ID number is required. Due to incur to process these potential new
continue to collect students SSNs for the difficulty in ascertaining actual costs directory information opt outs.
financial aid and tax reporting purposes, associated with these transactions, the
many have ceased using the SSN as a Student Anonymity in the Classroom
Secretary asks for public comment on
student identifier either voluntarily or costs that educational agencies and The proposed regulations would
in compliance with State laws. Also, institutions and parents and students ensure that parents and students do not
over the past several years the would expect to incur under this use the right to opt out of directory
Department has provided training on proposed change. information disclosures to prevent
this issue and published on the Office The enhanced privacy protections of disclosure of the student’s name,
Web site a 2004 letter finding a this proposed amendment will benefit institutional e-mail address, or
postsecondary institution in violation of students and parents by reducing the electronic identifier in the student’s
FERPA when its agent used a student’s risk that third parties will use a physical or electronic classroom. We
SSN, without consent, to search its student’s SSN without consent and estimate that this change would result
database to verify that the student had possibly confirm a questionable number in a small net benefit to educational
received a degree. http://www.ed.gov/ for purposes of identity theft. Similarly, agencies and institutions because they
policy/gen/guid/fpco/ferpa/library/ preventing institutions from implicitly would have greater legal certainty about
auburnuniv.html. In these confirming a questionable student ID this element of classroom
circumstances, we estimate that number will help prevent unauthorized administration, and it would reduce the
possibly one-quarter of the nearly 6,585 individuals from obtaining confidential institutional costs of responding to
postsecondary institutions in the United information from education records. In complaints from students and parents
States, or 1,646 institutions, may ask a evaluating the benefits or value of this about the release of this information.
requester to provide the student’s SSN proposed change, we note that this FERPA could not be used to allow
(or student ID number) in order to locate provision does not affect any activity students to remain anonymous to their
the record and respond to an inquiry for that an educational agency or institution peers in class, but the safety of students
directory information. is required to perform under FERPA or might be enhanced by allowing them to
Under the proposed amendment an other Federal law, such as using SSNs know the name of every student in their
educational agency or institution that to confirm enrollment for student loan class.
identifies students by SSN (or student purposes, which is permitted without
ID number) when releasing directory Disclosing Education Records to New
consent under the financial aid

information will either have to ensure School and to Party Identified as
exception in § 99.31.
that the student has provided written Source Record
consent to disclose the number to the User ID for Electronic Communications The proposed amendment to
requester, or rely solely on a student’s The proposed regulations would § 99.31(a)(2) would allow an
name and other properly designated allow an educational agency or educational agency or institution to
directory information to identify the institution to disclose as directory disclose education records, or
personally identifiable information from are already required under existing computer but instead use some system
education records, to a student’s new regulations to publish a FERPA of administrative and physical controls.
school even after the student is already notification annually, we believe that We estimate for this analysis that 20
attending the new school so long as the costs to include this new information percent, or 1,400, of these small districts
disclosure relates to the student’s would be minimal. and institutions use home-built
enrollment in the new school. This computerized or electronic systems that
change would provide regulatory relief Access Control and Tracking may not have the role-based security
by reducing legal uncertainty about how The proposed regulations in features of commercial software. The
long a school may continue to send § 99.31(a)(1)(ii) would require an most recent published estimate we have
records or information to a student’s educational agency or institution to use for software costs comes from the final
new school, without consent, under the reasonable methods to ensure that Standards for Privacy of Individually
‘‘seeks or intends to enroll’’ exception. teachers and other school officials Identifiable Health Information under
The proposed amendment to the obtain access to only those education the Health Insurance Portability and
definition of disclosure in § 99.3 would records in which they have legitimate Accountability Act of 1996 (HIPAA
allow a school that has concerns about educational interests. This requirement Privacy Rule) published by the
the validity of a transcript, letter of would apply to both computerized or Department of Health and Human
recommendation, or other record to electronic records and paper, film, and Services (HHS) on December 28, 2000,
return these documents (or personally other hard copy records. Agencies and which estimated that the cost of
identifiable information from these institutions that choose not to restrict software upgrades to track the
documents) to the student’s previous access with physical or technological disclosure of medical records would be
school or other party identified as the controls, such as locked cabinets and $35,000 initially for each hospital. 65
source of the record in order to resolve role-based software security, must FR 82462, 82768. We determined that
questions about their validity. ensure that their policy is effective and use of the cost estimate from the HIPAA
Combined with the proposed change to that school officials gain access to only Privacy Rule was appropriate because,
§ 99.31(a)(2), discussed earlier in this those education records in which they as discussed above, software that tracks
analysis, this change would also allow have legitimate educational interests. disclosure history can also be used to
the student’s previous school to Information gathered by the director control or restrict access to electronic
continue to send education records, or of the Family Policy Compliance Office records. Recent discussions with
clarification about education records, to at numerous FERPA training sessions
information technology (IT) staff in the
the student’s new school in response to Department suggested that it was
and seminars, along with recent
questions about the validity or meaning reasonable to conclude that an
discussions with software vendors and
of records sent previously by that party. institutional license for software that
educational organizations, indicates that
We believe that these changes would controls and tracks access to electronic
the vast majority of mid and large size
provide significant regulatory relief to records would cost approximately
school districts and postsecondary
educational agencies and institutions by $35,000 at this time; adjustments for
institutions currently use commercial
helping to reduce transcript and other inflation were not deemed necessary
software for student information
educational fraud based on falsified because software costs do not track with
systems. We have been advised that
records. inflation in as straightforward a way as
these systems all include role-based do other goods and services. Further,
Outsourcing security features that allow while discussions with HHS staff
The proposed regulations would administrators to control access to indicate that the disclosure tracking
allow educational agencies and specific records, screens, or fields software cost estimates in the HIPAA
institutions to disclose education according to a school official’s duties Privacy Rule preamble were provided
records, or personally identifiable and responsibilities; these systems also primarily with hospitals and larger
information from education records, typically contain transactional logging institutions in mind, the Department’s
without consent to contractors, features that document or track a user’s IT staff found no difference between
volunteers, and other non-employees actual access to particular records, software costs depending on the size of
performing institutional services and which an agency or institution may use the institutions.
functions as school officials. The agency to help ensure the effectiveness of its Based on these determinations and
or institution may have to amend its policies regarding access to education assumptions, if 1,400 small K–12
annual notification of FERPA rights to records. Educational agencies and districts and postsecondary institutions
include these parties as school officials institutions that already have these purchased student information software
with legitimate educational interests. systems would incur no additional costs to comply with the proposed
This change would provide regulatory to comply with the proposed regulations, they would incur estimated
relief by permitting and clarifying the regulations. costs of $49,000,000. We believe that the
conditions for a non-consensual For purposes of this analysis we remaining 5,600 small districts and
disclosure of education records that is excluded from a total of 14,315 school institutions would not purchase new
not allowed under current regulations. districts and 6,585 postsecondary software because they do not make
Our experience suggests that virtually institutions those with more than 1,000 education records available
all of the more than 102,000 schools students, for a total of 6,998 small K–12 electronically and rely instead on less
subject to FERPA will take advantage of districts and 3,933 small postsecondary costly administrative and physical
this provision. We have no actual data institutions that may not have software methods to control access to records by
on how many school districts publish with access control security features. school officials. Districts and
annual FERPA notifications for the The director’s discussions with institutions that provide school officials
96,513 K–12 public schools included in numerous SEAs and local districts with open access to education records
the 102,000 total and, therefore, how suggest that the vast majority of these may need to devote some additional
many entities would be affected by this small districts and institutions do not administrative staff time to ensuring
requirement. However, since make education records available to that their policies are effective and that
educational agencies and institutions school officials electronically or by they remain in compliance with the
legitimate educational interest sensitive personal or financial the District of Columbia (one for K–12
requirement with respect to school information in electronic records for and one for postsecondary) and the
officials who access records. However, which single-factor authentication Department itself, for a total of 103
no reliable estimates exist for the would not be reasonable. authorities will elect to maintain the
average number of teachers and other required records of redisclosures. We
Redisclosure and Recordkeeping
school officials who access education estimate further that these authorities
records or the number of times access is The proposed regulations would will need to record two redisclosures
sought. Accordingly, we are seeking allow the officials and agencies listed in per year from their records and that it
public comment on any potential net § 99.31(a)(3)(i) (the U.S. Comptroller will take one hour of administrative
costs associated with this proposed General; the U.S. Attorney General; the time to record each redisclosure
requirement for ensuring that legitimate Secretary; and State and local electronically at an average hourly rate
educational interest policies are educational authorities) to redisclose of $32.67, for a total annual
effective. education records, or personally administrative cost of $6,730.
identifiable information from education (Compensation for administrative staff
Identification and Authentication of records, without consent under the time is explained above.) We also
Identity same conditions that apply currently to assume for purposes of this analysis that
The proposed regulations in § 99.31(c) other recipients of education records State educational authorities and the
would require educational agencies and under § 99.33(b). This proposed change Department already have software that
institutions to use reasonable methods would provide substantial regulatory would allow them to record these
to identify and authenticate the identity relief to these parties by allowing them disclosures electronically.
of parents, students, school officials and to redisclose information on behalf of State educational authorities and
other parties to whom the agency or educational agencies and institutions other officials that elect to maintain
institution discloses personally under any provision in § 99.31(a), which records of redisclosures would also have
identifiable information from education allows disclosure of education records to make that information available to a
records. They would impose no new without consent. For example, States parent or eligible student, on request, if
costs for educational agencies and would be able to consolidate K–16 the educational agency or institution on
institutions that disclose hard copy education records under the SEA or whose behalf the information was
records through the U.S. postal service State higher educational authority redisclosed does not do so. We assume
or private delivery services with use of without having to obtain written that few parents and students request
the recipient’s name and last known consent under § 99.30. Parties that this information and, therefore, use an
official address. We were unable to find currently request access to records from estimate that one in one thousand of a
reliable data that would allow us to individual school districts and total of 66,596,000 students will make
estimate the additional administrative postsecondary institutions would in such a request each year, or 66,596
time that educational agencies and many instances be able to obtain the requests. If it takes one-quarter of an
institutions would incur to check photo same information in a more cost hour to locate and printout a record of
identification, where appropriate, when effective manner from the appropriate disclosures at an average administrative
releasing education records in person State educational authority, or from the hourly rate of $32.67, the average
and seek public comment on this point. Department. annual administrative cost for this
Authentication of identity for In accordance with existing service would be $543,923, plus mailing
electronic records involves a wider regulations in § 99.32(b), an educational costs (at $.41 per letter) of $27,304, for
array of security options because of agency or institution must record any a total of $571,227. Educational agencies
continuing advances in technologies but redisclosure of education records made and institutions themselves would incur
is not necessarily more costly than on its behalf under § 99.33(b), including these costs if they make these records of
authentication of identity for hard copy the names of the additional parties to redisclosure available to parents and
records. We assume that educational which the receiving party may students instead.
agencies and institutions that require redisclose the information and their The Department believes that the
users to enter a secret password or PIN legitimate interests or basis for the proposed change would result in a net
to authenticate identity will deliver the disclosure without consent under benefit to both educational agencies and
password or PIN through the U.S. postal § 99.31 in obtaining the information. institutions and the officials that
service or in person. We estimate that The proposed regulations would allow redisclose information under this
no new costs would be associated with SEAs and other State educational provision because the redisclosing
this process because agencies and authorities (such as higher education parties would not have to send their
institutions already have direct contact authorities), the Secretary, and other records of redisclosure to the
with parents, eligible students, and officials or agencies listed in educational agencies and institutions
school officials for a variety of other § 99.31(a)(3)(i) to maintain the record of unless a parent or student requests that
purposes and would use these redisclosure required under § 99.32(b), information and the educational agency
opportunities to deliver a secret provided that the educational agency or or institution wishes to make the record
authentication factor. institution makes that record available available itself. Further, the costs to
As noted above, single-factor to parents and eligible students as State authorities and the Department to
authentication of identity, such as a required under § 99.32(c). record their own redisclosures would be
standard form user name combined with SEAs and other officials listed in outweighed by the savings that
a secret password or PIN, may not § 99.31(a)(3)(i) would incur new educational agencies and institutions
provide reasonable protection for access administrative costs if they elect to
would realize by not having to record

to all types of education records or maintain the record of redisclosure for the disclosures themselves.
under all circumstances. The Secretary the educational agency or institution on
invites public comment on the potential whose behalf they redisclose education Notification of Compliance With Court
costs of authenticating identity when records under the proposed regulations. Order or Subpoena
educational agencies and institutions We estimate that two educational The proposed regulations would
allow authorized users to access authorities or agencies in each State and require any party that rediscloses
education records in compliance with a the student leaves the institution. Most However, the regulations would not
court order or subpoena under agencies and institutions should already have a significant economic impact on
§ 99.31(a)(9) to provide the notice to comply with this requirement because these small agencies and institutions
parents and eligible students required of informal guidance and training because the regulations would not
under § 99.31(a)(9)(ii). We anticipate provided by FPCO. We have insufficient impose excessive regulatory burdens or
that this provision will affect mostly information to estimate the number of require unnecessary Federal
State and local educational authorities, institutions affected and the additional supervision. The regulations would
which maintain education records they costs involved in changing systems to impose minimal requirements to ensure
have obtained from their constituent maintain opt out flags on education that LEAs and postsecondary
districts and institutions and, under the records of former students and seek institutions comply with the
proposed regulations discussed above, public comment on the matter. educational privacy protection
may redisclose the information, without
consent, in compliance with a court 2. Clarity of the Regulations requirements in FERPA.
order or subpoena under § 99.31(a)(9). Executive Order 12866 and the Federalism
There is no change in costs as a result Presidential Memorandum on ‘‘Plain
of shifting responsibility for notification Language in Government Writing’’ Executive Order 13132 requires us to
to the disclosing party under this require each agency to write regulations ensure meaningful and timely input by
proposed change. However, we believe that are easy to understand. State and local elected officials in the
that minimizing or eliminating The Secretary invites comments on development of regulatory policies that
uncertainty about which party is legally how to make these proposed regulations have federalism implications.
responsible for the notification would easier to understand, including answers ‘‘Federalism implications’’ means
result in a net benefit to all parties. to questions such as the following: substantial direct effects on the States,
• Are the requirements in the on the relationship between the
State Auditors
proposed regulations clearly stated? National Government and the States, or
The proposed regulations would • Do the proposed regulations contain on the distribution of power and
allow State auditors to have access to technical terms or other wording that
education records without consent responsibilities among the various
interferes with their clarity?
under §§ 99.31(a)(3) and 99.35, which • Does the format of the proposed levels of government. The proposed
allows disclosures in connection with regulations (grouping and order of regulations in §§ 99.3 through 99.67
an audit or evaluation of Federal or sections, use of headings, paragraphing, may have federalism implications, as
State supported education programs, or etc.) aid or reduce their clarity? defined in Executive Order 13132, in
for the enforcement of or compliance • Would the proposed regulations be that they will have some effect on the
with Federal legal requirements related easier to understand if we divided them States and the operation of educational
to those programs. This change would into more (but shorter) sections? (A agencies and institutions subject to
involve no increased costs and provide ‘‘section’’ is preceded by the symbol FERPA. We encourage State and local
regulatory relief by clarifying that these ‘‘§ ’’ and a numbered heading; for elected officials to review and provide
disclosures are permitted even if the example, § 99.30 Under what conditions comments on these proposed
State auditor is not a State educational is prior consent required to disclose regulations. To facilitate review and
authority (or other official listed in information?) comment by appropriate State and local
§ 99.31(a)(3)(i)). • Could the description of the officials, the Department will, aside
The proposed change is limited to proposed regulations in the from publication in the Federal
disclosures for purposes of an audit, SUPPLEMENTARY INFORMATION section of Register, post the NPRM to the FPCO
which is defined as testing compliance this preamble be more helpful in Web site and to the Office of Planning,
with applicable laws, regulations, and making the proposed regulations easier Evaluation, and Policy Development
standards. We believe that this to understand? If so, how? (OPEPD) Web site and make a specific
limitation does not impose additional • What else could we do to make the
e-mail posting via a special listserv that
costs because a State auditor may proposed regulations easier to
is sent to each State department of
conduct activities outside the scope of understand?
an audit, such as evaluate the Send any comments that concern how education superintendent and higher
effectiveness of educational programs, the Department could make these education commission director.
by establishing a contractual proposed regulations easier to Paperwork Reduction Act of 1995
relationship with the State educational understand to the person listed in the
authority or school district or institution ADDRESSES section of the preamble. These proposed regulations do not
in possession of the records that contain any information collection
Regulatory Flexibility Act Certification
qualifies the auditor as an authorized requirements.
representative or school official, The Secretary certifies that these
respectively. proposed regulations would not have a Intergovernmental Review
significant economic impact on a
Directory Information Opt Outs These proposed regulations are not
substantial number of small entities.
subject to Executive Order 12372 and
The proposed regulations clarify that The small entities that would be
while an educational agency or affected by these proposed regulations the regulations in 34 CFR part 79.
institution is not required to notify are small local educational agencies Assessment of Educational Impact
former students under § 99.37(a) about (LEAs) that receive Federal funds from
the institution’s directory information the Department and certain 4- and 2- The Secretary particularly requests
policy or allow former students to opt year colleges and for-profit comments on whether these proposed
out of directory information disclosures, postsecondary trade and technical regulations would require transmission
they must continue to honor a parent’s schools with small enrollments that of information that any other agency or
or student’s decision to opt out of receive Federal funds, such as student authority of the United States gathers or
directory information disclosures after aid programs under Title IV of the HEA. makes available.
Department Recommendations for their names, addresses and SSNs had information that they maintain,
Safeguarding Education Records been compromised. eliminate the unnecessary use of SSNs,
The Department’s Office of Inspector and develop and implement a ‘‘breach
The Department recognizes that
General (OIG) noted in Final Inspection notification policy.’’ This memorandum,
agencies and institutions face significant
Alert Memorandum dated February 3, although directed towards federal
challenges in safeguarding educational
2006, that between February 15, 2005, agencies, may also serve as a resource
records. We are providing the following
and November 19, 2005, there were 93 for educational agencies and
information and recommendations to
documented computer breaches of institutions. See http://
assist agencies and institutions in
electronic files involving personal www.whitehouse.gov/omb/memoranda/
meeting these challenges.
information from education records fy2007/m07–16.pdf.
As noted elsewhere in this document,
such as SSNs, credit card information, Finally, if an educational agency or
FERPA provides that no funds
and dates of birth. According to the institution has experienced a theft of
administered by the Secretary may be
reported data, 45 percent of these files or computer equipment, hacking or
made available to any educational
incidents have occurred at colleges and other intrusion, software or hardware
agency or institution that has a policy or universities nationwide. OIG expressed
practice of releasing, permitting the malfunction, inadvertent release of data
concern that student information may to Internet sites, or other unauthorized
release of, or providing access to be compromised due to a failure to
personally identifiable information from release or disclosure of education
implement or administer proper records, the Department suggests
education records without the prior security controls for information
written consent of a parent or eligible consideration of one or more of the
systems at postsecondary institutions. following steps:
student except in accordance with The Department recognizes that no • Report the incident to law
specified exceptions. In light of these system for maintaining and transmitting enforcement authorities.
requirements, the Secretary encourages education records, whether in paper or • Determine exactly what information
educational agencies and institutions to electronic form, can be guaranteed safe was compromised, i.e., names,
utilize appropriate methods to protect from every hacker and thief, addresses, SSNs, ID numbers, credit
education records, especially in technological failure, violation of card numbers, grades, and the like.
electronic data systems. administrative rules, and other causes of • Take steps immediately to retrieve
In recent months the following unauthorized access and disclosure. data and prevent any further
incidents have come to the Although FERPA does not dictate disclosures.
Department’s attention: requirements for safeguarding education • Identify all affected records and
• Students’ grades or financial records, the Department encourages the students.
information, including SSNs, have been holders of personally identifiable • Determine how the incident
posted on publicly available web information to consider actions that occurred, including which school
servers; mitigate the risk and are reasonably officials had control of and
• Laptops and other portable devices calculated to protect such information. responsibility for the information that
containing similar information from Of course, an educational agency or was compromised.
education records have been lost or institution may use any method, • Determine whether institutional
stolen; combination of methods, or policies and procedures were breached,
• Education records, or devices that technologies it determines to be including organizational requirements
maintain education records, have not reasonable, taking into consideration the governing access (user names,
been retrieved from school officials size, complexity, and resources passwords, PINS, etc.); storage;
upon termination of their employment available to the institution; the context transmission; and destruction of
or service as a contractor, consultant, or of the information; the type of information from education records.
volunteer; information to be protected (such as • Determine whether the incident
• Computer systems at colleges and social security numbers or directory occurred because of a lack of monitoring
universities have become favored targets information); and methods used by and oversight.
because they hold many of the same other institutions in similar • Conduct a risk assessment and
records as banks but are much easier to circumstances. The greater the harm identify appropriate physical,
access. See ‘‘College Door Ajar for that would result from unauthorized technological and administrative
Online Criminals’’ (May 2006), available access or disclosure and the greater the measures for preventing similar
at http://www.uh.edu/ednews/2006/ likelihood that unauthorized access or incidents in the future.
latimes/200605/20060530hackers.html disclosure will be attempted, the more • Notify students that the
and July 10, 2006, Viewpoint in protections an agency or institution Department’s Office of Inspector
BusinessWeek/Online available at should consider using to ensure that its General maintains a Web site describing
http://www.businessweek.com/ methods are reasonable. steps students may take if they suspect
technology/content/jul2006/ One resource for administrators of they are a victim of identity theft at
tc20060710_558020.htm; electronic data systems is ‘‘The National http://www.ed.gov/about/offices/list/
• Nearly 65 percent of postsecondary Institute of Standards and Technology oig/misused/idtheft.html; and http://
educational institutions identified theft (NIST) 800–100, Information Security www.ed.gov/about/offices/list/oig/
of personal information (SSNs, credit/ Handbook: A Guide for Managers’’ misused/victim.html.
debit/ATM card, account or PIN (October 2006). A second resource is FERPA does not require an
numbers, etc.) as a high risk area. See NIST 800–53, which catalogs educational agency or institution to
Table 7, Perceived Risks at http:// information security controls. Similarly, notify students that information from
www.educause.edu/ir/library/pdf/ a May 22, 2007 memorandum to heads their education records was stolen or
ecar_so/ers/ers0606/Ekf0606.pdf; and of federal agencies from the Office of otherwise subject to an unauthorized
• In December 2006, a large Management and Budget requires release, although it does require the
postsecondary institution alerted some executive departments and agencies to agency or institution to maintain a
800,000 students and others that the ensure that proper safeguards are in record of each disclosure. 34 CFR
campus computer system containing place to protect personally identifiable 99.32(a)(1). (However, student
notification may be required in these confidentiality of information relating to education records except when used in
circumstances for postsecondary children with disabilities who receive conjunction with one or more factors
institutions under the Federal Trade evaluations, services or other benefits under that authenticate the user’s identity,
Commission’s Standards for Insuring Part B of the Individuals with Disabilities such as a personal identification
Education Act (IDEA). 34 CFR 303.402 and
the Security, Confidentiality, Integrity 303.460 identify the confidentiality of
number (PIN), password, or other factor
and Protection of Customer Records and information requirements regarding children known or possessed only by the
Information (‘‘Safeguards Rule’’) in 16 and infants and toddlers with disabilities and authorized user.
CFR part 314.) In any case, direct their families who receive evaluations, (Authority: 20 U.S.C. 1232g(a)(5)(A))
student notification may be advisable if services or other benefits under Part C of
IDEA. * * * * *
the compromised data includes student
Disclosure means to permit access to
SSNs and other identifying information 3. Section 99.3 is amended by: or the release, transfer, or other
that could lead to identity theft. A. Adding, in alphabetical order, a communication of personally
Electronic Access to This Document definition for State auditor. identifiable information contained in
B. Revising the definitions of education records by any means,
You may view this document, as well Attendance, Directory information,
as all other Department of Education including oral, written, or electronic
Disclosure, and Personally identifiable means, to any party except the party
documents published in the Federal information.
Register, in text or Adobe Portable identified as the party that provided or
C. In the definition of Education created the record.
Document Format (PDF) on the Internet records, revising paragraph (b)(5) and
at the following site: http://www.ed.gov/ adding a new paragraph (b)(6). (Authority: 20 U.S.C. 1232g(b)(1) and (b)(2))
news/fedregister. These additions and revisions read as * * * * *
To use PDF you must have Adobe follows:
Acrobat Reader, which is available free Education Records
at this site. If you have questions about § 99.3 What definitions apply to these * * * * *
using PDF, call the U.S. Government regulations? (b) * * *
Printing Office (GPO), toll free, at 1– * * * * * (5) Records created or received by an
888–293–6498; or in the Washington, Attendance includes, but is not educational agency or institution after
DC, area at (202) 512–1530. limited to— an individual is no longer a student in
Note: The official version of this document (a) Attendance in person or by paper attendance and that are not directly
is the document published in the Federal correspondence, videoconference, related to the individual’s attendance as
Register. Free Internet access to the official satellite, Internet, or other electronic a student.
edition of the Federal Register and the Code information and telecommunications (6) Grades on peer-graded papers
of Federal Regulations is available on GPO technologies for students who are not before they are collected and recorded
Access at: http://www.gpoaccess.gov/nara/ physically present in the classroom; and by a teacher.
index.html. (b) The period during which a person * * * * *
(Catalog of Federal Domestic Assistance is working under a work-study program.
Number does not apply.) Personally Identifiable Information
(Authority: 20 U.S.C. 1232g)
* * * * * The term includes, but is not limited
List of Subjects in 34 CFR Part 99
Directory information means to
Administrative practice and (a) The student’s name;
procedure, Directory information, information contained in an education
record of a student that would not (b) The name of the student’s parent
Education records, Information, Parents, or other family members;
Privacy, Records, Social Security generally be considered harmful or an
(c) The address of the student or
Numbers, Students. invasion of privacy if disclosed.
(a) Directory information includes, student’s family;
Dated: March 17, 2008. (d) A personal identifier, such as the
but is not limited to, the student’s name;
Margaret Spellings, student’s social security number,
address; telephone listing; electronic
student number, or biometric record;
Secretary of Education. mail address; photograph; date and
(e) Other indirect identifiers, such as
For the reasons discussed in the place of birth; major field of study;
date of birth, place of birth, and
preamble, the Secretary proposes to grade level; enrollment status (e.g.,
mother’s maiden name;
amend part 99 of title 34 of the Code of undergraduate or graduate, full-time or
(f) Other information that, alone or in
Federal Regulations as follows: part-time); dates of attendance;
combination, is linked or linkable to a
participation in officially recognized
specific student that would allow a
PART 99—FAMILY EDUCATIONAL activities and sports; weight and height
reasonable person in the school or its
RIGHTS AND PRIVACY of members of athletic teams; degrees,
community, who does not have personal
honors and awards received; and the
1. The authority citation for part 99 knowledge of the relevant
most recent educational agency or
continues to read as follows: circumstances, to identify the student
institution attended.
Authority: 20 U.S.C. 1232g, unless with reasonable certainty; or
(b) Directory information does not
otherwise noted. (g) Information requested by a person
include a student’s social security
who the educational agency or
2. Section 99.2 is amended by revising number or student identification (ID)
institution reasonably believes has
the note following the authority citation number.
direct, personal knowledge of the
to read as follows: (c) Directory information includes a
identity of the student to whom the

student’s user ID or other unique
§ 99.2 What is the purpose of these education record directly relates.
personal identifier used by the student
regulations? for purposes of accessing or (Authority: 20 U.S.C. 1232g)
* * * * * communicating in electronic systems, * * * * *
Note to § 99.2: 34 CFR 300.610 through but only if the electronic identifier State auditor means a party under any
300.626 contain requirements regarding the cannot be used to gain access to branch of government with authority
and responsibility under State law for educational interests. An educational or an act of domestic or international
conducting audits. agency or institution that does not use terrorism as defined in 18 U.S.C. 2331.
(Authority: 20 U.S.C. 1232g(b)(5)) physical or technological access * * * * *
controls must ensure that its (16) The disclosure concerns an
* * * * *
administrative policy for controlling individual required to register under
4. Section 99.5 is amended by
access to education records is effective section 170101 of the Violent Crime
redesignating paragraph (a) as paragraph
and that it remains in compliance with Control and Law Enforcement Act of
(a)(1) and adding a new paragraph (a)(2)
the legitimate educational interest 1994, 42 U.S.C. 14071, and the
to read as follows:
requirement in paragraph information was obtained and disclosed
§ 99.5 What are the rights of students? 99.31(a)(1)(i)(A). by the educational agency or institution
(a)(1) * * * (2) The disclosure is, subject to the in compliance with a State community
(2) Nothing in this section prevents an requirements of § 99.34, to officials of notification program under 42 U.S.C.
educational agency or institution from another school, school system, or 14071(e) or (j) and applicable Federal
disclosing education records, or institution of postsecondary education guidelines. Nothing in the Act or these
personally identifiable information from where the student seeks or intends to regulations requires or encourages an
education records, to a parent without enroll, or where the student is already educational agency or institution to
the prior written consent of an eligible enrolled so long as the disclosure is for collect or maintain information about
student if the disclosure meets the purposes related to the student’s registered sex offenders.
conditions in § 99.31(a)(8), enrollment or transfer. (b)(1) De-identified records and
§ 99.31(a)(10), § 99.31(a)(15), or any Note: Section 4155(b) of the No Child Left information. An educational agency or
other provision in § 99.31(a). Behind Act of 2001, 20 U.S.C. 7165(b), institution, or a party that has received
* * * * * requires each State to assure the Secretary of education records or information from
5. Section 99.31 is amended by: Education that it has a procedure in place to education records under this part, may
A. Redesignating paragraph (a)(1) as facilitate the transfer of disciplinary records release the records or information
paragraph (a)(1)(i)(A) and adding new of a student who was suspended or expelled without the consent required by § 99.30
by a local educational agency to any private after the removal of all personally
paragraphs (a)(1)(i)(B) and (a)(1)(ii).
or public elementary or secondary school in
B. Revising paragraph (a)(2). which the student is subsequently enrolled
identifiable information provided that
C. Revising paragraph (a)(6)(ii). or seeks, intends, or is instructed to enroll. the educational agency or institution or
D. In paragraph (a)(9)(ii)(A), removing other party has made a reasonable
the word ‘‘ or’’ after the punctuation ‘‘;’’. (6) * * * determination that a student’s identity
E. In paragraph (a)(9)(ii)(B), removing (ii) An educational agency or is not personally identifiable because of
the punctuation ‘‘.’’ and adding in its institution may disclose personally unique patterns of information about
place the word ‘‘; or’’. identifiable information under that student, whether through single or
F. Adding paragraph (a)(9)(ii)(C). paragraph (a)(6)(i) of this section only if multiple releases, and taking into
G. Adding paragraph (a)(16). it enters into a written agreement with account other reasonably available
H. Revising paragraph (b). the organization specifying the purposes information.
I. Adding paragraphs (c) and (d). of the study. An educational agency or (2) An educational agency or
J. Revising the authority citation at the institution is not required to agree with institution, or a party that has received
end of the section. or endorse the conclusions or results of education records or information from
The additions and revisions read as the study. The written agreement education records under this part, may
follows: required under this paragraph must release de-identified student level data
§ 99.31 Under what conditions is prior ensure that— from education records for the purpose
consent not required to disclose (A) Information from education of education research by attaching a
information? records is used only to meet the purpose code to each record that may allow the
(a) * * * or purposes of the study stated in the recipient to match information received
(1)(i)(A) * * * written agreement; from the same source, provided that—
(B) A contractor, consultant, (B) The organization conducts the (i) An educational agency or
volunteer, or other party to whom an study in a manner that does not permit institution or other party that releases
agency or institution has outsourced personal identification of parents and de-identified data under paragraph (b)
institutional services or functions may students, as defined in this part, by of this section does not disclose any
be considered a school official under individuals other than representatives of information about how it generates and
this paragraph provided that the outside the organization that conducts the assigns a record code, or that would
party— study; and allow a recipient to identify a student
(1) Performs an institutional service or (C) The information is destroyed or based on a record code;
function for which the agency or returned to the educational agency or (ii) The record code is used for no
institution would otherwise use institution when it is no longer needed purpose other than identifying a de-
employees; for the purposes for which the study identified record for purposes of
(2) Is under the direct control of the was conducted. education research and cannot be used
agency or institution; and to ascertain personally identifiable
(3) Is subject to the requirements of * * * * * information about a student; and
§ 99.33(a) governing the use and (9) * * * (iii) The record code is not based on
redisclosure of personally identifiable (ii) * * * a student’s social security number or
information from education records. (C) An ex parte court order obtained other personal information.
(ii) An educational agency or by the United States Attorney General (c) An educational agency or
institution must use reasonable methods (or designee not lower than an Assistant institution must use reasonable methods
to ensure that school officials obtain Attorney General) concerning to identify and authenticate the identity
access to only those education records investigations or prosecutions of an of parents, students, school officials,
in which they have legitimate offense listed in 18 U.S.C. 2332b(g)(5)(B) and any other parties to whom the
agency or institution discloses under the Clery Act to the accuser and officials or agencies headed by officials
personally identifiable information from accused regarding the outcome of any referred to in paragraph (a) of this
education records. campus disciplinary proceeding brought section, except that those officials or
(d) Paragraphs (a) and (b) of this alleging a sexual offense. agencies may make further disclosures
section do not require an educational (e) If this Office determines that a of personally identifiable information
agency or institution or any other party third party outside the educational from education records on behalf of the
to disclose education records or agency or institution improperly educational agency or institution in
information from education records to rediscloses personally identifiable accordance with the requirements of
any party. information from education records in § 99.33(b); and
(Authority: 20 U.S.C. 1232g(a)(5)(A), (b), (h), violation of this section, the educational
* * * * *
(i), and (j)) agency or institution may not allow that
third party access to personally 10. Section 99.36 is amended by
6. Section 99.32 is amended by revising paragraphs (a) and (c) to read as
identifiable information from education
revising paragraph (d)(5) to read as follows:
records for at least five years.
follows:
* * * * * § 99.36 What conditions apply to
§ 99.32 What recordkeeping requirements 8. Section 99.34 is amended by disclosure of information in health and
exist concerning requests and disclosures? revising paragraph (a)(1)(ii) to read as safety emergencies?
* * * * * follows:
(d) * * * (a) An educational agency or
(5) A party seeking or receiving § 99.34 What conditions apply to institution may disclose personally
disclosure of information to other identifiable information from an
records in accordance with
educational agencies and institutions? education record to appropriate parties,
§ 99.31(a)(9)(ii)(A) through (C).
(a) * * * including parents of an eligible student,
* * * * * (1) * * *
7. Section 99.33 is amended by (ii) The annual notification of the in connection with an emergency if
revising paragraphs (b), (c), (d), and (e) agency or institution under § 99.7 knowledge of the information is
to read as follows: includes a notice that the agency or necessary to protect the health or safety
institution forwards education records of the student or other individuals.
§ 99.33 What limitations apply to the
redisclosure of information? to other agencies or institutions that * * * * *
have requested the records and in which (c) In making a determination under
* * * * *
(b)(1) Paragraph (a) of this section the student seeks or intends to enroll; paragraph (a) of this section, an
does not prevent an educational agency * * * * * educational agency or institution may
or institution from disclosing personally 9. Section 99.35 is amended by take into account the totality of the
identifiable information with the revising paragraphs (a) and (b)(1) to read circumstances pertaining to a threat to
understanding that the party receiving as follows: the safety or health of a student or other
the information may make further § 99.35 What conditions apply to individuals. If the educational agency or
disclosures of the information on behalf disclosure of information for Federal or institution determines that there is
of the educational agency or institution State program purposes? articulable and significant threat to the
if: (a)(1) Authorized representatives of health or safety of a student or other
(i) The disclosures meet the the officials or agencies headed by individuals, it may disclose information
requirements of § 99.31; and officials listed in § 99.31(a)(3)(i) may from education records to any person
(ii) The educational agency or have access to education records in whose knowledge of the information is
institution has complied with the connection with an audit or evaluation necessary to protect the health and
requirements of § 99.32(b). of Federal or State supported education safety of the student or other
(2) A party that rediscloses personally programs, or for the enforcement of or individuals. If, based on the information
identifiable information from education compliance with Federal legal available at the time of the
records on behalf of an educational requirements that relate to those determination, there is a rational basis
agency or institution in response to a programs. for the determination, the Department
court order or lawfully issued subpoena (2) Authority for an agency or official will not substitute its judgment for that
under § 99.31(a)(9) must provide the listed in § 99.31(a)(3)(i) to conduct an of the educational agency or institution
notification required under audit, evaluation, or compliance or in evaluating the circumstances and
§ 99.31(a)(9)(ii). enforcement activity is not conferred by making its determination.
(c) Paragraph (a) of this section does the Act or this part and must be
not apply to disclosures under * * * * *
established under other Federal, State,
§ 99.31(a)(8), (9), (11), (12), (14), (15), or local law, including valid 11. Section 99.37 is amended by:
(16), and to information that administrative regulations. A. Revising paragraph (b).
postsecondary institutions are required (3) State auditors that are not B. Adding new paragraphs (c) and (d).
to disclose under the Clery Act to the authorized representatives of State and
accuser and accused regarding the The revision and additions read as
local educational authorities may have
outcome of any campus disciplinary follows:
access to education records in
proceeding brought alleging a sexual connection with an audit of Federal or § 99.37 What conditions apply to
offense. State supported education programs. disclosing directory information?
(d) An educational agency or For purposes of this provision, an audit
institution must inform a party to whom * * * * *
is limited to testing compliance with

disclosure is made of the requirements applicable laws, regulations, and (b) An educational agency or
of paragraph (a) of this section except standards. institution may disclose directory
for disclosures made under § 99.31(a)(8), (b) * * * information about former students
(9), (11), (12), (14), (15), and (16), and (1) Be protected in a manner that does without complying with the notice and
to information that postsecondary not permit personal identification of opt out conditions in paragraph (a) of
institutions are required to disclose individuals by anyone other than the this section. However, the agency or
institution must continue to honor any a violation is based on a policy or § 99.66 What are the responsibilities of the
valid request to opt out of the disclosure practice of the educational agency or Office in the enforcement process?
of directory information made while a institution. (a) The Office reviews a complaint, if
student was in attendance unless the (b) The Office investigates a timely any, information submitted by the
student rescinds the opt out request. complaint filed by a parent or eligible educational agency or institution, and
(c) A parent or eligible student may student, or conducts its own any other relevant information. The
not use the right under paragraph (a)(2) investigation when no complaint has Office may permit the parties to submit
of this section to opt out of directory been filed or a complaint has been further written or oral arguments or
information disclosures to prevent an withdrawn, to determine whether an information.
educational agency or institution from educational agency or institution has (b) Following its investigation, the
disclosing or requiring a student to failed to comply with a provision of the Office provides to the complainant, if
disclose the student’s name, electronic Act or this part. If the Office determines any, and the educational agency or
identifier, or institutional e-mail address that an educational agency or institution institution a written notice of its
in a class in which the student is has failed to comply with a provision of findings and the basis for its findings.
enrolled. the Act or this part, it may also (c) If the Office finds that an
(d) An educational agency or educational agency or institution has
determine whether the failure to comply
institution may not disclose or confirm not complied with a provision of the
is based on a policy or practice of the
directory information without meeting Act or this part, it may also find that the
agency or institution.
the written consent requirements in failure to comply was based on a policy
§ 99.30 if a student’s social security * * * * *
or practice of the agency or institution.
number or other non-directory 14. Section 99.65 is revised to read as A notice of findings issued under
information is used alone or combined follows: paragraph (b) of this section to an
with other data elements to identify or educational agency or institution that
§ 99.65 What is the content of the notice of
help identify the student or the investigation issued by the Office? has not complied with a provision of the
student’s records. Act or this part—
* * * * * (a) The Office notifies the
complainant, if any, and the educational * * * * *
12. Section 99.62 is revised to read as 16. Section 99.67 is amended by:
follows: agency or institution in writing if it
initiates an investigation under A. Revising the introductory text of
§ 99.62 What information must an § 99.64(b). The notice to the educational paragraph (a).
educational agency or institution submit to agency or institution— B. In paragraph (a)(1), removing the
the Office? punctuation ‘‘;’’ and adding, in its place,
(1) Includes the substance of the the punctuation ‘‘.’’.
The Office may require an educational
allegations against the educational C. In paragraph (a)(2) removing the
agency or institution to submit reports,
agency or institution; and word ‘‘; or’’ and adding, in its place, the
information on policies and procedures,
annual notifications, training materials, (2) Directs the agency or institution to punctuation ‘‘.’’.
and other information necessary to carry submit a written response and other The revision reads as follows:
out its enforcement responsibilities relevant information, as set forth in
§ 99.62, within a specified period of § 99.67 How does the Secretary enforce
under the Act or this part. decisions?
time, including information about its
(Authority: 20 U.S.C. 1232g(f) and (g)) (a) If the Office determines that an
policies and practices regarding
13. Section 99.64 is amended by: education records. educational agency or institution has a
A. Revising the section heading. policy or practice in violation of the Act
B. Revising paragraphs (a) and (b). (b) The Office notifies the
complainant if it does not initiate an or this part, the Secretary may take any
The revisions read as follows: legally available enforcement action,
investigation because the complaint
§ 99.64 What is the investigation fails to meet the requirements of § 99.64. including the following enforcement
procedure? actions available in accordance with
(Authority: 20 U.S.C. 1232g(g)) part E of the General Education
(a) A complaint must contain specific
allegations of fact giving reasonable 15. Section 99.66 is amended by Provisions Act:
cause to believe that a violation of the revising paragraphs (a), (b), and the * * * * *
Act or this part has occurred. A introductory text of paragraph (c) to [FR Doc. E8–5790 Filed 3–21–08; 8:45 am]
complaint does not have to allege that read as follows: BILLING CODE 4000–01–P

Proposed Rule: Family Educational Rights and Privacy

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Proposed Rule: Family Educational Rights and Privacy

Uploaded by

Copyright:

Available Formats

Monday,

March 24, 2008

ensuring that personally identifiable

consent under the financial aid

would realize by not having to record

identity of the student to whom the

is limited to testing compliance with

You might also like