FERPA December 2008 Regs

Tuesday,
December 9, 2008
Part II
Department of
Education
34 CFR Part 99
Family Educational Rights and Privacy;
Final Rule
jlentini on PROD1PC65 with RULES2
VerDate Aug<31>2005 18:13 Dec 08, 2008 Jkt 217001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\09DER2.SGM 09DER2
74806 Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations
DEPARTMENT OF EDUCATION Education (the Department or we) disclose education records, without
published a notice of proposed consent, to another institution even after
34 CFR Part 99 rulemaking (NPRM) in the Federal the student has enrolled or transferred
RIN 1855–AA05 Register (73 FR 15574). In the preamble so long as the disclosure is for purposes
to the NPRM, the Secretary discussed related to the student’s enrollment or
[Docket ID ED–2008–OPEPD–0002] the major changes proposed in that transfer;
document that are necessary to • Amending § 99.31(a)(6) to require
Family Educational Rights and Privacy implement statutory changes made to that an educational agency or institution
AGENCY: Office of Planning, Evaluation, FERPA, to implement two U.S. Supreme may disclose personally identifiable
and Policy Development, Department of Court decisions, to respond to changes information under this section only if it
Education. in information technology, and to enters into a written agreement with the
ACTION: Final regulations. address other issues identified through organization specifying the purposes of
the Department’s experience in the study and the use and destruction of
SUMMARY: The Secretary amends our administering FERPA. the data;
regulations implementing the Family We believe that the regulatory • Amending § 99.31 to include a new
Educational Rights and Privacy Act changes adopted in these final subsection to provide standards for the
(FERPA), which is section 444 of the regulations provide clarification on release of information from education
General Education Provisions Act. many important issues that have arisen records that has been de-identified;
These amendments are needed to over time with regard to how FERPA • Amending § 99.35 to permit State
implement a provision of the USA affects decisions that school officials and local educational authorities and
Patriot Act and the Campus Sex Crimes have to make on an everyday basis. Federal officials listed in § 99.31(a)(3) to
Prevention Act, which added new Educational agencies and institutions make further disclosures of personally
exceptions permitting the disclosure of face considerable challenges, especially identifiable information from education
personally identifiable information from with regard to maintaining safe records on behalf of the educational
education records without consent. The campuses, protecting personally agency or institution; and
amendments also implement two U.S. identifiable information in students’ • Amending § 99.36 to remove the
Supreme Court decisions interpreting education records, and responding to language requiring strict construction of
FERPA, and make necessary changes requests for data on student progress. this exception and add a provision
identified as a result of the Department’s These final regulations, as well as the stating that if an educational agency or
experience administering FERPA and discussion on various provisions in the institution determines that there is an
the current regulations. preamble, will assist school officials in articulable and significant threat to the
These changes clarify permissible addressing these challenges in a manner health or safety of a student or other
disclosures to parents of eligible that complies with FERPA and protects individual, it may disclose the
students and conditions that apply to the privacy of students’ education information to any person, including
disclosures in health and safety records. parents, whose knowledge of the
emergencies; clarify permissible information is necessary to protect the
Notice of Proposed Rulemaking
disclosures of student identifiers as health or safety of the student or other
directory information; allow disclosures In the NPRM, we proposed individuals.
to contractors and other outside parties regulations to implement section 507 of
the USA Patriot Act (Pub. L. 107–56), Significant Changes From the NPRM
in connection with the outsourcing of
institutional services and functions; enacted October 26, 2001, and the These final regulations contain
revise the definitions of attendance, Campus Sex Crimes Prevention Act, several significant changes from the
disclosure, education records, section 1601(d) of the Victims of NPRM as follows:
personally identifiable information, and Trafficking and Violence Protection Act • Amending the definition of
other key terms; clarify permissible of 2000 (Pub. L. 106–386), enacted personally identifiable information in
redisclosures by State and Federal October 28, 2000. Other major changes § 99.3 to provide a definition of
officials; and update investigation and proposed in the NPRM included the biometric record;
enforcement provisions. following: • Removing the proposed definition
• Amending § 99.5 to clarify the of State auditor in § 99.3 and provisions
DATES: These regulations are effective
conditions under which an educational in § 99.35(a)(3) related to State auditors
January 8, 2009.
agency or institution may disclose and audits;
FOR FURTHER INFORMATION CONTACT: personally identifiable information from • Revising § 99.31(a)(6) to clarify the
Frances Moran, U.S. Department of an eligible student’s education records specific types of information that must
Education, 400 Maryland Avenue, SW., to a parent without the prior written be contained in the written agreement
room 6W243, Washington, DC 20202– consent of the eligible student; between an educational agency or
8250. Telephone: (202) 260–3887. • Amending § 99.31(a)(1) to authorize institution and an organization
If you use a telecommunications the disclosure of education records conducting a study for the agency or
device for the deaf (TDD), you may call without consent to contractors, institution;
the Federal Relay Service (FRS) at 1– consultants, volunteers, and other • Removing the statement from
800–877–8339. outside parties to whom an educational § 99.31(a)(16) that FERPA does not
Individuals with disabilities may require or encourage agencies or
agency or institution has outsourced
obtain this document in an alternative institutions to collect or maintain
institutional services or functions;
format (e.g., Braille, large print, • Amending § 99.31(a)(1) to ensure information concerning registered sex
audiotape, or computer diskette) on that teachers and other school officials offenders;
request to the contact person listed • Requiring a State or local
only gain access to education records in

under FOR FURTHER INFORMATION which they have legitimate educational educational authority or Federal official
CONTACT. interests; or agency that rediscloses personally
SUPPLEMENTARY INFORMATION: On March • Amending § 99.31(a)(2) to permit identifiable information from education
24, 2008, the U.S. Department of educational agencies and institutions to records to record that disclosure if the
Federal Register / Vol. 73, No. 237 / Tuesday, December 9, 2008 / Rules and Regulations 74807
educational agency or institution does information and telecommunications default prevention, and other activities
not do so under § 99.32(b); and technologies.’’ that depend on sharing student
• Revising § 99.32(b) to require an While most schools are aware of the information. Another commenter stated
educational agency or institution that various formats distance learning may that institutions should not be allowed
makes a disclosure in a health or safety take, we believe it is informative to list to penalize students who opt out of
emergency to record information the different communications media directory information disclosures by
concerning the circumstances of the that are currently used. Also, we believe denying them access to benefits,
emergency. that parents, eligible students, and other services, and required activities.
These changes are explained in individuals and organizations that use Several commenters said that the
greater detail in the following Analysis the FERPA regulations may find the definition in the proposed regulations
of Comments and Changes. listing of formats useful. was confusing and unnecessarily
We do not agree that the definition of restrictive because it treats a student ID
Analysis of Comments and Changes number as the functional equivalent of
attendance should be limited to receipt
In response to the Secretary’s of instruction leading to a diploma or an SSN. They explained that when
invitation in the NPRM, 121 parties certificate, because this would providing access to records and
submitted comments on the proposed improperly exclude many instructional services, many institutions no longer
regulations. An analysis of the formats. use an SSN or other single identifier
comments and of the changes in the Changes: None. that both identifies and authenticates
regulations since publication of the identity. As a result, at many
(b) Directory Information (§§ 99.3 and institutions, the condition specified in
NPRM follows.
We group major issues according to 99.37) the regulations for treating electronic
subject, with applicable sections of the (1) Definition (§ 99.3) identifiers as directory information, i.e.,
regulations referenced in parentheses. that the identifier cannot be used to gain
Comment: We received a number of access to education records except when
We discuss other substantive issues comments on our proposal to revise the
under the sections of the regulations to used in conjunction with one or more
definition of directory information to factors that authenticate the user’s
which they pertain. Generally, we do provide that an educational agency or
not address technical and other minor identity, often applies to student ID
institution may not designate as numbers as well because they cannot be
changes, or suggested changes that the directory information a student’s social
law does not authorize the Secretary to used to gain access to education records
security number (SSN) or other student without a personal identification
make. We also do not address comments identification (ID) number. The
pertaining to issues that were not within number (PIN), password, or some other
proposed definition also provided that a factor to authenticate the user’s identity.
the scope of the NPRM. student’s user ID or other unique Some commenters suggested that our
Definitions (§ 99.3) identifier used by the student to access nomenclature is the problem and that
or communicate in electronic systems regardless of what it is called, an
(a) Attendance could be considered directory identifier that does not allow access to
Comment: We received no comments information but only if the electronic education records without the use of
objecting to the proposed changes to the identifier cannot be used to gain access authentication factors should be treated
definition of the term attendance. Three to education records except when used as directory information. According to
commenters expressed support for the in conjunction with one or more factors one commenter, allowing institutions to
changes because the availability and use that authenticate the student’s identity. treat student ID numbers as directory
of alternative instructional formats are All commenters agreed that student information in these circumstances
not clearly addressed by the current SSNs should not be disclosed as would improve business practices and
regulations. One commenter suggested directory information. Several enhance student privacy by encouraging
that the definition could avoid commenters strongly supported the institutions to require additional
obsolescence by referring to the receipt definition of directory information as authentication factors when using
of instruction leading to a diploma or proposed, noting that failure to curtail student ID numbers to provide access to
certificate instead of listing the types of the use of SSNs and student ID numbers education records.
instructional formats. as directory information could facilitate One commenter strongly opposed
Discussion: We proposed to revise the identity theft and other fraudulent allowing institutions to treat a student’s
definition of attendance because we activities. electronic identifier as directory
received inquiries from some One commenter said that the information if the identifier could be
educational agencies and institutions proposed regulations did not go far made available to parties outside the
asking whether FERPA was applicable enough to prohibit the use of students’ school system. This commenter noted
to the records of students receiving SSNs as a student ID number, placing that electronic identifiers may act as a
instruction through the use of new SSNs on academic transcripts, and key, offering direct access to the
technology methods that do not require using SSNs to search an electronic student’s entire file, and that PINs and
a physical presence in a classroom. database. Another commenter expressed passwords alone do not provide
Because the definition of attendance is concern that the proposed regulations adequate security for education records.
key to determining when an could prohibit reporting needed to Another commenter said that if
individual’s records at a school are enforce students’ financial obligations electronic identifiers and ID numbers
education records protected by FERPA, and other routine business practices. can be released as directory information,
it is essential that schools and According to this commenter, then password requirements need to be
institutions understand the scope of the restrictions on the use of SSNs in more stringent to guard against
term. To prevent the regulations from FERPA and elsewhere demonstrate the unauthorized access to information and
becoming out of date as new formats need for a single student identifier that identity theft.
and methods are developed, the can be tied to the SSN and other Some commenters recommended
definition provides that attendance may identifying information to use for grade establishing categories of directory
also include ‘‘other electronic transcripts, enrollment verification, information, with certain information
made available only within the systems that require the release of the should be disclosed as directory
educational community. One student’s name or electronic identifier information only within the school
commenter expressed concern about within the school community. (As system and should not be made
Internet safety because the regulations discussed later in this notice in our available outside the institution. The
allow publication of a student’s e-mail discussion of the comments on disclosure of directory information is
address. Another said that FERPA § 99.37(c), the right to opt out of permissive under FERPA, and,
should not prevent institutions from directory information disclosures may therefore, an agency or institution is not
printing the student’s ID number on an not be used to allow a student to remain required to designate and disclose any
ID card or otherwise restrict its use on anonymous in class.) student identifier (or any other item) as
campus but that publication in a The regulations allow an educational directory information. Further, while
directory should not be allowed. agency or institution to designate a FERPA does not expressly recognize
Two commenters asked the student’s user ID or other electronic different levels or categories of directory
Department to confirm that the identifier as directory information if the information, an agency or institution is
regulations allow institutions to post identifier functions essentially like the
not required to make student directories
grades using a code known only by the student’s name, and therefore,
and other directory information
teacher and the student. disclosure would not be considered
Discussion: We share commenters’ available to the general public just
harmful or an invasion of privacy. That
concerns about the use of students’ is, the identifier cannot be used to gain because the information is shared
SSNs. In general, however, there is no access to education records except when within the institution. For example,
statutory authority under FERPA to combined with one or more factors that under FERPA, an institution may decide
prohibit an educational agency or authenticate the student’s identity. to make students’ electronic identifiers
institution from using SSNs as a student We have historically advised that and e-mail addresses available within
ID number, on academic transcripts, or student ID numbers may not be the institution but not release them to
to search an electronic database so long disclosed as directory information the general public as directory
as the agency or institution does not because they have traditionally been information. In fact, the preamble to the
disclose the SSN in violation of FERPA used like SSNs, i.e., as both an identifier NPRM suggested that agencies and
requirements. As discussed elsewhere and authenticator of identity. We agree, institutions should minimize the public
in this preamble, FERPA does prohibit however, that the proposed definition release of student directories to mitigate
using a student’s SSN, without consent, was confusing and unnecessarily the risk of re-identifying information
to search records in order to confirm restrictive because it failed to recognize that has been de-identified (73 FR
directory information. that many institutions no longer use 15584).
Some States prohibit the use of SSNs student ID numbers in this manner. If a With regard to student ID numbers in
as a student ID number, and some student identifier cannot be used to particular, an agency or institution may
institutions have voluntarily ceased access records or communicate print an ID number on a student’s ID
using SSNs in this manner because of electronically without one or more card whether or not the number is
concerns about identity theft. Students additional factors to authenticate the
treated as directory information because
are required to provide their SSNs in user’s identity, then the educational
order to receive Federal financial aid, under FERPA simply printing the ID
agency or institution may treat it as
and the regulations do not prevent an number on a card, without more, is not
directory information under FERPA
agency or institution from using SSNs regardless of what the identifier is a disclosure and, therefore, is not
for this purpose. We note that FERPA called. We have revised the definition of prohibited. See 20 U.S.C. 1232g(b)(2). If
does not address, and we do not believe directory information to provide this the student ID number is not designated
that there is statutory authority under flexibility. as directory information, then the
FERPA to require, creation of a single We share the commenters’ concerns agency or institution may not disclose
student identifier to replace the SSN. In about the use of PINs and passwords. In the card, or require the student to
any case, the Department encourages the preamble to the NPRM, we disclose the card, except in accordance
educational agencies and institutions, as explained that PINs or passwords, and with one of the exceptions to the
well as State educational authorities, to single-factor authentication of any kind, consent requirement, such as to school
follow best practices of the educational may not be reasonable for protecting officials with legitimate educational
community with regard to protecting access to certain kinds of information interests. If the student ID number is
students’ SSNs. (73 FR 15585). We also recognize that designated as directory information in
We agree that students should not be user IDs and other electronic identifiers accordance with these regulations, then
penalized for opting out of directory may provide greater access and linking it may be disclosed. However, the
information disclosures. Indeed, an to information than does a person’s agency or institution may still decide
educational agency or institution may name. Therefore, we remind educational against making a directory of student ID
not require parents and students to agencies and institutions that disclose numbers available to the general public.
waive their rights under FERPA, student ID numbers, user IDs, and other We discuss codes used by teachers to
including the right to opt out of electronic identifiers as directory post grades in our discussion of the
directory information disclosures. On information to examine their definition of personally identifiable
the other hand, we do not interpret recordkeeping and data sharing
information elsewhere in this preamble.
FERPA to require educational agencies practices and ensure that, when these
and institutions to ensure that students identifiers are used, the methods they Changes: We have revised the
can remain anonymous to others in the select for authenticating identity definition of directory information in
school community when using an provide adequate protection against the § 99.3 to provide that directory
institution’s electronic communications unauthorized disclosure of information information includes a student ID

systems. As a result, parents and in education records. number if it cannot be used to gain
students who opt out of directory We also share the concern of access to education records except when
information disclosures may not be able commenters who stated that students’ used with one or more other factors to
to use electronic communications e-mail addresses and other identifiers authenticate the user’s identity.
(2) Conditions for Disclosing Directory (ii) § 99.37(c) educational agency or institution from
Information Comment: We received two comments using a student’s SSN when disclosing
in support of our proposal to clarify in or verifying directory information is
(i) 99.37(b)
this section that parents and students based on the statutory prohibition on
Comment: All comments on this may not use the right to opt out of disclosing personally identifiable
provision supported our proposal to directory information disclosures to information from education records
clarify that an educational agency or prevent disclosure of the student’s name without consent in 20 U.S.C. 1232g(b).
institution must continue to honor a or other identifier in the classroom. The prohibition applies also to any
valid request to opt out of directory Discussion: We appreciate the party outside the agency or institution
information disclosures even after the commenters’ support. providing degree, enrollment, or other
student no longer attends the Changes: None. confirmation services on behalf of an
educational agency or institution, such
institution. One commenter stated that (iii) § 99.37(d) as the National Student Clearinghouse.
the proposed regulations appropriately A school is not required to deny a
Comment: Two commenters
provided former students with the request for directory information about
supported the prohibition on using a
continuing ability to control the release student’s SSN to disclose or confirm a student, such as confirmation whether
of directory information and remarked directory information unless a parent or a student is enrolled or has received a
that this will benefit students and eligible student provides written degree, if the requester supplies the
families. One commenter asked how consent. One of these commenters student’s SSN (or other non-directory
long an opt out from directory questioned the statutory basis for this information) along with the request.
information disclosures must be interpretation. However, in releasing or confirming
honored. Another commenter said that Several commenters asked whether, directory information about a student,
students may object if their former under the proposed regulations, a the school may not use the student’s
schools do not disclose directory school must deny a request for directory SSN (or other non-directory
information without their specific information if the requester supplies the information) supplied by the requester
written consent because the school is student’s SSN. One commenter asked to identify the student or locate the
unable to determine whether the whether a request for directory student’s records unless a parent or
student previously opted out. This information that contains a student’s eligible student has provided written
could occur, for example, if a school SSN may be honored so long as the consent. This is because confirmation of
declined to disclose that a student had school does not use the SSN to locate information in education records is
received a degree to a prospective the student’s records. One commenter considered a disclosure under FERPA.
employer. stated that the regulations could more See 20 U.S.C. 1232g(b). A school’s use
effectively protect students’ SSNs but of a student’s SSN (or other non-
Discussion: The regulations clarify
was concerned that denying a request directory information) provided by the
that once a parent or eligible student
for directory information that contains requester to confirm enrollment or other
opts out of directory information
an SSN may inadvertently confirm the directory information implicitly
disclosures, the educational agency or confirms and, therefore, discloses, the
SSN.
institution must continue to honor that One commenter expressed concern student’s SSN (or other non-directory
election after the student is no longer in that the prohibition on using a student’s information). This is true even if the
attendance. While this is not a new SSN to verify directory information requester also provides the school with
interpretation, school districts and would leave schools with large student the student’s name, date of birth, or
postsecondary institutions have been populations unable to locate the other directory information to help
unclear about its application and have appropriate record because they will identify the student.
not administered it consistently. The need to rely solely on the student’s A school may choose to deny a
inclusion in the regulations of this name and other directory information, if request for directory information,
longstanding interpretation is necessary any, provided by the requester, which whether or not it contains a student’s
to ensure that schools clearly may be duplicated in their databases. SSN, because only a parent or eligible
understand their obligation to continue This commenter said that students student has a right to obtain education
to honor a decision to opt out of the would object if institutions were unable records under FERPA. Denial of a
disclosure of directory information after to respond quickly to requests by banks request for directory information that
a student stops attending the school, or landlords for confirmation of contains a student’s SSN is not an
until the parent or eligible student enrollment because the request implicit confirmation or disclosure of
rescinds it. contained the student’s SSN. the SSN.
One commenter suggested that the These regulations will not adversely
Educational agencies and institutions
regulations require an educational affect the ability of institutions to
are not required under FERPA to
agency or institution to notify a respond quickly to requests by parties
disclose directory information to any
requester that the release or such as banks and landlords for
party. Therefore, parents and students confirmation of enrollment that contain
confirmation of directory information
have no basis for objecting if an agency the student’s SSN because students
does not confirm the accuracy of the
or institution does not disclose directory generally provide written consent for
SSN or other non-directory information
information because it is not certain schools to disclose information to the
submitted with the request. Another
whether the parent or student opted out. inquiring party in order to obtain
commenter asked whether the
The regulations provide an educational regulations apply to confirmation of banking and housing services. We note,
agency or institution with the flexibility student enrollment and other directory however, that if a school wishes to use
to determine the process it believes is
information by outside service providers the student’s SSN to confirm enrollment

best suited to serve its population as such as the National Student or other directory information about the
long as it honors prior elections to opt Clearinghouse. student, it must ensure that the written
out of directory information disclosures. Discussion: The provision in the consent provided by the student
Changes: None. proposed regulations prohibiting an includes consent for the school to
disclose the student’s SSN to the institution’s ability to identify and Finally, we note that a transcript or
requester. investigate suspected fraudulent records other document does not lose its
There is no authority in FERPA to in a timely manner. protection under FERPA, including the
require a school to notify requesters that Discussion: For several years now, written consent requirements, when an
it is not confirming the student’s SSN school officials have advised us that educational agency or institution
(or other non-directory information) problems related to fraudulent records returns it to the source. The document
when it discloses or confirms directory typically involve a transcript or letter of and the information in it remains an
information. However, when a party recommendation that has been altered ‘‘education record’’ under FERPA when
submits a student’s SSN along with a by someone other than the responsible it is returned to its source. As an
request for directory information, in school official. Under the current education record, it may not be
order to avoid confusion, unless a regulations, an educational agency or redisclosed except in accordance with
parent or eligible student has provided institution may ask for a copy of a FERPA requirements, including
written consent for the disclosure of the record from the presumed source when § 99.31(a)(1), which allows the source
student’s SSN, the school may indicate it suspects fraudulent activity. However, institution to disclose the information to
that it has not used the SSN (or other simply asking for a copy of a record may teachers and other school officials with
non-directory information) to locate the not be adequate, for example, if the legitimate educational interests, such as
student’s records and that its response original record no longer exists at the persons who need to verify the accuracy
may not and does not confirm the sending institution. In these or authenticity of the information. If the
accuracy of the SSN (or other non- circumstances, an institution will need source institution makes any further
directory information) supplied with the to return a record to its identified source disclosures of the record or information,
request. to be able to verify its authenticity. The it must record them.
We recognize that with a large final regulations permit a targeted Changes: None.
database of student information, there release of records back to the stated
may be some loss of ability to identify Additional Changes to the Definition of
source for verification purposes in order
students who have common names if Disclosure
to provide schools with the flexibility
SSNs are not used to help identify the needed for this process while preserving Comment: Several commenters
individual. However, schools that do a more general prohibition on the requested additional changes to the
not use SSNs supplied by a party release of information from education definition of disclosure. One commenter
requesting directory information, either records. requested that any transfer of education
because the student has not provided We do not agree that the term records to a State’s longitudinal data
written consent or because the school is disclosure as proposed in the NPRM is system not be considered a disclosure.
not certain that the written consent too broad and could lead to the Several commenters requested that
includes consent for the school to improper release of highly sensitive additional changes be made so that a
disclose the student’s SSN, generally documents to anyone claiming to be the school could provide current education
may use the student’s address, date of creator of the record. School officials records of students back to the students’
birth, school, class, year of graduation, have not advised us that they have had former schools or districts. A
and other directory information to problems receiving IEP records and commenter recommended excluding
identify the student or locate the other highly sensitive materials from from the definition of disclosure
student’s records. parties who did not in fact create or statistical information that is personally
Changes: None. provide the record. Therefore, we do not identifiable because of small cell sizes
believe that the proposed definition of when the recipient agrees to maintain
(c) Disclosure (§ 99.3) the confidentiality of the information.
disclosure is too broad.
Comment: Two commenters said that The commenters are correct that the Discussion: The revised definition of
the proposal to revise the definition of return of an education record to its disclosure, which excludes the return of
disclosure to exclude the return of a source does not have to be recorded, a document to its stated source, clarifies
document to its source was too broad because it is not a disclosure. We do not that information provided by school
and could lead to improper release of consider this problematic, however, districts or postsecondary institutions to
highly sensitive documents, such as an because the information is merely being State educational authorities, including
individualized education program (IEP) returned to the party identified as its information maintained in a
contained in a student’s special source. This is similar to the situation consolidated student records system,
education records, to anyone claiming in which a school is not required under may be provided back to the original
to be the creator of a record. One of the the regulations to record disclosures of district or institution without consent.
commenters stated that changing the education records made to school There is no statutory authority,
definition was unnecessary, as schools officials with legitimate educational however, to exclude from the definition
already have a means of verifying interests. As in that instance, there is no of disclosure a school district’s or
documents by requesting additional direct notice to a parent or student of institution’s release or transfer of
copies from the source. Both either the disclosure of the record or the personally identifiable information from
commenters also expressed concern information in the record. We also education records to its State
that, because recordation is not believe that if a questionable document longitudinal data system. (We discuss
required, a parent or eligible student is deemed to be inauthentic by the the disclosure of education records in
will not be aware that the verification source, the student will be informed of connection with the development of
occurred. the results of the authentication process consolidated, longitudinal data systems
We also received comments of strong by means other than seeing a record of in our response to comments on
support for the proposed change to the the disclosure in the student’s file. redisclosure and recordkeeping
definition of disclosure. The There appears to be little value in requirements elsewhere in this
commenters stated that this change, notifying a parent or student that a preamble.) Likewise, there is no
targeted to permit the release of records document was suspected of being statutory authority to exclude from the
back to the institution that presumably fraudulent if the document is found to definition of disclosure the release of
created them, will enhance an be genuine and accurate. personally identifiable information from
education records to parties that agree to opportunity to challenge the content confidential information, such as
keep the information confidential. (See because the information is not an special education diagnoses,
our discussion of personally identifiable education record under FERPA. educational supports, or mental or
information and de-identified records Discussion: It has long been the physical health and treatment
and information elsewhere in this Department’s interpretation that records information. Our changes to the
preamble.) created or received by an educational definition were intended to clarify that
The revised regulations do not agency or institution on a former schools may not disclose this
authorize the disclosure of education student that are directly related to the information to the media or other
records to third parties who are not individual’s attendance as a student are parties, without consent, simply
identified as the provider or creator of not excluded from the definition of because a student is no longer in
the record. For example, a college may education records under FERPA, and attendance at the school at the time the
not send a student’s current college that records created or received on a record was created or received. A parent
records to a student’s high school under former student that are not directly or eligible student who wishes to share
the revised definition of disclosure related to the individual’s attendance as the student’s own records with the
because the high school is not the stated a student are excluded from the media or other parties is free to do so.
source of those records. (We discuss this definition and, therefore, are not Neither FERPA nor the regulations
issue elsewhere in the preamble under ‘‘education records.’’ The proposed contains a provision for a parent or
Disclosure of Education Records to regulations in paragraph (b)(5) were eligible student to challenge information
Students’ Former Schools.) intended to clarify the use of this that is not contained in an education
Changes: None. exclusion, not to change or expand its record. FERPA does not prohibit a
scope. parent or student from using other
(d) Education Records Our use of the phrase ‘‘directly related venues to seek redress for collection and
(1) Paragraph (b)(5) to the individual’s attendance as a release of information in non-education
student’’ to describe records that do not records.
Comment: Several commenters fall under this exclusion from the Changes: None.
supported our proposal to clarify the definition of education records is not
existing exclusion from the definition of (2) Paragraph (b)(6)
inconsistent with the term ‘‘personally
education records for records that only identifiable’’ as used in other parts of Comment: We received several
contain information about an individual the regulations and should not be comments supporting the proposed
after he or she is no longer a student, confused. The term ‘‘personally changes to the definition of education
which we referred to as ‘‘alumni identifiable information’’ is used in the records that would exclude from the
records’’ in the NPRM, 73 FR 15576. statute and regulations to describe the definition grades on peer-graded papers
One commenter suggested that the term kind of information from education before they are collected and recorded
‘‘directly related,’’ which is used in the records that may not be disclosed by a teacher. These commenters
amended definition in reference to a without consent. See 20 U.S.C. 1232g(b); expressed appreciation that this revision
student’s attendance, is inconsistent 34 CFR 99.3, 99.30. While ‘‘personally would be consistent with the U.S.
with the use of the term ‘‘personally identifiable information’’ maintained by Supreme Court’s decision on peer-
identifiable’’ in other sections of the an agency or institution is generally graded papers in Owasso Independent
regulations and could cause confusion. considered an ‘‘education record’’ under School Dist. No. I–011 v. Falvo, 534 U.S.
One commenter asked whether a FERPA, personally identifiable 426 (2002) (Owasso). Two commenters
postsecondary school could provide a information does not fall under this asked how the provision would be
student’s education records from the exclusion from the definition of applied to the use of group projects and
postsecondary school to a secondary education records if the information is group grading within the classroom.
school that the student attended not directly related to the student’s Discussion: The proposed changes to
previously. attendance as a student. For example, the definition of education records in
Several commenters objected to the personally identifiable information paragraph (b)(6) are designed to
proposed regulations because, according related solely to a student’s activities as implement the U.S. Supreme Court’s
to the commenters, the regulations an alumnus of an institution is excluded 2002 decision in Owasso, which held
would expand the records subject to from the definition of education records that peer grading does not violate
FERPA’s prohibition on disclosure of under this provision. We think that the FERPA. As noted in the NPRM, 73 FR
education records without consent. A term ‘‘directly related’’ is clear in this 15576, the Court held in Owasso that
journalist stated that the settlement context and will not be confused with peer grading does not violate FERPA
agreement cited in the NPRM is an ‘‘personally identifiable.’’ because ‘‘the grades on students’ papers
example of a record that should be A postsecondary institution may not would not be covered under FERPA at
excluded from the definition and that disclose a student’s postsecondary least until the teacher has collected
schools already are permitted to protect education records to the secondary them and recorded them in his or her
too broad a range of documents from school previously attended by the grade book.’’ 534 U.S. at 436.
public review because the documents student under this provision because As suggested by the Supreme Count
are education records. The commenter these records are directly related to the in Owasso, 534 U.S. at 435, FERPA is
stated that information from education student’s attendance as a student at the not intended to interfere with a
records such as a settlement agreement postsecondary institution. (We discuss teacher’s ability to carry out customary
is newsworthy, unlikely to contain this issue further under Disclosure of practices, such as group grading of team
confidential information, and that Education Records to Students’ Former assignments within the classroom. Just
disclosure of such information provides Schools.) as FERPA does not prevent teachers
a benefit to the public. Another We do not agree that documents such from allowing students to grade a test or
commenter expressed concern that the as settlement agreements are unlikely to homework assignment of another
regulations allow schools to collect contain confidential information. Our student or from calling out that grade in
negative information about a former experience has been that these class, even though the grade may
student without giving the individual an documents often contain highly eventually become an education record,
FERPA does not prohibit the discussion publicly funded programs. Another State auditor in § 99.3 and did not
of group or individual grades on commenter recommended that the examine which of the various types of
classroom group projects, so long as regulations include examination of officials, offices, committees, and staff
those individual grades have not yet education records by health department in executive and legislative branches of
been recorded by the teacher. The officials to improve compliance with State government should be included in
process of assigning grades or grading mandated immunization schedules. the definition. We are concerned that
papers falls outside the definition of The majority of the comments we without the narrow definition of audit
education records in FERPA because the received with respect to the inclusion of as proposed in § 99.35(a)(3), the
grades are not ‘‘maintained’’ by an local auditors in the proposed definition proposed definition of State auditor
educational agency or institution at least of State auditor in § 99.3 supported may allow non-consensual disclosures
until the teacher has recorded the permitting local auditors to have access of education records to a variety of
grades. to personally identifiable information officials for purposes not supported by
Changes: None. for purposes of auditing Federal or State the statute. The Department will study
supported education programs. One the matter further and may issue new
(e) Personally Identifiable Information
commenter said that local auditors regulations or guidance, as appropriate.
Comments on the proposed definition should not be included in the In the interim, the Department will
of personally identifiable information definition, while another commenter provide guidance on a case-by-case
are discussed elsewhere in this stated that auditors for the city health basis.
preamble under the heading Personally department need access to FERPA- Changes: We are not including the
Identifiable Information and De- protected information to determine the definition of State auditor in § 99.3 and
identified Records and Information. accuracy of claims for payment and the provisions related to State auditors
(f) State Auditors and Audits (§§ 99.3 asked for further clarification on the and audits in § 99.35(a)(3) in these final
and Proposed 99.35(a)(3)) issue. regulations.
Discussion: We explained in the
Comment: Several commenters preamble to the NPRM that the statute Disclosures to Parents (§§ 99.5 and
supported the clarification in proposed allows disclosure of personally 99.36)
§ 99.35(a)(3) that State auditors may identifiable information from education Comment: A majority of commenters
have access to education records, records without consent to authorized approved of the Secretary’s efforts to
without consent, in connection with an representatives of ‘‘State educational clarify that, even after a student has
‘‘audit’’ of Federal or State supported authorities’’ in connection with an audit become an eligible student, an
education programs under the exception or evaluation of Federal or State educational agency or institution may
to the written consent requirement for supported education programs. 73 FR disclose education records to the
authorized representatives of ‘‘State and 15577. Legislative history indicates that student’s parents, without the consent
local educational authorities.’’ All but Congress amended the statute in 1979 to of the student, if certain conditions are
one of the commenters, however, ‘‘correct an anomaly’’ in which the met. Those commenters stated that the
disagreed strongly with the proposed existing exception to the consent clarification was especially helpful,
definition of audit in § 99.35(a)(3), requirement in 20 U.S.C. 1232g(b)(3) particularly in light of issues that arose
which was limited to testing compliance was interpreted to preclude State after the April 2007 shootings at the
with applicable laws, regulations, and auditors from obtaining access to Virginia Polytechnic Institute and State
standards and did not include the education records for audit purposes. University (Virginia Tech). A
broader concept of evaluations. See H.R. Rep. No. 338, 96th Cong., 1st commenter stated that the clarification
In general, the commenters said that Sess. at 10 (1979), reprinted in 1979 U.S. will assist emergency management
the proposed definition of audit was too Code Cong. & Admin. News 819, 824. officials on college and university
narrow and would prevent State However, because the amended campuses and help school officials
auditors from conducting performance statutory language in 20 U.S.C. know when they can properly share
audits and other services that they 1232g(b)(5) refers only to ‘‘State and student information with parents and
routinely provide in accordance with local educational officials,’’ the students. One commenter expressed
professional auditing standards, proposed regulations sought to clarify support for the proposed regulations,
including the U.S. Comptroller’s that this included ‘‘State auditors’’ or because it has been her experience that
Government Auditing Standards. See auditors with authority and colleges do not share information with
www.gao.gov/govaud/ybk01.htm. A responsibility under State law for parents on their children’s financial aid
State legislative auditor noted, for conducting audits. Due to the breadth of or academic status.
example, that 45 State legislatures have this inclusion, however, the proposed Some commenters disagreed with the
established legislative program regulations also sought to limit access to proposed changes. One stated that, due
evaluation offices whose express education records by State auditors by to varying family dynamics, disclosures
purpose is to provide research and narrowing the definition of audit. should not be limited only to parents,
evaluation for legislative decision The Secretary has carefully reviewed but should also include other
making, and that these offices regularly the comments and, based upon further appropriate family members. Another
use personally identifiable information intradepartmental review, has decided commenter objected to the phrase in
from education records for their work. to remove from the final regulations the § 99.5(a)(2) that would permit disclosure
Some of the commenters also provisions related to State auditors and to a parent without the student’s
questioned whether financial audits and audits in §§ 99.3 and 99.35(a)(3). We consent if the disclosure meets ‘‘any
attestation engagements would be share the commenters’ concerns about other provision in § 99.31(a).’’ The
excluded under the proposed definition. preventing State auditors from commenter stated that this ‘‘catch-all
One commenter said that the State conducting activities that they routinely phrase’’ exceeded statutory authority.
auditor provisions in proposed §§ 99.3 perform under applicable auditing Noting the sensitivity of financial
and 99.35(a)(3) should be expanded to standards. However, because our focus information included in income tax
apply to other non-education State was on the narrow definition of audit, returns, a few commenters raised
officials responsible for evaluating we proposed a very broad definition of concerns about the discussion in the
NPRM in which we explained that an health or safety emergency under modelform.html and http://www.ed.gov/
institution can determine that a parent §§ 99.31(a)(10) and 99.36. policy/gen/guid/fpco/ferpa/safeschools/
claimed a student as a dependent by In most cases, when an educational modelform2.html.
asking the parent to supply a copy of the agency or institution discloses With regard to the comment about
parent’s most recent Federal tax return. education records to parents of an high school students who are
Another commenter stated that the eligible student, we expect the concurrently enrolled in postsecondary
NPRM did not go far enough and disclosure to be made under the institutions as early as ninth grade,
recommended specifically requiring an dependent student provision FERPA not only permits those
institution to rely on a copy of a parent’s (§ 99.31(a)(8)), in connection with a postsecondary institutions to disclose
most recent Federal tax return to health or safety emergency information to parents of the high
determine a student’s dependent status, (§§ 99.31(a)(10) and 99.36), or if a school students who are dependents for
while another commenter recommended student has committed a disciplinary Federal income tax purposes, it also
that we change the regulations to violation with respect to the use or permits high schools and postsecondary
indicate that only the parent who has possession of alcohol or a controlled institutions who have dually-enrolled
claimed the student as a dependent may substance (§ 99.31(a)(15)). This is the students to share information. Where a
have access to the student’s education reason we mention these provisions student is enrolled in both a high school
records. specifically in the regulations. However, and a postsecondary institution, the two
A commenter noted that some States inclusion of the phrase ‘‘of any other schools may share education records
have high school students who are provision in § 99.31(a)’’ in § 99.5(a)(2) is without the consent of either the parents
concurrently enrolled in secondary necessary and within our statutory or the student under § 99.34(b). If the
schools and postsecondary institutions authority because there may be other student is under 18, the parents still
as early as ninth grade and supported exceptions to FERPA’s general consent retain the right under FERPA to inspect
the clarification that postsecondary requirement under which an agency or and review any education records
institutions may disclose information to institution might disclose education maintained by the high school,
parents of students who are tax records to a parent of an eligible including records that the college or
dependents. student, such as the directory university disclosed to the high school,
information provision in § 99.31(a)(11) even though the student is also
Discussion: Parents’ rights under
and the provision permitting disclosure attending the postsecondary institution.
FERPA transfer to a student when the
in compliance with a court order or Changes: None.
student reaches age 18 or enters a
lawfully issued subpoena in
postsecondary institution. 20 U.S.C. Outsourcing (§ 99.31(a)(1)(i)(B))
§ 99.31(a)(9).
1232g(d). However, under § 99.31(a)(8), As we explained in the NPRM,
an educational agency or institution (a) Outside Parties Who Qualify as
institutions can determine that a parent School Officials
may disclose education records to an claims a student as a dependent by
eligible student’s parents if the student asking the parent to submit a copy of the Comment: A few commenters
is a dependent as defined in section 152 parent’s most recent Federal income tax disagreed with the proposal to expand
of the Internal Revenue Code of 1986. return. However, we do not think it is the ‘‘school officials’’ exception in
Under § 99.31(a)(8), neither the age of a appropriate to require an agency or § 99.31(a)(1)(i)(B) to include contractors,
student nor the parent’s status as institution to rely only on the most consultants, volunteers, and other
custodial parent is relevant to the recent tax return to determine the outside parties to whom an educational
determination whether disclosure of student’s dependent status because agency or institution has outsourced
information from an eligible student’s institutions should have flexibility in institutional services or functions it
education records to that parent without how to reach this determination. For would otherwise use employees to
written consent is permissible under instance, institutions may rely instead perform. They believed that the
FERPA. If a student is claimed as a on a student’s assertion that he or she modifications undermined the plain
dependent for Federal income tax is not a dependent unless the parent language of the statute and
purposes by either parent, then under provides contrary evidence. We agree congressional intent. Several other
the regulations, either parent may have that financial information on a Federal commenters supported the proposed
access to the student’s education tax return is sensitive information and, regulations, saying that it was helpful to
records without the student’s consent. for that reason, in providing technical include in the regulations what has
The statutory exception to the consent assistance and compliance training to historically been the Department’s
requirement in FERPA for the disclosure school officials, we have advised that interpretation of the ‘‘school officials’’
of records of dependent students applies parents may redact all financial and exception. A majority of commenters,
only to the parents of the student. 20 other unnecessary information that while not agreeing or disagreeing with
U.S.C. 1232g(b)(1)(H). Accordingly, the appears on the form, as long as the tax the proposed changes in
Secretary does not have statutory return clearly shows the parent’s or § 99.31(a)(1)(i)(B), raised a number of
authority to apply § 99.31(a)(8) to any parents’ names and the fact that the issues concerning the proposal.
other family members. However, under student is claimed as a dependent. Several commenters expressed
§ 99.30(b)(3), an eligible student may In addition, in the fall of 2007, we concern that the requirement that an
provide consent for the school to developed two model forms that appear outside party must perform an
disclose information from his or her on the Department’s Family Policy institutional service or function for
education records to another family Compliance Office (FPCO or the Office) which the agency or institution would
member. In some situations, such as Web site that institutions may adapt and otherwise use employees is too
when there is no parent in the student’s provide to students at orientation to restrictive and impractical. One
life or the student is married, a spouse indicate whether they are a dependent commenter noted that some functions
or other family member may be and, if not, obtaining consent from the that a contractor performs could not be
considered an appropriate party to student for disclosure of information to performed by a school official.
whom a disclosure may be made, parents: http://www.ed.gov/policy/gen/ Some commenters said we should
without consent, in connection with a guid/fpco/ferpa/safeschools/ clarify the regulations to explain the
circumstances under which volunteers asked that we revise the regulations to without consent, to an insurance
may serve as school officials and have permit representatives of the Centers for company that wishes to offer students a
access to personally identifiable Disease Control and Prevention to discount on auto insurance because the
information from education records in access education records for the purpose school is not outsourcing an
connection with their services or of public health surveillance under the institutional service or function for
responsibilities to the school. One ‘‘school officials’’ exception. which it would otherwise use its own
commenter noted that this clarification Another commenter requested further employees.
was needed especially for parent- guidance on how § 99.31(a)(1) would Further, the requirement that the
volunteers working at a school attended apply to local law enforcement officers outside party must be performing
by their own children where they are who work in collaboration with schools services or functions an employee
likely to know other students and their in various capacities and whether would otherwise perform does not mean
families. education records could be shared with that a school employee must be able to
Several commenters asked that we these officers in order to ensure safe perform the outsourced service in order
clarify in the regulations that campuses. for the outside party to be considered a
§ 99.31(a)(1) also applies to school Discussion: The Secretary does not school official under
transportation officials, school bus agree that the proposed changes to § 99.31(a)(1)(i)(B)(1). For example, many
drivers, and school bus attendants who § 99.31(a)(1) go beyond the plain school districts outsource their legal
need access to education records in reading of the statute and congressional services on an as-needed basis. Even
order to safely and efficiently transport intent. As we explained in the NPRM, though these school districts may have
students. Another commenter asked for FERPA’s broad definition of education never hired an attorney as an employee,
clarification whether, under the records includes records that are they may still disclose personally
proposed regulations, practicum maintained by ‘‘a person acting for’’ an identifiable information from education
students, fieldwork students, and educational agency or institution. 20 records to outside legal counsel to
unpaid interns in schools would be U.S.C. 1232g(a)(4)(A)(ii); see 34 CFR whom they have outsourced their legal
considered ‘‘school officials.’’ One 99.3. (In floor remarks describing the services. FERPA does not otherwise
commenter asked whether § 99.31(a)(1) meaning of the definition of education restrict whether a school may outsource
permits outsourced medical providers to records, Senators James Buckley and institutional services and functions; it
be considered ‘‘school officials.’’ Claiborne Pell, principal sponsors of the only addresses to whom and under what
One commenter asked how proposed December 1974 FERPA amendments, conditions personally identifiable
§ 99.31(a)(1) would apply to parties specifically referred to materials that are information from students’ education
other than educational agencies and maintained by a school ‘‘or by one of its records may be disclosed.
institutions. The commenter was agents.’’ See ‘‘Joint Statement in Once a school has determined that an
concerned about permitting SEAs to Explanation of Buckley/Pell outside party is a ‘‘school official’’ with
disclose personally identifiable Amendment’’ (Joint Statement), 120 a ‘‘legitimate educational interest’’ in
information to outside parties under Cong. Rec. S21488 (Dec. 13, 1974).) viewing certain education records, that
§ 99.31(a)(1)(i)(B) because SEAs are not Although the Secretary is concerned party may have access to the education
subject to § 99.7, which requires that educational agencies and records, without consent, in order to
educational agencies and institutions to institutions not misapply § 99.31(a)(1), perform the required institutional
annually notify parents and eligible the changes to the regulations are services and functions for the school.
students of their rights under FERPA, necessary to clarify the scope of the These outside parties may include
including a specific requirement in ‘‘school officials’’ exception in FERPA. parents and other volunteers who assist
§ 99.7(a)(3)(iii) that an educational We disagree with commenters that the schools in various capacities, such as
agency or institution that has a policy of requirement in § 99.31(a)(1)(i)(B)(1) that serving on official committees, serving
disclosing information under the outside party must perform an as teachers’ aides, and working in
§ 99.31(a)(1) must include in its annual institutional service or function for administrative offices, where they need
notice a specification of criteria for which the agency or institution would access to students’ education records to
determining who constitutes a school otherwise use employees is too perform their duties.
official and what constitutes a legitimate restrictive or unworkable. The The disclosure of education records
educational interest. A number of requirement serves to ensure that the under any of the conditions listed in
commenters requested clarification ‘‘school officials’’ exception does not § 99.31, including the ‘‘school officials’’
about the applicability of expand into a general exception to the exception, is permissive and not
§ 99.31(a)(1)(i)(B) to State authorities consent requirement in FERPA that required. (Only parents and eligible
that operate State longitudinal data would allow disclosure any time a students have a right under FERPA to
systems that maintain records of local vendor or other outside party wants inspect and review their education
educational agencies (LEAs) or access to education records to provide a records.) Therefore, schools should
institutions and are responsible for product or service to schools, parents, always use good judgment in
certain reporting requirements under and students. As explained in the determining the extent to which
the No Child Left Behind Act. Some of preceding paragraphs and in the NPRM, volunteers, as well as other school
these commenters believe that State 73 FR 15578–15579, the statutory basis officials, need to have access to
authorities operating these systems are for expanding the ‘‘school officials’’ education records and to ensure that
‘‘school officials’’ under § 99.31(a)(1) exception to outside service providers is school officials, including volunteers,
who should be able to disclose that they are ‘‘acting for’’ the agency or do not improperly disclose information
education records for the purpose of institution, not selling products and from students’ education records.
outsourcing under § 99.31(a)(1)(i)(B). services. This means, for example, that We decline to adopt commenters’
One commenter recommended that a school may not use the ‘‘school suggestion that we include in
the regulations permit the disclosure of officials’’ exception to disclose § 99.31(a)(1)(i)(B) a list of the types of
education records to non-educational personally identifiable information from parties who may serve as school
State agencies for evaluation purposes a student’s education record, such as the officials and receive personally
under § 99.31(a)(1). Another commenter student’s SSN or student ID number, identifiable information from education
records in connection with the school’s law enforcement unit must specifying its policy regarding the
institutional services and functions protect the privacy of education records disclosure of education records to
outsourced by the school. We think it it receives and may disclose them only contractors and other outside parties
would be impossible to provide a with consent or under one of the serving as school officials provides
comprehensive listing and believe that exceptions to consent listed in § 99.31. legally sufficient notice to parents and
agencies and institutions are in the best For that reason, it is advisable that students regarding these disclosures. We
position to make these determinations. officials of a law enforcement unit have posted model notifications on our
At the discretion of a school, school maintain education records separately Web site, one for postsecondary
officials may include school from law enforcement unit records, institutions and one for LEAs. See
transportation officials (including bus which are not subject to FERPA http://www.ed.gov/policy/gen/guid/
drivers), school nurses, practicum and requirements. As we explained in fpco/ferpa/ps-officials.html and http://
fieldwork students, unpaid interns, Balancing Student Privacy and School www.ed.gov/policy/gen/guid/fpco/
consultants, contractors, volunteers, and Safety: A Guide to the Family ferpa/lea-officials.html.
other outside parties providing Educational Rights and Privacy Act for Changes: None.
institutional services and performing Elementary and Secondary Schools, (b) Direct Control
institutional functions, provided that investigative reports and other records
each of the requirements in created by an institution’s law Comment: Some commenters asked
§ 99.31(a)(1)(i)(B) has been met. enforcement unit are excluded from the the Department to clarify what the term
Under § 99.31(a)(1), a university could definition of education records under ‘‘direct control’’ means as used in
outsource the practical training of § 99.3 and, therefore, are not subject to § 99.31(a)(1)(i)(B)(2). This section
students. The information disclosed to FERPA requirements. Accordingly, provides that in order to be considered
the hospital, clinic, or business schools may disclose information from a ‘‘school official’’ an outside party must
conducting the practical training may law enforcement unit records to anyone, be under the direct control of the agency
only be used for the purposes for which including local police and other outside or institution. Some commenters asked
it was disclosed. In the NPRM, we law enforcement authorities, without if this term means that the school must
discuss in more detail the types of consent. This brochure can be found on monitor the operations of the outside
services and functions covered under FPCO’s ‘‘Safe Schools & FERPA’’ Web party, and how it affects an agency’s or
§ 99.31(a)(1)(i)(B). (73 FR 15578–15580.) page: http://www.ed.gov/policy/gen/ institution’s relationship with
In response to the comment about the guid/fpco/ferpa/safeschools/index.html. subcontractors or third- or fourth-party
applicability of § 99.31(a)(1)(i)(B) to Outside police officers or other non- database hosting companies. One
State educational authorities that employees to whom the school has commenter stated that the regulations
operate State longitudinal data systems, outsourced its safety and security should not distinguish between whether
such officials are not ‘‘school officials’’ functions do not qualify as ‘‘school the education records are hosted in a
under FERPA. Rather, these officials are officials’’ under FERPA unless they vendor’s offsite network or within the
generally considered authorized meet each of the requirements of institution’s local network servers,
representatives of a State educational § 99.31(a)(1)(i)(B). If these police officers while another commenter asked for
authority, and LEAs typically disclose or other outside parties do not meet the clarification of how § 99.31(a)(1)(i)(B)
information from students’ education requirements for being a school official applies to outsourcing electronic mail
records to a longitudinal data system under FERPA, they may not have access (e-mail) services to third parties such as
maintained by an SEA or other State to students’ education records without Microsoft or Google.
educational authorities under the consent, unless there is a health or One commenter stated that
exception to the consent requirement for safety emergency, a lawfully issued institutions should be required to verify
disclosures to authorized subpoena or court order, or some other that parties to whom they outsource
representatives of State and local exception to FERPA’s general consent services have the necessary resources to
educational authorities, requirement under which the disclosure safeguard education records provided to
§ 99.31(a)(3)(iv)), not the ‘‘school falls. them.
officials’’ exception. This issue is With respect to our amendment to the A commenter suggested that, instead
explained in more detail elsewhere in ‘‘school officials’’ exception, we note of the proposed ‘‘direct control’’
this preamble under Educational that § 99.32(d) excludes from the standard, the Department adopt
research (§§ 99.31(a)(6), 99.31(a)(3). We recordation requirements disclosures of language similar to the safeguarding
also discuss disclosures to non- education records that educational standard found in the Gramm-Leach-
educational agencies, such as to public agencies and institutions make to school Bliley Act (GLB) (Pub. L. 106–102,
health agencies, in the section of this officials. This exclusion from the November 12, 1999). The commenter
preamble entitled Disclosure of recordation requirement will apply as suggested that, as adapted in FERPA,
Education Records to Non-Educational well to disclosures to contractors, the standard would require that for an
Agencies. consultants, volunteers, and other outside party, acting on behalf of an
Members of a school’s law outside parties to whom an agency or educational institution, to be considered
enforcement unit, as defined in § 99.8 of institution discloses education records a ‘‘school official,’’ the institution
the regulations, who are employed by under § 99.31(a)(1)(i)(B). The would have to: (1) Take reasonable steps
the agency or institution qualify as Department has long recognized that to select and retain contractors,
school officials under § 99.31(a)(1)(i)(A) FERPA does not prevent schools from consultants, volunteers, or other outside
if the school has complied with the outsourcing institutional services and parties that are capable of maintaining
notification requirements in functions; to require schools to record appropriate safeguards with respect to
§ 99.7(a)(3)(iii). As school officials, they disclosures to these outside parties education records; and (2) mandate by
may be given access to personally serving as school officials would be contract that the outside party
identifiable information from those overly burdensome and unworkable. implement and maintain such
students’ education records in which An educational agency or institution safeguards.
the school has determined they have that complies with the notification Discussion: The term ‘‘direct control’’
legitimate educational interests. The requirements in § 99.7(a)(3)(iii) by in § 99.31(a)(1)(i)(B)(2), is intended to
ensure that an educational agency or web-based and e-mail services, should disclosure was made. This includes
institution does not disclose education make clear in their service agreements ensuring that outside parties do not use
records to an outside service provider or contracts that the outside party may education records in their possession for
unless it can control that party’s not use or allow access to personally purposes other than those specified by
maintenance, use, and redisclosure of identifiable information from education the institution that disclosed the
education records. This could mean, for records, except in accordance with the records.
example, requiring a contractor to requirements established by the FERPA does not specifically require
maintain education records in a educational agency or institution that that educational agencies and
particular manner and to make them discloses the information. institutions provide annual training to
available to parents upon request. We Changes: We have revised school officials that handle education
are revising the regulations, however, to § 99.31(a)(1)(B)(2) to clarify that the records, and we decline to establish
provide this clarification. outside party must be under the direct such a requirement in these regulations.
Neither the statute nor the FERPA control of the agency or institution with Educational agencies and institutions
regulations specifically requires that respect to the use and maintenance of should have flexibility in determining
educational agencies and institutions information from education records. the best way to ensure that school
verify that outside parties to whom officials are made aware of the
(c) Protection of Records by Outside
schools outsource services have the requirements of FERPA. However, for
Parties Serving as School Officials
necessary resources to safeguard entities subject to the Individuals with
education records provided to them. Comment: We received several Disabilities Education Act (IDEA), 34
However, as discussed in the NPRM, comments on proposed CFR 300.623(c) provides that all persons
educational agencies and institutions § 99.31(a)(1)(i)(B)(3), which provides collecting or using personally
are responsible under FERPA for that an outside party serving as a identifiable information must receive
ensuring that they themselves do not ‘‘school official’’ is subject to the training or instruction regarding their
have a policy or practice of releasing, requirement in § 99.33(a), regarding the State’s policies and procedures under 34
permitting the release of, or providing use and redisclosure of personally CFR 300.123 (Confidentiality of
access to personally identifiable identifiable information from education personally identifiable information) and
information from education records, records. One commenter stated that, 34 CFR Part 99, the FERPA regulations.
except in accordance with FERPA. This while he supported and welcomed this We note that while schools are certainly
includes ensuring that outside parties clarification, the proposed regulations free to implement a policy requiring
that provide institutional services or did not go far enough to clarify that school officials and parties to whom
functions as ‘‘school officials’’ under these outside third parties could not use services have been outsourced to
§ 99.31(a)(1)(i)(B) do not maintain, use, education records of multiple undergo fingerprint and background
or redisclose education records except institutions for which they serve as a investigations, there is no statutory
as directed by the agency or institution contractor to engage in activities not authority in FERPA to include such a
that disclosed the information. associated with the service or function requirement in the regulations.
The ‘‘direct control’’ requirement is they were providing. We note also that the Department
intended to apply only to the outside Some commenters suggested that the routinely provides compliance training
party’s provision of specific regulations should require all school on FERPA for school officials.
institutional services or functions that officials who handle education records, Typically, presentations are made
have been outsourced and the education including parties to whom institutional throughout the year to national,
records provided to that outside party to services and functions are outsourced, regional, or State educational
perform the services or function. It is to participate in annual training and to association conference workshops with
not intended to affect an outside service undergo fingerprint and background numerous institutions in attendance.
provider’s status as an independent investigations. Training sessions are also scheduled for
contractor or render that party an Another commenter stated that any State departments of education and
employee under State or Federal law. disclosures associated with the local school districts in the vicinity of
We believe that the use of the ‘‘direct outsourcing of institutional services and any conference.
control’’ standard strikes an appropriate functions should include a record that For a discussion of the comment that
balance in identifying the necessary and will serve as an audit trail. The recommended that the regulations
proper relationship between the school commenter noted that both the Health require that schools maintain an audit
and its outside parties that are serving Insurance Portability and trail or an accounting of disclosures to
as ‘‘school officials.’’ The Accountability Act (HIPAA) and the school officials, including outside
recommendation that we adopt a Privacy Act of 1974 require the providers, see the discussion under the
standard more closely aligned with the maintenance of audit trails or an following section entitled Control of
GLB standard does not appear workable, accounting of disclosures of records. Access to Education Records by School
especially with regard to requiring that Discussion: An agency or institution Officials.
schools enter into formal contracts with must ensure that an outside party Changes: None.
each outside party performing services, providing institutional services or
including parent-volunteers. However, functions does not use or allow access Control of Access to Education Records
one way in which schools can ensure to education records except in strict by School Officials (§ 99.31(a)(1)(ii))
that parties understand their accordance with the requirements Comment: Many commenters
responsibilities under FERPA with established by the educational agency or supported proposed § 99.31(a)(1)(ii),
respect to education records is to clearly institution that discloses the which requires an educational agency or
describe those responsibilities in a information. Section 99.33(a)(2) of the institution to use reasonable methods to
written agreement or contract. FERPA regulations applies to employees ensure that school officials have access
Exercising direct control could prove and outside service providers alike and to only those education records in
more challenging in some situations prohibits the recipient from using which the official has a legitimate
than in others. Schools outsourcing education records for any purpose other educational interest. In this section, we
information technology services, such as than the purposes for which the also proposed that an educational
agency or institution that does not use information is available only to those educational interest requirement in
physical or technological access with a legitimate educational interest. § 99.31(a)(1)(i)(A). However, the
controls must ensure that its One commenter expressed concern ‘‘reasonable methods’’ standard applies
administrative policy for controlling that the requirement to use reasonable whether the control is physical,
access to education records is effective methods to ensure appropriate access technological, or administrative.
and that it remains in compliance with was not sufficiently restrictive, because The regulations permit the use of a
the ‘‘legitimate educational interest’’ under the regulations, all volunteers variety of methods to protect education
requirement. would be designated as school officials. records, in whatever format, from
One commenter who supported the The commenter believed that the improper access. The Department
proposed regulations expressed concern regulations would enable volunteers to expects that educational agencies and
that not all districts and institutions gain access more easily to confidential institutions will generally make
have the financial or technological and sensitive information in education appropriate choices in designing records
resources to create or purchase an records. access controls, but the Department
electronic system that provides fully A commenter who is a parent of a reserves the right to evaluate the
automated access control and that an special education student also effectiveness of those efforts in meeting
institution using only administrative expressed concern that the language in statutory and regulatory requirements.
controls would be required to the regulations was not adequate. The The additional language that one
demonstrate that each school official commenter described a software commenter requested concerning
who accessed education records package used by her district that permits outsourcing is already included in the
possessed a legitimate educational all school officials unrestricted access to regulations in § 99.31(a)(1). That section
interest in the education records to the IEPs of all special education specifically provides that contractors are
which the official gained access. students. subject to the same conditions
According to the commenter, the Discussion: Section 99.30 requires governing the access and use of records
regulations seem to omit the that a parent or eligible student provide that apply to other school officials. As
‘‘reasonable methods’’ concept for those written consent for a disclosure of long as those conditions are met, the
schools that utilize administrative personally identifiable information from physical location in which the
controls rather than physical or education records unless the contractor provides the service is not
technological controls. The commenter circumstances meet one of the relevant.
was concerned that smaller schools that exceptions to consent, such as the Because the regulations permit the
lack resources to create or purchase a release of information to a school use of a variety of methods to effectively
system that fully monitors record access official with a legitimate educational reduce the risk of unauthorized access
would be disadvantaged by having to interest. Thus, a district or institution to education records, we do not believe
meet a higher standard of ensuring a that makes a disclosure solely on the the requirement to establish ‘‘reasonable
legitimate educational interest on the basis that the individual is a school methods’’ for controlling access is
part of the school officials that access official violates FERPA if it does not unduly burdensome. Schools have the
the records. also determine that the school official flexibility to decide the method or
One commenter expressed concern has a legitimate educational interest. methods best suited to their own
that the standard in § 99.31(a)(1)(ii) is The regulations in § 99.31(a)(1)(ii) are circumstances. For the many schools,
too restrictive and asked whether the designed to clarify the responsibility of districts, and institutions that already
Department would use flexibility and the educational agency or institution to meet the standard, no operational
deference in taking into consideration ensure that access to education records changes should be necessary.
an institution’s efforts in compliance by school officials is limited to The regulations do not designate all
with the requirement. circumstances in which the school volunteers as school officials. Rather,
Another commenter requested that we official possesses a legitimate the regulations clarify that schools may
include in the regulations a requirement educational interest. designate volunteers as school officials
that contractors hosting data at offsite We believe that the standard of who may be provided access to
locations must institute effective access ‘‘reasonable methods’’ is sufficiently education records only when the
control measures. The commenter stated flexible to permit each educational volunteer has a legitimate educational
that many schools and contractors are agency or institution to select the proper interest. Schools can and should
uncertain as to whether the school or balance of physical, technological, and carefully assess and limit access by any
the contractor is responsible for administrative controls to effectively school official, including volunteers.
ensuring that access controls are applied prevent unauthorized access to This issue is discussed in more detail
to data hosted by contractors. education records, based on their previously in this preamble under the
One commenter stated that the resources and needs. In order to section entitled Outsourcing.
regulations created an unnecessary establish a system driven by physical or With regard to the parent who
burden, as school districts already do technological access controls, a school expressed concern that the language in
their best to comply with FERPA and an would generally first determine when a the regulations was not adequate to
occasional mistake should be excused. school official has a legitimate address the problem of software that
The commenter, however, was pleased educational interest in education permits all school officials to access the
that the regulations do not require the records and then determine which IEPs of all special education students,
use of technological controls. The physical or technological access we believe that the language in
commenter was concerned that schools controls are necessary to ensure that the § 99.31(a)(1)(ii) is sufficient. As
are unable to pre-assign risk levels to official can access only those records. previously noted, FERPA prohibits
categories of records in order to The regulations require a school that school officials from having access to
determine appropriate methods to uses only administrative controls to education records unless they have a
mitigate improper access. The ensure that its administrative policy for legitimate educational interest. The
commenter supported the use of controlling access to education records commenter’s point illustrates the need
effective administrative controls as is effective and that the school is in for educational agencies and institutions
determined by a district to ensure that compliance with the legitimate to ensure that adequate controls are in
place to restrict access to education which a student seeks information or services from the home school district,
records only to a school official with a services but not enrollment, such as including an evaluation under the IDEA.
legitimate educational interest. when a charter school student requests We note, however, that the
Changes: None. an evaluation under the IDEA from the confidentiality of information
Transfer of Education Records to student’s home school district. regulations under Part B of the IDEA
Two commenters asked whether contain additional consent requirements
Student’s New School (§§ 99.31(a)(2)
mental health and other treatment that may also apply in these
and 99.34(a))
records of postsecondary students, circumstances.
Comment: All of the comments we which are excluded from the definition Under section 444(a)(4)(B)(iv) of
received on proposed §§ 99.31(a)(2) and of education records under FERPA, FERPA, 20 U.S.C. 1232g(a)(4)(B)(iv),
99.34(a) supported the clarification that could be disclosed to the new school. medical and psychological treatment
an educational agency or institution Other commenters asked whether records of eligible students are excluded
may disclose a student’s education FERPA places any limits on the transfer from the definition of education records
records to officials of another school, of information about student if they are made, maintained, and used
school system, or institution of disciplinary actions to colleges and only in connection with treatment of the
postsecondary education not just when universities and what information a student and disclosed only to
the student seeks or intends to enroll, postsecondary institution may ask for individuals providing the treatment,
but after the student is already enrolled, and receive regarding a student’s including treatment providers at the
so long as the disclosure is for purposes disciplinary actions. A few commenters student’s new school. (While the
related to the student’s enrollment or asked us to address the relationship comment concerned records of
transfer. Some commenters noted that between these regulations and guidance postsecondary students, we note that
this clarification reduces legal issued by the Department’s Office for the treatment records exception to the
uncertainty about how long a school Civil Rights (OCR) prohibiting the pre- definition of education records applies
may continue to send records or admission release of information about also to any student who is 18 years of
information to a student’s new school; a student’s disability under section 504 age or older, including 18 year old high
other commenters noted that this of the Rehabilitation Act of 1973, as school students.) An educational agency
clarification will be helpful in serving amended, and Title II of the Americans or institution may disclose an eligible
students who are homeless or in foster with Disabilities Act of 1990, as student’s treatment records to the
care because these students are often amended. student’s new school for purposes other
already enrolled in a new school system Discussion: The regulations are than treatment provided that the records
while waiting for records from a intended to eliminate uncertainty about are disclosed under one of the
previous enrollment. whether, under § 99.31(a)(2), an exceptions to written consent under
A few commenters asked us to clarify educational agency or institution may § 99.31(a), including § 99.31(a)(2), or
the requirement that the disclosure must send education records to a student’s with the student’s written consent
be for purposes related to the student’s new school even after the student is under § 99.30. If an educational agency
enrollment or transfer. The commenters already enrolled and attending the new or institution discloses an eligible
asked whether this meant that only school. The requirement that the student’s treatment records for purposes
records specifically related to the new disclosure must be for purposes related other than treatment, the treatment
school’s decision to admit the student or to the student’s enrollment or transfer is records are no longer excluded from the
records related to the transfer of course not intended to limit the kind of records definition of education records and are
credit could be disclosed, or whether that may be disclosed under this subject to all other FERPA requirements,
the agency or institution could also exception. Instead, the regulations are including the right of the eligible
disclose information about previously intended to clarify that, after a student student to inspect and review the
undisclosed disciplinary actions related has already enrolled in a new school, records and to seek to have them
to the student’s ongoing attendance at the student’s former school may amended under certain conditions. In
the new institution. One commenter disclose any records or information, practical terms, this means that an
suggested that we remove the including health records and agency or institution may disclose an
requirement that the disclosure must be information about disciplinary eligible student’s treatment records to
for purposes of the student’s enrollment proceedings, that it could have the student’s new school either with the
or transfer because it was confusing and disclosed when the student was seeking student’s written consent, or under one
unnecessary. Some commenters asked or intending to enroll in the new school. of the exceptions in § 99.31(a),
the Department to provide guidance These regulations apply to any school including § 99.31(a)(2), which permits
about the types of records that may be that a student previously attended, not disclosure to a school where a student
sent under the regulations to a student’s just the school that the student attended seeks or intends to enroll, or where the
new school, noting that the preamble to most recently. For example, under student is already enrolled so long as
the NPRM stated that the regulations § 99.31(a)(2), a student’s high school the disclosure is for purposes related to
allow school officials to disclose any may send education records directly to the student’s enrollment or transfer.
and all education records, including a graduate school in which the student FERPA does not contain any
health and disciplinary records, to the seeks admission, or is already enrolled. particular restrictions on the disclosure
new school (73 FR 15581). Section 99.34(b), which explains the of a student’s disciplinary records.
One commenter asked us to clarify conditions that apply to the disclosure Further, Congress has enacted
that any school, not just the school the of information to officials of another legislation to ensure that schools
student attended most recently, may school, school system, or postsecondary transfer disciplinary records to a
disclose information from education institution, allows a public charter student’s new school in certain
records to the institution that the school or other agency or institution to circumstances. In particular, section
student currently attends. Another disclose the education records of one of 444(h) of the statute, 20 U.S.C. 1232g(h),
commenter asked whether the amended its students in attendance to the and the implementing regulations in
regulations would permit the disclosure student’s home school district if the § 99.36(b) provide that nothing in
of education records to an institution in student receives or seeks to receive FERPA prevents an educational agency
or institution from including in a discussion in the section entitled Health any court order or subpoena that forms
student’s records and disclosing to or Safety Emergency (§ 99.36). the basis of a disclosure without consent
teachers and school officials, including Changes: None. under § 99.31(a)(9), the agency or
those in other schools, appropriate Ex Parte Court Orders Under the USA institution must simply determine
information about disciplinary actions Patriot Act (§ 99.31(a)(9)) whether the ex parte court order is
taken against the student for conduct facially valid. We see no reason to
that posed a significant risk to the safety Comment: Two commenters include this general requirement in the
or well-being of that student, other expressed support for the proposed regulations.
students, or other members of the school regulations, which incorporate statutory Section 99.31(a)(9)(ii) requires an
community. This authority is in changes that allow an educational agency or institution to make a
addition to any other authority in agency or institution to comply with an reasonable effort to notify a parent or
FERPA for the disclosure of education ex parte court order issued under the eligible student of a judicial order or
records without consent, including the USA Patriot Act. One commenter said lawfully issued subpoena in advance of
authority under § 99.36(a) to disclose that it would be helpful to add to the compliance, except for certain law
education records in connection with a regulations a statement from the enforcement subpoenas if the court has
health or safety emergency. In addition, preamble to the NPRM that an ordered the agency or institution not to
section 4155 of the Elementary and institution is not responsible for disclose the existence or contents of the
Secondary Education Act of 1965 determining the relevance of the subpoena or information disclosed. An
(ESEA), 20 U.S.C. 7165, as amended by information sought or the merits of the ex parte order is by definition an order
the No Child Left Behind Act of 2001 underlying claim for the court order. issued without notice to or argument
Several commenters opposed from the other party, including the party
(NCLB), requires a State that receives
§ 99.31(a)(9). One commenter said that whose education records are sought,
funds under the ESEA to have a
the USA Patriot Act is unconstitutional and the USA Patriot Act amendments
procedure in place to facilitate the
and that its provisions will sunset in provide that the Attorney General may
transfer of disciplinary records, with 2009. Another commenter said that the
respect to a suspension or expulsion, by collect and use the records without
regulations harm its ability to preserve regard to any FERPA requirements,
LEAs to any private or public the confidentiality of education records,
elementary school or secondary school including the recordation requirements.
particularly those of foreign students. Under this statutory authority, the
for any student who is enrolled or seeks, The commenter asked us to change the
intends, or is instructed to enroll, on a regulations properly provide that the
regulations to permit institutions to agency or institution is not required to
full-or part-time basis, in the school. notify students when records are notify the parent or eligible student
There are, however, other Federal requested, unless the ex parte court before complying with the order or to
laws, such as the IDEA, section 504 of order specifically states that the student record the disclosure.
the Rehabilitation Act of 1973, as should not be notified. Another We do not agree with the commenter’s
amended (Rehabilitation Act), and Title commenter said that schools should be request that we amend the regulations to
II of the Americans with Disabilities Act required to notify parents when records allow agencies and institutions to notify
of 1990, as amended (ADA), with are requested and to record the parents and students and record these
different requirements that may affect disclosure. disclosures. We note that FERPA does
the release of student information. For Discussion: The USA Patriot Act not prohibit an educational agency or
example, educational agencies and amendments to FERPA have not been institution from notifying a parent or
institutions that are ‘‘public agencies’’ ruled unconstitutional, and its student or recording a disclosure made
or ‘‘participating agencies’’ under the provisions relevant to FERPA do not in compliance with an ex parte court
IDEA must comply with the sunset in 2009. Therefore, we are order under the USA Patriot Act.
requirements in the Part B implementing these provisions in our However, an agency or institution that
confidentiality of information regulations at this time. does so may violate the terms of the
regulations. See, e.g., 34 CFR Under the USA Patriot Act, the U.S. court order itself and may also fail to
300.622(b)(2) and (3). By way of further Attorney General, or a designee in a meet the good faith requirements in the
illustration, because educational position not lower than an Assistant USA Patriot Act for avoiding liability for
agencies and institutions receive Attorney General, may apply for an ex the disclosure. We would also
Federal financial assistance, they must parte court order to collect, retain, recommend that agencies and
comply with the regulations disseminate, and use certain education institutions consult with legal counsel
implementing section 504 of the records in the possession of an before notifying a parent or student or
Rehabilitation Act, which generally educational agency or institution recording a disclosure of education
prohibit postsecondary institutions from without regard to any other FERPA records made in compliance with an ex
making pre-admission inquiries about requirements, including in particular parte court order under the USA Patriot
an applicant’s disability status. See 34 the recordkeeping requirements. 20 Act.
CFR 104.42(b)(4) and (c). However, after U.S.C. 1232g(j)(3) and (4). The USA Changes: None.
admission, in connection with an Patriot Act amendments to FERPA also
emergency and if necessary to protect provide that an educational agency or Registered Sex Offenders
the health or safety of a student or other institution that complies in good faith (§ 99.31(a)(16))
persons as defined under FERPA and its with the court order is not liable to any Comment: One commenter asked for
implementing regulations, section 504 person for producing the information. clarification whether the proposed
of the Rehabilitation Act and Title II of Nothing in these amendments, regulations authorizing the disclosure of
the ADA do not prohibit postsecondary including the ‘‘good faith’’ requirement, personally identifiable information from
institutions from obtaining information requires an educational agency or education records concerning registered
and education records concerning a institution to evaluate the underlying sex offenders authorize only the
current student, including those with merits or legal sufficiency of the court disclosure of information that is
disabilities, from any school previously order before disclosing the requested received from local law enforcement
attended by the student. See the information without consent. As with officials, or whether disclosure could
also include other information from a offenders. We have determined through proposed regulations, a student’s new
student’s education records, such as further review, however, that this school district or institution would be
campus of attendance. A second sentence could be confusing and should able to obtain the student’s prior
commenter expressed appreciation that be removed. Participating institutions education records from a single State
the regulations clarify that school are required under section 485(f)(1) of agency instead of contacting and
districts are not required or encouraged the Higher Education Act of 1965, as waiting for records from separate
to collect or maintain information on amended, 20 U.S.C. 1092(f)(1), to advise districts or institutions. Commenters
registered sex offenders and that these the campus community where it may noted, however, that certain issues had
disclosures are permissible but not obtain law enforcement agency not been addressed in the proposed
required. information provided by the State under regulations and that further clarification
Discussion: The Campus Sex Crimes 42 U.S.C. 14071(j) concerning registered was required. Commenters also
Prevention Act (CSCPA) amendments to sex offenders. Further, the Department supported the new redisclosure
FERPA allow educational agencies and does not wish to discourage educational authority to the extent that it facilitates
institutions to disclose any information agencies and institutions from the exchange of education records
concerning registered sex offenders disclosing relevant information about a among State educational authorities,
provided to the agency or institution registered sex offender in appropriate educational agencies and institutions,
under section 170101 of the Violent circumstances. and educational researchers through
Crime Control and Law Enforcement Changes: We have revised the consolidated, statewide systems or
Act of 1994, 42 U.S.C. 14071, commonly regulations to remove the reference to separate data sharing arrangements.
known as the Wetterling Act. Since the disclosure of information obtained Two commenters expressed
publication of the NPRM, we have by the educational agency or institution substantial concerns that the regulations
determined that the proposed in compliance with a State community inappropriately expanded the situations
regulations were confusing, because notification program. The regulations in which personally identifiable
they limited these disclosures to now simply allow disclosure without information could be redisclosed
information that was obtained and consent of any information concerning without parental or student consent.
disclosed by an agency or institution in registered offenders provided to an One commenter noted that the
compliance with a State community educational agency or institution under theoretical benefits of maintaining large,
notification program. In fact, the CSCPA 42 U.S.C. 14071 and applicable Federal consolidated data systems, which allow
amendments to FERPA cover any guidelines. We also have removed the users to track individual students over
information provided to an educational sentence stating that neither FERPA nor time, do not outweigh the need to
agency or institution under the the regulations requires or encourages protect individual privacy. Another
Wetterling Act, including not only agencies or institutions to collect or commenter stated that the regulations
information provided under general maintain information about registered should not allow State and local
State community notification programs, sex offenders. educational authorities and the Federal
which are required under subsection (e) officials and agencies listed in
of the Wetterling Act, 42 U.S.C. Redisclosure of Education Records and § 99.31(a)(3) to set up and operate
14071(e), but also information provided Recordkeeping by State and Local record systems containing personally
under the more specific campus Educational Authorities and Federal identifiable information that parents
community notification programs for Officials and Agencies (§§ 99.31(a)(3); and students have no right to review or
institutions of higher education, which 99.32(b); 99.33(b); 99.35(a)(2); 99.35(b)) amend, and may not even know about.
are required under subsection (j), 42 (a) Redisclosure Barring the withdrawal of these
U.S.C. 14071(j). regulations, these commenters urged the
The Wetterling Act requires States to Comment: We received a number of Department to strengthen or at least
release relevant information about comments on the proposed changes in preserve the safeguards and protections
persons required to register as sex § 99.35(b) that would permit State and that accompany this new data sharing
offenders that is necessary to protect the local educational authorities and authority. One commenter asked us to
public, including specific State Federal officials and agencies listed in require any State or Federal entity that
reporting requirements for law § 99.31(a)(3) to redisclose personally maintains education records to provide
enforcement agencies having identifiable information from education parents and students with annual
jurisdiction over institutions of higher records on behalf of educational notification and the right to review and
education. The exception to the consent agencies and institutions without amend the students’ records.
requirement in FERPA allows parental consent under the existing Many commenters indicated their
educational agencies and institutions to redisclosure authority in § 99.33(b). strong support for allowing State
make available to the school community (Section 99.33(b) allows an educational educational authorities to respond to
any information provided to it under the agency or institution to disclose requests for information from education
Wetterling Act. We interpret this to also personally identifiable information from records and redisclose personally
include any additional information education records with the identifiable information, whether for
about the student that is relevant to the understanding that the recipient may data sharing systems, transferring
purpose for which the information was make further disclosures of the records to a student’s new school, or
provided to the educational agency or information on behalf of the agency or other purposes authorized under
institution—protecting the public. This institution if the disclosure falls under § 99.31(a), without involving school
could include, for example, the school one of the exceptions in § 99.31(a) and districts and postsecondary institutions.
or campus at which the student is the agency or institution has complied These commenters generally thought
enrolled. with the recordation requirements in that State educational authorities and
The proposed regulations included a § 99.32(b).) Many commenters said that Federal officials listed in § 99.31(a)(3)
sentence stating that FERPA does not the proposed change would ease should not be required to consult with
require or encourage agencies or administrative burdens on State and educational agencies and institutions
institutions to collect or maintain local educational authorities, agencies, when redisclosing information from
information about registered sex and institutions. For example, under the education records. One commenter
asked us to clarify the role of the SEA specifically allow the State-level exceptions in § 99.31 (73 FR 15586–
or other State educational authority as advisory council to audit or evaluate 15587). In that case, the disclosing
the custodian of education records and education programs, or that allow a K– agency or institution must record the
its authority to act for educational 12 school district to audit or evaluate names of the additional parties to which
agencies and institutions. Several the programs offered by postsecondary the receiving party may redisclose the
commenters urged us to revise the institutions, and vice versa, and the information on behalf of the educational
regulations to make clear that the commenter asked whether general agency or institution and their
redisclosing official is authorized to authority for these entities to act under legitimate interests under § 99.31.
make further disclosures under State law would be sufficient. Two Under the regulatory framework for
§ 99.31(a) without approval from, or commenters whose States do not house redisclosing education records in
further consultation with, the original their K–12 and postsecondary systems § 99.33(b), educational agencies and
source of the records and maintain the within the same agency expressed institutions retain primary
appropriate record related to the concern whether they will be able to responsibility for disclosing and
redisclosure. develop consolidated databases under authorizing redisclosure of their
One commenter said that the the regulations if their K–12 and education records without consent. (We
regulations must allow State postsecondary agencies do not have note again that the only disclosures of
educational authorities to transfer appropriate authority to audit or education records that are mandatory
records on behalf of LEAs and evaluate each other’s programs. under FERPA are those made to parents
postsecondary institutions. One Discussion: We continue to believe and eligible students.) The purpose of
commenter strongly supported the that State and local educational § 99.33(b), which allows redisclosure of
changes in § 99.35(b) because they authorities and Federal officials that education records notwithstanding the
would allow the State McKinney-Vento receive education records under general statutory restrictions, has always
coordinator to control transfer of §§ 99.31(a)(3) and 99.35 should be been to ease administrative burdens on
education records of abused and permitted to redisclose education educational agencies and institutions
homeless students to their new schools records on behalf of educational that disclose education records. The
and prevent potential abusers from agencies and institutions in accordance legal basis for this accommodation is
locating the student. with the existing regulations governing that the recipient is acting ‘‘on behalf
Some commenters believed that the redisclosure of information in of’’ the agency or institution from which
current regulations impede the ability of § 99.33(b). We agree with the it received information from education
States to establish and operate data commenters that this change will ease records and making a further disclosure
sharing systems and that regulatory administrative burdens at all levels and that the agency or institution would
changes must allow all educational facilitate the creation and operation of otherwise make itself under § 99.31(a).
agencies, institutions, SEAs, and other statewide data sharing systems that Section 99.33(b) does not confer on any
State educational authorities to support the student achievement, recipient of education records
exchange data among themselves and program accountability, transfer of independent authority to redisclose
work with researchers. One commenter records, and other objectives of Federal those records apart from acting ‘‘on
recommended that we create a specific and State education programs while behalf of’’ the disclosing educational
exception in § 99.31(a) that would allow protecting the privacy rights of parents agency or institution.
data sharing across State educational and students in students’ education The Department recognizes that the
authorities in order to establish and records. State and local educational authorities
operate consolidated, longitudinal data We respond first to commenters’ and Federal officials that receive
systems. concerns about the requirement in education records without consent
Several commenters asked for § 99.33(b) that any redisclosure of under § 99.31(a)(3) are responsible for
clarification of the requirement in personally identifiable information from supervising and monitoring educational
§ 99.35(a)(2) that authority for an agency education records must be made on agencies and institutions and that many
or official listed in § 99.31(a)(3) to behalf of the educational agency or of them also maintain centralized data
conduct an audit, evaluation, or institution that disclosed the systems that constitute a valuable
compliance or enforcement activity is information to the receiving party, resource of information from education
not conferred by FERPA or the including any requirement for records. The proposed changes to
regulations and must be established consulting with or obtaining approval § 99.35(b) would allow these State and
under other Federal, State, or local law, from the educational agency or Federal authorities and officials to
including valid administrative institution that disclosed the redisclose information received under
regulations. One commenter supported information. The statutory prohibitions § 99.31(a)(3) under any of the exceptions
data sharing among pre-school, K–12, on the redisclosure of education records in § 99.31(a), including transferring
and postsecondary institutions, apply to education records that SEAs, education records to a student’s new
provided that appropriate legal State higher educational authorities, the school under § 99.31(a)(2), sharing
authority for the underlying audit, Department, and other Federal officials information among other State and local
evaluation, or compliance and receive under an exception to the educational authorities and Federal
enforcement activity is established as written consent requirement in FERPA, officials for audit or evaluation purposes
required under § 99.35(a)(2). One such as §§ 99.31(a)(3) and 99.35 (for under § 99.31(a)(3), and using
commenter asked whether citation to a audit, evaluation, compliance and researchers to conduct evaluations and
specific law or regulations will be enforcement purposes) and § 99.31(a)(4) studies under § 99.31(a)(3) or
required, or whether general State laws (for financial aid purposes). As § 99.31(a)(6), without violating the
that provide joint authority to evaluate explained in the preamble to the NPRM, statutory prohibitions on redisclosing
programs at all levels are sufficient for § 99.33(b) allows an educational agency education records provided certain
parties to enter into data sharing or institution to disclose education conditions have been met. In the event
agreements under the regulations. records with the understanding that the that an educational agency or institution
One commenter indicated that its recipient may make further disclosures objects to the redisclosure of
State has no laws or regulations that on its behalf under one of the information it has provided, the State or
local educational authority or Federal records, without consent, to an The Department has always
official or agency may rely instead on organization to carry out its accrediting interpreted §§ 99.31(a)(3) and 99.35 to
any independent legal authority it has to functions. If that organization is not, in allow educational agencies and
further disclose the information. fact, an accreditation authority for that institutions to disclose personally
We agree that current regulations particular institution, then disclosure identifiable information from education
were unclear about the ability of States under § 99.31(a)(7) is invalid and records to the SEA or State higher
to establish and operate data sharing violates FERPA. Likewise, § 99.31(a)(9) education board or commission
systems with educational agencies and does not authorize a court or Federal responsible for their supervision based
institutions, which is why we amended grand jury to issue an order or on the understanding that those entities
§ 99.35(b). As explained in the NPRM subpoena; it allows an educational are authorized to audit or evaluate (or
(73 FR 15587), §§ 99.35(a)(2) and agency or institution to comply with a enforce Federal legal requirements
99.35(b) allow SEAs, higher education facially valid order or subpoena, related to) the education programs
authorities, and educational agencies without consent. provided by the agencies and
and institutions, including local school We added the requirement in institutions whose records are
districts and postsecondary institutions, § 99.35(a)(2) that the recipient have disclosed. Under this reasoning, a K–12
to share education records in personally authority under Federal, State, or local school district (LEA) may disclose
identifiable form with one another, law to conduct the activity for which personally identifiable information from
provided that Federal, State, or local the disclosure was made because there education records to another LEA, or to
law authorizes the recipient to conduct was significant confusion in the a State higher education board or
the audit, evaluation, or compliance or educational community about who may commission, without consent, if that
enforcement activity in question. receive education records without LEA, board, or commission has legal
Accordingly, data sharing arrangements consent for audit and evaluation authority to conduct the audit,
among State and local educational purposes under § 99.35. For example, in evaluation, or compliance or
authorities and educational agencies 2005 the Pennsylvania Department of enforcement activity with regard to the
and institutions generally must meet Education (PDOE) asked the Department disclosing district’s programs. States do
these requirements to be permissible whether, in the absence of parental not have to house their K–12 or P–12
under FERPA. (Data sharing with consent, a charter school LEA and postsecondary systems within the
educational researchers is discussed responsible under State law for same agency in order to take advantage
below under Educational research.) providing a free appropriate public of this provision. However, they may
With respect to the comments need to review and modify the
education to students with disabilities
recommending that we create a specific supervisory and oversight
enrolled in the charter school could
exception in § 99.31(a) to allow data responsibilities of various State and
sharing across State educational send the local school district of
residence the IEP of each student with local educational authorities to ensure
authorities in order to establish and that there is valid legal authority for
operate consolidated, longitudinal data a disability. The school districts of
residence claimed that they needed this LEAs, postsecondary institutions, SEAs,
systems and other data sharing and higher education authorities to
arrangements, there is no provision in information to substantiate the charter
disclose or redisclose personally
FERPA that allows disclosure or school’s invoices for higher payments
identifiable information from education
redisclosure of education records, based on the student’s special education
records to one another under § 99.35(a)
without consent, for the specific status under the IDEA.
before information is released.
purpose of establishing and operating Our January 2006 response to PDOE It is not our intention in § 99.35(a)(2)
consolidated databases and data sharing explained that in order to meet the to require educational agencies and
systems, and, therefore, we are without requirements for disclosure of education institutions and other parties to identify
authority to establish one in these records under §§ 99.31(a)(3) and 99.35, specific statutory authority before they
regulations. Federal, State, or local law (including disclose or redisclose education records
In response to the questions valid administrative regulations) must for audit or evaluation purposes but to
concerning the need for Federal, state, authorize the relevant State or local ensure that some local, State, or Federal
or local legal authority to disclose educational authority to conduct the legal authority exists for the audit or
education records for audit or audit, evaluation, or compliance or evaluation, including for example an
evaluation purposes, we note that, in enforcement activity in question. In Executive Order or administrative
general, FERPA allows educational particular, we noted that charter schools regulation. The Department encourages
agencies and institutions to disclose in Pennsylvania could disclose the IEP State and local educational authorities
(and authorized recipients to redisclose) cover sheet under §§ 99.31(a)(3) and and educational agencies and
education records without consent in 99.35 of the regulations if the State law institutions to seek guidance from their
accordance with the exceptions listed in in question authorized a local school State attorney general on their legal
§ 99.31(a), including for audit or district to ‘‘audit or evaluate’’ a charter authority to conduct a particular audit
evaluation purposes under school’s request for payment of State or evaluation. The Department may also
§§ 99.31(a)(3) and 99.35. It does not, funds at the special education rate and provide additional guidance, as
however, provide the underlying the school district needed personally appropriate.
authority for individuals and identifiable information for that Changes: None.
organizations to conduct the various purpose, and that we would defer to the
activities that may allow them to receive State Attorney General’s interpretation (b) Recordation Requirements
education records without consent of State law on the matter. We also Comment: In the NPRM, 73 FR 15587,
under these exceptions. For example, explained that there appeared to be no we invited public comment on whether
§ 99.31(a)(7) does not authorize an legal authority that would allow charter an SEA, the Department, or other
organization to accredit educational schools in the State to disclose a official or agency listed in § 99.31(a)(3)
institutions; it allows educational student’s entire IEP to the resident should be allowed to maintain the
institutions to disclose personally school district, as requested by the record of the redisclosures it makes on
identifiable information from education resident school districts. behalf of an educational agency or
institution as a means of relieving any own redisclosures of information, then notice is prohibited under court order;
administrative burdens associated with the educational agency or institution the exceptions do not include
recording disclosures of education should be required to retrieve these disclosures made to parties outside the
records. One commenter urged the records in response to a request to agency or institution for audit,
Department not to delegate review education records by parents and evaluation, or compliance and
responsibility for recordkeeping to State eligible students who would otherwise enforcement purposes.)
and local educational authorities and not know about the redisclosures. Other An educational agency or institution
Federal agencies and officials that commenters suggested that the State is required under FERPA to record its
redisclose education records under educational authority or Federal official disclosures of personally identifiable
§ 99.33(b). Another said that if a State or could either make the redisclosure information from education records
local educational authority or Federal record available directly to parents and even when it discloses information to
agency or official rediscloses students or send it to the LEA or another educational agency or
information ‘‘on behalf of’’ an postsecondary institution for this institution, such as occurs under
educational agency or institution under purpose. § 99.31(a)(2) when a school district
§ 99.35(b), these further disclosures Discussion: We agree with transfers education records to a
should be included in the student’s commenters that in order to facilitate student’s new school. See 20 U.S.C.
record at the educational agency or the operation of State data systems and 1232g(b)(4)(A); 34 CFR 99.32(a).
institution. All other comments on this ease administrative burdens on all Therefore, even if a State educational
issue supported revising the regulations parties, the regulations should allow authority were considered an
to allow State and local educational State educational authorities and ‘‘educational agency or institution’’
authorities and Federal officials and Federal officials and agencies to record under § 99.1, a school district or
agencies listed in § 99.31(a)(3) to record further disclosures they make on behalf postsecondary institution would still be
any redisclosures they make under of educational agencies and institutions required to record its own disclosures to
§ 99.33(b). under § 99.33(b). We are revising the that State educational authority;
Several commenters suggested that provisions of § 99.32 to address defining a State educational authority as
the recordation requirements in commenters’ concerns and ensure that an educational agency or institution
§ 99.32(b) would place an undue burden these changes will not expand the would not eliminate this requirement.
on State and local officials when State redisclosure authority of a State or local Therefore, a school district or
educational authorities redisclose educational authority or Federal official postsecondary institution is required to
education records because the State or agency under § 99.35(b) and that record its disclosures to any State
authority would need to return to each parents and students will have notice of educational authority.
original source of the records to record and access to any State or Federal The term disclosure is defined in
the redisclosure. Some commenters record of further disclosures that is § 99.3 to mean to permit access to or the
noted that compliance with § 99.32(b) is created. release, transfer, or other
practically impossible if an LEA or In response to the commenter’s communication of personally
postsecondary institution is required to suggestion that we define ‘‘educational identifiable information contained in
record all authorized redisclosures at agency or institution’’ and the term education records to any party, by any
the time of the initial disclosure of disclosure to address recordation issues means, including oral, written, or
information to the State or Federal associated with the new redisclosure electronic means. This includes
authority. Two commenters suggested authority in § 99.35(b), we note that an releasing or making a student’s
that we eliminate the recordation educational agency or institution is education records available to school
problem by redefining the term required by statute to maintain with officials within the agency or
disclosure so that it does not include each student’s education records a institution, for which an exception to
disclosing information under record of each request for access to and the consent requirement exists under
§ 99.31(a)(3) for audit, evaluation, or each disclosure of personally § 99.31(a)(1). We see no legal basis for
compliance and enforcement purposes. identifiable information from the redefining the term disclosure to
Another commenter suggested that we education records of the student, exclude the release of personally
define ‘‘educational agency or including the parties who have identifiable information to third parties
institution’’ to include State educational requested or received information and outside the educational agency or
authorities so that disclosures to State their legitimate interests in the institution under the audit, evaluation,
educational authorities would not be information. 20 U.S.C. 1232g(b)(4)(A); or compliance and enforcement
considered a disclosure under FERPA. 34 CFR 99.32(a). This includes each exception to the consent requirement in
One commenter said that the disclosure of personally identifiable §§ 99.31(a)(3) and 99.35.
regulations should permit State information from education records that With regard to the level of detail
educational authorities to record an educational agency or institution required in the record of redisclosures,
redisclosures as they are made and makes to an SEA or other State current § 99.32(b) requires an
without having to identify each student educational authority and to Federal educational agency or institution to
by name. Another commenter asked for officials and agencies, including the record the ‘‘names of the additional
clarification whether the recordation Department, for audit, evaluation, or parties to which the receiving party may
requirements apply to redisclosures that compliance and enforcement purposes disclose the information’’ on its behalf
SEAs make to education researchers and under §§ 99.31(a)(3) and 99.35, and and their legitimate interests under
other parties that are not authorized to under most other FERPA exceptions, § 99.31. This means the name of the
make any further disclosures, and what such as the financial aid exception in individual (if an organization is not
level of detail is required in the record § 99.31(a)(4). (Regulatory exceptions to involved) or the organization and the
regarding who accessed the data and the statutory recordation requirements, exception under § 99.31(a) that would
what specific information was viewed. which are set forth in § 99.32(d), cover allow the redisclosure to be made
One commenter stated that if State disclosures that a parent or eligible without consent. Under current
educational authorities and Federal student would generally know about § 99.33(a)(2), the officers, employees,
officials are authorized to record their without the recordation or for which and agents of a party that receives
information from education records may education records without consent education records must record the
use the information for the purposes for under § 99.33(b). This will help ensure names of the additional parties to which
which the disclosure was made without that parents and students know that the it discloses information on behalf of an
violating the limitations on redisclosure record of disclosures maintained by an educational agency or institution and
in § 99.33(a)(1). Therefore, we interpret educational agency or institution as their legitimate interests under § 99.31
the recordation requirement in required under § 99.32(a) may not in the information if the information
§ 99.32(b) to mean that an educational contain all further disclosures made on was received from an educational
agency or institution may record the behalf of the agency or institution by a agency or institution that has not
name of an organization, including a State or Federal authority or official and recorded the further disclosures itself or
research organization, to which a alert parents and students to the need to from another State or local official or
recipient may make further disclosures ask for access to this additional Federal official or agency listed in
under § 99.33(b) and is not required to information. We have also revised § 99.31(a)(3).
record the name of each individual § 99.32(a) to require an educational • New § 99.32(b)(2)(ii) provides that a
within the organization who is agency or institution to obtain a copy of State or local educational authority or
authorized to use that information in the record of further disclosures Federal official or agency that records
accordance with § 99.33(a)(2). maintained at the State or Federal level further disclosures of information may
We also recognize that sometimes an and make it available for parents and maintain the record by the student’s
educational agency or institution does students to inspect and review upon class, school, district or other
not know at the time of its disclosure of request. appropriate grouping rather than by the
education records that the receiving In response to commenters’ name of the student.
party may wish to make further suggestions, the regulations in new • New § 99.32(b)(2)(iii) provides that
disclosures on its behalf. Therefore, we § 99.32(b)(2)(ii) allow a State or local upon request of an educational agency
interpret § 99.32(b) to allow a receiving educational authority or Federal official or institution, a State or local
party to ask an educational agency or or agency to identify the redisclosure by educational authority or Federal official
institution to record further disclosures the student’s class, school, district, or or agency that maintains a record of
made on its behalf after the initial other appropriate grouping rather than further disclosures must provide a copy
receipt of the records or information. by the name of each student whose of the record of further disclosures to
These same policies apply to further record was redisclosed. For example, an the educational agency or institution
disclosures made by State and local SEA may record that it disclosed to the within a reasonable period of time not
educational authorities and Federal State higher education authority the to exceed 30 days.
officials listed in § 99.31(a)(3) that scores of each student in grades nine • Revised § 99.32(a)(1) requires
redisclose information on behalf of through 12 on the State mathematics educational agencies and institutions to
educational agencies and institutions assessment for a particular year. We list in each student’s record of
under the new authority in § 99.35(b). believe that this procedure eases disclosures the names of the State and
Educational agencies and institutions administrative burdens while ensuring local educational authorities and
that disclose education records under that a parent or student may access Federal officials or agencies that may
§ 99.31(a)(3) with the understanding information about the redisclosure. make further disclosures of the
that the State or Federal authority or We note that the recordation information on behalf of the educational
official may make further disclosures requirements under § 6401(c)(i)(IV) of agency or institution under § 99.33(b).
may continue to record those further the America COMPETES Act, Public • New § 99.32(a)(4) requires an
disclosures as provided in § 99.32(b)(1). Law 110–69, 20 U.S.C. 9871(c)(i)(IV), educational agency or institution to
Like any other recipient of education are more detailed and stringent than obtain a copy of the record of further
records, a State or Federal authority or those required under FERPA. In disclosures maintained by a State or
official may also ask an educational particular, a State that receives a grant local educational authority or Federal
agency or institution to record further to establish a statewide P–16 education official or agency and make it available
disclosures made on its behalf after the data system under § 6401(c)(2), 20 in response to a parent’s or student’s
initial receipt of the records or U.S.C. 9871(c)(2), is required to keep an request to review the student’s record of
information. It is incumbent upon a accurate accounting of the date, nature, disclosures.
State or Federal authority or official that and purpose of each disclosure of
Educational Research (§§ 99.31(a)(6)
makes further disclosures on behalf of personally identifiable information in
and 99.31(a)(3))
an educational agency or institution the statewide P–16 education data
under § 99.33(b) to determine whether system; a description of the information Comment: We received a number of
the educational agency or institution disclosed; and the name and address of comments on proposed § 99.31(a)(6)(ii).
has recorded those further disclosures. the person, agency, institution, or entity In this section, we proposed that an
If the educational agency or institution to whom the disclosure is made. The educational agency or institution that
does not do so, then under the revisions State must also make this accounting discloses personally identifiable
to § 99.32(b)(2)(i) in the final available on request to parents of any information without consent to an
regulations, the State and local student whose information has been organization conducting studies for, or
educational authority or Federal official disclosed. The Department will issue on behalf of, the educational agency or
or agency that makes further disclosures further guidance on these requirements institution must enter into a written
must maintain the record of those if the program is funded and agreement with the organization
disclosures. implemented. specifying the purposes of the study and
We have also revised § 99.32(a) to Changes: We have made several containing certain other elements. This
ensure that educational agencies and changes to § 99.32, as follows: exception to the consent requirement is
• New § 99.32(b)(2)(i) provides that a
institutions maintain a listing in each often referred to as the ‘‘studies

student’s record of the State and local State or local educational authority or exception.’’ While all of the comments
educational authorities and Federal Federal official or agency listed in on this provision generally supported
officials and agencies that may make § 99.31(a)(3) that makes further the changes, many of the commenters
further disclosures of the student’s disclosures of information from raised concerns about the scope and
applicability of the studies exception disclose personally identifiable explains that under this exception an
and requested clarification on some of information from an education record of ‘‘authorized representative’’ of a State
the proposed changes, particularly with a student without consent if the educational authority is a party under
regard to the provisions relating to disclosure is to an organization the direct control of that authority, e.g.,
written agreements. conducting studies for, or on behalf of, an employee or a contractor.
Discussion: We address commenters’ the educational agency or institution to In general, the Department has
specific concerns about the key portions (a) develop, validate, or administer interpreted FERPA and implementing
of these regulations in the following predictive tests; (b) administer student regulations to permit the disclosure of
sections. aid programs; or (c) improve instruction. personally identifiable information from
Changes: None. 20 U.S.C. 1232g(b)(1)(F); 34 CFR education records, without consent, in
(a) Scope and Applicability of 99.31(a)(6). Disclosures made under the connection with the outsourcing of
§ 99.31(a)(6) studies exception may only be used by institutional services and functions.
the receiving party for the purposes for Accordingly, the term ‘‘authorized
Comment: Several commenters stated which the disclosure was made and for representative’’ in § 99.31(a)(3) includes
that the proposed regulations did not no other purpose or study. As such, contractors, consultants, volunteers, and
clearly indicate that the studies § 99.31(a)(6) is not a general research other outside parties (i.e., non-
exception applies to State educational exception to the consent requirement in employees) used to conduct an audit,
authorities. Some commenters, FERPA but an exception for studies evaluation, or compliance or
assuming that § 99.31(a)(6) applied to limited to the purposes specified in the enforcement activities specified in
State educational authorities, noted that statute and regulations. § 99.35, or other institutional services or
the proposed regulations did not We first note that it may not be functions for which the official or
provide clear authority for State necessary or even advantageous for agency would otherwise use its own
educational authorities such as an SEA, State educational authorities to use the employees. For example, a State
or a State longitudinal data system using studies exception in order to conduct or educational authority may disclose
State generated data (such as State authorize educational research because personally identifiable information from
assessment results), to enter into of the limitations in § 99.31(a)(6). In education records, without consent, to
research agreements on behalf of contrast, § 99.31(a)(3)(iv), under the an outside attorney retained to provide
educational agencies and institutions. conditions set forth in § 99.35, allows legal services or an outside computer
One commenter stated that § 99.31(a)(6) educational agencies and institutions, consultant hired to develop and manage
should not be interpreted to require that such as LEAs and postsecondary a data system for education records.
research agreements be entered into by institutions, to disclose education The term ‘‘authorized representative’’
individual schools or that any resulting records without consent to State also includes an outside researcher
redisclosures be recorded by the educational authorities for audit and working as a contractor of a State
individual schools. evaluation purposes, which can include educational authority or other official
One commenter asked for clarification a general range of research studies listed in § 99.31(a)(3) that has
regarding whether § 99.31(a)(6) beyond the more limited group of outsourced the evaluation of Federal or
permitted a school to disclose a studies specified under § 99.31(a)(6). State supported education programs. An
student’s education records to his or her Also, as explained more fully elsewhere outside researcher may conduct
previous school for the purpose of in this preamble, while a State independent research under this
evaluating Federal or State-supported educational authority must have the provision in the sense that the
education programs or for improving underlying legal authority to audit or researcher may propose or initiate
instruction. evaluate the records it receives from research projects for consideration and
Another commenter stated that the LEAs or postsecondary institutions approval by the State educational
Department should further revise the under § 99.35, the LEA or postsecondary authority or other official listed in
regulations to provide that only institution is not required to enter into § 99.31(a)(3) either before or after the
individuals in the organization a written agreement for the audit or parties have negotiated a research
conducting the study who have a evaluation as it is required to do under agreement. Likewise, the State
legitimate interest in the information § 99.31(a)(6). (See Redisclosure of educational authority or official does
disclosed be given access to the Education Records and Recordkeeping not have to agree with or endorse the
information. The commenter also stated by State and Local Educational researcher’s results or conclusions. In so
that the Department should specifically Authorities and Federal Officials and doing, an outside researcher retained to
limit § 99.31(a)(6) to bona fide research Agencies.) The absence of an evaluate education programs by a State
projects by prohibiting organizations explanation of the authorized educational authority or other official
conducting studies under this exception representatives exception (§ 99.31(a)(3)) listed in § 99.31(a)(3) as an ‘‘authorized
from using record-level data for other in the NPRM created confusion, representative’’ may be given access to
operational or commercial purposes. especially with regard to how State personally identifiable information from
The commenter also expressed concern departments of education may utilize education records, including statistical
about the duration of research projects, education records for evaluation information with unmodified small data
noting that significantly more restrictive purposes. Therefore, we have included cells. However, the term ‘‘authorized
access should be required for studies that explanation here. representative’’ does not include
that track personally identifiable The conditions for disclosing independent researchers that are not
information for long periods of time. education records without consent contractors or other parties under the
The commenter stated further that the under §§ 99.31(a)(3)(iv) and 99.35 are direct control of an official or agency
Department should consider imposing a discussed in the Department’s listed in § 99.31(a)(3).
time limit on how long information Memorandum from the Deputy While an educational agency or
obtained through longitudinal studies Secretary of Education (January 30, institution may not disclose personally
can be retained. 2003) available at http://www.ed.gov/ identifiable information from students’
Discussion: FERPA permits an policy/gen/guid/secletter/030130.html. education records to independent
educational agency or institution to The Deputy Secretary’s memorandum researchers, nothing in FERPA prohibits
them from disclosing information that and students’ privacy rights, and, necessary by the parties to support the
has been properly de-identified. Further therefore, supported the restrictions that purposes of the authorized study or
discussion of this issue is provided in the Secretary included in this provision. studies, be established in the written
the following paragraphs and under the Specifically, they supported the new agreement.
section entitled Personally Identifiable requirement that educational agencies One commenter approved including
Information and De-Identified Records and institutions must enter into a the requirements regarding the use and
and Information. written agreement with the organization destruction of data in the written
An SEA or other State educational conducting the study that specifies: the agreement as a way of improving
authority that has legal authority to purpose of the study, that the compliance with FERPA. However, the
enter into agreements for LEAs or information from the education records commenter questioned our explanation
postsecondary institutions under its disclosed be used only for the stated that the language in the statute
jurisdiction may enter into an agreement purpose, that individuals outside the providing that the study must be
with an organization conducting a study organization may not have access to conducted ‘‘for, or on behalf of’’ the
for the LEA or institution under the personally identifiable information educational agency or institution means
studies exception. If the SEA or other about the students being studied, and that the disclosing school must retain
State educational authority does not that the information be destroyed or control over the information once it has
have the legal authority to act for or on returned when it is no longer needed for been given to a third party conducting
behalf of an LEA or institution, then it the purpose of the study. a study. The commenter believed that
would not be permitted to enter into an Several commenters said that the school districts will not be involved in
agreement with the organization Department should clarify that the how a study is performed and that the
conducting the study under this existence of a written agreement is not written agreement with the organization
exception. As previously mentioned, a rationale in and of itself for the specifying the organization’s obligations
FERPA authorizes certain disclosures disclosure of education records. They with regard to the use and destruction
without consent; it does not provide an stated that the regulations should of data should be sufficient.
SEA or other State educational authority provide explicitly that a written Discussion: The Secretary shares the
with the legal authority to act for or on agreement does not modify the concerns raised by commenters that
behalf of an LEA or postsecondary protections under FERPA or justify the § 99.31(a)(6) not be read so broadly as to
institution. use of the records transferred other than erode parents’ and students’ privacy
With regard to the request for as permitted by the statute and the rights. Accordingly, we have revised
clarification whether § 99.31(a)(6) regulations. Some of these commenters § 99.31(a)(6) to address some of these
permits a school to disclose a student’s stated that the written agreement should concerns and believe that these changes
education records to his or her previous include a description of the specific will provide adequate protection of
school for evaluation purposes, the records to be disclosed for the study. students’ education records that may be
studies exception only allows Several commenters agreed with the disclosed under the studies exception.
disclosures to organizations conducting provision in the proposed regulations In the NPRM, we proposed to remove
studies for, or on behalf of, the that specified that an educational current § 99.31(a)(6)(ii)(A) and (B) and
educational agency or institution that agency or institution does not need to included these requirements under the
discloses its records. The ‘‘for, or on agree with or endorse the conclusions or provisions for written agreements.
behalf of’’ language from the statute results of the study. Other commenters These paragraphs provide that the study
does not permit disclosures under this asked that we include in the regulations must be conducted in a manner that
exception so that the receiving the explanation provided in the does not permit personal identification
organization can conduct a study for preamble to the NPRM that the school of parents and students by individuals
itself or some other party. This issue is also does not need to initiate the study. other than representatives of the
discussed in more detail under the One commenter suggested that we organization and that the information be
section of this preamble entitled change the references from ‘‘study’’ to destroyed when no longer needed for
Disclosure of Education Records to ‘‘studies’’ so that it is clear that an the purposes for which the study was
Student’s Former Schools. agency or institution and a research conducted. We are including
We agree with the comment that the organization could enter into one § 99.31(a)(6)(ii)(A) and (B) in the final
regulations should be revised to provide agreement that would cover a variety of regulations. After reviewing comments
that only those individuals in the studies that support the State’s or school on the proposed changes, we concluded
organization conducting the study that district’s educational objectives. One that, by moving these two provisions
have a legitimate interest in the commenter suggested that the into the new paragraph relating to
personally identifiable information from Department certify agreements between written agreements, we would have
education records can have access to the educational agencies and research weakened the statutory requirements
records. The Secretary also shares the organizations as meeting the concerning the studies exception. We
commenter’s concerns about limiting requirements of FERPA. believe this correction will alleviate
§ 99.31(a)(6) to bona fide research There were several comments on the commenters’ concerns about weakening
projects, prohibiting commercial destruction of information requirements parents’ and students’ privacy rights
utilization of education records, and in FERPA. Some suggested that we under FERPA.
limiting the duration of research include in the regulations the specific We agree with the comments that the
projects. We address these issues in time period by which information existence of a written agreement is not
greater detail in the following section disclosed to a researcher must be a rationale in and of itself for the
concerning written agreements. destroyed, while others stated that disclosure of education records. As a
Changes: None. ongoing access to data is necessary and privacy statute, FERPA requires that
that researchers should be permitted to parents and eligible students provide

(b) Written Agreements for Studies retain information indefinitely. Some written consent before educational
Comment: Several commenters commenters suggested that the required agencies and institutions disclose
expressed concern that § 99.31(a)(6) not time period for the destruction or return personally identifiable information from
be read so broadly as to erode parents’ of education records, as deemed students’ education records. There are
several statutory exceptions to FERPA’s not to release de-identified information as a school official is subject to FERPA’s
general consent rule, one of which is in these circumstances, we recommend restrictions on the use and redisclosure
§ 99.31(a)(6), an exception that permits that schools reduce the risk of of personally identifiable information
disclosure of records for studies limited unauthorized disclosure by removing from education records, educational
to the purposes specified in the statute direct identifiers, such as names and agencies and institutions must ensure
and regulations. However, a written SSNs, from records that don’t require that organizations with which they have
agreement, a memorandum of them, even though these records may entered into an agreement to conduct a
understanding, or a contract is not a still contain some personally study also comply with FERPA’s
justification for disclosure of education identifiable information. This is restrictions on the use of personally
records. Rather, a disclosure must meet especially important when a school also identifiable information from education
the requirements in § 99.31(a)(6) or the discloses sensitive information about records. (See pages 15578–15580 of the
other permitted disclosures under students, such as type of disability and NPRM.) That is, the school must retain
§ 99.31. If a disclosure meets the special education services received by control over the organization’s access to
conditions of § 99.31(a)(6), the the students. and use of personally identifiable
disclosure may be made, and the written We agree with commenters that information from education records for
agreement sets forth the requirements § 99.31(a)(6) should be revised to purposes of the study or studies,
that must be followed when entering indicate that an educational agency or including access by the organization’s
into such an agreement. institution is not required to initiate a own employees and subcontractors, as
As noted in our earlier discussion of study. Additionally, we have revised well as any school officials whom the
the scope and applicability of the § 99.31(a)(6) to include the word organization permits to have access to
studies exception, the Secretary concurs ‘‘studies’’ so that an educational agency education records.
that the regulations should be revised to or institution may utilize one written An educational agency or institution
require that a written agreement agreement for more than one study, so may need to determine that the
expressly include the purpose, scope, long as the requirements concerning organization conducting the study has
and duration of the agreed upon study, information that must be in the reasonable controls in place to ensure
as well as the information to be agreement are met. that personally identifiable information
disclosed. We also agree with While we do not have the authority from education records is protected. We
commenters that the regulations should under FERPA to officially certify note that it is common practice for some
specifically limit any disclosures of agreements between educational data sharing agreements to have a
personally identifiable information from agencies and institutions and ‘‘controls section’’ that specifies
students’ education records to those organizations conducting studies, FPCO required controls and how they will be
individuals in the organization does provide technical assistance to verified (e.g., surprise inspections). We
conducting the study that have a educational agencies or institutions on recommend that the agreement required
legitimate interest in the information. FERPA. As such, if school officials have by § 99.31(a)(6) include a section that
This requirement is consistent with questions about whether an agreement sets forth similar requirements. If a
§ 99.32(a)(3)(ii), which requires that an meets the requirements in § 99.31(a)(6), school is unable to verify that these
educational agency or institution record they may contact FPCO for assistance. controls are in place, then it should not
the ‘‘legitimate interests’’ the parties had With regard to the comments that we disclose personally identifiable
in obtaining information under FERPA. include in the regulations a specific information from education records to
The Secretary strongly recommends time period by which information an organization for the purpose of
that schools carefully limit the provided under the studies exception conducting a study.
disclosure of students’ personally must be destroyed, we believe that the In this regard, it should be noted that
identifiable information under this and parties entering into the agreement educational agencies and institutions
the other exceptions in § 99.31 and should decide when information has to are responsible for any failures by an
reminds educational agencies and be destroyed or returned to the organization conducting a study to
institutions that disclosures without educational agency or institution. As we comply with applicable FERPA
consent are subject to § 99.33(a)(2), have discussed, we have revised requirements. FERPA states that if a
which states: ‘‘The officers, employees, § 99.31(a)(6) to require that the written third party outside the educational
and agents of a party that receives agreement include the duration of the agency or institution fails to destroy
information under paragraph (a)(1) of study and the time period during which information in violation of 20 U.S.C.
this section may use the information, the organization must either destroy or 1232g(b)(1)(F), the studies exception in
but only for the purposes for which the return the information to the FERPA, the educational agency or
disclosure was made.’’ The recordation educational agency or institution. institution shall be prohibited from
requirements in § 99.32 also apply to With regard to the comment that a permitting access to information from
any disclosures of personally written agreement with the organization education records to that third party for
identifiable information made under the conducting the study should be a period of not less than five years. See
studies exception. (We note that a sufficient for an educational agency or 20 U.S.C. 1232g(b)(4)(B).
school does not have to record the institution to retain control over Changes: We have revised
disclosure of information that has been information from education records § 99.31(a)(6) to: (1) Retain
properly de-identified.) once the information is given to an § 99.31(a)(6)(ii)(A) and (B); (2) amend
Although FERPA permits schools to organization conducting a study, we § 99.31(a)(6)(ii)(A) to provide that the
disclose personally identifiable agree that a written agreement required study must be conducted in a manner
information under § 99.31(a)(6) to under the regulations will help ensure that does not permit personal
organizations conducting studies for or that the information is used only to identification of parents or students by
on its behalf, the Secretary recommends meet the purposes of the study stated in anyone other than representatives of the
that educational agencies and the written agreement and that all organization that have legitimate
institutions release de-identified applicable requirements are met. interest in the information; (3) amend
information whenever possible under However, similar to the requirement § 99.31(a)(6)(ii)(C) to require that the
this exception. Even when schools opt that an outside service provider serving written agreement specify the purpose,
scope, and duration of the study and the needs of students, including special information from education records in
information to be disclosed; require the needs, low-income, and at-risk students. order to audit Federal and State
organization to use personally One SEA commented that it did not supported education programs,
identifiable information from education support extending access to student data notwithstanding that the statutory
records only to meet the purpose or to non-education State agencies, except language in the amendment refers only
purposes of the study as stated in the to State auditors, as specified in to ‘‘State and local educational
written agreement; limit any disclosures proposed § 99.35(a)(3). This commenter officials.’’ See 20 U.S.C. 1232g(b)(5);
of information to individuals in the asserted that access to and use of H.R. Rep. No. 338, 96th Cong., 1st Sess.
organization conducting the study who information from students’ education at 10 (1979), reprinted in 1979 U.S.
have a legitimate interest in the records should be controlled by a Code Cong. & Admin. News 819, 824.
information; and require the limited number of education officials This legislative history provides a basis
organization to destroy or return to the who are sensitive to the intent of FERPA for drawing a distinction between State
educational agency all personally and well acquainted with its safeguards. auditors and officials of other State
identifiable information when the Discussion: There is no specific agencies that also are not under the
information is no longer needed for the exception to the written consent control of the State educational
purposes of the study and specify the requirement in FERPA that permits the authority. (As explained more fully
time period during which the disclosure of personally identifiable under State auditors, upon further
organization must either destroy or information from students’ education review, we have removed from the final
return the information to the records to non-educational State regulations the proposed regulations
educational agency or institution; and agencies. Educational agencies and related to State auditors and audits.)
(4) amend § 99.31(a)(6) in new institutions may disclose personally The 1979 amendment to FERPA does
paragraph (iii) to provide that an identifiable information for audit or not apply to other State officials or
educational agency or institution is not evaluation purposes under agencies, and there is no other
required to initiate a study. §§ 99.31(a)(3) and 99.35 only to legislative history to indicate that
authorized representatives of the Congress intended that FERPA be
Disclosure of Education Records to officials or agencies listed in interpreted to permit educational
Non-Educational State Agencies § 99.31(a)(3)(i) through (iv). Typically, agencies and institutions, or State and
Comment: Several commenters stated LEAs and their constituent schools local educational authorities or Federal
that the proposed amendments did not disclose education records to State officials and agencies listed in
specifically address whether an educational authorities under § 99.31(a)(3), to share students’
educational agency or institution is § 99.31(a)(3)(iv), such as the SEA, for education records with non-educational
permitted to disclose education records audit, evaluation, or compliance and State officials. In fact, Congress has, on
to non-educational State agencies, such enforcement purposes. numerous occasions, indicated
as State health or labor agencies, as part There are some exceptions that might otherwise.
of an agreement with those agencies, authorize disclosures to non- As discussed elsewhere in this
without first obtaining consent. One educational State agencies for specified preamble under the heading Health or
commenter said that because the purposes. For example, disclosures may Safety Emergency, the HIPAA Privacy
Department has taken the position that be made in a health or safety emergency Rule specifically excludes from
education records may be shared with (§§ 99.31(a)(10) and 99.36), in coverage health care information that is
State auditors who are not educational connection with financial aid maintained as an ‘‘education record’’
officials and who are not, by definition, (§ 99.31(a)(4)), or pursuant to a State under FERPA. 45 CFR 160.103,
under the control of a State educational statute under the juvenile justice system Protected health information. We
authority, there is no legal basis to exception (§§ 99.31(a)(5) and 99.38), and understand that the HIPAA Privacy Rule
prohibit the disclosure of education any disclosures must meet the specific allows covered entities to disclose
records to other non-educational State requirements of the particular identifiable health data without written
and local agencies. exception. FERPA, however, does not consent to public health authorities.
Some officials representing State contain any specific exceptions to However, there is no comparable
health agencies commented that FERPA permit disclosures of personally exception to the written consent
should be more closely aligned with the identifiable information without requirement in FERPA.
disclosure provisions of the HIPAA consent for public health or As mentioned previously, in
Privacy Rule. One commenter noted that employment reporting purposes. That conducting an audit, evaluation, or
there was a critical need for public said, nothing in FERPA prohibits an compliance or enforcement activity, an
health researchers to be able to access, educational agency or institution from educational authority may collaborate
without consent, personally identifiable importing information from another with other State agencies by importing
information contained in student health source to perform its own evaluations. data from those sources and conducting
records to allow for analyses, public We believe that any further expansion necessary matches. Any reports or other
health studies, and research that will of the list of officials and entities in information created as a result of the
benefit school-aged children, as well as FERPA that may receive education data matches may only be released to
the general population. One records without the consent of the those non-educational officials in non-
organization representing school nurses parent or eligible student must be personally identifiable form.
noted that public health officials need authorized by legislation enacted by Educational authorities may also release
access to education records for the Congress. information on students to non-
purposes of public health reporting, We explained in the NPRM on page educational officials that has been
surveillance, and reimbursement. 15577 that, with respect to State properly de-identified, as described in
Several commenters recommended auditors, legislative history for the 1979 § 99.31(b)(1).
that SEAs be authorized to share data FERPA amendment indicates that Additionally, many agencies
from education records with State social Congress specifically intended that providing services to low income or at-
services, health, juvenile, and FERPA not preclude State auditors from risk families have parents sign a consent
employment agencies, to serve the obtaining personally identifiable form authorizing disclosure of
information at intake time so that the already enrolled if the disclosure relates changes to the definition of personally
agency can receive necessary to the student’s enrollment or transfer. identifiable information. One
information from schools. In 1993, we There is no specific authority in FERPA commenter applauded the Department’s
amended the FERPA regulations to help for an educational agency or institution, recognition of the increasing ease of
facilitate this practice. In final or a State or local educational authority, identifying individuals from redacted
regulations published in the Federal to disclose or redisclose personally records and statistical information
Register on January 7, 1993 (58 FR identifiable information from education because of the large amount of detailed
3188), we removed the previous records to a student’s former school personal information that is maintained
requirement in the regulations that without consent. on most Americans by many different
schools ‘‘obtain’’ consent from parents As discussed above, §§ 99.31(a)(3) and organizations. This commenter and
and eligible students so that parents and 99.35 allow educational agencies and others, however, stated that the
eligible students may ‘‘provide’’ a institutions to disclose personally proposed regulations did not go far
signed and dated consent to third identifiable information from education enough to ensure that personally
parties in order for the school to records without consent to State and identifiable information about students
disclose education records to those local educational authorities that are would not be released.
parties. legally authorized to audit or evaluate One commenter expressed concern
Therefore, parents can provide the disclosing institution’s programs or about our proposal to eliminate
consent at intake time to State and local records. We encourage State and local paragraphs (e) and (f) from the existing
social services and other non- authorities to take advantage of this definition of personally identifiable
educational agencies serving the needs exception and establish or modify State information, which included a list of
of students in order to permit their or local legal authority, as necessary, to personal characteristics and other
children’s schools (or the SEA) to allow K–12 and postsecondary information that would make a student’s
disclose education records to the educational authorities to audit or identity easily traceable. The
agency. For example, parents routinely evaluate one another’s programs. As commenter said that this was a change
provide consent to the Medicaid agency noted above, the Department will to long-standing Department policy and
that permits that agency to collect generally defer to a State Attorney represented an unwarranted invasion of
information from other agencies on the General’s interpretation of State or local privacy that exceeds statutory authority.
family being served. In many cases law on these matters. This commenter also expressed concern
those consents are written in a manner Section 99.31(a)(6) allows an that eliminating the ‘‘easily traceable’’
that complies with the consent educational agency or institution to provisions for determining whether
requirement in § 99.30, and the disclose personally identifiable information was personally identifiable
student’s school may disclose information from education records could prevent parents from accessing
information to the Medicaid agency without consent to an organization their children’s education records and
necessary for reimbursement purposes conducting a study for, or on behalf of, might allow school officials to
for services provided the student. the agency or institution that discloses circumvent FERPA requirements by
Changes: None. its records. The ‘‘for, or on behalf of’’ using nicknames, initials, and other
Disclosure of Education Records to language from the statute and personal characteristics to refer to
Student’s Former Schools regulations, however, does not allow the children.
educational agency or institution to In contrast, several commenters stated
(§§ 99.31(a)(3), 99.31(a)(6), and
disclose personally identifiable that the regulations would be
99.35(b))
information from education records unworkable or were too restrictive and
Comment: One commenter asked for would prevent or discourage the release
clarification whether a school could under this exception so that the
receiving organization can conduct a of information from education records
disclose a student’s education records to needed for school accountability and
the student’s previous school for the study for itself or some other party.
Further, the Secretary does not as a other public purposes. These
purpose of evaluating Federal or State commenters stated that paragraphs (f)
supported education programs or for policy matter support expanding the
and (g) in the proposed definition of
improving instruction. Several studies exception to permit such a
personally identifiable information,
commenters said that there is a critical disclosure because it would result in a
which replaces the ‘‘easily traceable’’
need for school districts to be able to vast increase in the number of parties
provisions, would provide school
access the records of their former gaining access to and maintaining
officials too much discretion to conceal
students from the student’s new district personally identifiable information on
information the public deserves to have
or postsecondary institution so that the students. As discussed below,
in order to debate public policy.
previous institution can evaluate the educational agencies and institution and
Proposed paragraph (f) provided that
effectiveness of its own education other parties, including State
personally identifiable information
programs. Some commenters said that educational authorities, may always
includes other information that, alone or
§ 99.35(a) clearly allows a K–12 data release information from education in combination, is linked or linkable to
system to use postsecondary records to records to a student’s former school, a specific student that would allow a
evaluate its own programs, and that a without consent, if all personally reasonable person in the school or its
K–12 system does not need to have legal identifiable information has been community, who does not have personal
authority to evaluate postsecondary removed. knowledge of the relevant
programs for the disclosure to be valid Personally Identifiable Information and circumstances, to identify the student
under the audit or evaluation exception. De-Identified Records and Information with reasonable certainty. Proposed
Discussion: Section 99.31(a)(2) allows (§§ 99.3 and 99.31(b)) paragraph (g) provided that personally
an educational agency or institution to identifiable information includes

disclose personally identifiable (a) Definition of Personally Identifiable information requested by a person who
information from education records, Information the educational agency or institution
without consent, to a school where the Comment: We received a number of reasonably believes has direct, personal
student seeks or intends to enroll or is comments on proposed § 99.3 regarding knowledge of the identity of the student
to whom the education record relates, technological abilities to identify records, whether the knowledge is
sometimes known as a ‘‘targeted students based on supposedly de- ‘‘direct’’ or ‘‘personal.’’
request.’’ identified information. Another Other commenters expressed a more
Several commenters expressed commenter said that the reference in general concern that the standard for
support for the provisions in paragraphs paragraph (f) to a ‘‘reasonable person’’ targeted requests in paragraph (g) places
(f) and (g) of the definition of personally should be changed to ‘‘ordinary an undue burden on school officials to
identifiable information. One of these person.’’ A commenter said that if we obtain information about the person
commenters said that the ‘‘school and retain the ‘‘reasonable person’’ standard, requesting information and creates a
community’’ limitation and the we should remove the references to the potential conflict with State open
‘‘reasonable person’’ standard in school or its community and personal records laws. According to these
paragraph (f) is sufficiently clear for knowledge of the circumstances and commenters, the regulations as
implementation by parties that release simply refer to a reasonable person. proposed would encourage agencies and
de-identified records. Another Several commenters said the ‘‘school or institutions to make illegitimate
commenter said that ambiguity in the its community’’ standard is too vague inquiries into a requester’s motives for
terms ‘‘reasonable person’’ and and needs to be clarified, particularly in seeking information and what the
‘‘reasonable certainty’’ was necessary so relation to the provision in paragraph (g) requester intends to do with it, or
that organizations can develop their regarding targeted requests; these require the agency or institution to read
own standards for addressing the commenters said that school officials the mind of a party requesting
problem of ensuring that information will choose to evaluate a request for information. According to the
that is released is not personally information based on whether a commenter, this would introduce a
identifiable. This commenter asked the reasonable person in the community, a degree of subjective judgment that
Department to retain the flexibility in broader standard than a reasonable would invariably lead to abuse because
the proposed language and provide person in the school, could identify the the same record that could be
examples of policies that have been student and automatically find their considered a public record to one
implemented that meet the own decisions to be reasonable. One requester could be a confidential
requirements in paragraphs (f) and (g) of commenter said that the phrase document to another. A large university
the definition. The commenter said that ‘‘relevant circumstances’’ in paragraph that has decentralized administrative
most school districts know when they (f) is vague. operations questioned how it could be
are receiving a targeted request One commenter said that the standard expected to take institutional knowledge
(paragraph (g)) but asked that the in paragraph (f) about whether the into account in evaluating whether a
Department provide examples to help information requested is ‘‘linked or request for records is targeted and asked
districts determine whether a non- linkable’’ to a specific student was too for confirmation that the Department
targeted request will reveal personally vague and overly broad and could be will not substitute its judgment for that
identifiable information. logically extended to cover almost any of the institution so long as there was a
Journalism and writers’ associations information about a student. This rational basis for the decision to release
expressed concern about the commenter said that the regulations information.
‘‘reasonable person’’ standard in should focus on preventing the release We received a few comments on the
paragraph (f) and our statement in the of records that in and of themselves example of a targeted request that we
preamble to the NPRM (73 FR 15583) contain unique personal descriptors that provided in the preamble to the NPRM
that an educational agency or institution would make the student identifiable in (73 FR 15583–15584), in which rumors
may not be able to release redacted the school community and not refer to circulate that a candidate running for
education records that concern students outside information, including what political office plagiarized other
or incidents that are well-known in the members of the public might know students’ work, and a reporter asks the
school community, including when the independently of the records university for the redacted disciplinary
parent or student who is the subject of themselves. records of all students who were
the record contacts the media and Several commenters expressed disciplined for plagiarism for the year in
causes the publicity that prevents the concerns that the provision in paragraph which the candidate graduated. We
release of the record. These commenters (g) regarding targeted requests will make explained that the university may not
stated that FERPA should not prevent FERPA and the regulations release the records in redacted form
schools from releasing records from administratively unwieldy and because the circumstances indicate that
which all direct and indirect identifiers, unnecessarily subjective. One of these the requester had direct, personal
such as name, date of birth, address, commenters said that paragraph (g) is knowledge of the subject of the case.
unusual place of birth, mother’s maiden unclear and adds more confusion as Two commenters said that confirmation
name, and sibling information, have opposed to providing clarity; this that one unnamed student was
been removed without regard to any commenter said that paragraph (g) disciplined in 1978 for plagiarism does
outside information, particularly after a should be removed and that the not identify that student or confirm that
student or parent has waived any requirements in paragraph (f) were the candidate was that student, and our
pretense of confidentiality by contacting sufficient. Another commenter said that explanation of the standard with this
the media. They also said that the the standard in paragraph (g) unfairly example showed that the regulations
proposed definition of personally holds agencies and institutions would prevent parents and the media
identifiable information does not responsible for ascertaining the from discharging their vital oversight
acknowledge the public interest in requester’s personal knowledge. One responsibilities.
school accountability. commenter said that we should delete One school district said that the
One commenter said that the the words ‘‘direct, personal’’ before targeted request provision could impair
‘‘reasonable person in the school or its ‘‘knowledge’’ because these terms are due process in some student discipline
community’’ standard in paragraph (f) unclear. According to this commenter, if cases by limiting the release of redacted
was too narrow and inappropriate a school reasonably believes that the witness statements that concern more
because it would allow individuals with requester knows the student’s identity, than one student. The commenter
even modest scientific and the school should not disclose the suggested that under its current
practice, if four students are involved in and place of birth, race, ethnicity, even without access to any personal
an altercation, the school redacts all gender, physical description, disability, knowledge, such as a key that
personally identifiable information with activities and accomplishments, specifically links the initials, nickname,
regard to students 2 through 4 when disciplinary actions, and so forth, can or personal characteristics to the
releasing the statement without parental indirectly identify someone depending student.
consent to student 1, but under the on the combination of factors and level In contrast, if a teacher uses a special
proposed regulations, student 1’s of detail released. Similarly, and as code known only by the teacher and the
request would violate the requirements noted in the preamble to the NPRM, 73 student (or parent) to identify a student,
in paragraph (g) because of the student’s FR 15584, the existing professional such as for posting grades, this code is
knowledge of the identity of the other literature makes clear that public not considered personally identifiable
students to whom the record relates. directories and previously released information under FERPA because the
This commenter said that the information, including local publicity only reason the teacher can identify the
regulations should not be adopted if and even information that has been de- student is because of the teacher’s
they do not address these due process identified, is sometimes linked or access to personal knowledge of the
concerns. linkable to an otherwise de-identified relevant circumstances, i.e., the key that
Several commenters said they record or data set and renders the links the code to the student’s name.
appreciated the addition of a student’s information personally identifiable. The In response to the commenter who
date of birth and other indirect regulations properly require parties that stated that a school should not be
identifiers in the definition of release information from education prevented from releasing information
personally identifiable information. records to address these situations. when the subject of the record has
Another commenter said that a We removed the ‘‘easily traceable’’ waived any pretense of confidentiality
comprehensive list of indirect standard from the definition of by contacting the media and making the
identifiers would be helpful. One personally identifiable information incident well-known in the community,
commenter asked us to define the because it lacked specificity and clarity. we have found that in limited
concept of indirect identifiers. Another We were also concerned that the ‘‘easily circumstances a parent or student may
commenter asked us to clarify which traceable’’ standard suggested that a impliedly waive their privacy rights
personally identifiable data elements fairly low standard applied in protecting under FERPA by disclosing information
may be released without consent. A education records, i.e., that information to parties in a special relationship with
commenter asked us to define the term was considered personally identifiable the institution, such as a licensing or
biometric record as used in the only if it was easy to identify the accreditation organization. However, we
definition of personally identifiable student. have not found and do not believe that
information. The removal of the ‘‘easily traceable’’ parents and students generally waive
Discussion: The Joint Statement standard and adoption of the standards their privacy rights under FERPA by
explains that the purpose of FERPA is in paragraphs (f) and (g) will not affect sharing information with the media or
two-fold: to assure that parents and a parent’s right under FERPA to inspect other members of the general public.
eligible students can access the and review his or her child’s education The fact that information is a matter of
student’s education records, and to records. Records that teachers and other general public interest does not give an
protect their right to privacy by limiting school officials maintain on students educational agency or institution
the transferability of their education that use only initials, nicknames, or permission to release the same or
records without their consent. 120 Cong. personal descriptions to identify the related information from education
Rec. 39862. As such, FERPA is not an student are education records under records without consent.
open records statute or part of an open FERPA because they are directly related The ‘‘reasonableness’’ standards in
records system. The only parties who to the student. paragraphs (f) and (g) of the new
have a right to obtain access to Further, records that identify a definition, which replace the ‘‘easily
education records under FERPA are student by initials, nicknames, or traceable’’ standard, do not require the
parents and eligible students. personal characteristics are personally exercise of subjective judgment or
Journalists, researchers, and other identifiable information if, alone or inquiries into a requester’s motives.
members of the public have no right combined with other information, the Both provisions require the disclosing
under FERPA to gain access to initials are linked or linkable to a party to use legally recognized, objective
education records for school specific student and would allow a standards by referring to identification
accountability or other matters of public reasonable person in the school not in the mind of the disclosing party
interest, including misconduct by those community who does not have personal or requester but by a reasonable person
running for public office. Nonetheless, knowledge about the situation to and with reasonable certainty, and by
as explained in the preamble to the identify the student with reasonable requiring the disclosing party to
NPRM, 73 FR 15584–15585, we believe certainty. For example, if teachers and withhold information when it
that the regulatory standard for defining other individuals in the school reasonably believes certain facts to be
and removing personally identifiable community generally would not be able present. These are not subjective
information from education records to identify a specific student based on standards, and these changes will not
establishes an appropriate balance that the student’s initials, nickname, or diminish the privacy protections in
facilitates school accountability and personal characteristics contained in the FERPA.
educational research while preserving record, then the information is not The standard proposed in paragraph
the statutory privacy protections in considered personally identifiable and (f) regarding the knowledge of a
FERPA. may be released without consent. reasonable person in the school or its
The simple removal of nominal or Experience has shown, however, that community was not intended to
direct identifiers, such as name and SSN initials, nicknames, and personal describe the technological or scientific
(or other ID number), does not characteristics are often sufficiently skill level of a person who would be
necessarily avoid the release of unique in a school community that a capable of re-identifying statistical
personally identifiable information. reasonable person can identify the information or redacted records. Rather,
Other information, such as address, date student from this kind of information it provided the standard an agency or
institution should use to determine community, the region or State, the community, such as when a requester
whether statistical information or a United States, and the world in general. asks for the redacted transcripts of all
redacted record will identify a student, The ‘‘school community’’ standard, basketball players who were expelled
even though certain identifiers have therefore, provides the maximum for accepting bribes after the local
been removed, because of a well- privacy protection for students. newspaper published a story about the
publicized incident or some other factor We do not agree that the reference to matter. Paragraphs (f) and (g) do not
known in the community. For example, ‘‘reasonable person’’ should be changed require an educational agency or
as explained in the preamble to the to ‘‘ordinary person.’’ ‘‘Reasonable institution to inquire whether a
NPRM, 73 FR 15583, a school may not person’’ is a legally recognized standard requester has special knowledge not
release statistics on penalties imposed that represents a hypothetical, rational, available generally in the school
on students for cheating on a test where prudent, average individual. It would be community that would make the subject
the local media have published confusing and inappropriate to of the record identifiable. We disagree
identifiable information about the only introduce a new term ‘‘ordinary’’ in this with the comment that paragraph (f) is
student (or students) who received that context. sufficient and paragraph (g) should be
penalty; that statistical information or The standard in paragraph (f) removed. Paragraph (g) addresses the
redacted record is now personally excludes from the ‘‘reasonable person in problem of targeted requests, which is
identifiable to the student or students the school community’’ standard not addressed under paragraph (f).
because of the local publicity. persons who have personal knowledge We agree with the comment that the
Paragraph (f) in the proposed of the ‘‘relevant circumstances,’’ which provision in paragraph (g) under which
definition provided that the agency or one commenter considered vague. an agency or institution must determine
institution must make a determination Under this standard, an agency or whether the information requested is
about whether information is personally institution is not required to take into personally identifiable information
identifiable information not with regard consideration when releasing redacted based on its reasonable belief that the
to what someone with personal or statistical information that someone requester has ‘‘direct, personal’’
knowledge of the relevant with special knowledge of the knowledge of the identity of the student
circumstances would know, such as the circumstances could identify the to whom the record relates is ambiguous
principal who imposed the penalty, but student. For example, if it is generally and confusing, especially in relation to
with regard to what a reasonable person known in the school community that a what might be considered indirect
in the school or its community would particular student is HIV-positive, or knowledge. Therefore, we have
know, i.e., based on local publicity, that there is an HIV-positive student in modified this provision so that an
communications, and other ordinary the school, then the school could not educational agency or institution must
conditions. We agree with the comment reveal that the only HIV-positive simply have a reasonable belief that the
that the ‘‘school or its community’’ student in the school was suspended. requester knows the identity of the
standard was confusing because it was However, if it is not generally known or student to whom the record relates.
not clear whether just the school itself obvious that there is an HIV-positive In reviewing a complaint that an
or the larger community in which the student in school, then the same educational agency or institution
school is located is the relevant group information could be released, even disclosed personally identifiable
for determining what a reasonable though someone with special information from an education record in
person would know. knowledge of the student’s status as response to a targeted request, the
We are changing this standard in HIV-positive would be able to identify Department would examine the request
paragraph (f) to the ‘‘school the student and learn that he or she had itself, the facts on which the agency or
community’’ and by this change we been suspended. institution based its decision to release
mean that an educational agency or The provisions in paragraph (g) the information, as well as any
institution may not select a broader regarding targeted requests do not information known generally in the
‘‘community’’ standard when the require an educational agency or school community that the agency or
information to be released would be institution to ascertain or guess a institution failed to take into account.
personally identifiable under the requester’s motives for seeking The Department would also counsel an
narrower ‘‘school’’ standard. For information from education records or agency or institution about the nature of
example, it might be well known among what a requester intends to do with the the violation in connection with the
students, teachers, administrators, information. This paragraph addresses a Department’s responsibility for seeking
parents, coaches, volunteers, or others at situation in which a requester seeks voluntary compliance with FERPA
the local high school that a student was what might generally qualify as a before initiating any enforcement action
caught bringing a gun to class last properly redacted record but the facts under § 99.67.
month but generally unknown in the indicate that redaction is a useless With regard to the comment that the
town where the school is located. In formality because the subject’s identity standard in paragraph (g) will impair
these circumstances, a school district is already known. due process in student discipline cases,
may not disclose that a high school An educational agency or institution it is unclear what the commenter means
student was suspended for bringing a is not required under paragraph (g) to by releasing redacted witness statements
gun to class last month, even though a make any special inquiries or otherwise under its current practice. Education
reasonable person in the community seek information about the person records are defined in FERPA as records
where the school is located would not requesting information from education that are directly related to a student and
be able to identify the student, because records. It must use information that is maintained by an educational agency or
a reasonable person in the high school obvious on the face of the request or institution, or by a party acting for the
would be able to identify the student. provided by the requester, such as when agency or institution. 20 U.S.C.
The student’s privacy is further a requester asks for the redacted 1232g(a)(4)(A); 34 CFR 99.3. Under this
protected because a reasonable person transcripts of a particular student. definition, a parent (or eligible student)
in the school community is also Paragraph (f) also requires an agency or has a right to inspect and review any
presumed to have at least the knowledge institution to use information known to witness statement that is directly related
of a reasonable person in the local a reasonable person in the school to the student, even if that statement
contains information that is also directly sequence, facial characteristics, and conduct necessary research without
related to another student, if the handwriting. compromising student privacy. One
information cannot be segregated and We also have revised paragraph (f) in commenter appreciated being able to
redacted without destroying its the definition of personally identifiable attach a code or linking key to records
meaning. information to change the reference to facilitate matching students across
For example, parents of both John and ‘‘school or its community’’ to ‘‘school data sets while preserving student
Michael would have a right to inspect community.’’ In paragraph (g) of the confidentiality.
and review the following information in definition of personally identifiable One commenter stated that de-
a witness statement maintained by their information, we removed the identified data do not support
school district because it is directly requirement that the requester have appropriate analytical research that will
related to both students: ‘‘John grabbed ‘‘direct, personal knowledge.’’ As lead to improved educational outcomes.
Michael’s backpack and hit him over the revised, paragraph (g) provides that Further, according to this commenter,
head with it.’’ Further, in this example, personally identifiable information complete de-identification of
before allowing Michael’s parents to means information requested by a systematic, longitudinal data on every
inspect and review the statement, the person who the educational agency or student may not be possible.
district must also redact any institution reasonably believes knows Two commenters expressed concern
information about John (or any other the identity of the student to whom the that agencies and institutions redact too
student) that is not directly related to record relates. much information from education
Michael, such as: ‘‘John also punched records and said that the Department
(b) De-Identified Records and should err on the side of disclosure of
Steven in the stomach and took his Information
gloves.’’ Since Michael’s parents likely disaggregated data so that journalists
Comment: We received a number of and researchers can obtain accurate
know from their son about other
comments on § 99.31(b)(1), which information about how students in
students involved in the altercation,
would allow an educational agency or every accountability subgroup are
under paragraph (g) the district could institution, or a party that has received performing. These commenters said that
not release any part of this sentence to personally identifiable information from the regulations should take into account
Michael’s parents. We note also that the education records, to release the records the real track record of journalists and
sanction imposed on a student for or information without parental consent researchers in maintaining the
misconduct is not generally considered after the removal of all personally confidentiality of information from
directly related to another student, even identifiable information, provided that education records.
the student who was injured or the educational agency or institution or One commenter said that many
victimized by the disciplined student’s other party has made a reasonable institutions and individuals have the
conduct, except if a perpetrator has been determination that a student’s identity ability to re-identify seemingly de-
ordered to stay away from a victim. is not personally identifiable because of identified data and that it is generally
In order to provide maximum unique patterns of information about the much easier to do than most people
flexibility to educational agencies and student, whether through single or realize because 87 percent of Americans
institutions, we did not attempt to multiple releases, and taking into can be identified uniquely from their
define or list all other ‘‘indirect account other reasonably available date of birth, five-digit zip code, and
identifiers’’. We believe that the information. In order to permit ongoing gender. This commenter said that the
examples listed in paragraph (3) of the educational research with the same regulations need to take into account
definition of personally identifiable data, § 99.31(b)(2) allows an educational that re-identification is a much greater
information—date of birth, place of agency or institution or other party that risk for student data than other kinds of
birth, and mother’s maiden name— releases de-identified, non-aggregated information because FERPA allows for
indicate clearly the kind of information data (also known as ‘‘microdata’’) from the regular publication of student
that could identify a student. Race and education records to attach a code to directories that contain a wealth of
ethnicity, for example, could also be each record, which may allow the personal information, including address
indirect identifiers. It is not possible, recipient to match information received and date of birth, that can be used with
however, to list all the possible indirect from the same source, under three existing tools and emerging technology
identifiers and ways in which conditions—(1) the educational agency to re-identify statistical data, even by
information might indirectly identify a or institution does not disclose any non-experts.
student. Further, unlike the HIPAA information about how it generates and Another commenter said that because
Privacy Rule, these regulations do not assigns a record code, or that would the de-identification process is so
attempt to provide a ‘‘safe harbor’’ by allow a recipient to identify a student resource-intensive, the regulations
listing all the information that may be based on a record code; (2) the record should allow the research entity to de-
removed in order to satisfy the de- code is used for no purpose other than identify education records as a
identification requirements in identifying a de-identified record for contractor under § 99.31(a)(1) of the
§ 99.31(b). We have also added a purposes of education research and regulations.
definition of biometric record that is cannot be used to ascertain personally We explained in the preamble to the
based on National Security Presidential identifiable information about a student; NPRM (73 FR 15585) that educational
Directive 59 and Homeland Security and (3) the record code is not based on agencies and institutions should
Presidential Directive 24. a student’s social security number or monitor releases of coded, de-identified
Changes: We added a definition of other personal information. microdata from education records to
biometric record, which provides that Several commenters supported these ensure that overlapping or successive
the term means a record of one or more proposed regulations and said that they releases do not result in data sets in
measurable biological or behavioral will help facilitate valuable educational which a student’s personally
characteristics that can be used for research. One of these commenters said identifiable information is disclosed.
automated recognition of an individual. that the provisions for de-identification One commenter said that this
Examples include fingerprints, retina of education records create clear monitoring requirement was too
and iris patterns, voiceprints, DNA standards that will allow researchers to burdensome given the vast number of
data requests it receives and asked us to identification that appear to differ from In response to the comment about
limit the monitoring requirement to the standard in § 99.31(b). allowing a researcher to de-identify
single or multiple releases it makes to Discussion: As explained in the education records, educational agencies
the same party. An SEA asked preamble to the NPRM, 73 FR 15584– and institutions may outsource the de-
specifically for clarification in the 15585, we believe that the regulatory identification process to any outside
regulations regarding what steps, if any, standard for de-identifying information service provider serving as a school
it must take to ensure that multiple from education records establishes an official in accordance with the
releases of de-identified data to the appropriate balance that facilitates the requirements in § 99.31(a)(1)(i)(B).
same requester over time that the release of appropriate information for (Those requirements are discussed in
requester intends to use for a school accountability and educational detail in the preamble to the NPRM at
longitudinal study do not result in small research purposes while preserving the 73 FR 15578–15580 and elsewhere in
data cells that may reveal the identity of statutory privacy protections in FERPA. these final regulations.) State and local
the student. A school district said that Unlike the HIPAA Privacy Rule, these educational authorities and Federal
the regulations should require the regulations do not attempt to provide a officials and agencies listed in
destruction of de-identified information ‘‘safe harbor’’ by listing all the direct § 99.31(a)(3) may outsource the de-
from education records by the receiving and indirect identifiers that may be identification process to their
party to avoid the problem of combining removed to satisfy the de-identification authorized representatives under the
successive data releases to identify requirements in § 99.31(b). Rather, they conditions specified in § 99.35.
students. are intended to provide standards under We agree that the risk of re-
Some commenters said that the which information from education identification may be greater for student
regulations should provide objective records may be released without data than other information because of
standards for the de-identification of consent because all personally the regular publication of student
education records. One commenter identifiable information has been directories, commercial databases, and
asked the Department to prescribe a removed. de-identified but detailed educational
method for States to adopt to ensure that The Department recognizes that de-
reports by States and researchers that
student confidentiality is protected. can be manipulated with increasing ease
identified data may not be appropriate
Two commenters asked specifically for by computer technology. As noted in
for all educational research purposes
guidance on what minimum cell size the preamble to the NPRM, 73 FR
and that complete de-identification of
should be allowed when releasing 15584, the re-identification risk of any
longitudinal student data may not be
statistical information. Several given release is cumulative, i.e., directly
possible without sacrificing essential
commenters said that SEAs and school related to what has previously been
content and usability. In these
districts need specific guidance released, and this includes both
situations, and as discussed elsewhere
regarding the release of student publicly-available directory
in this preamble, FERPA allows the
achievement data under the NCLB, information, which is personally
disclosure and redisclosure of
including, in particular, reporting 100 identifiable, and de-identified data
percent achievement of certain personally identifiable information from releases. For that reason, we advised in
performance levels on State education records, without consent, to the NPRM that parties should minimize
assessments. One commenter who researchers under the terms and information released in directories to
opposed restrictions on the release of conditions specified in §§ 99.31(a)(1), the extent possible because, since the
de-identified data referred to instances 99.31(a)(3), and 99.31(6). We note that a enactment of FERPA in 1974, the risk of
in which some States have created researcher who receives personally re-identification from such information
minimum cell sizes of 100 for reporting identifiable information under these has grown as a result of new
disaggregated data under NCLB, which provisions would, however, have to de- technologies and methods.
prevents the release of a great deal of identify any report or other information In response to comments about the
important information. Another in accordance with § 99.31(b) before need to monitor releases of coded, de-
commenter said that our discussion of releasing it to the public or other identified microdata to avoid re-
small cell sizes in the preamble to the parties, including other researchers. identification of the data, because the
NPRM, 73 FR 15584, reflected a In response to comments that risk of re-identification is cumulative,
misunderstanding of the problem. educational agencies and institutions when making a new disclosure of coded
One commenter said that § 99.31(b) is may remove too much information from data an educational agency or
confusing because it is not clear how education records, we note that while institution or other party must take into
paragraph (b)(2), which is limited to we have attempted to provide a account all releases of information from
educational research, relates to balanced standard for the release of de- education records it has made, not just
paragraph (b)(1), which is not so identified data for school accountability releases it has made to the recipient of
limited. This commenter also said that and other purposes, FERPA is a privacy new data. We note that some of the
the regulations impose an unnecessary statute, and no party has a right under publicly available directory information
burden on the entity receiving a request FERPA to obtain information from and de-identified data releases that need
for information and that the education records except parents and to be taken into account have been
requirements of paragraph (f) in the eligible students. Further, there is no produced by the same agency or
definition of personally identifiable statutory authority in FERPA to modify institution, State or local educational
information are sufficient to de-identify the prohibition on disclosure of authority, or Federal official that wishes
education records. Another commenter personally identifiable information from to release newly de-identified
said that the language in § 99.31(b)(1) education records, or the exceptions to information. In general, FERPA poses no
that requires consideration of unique the written consent requirement, based restrictions on the recipient’s use of
patterns of information about a student on the track record of the party, directory information and de-identified
is confusing and creates ambiguity including journalists and researchers, in data from education records. Therefore,
because the definition of personally maintaining the confidentiality of it may be unclear whether previous data
identifiable information itself information from education records that releases are available generally, have
incorporates standards for de- they have received. been shared with a limited number of
parties, or not shared at all. Further, cell size to ensure confidentiality. of the other non-graduate, perhaps
unlike personally identifiable Further, as noted in the preceding learning something she did not already
information that is disclosed under paragraph and in the preamble to the know about the other student. The
§§ 99.31(a)(3) and (a)(6), de-identified NPRM, use of minimum cell sizes or published tables show that there are two
information from education records data suppression is only one of several 12th grade Hispanic females enrolled in
does not have to be destroyed when no ways in which information from special education classes, one with a
longer needed for the purposes for education records may be de-identified learning disability and one with mental
which it was released. We note, before release. Statistical Policy retardation. The tables also show that
however, that a releasing party would Working Paper 22 describes other the two Hispanic females who did not
reduce its monitoring responsibilities if disclosure limitation methods, such as graduate were enrolled in special
it requires destruction or prohibits ‘‘top coding’’ and ‘‘data swapping,’’ education classes, and that the two
redisclosure of coded, de-identified which may be more suitable than simple Hispanic females who did not graduate
microdata, because coded, de-identified data suppression for releasing the were both English language learners.
microdata has a higher risk of re- maximum amount of information to the Others in the school community may be
identification than de-identified public without breaching confidentiality able to identify the two 12th grade
microdata. In the future the Department requirements. Decisions regarding Hispanic females who are English
will provide further information on how whether to use data suppression or language learners enrolled in special
to monitor and limit disclosure of some other method or combination of education classes, but not necessarily be
personally identifiable information in methods to avoid disclosing personally able to distinguish the student with the
successive statistical data releases. identifiable information in statistical learning disability from the student with
In response to requests for guidance information must be made on a case-by- mental retardation. However, each girl
on what specific steps and methods case basis. knows her own disability and by the
should be used to de-identify We agree with the commenter who process of elimination now knows the
information (and as noted in the said that the example we provided in other girl’s disability. Similarly, anyone
preamble to the NPRM, 73 FR 15584), it the preamble to the NPRM regarding the with knowledge of one of the two
is not possible to prescribe or identify small cell problem in reporting that two Hispanic females who did not graduate
a single method to minimize the risk of Hispanic females failed to graduate was can find that girl in the tables, and then
disclosing personally identifiable misleading and offer the following, isolate the characteristics that belong to
information in redacted records or more complete explanation. Simply the other Hispanic female.
statistical information that will apply in knowing that one out of 100 Hispanic This example can be expanded to an
every circumstance, including females failed to graduate does not example with three Hispanic females
determining whether defining a identify which of the Hispanic females who fail to graduate. All three of the
minimum cell size is an appropriate it might be. But suppose this female is Hispanic females who did not graduate
means to protect the confidentiality of an English language learner who is also are English language learners, and two
aggregated data and, if so, selection of enrolled in special education classes. Hispanic females who did not graduate
an appropriate number. This is because The school also publishes tables on are enrolled in special education
determining whether a particular set of participation in special education classes—one with a learning disability
methods for de-identifying data and classes by race, ethnicity, and grade, and the other with mental retardation.
limiting disclosure risk is adequate and tables that include the graduation In this case, the one Hispanic female
cannot be made without examining the status of Hispanic females disaggregated who is an English language learner and
underlying data sets, other data that in one table by English language did not graduate now knows that the
have been released, publicly available proficiency status, and by participation other two Hispanic females in her
directories, and other data that are in special education classes in another. English language learner classes and
linked or linkable to the information in Suppose that these three tabulations also did not graduate are in the special
question. For these reasons, we are each show separately that there is one education program, but she does not
unable to provide examples of rules and 12th grade Hispanic female enrolled in know which condition each girl has. By
policies that necessarily meet the de- special education classes, that the one the same logic, each of the two females
identification requirements in Hispanic female who did not graduate who did not graduate and are in special
§ 99.31(b). The releasing party is was enrolled in special education education classes knows her own
responsible for conducting its own classes, and that the one Hispanic disability and as a result knows the
analysis and identifying the best female who did not graduate was an disability of the other Hispanic female
methods to protect the confidentiality of English language learner. With this who was an English language learner
information from education records it information, the discerning observer enrolled in special education classes
chooses to release. We recommend that knows that the one Hispanic female who did not graduate. These are some
State educational authorities, who failed to graduate is an English examples of situations in which small
educational agencies and institutions, language learner and that she was the cell data reveals personally identifiable
and other parties refer to the examples only 12th grade Hispanic student information from education records.
and methods described in the NPRM at enrolled in special education classes. The Secretary has no statutory
page 15584 and refer to the Federal Any number of people in the school authority to modify the regulations to
Committee on Statistical Methodology’s would be able to identify the Hispanic allow LEAs and SEAs to report that 100
Statistical Policy Working Paper 22, female who did not graduate with these percent of students achieved specified
www.fcsm.gov/working-papers/ three pieces of information. performance levels. In that regard we
wp22.html, for additional guidance. Expanding the example to two note that the Department’s Non-
With regard to issues with NCLB individuals, the logic is similar, except Regulatory Guidance for NCLB Report
reporting in particular, determining the in this case each of the Hispanic females Cards (2003) provides:
minimum cell size to ensure statistical knows her own characteristics and can [S]chools must also ensure that the data
reliability of information is a completely find herself in each of the available they report do not reveal personally
different analysis than that used to tables, and thus by a process of identifiable information about individual
determine the appropriate minimum elimination identifies the characteristics students * * *. States must adopt a strategy
for dealing with a situation in which all definition are sufficient. As explained agency or institution could assist the
students in a particular subgroup scored at above, paragraph (f) does not address third party in the notification
the same achievement level. One solution, the problem of targeted requests. It also requirement, by providing it with
referred to as ‘‘masking’’ the data, is to use
does not address the re-identification contact information so that it could
the notation of >95% when all students in a
subgroup score at the same achievement risk associated with multiple data provide the notice.
level. releases and other reasonably available In order to ensure that this new
information, or allow for the coding of requirement is enforceable, we have also
See www.ed.gov/programs/titleiparta/ de-identified micro data for educational revised § 99.33(e) so that if the
reportcardsguidance.doc on page 3. research purposes. Section 99.31(b) Department determines that a third
Likewise, LEAs and SEAs must adopt a provides the additional standards party, such as an SEA, did not provide
strategy for ensuring that they do not needed to help ensure that educational the notification required under
disclose personally identifiable agencies and institutions and other § 99.31(a)(9)(ii), the educational agency
information about low-performing parties do not identify students when or institution may not allow that third
students when they release information they release redacted records or party access to education records for at
about their high-performing students. statistical data from education records. least five years.
In response to the comments that Changes: We have removed the Changes: We have amended
paragraphs (1) and (2) in § 99.31(b) are reference to ‘‘unique patterns of § 99.33(b)(2) to clarify that the third
confusing, paragraph (1) establishes a information’’ in § 99.31(b). party that receives the subpoena or
standard for de-identifying education court order is responsible for meeting
records that applies to disclosures made Notification of Subpoena (§ 99.33(b)(2)) the notification requirements under
to any party for any purpose, including, Comment: We received a few § 99.31(a)(9). We also have revised
for example, parents and other members comments on our proposal in § 99.33(e) to provide that if the
of the general public who are interested § 99.33(b)(2) to require a party that has Department determines that a third
in school accountability issues, as well received personally identifiable party, such as an SEA, did not provide
as education policy makers and information from education records the notification required under
researchers. The release of de-identified from an educational agency or § 99.31(a)(9)(ii), the educational agency
information from education records institution to provide the notice to or institution may not allow that third
under § 99.31(b)(1) is not limited to parents and eligible students under party access to education records for at
education research purposes because, by § 99.31(a)(9) before it discloses that least five years.
definition, the information does not information on behalf of an educational
contain any personally identifiable agency or institution in compliance Health or Safety Emergency (§ 99.36)
information. with a judicial order or lawfully issued Comment: We received many
Paragraph (2) of § 99.31(b) applies subpoena. One national education comments in support of our proposal to
only to parties conducting education association supported the proposed amend § 99.36 regarding disclosures of
research; it allows an educational amendment. personally identifiable information
agency or institution, or a party that has One commenter asked the Department without consent in a health or safety
received education records, such as a to clarify the intent of the proposed emergency. Most of the parties that
State educational authority, to attach a language. This commenter said that, commented stated that the proposed
code to each record that may allow the when an educational agency or changes demonstrated the right balance
researcher to match microdata received institution requests that a third party between student privacy and campus
from the same educational source under make the disclosure to comply with a safety. A number of commenters
the conditions specified. The purpose of lawfully issued subpoena or court order, specifically supported the clarification
paragraph (2) is to facilitate education it is reasonable to expect the regarding the disclosure of information
research by authorizing the release of educational agency or institution to from an eligible student’s education
coded microdata. The requirements in send the required notice to the records to that student’s parents when a
paragraph (2) that apply to a record code student(s). The commenter also said that health or safety emergency occurs. One
preclude matching de-identified data it was not clear from the proposed commenter said that the proposed
from education records with data from change whether it is sufficient for the amendment would provide appropriate
another source. Therefore, by its terms, educational agency or institution to protection for sensitive and otherwise
the release of coded microdata under send the notice or whether it must come protected information while clarifying
paragraph (2) is limited to education from the third party. that educational agencies and
research. Discussion: The Secretary agrees that institutions may notify parents and
We agree with the commenter who there needs to be clarification about other appropriate individuals in an
stated that the reference in § 99.31(b)(1) which party is responsible for notifying emergency so that they may intervene to
to ‘‘unique patterns of information about parents and eligible students before an help protect the health and safety of
a student’’ is confusing in relation to the SEA or other third party outside of the those involved.
definition of personally identifiable educational agency or institution Discussion: We appreciate the
information and believe that it discloses education records to comply commenters’ support for the
essentially restated the requirements in with a lawfully issued subpoena or amendments to the ‘‘health or safety
paragraph (f) of the definition. court order. We have revised the emergency’’ exception in § 99.36(b).
Therefore, we have removed this phrase regulation to provide that the burden to Educational agencies and institutions
from the regulations. We disagree that notify a parent or eligible student rests are permitted to disclose personally
the definition of personally identifiable with the recipient of the subpoena or identifiable information from students’
information and the requirements in court order. While a third party, such as education records, without consent,
§ 99.31(b) impose an unnecessary an SEA, that is the recipient of a under § 99.31(a)(10) in connection with
burden on the entity receiving a request subpoena or court order is responsible a health or safety emergency.
for de-identified information from for notifying the parents and eligible Disclosures under § 99.31(a)(10) must
education records and that the students before complying with the meet the conditions described in
requirements in paragraph (f) in the order or subpoena, the educational § 99.36. We address specific comments
about the proposed amendments to this Department’s enforcement capabilities view FERPA’s ‘‘health or safety
exception in the following paragraphs. and that schools may see this change as emergency’’ exception as a blanket
Changes: None. an excuse to disclose sensitive student exception for routine disclosures of
(a) Disclosure in Non-Emergency information when there is not a real student information but as limited to
Situations emergency. disclosures necessary to protect the
A commenter stated that the removal health or safety of a student or another
Comment: Some commenters of the ‘‘strict construction’’ requirement individual in connection with an
suggested that we interpret § 99.36 to would mean that the Department would emergency.
permit the sharing of information on eliminate altogether its review of actions After consideration of the comments,
reportable diseases to health officials in taken by schools under the health and we have determined that educational
non-emergency situations. These safety emergency exception. Another agencies and institutions should be
commenters stated that the disclosure of commenter stated that removing the required to record the ‘‘articulable and
routine immunization data should be requirement that this exception be significant threat to the health or safety
subject to State, local, and regional strictly construed could erode the of a student or other individuals’’ so
public health laws and regulations and privacy rights of individuals. The that they can demonstrate (to parents,
not FERPA. One of these commenters commenter noted that because parents students, and to the Department) what
noted that the HIPAA Privacy Rule and eligible students cannot bring suit circumstances led them to determine
allows covered entities to disclose in court to enforce FERPA, schools face that a health or safety emergency existed
personally identifiable health data, virtually no liability if they violate and how they justified the disclosure.
without consent, to public health FERPA requirements. Currently, educational agencies and
authorities. A commenter asked that the institutions are required under
Discussion: There is no authority in Department clarify what is meant by an § 99.32(a) to record any disclosure of
FERPA to exclude students’ ‘‘emergency’’ and how severe a concern personally identifiable information from
immunization records from the must be to qualify as an emergency. education records made under
definition of education records in Discussion: Section 99.36(c) § 99.31(a)(10) and § 99.36. We are
FERPA. Further, the HIPAA Privacy eliminates the previous requirement revising the recordation requirements in
Rule specifically excludes from that paragraphs (a) and (b) of this § 99.32(a)(5) to require an agency or
coverage health care information that is section be ‘‘strictly construed’’ and institution to record the articulable and
maintained as an ‘‘education record’’ provides instead that, in making a significant threat that formed the basis
under FERPA. 45 CFR 160.103, determination whether a disclosure may for the disclosure. The school must
Protected health information. We be made under the ‘‘health or safety maintain this record with the education
understand that the HIPAA Privacy Rule emergency’’ exception, an educational records of the student for as long as the
allows covered entities to disclose agency or institution may take into student’s education records are
identifiable health data without written account the totality of the circumstances maintained (§ 99.32(a)(2)).
consent to public health authorities. pertaining to a threat to the health or We do not specify in the regulations
However, there is no statutory exception safety of a student or other individuals. a time period in which an educational
to the written consent requirement in The new provision states that if there is agency or institution must record a
FERPA to permit this type of disclosure. an articulable and significant threat to disclosure of personally identifiable
As explained in the preamble to the the health or safety of the student or information from education records
NPRM (73 FR 15589), the amendment to other individuals, an educational under § 99.32(a). We interpret this to
the health or safety emergency agency or institution may disclose mean that an agency or institution must
exception in § 99.36 does not allow information to appropriate parties. record a disclosure within a reasonable
disclosures on a routine, non-emergency As we indicated in the preamble to period of time after the disclosure has
basis, such as the routine sharing of the NPRM, we believe paragraph (c) been made, and not just at the time, if
student information with the local provides greater flexibility and any, when a parent or student asks to
police department. Likewise, this deference to school administrators so inspect the student’s record of
exception does not cover routine, non- they can bring appropriate resources to disclosures. We will treat the
emergency disclosures of students’ bear on a circumstance that threatens requirement to record the significant
immunization data to public health the health or safety of individuals. 73 and articulable threat that forms the
authorities. Consequently, there is no FR 15574, 15589. In that regard, basis for a disclosure under the health
statutory basis for the Department to paragraph (c) provides that the or safety emergency exception no
revise the regulatory language as Department will not substitute its differently than the recordation of other
requested by the commenters. judgment for that of the agency or disclosures. In determining whether a
Changes: None. institution if, based on the information period of time for recordation is
available at the time of the reasonable, we would examine the
(b) Strict Construction Standard determination there is a rational basis relevant facts surrounding the
Comment: Several commenters for the agency’s or institution’s disclosure and anticipate that an agency
expressed concern that removing the determination that a health or safety or institution would address the health
language from current § 99.36 requiring emergency exists and that the disclosure or safety emergency itself before turning
strict construction of the ‘‘health and was made to appropriate parties. to recordation of any disclosures and
safety emergency’’ exception and We do not agree that removal of the other administrative matters.
substituting the language providing for ‘‘strict construction’’ standard weakens In response to concerns about the
a ‘‘rational basis’’ standard would not FERPA or erodes privacy protections. Department’s enforcement of the
require schools to make an individual Rather, the changes appropriately provisions of § 99.36, the ‘‘rational
assessment to determine if there is an balance the important interests of safety basis’’ test does not eliminate the
emergency that warrants a disclosure. and privacy by providing school Department’s responsibility for
One commenter stated that removal of officials with the flexibility to act oversight and accountability. Actions
the ‘‘strict construction’’ requirement quickly and decisively when that the Secretary may take in
would severely weaken the emergencies arise. Schools should not addressing violations of this and other
FERPA provisions are addressed in the (c) Articulable and Significant Threat expressed concern that the Department
analysis of comments under the section Comment: One commenter stated that was sending the wrong message to
in this preamble entitled Enforcement. the word ‘‘articulable’’ in § 99.36(c) was educational agencies and institutions
While parents and eligible students do confusing in reference to a school’s with these changes to § 99.36. The
not have a right to sue for violations of determination that there is an commenter stated that the health or
FERPA in a court of law, the statute ‘‘articulable and significant threat to the safety emergency exception must not be
provides that the Secretary may not health or safety of a student or other perceived to permit schools to routinely
make funds available to any agency or disclose education records to parents,
individuals.’’ This commenter stated
institution that has a policy or practice police, or others.
that school officials might interpret the
of violating parents’ and students’ rights A commenter asked who at a school
provision to mean that there must be a may share personally identifiable
under the statute with regard to consent verbal threat or that school officials information in a health or safety
to the disclosure of education records. must write down the exact wording of emergency, and specifically whether a
As such, parents and eligible students the threat. school secretary would be allowed to
may file a complaint with the Office if Discussion: The requirement that tell parents that a student on campus
they believe that a school has violated there must be an ‘‘articulable and made a threat to others.
their rights under FERPA and has significant threat’’ does not mean that A commenter stated that school
disclosed education records under the threat must be verbal. It simply districts, especially small or rural
§ 99.36 inconsistent with these means that the institution must be able districts, may not have the expertise on
regulations. In conducting an to articulate what the threat is under staff to determine whether a situation
investigation, the Office will require § 99.36 when it makes and records the constitutes an ‘‘articulable and
that schools identify the underlying disclosure. significant threat.’’ The commenter said
facts that demonstrated that there was In that regard, the words ‘‘articulable that personally identifiable information
an articulable and significant threat and significant’’ are adjectives on students may need to be disclosed to
precipitating the disclosure under modifying the key noun ‘‘threat.’’ As outside law enforcement and mental
§ 99.36. such, the focus is on the threat, with the health professionals so that they can
question being whether the threat itself help schools determine whether a real
In response to the comment about is articulable and significant. The word threat exists. The commenter
what would constitute an emergency, ‘‘articulable’’ is defined to mean recommended that the Department
FERPA permits disclosure ‘‘* * * in ‘‘capable of being articulated.’’ http:// change the proposed regulations to
connection with an emergency * * * to www.merriam-webster.com/dictionary/ allow school districts to involve outside
protect the health or safety of the articulable. This portion of the standard experts in determining whether a health
student or other persons.’’ 20 U.S.C. simply requires that a school official be or safety emergency exists. Noting that
1232g(b)(1)(I). We note that the word able to express in words what leads the the NPRM addressed the disclosure of
‘‘protect’’ generally means to keep from official to conclude that a student poses education records to an eligible
harm, attack, or injury. As such, the a threat. The other half of the standard student’s parents, the organization also
statutory text underscores that the is the word ‘‘significant,’’ which means asked for clarification regarding whether
educational agency or institution must ‘‘of a noticeably or measurably large the parents of a potential perpetrator
be able to release information from amount.’’ http://www.merriam- and the potential victim at the K–12
education records in sufficient time for webster.com/dictionary/significant. level could be told about a threat.
the institution to act to keep persons Taken together, the phrase ‘‘articulable Several commenters stated that our
from harm or injury. Moreover, to be ‘‘in and significant threat’’ means that if a proposed amendments did not go far
connection with an emergency’’ means school official can explain why, based enough and urged the Department to
to be related to the threat of an actual, on all the information then available, expand § 99.36 to permit a school to
impending, or imminent emergency, the official reasonably believes that a notify whomever the student has listed
such as a terrorist attack, a natural student poses a significant threat, such as his or her emergency contact.
disaster, a campus shooting, or the as a threat of substantial bodily harm, to Another commenter requested that the
outbreak of an epidemic such as e-coli. any person, including the student, the Secretary, through these regulations,
An emergency could also be a situation school official may disclose education direct institutions to proactively notify
in which a student gives sufficient, records to any person whose knowledge parents of students who are in acute
cumulative warning signs that lead an of information from those records will care situations, such as illness or
educational agency or institution to assist in protecting a person from that accidents, if any institutional official is
believe the student may harm himself or threat. aware of the emergency.
others at any moment. It does not mean Changes: None. Discussion: On its face, FERPA
the threat of a possible or eventual permits disclosure to ‘‘appropriate
(d) Parties That May Receive persons if the knowledge of such
emergency for which the likelihood of Information Under § 99.36 information is necessary to protect the
occurrence is unknown, such as would
Comment: A commenter health or safety of the student or other
be addressed in emergency
recommended that the Department persons.’’ 20 U.S.C. 1232g(b)(1)(I).
preparedness activities.
adopt a more subjective standard FERPA does not require that the person
Changes: We have amended the regarding the persons to whom receiving the information be responsible
recordkeeping requirements in education records may be disclosed for providing the protection. Rather, the
§ 99.32(a)(5) to require educational under § 99.36, suggesting that we focus of the statutory provision is on the
agencies and institutions to record the remove the requirement that the information itself: The ‘‘health or safety
articulable and significant threat that disclosure must be to a person ‘‘whose emergency’’ exception permits the
formed the basis for a disclosure under knowledge of the information is institution to disclose information from
the health or safety emergency necessary to protect the health or safety education records in order to gather
exception and the parties to whom the of the student or other individuals.’’ information from any person who has
information was disclosed. Conversely, another commenter information that would be necessary to
provide the requisite protection. Thus, § 99.36, an educational agency or records to which he or she was privy as
for example, an educational institution institution will need to make its own part of the team. As noted above,
that reasonably believes that a student determination about which school however, the institution may disclose
poses a threat of bodily harm to any officials may access a student’s personally identifiable information from
person may disclose information from education records and disclose education records when and if the threat
education records to current or prior information to parents or other parties assessment team determines that a
peers of the student or mental health whose knowledge of the information is health or safety emergency exists under
professionals who can provide the necessary to protect the health or safety §§ 99.31(a)(10) and 99.36.
institution with appropriate information of the student or other individuals. We believe that § 99.36 does not need
to assist in protecting against the threat. Under § 99.31(a)(1), an educational to be expanded to permit a school to
Moreover, the institution may disclose agency or institution may disclose contact whomever an eligible student
records to persons such as law education records, without consent, to has listed as his or her emergency
enforcement officials that it determines school officials whom the agency or contact, nor is there authority to do so.
may be helpful in providing appropriate institution has determined have FERPA does not preclude institutions
protection from the threat. An legitimate educational interests in the from contacting other parties, including
educational agency or institution may information. It may be helpful for parents, in addition to the emergency
also generally disclose information schools to have a policy in place contacts provided by the student, if the
under § 99.36 to a potential victim and concerning which school officials will school determines these other parties
the parents of a potential victim as have access to and the responsibility for are ‘‘appropriate parties’’ under this
‘‘other individuals’’ whose health or disclosing information in emergency exception. (An eligible student may
safety may need to be protected. situations. provide consent for the institution to
Similarly, in order to obtain We understand that some educational notify certain individuals in case of an
information that would inform its agencies and institutions may need emergency, should an emergency
judgment on how to address the threat, assistance in determining whether a occur.)
the student’s current institution may health or safety emergency exists for The regulations would not prevent an
disclose information from education purposes of complying with these institution from having a policy of
records to other schools or institutions regulations. The Department encourages seeking prospective consent from
which the student previously attended. schools to implement a threat eligible students for the disclosure of
In that regard, the same set of facts assessment program, including the personally identifiable information or
underlying the current institution’s establishment of a threat assessment from having a policy for obtaining
determination that an emergency team that utilizes the expertise of consent for disclosure on a case-by-case
existed would also permit former representatives from law enforcement basis. However, FERPA does not require
schools and institutions attended by the agencies in the community. Schools can that a postsecondary institution disclose
student to disclose personally respond to student behavior that raises information to any party except to the
identifiable information from education concerns about a student’s mental eligible student, even if the student has
records to the student’s current health and the safety of the student and consented to the disclosure. Thus, the
institution. That is, a former school others that is chronic or escalating by Secretary does not have the statutory
would not need to make a separate using a threat assessment team, and authority to require school officials to
determination regarding the existence of then make other disclosures under the disclose information from a student’s
an articulable and significant threat to health or safety emergency exception, as education records in compliance with a
the health or safety of a student or appropriate, when an ‘‘articulable and consent signed by the student or to
others, and could rely instead on the significant threat’’ exists. Information on otherwise require the institution to
determination made by the school establishing a threat assessment contact a family member.
currently attended by the student in program and other helpful resources for Changes: None.
making the disclosure. emergency situations can be found on
(e) Treatment Records
In the discussion on page 15589 of the the Department’s Web site: http://
NPRM, we noted that the ‘‘health or www.ed.gov/admins/lead/safety/ Comment: A commenter stated that
safety emergency’’ exception does not edpicks.jhtml?src=ln. while the amendments to § 99.36
permit a local school district to An educational agency or institution provide needed clarification about when
routinely share its student information may disclose education records to threat an educational agency or institution
database with the local police assessment team members who are not may disclose students’ education
department. This example was meant to employees of the district or institution records to avert tragedies like the one at
clarify that FERPA’s health or safety if they qualify as ‘‘school officials’’ with Virginia Tech in April 2007, the NPRM
provisions would not permit a school to ‘‘legitimate educational interests’’ under did not provide clarity on the issue of
disclose without consent education § 99.31(a)(1)(i)(B), which is discussed information sharing between on-campus
records to the local police department elsewhere in this preamble. To receive and off-campus health care providers.
unless there was a health or safety the education records under the ‘‘school The commenter also noted that the
emergency and the disclosure of the officials’’ exception, members of the Virginia Tech Review Panel
information was necessary to protect the threat assessment team must be under recommended that Congress amend
health or safety of students or other the direct control of the educational FERPA to explain how Federal privacy
individuals. This does not prevent agency or institution with respect to the laws apply to medical records held for
schools from having working maintenance and use of personally treatment purposes and that the NPRM
relationships with local police identifiable information from education did not provide that clarity.
authorities and to use local police records. For example, a representative Another commenter stated that if
officers in maintaining the safety of from the city police who serves on a information about a student related to a
their campuses. school’s threat assessment team health or safety emergency is part of the
In response to the comment about generally could not redisclose to the city treatment records maintained by a
which school official should be police personally identifiable university’s health clinic, the treatment
permitted to disclose information under information from a student’s education records should be treated like education
records so that they may be disclosed institution discloses personally information even though it is permitted
under the health and safety emergency identifiable information from education to do so. This commenter asked whether
exception. A commenter asked that the records. One commenter supported the the Department will accept an
Department clarify that college health provision but advocated requiring the institution’s efforts at compliance as
and mental health records are not use of two-factor identification for sufficient without examining the
education records under FERPA and information that could be used to effectiveness of those efforts.
must be treated like other health and commit identity theft and financial Discussion: The identification and
mental health records in other settings. fraud. (Two-factor identification authentication methods discussed in the
Discussion: While we have carefully requires the use of two methods to NPRM (73 FR 15585) are intended as
considered the comments concerning authenticate identity, such as examples and should not be considered
‘‘treatment records,’’ the Secretary does fingerprint identification in addition to to be exhaustive. Because there are
not believe that it is necessary to amend a PIN.) many methods available to provide
the regulations to provide clarification One commenter said that the secure authentication of identity, and as
on the handling of health and medical identification and authentication more methods continue to be
records. The Departments of Education requirement will help protect students developed, we do not think it
and Health and Human Services have affected by domestic violence who are appropriate at this time to require the
issued joint guidance that explains the living in substitute care situations. The use of two-factor authentication as
relationship between FERPA and the commenter noted that many parents in requested by the commenter. Two-factor
HIPAA Privacy Rule. The guidance situations involving domestic violence authentication can be expensive and
addresses this issue for these records at do not have photo identification (ID) cumbersome, and we believe that each
the elementary and secondary levels, as and would be unable to meet a educational agency or institution should
well as at the postsecondary level. The requirement to provide photo ID in decide whether to use its resources to
joint guidance, which is on the Web order to access their children’s implement a two-factor authentication
sites of both agencies, addresses many education records. method or another reasonable method to
of the questions raised by school One commenter strongly supported ensure that education records are
administrators, health care the proposed amendment and said it disclosed only to an authorized party.
professionals, and others as to how will be valuable in aiding the privacy The comment that a portion of the
these two laws apply to records and protection of homeless children. population will be disadvantaged if only
maintained on students. It also Another commenter questioned whether photo ID is permitted to authenticate
addresses certain disclosures that are the identification and authentication identity confirms that we need to retain
allowed without consent or requirement is necessary for staff of flexibility in the regulations.
authorization under both laws, large school districts with centralized We do not agree that certain types of
especially those related to health and offices. staff should be excepted from the
safety emergency situations. The One commenter did not support the identification and authentication
guidance can be found here: http:// proposed regulation stating that it will requirement. All staff members, whether
www.ed.gov/policy/gen/guid/fpco/ be an additional burden on school in a centralized office, or in separate
index.html. districts. The commenter agreed with administrative offices throughout a
As discussed elsewhere in this our statement in the preamble to the school system, must be cognizant of and
preamble with respect to § 99.31(a)(2), NPRM that the regulations should responsible for complying with
while ‘‘treatment records’’ are excluded permit districts to determine their own identification and authentication
from the definition of education records methods of identification and requirements.
under FERPA, if an eligible student’s authentication. However, the Due to the differences in size,
treatment records are used for any commenter stated that districts should complexity, and access to technology,
purpose other than the student’s not be required to have a sliding scale we believe that educational agencies
treatment, or if a school wishes to of control based on the level of potential and institutions should have the
disclose the treatment records for any threat and harm and that it would not flexibility to decide the methods for
purpose other than the student’s be practical to give every person identification and authentication of
treatment, they may only be disclosed as requesting access to education records a identity best suited to their own
education records subject to FERPA PIN or similar method of authentication. circumstances. The regulatory
requirements. Therefore, an eligible For example, the commenter stated that requirement is that agencies and
student’s treatment records may be parents might be provided with a PIN, institutions use ‘‘reasonable’’ methods
disclosed to any party, without consent, but districts would not want to provide to identify and authenticate identity
as long as the disclosure meets one of a PIN to a reporter or other third party. when disclosing personally identifiable
the exceptions to FERPA’s general The commenter requested additional information from education records.
consent rule. See 34 CFR 99.31. One of examples of how districts may ‘‘Effectiveness’’ is certainly one
the permitted disclosures under this authenticate requests received by phone measure, but not necessarily a
section is the ‘‘health or safety or e-mail. The commenter also stated dispositive measure, of whether the
emergency’’ exception. that districts are sometimes concerned methods used by an agency or
Changes: None. that government-issued photo IDs are institution are ‘‘reasonable’’. As we
fraudulent. As a result, the group explained in the NPRM, an agency or
Identification and Authentication of requested that the Department adopt a institution is not required to eliminate
Identity (§ 99.31(c)) ‘‘safe harbor’’ provision that requiring a all risk of unauthorized disclosure of
Comment: Several commenters government-issued photo ID for in- education records but to reduce that risk
supported our proposal to require person requests is reasonable. to a level commensurate with the likely
educational agencies and institutions to One commenter expressed concern threat and potential harm. 73 FR 15585.
use reasonable methods to identify and that the proposed regulations were too Further in that regard, we note that a
authenticate the identity of parents, restrictive and could be too complex to ‘‘sliding scale’’ of protection is not
students, school officials, and any other administer, and that this would cause mandated per se. However, it may not
parties to whom the agency or an institution to choose not to transfer be ‘‘reasonable’’ to use the same
methods to protect students’ SSNs or agency or institution in order for the Several commenters objected to the
credit card numbers from unauthorized Office to investigate the complaint. proposed change. One commenter
access and disclosure that are used to We explain in our discussion of the expressed serious concern that the
protect students’ names and other proposed changes to § 99.67 that the regulations will greatly expand the
directory information. We believe that a Secretary must find that an educational authority of the Office to investigate any
PIN process could be useful to provide agency or institution has a policy or potential FERPA violation, even when
access to education records for parties, practice in violation of the non- no complaint is filed or when a
such as parents, students, or school disclosure requirements in FERPA complaint has been withdrawn. In
officials, but that it would not generally before seeking to withhold, terminate, or particular, the commenter stated that an
be useful for providing records to recover program funds for that violation. institution would not have an
outside parties, such as reporters or However, FPCO is not limited to opportunity to review and respond to
parties seeking directory information. investigating complaints and finding specific allegations when the
While the use of government-issued that an educational agency or institution investigation does not concern a
photo ID may be a reasonable method to violated FERPA only if the allegations particular complaint.
authenticate identity, depending on the and findings are based on a policy or Another commenter asserted that the
circumstances and the information practice of an educational agency or Department has not demonstrated why
being released, we are unable to institution. the proposed amendment is necessary.
conclude at this time that it is Moreover, we do not agree that only The commenter said that unless there is
sufficiently secure to constitute a safe conduct that involves a policy or evidence of a widespread problem, the
harbor for meeting this requirement. practice or that affects multiple students proposed change will increase
Changes: None. is serious enough to warrant an university costs in responding to
investigation of the allegations. An investigations without a corresponding
Enforcement (§ 99.64) benefit to the public.
educational agency or institution may
(a) § 99.64(a) Another commenter said that the
not even be aware of FERPA violations
Office should not investigate allegations
Comment: One commenter supported committed by its own school officials
that are not filed by a parent or eligible
our proposal to amend § 99.64(a) to until the Office investigates an
student because an institution must
provide that a complaint submitted to allegation of misconduct. These kinds of
know the name of the filing party and
FPCO does not have to allege that a investigations often serve the very
the specific circumstances of the
violation or failure to comply with important purpose of helping ensure allegation in order to properly defend its
FERPA is based on a policy or practice that single instances of misconduct do actions. The commenter said that it
of the agency or institution. The not become policies or practices of an should not be unnecessarily burdened
commenter stated that parents often are agency or institution. Further, while an by an investigation by the Office when
not aware of legal and technical criteria, agency or institution may not think that it has already dealt with the situation to
and complaints filed by parents should a single, unintentional violation of the satisfaction of the affected student,
not be subject to technical rules FERPA is significant, it is often and that any student who is not satisfied
typically applied to filings made by considered serious by the parent or with the institution’s efforts retains the
attorneys. student affected by the violation. ability to file a complaint. The
Another commenter did not support Therefore, consistent with its current commenter also noted that a complaint
the proposed amendment and asked practice, the Office may find that an filed by an affected student has more
several questions concerning the effects educational agency or institution credibility than allegations made by
of the change. The commenter asked violated FERPA without also finding other parties. The commenter was
whether this provision means that the that the violation was based on a policy concerned that accepting information
Office will investigate an allegation or practice. Note that under §§ 99.66(c) from other parties could result in filings
concerning a single and perhaps and 99.67, the Office may not take any from persons with grievances unrelated
unintentional action not related to a enforcement action against an agency or to FERPA, such as a disgruntled
policy or practice of the institution. The institution that has violated FERPA employee, or an applicant rejected for
commenter also asked whether such an until it provides the agency or admission, or a parent or eligible
investigation could result in a finding of institution with a reasonable period of student who missed a filing deadline of
a violation if the finding is not based on time to come into compliance some kind.
an institution’s policy or practice, and voluntarily. One commenter said that the
what enforcement actions can be taken Changes: None. proposed change would result in an
in those circumstances. The commenter ineffective use of the limited resources
(b) § 99.64(b)
suggested that we modify the of the Office because it would be
regulations to provide that, for Comment: A number of commenters investigating allegations that may not
complaints not alleging a violation supported proposed § 99.64(b), which have a sufficient basis.
based on an institution’s policy or provided that the Office may investigate Discussion: We proposed the changes
practice, the Office will undertake an a possible FERPA violation even if it has to § 99.64(b) to clarify that the Office
investigation only when it determines not received a timely complaint from a may initiate its own investigation that
that the allegations are of a sufficiently parent or student or if a valid complaint an educational agency or institution has
serious nature to warrant an inquiry. is subsequently withdrawn. Several of violated FERPA. (The amendment also
Discussion: The changes we proposed these commenters stated that it is clarifies that if the Office determines
in this section were intended to clarify appropriate and important to permit that an agency or institution violated
that it is sufficient for a complaint to persons who are not parents or eligible FERPA, it may also determine whether
allege that an educational agency or students, but who have knowledge of the violation was based on a policy or
institution violated a requirement of potential FERPA violations, to provide practice of the agency or institution.)
FERPA, and that a complaint does not this information to the Office for Our experience has shown that
need to allege that the violation is a consideration of a possible sometimes FERPA violations are
result of a policy or practice of an investigation. brought to the attention of the Office by
school officials, officials in other Office is not required to find a policy or This change to § 99.67(a) does not
schools, or by the media. It is important practice in violation of FERPA before broaden the Secretary’s enforcement
that the Office have authority to issuing a notice of findings or taking options, as suggested by one
investigate allegations of non- other kinds of enforcement actions. commenter. The General Education
compliance in these situations. Changes: None. Provisions Act (GEPA) provides the
Consistent with its current practice, a Secretary with the authority to take
notice of investigation issued by the (d) § 99.67 certain enforcement actions to address
Office will provide sufficient and Comment: One commenter supported violations of statutory and regulatory
specific factual information to permit the clarification in proposed § 99.67 that requirements, including general
the agency or institution to adequately the Office may not seek to withhold authority to ‘‘take any other action
investigate and respond to the payments, terminate eligibility for authorized by law with respect to the
allegations, whether or not the funding, or take certain other recipient.’’ 20 U.S.C. 1234c(a)(4). The
investigation is based on a complaint by enforcement actions unless it change to § 99.67(a) simply includes, for
a parent or eligible student. determines that the educational agency purposes of clarity, the Secretary’s
We do not agree that allowing the or institution has a policy or practice existing authority under GEPA to take
Office to initiate its own investigations that violates FERPA. Another any legally available action to enforce
of possible FERPA violations will lead commenter expressed general support FERPA requirements. (We note that
to abuses of the process by persons for the proposed change, including the before taking enforcement action the
seeking to redress other grievances with clarification that the Secretary may take Office must determine that the
an institution. The Office will continue any legally available enforcement educational agency or institution is
to be responsible for evaluating the action, in addition to those specifically failing to comply substantially with a
validity of the information and listed in the current regulations. The FERPA requirement and provide it with
allegations that come to its attention by commenter expressed concern, a reasonable period of time to comply
means other than a valid complaint and however, that the penalties are not voluntarily. See 20 U.S.C. 1234c(a); 20
determining whether to initiate an severe enough to effectively discourage U.S.C. 1232g(f); and 34 CFR 99.66(c).)
investigation. We do not anticipate that unintentional or willful violations by We also proposed to amend § 99.67(a)
the Office will initiate an investigation third parties, particularly in areas of to clarify that the Office may issue a
of every allegation or information it research and data sharing with outside notice of violation for failure to comply
receives. We believe, however, that it is parties. with specific FERPA requirements and
important that the Office be able to Another commenter expressed require corrective actions but may not
investigate any violation of FERPA for concern that the proposed amendment
seek to terminate eligibility for funding,
which it receives notice. As stated in the withhold payments, or take other
would unnecessarily broaden the
NPRM, 73 FR 15591, the Department is enforcement actions unless the Office
enforcement options available to the
not seeking to expand the scope of determined that an agency or institution
Secretary. The commenter stated that
FERPA investigations beyond the has a policy or practice in violation of
educational agencies and institutions
current practices of the Office. FERPA requirements (73 FR 15592).
Changes: None. will not be able to assess the risks and
Upon further review, we have decided
consequences associated with their
(c) § 99.66 not to adopt this particular change
actions without a limitation on the
because we believe it limits the
Comment: We received one comment range of enforcement actions available
Secretary’s enforcement authority in a
on the proposed change to § 99.66(c), to the Department when a violation of manner that is not legally required.
which allows but does not require FPCO FERPA is found. In support of its holding in Gonzaga
to make a finding that an educational One commenter asked the Department that FERPA’s non-disclosure provisions
agency or institution has a policy or to clarify that all methods of enforcing do not create rights that are enforceable
practice in violation of a FERPA FERPA that are contained in the current under 42 U.S.C. 1983, the Court
requirement when the Office issues a regulations will be retained in the final observed that FERPA provides that no
notice of findings in § 99.66(b). The regulations. The commenter said that funds shall be made available to an
commenter stated that its review of the proposed regulations in the NPRM educational agency or institution that
FERPA and the Supreme Court decision (73 FR 15602) appear to remove the has a policy or practice of disclosing
in Gonzaga University v. Doe, 536 U.S. Secretary’s ability to terminate funding. education records in violation of FERPA
273 (2002) (Gonzaga), indicates that the Discussion: We explained in the requirements. 536 U.S. at 288; see also
Office may not issue a finding of a preamble to the NPRM (73 FR 15592) 20 U.S.C. 1232g(b)(1) and (b)(2); 34 CFR
violation of FERPA and require that there were two reasons for the 99.30. As such, the statute and Gonzaga
corrective action or take any proposed changes to § 99.67(a). One was decision suggest that with respect to
enforcement action without also finding the need to clarify that the Secretary violations of FERPA’s non-disclosure
that the violation constituted a policy or may take any enforcement action that is requirements, the Secretary must find
practice of the agency or institution. legally available and is not limited to that an educational agency or institution
Discussion: We explain in the those specified under the current has a policy or practice in violation of
discussion of the changes to § 99.67 that regulations, i.e., withholding further FERPA requirements before taking
there are circumstances in which the payments under any applicable actions to terminate, withhold, or
Office would be required to find that an program; issuing a complaint to compel recover funds for those violations.
educational agency or institution has a compliance through a cease-and-desist However, there is no requirement under
policy or practice in violation of a order; or terminating eligibility to the statute (or the Gonzaga decision) for
FERPA requirement before taking receive funding under any applicable the Secretary to find a policy or practice
certain enforcement actions, such as an program. Other actions the Secretary in violation of FERPA requirements on
action to terminate funding for a may take to enforce FERPA include the part of an educational agency or
violation of the non-disclosure entering into a compliance agreement institution before taking other kinds of
requirements, 20 U.S.C. 1232g(b)(1) and under 20 U.S.C. 1234f and seeking an enforcement actions for violations of the
(b)(2) and 34 CFR 99.30. However, the injunction. non-disclosure requirements, such as
seeking an injunction or a cease-and- One commenter supported the As noted elsewhere in this document,
desist order. We note also that the safeguarding recommendations and FERPA provides that no funds
Gonzaga opinion does not address suggested that we revise the administered by the Secretary may be
violations of other FERPA requirements, recommendations to list non-Federal made available to any educational
such as parents’ right to inspect and government sources providing guidance agency or institution that has a policy or
review their children’s education on methods for safeguarding education practice of releasing, permitting the
records and the requirement that records. Another commenter supported release of, or providing access to
educational agencies and institutions the recommendations, but suggested personally identifiable information from
afford parents an opportunity for a that the regulations should require that education records without the prior
hearing to challenge the content of a a parent or eligible student receive written consent of a parent or eligible
student’s education records under notification of an unauthorized release student except in accordance with
certain circumstances, which do not or theft of information. specified exceptions. In light of these
contain the same ‘‘policy or practice’’ Discussion: The comments on the requirements, the Secretary encourages
language as the non-disclosure records of students who receive special educational agencies and institutions to
requirements. Because we did not education services illustrate the utilize appropriate methods to protect
address enforcement of these other necessity for educational agencies and education records, especially in
FERPA requirements in the NPRM, we institutions to ensure that adequate electronic data systems.
have decided not to address in the final controls are in place so that the In recent years the following incidents
regulations limitations or pre-conditions education records of all students are have come to the Department’s
that apply solely to actions to terminate, handled in accordance with FERPA’s attention:
withhold, or recover program funds for privacy protections. The safeguarding • Students’ grades or financial
violations of the non-disclosure recommendations that we provided in information, including SSNs, have been
requirements. the NPRM, and are repeated in these posted on publicly available Web
In response to the comment that the final regulations, are intended to servers;
available penalties are not severe provide agencies and institutions • Laptops and other portable devices
enough to discourage FERPA violations, additional information and resources to containing similar information from
we note that the Secretary has authority assist them in meeting this education records have been lost or
to terminate, withhold, and recover responsibility. In addition, educational stolen;
program funds and take other agencies and institutions should refer to • Education records, or devices that
enforcement actions in accordance with the protections required under § 300.623 maintain education records, have not
part E of GEPA. The Secretary may not of the confidentiality of information been retrieved from school officials
increase penalties beyond those requirements in Part B of the IDEA, 34 upon termination of their employment
authorized under FERPA and GEPA. CFR 300.623 (Safeguards). or service as a contractor, consultant, or
Further, the regulations do not remove We acknowledge that there are many volunteer;
the Secretary’s authority to terminate sources available concerning • Computer systems at colleges and
eligibility for program funding or any information security technology and universities have become favored targets
other enforcement authority. The processes. The Department does not because they hold many of the same
changes noted by the commenter who wish to appear to endorse the records as banks but are much easier to
was concerned that the proposed information or product of any company access. See ‘‘College Door Ajar for
regulations removed the Secretary’s or organization; therefore, we have Online Criminals’’ (May 2006), available
authority to terminate funding were included only Federal government at http://www.uh.edu/ednews/2006/
corrections to punctuation and sources in this notice. latimes/200605/20060530hackers.html.
formatting only, not substantive The Department does not have the and July 10, 2006, Viewpoint in
changes. authority under FERPA to require that Business Week/Online available at
Changes: We have removed the agencies or institutions issue a direct http://www.businessweek.com/
language in § 99.67(a) that requires the notice to a parent or student upon an technology/content/jul2006/
Office to determine that an educational unauthorized disclosure of education tc20060710_558020.htm;
agency or institution has a policy or records. FERPA only requires that the • Nearly 65 percent of postsecondary
practice in violation of FERPA agency or institution record the educational institutions identified theft
requirements before taking any disclosure so that a parent or student of personal information (SSNs, credit/
enforcement action. will become aware of the disclosure debit/ATM card, account or PIN
during an inspection of the student’s numbers, etc.) as a high risk area. See
Department Recommendations for
education record. Table 7, Perceived Risks at http://
Safeguarding Education Records
Changes: None. www.educause.edu/ir/library/pdf/
Comment: We received a few We are republishing here, for the ecar_so/ers/ers0606/Ekf0606.pdf; and
comments on the recommendations for administrative convenience of • In December 2006, a large
safeguarding education records educational agencies and institutions postsecondary institution alerted some
included in the NPRM. One commenter and other parties, the Department 800,000 students and others that the
expressed concern that schools and Recommendations for Safeguarding campus computer system containing
school districts should exercise Education Records that were published their names, addresses, and SSNs had
enhanced security for the records of in the preamble to the NPRM (73 FR been compromised.
children receiving special education 15598–15599): The Department’s Office of Inspector
services. According to the commenter, The Department recognizes that General (OIG) noted in Final Inspection
these children often have a large agencies and institutions face significant Alert Memorandum dated February 3,
number of records and may receive challenges in safeguarding educational 2006, that the Privacy Rights
services from a variety of providers, records. We are providing the following Clearinghouse reported that between
which can add to the challenge of information and recommendations to February 15, 2005, and November 19,
ensuring that appropriate privacy assist agencies and institutions in 2005, there were 93 documented
controls are used. meeting these challenges. computer breaches of electronic files
involving personal information from although directed towards Federal the Security, Confidentiality, Integrity
education records such as SSNs, credit agencies, may also serve as a resource and Protection of Customer Records and
card information, and dates of birth. for educational agencies and Information (‘‘Safeguards Rule’’) in 16
According to the reported data, 45 institutions. See http:// CFR part 314.) In any case, direct
percent of these incidents have occurred www.whitehouse.gov/omb/memoranda/ student notification may be advisable if
at colleges and universities nationwide. fy2007/m07-16.pdf. the compromised data includes student
OIG expressed concern that student Finally, if an educational agency or SSNs and other identifying information
information may be compromised due institution has experienced a theft of that could lead to identity theft.
to a failure to implement or administer files or computer equipment, hacking or
Executive Order 12866
proper security controls for information other intrusion, software or hardware
systems at postsecondary institutions. malfunction, inadvertent release of data Under Executive Order 12866, the
The Department recognizes that no to Internet sites, or other unauthorized Secretary must determine whether this
system for maintaining and transmitting release or disclosure of education regulatory action is ‘‘significant’’ and
education records, whether in paper or records, the Department suggests therefore subject to the requirements of
electronic form, can be guaranteed safe consideration of one or more of the the Executive Order and subject to
from every hacker and thief, following steps: review by OMB. Section 3(f) of
technological failure, violation of • Report the incident to law Executive Order 12866 defines a
administrative rules, and other causes of enforcement authorities. ‘‘significant regulatory action’’ as an
unauthorized access and disclosure. • Determine exactly what information action likely to result in a rule that may
Although FERPA does not dictate was compromised, i.e., names, (1) have an annual effect on the
requirements for safeguarding education addresses, SSNs, ID numbers, credit economy of $100 million or more, or
records, the Department encourages the card numbers, grades, and the like. adversely affect a sector of the economy,
holders of personally identifiable • Take steps immediately to retrieve productivity, competition, jobs, the
information to consider actions that data and prevent any further environment, public health or safety, or
mitigate the risk and are reasonably disclosures. State, local or tribal governments, or
calculated to protect such information. • Identify all affected records and communities in a material way (also
Of course, an educational agency or students. referred to as an ‘‘economically
institution may use any method, • Determine how the incident significant’’ rule); (2) create serious
combination of methods, or occurred, including which school inconsistency or otherwise interfere
technologies it determines to be officials had control of and with an action taken or planned by
reasonable, taking into consideration the responsibility for the information that another agency; (3) materially alter the
size, complexity, and resources was compromised. budgetary impacts of entitlement grants,
available to the institution; the context • Determine whether institutional user fees, or loan programs or the rights
of the information; the type of policies and procedures were breached, and obligations of recipients thereof; or
information to be protected (such as including organizational requirements (4) raise novel legal or policy issues
social security numbers or directory governing access (user names, arising out of legal mandates, the
information); and methods used by passwords, PINS, etc.); storage; President’s priorities, or the principles
other institutions in similar transmission; and destruction of set forth in the Executive order. The
circumstances. The greater the harm information from education records. Secretary has determined that this
that would result from unauthorized • Determine whether the incident regulatory action is significant under
access or disclosure and the greater the occurred because of a lack of monitoring section 3(f)(4) of the Executive order.
likelihood that unauthorized access or and oversight.
disclosure will be attempted, the more • Conduct a risk assessment and 1. Summary of Public Comments
protections an agency or institution identify appropriate physical, The Department did not receive any
should consider using to ensure that its technological, and administrative comments on the analysis of the costs
methods are reasonable. measures to prevent similar incidents in and benefits in the NPRM. However,
One resource for administrators of the future. since the publication of the NPRM, we
electronic data systems is ‘‘The National • Notify students that the have identified several information
Institute of Standards and Technology Department’s Office of Inspector collection requirements that were not
(NIST) 800–100, Information Security General maintains a Web site describing identified in the NPRM. We have added
Handbook: A Guide for Managers’’ steps students may take if they suspect discussions of the costs and benefits of
(October 2006). See http://csrc.nist.gov/ they are a victim of identity theft at two information collection requirements
publications/nistpubs/800-100/SP800- http://www.ed.gov/about/offices/list/ in the following Summary of Costs and
100-Mar07-2007.pdf. A second resource oig/misused/idtheft.html; and http:// Benefits.
is NIST 800–53, Information Security, www.ed.gov/about/offices/list/oig/
which catalogs information security misused/victim.html. 2. Summary of Costs and Benefits
controls. See http://csrc.nist.gov/ FERPA does not require an Following is an analysis of the costs
publications/nistpubs/800-53-Rev1/800- educational agency or institution to and benefits of the most significant
53-rev1-final-clean-sz.pdf. Similarly, a notify students that information from changes to the FERPA regulations. In
May 22, 2007, memorandum to heads of their education records was stolen or conducting this analysis, the
Federal agencies from the Office of otherwise subject to an unauthorized Department examined the extent to
Management and Budget requires release, although it does require the which the regulations add to or reduce
executive departments and agencies to agency or institution to maintain a the costs of educational agencies and
ensure that proper safeguards are in record of each disclosure. 34 CFR institutions and, where appropriate,
place to protect personally identifiable 99.32(a)(1). (However, student State educational agencies (SEAs) and
information that they maintain, notification may be required in these other State and local educational
eliminate the unnecessary use of SSNs, circumstances for postsecondary authorities in relation to their costs of
and develop and implement a ‘‘breach institutions under the Federal Trade complying with the FERPA regulations
notification policy.’’ This memorandum, Commission’s Standards for Insuring prior to these changes.
This analysis is based on data from (Compensation for administrative staff a particular student attends may be able
the most recent Digest of Education time is based on published estimates for to ascertain that student’s SSN or non-
Statistics (2007) published by the 2005 from the Bureau of Labor directory student ID number by
National Center for Education Statistics Statistics’ National Compensation comparing class lists for repeat
(NCES), which projects total enrollment Survey of $23.50 per hour plus an numbers. Because SSNs are not
for Fall 2008 of 49,812,000 students in average 39 percent benefit load for Level randomly generated, it may be possible
public elementary and secondary 8 administrators in education and to identify a student by State of origin
schools and 18,264,000 students in related fields.) based on the first three (area) digits of
postsecondary institutions; and a total In terms of benefits, the change will the number, or by date of issuance based
of 97,382 public K–12 schools; 14,166 protect the privacy of parents and on the two middle digits.
school districts; and 6,463 students by clarifying the intent of this The Department does not have any
postsecondary institutions. (Excluded regulatory exclusion and help prevent actual data on how many class or test
are data from private institutions that do the unlawful disclosure of these records. grades are posted by SSN or non-
not receive Federal funding from the It will also provide greater legal directory student ID number at this
Department and, therefore, are not certainty and therefore some cost time, but we believe that the practice is
subject to FERPA.) Based on this savings for those agencies and rare or non-existent below the
analysis, the Secretary has concluded institutions that may be required to secondary level. Although the practice
that the changes in these regulations litigate this issue in connection with a was once widespread, particularly at the
will not impose significant net costs on request under a State open records act postsecondary level, anecdotal evidence
educational agencies and institutions. or other legal proceeding. For these suggests that as a result of consistent
Analyses of specific provisions follow. reasons, we believe that the overall training and informal guidance by the
benefits outweigh the potential costs of Department over the past several years,
Alumni Records this change. together with the increased attention
The regulations in § 99.3 clarify the
Exclusion of SSNs and ID Numbers States and privacy advocates have given
current exclusion from the definition of
From Directory Information to the use of SSNs, many institutions
education records for records that only
The proposed regulations in § 99.3 now either require teachers to use a
contain information about an individual
clarified that a student’s SSN or student code known only to the teacher and the
after he or she is no longer a student,
ID number is personally identifiable student or prohibit the posting of grades
which is intended to cover records of
alumni and similar activities. Some information that may not be disclosed as entirely.
institutions have applied this exclusion directory information under FERPA. The most recent figures available from
to records that are created after a The final regulations allow an the Bureau of Labor Statistics (2007)
student has ceased attending the educational agency or institution to indicate that there are approximately 2.7
institution but that are directly related designate and disclose student ID million secondary and postsecondary
to his or her attendance as a student, numbers as directory information if the teachers in the United States. As noted
such as investigatory reports and number cannot be used by itself to gain above, we assume that most of these
settlement agreements about incidents access to education records, i.e. , it is teachers either do not post grades at all
and injuries that occurred during the used like a name. SSNs may never be or already use a code known only to the
student’s enrollment. The amendment disclosed as directory information. teacher or student. We assume further
will clarify that this provision applies The principal effect of this change is that additional costs to deliver grades
only to records created or received by an that educational agencies and personally in the classroom or through
educational agency or institution after institutions may not post grades by the electronic mail, instead of posting, will
an individual is no longer a student in student’s SSN or non-directory student be minimal. For purposes of this
attendance and that are not directly ID number and may not include these analysis, we estimate that no more than
related to the individual’s attendance as identifiers with directory information five percent of 2.7 million, or 135,000
a student. they disclose about a student, such as a teachers, continue to post grades by SSN
We believe that most of the more than student’s name, school, and grade level or non-directory student ID number and
103,845 K–12 schools and or class, on rosters, or on sign-in sheets thus will need to convert to a code,
postsecondary institutions subject to that are made available to students and which will require them to spend an
FERPA already adhere to this revised others. (Educational agencies and average of one-half hour each semester
interpretation in the regulations and institutions may continue to include establishing and managing grading
that for those that do not, the number SSNs and non-directory student ID codes for students. Since we do not
of records affected is likely to be very numbers on class rosters and schedules know how many teachers at either
small. Assuming that each year one half that are disclosed only to teachers and education level will continue to post
of one percent of the 68.1 million other school officials who have grades, and wages for postsecondary
students enrolled in these institutions legitimate educational interests in this teachers are higher than secondary
have one record each affected by the information.) teacher wages, we use postsecondary
change, in the year following issuance A class roster or sign-in sheet that teacher wages to ensure that the
of the regulations institutions will be contains or requires students to affix estimate encompasses the upper limit of
required to try to obtain written consent their SSN or non-directory student ID possible costs. Using the Bureau of
before releasing 350,380 records that number makes that information Labor Statistics’ published estimate of
they would otherwise release without available to every individual who signs average hourly wages of $42.98 for
consent. We estimate that for the first in or sees the document and increases teachers at postsecondary institutions
year contacting the affected parent or the risk that the information may be and an average 39 percent load for
student to seek and process written improperly used for purposes such as benefits, we estimate an average cost of
consent for these disclosures will take identity theft or to find out a student’s $59.74 per teacher per year, for a total
approximately one-half hour per record grades or other confidential educational of $8,064,900. Parents and students
at an average cost of $32.67 per hour for information. In regard to posting grades, should incur no costs except for the
a total cost of $5,562,068. an individual who knows which classes time they might have to spend to
contact the school official if they forget While postsecondary institutions may information, and written consent for
the student’s grading code. continue to collect students’ SSNs for disclosure of the student’s SSN or non-
This change will benefit parents and financial aid and tax reporting purposes, directory student ID number is required.
students and educational agencies and many have ceased using the SSN as a Due to the difficulty in ascertaining
institutions by reducing the risk of student identifier either voluntarily or actual costs associated with these
identity theft associated with posting in compliance with State laws. Also, transactions, we have no basis to
grades by SSN, and the risk of over the past several years the estimate costs that educational agencies
disclosing grades and other confidential Department has provided training on and institutions and parents and
educational information caused by this issue and published on the Office students will incur as a result of this
posting grades by a non-directory Web site a 2004 letter finding a change.
student ID number. It is difficult to postsecondary institution in violation of The enhanced privacy protections of
quantify the value of reducing the risk FERPA when its agent used a student’s this amendment will benefit students
of identity theft. According to the SSN, without consent, to search its and parents by reducing the risk that
Federal Trade Commission, however, database to verify that the student had third parties will disclose a student’s
for the past few years over one-third of received a degree. www.ed.gov/policy/ SSN without consent and possibly
complaints filed with that agency have gen/guid/fpco/ferpa/library/ confirm a questionable number for
been for identity theft. According to the auburnuniv.html. Given these purposes of identity theft. Similarly,
Better Business Bureau, identity theft circumstances, we estimate that preventing institutions from implicitly
costs businesses nearly $57 billion in possibly one-quarter of the nearly 6,463 confirming a questionable non-directory
2006, while victims spent an average of postsecondary institutions in the United student ID number will help prevent
40 hours resolving identity theft issues. States, or 1,616 institutions, may ask a unauthorized individuals from
It is even more difficult to measure the requester to provide the student’s SSN obtaining confidential information from
benefits of enhanced privacy protections (or non-directory student ID number) in education records. In evaluating the
for student grades and other order to locate the record and respond benefits or value of this change, we note
confidential educational information to an inquiry for directory information. that this provision does not affect any
from education records because the activity that an educational agency or
Under the regulations an educational
value individuals place on the privacy institution is permitted to perform
agency or institution that identifies
of this information varies considerably under FERPA or other Federal law, such
students by SSN (or non-directory
and because we are unable to determine as using SSNs to identify students and
how often it happens. Therefore, we student ID number) when releasing confirm their enrollment status for
have no basis to estimate the value of directory information will either have to student loan purposes, which is
these enhanced privacy protections in ensure that the student has provided permitted without consent under the
relation to the expected costs to written consent to disclose the number financial aid exception in § 99.31.
implement the changes. to the requester, or rely solely on a
student’s name and other properly User ID for Electronic Communications
Prohibit Use of SSN To Confirm designated directory information to The regulations will allow an
Directory Information identify the student, such as address, educational agency or institution to
The regulations will prevent an date of birth, dates of enrollment, year disclose as directory information a
educational agency or institution (or a of graduation, major field of study, student’s ID number, user ID or other
contractor providing services for an degree received, etc. Costs to an electronic identifier so long as the
agency or institution) from using a institution of ensuring that students identifier functions like a name; that is,
student’s SSN (or other non-directory have provided written consent for these it cannot be used without a PIN,
information) to identify the student disclosures, for example by requiring password, or some other authentication
when releasing or confirming directory the requester to fax copies of each factor to gain access to education
information. This occurs, for example, written consent to the institution or its records. This change will impose no
when a prospective employer or contractor, or making arrangements to costs and will provide benefits in the
insurance company telephones an receive them electronically, could be form of regulatory relief allowing
institution or submits an inquiry substantial for large institutions and agencies and institutions to use
through the institution’s Web site to organizations that utilize electronic directory services in electronic
find out whether a particular individual recordkeeping systems. Institutions may communications systems without
is enrolled in or has graduated from the choose instead to conduct these incurring the administrative costs
institution. While this provision will verifications without using SSNs or associated with obtaining student
apply to educational agencies and non-directory student IDs, which may consent for these disclosures.
institutions at all grade levels, we make it more difficult to ensure that the Costs related to honoring a student’s
believe that it will affect mainly correct student has been identified decision to opt out of these disclosures
postsecondary institutions because K– because of the known problems in will be minimal because we assume that
12 agencies and institutions typically do matching records without the use of a only a small number of students will
not provide enrollment and degree universal identifier. Increased elect not to participate in electronic
verification services. institutional costs either to verify that communications at their school.
A survey conducted in March 2002 by the student has provided consent or to Applying this change to records of both
the American Association of Collegiate conduct a search without use of SSNs or K–12 and postsecondary students and
Registrars and Admissions Officers non-directory student ID numbers assuming that one-tenth of one percent
(AACRAO) showed that nearly half of should be less for smaller institutions, of parents and eligible students will opt
postsecondary institutions used SSNs as where the chances of duplicate records out of these disclosures, we estimate
the primary means to track students in are decreased. Parents and students may that institutions will have to flag the
academic databases. Since then, use of incur additional costs if an employer, records of approximately 68,000
SSNs as a student identifier has insurance company, or other requester students for opt-out purposes. We lack
decreased significantly in response to is unable to verify enrollment or sufficient data on costs institutions
public concern about identity theft. graduation based solely on directory currently incur to flag records for
directory information opt-outs for other fraudulent documents to the party compliance with the legitimate
purposes, so we are unable to estimate identified as the sender because we do educational interest requirement.
the administrative and information not have any basis for estimating how Administrative experience has shown
technology costs institutions will incur often this occurs. However, we believe that schools that allow teachers and
to process these new directory that these changes will provide other school officials to have
information opt-outs resulting from this significant regulatory relief to unrestricted access to education records
change. educational agencies and institutions by tend to have more problems with
helping to reduce transcript and other unauthorized disclosures, such as
Student Anonymity in the Classroom school officials obtaining access to
educational fraud based on falsified
The final regulations will ensure that records. education records for personal rather
parents and students do not use the than professional reasons. Preventing
right to opt out of directory information Outsourcing unrestricted access to education records
disclosures to remain anonymous in the The regulations in § 99.31(a)(1)(i) will by teachers and other school officials
classroom, by clarifying that opting out allow educational agencies and will benefit parents and students by
does not prevent disclosure of the institutions to disclose education helping to ensure that education records
student’s name, institutional e-mail records, or personally identifiable are used only for legitimate educational
address, or electronic identifier in the information from education records, purposes. It will also help ensure that
student’s physical or electronic without consent to contractors, education records are not accessed or
classroom. We estimate that this change volunteers, and other non-employees disclosed inadvertently.
will result in a small net benefit to performing institutional services and Information gathered by the Director
educational agencies and institutions functions as school officials with of the Office at numerous FERPA
because they will have greater legal legitimate educational interests. An training sessions and seminars, along
certainty about the element of classroom educational agency or institution that with recent discussions with software
administration, and it will reduce the uses non-employees to perform vendors and educational organizations,
institutional costs of responding to institutional service and functions will indicates that the vast majority of mid-
complaints from students and parents have to amend its annual notification of and large-size school districts and
about the release of this information. FERPA rights to include these parties as postsecondary institutions currently use
school officials with legitimate commercial software for student
Disclosing Education Records to New
educational interests. information systems. These systems
School and to Party Identified as This change will provide regulatory generally include role-based security
Source Record relief by permitting, and clarifying the features that allow administrators to
The final regulations in § 99.31(a)(2) conditions for, non-consensual control access to specific records,
will allow an educational agency or disclosure of education records. Our screens, or fields according to a school
institution to disclose education experience suggests that virtually all of official’s duties and responsibilities.
records, or personally identifiable the more than 103,000 schools subject to These systems also typically contain
information from education records, to FERPA will take advantage of this transactional logging features that
a student’s new school even after the provision. We have no actual data on document or track a user’s actual access
student is already attending the new how many school districts publish to particular records, which will help
school so long as the disclosure relates annual FERPA notifications for the ensure that an agency’s or institution’s
to the student’s enrollment in the new 97,382 K–12 public schools included in access control methods are effective.
school. This change will provide this total and, therefore, how many Educational agencies and institutions
regulatory relief by reducing legal entities will be affected by this that already have these systems will
uncertainty about how long a school requirement. However, because incur no additional costs to comply
may continue to send records or educational agencies and institutions with the regulations.
information to a student’s new school, were already required under previous For purposes of this analysis we
without consent, under the ‘‘seeks or regulations to publish a FERPA excluded from a total of 14,166 school
intends to enroll’’ exception. notification annually, we believe that districts and 6,463 postsecondary
The amendment to the definition of costs to include this new information institutions those with more than 1,000
disclosure in § 99.3 will allow a school will be minimal. students, for a total of 6,887 small K–12
that has concerns about the validity of districts and 3,906 small postsecondary
a transcript, letter of recommendation, Access Control and Tracking institutions that may not have software
or other record to return these The regulations in § 99.31(a)(1)(ii) with access control security features.
documents (or personally identifiable will require an educational agency or The discussions that the Director of the
information from these documents) to institution to use reasonable methods to Office has had with numerous SEAs and
the student’s previous school or other ensure that teachers and other school local districts suggest that the vast
party identified as the source of the officials obtain access to only those majority of these small districts and
record in order to resolve questions education records in which they have institutions do not make education
about their validity. Combined with the legitimate educational interests. This records available to school officials
change to § 99.31(a)(2), discussed earlier requirement will apply to records in any electronically or by computer but
in this analysis, this change will also format, including computerized or instead use some system of
allow the student’s previous school to electronic records and paper, film, and administrative and physical controls.
continue to send education records, or other hard copy records. An educational We estimate for this analysis that 15
clarification about education records, to agency or institution that chooses not to percent, or 1,619, of these small districts
the student’s new school in response to restrict access to education records with and institutions use home-built
questions about the validity or meaning physical or technological controls, such computerized or electronic systems that
of records sent previously by that party. as locked cabinets and role-based may not have the role-based security
We are unable to determine how much software security, must ensure that its features of commercial software. The
it will cost educational agencies and administrative policy for controlling most recent published estimate we have
institutions to return potentially access is effective and that it remains in for software costs comes from the final
Standards for Privacy of Individually parents and students by anyone other authentication of identity for hard-copy
Identifiable Health Information under than representatives of the organization records. We assume that educational
the Health Insurance Portability and with legitimate interests, require the agencies and institutions that require
Accountability Act of 1996 (HIPAA destruction or return of the information users to enter a secret password or PIN
Privacy Rule) published by the to the educational agency or institution to authenticate identity will deliver the
Department of Health and Human when the study is completed, and password or PIN through the U.S. postal
Services (HHS) on December 28, 2000, specify the time period for destruction service or in person. We estimate that
which estimated that the initial per- or return of the information. We believe no new costs will be associated with
hospital cost of software upgrades to that the additional cost of entering into this process because agencies and
track the disclosure of medical records written agreements to comply with this institutions already have direct contact
would be $35,000 (65 FR 82768). We change is unlikely to be significant with parents, eligible students, and
assume that costs will be comparable for because most educational agencies and school officials for a variety of other
education records, and, as discussed institutions already specify the terms purposes and will use these
above, software that tracks disclosure under which personally identifiable opportunities to deliver a secret
history can also be used to control or information can be used when it is authentication factor.
restrict access to electronic records. disclosed to organizations for these As noted in the preamble to the
Based on these assumptions, if 1,619 types of studies. Although this change NPRM, 73 FR 15585, single-factor
small K–12 districts and postsecondary will create an additional information authentication of identity, such as a
institutions decide to purchase student collection requirement, we believe the standard form user name combined with
information software rather than rely on benefits of the written agreement a secret password or PIN, may not
administrative policies to comply with outweigh the costs, because it will provide reasonable protection for access
the regulations, they will incur ensure better compliance with FERPA to all types of education records or
estimated costs of $56,665,000. We and provide clarity for both researchers under all circumstances. We lack a basis
estimate that the remaining 9,174 small and educational agencies and for estimating costs of authenticating
districts and institutions will not institutions about the restrictions and identity when educational agencies and
purchase new software because they do use of personally identifiable institutions allow authorized users to
not make education records available information disclosed under access sensitive personal or financial
electronically and rely instead on less § 99.31(a)(6) for studies. information in electronic records for
costly administrative and physical which single-factor authentication
Identification and Authentication of would not be reasonable.
methods to control access to records by
Identity
school officials. Those that provide Redisclosure and Recordkeeping
school officials with open access to hard The regulations in § 99.31(c) require
copy education records may incur new educational agencies and institutions to The regulations allow the officials and
costs to track actual disclosures to help use reasonable methods to identify and agencies listed in § 99.31(a)(3) (the U.S.
ensure that they remain in compliance authenticate the identity of parents, Comptroller General, the U.S. Attorney
with legitimate educational interests students, school officials and other General, the Secretary, and State and
requirements. We assume that these parties to whom the agency or local educational authorities) to
districts and institutions may devote institution discloses personally redisclose education records, or
some additional administrative staff identifiable information from education personally identifiable information from
time to procedures such as keeping logs records. The use of widely available education records, without consent
of school officials who access records. information to authenticate identity, under the same conditions that apply
However, no reliable estimates exist for such as the recipient’s name, date of currently to other recipients of
the average number of teachers and birth, SSN or student ID number, is not education records under § 99.33(b). This
other school officials who access considered reasonable under the change provides substantial regulatory
education records or the number of regulations. relief to these parties by allowing them
times access is sought, so we are unable The regulations will impose no new to redisclose information on behalf of
to estimate the cost of restricting or costs for educational agencies and educational agencies and institutions
tracking actual disclosures of hard copy institutions that disclose hard-copy under any provision in § 99.31(a), which
education records to school officials. records through the U.S. postal service allows disclosure of education records
or private delivery services with use of without consent. For example, States
Education Research the recipient’s name and last known will be able to consolidate K–16
The regulations in § 99.31(a)(6)(ii)(C) official address. education records under the SEA or
require an educational agency or We were unable to find reliable data State higher educational authority
institution to enter into a written that would allow us to estimate the without having to obtain written
agreement before disclosing personally additional administrative time that consent under § 99.30. Parties that
identifiable information from education educational agencies and institutions currently request access to records from
records, without consent, to will spend checking photo ID against individual school districts and
organizations conducting studies for, or school records or using other reasonable postsecondary institutions will in many
on behalf of, the educational agency or methods, as appropriate, to identify and instances be able to obtain the same
institution to: (a) Develop, validate, or authenticate the identity of students, information in a more cost-effective
administer predictive tests; (b) parents, and other parties to whom the manner from the appropriate State
administer student aid programs; or (c) agency or institution discloses educational authority or the
improve instruction. The written education records in person. Department.
agreement must specify the purpose or Authentication of identity for In accordance with the current
purposes, scope, and duration of the electronic or telephonic access to regulations in § 99.32(b), an educational
study or studies and the information to education records involves a wider agency or institution must record any
be disclosed, require the organization to array of security options because of redisclosure of education records made
conduct the study in a manner that does continuing advances in technologies, on its behalf under § 99.33(b), including
not permit personal identification of but is not necessarily more costly than the names of the additional parties to
which the receiving party may authorities and the Department already court order or subpoena under
redisclose the information and their have software that will allow them to § 99.31(a)(9) to provide the notice to
legitimate interests or basis for the record these disclosures electronically. parents and eligible students required
disclosure without consent under State educational authorities and under § 99.31(a)(9)(ii). We anticipate
§ 99.31 in obtaining the information. Federal officials that maintain records of that this provision will affect mostly
The regulations require SEAs and other redisclosures will also have to make that State and local educational authorities,
State educational authorities (such as information available to the educational which maintain education records they
higher education authorities), the agency or institution whose records have obtained from their constituent
Secretary, and other officials or agencies were redisclosed, upon request, so that districts and institutions and, under
listed in § 99.31(a)(3) that make further the agency or institution can make that § 99.35(b), may redisclose the
disclosures on behalf of an educational record available to a parent or eligible information, without consent, in
agency or institution to maintain the student who has asked to inspect and compliance with a court order or
record of redisclosure required under review the student’s record of subpoena under § 99.31(a)(9).
§ 99.32(b) if the educational agency or disclosures. We assume that few parents There is no change in costs as a result
institution has not recorded the and students request this information of shifting responsibility for notification
redisclosure or if the information was and, therefore, use an estimate that one to the disclosing party under this
obtained from another State or Federal tenth of one percent of a total of 68.1 change. However, we believe that
official or agency listed in § 99.31(a)(3). million students will make such a minimizing or eliminating uncertainty
The regulations also require the State or request each year, or 68,076 requests. If about which party is legally responsible
Federal official or agency listed in it takes one-quarter of an hour to locate for the notification will result in a net
§ 99.31(a)(3) to provide a copy of its and print a record of disclosures at an benefit to all parties.
record of redisclosures to the average administrative hourly rate of
Health or Safety Emergency
educational agency or institution upon $32.67, the average annual
administrative cost for State and Federal The regulations in § 99.32(a)(5)
request. In addition, an educational
officials and agencies to provide this require that a school that discloses
agency or institution must maintain
service will be $556,011, plus mailing information under the health and safety
with each student’s record of
costs (at $.42 per letter) of $28,592, for emergency exception in § 99.36 record
disclosures the names of State and local
a total of $584,603. We estimate that the articulable and significant threat
educational authorities and Federal
educational agencies and institutions that formed the basis for the disclosure
officials and agencies that may make
themselves will incur comparable costs and the parties to whom the education
further disclosures from the student’s
when they ask State and Federal records were disclosed. Because
records without consent under
officials to send them these records of § 99.32(a) already requires schools to
§ 99.33(b) and must obtain a copy of the
redisclosure and then make them record disclosures made under § 99.36,
record of redisclosure, if any,
available to parents and students. We including the legitimate interests the
maintained by the State or Federal
note that printing and mailing costs may parties had in requesting or obtaining
official that redisclosed information on
be reduced to the extent that e-mail is the information, we believe these
behalf of the agency or institution.
used to transmit the record, and if changes will not create any significant
State educational authorities and parents or students pick up the record additional administrative costs for
Federal officials listed in § 99.31(a)(3) on-site, but we do not have information schools and that the benefit of including
will incur new administrative costs if to estimate these potential savings. the legitimate interests the parties had
they maintain the record of redisclosure The Department believes that these in requesting or obtaining the
for the educational agency or institution changes will result in a net benefit to information outweighs the costs.
on whose behalf they redisclose educational agencies and institutions
education records under the regulations. Directory Information Opt Outs
because they will not have to record
We estimate that two educational further disclosures made by State and The regulations in § 99.37(b) clarify
authorities or agencies in each State and Federal authorities and officials who that while an educational agency or
the District of Columbia (one for K–12 redisclose information from education institution is not required to notify
and one for postsecondary) and the records on their behalf and will not former students under § 99.37(a) about
Department itself, for a total of 103 have to ask for a copy unless a parent the institution’s directory information
authorities, will maintain the required or eligible student asks to inspect and policy or allow former students to opt
records of redisclosures. (We anticipate review the student’s record of out of directory information disclosures,
that educational agencies and disclosures. State and Federal they must continue to honor a parent’s
institutions will record under authorities and officials will also benefit or student’s decision to opt out of
§ 99.32(b)(1) any further disclosures because they will not have to provide directory information disclosures after
made by the other Federal officials their record of further disclosures to the student leaves the institution. Most
listed in § 99.31(a)(3), the U.S. anyone unless the educational agency or agencies and institutions should already
Comptroller General and the U.S. institution asks for a copy. Overall, the comply with this requirement because
Attorney General.) We estimate further costs to State and Federal authorities to of informal guidance and training
that these authorities will need to record record their own redisclosures will be provided by FPCO.
two redisclosures per year from their offset by the savings that educational Parents and students will benefit from
records and that it will take one hour of agencies and institutions will realize by this clarification because it will help
administrative time to record each not having to record the disclosures ensure that schools do not invalidate the
redisclosure electronically at an average themselves. parent’s or student’s decisions on
hourly rate of $32.67, for a total annual directory information disclosures after
Notification of Compliance With Court
administrative cost of $6,730. the student is no longer in attendance.

(Compensation for administrative staff Order or Subpoena It will also benefit schools by
time is explained earlier in this The regulations in § 99.33(b)92) eliminating any uncertainty they may
analysis.) We also assume for purposes require any party that rediscloses have about whether they must continue
of this analysis that State educational education records in compliance with a to honor an opt out once the student is
no longer in attendance. We have longer needed for the purposes for case of some SEAs, accessing the State
insufficient information to estimate the which the study was conducted; and database for this information. Also, we
number of institutions affected and the specify the time period for the do not expect that a large number of
additional costs involved in changing destruction or return of the information. parents and eligible students will ask to
systems to maintain opt-out flags on The Department did not identify in see the record of further disclosures.
education records of former students. the NPRM the requirement in
§ 99.31(a)(6)(ii) as an information (4) § 99.32(a)(5)
Paperwork Reduction Act of 1995 collection requirement under the During the development of the final
Following publication of the NPRM, Paperwork Reduction Act of 1995 and regulations, we identified another
we provided, through a notice did not realize this would be an change to the recordation requirements
published in the Federal Register (73 information collection requirement until of § 99.32 that would require the
FR 28810, May 19, 2008) opportunity a commenter brought this matter to our collection of information. In response to
for the public to comment on attention. The commenter pointed out several comments we received regarding
information collections in the current that, while this change created another changes to FERPA’s ‘‘health or safety
regulations, and indicated in that notice paperwork burden for school districts, emergency exception’’ in § 99.36, we
the pendency of the NPRM. the commenter did not object to the have amended § 99.32(a) to include a
Additionally, based on comments written agreement requirement because new recordation requirement.
received in response to the NPRM, we putting the requirements regarding the Specifically, we have added a paragraph
have identified several information use and destruction of data in writing to the recordation requirement that
collection requirements associated with may improve compliance with FERPA. requires that for any disclosures under
these regulations. We describe these The Department agrees with the § 99.36 a school must record the
information collections in the following comment. articulable and significant threat to the
paragraphs and will be submitting these health or safety of a student or other
sections to OMB for review and (2) § 99.32(a)(1) individuals that formed the basis for the
approval. We note that the Paperwork Under FERPA, an educational agency disclosure and the parties to whom the
Reduction Act of 1995 does not require or institution is required to record its agency or institution disclosed
a response to these information disclosures of personally identifiable information.
collection requirements unless they information from education records, The Secretary believes that this is
display a valid OMB control number. A even when it discloses information to its only a minor paperwork burden for
valid OMB control number will be own State educational authority. This schools because schools are already
assigned to the information collection statutory requirement is reflected in the required to record disclosures made
requirements at the end of the affected current FERPA regulations. The final under § 99.36. The new language in
sections of the regulations. regulations permit the State and local § 99.32(a)(5) simply clarifies the type of
educational authorities and Federal information that must be recorded when
(1) § 99.31(a)(6)(ii) officials listed in § 99.31(a)(3) to make a school discloses personally
FERPA permits an educational agency further discloses of personally identifiable information in response to a
or institution to disclose personally identifiable information from education health or safety emergency, either for
identifiable information from education records on behalf of the educational one student or for all students in a
records, without consent, to agency or institution in accordance with school.
organizations conducting studies for or the requirements of § 99.33(b) and
on behalf of the agency or institution for require them to record these further (5) § 99.32(b)(2)
purposes of testing, student aid, and disclosures of § 99.33(b) if the In the NPRM, we specifically noted
improvement of instruction. In the educational agency or institution does that the Department was interested in
NPRM, we proposed to add not do so. We have included provisions relieving any administrative burdens
§ 99.31(a)(6)(ii) to require that an in the final regulations that require associated with recording disclosures of
educational agency or institution to educational agencies and institutions to education records and, therefore,
disclose personally identifiable maintain a listing in each student’s invited public comment on whether an
information under § 99.31(a)(6)(i) only if record of the State and local educational SEA, the Department, or other authority
it enters into a written agreement with authorities and Federal officials and or official listed in § 99.31(a)(3) should
the organization specifying the purposes agencies that may make further be allowed to maintain the record of the
of the study. Under these final disclosures of the student’s education redisclosures it makes on behalf of an
regulations, this written agreement must records without consent so that parents educational agency or institution under
specify the purpose, scope, and duration and eligible students will be made § 99.32(b).
of the study or studies and the aware of these further disclosures. Several commenters stated that an
information to be disclosed; require the SEA (or other authority or official listed
organization to use personally (3) § 99.32(a)(4) in § 99.31(a)(3)) should be responsible
identifiable information from education Under this new provision, parents for maintaining the record of disclosure
records only to meet the purpose or and eligible students will be able to required under § 99.32 when it
purposes of the study as stated in the inspect and review any further rediscloses information on behalf of
written agreement; require the disclosures that were made by any of educational agencies and institutions.
organization to conduct the study in a the parties listed under § 99.31(a)(3) by The commenters stated that requiring
manner that does not permit personal asking the educational agency or each educational agency or institution,
identification of parents and students by institution to obtain a copy of the record such as school districts, to record each
individuals other than representatives of further disclosures. We believe that redisclosure made by an SEA or other
with legitimate interest of the this is only a minor paperwork burden State educational authority on its behalf
organization that conducts the study; for schools because it would involve imposes an unacceptable recordkeeping
require the organization to destroy the asking officials to whom they have burden on school districts and is
information or return to the educational disclosed education records for the impractical for State educational
agency or institution when it is no record of further disclosure or, in the authorities to adhere to in making
further disclosures on behalf of the Dated: December 2, 2008. information, means a record of one or
agency or institution. In response to Margaret Spellings, more measurable biological or
these comments, we are revising § 99.32 Secretary of Education. behavioral characteristics that can be
to require the State and local ■ For the reasons discussed in the used for automated recognition of an
educational authorities and Federal preamble, the Secretary amends part 99 individual. Examples include
officials listed in § 99.31(a)(3) to of title 34 of the Code of Federal fingerprints; retina and iris patterns;
maintain the record of further Regulations as follows: voiceprints; DNA sequence; facial
disclosures if the educational agency or characteristics; and handwriting.
institution does not do so and make it PART 99—FAMILY EDUCATIONAL (Authority: 20 U.S.C. 1232g)
available to the educational agency or RIGHTS AND PRIVACY * * * * *
institution upon request. We agree that
■ 1. The authority citation for part 99 Directory information means
by requiring State and Federal
continues to read as follows: information contained in an education
authorities and officials to record their
Authority: 20 U.S.C. 1232g, unless record of a student that would not
redisclosures in these circumstances
otherwise noted. generally be considered harmful or an
school districts will have less total
invasion of privacy if disclosed.
paperwork burden because schools will ■ 2. Section 99.2 is amended by revising (a) Directory information includes,
not have to comply with the the note following the authority citation but is not limited to, the student’s name;
recordkeeping requirement in these to read as follows: address; telephone listing; electronic
instances. mail address; photograph; date and
§ 99.2 What is the purpose of these
Assessment of Educational Impact regulations? place of birth; major field of study;
grade level; enrollment status (e.g.,
In the NPRM, and in accordance with * * * * *
undergraduate or graduate, full-time or
section 411 of the General Education Note to § 99.2: 34 CFR 300.610 through part-time); dates of attendance;
Provisions Act, 20 U.S.C. 1221e–4, we 300.626 contain requirements regarding the participation in officially recognized
requested comments on whether the confidentiality of information relating to
activities and sports; weight and height
proposed regulations would require children with disabilities who receive
evaluations, services or other benefits under of members of athletic teams; degrees,
transmission of information that any honors and awards received; and the
Part B of the Individuals with Disabilities
other agency or authority of the United most recent educational agency or
Education Act (IDEA). 34 CFR 303.402 and
States gathers or makes available. 303.460 identify the confidentiality of institution attended.
Based on the response to the NPRM information requirements regarding children (b) Directory information does not
and on our review, we have determined and infants and toddlers with disabilities and include a student’s—
that these final regulations do not their families who receive evaluations, (1) Social security number; or
require transmission of information that services, or other benefits under Part C of
IDEA. 34 CFR 300.610 through 300.627 (2) Student identification (ID)
any other agency or authority of the number, except as provided in
contain the confidentiality of information
United States gathers or makes requirements that apply to personally paragraph (c) of this section.
available. identifiable data, information, and records (c) Directory information includes a
Electronic Access to This Document collected or maintained pursuant to Part B of student ID number, user ID, or other
the IDEA. unique personal identifier used by the
You may view this document, as well student for purposes of accessing or
■ 3. Section 99.3 is amended by:
as all other Department of Education ■ A. Adding, in alphabetical order, a communicating in electronic systems,
documents published in the Federal definition of Biometric record. but only if the identifier cannot be used
Register, in text or Adobe Portable ■ B. Revising the definitions of to gain access to education records
Document Format (PDF) on the Internet Attendance, Directory information, except when used in conjunction with
at the following site: www.ed.gov/news/ Disclosure, and Personally identifiable one or more factors that authenticate the
fedregister. information. user’s identity, such as a personal
To use PDF you must have Adobe ■ C. In the definition of Education identification number (PIN), password,
Acrobat Reader, which is available free records, revising paragraph (b)(5) and or other factor known or possessed only
at this site. If you have questions about adding a new paragraph (b)(6). by the authorized user.
using PDF, call the U.S. Government These additions and revisions read as (Authority: 20 U.S.C. 1232g(a)(5)(A))
Printing Office (GPO), toll free, at 1– follows:
888–293–6498; or in the Washington, * * * * *
DC area at (202) 512–1530. § 99.3 What definitions apply to these Disclosure means to permit access to
regulations? or the release, transfer, or other
Note: The official version of this document communication of personally
is the document published in the Federal
* * * * *
Attendance includes, but is not identifiable information contained in
Register. Free Internet access to the official
edition of the Federal Register and the Code limited to— education records by any means,
of Federal Regulations is available on GPO (a) Attendance in person or by paper including oral, written, or electronic
Access at www.gpoaccess.gov/nara/ correspondence, videoconference, means, to any party except the party
index.html. satellite, Internet, or other electronic identified as the party that provided or
(Catalog of Federal Domestic Assistance
information and telecommunications created the record.
Number does not apply.) technologies for students who are not (Authority: 20 U.S.C. 1232g(b)(1) and (b)(2))
physically present in the classroom; and
List of Subjects in 34 CFR Part 99 * * * * *
(b) The period during which a person
is working under a work-study program. Education Records
Administrative practice and

procedure, Directory information, (Authority: 20 U.S.C. 1232g) * * * * *
Education records, Information, Parents, * * * * * (b) * * *
Privacy, Records, Social Security Biometric record, as used in the (5) Records created or received by an
Numbers, Students. definition of personally identifiable educational agency or institution after
an individual is no longer a student in ■ G. In paragraph (a)(9)(ii)(B), removing (6)(i) * * *

attendance and that are not directly the punctuation ‘‘.’’ and adding in its (ii) An educational agency or
related to the individual’s attendance as place the word ‘‘;or’’. institution may disclose information
a student. ■ H. Adding paragraph (a)(9)(ii)(C). under paragraph (a)(6)(i) of this section
(6) Grades on peer-graded papers ■ I. Adding paragraph (a)(16). only if—
before they are collected and recorded ■ J. Revising paragraph (b). (A) The study is conducted in a
by a teacher. ■ K. Adding paragraphs (c) and (d). manner that does not permit personal
■ L. Revising the authority citation at identification of parents and students by
* * * * * the end of the section. individuals other than representatives of
Personally Identifiable Information The additions and revisions read as the organization that have legitimate
follows: interests in the information;
The term includes, but is not limited
to— § 99.31 Under what conditions is prior (B) The information is destroyed
(a) The student’s name; consent not required to disclose when no longer needed for the purposes
(b) The name of the student’s parent information? for which the study was conducted; and
or other family members; (a) * * * (C) The educational agency or
(c) The address of the student or (1)(i)(A) * * * institution enters into a written
student’s family; (B) A contractor, consultant, agreement with the organization that—
(d) A personal identifier, such as the volunteer, or other party to whom an (1) Specifies the purpose, scope, and
student’s social security number, agency or institution has outsourced duration of the study or studies and the
student number, or biometric record; institutional services or functions may information to be disclosed;
(e) Other indirect identifiers, such as be considered a school official under (2) Requires the organization to use
the student’s date of birth, place of this paragraph provided that the outside personally identifiable information from
birth, and mother’s maiden name; party— education records only to meet the
(f) Other information that, alone or in (1) Performs an institutional service or purpose or purposes of the study as
combination, is linked or linkable to a function for which the agency or stated in the written agreement;
institution would otherwise use (3) Requires the organization to
specific student that would allow a
employees; conduct the study in a manner that does
reasonable person in the school
(2) Is under the direct control of the not permit personal identification of
community, who does not have personal
agency or institution with respect to the parents and students, as defined in this
knowledge of the relevant
use and maintenance of education part, by anyone other than
circumstances, to identify the student
records; and representatives of the organization with
with reasonable certainty; or
(g) Information requested by a person (3) Is subject to the requirements of legitimate interests;
who the educational agency or § 99.33(a) governing the use and and
institution reasonably believes knows redisclosure of personally identifiable (4) Requires the organization to
the identity of the student to whom the information from education records. destroy or return to the educational
education record relates. (ii) An educational agency or agency or institution all personally
institution must use reasonable methods identifiable information when the
(Authority: 20 U.S.C. 1232g) to ensure that school officials obtain information is no longer needed for the
* * * * * access to only those education records purposes for which the study was
■ 4. Section 99.5 is amended by in which they have legitimate conducted and specifies the time period
redesignating paragraph (a) as paragraph educational interests. An educational in which the information must be
(a)(1) and adding a new paragraph (a)(2) agency or institution that does not use returned or destroyed.
to read as follows: physical or technological access (iii) An educational agency or
controls must ensure that its institution is not required to initiate a
§ 99.5 What are the rights of students? administrative policy for controlling study or agree with or endorse the
(a)(1) * * * access to education records is effective conclusions or results of the study.
(2) Nothing in this section prevents an and that it remains in compliance with * * * * *
educational agency or institution from the legitimate educational interest (9) * * *
disclosing education records, or requirement in paragraph (a)(1)(i)(A) of (ii) * * *
personally identifiable information from this section. (C) An ex parte court order obtained
education records, to a parent without (2) The disclosure is, subject to the by the United States Attorney General
the prior written consent of an eligible requirements of § 99.34, to officials of (or designee not lower than an Assistant
student if the disclosure meets the another school, school system, or Attorney General) concerning
conditions in § 99.31(a)(8), institution of postsecondary education investigations or prosecutions of an
§ 99.31(a)(10), § 99.31(a)(15), or any where the student seeks or intends to offense listed in 18 U.S.C. 2332b(g)(5)(B)
other provision in § 99.31(a). enroll, or where the student is already or an act of domestic or international
* * * * * enrolled so long as the disclosure is for terrorism as defined in 18 U.S.C. 2331.
■ 5. Section 99.31 is amended by: purposes related to the student’s * * * * *
■ A. Redesignating paragraph (a)(1) as enrollment or transfer. (16) The disclosure concerns sex
paragraph (a)(1)(i)(A) and adding new Note: Section 4155(b) of the No Child Left offenders and other individuals required
paragraphs (a)(1)(i)(B) and (a)(1)(ii). Behind Act of 2001, 20 U.S.C. 7165(b), to register under section 170101 of the
■ B. Revising paragraph (a)(2). requires each State to assure the Secretary of Violent Crime Control and Law
■ C. Redesignating paragraphs (a)(6)(iii) Education that it has a procedure in place to Enforcement Act of 1994, 42 U.S.C.
and (a)(6)(iv) as paragraphs (a)(6)(iv) facilitate the transfer of disciplinary records 14071, and the information was
with respect to a suspension or expulsion of
and (a)(6)(v), respectively. a student by a local educational agency to

provided to the educational agency or
■ D. Revising paragraph (a)(6)(ii). any private or public elementary or institution under 42 U.S.C. 14071 and
■ E. Adding a new paragraph (a)(6)(iii). secondary school in which the student is applicable Federal guidelines.
■ F. In paragraph (a)(9)(ii)(A), removing subsequently enrolled or seeks, intends, or is (b)(1) De-identified records and
the word ‘‘or’’ after the punctuation ‘‘;’’. instructed to enroll. information. An educational agency or
institution, or a party that has received ■ E. Adding a new paragraph (b)(2). (B) Another State or local educational
education records or information from ■ F. Revising paragraph (d)(5). authority or Federal official or agency
education records under this part, may The additions and revisions read as listed in § 99.31(a)(3).
release the records or information follows: (ii) A State or local educational
without the consent required by § 99.30 authority or Federal official or agency
after the removal of all personally § 99.32 What recordkeeping requirements that records further disclosures of
identifiable information provided that exist concerning requests and disclosures? information under paragraph (b)(2)(i) of
the educational agency or institution or (a)(1) An educational agency or this section may maintain the record by
other party has made a reasonable institution must maintain a record of the student’s class, school, district, or
determination that a student’s identity each request for access to and each other appropriate grouping rather than
is not personally identifiable, whether disclosure of personally identifiable by the name of the student.
through single or multiple releases, and information from the education records (iii) Upon request of an educational
taking into account other reasonably of each student, as well as the names of agency or institution, a State or local
available information. State and local educational authorities educational authority or Federal official
(2) An educational agency or and Federal officials and agencies listed or agency listed in § 99.31(a)(3) that
institution, or a party that has received in § 99.31(a)(3) that may make further maintains a record of further disclosures
education records or information from disclosures of personally identifiable under paragraph (b)(2)(i) of this section
education records under this part, may information from the student’s must provide a copy of the record of
release de-identified student level data education records without consent further disclosures to the educational
from education records for the purpose under § 99.33(b). agency or institution within a
of education research by attaching a * * * * * reasonable period of time not to exceed
code to each record that may allow the (4) An educational agency or 30 days.
recipient to match information received institution must obtain a copy of the * * * * *
from the same source, provided that— record of further disclosures maintained (d) * * *
(i) An educational agency or (5) A party seeking or receiving
under paragraph (b)(2) of this section
institution or other party that releases records in accordance with
and make it available in response to a
de-identified data under paragraph § 99.31(a)(9)(ii)(A) through (C).
parent’s or eligible student’s request to
(b)(2) of this section does not disclose * * * * *
review the record required under
any information about how it generates
paragraph (a)(1) of this section. ■ 7. Section 99.33 is amended by
and assigns a record code, or that would
allow a recipient to identify a student (5) An educational agency or revising paragraphs (b), (c), (d), and (e)
based on a record code; institution must record the following to read as follows:
(ii) The record code is used for no information when it discloses * * * * *
purpose other than identifying a de- personally identifiable information from
education records under the health or § 99.33 What limitations apply to the
identified record for purposes of redisclosure of information?
education research and cannot be used safety emergency exception in
§ 99.31(a)(10) and § 99.36: * * * * *
to ascertain personally identifiable
(i) The articulable and significant (b)(1) Paragraph (a) of this section
information about a student; and
(iii) The record code is not based on threat to the health or safety of a student does not prevent an educational agency
a student’s social security number or or other individuals that formed the or institution from disclosing personally
other personal information. basis for the disclosure; and identifiable information with the
(c) An educational agency or (ii) The parties to whom the agency or understanding that the party receiving
institution must use reasonable methods institution disclosed the information. the information may make further
to identify and authenticate the identity disclosures of the information on behalf
(b)(1) Except as provided in paragraph
of parents, students, school officials, of the educational agency or institution
(b)(2) of this section, if an educational
and any other parties to whom the if—
agency or institution discloses
agency or institution discloses (i) The disclosures meet the
personally identifiable information from
personally identifiable information from requirements of § 99.31; and
education records with the
education records. (ii)(A) The educational agency or
understanding authorized under
(d) Paragraphs (a) and (b) of this institution has complied with the
§ 99.33(b), the record of the disclosure
section do not require an educational requirements of § 99.32(b); or
required under this section must
agency or institution or any other party (B) A State or local educational
include:
to disclose education records or authority or Federal official or agency
* * * * * listed in § 99.31(a)(3) has complied with
information from education records to (2)(i) A State or local educational
any party. the requirements of § 99.32(b)(2).
authority or Federal official or agency (2) A party that receives a court order
(Authority: 20 U.S.C. 1232g(a)(5)(A), (b), (h), listed in § 99.31(a)(3) that makes further or lawfully issued subpoena and
(i), and (j)). disclosures of information from rediscloses personally identifiable
■ 6. Section 99.32 is amended by: education records under § 99.33(b) must information from education records on
■ A. Revising paragraph (a)(1). record the names of the additional behalf of an educational agency or
■ B. Adding new paragraphs (a)(4) and parties to which it discloses information institution in response to that order or
(a)(5). on behalf of an educational agency or subpoena under § 99.31(a)(9) must
■ C. Redesignating paragraphs (b)(1) and institution and their legitimate interests provide the notification required under
(b)(2) as paragraphs (b)(1)(i) and in the information under § 99.31 if the § 99.31(a)(9)(ii).
(b)(1)(ii) and redesignating paragraph information was received from: (c) Paragraph (a) of this section does
(b), introductory text, as paragraph (A) An educational agency or not apply to disclosures under
(b)(1). institution that has not recorded the §§ 99.31(a)(8), (9), (11), (12), (14), (15),
■ D. Revising newly redesignated further disclosures under paragraph and (16), and to information that
paragraph (b)(1). (b)(1) of this section; or postsecondary institutions are required
to disclose under the Jeanne Clery requirements that relate to those § 99.37 What conditions apply to
Disclosure of Campus Security Policy programs. disclosing directory information?
and Campus Crime Statistics Act, 20 (2) Authority for an agency or official * * * * *
U.S.C. 1092(f) (Clery Act), to the accuser listed in § 99.31(a)(3) to conduct an (b) An educational agency or
and accused regarding the outcome of audit, evaluation, or compliance or institution may disclose directory
any campus disciplinary proceeding enforcement activity is not conferred by information about former students
brought alleging a sexual offense. the Act or this part and must be without complying with the notice and
(d) An educational agency or established under other Federal, State, opt out conditions in paragraph (a) of
institution must inform a party to whom or local authority. this section. However, the agency or
disclosure is made of the requirements (b) * * * institution must continue to honor any
of paragraph (a) of this section except (1) Be protected in a manner that does valid request to opt out of the disclosure
for disclosures made under not permit personal identification of of directory information made while a
§§ 99.31(a)(8), (9), (11), (12), (14), (15), individuals by anyone other than the student was in attendance unless the
and (16), and to information that officials or agencies headed by officials student rescinds the opt out request.
postsecondary institutions are required referred to in paragraph (a) of this (c) A parent or eligible student may
to disclose under the Clery Act to the section, except that those officials and not use the right under paragraph (a)(2)
accuser and accused regarding the agencies may make further disclosures of this section to opt out of directory
outcome of any campus disciplinary of personally identifiable information information disclosures to prevent an
proceeding brought alleging a sexual from education records on behalf of the educational agency or institution from
offense. educational agency or institution in disclosing or requiring a student to
accordance with the requirements of disclose the student’s name, identifier,
(e) If this Office determines that a
§ 99.33(b); and or institutional e-mail address in a class
third party outside the educational
agency or institution improperly * * * * * in which the student is enrolled.
rediscloses personally identifiable ■ 10. Section 99.36 is amended by (d) An educational agency or
information from education records in revising paragraphs (a) and (c) to read as institution may not disclose or confirm
violation of this section, or fails to follows: directory information without meeting
provide the notification required under § 99.36 What conditions apply to
the written consent requirements in
paragraph (b)(2) of this section, the disclosure of information in health and § 99.30 if a student’s social security
educational agency or institution may safety emergencies? number or other non-directory
not allow that third party access to (a) An educational agency or information is used alone or combined
personally identifiable information from institution may disclose personally with other data elements to identify or
education records for at least five years. identifiable information from an help identify the student or the
* * * * * education record to appropriate parties, student’s records.
■ 8. Section 99.34 is amended by including parents of an eligible student, * * * * *
revising paragraph (a)(1)(ii) to read as in connection with an emergency if ■ 12. Section 99.62 is revised to read as
follows: knowledge of the information is follows:
necessary to protect the health or safety
§ 99.34 What conditions apply to of the student or other individuals. § 99.62 What information must an
disclosure of information to other educational agency or institution submit to
educational agencies and institutions?
* * * * * the Office?
(c) In making a determination under
(a) * * * paragraph (a) of this section, an The Office may require an educational
(1) * * * educational agency or institution may agency or institution to submit reports,
(ii) The annual notification of the take into account the totality of the information on policies and procedures,
agency or institution under § 99.7 circumstances pertaining to a threat to annual notifications, training materials,
includes a notice that the agency or the health or safety of a student or other and other information necessary to carry
institution forwards education records individuals. If the educational agency or out its enforcement responsibilities
to other agencies or institutions that institution determines that there is an under the Act or this part.
have requested the records and in which articulable and significant threat to the (Authority: 20 U.S.C. 1232g(f) and (g))
the student seeks or intends to enroll or health or safety of a student or other
is already enrolled so long as the individuals, it may disclose information § 99.63 [Amended]
disclosure is for purposes related to the from education records to any person ■ 13. Section 99.63 is amended by
student’s enrollment or transfer; whose knowledge of the information is removing the mail code designation
* * * * * necessary to protect the health or safety ‘‘4605’’ before the punctuation ‘‘.’’
■ 9. Section 99.35 is amended by
of the student or other individuals. If, ■ 14. Section 99.64 is amended by:
revising paragraphs (a) and (b)(1) to read based on the information available at ■ A. Revising the section heading.
as follows: the time of the determination, there is ■ B. Revising paragraphs (a) and (b).
a rational basis for the determination, The revisions read as follows:
§ 99.35 What conditions apply to the Department will not substitute its
disclosure of information for Federal or judgment for that of the educational § 99.64 What is the investigation
State program purposes? agency or institution in evaluating the procedure?
(a)(1) Authorized representatives of circumstances and making its (a) A complaint must contain specific
the officials or agencies headed by determination. allegations of fact giving reasonable
officials listed in § 99.31(a)(3) may have * * * * * cause to believe that a violation of the
access to education records in ■ 11. Section 99.37 is amended by: Act or this part has occurred. A
connection with an audit or evaluation ■ A. Revising paragraph (b). complaint does not have to allege that
of Federal or State supported education ■ B. Adding new paragraphs (c) and (d). a violation is based on a policy or
programs, or for the enforcement of or The revision and additions read as practice of the educational agency or
compliance with Federal legal follows: institution.
(b) The Office investigates a timely (2) Directs the agency or institution to (c) If the Office finds that an
complaint filed by a parent or eligible submit a written response and other educational agency or institution has
student, or conducts its own relevant information, as set forth in not complied with a provision of the
investigation when no complaint has § 99.62, within a specified period of Act or this part, it may also find that the
been filed or a complaint has been time, including information about its failure to comply was based on a policy
withdrawn, to determine whether an policies and practices regarding or practice of the agency or institution.
educational agency or institution has education records. A notice of findings issued under
failed to comply with a provision of the (b) The Office notifies the paragraph (b) of this section to an
Act or this part. If the Office determines complainant if it does not initiate an educational agency or institution that
that an educational agency or institution investigation because the complaint has not complied with a provision of the
has failed to comply with a provision of fails to meet the requirements of § 99.64.
Act or this part—
the Act or this part, it may also (Authority: 20 U.S.C. 1232g(g))
determine whether the failure to comply * * * * *
is based on a policy or practice of the ■ 16. Section 99.66 is amended by
■ 17. Section 99.67 is amended by
agency or institution. revising paragraphs (a), (b), and the
revising paragraph (a) to read as follows:
introductory text of paragraph (c) to
* * * * * read as follows: § 99.67 How does the Secretary enforce
■ 15. Section 99.65 is revised to read as decisions?
§ 99.66 What are the responsibilities of the
follows: Office in the enforcement process? (a) If an educational agency or
§ 99.65 What is the content of the notice of (a) The Office reviews a complaint, if institution does not comply during the
investigation issued by the Office? any, information submitted by the period of time set under § 99.66(c), the
educational agency or institution, and Secretary may take any legally available
(a) The Office notifies the any other relevant information. The
complainant, if any, and the educational enforcement action in accordance with
Office may permit the parties to submit the Act, including, but not limited to,
agency or institution in writing if it further written or oral arguments or
initiates an investigation under the following enforcement actions
information. available in accordance with part E of
§ 99.64(b). The notice to the educational (b) Following its investigation, the
agency or institution— the General Education Provisions Act—
Office provides to the complainant, if
(1) Includes the substance of the any, and the educational agency or * * * * *
allegations against the educational institution a written notice of its [FR Doc. E8–28864 Filed 12–8–08; 8:45 am]
agency or institution; and findings and the basis for its findings. BILLING CODE 4000–01–P

FERPA December 2008 Regs

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FERPA December 2008 Regs

Uploaded by

Copyright:

Available Formats

Tuesday,

only gain access to education records in

institution’s electronic communications unauthorized disclosure of information information includes a student ID

information by outside service providers the student’s SSN to confirm enrollment

institutions maintain a listing in each often referred to as the ‘‘studies

that researchers should be permitted to parents and eligible students provide

an educational agency or institution to identifiable information includes

administrative cost of $6,730. the student is no longer in attendance.

Administrative practice and

an individual is no longer a student in ■ G. In paragraph (a)(9)(ii)(B), removing (6)(i) * * *

and (a)(6)(v), respectively. a student by a local educational agency to

You might also like