Click for Text-Only version
Back to CUA Home
The Catholic University of America - Campus Legal Clearinghouse
 
 
Collage of Pictures

Affirmative Action

ADA Compliance

Copyright

Employment

Environment

FERPA
Quick Clicks
FedLaw
Publications, Video, & Web Tutorials
Q & A
Resources, Forms, & Checklists 		 

GLB/Security

Harassment

HIPAA

Immigration

Religious Issues

Research & Patents

Student Life Issues

IDEA Scholarships

Campus Security

Tax
CLIC Home        CUA Policies        Text-Only        FedLaw        DC Law        Compliance Calendar       Compliance Partners        Links

Welcome to the FERPA section of our webpage.  This front page will reflect our most current information on federal student records law affecting educational institutions.

 


Data Security Terms for a Contract with an Outside Party: Suggestions for meeting the Direct Control Standard in the Dec. 2008 FERPA regulations

Changes in Institutional Policy and Practice to meet terms of December 2008 regulations

 

Final FERPA Regulations, 73 Fed. Reg. 74805 Dec. 9th, 2008
In a very lengthy document the Department of Education issued the final FERPA regulations which put into code a number of changes and clarifications to the law on student education record privacy.  Some of the guidance is simply a clarification of best practices, and a reiteration of stances already taken by the Family Policy Compliance Office in Dear Colleague Letters. The changes clarify disclosures in a health and safety emergency, removing strict construction of this exception, and allowing disclosure if there is an articulable and significant threat to the health or safety of a student or other individual. If so, the information necessary may be disclosed to parents or any person whose knowledge of the information is necessary to protect the health or safety of the student or other individuals. Schools must record information concerning the circumstance of the emergency.

 

The definition of *attendance* is clarified to include new technology methods of attending, and now reads: Attendance includes, but is not limited to--    (a) Attendance in person or by paper correspondence, videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom; and     (b) The period during which a person is working under a work-study program.

 

In a change that will make life easier for information technology personnel, among others, the Dept. of Education clarified that a unique student identifier (but not an SSN) may be treated as directory information under the FERPA regulations as long as the identifier cannot be used to access records or communicate electronically without one or more additional factors to authenticate the user's identity. The guidance notes that an institution may decide to make students' electronic identifiers and email addresses available within the institution but not release them to the general public as directory info.

 

The regulations incorporate the Supreme Court decision in Owasso v. Falvo and clarify that education record does not include grades on peer graded papers before they are collected and recorded by a teacher (i.e. maintained by the institution). The department reiterates earlier guidance on how to ascertain whether or not a student is a dependent. The school may rely upon the student's assertion as to dependent status and a model form has been developed to assist the school in obtaining this information. 

Of special interest to many schools will be the new text and preamble on outsourcing. Prior consent is not required to disclose education record information to a contractor, consultant, volunteer, or other party to whom an agency or institution has outsourced institutional services or functions. The contractor, consultant or volunteer may be considered a school official under this paragraph provided that the outside party--

    (1) Performs an institutional service or function for which the agency or institution would otherwise use employees;
    (2) Is under the direct control of the agency or institution with respect to the use and maintenance of education records; and
    (3) Is subject to the requirements of Sec.  99.33(a) governing the use and redisclosure of personally identifiable information from education records.

The preamble notes "Exercising direct control could prove more challenging in some situations than others." While the phrase *direct control* was kept in the final regulations, the Dept. does seem to aim to strike a balance when discussing direct control in the preamble.  Best practices in this area will likely develop over time.

 

Schools will need to look at how they plan to document decisions on sharing information under the health and safety emergency. Schools should note that they must put in each student's record the list of State and local educational authorities and Federal officials and agencies that may make further disclosure of the student's education record without consent.

The regulations take effect January 8th, 2009. For a full write up of the regulations, see the article titled Education Dept. Releases New Rules on Student-Privacy Law, Giving Colleges More Room for Judgment by Sara Lipka published in the December 9th, 2008 Chronicle of Higher Education. (note to reader: The above link is good for five days, then you need a subscription or access to LEXIS NEXIS to pull up the article. )

 

 

 

Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA) to Student Health Records Issued November 2008.  The guidance addresses the interplay between FERPA and the HIPAA Privacy Rule at elementary and secondary levels, as well as at the postsecondary level and addresses many of the questions raised by school officials, health care professionals, and others regarding the applicability of these two laws to records maintained on students.  It also addresses certain disclosures that are allowed without consent or authorization under both laws, especially those related to health and safety emergency situations.

 

Changes in Institutional Practices: This document was prepared for the NACUA Annual Conference June 2008 and contains suggested changes schools can make in FERPA policy/practice both prior to and after the final FERPA regulations are adopted.

 

Data Security Addendum: This is a sample data security addendum that can be used with outside vendors who will have access to education records.

 

ACE Comments on Proposed FERPA regs (dated May 8th, 2008)

 

Chart on Proposed Regulations: George Washington University Office of General Counsel

This chart summarizes current regulations, key changes to the regulations, and the reasons for the proposed changes. Provided courtesy of Office of General Counsel at GW.


 

 Proposed FERPA Regulations: March 24, 2008

 

University of North Carolina Safety Task Force Report: November 2007 Report from the UNC Campus Safety Task Force. There is an excellent discussion of FERPA, HIPAA and local law in Appendix A to the Working Group Appendices titled Sharing Information Concerning University Students when there is a Perceived Risk of Danger to Self or Others, Summary of Applicable Law.

 

FPCO/Dept of Education: Guidance on FERPA and Health or Safety Emergencies : This web page includes brochures and other resources on release of education records in emergency situations. The brochure for postsecondary includes clarification of when disclosure may be made to parents.  

 

Sept. 7, 2007 letter from Dept. of Education: Information for Financial Aid Professionals
Letter re FERPA, Open Records, and Student Lending Associations. Clarifies FERPA non-disclosure rules in light of attempts by student lending associations to obtain student information under Open Records law.

FERPA and Campus Safety: NACUANOTE August 2007  NACUA members Steve McDonald and Nancy Tribbensee have prepared an excellent Q&A on the topic of FERPA and Campus Safety to assist Student Life and other personnel on campus who seek clarity on the issue. See also the Inside Higher Ed article dated August 7th, 2007 and titled FERPA Allows More than You May Realize. This article is the on the same topic by the same authors.

Clarification by FPCO on Disclosure of Information from Education Records to Parents of Postsecondary Students: Posted Summer 2007: Guidance Clarifying that FERPA does allow release of information to parents of college students when the student is a dependent for tax purposes; in a health or safety emergency, in certain drug and alcohol incidents, and in addition, may disclose law enforcement records to anyone when the records kept by the campus security office are kept solely for law enforcement purposes. The guidance also notes as follows:

 

Nothing in FERPA prohibits a school official from sharing with parents information that is based on that official's personal knowledge or observation and that is not based on information contained in an education record. Therefore, FERPA would not prohibit a teacher or other school official from letting a parent know of their concern about their son or daughter that is based on their personal knowledge or observation.

 

FPCO Letters from 2002 through June 2007: This page indexes and contains links to technical assistance letters issued by the Family Policy Compliance Office. The letters were obtained by a Freedom of Information request made by the Office of General Counsel at the Catholic University of America.

 

Guidelines to Responding to Compulsory Legal Requests for Information:  By Steven McDonald and Andrea Nixon
Includes information on responding to subpoenas, search warrants, court orders, National Security Letters, and Public Records Requests.




links updated 6/27/08 rab

 



Last Revised 05-Feb-09 10:41 AM.