The Catholic University of America

Family Educational Rights and Privacy; Proposed Rule, 73 Fed. Reg. 15573 (March 24, 2008)

These proposed regulations summarize and bring together changes necessitated by statute as well as Supreme Court decisions in Owasso Independent School District v. Falvo, and Gonzaga University v. Doe. In addition, the proposed regulations seek to codify positions that the Family Policy Compliance Office has addressed in informal guidance over the past few years. Comments are due on or before May 8, 2008. The regulations address changes brought about by information technology, and clarify when information may be shared with parents and other parties, in response to the shootings in April 2007 at Virginia Tech.

Short summary of proposed changes

Attendance: The proposed regulations in Sec. 99.3 would add attendance by videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom.

Directory Information: The proposed regulations would provide that an educational agency or institution may not designate as directory information a student's SSN or other student ID number. However, directory information may include a student's user ID or other unique identifier used by the student to access or communicate in electronic systems, but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student. (See November 5, 2004 FPCO Letter to UW River Falls.) The FPCO recognizes that directory-based software used for student record systems, as well as electronic collaboration by students and teachers, necessitates this approach. The identifier cannot be disclosed as directory information if it can be used by itself to authenticate identity or to gain access to education records.

Disclosure: The proposed regulations would exclude from the definition of disclosure the release or return of an education record, or personally identifiable information from an education record, to the party identified as the party that provided or created the record. This clarifies that a school can send a letter of recommendation that appears to have been falsified back to the school official identified as the creator of the record, for confirmation of official status.

Education Records: The proposed regulations would clarify that, with respect to former students, the term education records excludes records that are created or received by the educational agency or institution after an individual is no longer a student in attendance and are not directly related to the individual's attendance as a student. The proposed regulations are needed to clarify that the exclusion is intended to cover records that concern an individual or events that occur after the individual is no longer a student in attendance, such as alumni activities. The exclusion is not intended to cover records that are created and matters that occur after an individual is no longer in attendance but that are directly related to his or her previous attendance as a student, such as a settlement agreement that concerns matters that arose while the individual was in attendance as a student.

Proposed regulations in Sec. 99.3 would clarify that peer-graded papers that have not been collected and recorded by a teacher are not considered maintained by an educational agency or institution and, therefore, are not education records under FERPA. See Owasso v. Falvo.

Personally Identifiable Information: The proposed regulations would add biometric record to the list of personal identifiers and add other indirect identifiers, such as date and place of birth and mother's maiden name, to the list of personally identifiable information. The regulations would remove language about personal characteristics and other information that would make the student's identity easily traceable and provide instead that personally identifiable information includes other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. PII would also include information requested by a person who the school reasonably believes has direct knowledge of the identity of the student to whom the record directly relates.

State Auditor: The proposed regulations in Sec. 99.3 would define State auditor as a party under any branch of government with authority and responsibility under State law for conducting audits, and clarify that State auditors that are not State or local educational authorities may have access to education records in connection with an audit of Federal or State supported education programs.

Disclosure to Parents: The proposed regulations in Sec. 99.36(a) would clarify that an eligible student's parents are appropriate parties to whom an educational agency or institution may disclose personally identifiable information from education records without consent in a health or safety emergency. There is also a reiteration that schools can rely on parents' tax returns (showing the student is a dependent) in order to disclose info to parents when the student has not given consent. Institutions can also rely on a student's assertion that he or she is not a dependent unless the parent provides contrary evidence. See CUA OGC Q and A on this. The Dept. of Education is making it clear that FERPA does not mandate a policy of non-disclosure to parents (or other necessary parties) in health and safety emergencies.

Authorized Disclosure of Education Records Without Prior Written Consent
The proposed regulations in Sec. 99.31(a)(1)(i)(B) would expand the school official exception to include contractors, consultants, volunteers, and other outside parties to whom an educational agency or institution has outsourced institutional services or functions that it would otherwise use employees to perform. The outside party who obtains access to education records without consent must be under the direct control of the agency or institution and subject to the same conditions governing the use and redisclosure of education records that apply to other school officials under Sec. 99.33(a) of the regulations. These proposed regulations supersede previous technical assistance guidance issued by the Family Policy Compliance Office (Office) regarding disclosure of education records without consent to parties acting for an educational agency or institution.

Educational agencies and institutions that outsource institutional services and functions must comply with the annual FERPA notification requirements under the current regulations in Sec. 99.7(a)(3)(iii) by specifying their contractors, consultants, and volunteers as school officials retained to provide various institutional services and functions. An educational agency or institution that has not included contractors and other outside service providers as school officials with legitimate educational interests in its annual FERPA notification may not disclose any personally identifiable information from education records to these parties until it has complied with the notice requirements in Sec. 99.7(a)(3)(iii).

Educational agencies and institutions are responsible for their outside service providers' failures to comply with applicable FERPA requirements. The agency or institution must ensure that the outside party does not use or allow anyone to obtain access to personally identifiable information from education records except in strict accordance with the requirements established by the educational agency or institution that discloses the information. (Editor's note: Query if this goes beyond having a contract in place addressing this concern (i.e., not allowing NSLC to use SSN as a prompt) but also would require an audit of the contractor's practices.)

Access to Education Records by School Officials: The proposed regulations in Sec. 99.31(a)(1)(ii) would require an educational agency or institution to use reasonable methods to ensure that teachers and other school officials obtain access to only those education records in which they have legitimate educational interests. These controls should consist of a combination of appropriate physical, technical, administrative, and operational controls which will allow access to be limited when required.

The proposed regulations reference but do not require compliance with The National Institute of Standards and Technology (NIST) 800-53, Recommended Security Controls for Federal Information Systems (December 2007). An agency or institution may wish to restrict or track school officials who obtain access to education records to ensure that it is in compliance with Sec. 99.31(a)(1)(i)(A).
Methods used by an educational agency or institution to ensure compliance with the legitimate educational interests requirement are considered reasonable under the proposed regulations if they reduce the risk of unauthorized access by school officials to a level commensurate with the likely threat and potential harm. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will occur, the more protections an agency or institution must use to ensure that its methods are reasonable. In all cases, reasonableness depends ultimately on what are the usual and customary good business practices of educational agencies and institutions, which requires ongoing review and modification of methods and procedures, where appropriate, as standards and technologies continue to change.

Disclosure to a School Where Student Seeks or Intends To Enroll: The proposed regulations in Sec. 99.31(a)(2) would allow an educational agency or institution to disclose education records, without consent, to another institution even after a student has already enrolled or transferred, and not just if the student seeks or intends to enroll, if the disclosure is for purposes related to the student's enrollment or transfer. An educational agency or institution may update, correct, or explain information it has disclosed to another educational agency or institution as part of the original disclosure under Sec. 99.31(a)(2) without complying with the written consent requirements in Sec. 99.30.

In the aftermath of the shooting at Virginia Tech, some questions have arisen about whether FERPA prohibits the disclosure of certain types of information from students' education records to new schools or postsecondary institutions to which they have applied. The proposed regs clarify that FERPA permits school officials to disclose any and all education records, including health and disciplinary records, to another institution where the student seeks or intends to enroll.

Organizations Conducting Studies for or on Behalf of an Educational Agency or Institution
The proposed regulations require an educational agency or institution that discloses education records without consent under Sec. 99.31(a)(6) to enter into a written agreement with the recipient organization that specifies the purposes of the study. This exception to the consent requirement is intended to allow educational agencies and institutions to retain the services of outside organizations (or individuals) to conduct studies for or on their behalf to develop, validate, or administer predictive tests; administer student aid programs; or improve instruction. An educational agency or institution need not initiate research requests or agree with or endorse a study's results and conclusions under this exception. However, the statutory language "for, or on behalf of" indicates that the disclosing agency or institution agrees with the purposes of the study and retains control over the information from education records that is disclosed.

USA Patriot Act
The proposed regulations add new exceptions to the written consent requirement in Sec. 99.31(a)(9)(ii) and the recordkeeping requirement in Sec. 99.32(a) allowing disclosure of education records without notice in compliance with an ex parte court order obtained by the Attorney General (or designee) concerning investigations or prosecutions of an offense listed in 18 U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism defined in 18 U.S.C. 2331.

The Campus Sex Crimes Prevention Act (CSCPA)
The proposed regulations add a new exception to the consent requirement in Sec. 99.31(a)(16) that permits an educational agency or institution to disclose information that the agency or institution received under a State community notification program about a student who is required to register as a sex offender in the State. Note that nothing in FERPA or these proposed regulations requires or encourages an educational agency or institution to collect or maintain information about registered sex offenders.

De-Identification of Information
The proposed regulations would amend Sec. 99.31(b) to provide objective standards under which educational agencies and institutions may release, without consent, education records, or information from education records, that has been de-identified through the removal of all personally identifiable information. Accordingly, there is no "disclosure" under FERPA when education records are released if all identifiers have been removed, along with other personally identifiable information. The proposed regulations are needed to establish this guidance in a definitive and legally binding interpretation, and to provide standards for ensuring that a student's personally identifiable information is not disclosed.

The Department's November 18, 2004, letter to the Tennessee Department of Education (TNDOE) explains that an educational agency or institution may release for educational research purposes (without parental consent) anonymous data files, i.e., records from which all personally identifiable information has been removed but that have coded each student's record with a non-personal identifier as described in the letter. (Records or data that have been stripped of identifiers and coded may be re-identified and, therefore, are properly characterized as de-identified.) Under the guidance in the TNDOE letter, a party must ensure that the identity of any student cannot be determined in coded records, including assurances of sufficient cell and subgroup size, and the linking key that connects the code to student information must not be shared with the requesting entity.

Additionally, personally identifiable information includes information that is requested by a person who an agency or institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates. This is known as a targeted request. In the simplest case, if an individual asks for the disciplinary report for a named student, the institution may not release a redacted copy of the report because the requester knows the identity of the student who is the subject of the report.

There are several steps that can assist with de-identifying any data release. The choice of methods depends on the nature of the data release that must be de-identified. First, covered entities should recognize that the re-identification risk of any given release is cumulative, i.e., directly related to what has previously been released. Second, covered entities should minimize information released in directories to the extent possible. Third, covered entities should apply a consistent de-identification strategy for all of their data releases of a similar type. The two major types of data release are aggregated data (such as tables showing numbers of enrolled students by race, age and sex) and microdata (such as individual level student assessment results by grade and school). There are several acceptable de-identification strategies for each type of data.

Major methods used by the Department for tabular data include defining a minimum cell size (meaning no results will be released for any cell of a table with a number smaller than "X" or else cells are aggregated until no cells based on one or two cases remain) or controlled rounding (meaning that cells with a number smaller than "X" require that numbers in the affected rows and columns be rounded so that the totals remain unchanged). For microdata releases, the primary consideration is whether the proposed release contains any "unique" individuals whose identity can be deduced by the combination of variables in the file.

In order to permit ongoing educational research with the same data, the party that releases the information may attach a unique descriptor to each de-identified record that will allow the recipient to match other de-identified information received from the same source. However, the recipient may not be allowed to have access to any information about how the descriptor is generated and assigned, or that would allow it to match the information from education records with data from any other source, unless that data is de-identified and coded by the party that discloses education records. Furthermore, a record descriptor assigned for educational research purposes under this rule may not be based on a student's social security number. Educational agencies and institutions should monitor releases of coded, de-identified microdata and take reasonable measures to ensure that overlapping or successive releases do not result in data sets in which a student's personally identifiable information is disclosed.
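
The minimum cell size rule, the microdata uniqueness check, and the record descriptor described above can be sketched in Python as follows. This is an added example, not code from the Department or from the original page. The threshold of 3, the field names, the sample records, and the choice to withhold at-risk records from a release are all assumptions made for illustration.

```python
import secrets
from collections import Counter

MIN_CELL = 3  # assumed value for the threshold "X"; the page gives no number


def suppress_small_cells(table, min_cell=MIN_CELL):
    """Minimum cell size: withhold (None) every count smaller than min_cell."""
    return {cell: (n if n >= min_cell else None) for cell, n in table.items()}


def unique_records(rows, quasi_identifiers, min_group=MIN_CELL):
    """Microdata check: return rows whose combination of quasi-identifier
    values is shared by fewer than min_group records in the file."""
    def combo(row):
        return tuple(row[q] for q in quasi_identifiers)
    counts = Counter(combo(r) for r in rows)
    return [r for r in rows if counts[combo(r)] < min_group]


def code_records(rows, direct_identifiers, linking_key=None):
    """Strip direct identifiers and attach a random record descriptor.

    The descriptor comes from the OS random source, so it is not derived
    from the SSN or any other field. linking_key (internal id -> descriptor)
    stays with the releasing party; passing it back in for a later release
    gives the same student the same descriptor.
    """
    linking_key = {} if linking_key is None else linking_key
    released = []
    for row in rows:
        internal_id = row["student_id"]
        if internal_id not in linking_key:
            linking_key[internal_id] = secrets.token_hex(8)
        out = {k: v for k, v in row.items() if k not in direct_identifiers}
        out["descriptor"] = linking_key[internal_id]
        released.append(out)
    return released, linking_key


# Constructed sample data (not real records).
ENROLLMENT = {("grade 9", "F"): 41, ("grade 9", "M"): 38,
              ("grade 10", "F"): 2, ("grade 10", "M"): 40}

STUDENTS = [
    {"student_id": "s1", "ssn": "000-00-0001", "name": "A", "grade": 9, "zip": "20001", "score": 71},
    {"student_id": "s2", "ssn": "000-00-0002", "name": "B", "grade": 9, "zip": "20001", "score": 88},
    {"student_id": "s3", "ssn": "000-00-0003", "name": "C", "grade": 9, "zip": "20001", "score": 64},
    {"student_id": "s4", "ssn": "000-00-0004", "name": "D", "grade": 10, "zip": "20002", "score": 90},
    {"student_id": "s5", "ssn": "000-00-0005", "name": "E", "grade": 10, "zip": "20002", "score": 77},
    {"student_id": "s6", "ssn": "000-00-0006", "name": "F", "grade": 10, "zip": "20002", "score": 59},
    {"student_id": "s7", "ssn": "000-00-0007", "name": "G", "grade": 10, "zip": "20017", "score": 93},
]
DIRECT_IDENTIFIERS = {"student_id", "ssn", "name"}
QUASI_IDENTIFIERS = ["grade", "zip"]


def prepare_release(rows, linking_key=None):
    """Withhold records that are unique on the quasi-identifiers (an assumed
    policy), then strip direct identifiers and code what remains."""
    at_risk = unique_records(rows, QUASI_IDENTIFIERS)
    safe = [r for r in rows if r not in at_risk]
    return code_records(safe, DIRECT_IDENTIFIERS, linking_key)


if __name__ == "__main__":
    print(suppress_small_cells(ENROLLMENT))
    print([r["student_id"] for r in unique_records(STUDENTS, QUASI_IDENTIFIERS)])
    released, key = prepare_release(STUDENTS)
    for record in released:
        print(record)
```

If row or column totals are published with the table, a withheld cell can be recomputed by subtraction, so the totals need the same treatment.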

Identification and Authentication of Identity
The proposed regulations in Sec. 99.31(c) would require an educational agency or institution to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the agency or institution discloses personally identifiable information from education records.

Authentication of identity generally involves requiring a user to provide something that only the user knows, such as a PIN, password, or answer to a personal question; something that only the user has, such as a smart card or token; or a biometric factor associated with no one other than the user, such as a finger, iris, or voice print. Under the proposed regulations an educational agency or institution may determine that single-factor authentication, such as a standard form user name combined with a secret PIN or password, is reasonable for protecting access to electronic grades and transcripts. Single-factor authentication may not be reasonable, however, for protecting access to SSNs, credit card numbers, and similar information that could be used for identity theft and financial fraud.

Redisclosure of Education Records by Officials Listed in Sec. 99.31(a)(3) (Sec. 99.32, Sec. 99.35)
The proposed regulations in Sec. 99.35(b)(1) would permit officials and authorities listed in Sec. 99.31(a)(3)(i) to redisclose personally identifiable information from education records under the same conditions, set forth in Sec. 99.33(b), that apply to parties that receive personally identifiable information from education records under other exceptions in Sec. 99.31. The proposed amendment is needed so that SEAs and other officials and authorities listed in Sec. 99.31(a)(3)(i) may take advantage of the regulatory exception in Sec. 99.33(b) and redisclose personally identifiable information from education records directly to a qualified recipient under an exception in Sec. 99.31 instead of requiring that party to go to each school district or institution that submitted the records for audit, evaluation, compliance, or enforcement purposes. These proposed regulations would also ensure that State and local educational authorities may redisclose personally identifiable information from education records in order to consolidate K-16 education records for audit, evaluation, compliance, or enforcement purposes under Sec. 99.35(a). For example, under the proposed regulations, a State's postsecondary or higher education authority may redisclose personally identifiable information from the education records it maintains to a consolidated data system operated by the SEA if the SEA is legally authorized to conduct an audit, evaluation, compliance, or enforcement activity of postsecondary education programs. As noted above, disclosures under Sec. 99.33(b) are based on an understanding on the part of the educational agency or institution that the recipient will redisclose information to specified recipients on its behalf subject to the recordation requirements in Sec. 99.32(b). The Dept. seeks comment on this provision.

Limitations on the Redisclosure of Information From Education Records
The proposed regulations in Sec. 99.33(b)(2) would require a party that has received personally identifiable information from education records from an educational agency or institution, including an SEA or other official listed in Sec. 99.31(a)(3)(i), to provide the notice to parents and eligible students, if any, required under Sec. 99.31(a)(9) before it rediscloses personally identifiable information from the records on behalf of an educational agency or institution in compliance with a judicial order or lawfully issued subpoena, as authorized under Sec. 99.33(b). The Secretary believes that the party that has been ordered to produce the information should be responsible for ensuring that the parent or eligible student has been notified because the educational agency or institution has no control over whether and when that party will comply.

Disclosures Required Under the Clery Act
The proposed regulations would amend Sec. 99.33(c) to exclude from the statutory prohibition on redisclosure of education records information that postsecondary institutions are required to disclose under the Clery Act to the accuser and accused regarding the outcome of any campus disciplinary proceeding brought alleging a sexual offense.
In analyzing and ruling on these practices, the Department determined that the statutory prohibition on redisclosure of information from education records in FERPA does not apply to information that a postsecondary institution is required to release to students under the Clery Act. The proposed regulations would clarify that postsecondary institutions may not require the accuser to execute a non-disclosure agreement or otherwise interfere with the redisclosure or other use of information disclosed as required under the Clery Act.

Health and Safety Emergencies
The Department proposes to revise Sec. 99.36(c) to remove the language requiring strict construction of this exception and add a provision that in making a determination under Sec. 99.36(a), an educational agency or institution may take into account the totality of the circumstances pertaining to a threat to the safety or health of a student or other individuals. If the educational agency or institution determines that there is an articulable and significant threat to the health or safety of a student or other individuals, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health and safety of the student or other individuals. If, based on the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination.

Directory Information
Proposed Sec. 99.37(b) clarifies that an agency or institution must continue to honor any valid request to opt out of directory information disclosures made while the individual was a student unless the parent or eligible student rescinds the decision to opt out of directory information disclosures.

Identification of Students and Communications in Class
The proposed regulations would provide in Sec. 99.37(c) that a parent or eligible student may not use their right to opt out of directory information disclosures to prevent an educational agency or institution from disclosing or requiring a student to disclose the student's name, electronic identifier, or institutional e-mail address in a class in which the student is enrolled.

Prohibition on Use of SSNs To Identify Students When Disclosing or Confirming Directory Information
Section 99.37(d) would prohibit an educational agency or institution (or a vendor acting for the school) from using an SSN, either alone or when combined with other data elements, to identify or help identify a student or the student's records when disclosing or confirming directory information unless the student has provided written consent in accordance with FERPA. Some institutions, along with vendors that provide services on behalf of institutions, allow employers and others who seek directory information about a student, such as whether a student has ever attended the institution or received a degree, to submit the student's SSN as a means of identifying the individual. These regulations are needed to provide a legally binding interpretation that this practice violates FERPA unless the student has provided prior written consent for the institution to disclose the student's SSN, even if the institution or vendor only explicitly releases or confirms directory information about the student. Use of an SSN to identify a student or the student's records constitutes an implicit confirmation of the SSN, even if several other data elements are also used to help identify the student in the process.

Enforcement
The proposed regulations in Sec. 99.62 would specify materials that the Office may require an educational agency or institution to submit in order to carry out its investigation and other enforcement responsibilities, including information on the agency's or institution's policies and procedures, annual notifications, training materials, and other relevant information. The proposed regulations are needed to clarify that the Department's enforcement responsibilities, as described in Gonzaga University v. Doe, 536 U.S. 273 (2002), include the authority to investigate possible FERPA violations even if no complaint has been filed or a complaint has been withdrawn. While not a widespread problem, the Department needs to establish in its regulations that the Office may investigate allegations of non-compliance provided by a school official or some other party who is not a parent or eligible student because sometimes parents and students are not aware of an ongoing FERPA problem that needs to be addressed. The proposed amendments to Sec. 99.64 are also needed to clarify that the Office may investigate a FERPA complaint even if the party has not specifically alleged that the agency or institution has a policy or practice in violation of FERPA.

Proposed Sec. 99.65(a) would allow the Office to ask an educational agency or institution to submit a written response and other relevant information as set forth in Sec. 99.62. Proposed Sec. 99.66(c) would allow the Office to issue a notice of findings that an educational agency or institution violated FERPA without also finding that the violation constituted a policy or practice of the agency or institution. In light of the Supreme Court's ruling in Gonzaga, the proposed regulations are needed to clarify that, consistent with its current practice, the Office may find that an agency or institution violated FERPA even if the Office does not make a further determination that the violation was based on a policy or practice of the agency or institution. The Secretary may not take an enforcement action unless the Office has determined that the educational agency or institution has a policy or practice in violation of FERPA.

Under proposed Sec. 99.67(a), the Secretary may take enforcement actions if the Office determines that the educational agency or institution has a policy or practice in violation of FERPA requirements and has failed to come into compliance voluntarily. The proposed regulations also clarify that the Secretary may take any other appropriate enforcement action in addition to those listed specifically in the regulations. The proposed regulations are needed to clarify that the Office may issue a notice of violation or failure to comply with specific FERPA requirements, such as a single failure to provide a parent with access to education records, and require corrective action. The proposed regulations are also needed to clarify that the Secretary may take any other enforcement action that is legally available, such as entering into a compliance agreement under 20 U.S.C. 1234f or seeking an injunction.



CFR links updated 10/27/08 RAB
links updated 6/17/08 rab
Links checked July 1st, 2010, FJL.