Click for Text-Only version
Back to CUA Home
The Catholic University of America - Campus Legal Clearinghouse
 
 
Collage of Pictures

Affirmative Action

ADA Compliance

Copyright

Employment

Environment

FERPA
Quick Clicks
FedLaw
Publications, Video, & Web Tutorials
Q & A
Resources, Forms, & Checklists 		 

GLB/Security

Harassment

HIPAA

Immigration

Religious Issues

Research & Patents

Student Life Issues

IDEA Scholarships

Campus Security

Tax
CLIC Home        CUA Policies        Text-Only        FedLaw        DC Law        Compliance Calendar        Links

Summary of Federal Laws

 

Students

 

Miscellaneous Laws Affecting Students

 

The Family Educational Rights and Privacy Act of 1974 (FERPA) (also known as the Buckley Amendment)

 

20 U.S.C. § 1232g34 C.F.R. § 99.1 et seq.

Regulates the keeping and dissemination of student records at all institutions that receive federal funds or who have students receiving federal funds.  Procedures must be in place to allow a student or the parents of dependent students access to student records.  Consent must be obtained to release student records to a third party, with certain exceptions contained in the law.  Directory information may be released without permission of the student unless the student has specifically requested that said information not be released.  Types of information that may be disclosed as directory information include:  student's name, degrees and awards received, address, most recent previous institution attended, phone number, participation in officially recognized sports, activities, date and place of birth, dates of attendance, major fields of study, e-mail address, class schedule, full- or part-time status, and photograph.  Information which may not be released as directory information includes social security number, race/ethnicity or gender.  Each institution must have its own policy as to what constitutes directory information, and notify students of same.  Students must be granted a hearing to challenge information in a record they believe is incorrect.  Students must be informed of their rights under this law.  For a model notification policy for postsecondary schools see the Model Notification of Rights under FERPA for Postsecondary Institutions. College officials with a legitimate educational interest in the record may have access to it.  Records of disclosures and requests for disclosure must be kept, as well as indicate specifically the legitimate interest that each such person has in obtaining the information.  Records need not be kept when the request was from the student or accompanied by written consent from the student, from a faculty or school official who was granted access, a subpoena prohibiting disclosure to the student, or for directory information.

 

 Proposed FERPA Regulations: March 24, 2008

 

ACE Comments on Proposed FERPA regs (dated May 8th, 2008)

 

Chart on Proposed Regulations: George Washington University Office of General Counsel

This chart summarizes current regulations, key changes to the regulations, and the reasons for the proposed changes. Provided courtesy of Office of General Counsel at GW.

 

Clarification by FPCO on Disclosure of Information from Education Records to Parents of Postsecondary Students: Posted Summer 2007: Guidance Clarifying that FERPA does allow release of information to parents of college students when the student is a dependent for tax purposes; in a health or safety emergency, in certain drug and alcohol incidents, and in addition, may disclose law enforcement records to anyone when the records kept by the campus security office are kept solely for law enforcement purposes. The guidance also notes as follows:

 

Nothing in FERPA prohibits a school official from sharing with parents information that is based on that official's personal knowledge or observation and that is not based on information contained in an education record. Therefore, FERPA would not prohibit a teacher or other school official from letting a parent know of their concern about their son or daughter that is based on their personal knowledge or observation.

 

Final Regulations on FERPA and Electronic Signatures 

69 Fed. Reg. 21670, April 21, 2004

 

Over the years the Department of Education has received numerous inquiries as to whether some form of electronic consent and signature, including email, satisfies FERPA's written consent requirement. These final  regulations are technology neutral and offer some guidance on when schools may accept electronic signatures from students for release of education records to third parties. The DOE plans to issue further guidance that will include examples of what might be an acceptable process under the regulations. The final regulations adopted by the Department of Education on electronic signatures provide as follows:

 

Sec.  99.30  Under what conditions is prior consent required to
disclose information?

* * * * *
    (d) ``Signed and dated written consent'' under this part may include a record and signature in electronic form that--
    (1) Identifies and authenticates a particular person as the source of the electronic consent; and
    (2) Indicates such person's approval of the information contained in the electronic consent.

 

This languages differs from the proposed regulations issued in July of 2003 to some extent. The difference in the final rule is due to the rapidly changing nature of technology, the desire to grant as much flexibility as possible to educational institutions in light of changing technology, the need to not impose standards on elementary and secondary schools that are more suitable only to postsecondary schools, and the need to conform the defintion to other recent federal government publications on electronic signatures. Schools should not assume that the deletion of language to secure and verify the integrity of the consent in transmission and upon receipt does away with this requirement, which might be said to be implicit in any sound systemt for electronic signatures. The regulation was issued by the Office of Innovation and Improvement of the Department of Education, the Office that oversees the Family Policy Compliance Office.

 

The process used for electronic student loan transactions (FSA standards) is maintained as a safe harbor even though there were complaints that use of this standard was confusing as the two transactions in question are very different. The appendix to the regulations states as follows:

We agree that some circumstances within the FSA Standards do not relate directly to FERPA. While schools are not required by FERPA to follow the FSA Standards, we believe that schools may use the set-up and security measures described in the FSA Standards, particularly sections 3 through 7, as guidance for security measures in a system using electronic records and signatures under FERPA. We do not plan to issue a separate FERPA standards document, but we will clarify these items in additional guidance.

The final rule also notes that schools are not bound to use the safe harbor system. A cautionary note (below) is inserted about Gramm Leach Bliley (GLB) and the additional privacy restrictions imposed on postsecondary institutions under GLB.

 

Thus, while schools have the maximum flexibility in choosing a system that meets FSA's ``safe harbor'' provisions or another process for authenticating Personal Identification Number (PIN) numbers under FERPA, postsecondary institutions should keep these other Federal requirements in mind when implementing such systems.

 

HIPAA and FERPA: An FPCO letter clarifies the exemption

 

Feb. 25, 2004 letter from Family Policy Compliance Office  affirming that health information in education records covered by FERPA are excluded from coverage of the HIPAA Privacy Rule (45 C.F.R Parts 160, 164, Subparts A,E. The question arose in the context of release of student immunization records to the the Alabama Department of Public Health. Under HIPAA, a student's health records, maintained by an educational institution, are protected under FERPA rather than falling under the purview of HIPAA, therefore HIPAA neither authorizes or prohibits the release of immunization records, and release to a state agency must come under an exemption in FERPA, such as the health and safety emergency provision.

   

The Campus Sex Crimes Prevention Act and FERPA

 

FERPA is amended  (§ 1232g(b)(7)(A)) by the Campus Sex Crimes Prevention Act (Pub. L. No. 106-386; 42 U.S.C. § 14071) to make it clear that FERPA does not prohibit release of data on registered sex offenders under this law. The Campus Sex Crimes Prevention Act requires sex offenders who must register under state law to provide notice of enrollment or employment at any institution of higher education (IHE) in that state where the offender resides, as well as notice of each change of enrollment or employment status at the IHE.  In turn, this information will be made available by the state authorities to the local law enforcement agency that has jurisdiction where the IHE is located. As of October 27, 2002, the IHE must issue a statement (under the reporting requirements in 20 U.S.C. § 1092(f)(1)) advising the campus community as to where information concerning registered sex offenders can be obtained.  FERPA is amended to make it clear that FERPA does not prohibit release of data on registered sex offenders under this law.

 

See the Family Policy Compliance Office guidance entitled Disclosure of Education Records Concerning Registered Sex Offenders. The guidance states in relevant part:

 

"Thus, nothing in FERPA prevents an educational institution from disclosing information provided to the institution under the Wetterling Act concerning registered sex offenders, including personally identifiable, non-directory information from education records that is disclosed without prior written consent or other consent from the person. The authority of educational institutions to make such disclosures extends both to information about registered sex offenders made available by a State in carrying out the specific requirements of the CSCPA (42 U.S.C. § 14071(j)), and information about registered sex offenders that may otherwise become available to educational institutions through the operation of State sex offender registration and community notification programs."

 

 

  Selected Case Law Under FERPA


 

Resources:

 

 

FPCO Letters from 2002 through June 2007: This page indexes and contains links to technical assistance letters issued by the Family Policy Compliance Office. The letters were obtained by a Freedom of Information request made by the Office of General Counsel at the Catholic University of America.

 

 

Guidelines to Responding to Compulsory Legal Requests for Information:  By Steven McDonald and Andrea Nixon
Includes information on responding to subpoenas, search warrants, court orders, National Security Letters, and Public Records Requests.

 

The Department of Education's Family Policy Compliance Office.  School officials who have routine questions regarding FERPA may contact the Family Compliance Office via e-mail at FERPA@ed.gov

 

Students who wish to contact the office may call (202) 260-3887 or write to:
    Family Policy Compliance Office
    U.S. Department of Education
    400 Maryland Avenue, SW
    Washington, DC  20202-4605

 

CUA Office of General Counsel Publication: November 1997 - Student Records

 

Privacy and the Handling of Student Information in the Electronic Networked Environments of Colleges and Universities 
A wonderful 1997 White Paper by Cause (now Educause) in conjunction with AACRAO.  It is probably the best help there is for universities trying to implement new student administration systems that are in compliance with FERPA.

 

 

 

 

 

 

 

 

updated 3/28/05 to add FPCO letter to Cal State

links updated 1/30/06 pth
updated 7/14/07 to Add Guidelines for Responding to Compulsory Legal Requests and FPCO Letters and to create a separate page for FERPA cases and to add recent FPCO guidance on disclosure to parents

3/27/08 added link to FERPA proposed regs

4/17/08 added GW chart
6/12/08 added ACE comments
links updated 6/26/08 rab

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



Last Revised 26-Jun-08 03:06 PM.