The Secretary of the Department of Education issued final FERPA regulations on December 9, 2008. The regulations took effect on January 8, 2009. The regulations include changes needed to comply with amendments to FERPA under the USA PATRIOT Act and the Campus Sex Crimes Prevention Act. Additionally, the regulations incorporate the Supreme Court’s decisions in Owasso Independent School District v. Falvo, 534 U.S. 426 (2002) and Gonzaga University v. Doe, 536 U.S. 273 (2002). Other changes are a response to developments in information technology and responses to the Department’s experience administering FERPA.
1.Definitions
Former Regulations / Key Changes in New Regulations / ReasonsAttendance is not defined in the authorizing statute. The former regulation is silent toward distance learning – that is, those taught through use of electronic information and telecommunications technology for students who are not physically present. / Attendance will be defined to include attendance by telecommuting for those not physically present in a classroom. / To clarify that students may attend a University despite not being physically present.
“Directory information” was loosely defined and did not speak of SSN or student ID numbers. / Institution may not designate as “directory information” a student’s SSN. Student ID numbers may be disclosed as directory information if they qualify as “electronic identifiers” as defined in this section—it must truly function as a name, and cannot be used alone (but may be used in conjunction with a PIN or password) to gain access to education records. / SSNs and Student ID numbers that are not “electronic identifiers” can be used on their own to obtain non-public information and possibly perpetuate fraud. It is important to keep them outside of the public domain.
Definition of “disclosure” did not address issues relating to return of records to a party that provided or created them. / Under the new definition, School B could send a transcript that appears to have been falsified back to School for confirmation of its status without effecting a “disclosure.” / Growing concern about falsified documents and the lack of a proper authentication system.
The definition of “education records” excluded records that only contain information about an individual after he or she is no longer a student / Clarify that, with respect to former students, the term “education records” excludes records that are created or received by the organization after an individual is no longer a student in attendance and are not directly related to the individual’s attendance / Confusion as to what alumni records count as “education records”. The Dept. wants to clarify that the exclusion is not meant to cover records created after a student’s attendance ends, but is directly related to his or her previous attendance.
Ex.: Settlement agreement that concerns matters arising while individual was a student in attendance.
Silent as to student-graded assignments before collection and recordation by teacher / Such papers would not be considered “education records” / Owaddo opinion requires this reading of the authorizing statute.
“Personally Identifiable Information” may not be given except for directory information. Current regs include a list of some items that constitute PII / Expand PII to include: biometric records, date and place of birth, mother’s maiden name and other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. PII also includes “information requested by a person who . . . the institution reasonably believes knows the identity of the student to whom the education record relates.” / Same as need for new § 99.31(b)
(heading 4 below)
2.Disclosures to Parents of Eligible Students (§§ 99.5, 99.36)
Former Regulations / Key Changes in New Regulations / ReasonsDoes not seem like a substantive change / Clarify that even after a student has become an eligible student, an institution may disclose personal information, without consent, to parents or guardian, if the student is a Dependent where there is a health and safety emergency; if the student is under the age of 21 and has violated an institutional rule or policy governing use of alcohol or a controlled substance; and if the disclosure falls within any other exception to the consent requirement.
Also, the new rules clarify that parents are an appropriate party to whom an institution may disclose personally identifiable information from educational records without consent in a health or safety emergency. / Some schools are under the mistaken impression that FERPA prevents them from providing parents with any information about a college student. This change clarifies that FERPA contains exceptions to the written consent requirement that allow a college to disclose information to parents of certain eligible students, with or without consent.
3.Authorized Disclosures of Education Records Without Prior Written Consent (§ 99.31)
Former Regulation / Key Changes in New Regulations / ReasonsThe former regulations allowed the disclosure of records without consent to school officials, including teachers where there are legitimate educational interests in the information. This is narrower than the statute which allows such disclosure to “a person acting for the agency” institution. Also, an institution that disclosed information pursuant to this section had to include the criteria it used to determine who constitutes a school official and what constitutes a legitimate education interest. / Expand the school official exception to include contractors, consultants, volunteers and other outside parties to whom the institution has outsourced institutional services or functions that it would otherwise use employees to perform. State educational authoritiesoperating data systems fall under the exception for auditors, not school officials.
The outside party must be under the direct control of the institution and subject to the same conditions governing use and re-disclosure. “Direct control” under this section means control of the outside service provider’s maintenance and use of information from education records, and the requirement is not meant to affect the party’s status as an independent contractor.
Also, institutions may disclose education records without consent to its own law enforcement unit under this exception, but not to outside police officers
Institution would be responsible for outsider service providers’ failure to comply with FERPA / Resolve uncertainty about the specific conditions under which institutions could disclose PII from education records without prior written consent to outside parties performing institutional services or functions.
Also, the statutory definition of education records protects records that are maintained by a party acting for the agency or institution.
The Dept. has long recognized in guidance that FERPA does not prevent educational agencies and institutions from outsourcing
institutional services and functions; The Sec’y wishes to clarify and define the scope of this practice to avoid further confusion and prevent weakening of FERPA's privacy protections because of uncertainty about the requirements for making these kinds of disclosures.
Institution could disclose personally identifiable information from education records w/o consent to school officials, whenlegitimate educational interests in the information existed. There needed to be a predetermined method for who is included and what counts. But, former regulations did not specify whether institutions must ensure that school officials obtain access to only those education records in which they have legitimate educational interests. / Require an institution to use reasonable methods to ensure that teachers and other school officials obtain access to only those education records in which they have legitimate educational interests. This requirement applies whether an institution uses physical, technological, or administrative controls to restrict access to education records by school officials. / Needed to ensure that teachers and other school officials only gain access to education records in which they have a legitimate educational interest.
Could disclose education records, without prior written consent, to officials of another school, school system, or postsecondary institution where the student seeks or intends to enroll. Some regulatory compliance applies re: notice to parents. / Allow disclosure even after a student has already enrolled or transferred, and not just if the student seeks or intends to enroll, if the disclosure is for purposes related to the student's enrollment or transfer. / Resolve uncertainty about whether consent is required to send a student's records to the student's new school after the student has already transferred and enrolled.
Also, the agency determined that an
institution may update, correct, or explain
information it has disclosed to another educational agency or institution as part of the original disclosure
Finally, FERPA permits school officials to disclose any and all education records, including health and disciplinary records, to another institution where the student seeks or intends to enroll. (Response to VA Tech questions)
Disclosure was permissible to organizations conducting studies for or on behalf of the institution for purposes of testing, student aid and improvement of instruction. Information must be protected so students cannot be identified by anyone other than reps of the organization that conducts the study and must be destroyed at the conclusion of the study. “For or on behalf” was not explained or defined. / Requires the institution to enter into a written agreement with the recipient organization that specifies the purposes of the study.
The agreement must specify that information from education records may only be used to meet the purposes of the study stated in the agreement and must contain the current restrictions on redisclosure and destruction of information
requirements applicable to information disclosed under this exception.
An institution is not required to initiate research requests or agree with or endorse the conclusions of the study when disclosing information under this section. Also, although disclosure of PII without consent is allowed in this instance, it is recommended that institutions release de-identified information whenever possible to reduce the risk of unauthorized disclosure. / Research organizations have asked for clarification about the circumstances in which an educational agency or institution may disclose to them PII from education records.
Regulations were silent to the Patriot Act provisions which allow US AG to apply for an ex parte court order, to collect education records from an educational agency or institution, without the consent or knowledge of the student or parent that are relevant to an investigation or prosecution of an offense. Agencies and institutions were not required to record the
disclosure and could not be held liable to anyone for producing education records in good faith in accordance with a court order issued under the former provision. / New exceptions allowing disclosure of
education records without notice in compliance with an ex parte court
order obtained by the Attorney General (or designee) concerning investigations or prosecutions of an offense under certain laws. / New regulations implement the statutory amendment by the USA PATRIOT Act.
Former regulations did not address the
disclosure of information concerning registered sex offenders, while the law provided that educational agencies and institutions may disclose information concerning registered sex offenders provided under State sex offender registration and required community notification programs. / A new exception permits an institution to disclose information that the agency or institution received under a State community notification program about a student who is required to register as a sex offender in the State. / The regulations implement the CSCPA amendment to FERPA, which allows educational agencies and institutions to disclose information about registered sex offenders without consent if the
information was received through and complies with guidelines regarding
a State community notification program issued by the U.S. Attorney General
4.De-Identification of Information (§ 99.31(b))
Former Regulations / Key Changes in New Regulations / ReasonsProvided that an institution may not have a policy or practice of permitting the release of education records or personally identifiable information from records without prior written consent.
Personally identifiable information under
Sec. 99.3 included personal identifiers such as a student's name, address, and identification numbers, as well as personal characteristics or other information that would make the student's identity easily traceable. / Amend § to provide objective standards under which institutions may release, without consent, education records, or information from education records, that have been de-identified through the removal of all personally identifiable information (PII).
Changes to PII mentioned above under “Definitions.” / Disclosure is defined in the regulations as permitting access to or releasing, transferring, or otherwise communicating personally identifiable information contained in education records.
So, no “disclosure” under FERPA when education records are released if all identifiers have been removed, along with other personally identifiable information. The proposed regulations are needed to establish this guidance in a definitive and legally binding interpretation, and to provide standards for ensuring that a student’s personally identifiable information is not disclosed.
5.Identification and Authentication of Identity (§99.31(c))
Former Regulations / Key Changes in New Regulations / ReasonsFormer regulations did not address whether an institution must ensure that it has properly identified a party to whom it discloses personally identifiable information from ed. records. / Requires an institutions to use reasonable
methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the institution discloses personally identifiable information from education records. / Ensure that institutions disclose information only to authorized recipients.
Identification in this context means determining who is the intended or authorized recipient of the information in question; authentication of identity means ensuring that the recipient is, in fact, who he or she purports to be.
6.Redisclosure of Education Records by Officials Listed in § 99.31(a) (§§ 99.32, 99.35)
Former Regulations / Key Changes in New Regulations / ReasonsFour officials or authorities were named that may receive education records, without consent, for a specified audit, evaluation, or compliance and enforcement purposes. Evaluation was interpreted broadly.
Information disclosed under this exception must be protected in a manner that does not permit personal identification of individuals by anyone except the officials
listed and must be destroyed when no longer needed for the purpose it was distributed for, unless a parent or eligible student consents to the disclosure or
Federal law specifically authorizes the collection of personally identifiable information.
Former regulations were silent on further conditions under which these officials or authorities may redisclose PII from education records without prior written consent.
Existing regulations on redisclosure were not applied in the context of officials or authorities receiving under this reg. b/c of the more specific statutory limitations. / State or Federal officials that redisclose education records on behalf of an agency or institution are required to comply with the recordation requirements if the institution does not do so, and to make the record available to an institution upon request within a reasonable period of time not exceeding 30 days. The institution must obtain a copy of the State or Federal official’s record of further disclosures and make it available in response to a parent’s or eligible student’s request to review the student’s record of disclosures. / Several SEAs that maintain Statewide, consolidated systems for school
district records have questioned whether they may allow a student's new school district to obtain access to personally identifiable information from education records submitted to the system by the student's former district.
New regs recognize that officials and authorities that receive education records under §§ 99.31(a)(3) and 99.35 are capable of protecting the information against unauthorized access and disclosure. The amendment allows SEAs and other officials and authorities to redisclose PII from education records directly to a qualified recipient under an exception in § 99.31 instead of requiring that party to go to each school district or institution that submitted the records for audit, evaluation, compliance, or enforcement purposes.
7.Limitations on the Redisclosure of Information from Education Records (§ 99.33)
Former Regulations / Key Changes in New Regulations / ReasonsAn institution could disclose PII from education records only on the condition that the recipient would not redisclose the information to any other party without prior consent of the required party, except that the receiving partycould make further disclosures on behalf of the institution if the disclosures met the requirements of the regulations.
If a 3rd party improperly redisclosed
PII from education records in violation of the prohibition on redisclosure, the institution could not allow them access to PII from education records for at least five years. / Require a party that has received personally identifiable information from education records from an educational agency or institution to provide the notice to parents and eligible students before it rediscloses personally identifiable information from the records on behalf of an educational agency or institution in compliance with a judicial order or lawfully issued subpoena.
If the Department determines that a third party does not notify the parent as required, the institution may not allow that third party access to education records for at least five years. / Needed to clarify which party is responsible for notifying parents and eligible students before an SEA or other third party outside of the educational
agency or institution complies with a judicial order or subpoena to
redisclose personally identifiable information from education records.
The Sec’y believes that the party that has been ordered to produce the information should be responsible for ensuring that the parent or eligible student has been notified because the educational agency or institution has no control over whether and when that party will comply.
Required postsecondary institutions to inform both the accuser and the accused of the outcome of any institutional disciplinary proceeding brought alleging a sex offense. Under this provision the outcome of a disciplinary proceeding means only the institution's final determination with respect to the alleged sex offense and any sanction that is imposed against the accused.
An educational agency or institution could disclose PII from education records only on the condition that the recipient would not redisclose the information to any other party without the prior consent of the parent or eligible student.
Former regulations in § 99.33(c) did not exclude from the redisclosure prohibition disclosures made by postsecondary institutions to an alleged victim of a crime of violence or non-forcible sex offense under Sec. 99.31(a)(13) or required Clery Act disclosures.. / Amend Sec. 99.33(c) to exclude from the statutory prohibition on redisclosure of education records information that postsecondary institutions are required to disclose under the Clery Act to the accuser and accused regarding the outcome of any campus disciplinary proceeding brought alleging a sexual offense. / Some postsecondary institutions have required the accuser to execute a non-disclosure agreement before they disclose the outcome of a disciplinary proceeding for an alleged sexual offense as required
under the Clery Act. In analyzing and ruling on these practices, the Dept. determined that the statutory prohibition on redisclosure of information from education records in FERPA does not apply to information that a postsecondary institution is required to release to students under the Clery Act.
8.Health and Safety Emergencies (§ 99.36)