-
Start Preamble
Start Printed Page 75604
AGENCY:
Office of Management, Department of Education.
ACTION:
Final regulations.
SUMMARY:
The Secretary of Education (Secretary) amends the regulations implementing section 444 of the General Education Provisions Act (GEPA), which is commonly referred to as the Family Educational Rights and Privacy Act (FERPA). These amendments are needed to ensure that the U.S. Department of Education (Department or we) continues to implement FERPA in a way that protects the privacy of education records while allowing for the effective use of data. Improved access to data will facilitate States' ability to evaluate education programs, to ensure limited resources are invested effectively, to build upon what works and discard what does not, to increase accountability and transparency, and to contribute to a culture of innovation and continuous improvement in education. The use of data is vital to ensuring the best education for our children. However, the benefits of using student data must always be balanced with the need to protect student privacy. Protecting student privacy helps achieve a number of important goals, including avoiding discrimination, identity theft, as well as other malicious and damaging criminal acts.
DATES:
These regulations are effective January 3, 2012. However, State and local educational authorities, and Federal agencies headed by officials listed in § 99.31(a)(3) with written agreements in place prior to January 3, 2012, must comply with the existing requirement in § 99.35(a)(3) to use written agreements to designate any authorized representatives, other than employees, only upon any renewal of or amendment to the written agreement with such authorized representative.
Start Further InfoFOR FURTHER INFORMATION CONTACT:
Ellen Campbell, U.S. Department of Education, 400 Maryland Avenue SW., Room 2E203, Washington, DC 20202-8520. Telephone: (202) 260-3887.
If you use a telecommunications device for the deaf (TDD), call the Federal Relay Service (FRS), toll-free, at 1-(800) 877-8339.
End Further Info End Preamble Start Supplemental InformationSUPPLEMENTARY INFORMATION:
On April 8, 2011, the Department published a notice of proposed rulemaking (NPRM) in the Federal Register (76 FR 19726). In the preamble to the NPRM, the Secretary stated that the proposed changes were necessary to ensure the Department's proper implementation of FERPA, while allowing for the effective use of student data, and to address other issues identified through the Department's experience in administering FERPA.
Protecting student privacy is paramount to the effective implementation of FERPA. All education data holders must act responsibly and be held accountable for safeguarding students' personally identifiable information (PII) from education records. The need for clarity surrounding privacy protections and data security continues to grow as statewide longitudinal data systems (SLDS) are built and more education records are digitized and shared electronically. As States develop and refine their information management systems, it is critical that they take steps to ensure that student information is protected and that PII from education records is disclosed only for authorized purposes and under circumstances permitted by law. (When we use the term “disclose” in this document, we sometimes are referring to redisclosures as well.)
The amendments reflected in these final regulations establish the procedures that State and local educational authorities, and Federal agencies headed by officials listed in § 99.31(a)(3) (FERPA-permitted entities), their authorized representatives, and organizations conducting studies must follow to ensure compliance with FERPA. The amendments also reduce barriers that have inhibited the effective use of SLDS as envisioned in the America Creating Opportunities to Meaningfully Promote Excellence in Technology, Education, and Science Act (the America COMPETES Act) (Pub. L. 110-69) and the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111-5). Finally, by expanding the requirements for written agreements and the Department's enforcement mechanisms, the amendments help to ensure increased accountability on the part of those with access to PII from education records.
These amendments include definitions for two previously undefined terms, “authorized representative” and “education program,” to permit greater access by appropriate and authorized parties to information on students in order to evaluate the effectiveness of education programs. Specifically, we have modified the definition of and requirements related to “directory information” to clarify (1) that the right to opt out of the disclosure of directory information under FERPA does not include the right to refuse to wear, or otherwise disclose, a student identification (ID) card or badge; (2) that schools may implement a limited directory information policy in which they specify the parties or purposes for which the information is disclosed; and (3) the Department's authority to hold State educational authorities and other recipients of Department funds under a program administered by the Secretary accountable for compliance with FERPA.
We believe that the regulatory changes adopted in these final regulations provide clarification on many important issues that have arisen over time with regard to how FERPA applies to SLDS and to other requests for data on student progress. Additionally, educational agencies and institutions continue to face considerable challenges implementing directory information policies that help them maintain safe campuses and protect PII from education records from potential misuse, such as identity theft. These final regulations, as well as the discussion in the preamble, will assist school officials in addressing these challenges in a manner that complies with FERPA. These final regulations also respond to the September 2010 U.S. Government Accountability Office (GAO) study entitled “Many States Collect Graduates' Employment Information, but Clearer Guidance on Student Privacy Requirements Is Needed,” by clarifying the means by which States can collect and share graduates' employment information under FERPA.
Finally, we have discussed with the U.S. Department of Agriculture (USDA) the potential effect of these regulations on the use of information regarding individual children's eligibility for free or reduced price school meals in the National School Lunch and School Breakfast Programs (School Meals Programs or SMPs) in connection with an audit or evaluation of Federal- or State-supported education programs. Congress recognized that sharing of children's eligibility information could benefit schools and children participating in the SMPs. As a result, section 9(b)(6) of the Richard B. Russell National School Lunch Act, as amended (National School Lunch Act) (42 U.S.C. 1758(b)(6)) permits schools to disclose children's eligibility information to persons with a need to know who are associated with a Federal or State education program and who will not Start Printed Page 75605further disclose that information. Because of the importance of assuring not only that FERPA requirements are met, but also that all of the Federal confidentiality protections in the National School Lunch Act are met, the two Departments intend to jointly issue guidance in the near future for use by the educational community and by State and local administrators of USDA programs.
Notice of Proposed Rulemaking
In the NPRM, we proposed regulations to:
- Amend § 99.3 to define the term “authorized representative” to include individuals or entities designated by FERPA-permitted entities to carry out an audit or evaluation of Federal- or State-supported education programs, or for the enforcement of or compliance with Federal legal requirements related to these programs (audit, evaluation, or enforcement or compliance activity);
- Amend the definition of “directory information” in § 99.3 to clarify that a unique student identification (ID) number may be designated as directory information for the purposes of display on a student ID card or badge if the unique student ID number cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a Personal Identification Number, password, or other factor known or possessed only by the authorized user;
- Amend § 99.3 to define the term “education program” as any program principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education;
- Amend § 99.31(a)(6) to clarify that FERPA-permitted entities are not prevented from redisclosing PII from education records as part of agreements with researchers to conduct studies for, or on behalf of, educational agencies and institutions;
- Remove the provision in § 99.35(a)(2) that required that any FERPA-permitted entity must have legal authority under other Federal, State, or local law to conduct an audit, evaluation, or enforcement or compliance activity;
- Amend § 99.35(a)(2) to provide that FERPA-permitted entities are responsible for using reasonable methods to ensure that their authorized representatives comply with FERPA;
- Add a new § 99.35(a)(3) to require that FERPA-permitted entities must use a written agreement to designate an authorized representative (other than an employee) under the provisions in §§ 99.31(a)(3) and 99.35 that allow the authorized representative access to PII from education records without prior written consent in connection with any audit, evaluation, or enforcement or compliance activity;
- Add a new § 99.35(d) to clarify that in the event that the Department's Family Policy Compliance Office (FPCO or Office) finds an improper redisclosure in the context of §§ 99.31(a)(3) and 99.35 (the audit or evaluation exception), the Department would prohibit the educational agency or institution from which the PII originated from permitting the party responsible for the improper disclosure (i.e., the authorized representative, or the FERPA-permitted entities, or both) access to PII from education records for a period of not less than five years (five-year rule);
- Amend § 99.37(c) to clarify that while parents or eligible students (students who have reached 18 years of age or are attending a postsecondary institution at any age) may opt out of the disclosure of directory information, this opt out does not prevent an educational agency or institution from requiring a student to wear, display, or disclose a student ID card or badge that exhibits directory information;
- Amend § 99.37(d) to clarify that educational agencies or institutions may develop policies that allow the disclosure of directory information only to specific parties, for specific purposes, or both; and
- Add § 99.60(a)(2) to authorize the Secretary to take appropriate actions to enforce FERPA against any entity that receives funds under any program administered by the Secretary, including funds provided by grant, cooperative agreement, contract, subgrant, or subcontract.
Changes From the NPRM
These final regulations contain the following substantive changes from the NPRM:
- In § 99.3, we have defined the term “early education program” as that term is used in the definition of education program. The definition is based on the definition of “early childhood education program” in section 103(8) of the Higher Education Act of 1965, as amended (HEA) (20 U.S.C. 1003(8));
- We have made changes to the definition of “education program” in § 99.3 to clarify that any program administered by an educational agency or institution is considered an education program; and
- We have modified the written agreement requirement in § 99.35(a)(3) to require that the agreement specify how the work falls within the exception of § 99.31(a)(3), including a description of the PII from education records that will be disclosed, and how the PII from education records will be used.
We have also made the following minor or non-substantive changes from the NPRM:
- We have made minor editorial changes to the definition of “authorized representative” in § 99.3 to ensure greater consistency between the language in that definition and the language in § 99.35(a)(1);
- We have removed language from §§ 99.31(a)(6)(iii)(C)(4) and 99.35(a)(3)(iii) and (a)(3)(iv) that permitted an organization conducting a study or an authorized representative to return PII from education records to the FERPA-permitted entity from which the PII originated, in lieu of destroying such information. We made these changes to more closely align the regulatory language with the statute and to ensure that the PII from education records is destroyed as required by the statute;
- We have made changes to § 99.35(a)(2) to clarify that the FERPA-permitted entity from which the PII originated is responsible for using reasonable methods to ensure to the greatest extent practicable that any entity or individual designated as its authorized representative complies with FERPA requirements;
- We have made editorial changes to § 99.35(a)(2) so the language in that section is more consistent with the language in § 99.35(a)(1) regarding the requirements for an audit, evaluation, or enforcement or compliance activity;
- We have clarified in § 99.35(a)(3)(v) that the required written agreement must establish policies and procedures to protect PII from education records from further disclosure, including by limiting use of PII to only authorized representatives with legitimate interests in the audit, evaluation, or enforcement or compliance activity;
- We have revised § 99.35(b)(1) to refer to a State or local educational authority or agency headed by an official listed in § 99.31(a)(3) rather than “authority” or “agency”, to ensure consistency with the language used in § 99.35(a)(2) and (a)(3);
- We have consolidated all regulatory provisions related to prohibiting an educational agency or institution from disclosing PII from education records to a third party outside of an educational agency or institution for at least five years (five-year rule) and moved them to subpart E of part 99 (What are the Start Printed Page 75606Enforcement Procedures?). Specifically, we—
○ Included in § 99.67(c) language from current § 99.31(a)(6)(iv) concerning the application of the five-year rule when the Department determines that a third party outside the educational agency or institution fails to destroy PII from education records after the information is no longer needed for the study for which it was disclosed;
○ Clarified in § 99.67(d) that, in the context of the audit or evaluation exception, the five-year rule applies to any FERPA-permitted entity or its authorized representative if the Department determines that either party improperly redisclosed PII from education records; and
○ Moved to § 99.67(e) the language from current § 99.33(e) concerning the application of the five-year rule when the Department determines that a third party outside the educational agency or institution improperly rediscloses PII from education records in violation of § 99.33 or fails to provide the notification required under § 99.33(b)(2);
- Throughout subpart E of part 99 (§§ 99.60 through 99.67), we have revised the language regarding enforcement procedures to clarify that the Secretary may investigate, process, and review complaints and violations of FERPA against an educational agency or institution or against any other recipient of Department funds under a program administered by the Secretary. This marks a change from the current provisions, which refer only to the Department's enforcement procedures against “educational agencies and institutions,” which are defined in § 99.3 as any public or private agency or institution to which part 99 applies under § 99.1(a). Section 99.1 describes FERPA as applying to an educational agency or institution to which funds have been made available under any program administered by the Secretary if (1) The educational institution provides educational services or instruction, or both, to students; or (2) the educational agency is authorized to direct and control public elementary or secondary, or postsecondary educational institutions; and
- Throughout subpart E of part 99 (§§ 99.60 through 99.67), we have clarified the procedures that the Office will follow to investigate, review, process, and enforce the five-year rule against third parties outside of the educational agency or institution.
Analysis of Comments and Changes
We received a total of 274 comments on the proposed regulations. The comments represented a broad spectrum of viewpoints from a number of different interested parties, including students, parents, privacy advocacy organizations, researchers, numerous associations, and representatives from schools, local educational agencies (LEAs) (also referred to as “districts”), and State educational agencies (SEAs).
We have carefully considered these comments and, as a result of this public input, have made several changes to the final regulations since publication of the NPRM. An analysis of the comments and changes follows. We group major issues according to subject, with applicable sections of the regulations referenced in parentheses. Generally, we do not address technical and other minor changes that we made, or respond to suggested changes that the law does not authorize the Secretary to make, or to comments that were outside the scope of the NPRM.
General Comments
Definitions
Comment: Several commenters stated that the terms used in the proposed regulations to refer to the different types of entities affected by the regulations were unclear and asked for the Department to clarify their meaning. Specifically, they asked if there is a difference between an educational agency or institution, on the one hand, and a State or local educational authority, on the other. Some commenters requested that we clarify whether a State agency, other than an SEA, such as a State department of social services, could be considered a State educational authority under the regulations. Another commenter asked that we also define the term “school official” to differentiate it from the term “authorized representative.”
Discussion: There are differences in meaning between the terms “educational agency,” “educational institution,” and “State and local educational authority,” and we provide the following explanation to clarify how these terms are used in the context of FERPA and its implementing regulations.
In general, FERPA applies to an “educational agency or institution” that receives funds under a program administered by the Secretary. 20 U.S.C. 1232g(a)(3). In § 99.3, we define the term “educational agency or institution” as any public or private agency or institution to which part 99 applies under § 99.1(a).
Educational institution. We use the term “educational institution” to refer to any elementary or secondary school, including any school funded or operated by the U.S. Department of the Interior's Bureau of Indian Education (BIE),[1] or to any postsecondary institution that receives funds under a program administered by the Secretary and that provides educational services or instruction, or both, to students (see § 99.1(a)(1)). Additionally, § 99.3 of the FERPA regulations defines “institution of postsecondary education” as an institution that provides education to students beyond the secondary school level. We generally use the term “institution of postsecondary education” to refer to colleges and universities and, in this document, use it interchangeably with the terms “postsecondary institution” and “institution of higher education”.
Educational agency. Under § 99.1(a)(2), an “educational agency” is an entity that is authorized to direct and control public elementary or secondary schools or postsecondary institutions. Thus, we consider LEAs (a term that we use interchangeably with school districts) to be “educational agencies” in the context of FERPA. However, we do not generally view SEAs as being “educational agencies” under § 99.1(a)(2) because we interpret the statutory definition of the term “student” to mean that an educational agency is an agency attended by students. Under paragraph (a)(6) of FERPA, a “student includes any person with respect to whom an educational agency or institution maintains education records or personally identifiable information, but does not include a person who has not been in attendance at such agency or institution.” 20 U.S.C. 1232g(a)(6). For example, we have generally considered students to be in attendance at the Fairfax County Public Schools school district, but not at the Virginia Department of Education. Therefore, under this framework, the term “educational agencies or institutions” generally refers to LEAs, elementary and secondary schools, schools operated by BIE, and postsecondary institutions.
State and local educational authorities. The term “State and local educational authority” is not defined in FERPA. The term “State and local Start Printed Page 75607educational authority” is important in the context of FERPA's audit or evaluation exception in §§ 99.31(a)(3) and 99.35 because State and local educational authorities are permitted to access, without consent, PII from education records. We generally have interpreted the term “State and local educational authority” to refer to an SEA, a State postsecondary commission, BIE, or any other entity that is responsible for and authorized under local, State, or Federal law to supervise, plan, coordinate, advise, audit, or evaluate elementary, secondary, or postsecondary Federal- or State-supported education programs and services in the State. (See http://www2.ed.gov/policy/gen/guid/fpco/ferpa/library/wku071105.html for more information.) While we have not generally viewed an SEA as being an educational agency under § 99.1(a)(2) for the reasons outlined in the preceding paragraph, it is important to note that we do view an SEA as a State educational authority for FERPA purposes.
An LEA can be both an educational agency and a local educational authority under FERPA because an LEA is authorized to direct and control public elementary and secondary schools and to supervise Federal- or State-supported education programs and services in the State. Because an LEA is considered to be an educational authority, the LEA may conduct an audit or evaluation of a Federal- or State-supported education program under the audit or evaluation exception. For example, an LEA may wish to evaluate the effectiveness of a particular program in the school district.
Some commenters asked whether a State agency other than an SEA, such as a State social services agency, could be considered an “educational agency or institution” or a “State or local educational authority.” We believe that State agencies other than an SEA could, depending on the individual circumstances, be considered to be an “educational agency or institution” or a State educational authority under FERPA. The Department generally considers a State postsecondary commission to be a State educational authority because such commissions are typically responsible for and authorized under State law to supervise, plan, coordinate, advise, audit, or evaluate Federal- or State-supported postsecondary education programs and services in the State. Likewise, a State-administered school that receives funds under a program administered by the Secretary, such as a school serving hearing-impaired students, is considered an educational institution under FERPA because it provides educational services or instruction to students. In general, the Department does not consider a State social services agency to be an “educational agency or institution” under FERPA because, although such an agency may provide educational services or instruction to students, it is not authorized to direct and control public elementary or secondary or postsecondary educational institutions, and it does not have students in attendance. In addition, the Department does not consider a State social services agency to be a State educational authority because such an agency generally is not responsible for and authorized under State law to supervise, plan, coordinate, advise, audit, or evaluate federally or State-supported elementary, secondary, or postsecondary education programs and services in the State. However, because States vary widely in how they administer programs, the Department would make this determination on a case-by-case basis and evaluate the particular responsibilities of that agency before giving definitive guidance on whether a particular agency would be considered an educational agency or institution or a State or local educational authority under FERPA.
With regard to the request that we define the term “school official” to avoid confusion with the term “authorized representative,” we note that current § 99.31(a)(1) in the FERPA regulations already describes “school official.” This section makes clear that school officials are teachers and administrators who work within a school, school district, or postsecondary institution. The regulations also state in § 99.31(a)(1) that contractors, consultants, volunteers, or other parties to whom an educational agency or institution has outsourced institutional services or functions under the conditions listed in § 99.31(a)(1)(i)(B)(1) through (a)(1)(i)(B)(3) may be considered school officials with legitimate educational interests in students' education records. We believe that this language in § 99.31(a)(1) and the definition of “authorized representative” are sufficiently clear to ensure that there is no confusion between these different categories of individuals.
Changes: None.
Comment: Several commenters asked the Department to include definitions for, and examples of, the following terms: “evaluation,” “audit,” “research,” “legitimate educational interest,” “compliance activities,” and “enforcement activities.”
Discussion: The terms identified by the commenters are not defined in FERPA, and the Department did not propose to define them in the NPRM because we did not wish to define them in ways that would unnecessarily restrict the educational community. Moreover, we do not believe it would be appropriate to define these terms in these final regulations because the public would not have had an opportunity to comment on them.
Changes: None.
Fair Information Practice Principles
Comment: Some commenters stated that the proposed amendments to part 99 in the NPRM represented a “wholesale repudiation of the fair information practices.” Others contended that the proposed regulatory changes go too far; that the changes would permit the disclosure of confidential student records to organizations that have little involvement in education, and the data will be used for purposes unrelated to education. Others expressed concern that the regulatory changes would result in student records being used for a wide range of activities under the pretext that some educational result would be derived from those activities. Others commented that obtaining parental consent to permit the disclosure of PII from education records should be the preferred approach.
Discussion: The Fair Information Practice Principles (FIPPs) are the foundation for information privacy in the United States. These principles are sometimes referred to just as FIPs (Fair Information Practices) and various versions of these principles exist with different numbering schemes. These principles include: That there be no secret recordkeeping systems; that individuals should have a way to find out information about themselves in a record and how it is used; that individuals be allowed to prevent information obtained for one purpose from being used for another; that individuals be allowed to correct records about themselves; and that the organization that created the record assure its reliability and take steps to prevent misuse. FIPPs form the basis of most State and Federal privacy laws in the United States, including FERPA. Like most privacy laws, however, the FIPPs must be adapted to fit the educational context of data disclosure. For example, one of the FIPPs principles is that individuals should have the right to prevent information for one purpose from being used for another. FERPA expressly permits the redisclosure, without consent, of PII from education Start Printed Page 75608records for a reason other than the reason for which the PII was originally collected, if the redisclosure is made on behalf of the educational agency or institution that provided the PII and the redisclosure meets the requirements of sec. 99.31.
The Department is not repudiating FIPPs, but rather is making only narrow changes to its regulations that it has determined are necessary to allow for the disclosure of PII from education records to improve Federal- and State-supported education programs while still preserving student privacy. The Department remains committed to FIPPs and believes that the final regulations appropriately embody core FIPPs tenets. In fact, FIPPs underlay the Department's recent privacy initiatives, including creating a Chief Privacy Officer position,[2] creating the Privacy Technical Assistance Center (PTAC),[3] and issuing a series of technical briefs on privacy, confidentiality, and data security.
We agree that it is preferable to obtain consent before disclosing PII from education records, and nothing in these final regulations is intended to change the statutory framework for consent. Nonetheless, Congress explicitly provided in FERPA that for certain purposes, PII from education records may be disclosed without consent. 20 U.S.C. 1232g(b).
We recognize that some may fear that these final regulations will permit the disclosure of PII from education records to improper parties, or for improper purposes, but we firmly believe such fears lack foundation. To be clear, these final regulations do not permit PII from education records to be disclosed for purposes unrelated to education. For example, the statute limits disclosures to those organizations that conduct studies for the purposes of “developing, validating, or administering predictive tests, administering student aid programs, and improving instruction.” We believe that the best method to prevent misuse of education records is not to bar all legitimate uses of education data, but rather to provide guidance and technical assistance on how legitimate uses can be implemented while properly protecting PII from education records in accordance with FERPA.
Changes: None.
Comments: Several commenters expressed concern or confusion about how the FERPA recordation, review, and correction provisions would work at the various school, LEA, or State levels.
Several commenters raised concerns about “up-stream data sharing” as it relates to the validity of the information maintained in SLDS. They expressed general concern that changes made to education records at the local level would not be reflected in the SLDS, so that authorized representatives of an SEA would be looking at out-of-date information. Some commenters suggested that when schools amend education records, they should be required to forward these amendments or corrections to their LEA or SEA.
A few commenters recommended that we require schools to notify parents and eligible students when PII from education records is disclosed to an outside entity. One commenter suggested that parents and students not only be notified, but that they also be given an opportunity to opt out of the disclosure. Several commenters expressed support for the notion that parents and students should be able to inspect and review education records held by authorized representatives.
One commenter asked why the Department did not propose to use its “putative enforcement authority” to create the right for parents and eligible students to inspect and seek to correct education records in the hands of authorized representatives.
Discussion: We appreciate the concern that records at State and local educational authorities be up-to-date to reflect changes made at the school level. We decline, however, to require schools to forward every change to “up-stream” educational entities, as this would be overly burdensome. Schools correct and update student education records on a daily basis and requiring daily “up-stream” updates is not feasible. Rather, we urge LEAs and SEAs to arrange for periodic updates. We believe that such an arrangement will help ensure the validity and accuracy of PII from education records disclosed to LEAs and SEAs and ultimately held in an SLDS.
We decline to adopt the suggestion that schools be required to notify parents and eligible students when PII from education records is redisclosed to an outside entity, and to provide parents and eligible students with an opportunity to opt out of the disclosure. FERPA expressly provides for disclosure without consent in these circumstances, a reflection of the importance of those limited disclosures.
Under § 99.7(a), educational agencies and institutions are required to annually notify parents and eligible students of their rights under FERPA. While FERPA does not require that this notice inform parents or eligible students of individual data sharing arrangements, we believe that transparency is a best practice. For this reason, we have amended our model notifications of rights under FERPA to include an explanation of the various exceptions to FERPA's general consent disclosure rule. This change to the model notifications should help parents and eligible students understand under what circumstances, such as the evaluation of a Federal- or State-supported education program, PII from education records may be disclosed to third parties without prior written consent. The Model Notification of Rights under FERPA for Elementary and Secondary Schools is included as Appendix B to this notice and the Model Notification of Rights under FERPA for Postsecondary Institutions is included as Appendix C to this notice; these model notifications are also available on the FPCO Web site at: http://www2.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html and http://www2.ed.gov/policy/gen/guid/fpco/ferpa/ps-officials.html.
With respect to the suggestion that we revise the regulations so that parents and eligible students can inspect and review and seek to amend education records held by authorized representatives, we note that FERPA provides a right for parents and eligible students to inspect and review their education records held by SEAs, LEAs, and schools. 20 U.S.C. 1232g(a)(1)(A) and (a)(1)(B). The statute does not provide any right to inspect and review education records held by authorized representatives of FERPA-permitted entities or other third parties (other than SEAs). Further, FERPA also provides a right for parents and eligible students to seek to amend their education records held by LEAs and schools, but not SEAs. 20 U.S.C. 1232g(a)(2). Again, however, the statute does not provide any right to seek to amend education records held by authorized representatives of FERPA-permitted entities or other third parties. For this Start Printed Page 75609reason, we do not have the authority to expand these statutory provisions to apply to authorized representatives of FERPA-permitted entities or other third parties (other than the right to inspect and review education records maintained by SEAs).
Parents and eligible students seeking to inspect and review a student's education records held by an authorized representative or a third party other than the SEA may contact the disclosing school or LEA. The school or LEA would then be required to allow them to inspect and review and seek to amend the education records that they maintain. Additionally, while FERPA does not accord a right to a parent or an eligible student to inspect and review and seek to amend education records held by authorized representatives, FERPA-permitted entities are free to include inspection or amendment requirements in the written agreements they enter into with their authorized representatives, assuming it is permissible under applicable State and local law to do so.
FERPA does not require parental or student notification of individual data sharing arrangements that may utilize PII from education records. However, § 99.32(a) does require recordation, except as provided in § 99.32(d), of disclosures whenever an educational agency or institution or FERPA-permitted entity discloses PII from education records under one of the exceptions to the consent requirement. Thus, the recordation provisions in § 99.32(a)(3) require educational agencies and institutions to record the parties to whom they have disclosed PII from education records and the legitimate interests the parties had in obtaining the information. This recordation must also identify the FERPA-permitted entities that may make further disclosures of PII from education records without consent (see § 99.32(a)(1)). When requested, FERPA-permitted entities must provide pursuant to § 99.32(b)(2)(iii) a copy of their record of further disclosures to the requesting educational agency or institution where the PII from education records originated within a reasonable period of time, not to exceed 30 days. For example, a school may request a record of all further disclosures made by its SEA of PII from education records from that school. The SEA would be required to comply with this request within 30 days.
Changes: None.
Legal Authority
Comment: Numerous commenters questioned the Department's legal authority to issue the proposed regulations, stating the proposals exceed the Department's statutory authority. Enacting the proposed changes, many of these commenters argued, would require legislative amendments to FERPA that could not be achieved through the rulemaking process.
Several commenters also stated that the America COMPETES Act and ARRA do not confer legal authority upon the Department to propose regulations that would allow the disclosure of PII from education records in the manner envisioned in the NPRM. While acknowledging that the America COMPETES Act generally supports the establishment and expansion of SLDS, several commenters noted that the America COMPETES Act requires States to develop and utilize their SLDS only in ways that comply with the existing FERPA regulations. One commenter stated that ARRA was merely an appropriations law and did not suggest any shift in Congressional intent regarding FERPA's privacy protections, information sharing, or the disclosure of student education records, generally.
Discussion: We disagree with commenters who stated that they believe the Department lacks the statutory authority to promulgate the proposed regulations contained in the NPRM. As a general matter, the Department has broad statutory authority to promulgate regulations to implement programs established by statute and administered by the Department. Under section 414 of the Department of Education Organization Act, 20 U.S.C. 3474, “[t]he Secretary is authorized to prescribe such rules and regulations as the Secretary determines necessary or appropriate to administer and manage the functions of the Secretary or the Department.” Similarly, section 410 of GEPA, 20 U.S.C. 1221e-3, provides that the Secretary may “make, promulgate, issue, rescind, and amend rules and regulations governing the manner of operation of, and governing the applicable programs administered by, the Department.”
Neither section 444 of GEPA, which is more commonly known as FERPA, nor any other statute, limits the Department's authority to promulgate regulations to protect the privacy of PII from education records or to interpret its regulations on FERPA consistently with other Federal statutes. The proposed regulations in the NPRM fall clearly within the commonplace use of the Department's regulatory authority. Adopting these provisions is necessary to ensure that the Department's implementation of FERPA continues to protect the privacy of PII from education records, while allowing for PII from education records to be effectively used, particularly in SLDS.
Moreover, we disagree with the contention that the America COMPETES Act and ARRA do not provide evidence of Congressional intent to expand and develop SLDS to include early childhood education, postsecondary, and workforce information. We believe the America COMPETES Act and ARRA should be read consistently with FERPA, where permissible. It is a well-established canon of statutory construction that a statute must not be interpreted so that it is inconsistent with other statutes where an ambiguity exists. Where two statutes appear to be inconsistent with one another, it is appropriate to provide an interpretation that reconciles them while still preserving their original sense and purpose. See, e.g., Lewis v. Lewis & Clark Marine, Inc., 531 U.S. 438 (2001); Ruckelshaus v. Monsanto Co., 467 U.S. 986, 1017-18 (1984).
In this case, the Department is interpreting its regulations in a manner that is consistent with FERPA, the America COMPETES Act, and ARRA. Under section 6401(e)(2)(D) of the America COMPETES Act, Congress clearly set forth its desire that States develop SLDS that cover students from preschool through postsecondary education by including information such as “the capacity to communicate with higher education data systems,” “information regarding the extent to which students transition successfully from secondary school to postsecondary education, including whether students enroll in remedial coursework,” and “other information determined necessary to address alignment and adequate preparation for success in postsecondary education.”
ARRA provides clear evidence of Congressional intent to support the expansion of SLDS, and is not merely an appropriations law, as suggested by one commenter. Section 14001(d) of ARRA specified that the Governor of a State desiring to receive an allocation under the State Fiscal Stabilization Fund was required to include assurances in its application that, among other things, the State will establish a longitudinal data system that includes the elements described in section 6401(e)(2)(D) of the America COMPETES Act. All States received grants under the State Fiscal Stabilization Fund. Thus, all States are required to include these 12 elements in their SLDS. Through ARRA, Congress also provided $250 million for additional State grants to support the expansion of SLDS to include postsecondary and workforce Start Printed Page 75610information, providing further evidence of Congress' intention that States include these elements in their SLDS.
Interpretations of our current FERPA regulations created obstacles for States in their efforts to comply with ARRA's requirement that SLDS include the 12 elements specified in the America COMPETES Act, and thereby allow for the sharing of education data from preschool to higher education. The changes that the Department is adopting through these regulations should eliminate barriers that may have prevented States from complying with the ARRA assurances while still ensuring that PII in education records is protected under FERPA. For example, under these final regulations, a local or State educational authority may designate a postsecondary institution as its “authorized representative,” in connection with the evaluation of Federal- or State-supported education programs. As such, the K-12 local or State educational authority may disclose PII from education records to the postsecondary institution without consent for purposes of evaluating either the K-12 or postsecondary Federal- or State-supported education programs.
If the Department were to make no regulatory changes, as requested by several commenters, then Congress' stated intentions behind the America COMPETES Act and ARRA regarding the development and expansion of SLDS would be significantly impeded. Instead, considering the extent of data sharing contemplated by these statutes, the Department is amending several regulatory provisions that have unnecessarily hindered the development and expansion of SLDS as envisioned by the America COMPETES Act and required under ARRA, while still remaining consistent with FERPA's underlying purpose of protecting student privacy.
Changes: None.
FERPA Does Not Provide Authority for Data Collection
Comment: Several commenters expressed concern about the types of student PII described in the NPRM and what they perceived as the Department's intent to collect information on individual students. The Department received similar comments from multiple parties who inferred from the NPRM that the Department sought to collect information on students such as “hair color, blood type or health care history.” These commenters appeared to believe that the Department would collect this data and provide it to other Federal agencies, such as Labor and Health and Human Services, to “facilitate social engineering such as development of the type of `workforce' deemed necessary by the government.”
Discussion: The Department agrees that it should not collect such information or guide students “toward predetermined workforce outcomes,” as the commenters stated. Moreover, the Department did not propose in the NPRM to permit the collection of this information or to conduct the activities described by these commenters.
Commenters mistakenly inferred that the proposed changes to the regulations would expand the types of data collections that the Department may require as conditions of receiving Federal funds. FERPA itself does not establish the authority for any type of data collection at any level, whether Federal, State, or local. Likewise, FERPA does not authorize the establishment of SLDS. Congress granted the Department the authority to provide grants to States for the development of SLDS under section 208 of the Educational Technical Assistance Act of 2002, 20 U.S.C. 9607. States have invested in SLDS to enhance their ability to efficiently and accurately manage, analyze, and use education data, which includes PII from education records that are protected under FERPA. SLDS for K-12 education often include data related to Federal- and State-funded education programs, such as data related to assessments, grades, course enrollment and completion, attendance, discipline, special education status, homeless status, migrant status, graduation or dropout status, demographics, and unique student identifiers. Schools and LEAs are the primary collectors of these data. LEAs report these individual student-level data to the SEA to meet various requirements, and the data is warehoused in the SLDS.
For Federal K-12 reporting, SEAs report aggregated counts at the State, local, and school levels for various indicators that are required for participation in Federal education programs, such as the number of students participating in and served by Title I. Similarly, postsecondary institutions are required to complete Integrated Postsecondary Education Data Systems (IPEDS) surveys if they participate in or are applicants for participation in any Federal student financial aid program (such as Pell grants and Federal student loans). While schools, LEAs, SEAs, and postsecondary institutions maintain student-level data, what is reported to the Department in IPEDS and in Federal K-12 reporting is aggregated, at a minimum, at the institutional level. The Department does not collect PII from education records outside of its duties that require it, such as administering student loans and grants, conducting surveys, and investigating individual complaints.
The Department offers this clarification to address the public comments that mistakenly interpreted the Department's proposed regulations as a mechanism to collect sensitive personal data on individual students at the Federal level, including data elements that are not related to education, to be used for non-educational purposes. As discussed later in this preamble, the Department is not legally authorized to create a national, student-level database, and the Department has no desire or intention to create a student record data system at the national level. Thus, the SLDS mentioned in these final regulations refers to individual States' longitudinal data systems, not a Federal database.
Commenters interested in understanding more about the data collections required by the Department should visit the Department's Web site at http://edicsweb.ed.gov and select the “Browse Active Collections” link.
Changes: None.
Comment: Several commenters expressed concern that the Department's proposal would create a national database of student PII. One commenter expressed strong opposition to the establishment of a national database because of concern that such a database could be used for non-educational purposes. Another commenter recommended that the Department publicly affirm that it does not support the establishment of a national database.
Several commenters indicated that the proposed changes reflected in the NPRM would permit data sharing and linking of SLDS across State lines, allowing for the creation of a “de facto” national database of student PII. These commenters expressed concern that interconnected SLDS would invite substantial threats to student privacy. Another commenter noted that the prohibition regarding the establishment of a national database in the ESEA, demonstrated Congress' intent to prohibit Federal funding of an interconnected SLDS.
Discussion: The Department is not establishing a national database of PII from education records and we have no intention to do so. Moreover, neither ESEA nor HEA provides the Department with the authority to establish a Federal database of PII from education records. Specifically, “[n]othing in [ESEA] * * * shall be construed to authorize the development of a nationwide database” Start Printed Page 75611of PII from education records. 20 U.S.C. 7911. Likewise, “nothing in [HEA] shall be construed to authorize the development, implementation, or maintenance of a Federal database” of PII from education records. 20 U.S.C. 1015c(a).
On the other hand, we do not agree with the suggestion that Congress intended to prohibit States from developing their own SLDS or linking SLDS across State lines. The right to develop SLDS or link SLDS across State lines is reserved to the States. Both ESEA and HEA permit States or a consortium of States to develop their own State-developed databases. In fact, HEA specifically states that it does not prohibit “a State or a consortium of States from developing, implementing, or maintaining State-developed databases that track individuals over time, including student unit record systems that contain information related to enrollment, attendance, graduation and retention rates, student financial assistance, and graduate employment outcomes.” 20 U.S.C. 1015c(c).
The Department does not agree with those commenters who expressed concerns that the linking of SLDS across State lines would allow for the creation of a “de facto” national database of student PII. First, as discussed earlier, States are not prohibited from establishing their own SLDS or linking SLDS across State lines provided that they do so in compliance with all applicable laws, including FERPA. Second, if a consortium of States chose to link their individual SLDS across State lines, such a system of interconnected SLDS would not be “national” because the Federal Government would not play a role in its operation. Rather, responsibility for operating such a system would lie entirely with the consortium of States.
Further, Congress made clear in the America COMPETES Act and ARRA that it supports the development and expansion of SLDS. For example, title VIII of ARRA appropriated $250,000,000 to the Institute of Education Sciences to carry out section 208 of the Educational Technical Assistance Act to provide competitive grants to State for the development of their SLDS that include early childhood through postsecondary and workforce information. In addition, section 14005 of ARRA provides that in order to receive funds under the State Fiscal Stabilization Fund a State was required to provide an assurance that it will establish an SLDS that includes the elements described in section 6401(e)(2)(D) of the America COMPETES Act (20 U.S.C. 9871). Consistent with congressional intent, these activities are only being carried out at the State level, not through the creation of a Federal database. These final regulations will help reduce barriers that have hindered States and consortia of States from developing, implementing, and maintaining their own SLDS.
Changes: None.
Use of Social Security Numbers
Comment: Several commenters requested clarification on whether Social Security numbers (SSNs) could be maintained in an SLDS or used as a linking variable. These commenters stated that they had been hindered in their efforts to build a robust SLDS by limitations on the exchange of SSNs. Other commenters suggested that the use of SSNs, names, and dates of birth be minimized, and that SLDS should instead create a common identifier that would allow the SEA and its authorized representative to match student records data without an unnecessary transfer of SSNs and other identifying information.
Discussion: We understand that data contained within an SLDS cannot be used effectively without using unique linking variables. Without the use of linking variables, States would be unable to monitor the educational progress and experiences of individual students as they progress through the education system across grade levels, schools, institutions, and into the workforce.
FERPA does not prohibit the use of a SSN as a personal identifier or as a linking variable. However, we agree with commenters that the use of SSNs should be minimized given that SSNs are often used by criminals for identity theft. The Federal Government itself attempts to minimize the use of SSNs. See, e.g., Office of Management and Budget (OMB) Directive M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” and “Guidance for Statewide Longitudinal Data Systems,” (National Center for Education Statistics (NCES) 2011- 602). The importance of limiting SSN use is recognized in FERPA, as schools are prohibited from designating SSNs as directory information. Hence, while FERPA does not expressly prohibit States from using SSNs, best practices dictate that States should limit their use of SSNs to instances in which there is no other feasible alternative.
Changes: None.
Disclosures Beyond State Lines
Comment: Several commenters sought clarification on whether FERPA allowed PII from education records to be disclosed across State lines, noting that there is increased demand to disclose PII from education records to third parties in other States to make comparative evaluations of Federal- or State-supported education programs, or to connect data on students who may be educated in multiple States. For example, one commenter asked the Department to clarify whether FERPA would permit postsecondary institutions to disclose PII from education records, including outcome data back to high schools in another State.
Several stakeholders have raised questions about whether the proposed regulations would permit the State educational authority in one State to designate a State educational authority in another State as its authorized representative to disclose PII from education records from one authority to the other.
Another commenter recommended that the Department restrict the disclosure of PII from education records under the audit or evaluation exception to authorized representatives within a State, or alternatively limit out-of-State authorized representatives to only other State educational authorities. Another commenter also asked about a school's ability to disclose PII from education records to other countries.
Discussion: FERPA makes no distinctions based on State or international lines. However, transfers of PII from education records across international boundaries, in particular, can raise legal concerns about the Department's ability to enforce FERPA requirements against parties in foreign countries. It is important to keep in mind that for a data disclosure to be made without prior written consent under FERPA, the disclosure must meet all of the requirements under the exceptions to FERPA's general consent requirement. For example, if the conditions under the audit or evaluation exception in FERPA are met, a State educational authority could designate an entity in a different State as an authorized representative for the purpose of conducting an audit or evaluation of the Federal- or State-supported education programs in either State. The disclosure of PII from education records is not restricted by geographic boundaries. However, disclosure of PII from education records for an audit or evaluation of a Federal- or State-supported education program is permitted only under the written agreement requirements in § 99.35(a)(3) that apply to that exception. Under these requirements, the disclosing entity would need to take reasonable methods Start Printed Page 75612to ensure to the greatest extent practicable that its authorized representative is in compliance with FERPA, as is explained further under the Reasonable Methods (§ 99.35(a)(2)) section in this preamble. More specifically, an LEA could designate a university in another State as an authorized representative in order to disclose, without consent, PII from education records on its former students to the university. The university then may disclose, without consent, transcript data on these former students to the LEA to permit the LEA to evaluate how effectively the LEA prepared its students for success in postsecondary education.
Changes: None.
Cloud Computing
Comment: Several commenters sought clarification on whether the proposed regulations would permit cloud computing, where data can be hosted in a different State or country. Commenters suggested that the final regulations not discriminate based on where data are hosted.
Discussion: The Department has not yet issued any official guidance on cloud computing, as this is an emerging field. We note, however, that the Federal Government itself is moving towards a model for secure cloud computing. Regardless of whether cloud computing is contemplated, States should take care that their security plans adequately protect student data, including PII from education records, regardless of where the data are hosted.
Changes: None.
Administrative Burden
Comment: Several commenters predicted an increase in administrative time and resources needed to comply with the proposed regulations, with one predicting an “exponential” increase. Given the current state of State budget deficits, several commenters asked the Department to provide guidance for ways to decrease burden, such as offering “planning and streamlining administrative processes and tools,” while still ensuring the protection of PII from education records.
Discussion: The Department appreciates this suggestion and acknowledges the current reality of State budget deficits. The Department believes, however, that regulating the specifics of data sharing would drive up costs, not reduce them. The Department notes that the changes reflected in these regulations aim to reduce the barriers to data sharing while still protecting student privacy. FERPA regulations themselves also do not require any data sharing by educational agencies or institutions; these data sharing activities are voluntary, and may occur at the discretion of educational agencies or institutions. We recognize that some educational agencies and institutions may need technical assistance from the Department to help ensure that their data sharing activities comply with these regulations, and the Department will help meet this potential need for SEAs and LEAs.
See the Potential Costs and Benefits, elsewhere in this preamble, for our estimation of costs associated with these regulations.
Changes: None.
Audit or Evaluation Exception (§ 99.35)
General Discussion
Comment: We received many comments supporting the proposed changes to the audit or evaluation exception. A comment co-signed by two dozen organizations supported the proposed regulations as the revised interpretations would permit more opportunities for data analysis by States, LEAs, schools, and research organizations.
Other commenters generally expressed support for the proposed changes, asserting that they would increase the ability to evaluate and improve education programs.
Supporters of the proposed regulations noted that, by reducing barriers to data sharing, more States would be able to connect their data systems to drive improvement in K-12 schools. Commenters noted several specific evaluations that would be possible with the proposed amendments to the audit or evaluation exception. For example, an evaluation of college freshmen, who all graduated from the same high school, may reveal the students needed postsecondary remediation in math. This information could help the high school improve its math program.
Likewise, career and technical education (CTE) agencies would be able to improve program effectiveness by accessing more data with their collaborative partners in workforce development and other non-educational agencies that prepare students for college and careers. Several commenters noted that these changes would allow State departments of education to assess their CTE programs and meet Federal accountability requirements in the Carl D. Perkins Vocational and Technical Education Act of 2006 (Pub. L. 109-270). Those that were supportive of these amendments stated that the written agreement requirements were reasonable and would help protect the confidentiality of the data.
Discussion: The Department agrees with these commenters that these activities would be permissible under these final regulations.
Changes: None.
Comment: One commenter stated that the Department's proposed change to remove the requirement in § 99.35(a)(2) that express authority is required under Federal, State, or local law to conduct an audit, evaluation, or enforcement or compliance activity would turn a narrow exception to consent into a “magic incantation” that would allow “unfettered access” to PII from education records for purposes other than what Congress intended. Several commenters objected on the grounds that the proposed change would result in confusion, with educational institutions struggling to separate real claims of authority from frivolous or false ones. Finally, a few commenters contended that the Department lacks the legal authority to make this proposed change.
Discussion: In 2008, we amended § 99.35(a)(2) of the Department's FERPA regulations to specifically require that legal authority exist under Federal, State, or local law to conduct an audit, evaluation, or enforcement or compliance activity. While we imposed no requirement to identify legal authority for other exceptions, we explained that we added this requirement to the audit or evaluation exception because we viewed the educational community as being significantly confused about who may receive education records without consent for audit or evaluation purposes under § 99.35. We explained that “[i]t [was] not our intention in § 99.35(a)(2) to require educational agencies or institutions and other parties to identify specific statutory authority before they disclose or redisclose PII from education records for audit or evaluation purposes but to ensure that some local, State or Federal authority exists for the audit or evaluation, including for example an Executive Order or an administrative regulation.” 73 FR 74806, 74822 (December 9, 2008).
In the NPRM, we proposed removing the language regarding legal authority in § 99.35(a)(2) due to confusion caused by the 2008 regulations. We explained in the preamble of the NPRM that the authority for a FERPA-permitted entity to conduct an audit, evaluation, or enforcement or compliance activity may be express or implied. The intent behind this proposed change was to make clear that Federal, State, and local Start Printed Page 75613law determine whether a given audit or evaluation is permitted, not FERPA.
Based on the comments, however, we are concerned that our explanation in the NPRM was not sufficiently clear. Certainly, if an educational agency or institution is concerned that a third party seeking access to PII from education records is not authorized under Federal, State, or local law to conduct an audit, evaluation, or enforcement or compliance activity, that educational agency or institution should seek guidance from its attorneys or from the State attorney general if the concern involves the interpretation of State law. If the concern involves the interpretation of Federal law, the educational agency or institution should seek guidance from its attorneys or from the Federal agency that administers the law in question. FERPA itself does not confer the authority to conduct an audit, evaluation, or enforcement or compliance activity.
We disagree with the commenters' contention that the Department lacks legal authority to amend the 2008 regulations. Because the statute itself does not specifically require that legal authority is necessary under Federal, State, or local law before an audit, evaluation, or enforcement or compliance activity may be conducted—and is, in fact, entirely silent on this issue—we retain the authority, subject to rulemaking requirements, to remove the language we added in 2008, effectively clarifying that the authority may be either express or implied. This deletion makes § 99.35(a)(2) consistent with the rest of the regulations, which do not address legal authority beyond FERPA.
Changes: None.
Comment: One commenter stated that the Department lacked the authority to regulate how education records are shared with respect to programs that are funded by the U.S. Department of Health and Human Services (HHS). Specifically, this commenter stated the authority to regulate education records maintained by Early Head Start and Head Start programs (collectively, “Head Start”) fell within the exclusive jurisdiction of HHS and could not be regulated by the Department of Education. This commenter relied upon a provision in the Head Start Act that states the:
Secretary [of HHS], through regulation, shall ensure the confidentiality of any personally identifiable data, information, and records collected or maintained under this subchapter by the Secretary or any Head Start agency. Such regulations shall provide the policies, protections, and rights equivalent to those provided to a parent, student, or educational agency or institution under [FERPA].
42 U.S.C. 9836a(b)(4)(A). This commenter also suggested that the Department and HHS work together to minimize the financial burden of the proposed regulations on Head Start agencies.
Discussion: We disagree with the commenter's contention that proposed §§ 99.3 and 99.35 would supplant the authority of HHS as those provisions relate to Head Start; these proposed changes would not overreach into HHS' “sphere of activity.” First, we note that FERPA applies directly to LEAs that receive funding under a program administered by the Department, including the Head Start programs that they operate. Concurrent jurisdiction exists between the Department and HHS for these Head Start programs. The Department did not propose in the NPRM that FERPA requirements would apply to Head Start programs not under the concurrent jurisdiction of the Department and HHS.
Further, under current regulations, SEAs and LEAs receiving funding under a program administered by the Department—and, therefore, falling under the Department's exclusive jurisdiction—are unable to disclose PII from educational records, such as the kindergarten grades of former Head Start students, to Head Start programs in order to evaluate the effectiveness of the Head Start programs. These final regulations permit State and local educational agencies and BIE funded and operated schools to disclose PII from education records to Head Start programs for an audit, evaluation, or enforcement or compliance activity. We believe this change aligns with Congress' stated intention in the America COMPETES Act and ARRA to link data across all sectors. Permitting access to student longitudinal data also builds upon the Department's and HHS' commitment to coordinate programs administered by State and local educational agencies and BIE funded and operated schools with early learning programs administered by non-educational agencies.
Finally, the Department believes that any potential financial burden on Head Start agencies that may result from these regulations is outweighed by the elimination of unnecessary barriers to the evaluation of their programs and the increased flexibility in the operation of their programs. Nonetheless, the Department is committed to working with HHS to minimize the financial burden of these regulations should such an increase in burden actually occur.
Changes: None.
Comment: One commenter asked whether the proposed regulations would allow an entity that receives PII from education records under the audit or evaluation exception to redisclose the PII from education records over the original disclosing entity's objection.
Discussion: In 2008, we amended the FERPA regulations to expressly permit FERPA-permitted entities to redisclose PII from education records received under the audit or evaluation exception in certain conditions. See § 99.33(b)(1) and (b)(2). For example, this change permitted an SEA to redisclose PII “on behalf of” the LEA if the redisclosure is to another school where the student seeks or intends to enroll, under §§ 99.31(a)(2) and 99.34 and the recordkeeping requirements in § 99.32(b)(1) or (b)(2) are met.
However, in 2008 we did not clarify that a redisclosure under the studies exception would be on behalf of an educational agency or institution if the SEA or other FERPA-permitted entity believed it would benefit the educational agency or institution.
In the NPRM, we specifically proposed that FERPA-permitted entities that receive PII from education records under the audit or evaluation exception be able to redisclose the PII from education records under the studies exception if all requirements to that exception are met. For example, a FERPA-permitted entity would be permitted to redisclose PII from education records under the studies exception in § 99.31(a)(6) if: (1) The FERPA-permitted entity has the express or implied legal authority to have the study in question conducted, and (2) the educational agency or institution either agrees to the redisclosure, in which case the redisclosure would be “for” the educational agency or institution, or the study is designed to improve instruction, in which case the redisclosure would be “on behalf of” the educational agency or institution. Accordingly, a redisclosure may be “for” or “on behalf of” of the original disclosing entity even if that entity objects to the redisclosure. For instance, an SEA receiving PII from an LEA may redisclose PII “on behalf of” the LEA if the redisclosure is for a study designed to improve the LEA's instruction. In this example, it would be irrelevant if the LEA objected to the SEA's redisclosure. FERPA-permitted entities that make further disclosures of PII from education records under the studies exception also must comply with the conditions specified in § 99.31(a)(6) and ensure that the recordkeeping requirements in § 99.32(b)(1) or (b)(2) have been met.Start Printed Page 75614
Changes: None.
Definition of “Education Program” (§§ 99.3 and 99.35)
Comment: Many commenters were supportive of the proposal to define the term “education program.” Many of these commenters commended the Department's proposal to adopt a broad definition of “education program” because doing so recognizes the fact that education begins prior to kindergarten and involves programs not administered by State or local educational agencies. While some commenters expressed concern that an overly broad definition of “education program” would result in extraneous programs being wrongly allowed access to student PII from education records, others expressed concern that an overly narrow definition would hinder legitimate data sharing needed to improve education programs. One commenter was concerned that the definition would omit programs many believe are necessary for students to succeed but may not be “principally engaged in the provision of education.” The commenter gave several examples including substance abuse, anti-bullying, and suicide prevention programs.
Numerous commenters provided other examples of specific programs and asked the Department to identify if those programs would be considered an education program under the proposed definition. Commenters specifically requested clarity about what types of early childhood programs would be considered education programs. A few commenters suggested that the Department utilize the HEA definition of “early childhood education program.”
One commenter suggested that we change “principally” to “primarily” in the definition of “education program.” Another recommended that the definition include “transitions from secondary to postsecondary education.” We also received the suggestion that we amend the definition of “education program” to specify that the program must be principally engaged in the provision of education to students in early childhood through postsecondary.
One commenter requested further clarity regarding who determines whether a program meets the definition of “education program” and how to handle any potential disputes regarding that determination.
Another commenter suggested that the Department was acting outside of its legal authority to expand the use of PII from education records to programs not administered by an educational agency or institution, and termed it an “unreasonable interpretation.”
Discussion: The Department has decided to make several changes to the definition as a result of the comments received. Whether a program is determined to be an education program should be based on the totality of the program, and not on whether the program contains a specific “incidental educational or training activity within a broader non-education program,” as suggested by one commenter. The number of commenters requesting clarity on which early childhood programs would be considered education programs under FERPA suggested a real need for the Department to define the term in the regulations to support faithful implementation of the FERPA amendments in the field. We agree with those commenters who suggested that the Department utilize the HEA definition of “early childhood education program” and are adopting this definition for several key reasons. By adopting a definition already established by Congress, we are confident that it will provide the requested clarity. This definition also provides greater consistency across Federal programs, resulting in more transparency and less burden.
The final regulations provide that any program administered by an educational agency or institution is considered to be an education program. We have made this change to ensure that, in addition to programs dedicated to improving academic outcomes, this definition includes programs, such as bullying prevention, cyber-security education, and substance abuse and violence prevention, when administered by an educational agency or institution.
It is the Department's intent that the following types of programs, regardless of where or by whom they are administered, fall under the new definition of “education program”: The educational programs conducted by correctional and juvenile justice facilities or alternative long-term facilities such as hospitals, dropout prevention and recovery programs, afterschool programs dedicated to enhancing the academic achievement of its enrollees, schools for the hearing and visually impaired, college test tutoring services, and high school equivalency programs. The following are examples of the types of programs that will generally be excluded from the definition of “education program”: Programs that are principally engaged in recreation or entertainment (such as programs designed to teach hunting, boating safety, swimming, or exercise), programs administered by direct marketers, and neighborhood book clubs. These are not all-inclusive lists; each program will need to be assessed to determine if it meets this regulatory definition of “education program” because it is principally engaged in the provision of education.
The Department declines to change the word “principally” to “primarily” in the definition of “education program” because we view these terms as being synonymous and interchangeable. The Department also declines to explicitly state that transitions from secondary to postsecondary education are included in the definition, because any transition program must meet the definition of “education program,” and it may be misleading to list some types of these programs and not others. The Department further declines to amend the definition of “education program” to require that the education program be principally engaged in the provision of education to “students” in early childhood through postsecondary education. Explicitly adding “students” to the definition would potentially exclude certain programs that would otherwise fit under this definition and that the Department intends to include. For example, this change would be particularly problematic for early childhood education programs, such as Head Start and IDEA Part C, which refer to their participants as children and infants or toddlers, respectively, not students. Head Start and IDEA Part C are explicitly included in the definition of “early childhood education program,” and the Department refrains from adding language that would contradict this definition and create confusion for implementation.
FERPA-permitted entities may disclose PII from education records without obtaining consent in order to conduct an audit, evaluation, or enforcement or compliance activity. FERPA permits these disclosures to occur without consent, but FERPA-permitted entities have the discretion to set their own policies and practices for implementing these disclosures, including any resolution processes that may be necessary to handle disputes regarding whether a program meets the definition of education program.
Finally, we disagree with the commenters who suggested that the Department lacks the legal authority to define “education program” in a way that would allow authorized representatives to use PII from education records to evaluate programs not administered by an educational agency or institution. As discussed elsewhere in greater detail, the Start Printed Page 75615Department has broad authority under GEPA to promulgate regulations that implement programs established by statute and administered by the Department, including FERPA. In this case, nothing in the statute itself or its legislative history limits the Department's authority to define “education program,” a previously undefined term.
The new definition of “education program” helps to ensure that the FERPA regulations do not impede States' ability to comply with ARRA. As discussed in the NPRM, in order to ensure that the Department's regulations do not create obstacles to States' compliance with ARRA, the Department sought to find a solution that would give effect to both FERPA and this more recent legislation by defining the term “education program” to include programs that are not administered by an educational agency or institution.
The Department's definition of the term “education program” is intended to facilitate the disclosure of PII from education records, as necessary, to evaluate a broad category of education programs.
The Department's definition of “education program” is also intended to harmonize FERPA and ARRA so as to protect PII from education records, even where the Department may not have a direct funding relationship with the recipient of PII from education records. We believe that the definition of the term “education program” sufficiently recognizes those common elements among entities that need to evaluate education programs and services, regardless of whether the education programs are funded by the Department.
Changes: In § 99.3, we have added a definition of the term “early childhood education program.” In addition, we have revised the definition of “education program” to include any program that is administered by an educational agency or institution.
Comment: One commenter requested that the Department clarify that PII from education records disclosed without obtaining consent under the audit or evaluation exception must be limited to PII related to educational data, given the wider variety of health information and other PII included in the school records of students with disabilities.
Discussion: Under the audit or evaluation exception, PII from education records may be disclosed without consent only to audit or evaluate Federal- or State-supported education programs, or to enforce or to comply with Federal legal requirements related to such programs. If PII from education records related to a student's health is necessary to evaluate an education program, this information may be disclosed without obtaining consent, provided all other requirements in the regulations are met. However, the same information would not be permitted to be disclosed without obtaining consent to evaluate the effectiveness of a health program.
Changes: None.
Definition of Authorized Representative (§§ 99.3 and 99.35)
Comment: Numerous commenters expressed support for our proposed definition of the term “authorized representative.” Among other reasons given for support, commenters stated that they were confident that the definition would facilitate better evaluations or would lead to an increased ability to conduct evaluations of Federal- and State-supported education programs. One commenter stated that the proposed definition was appropriate and necessary and reasonable in scope. One commenter was especially pleased that an SEA or LEA would have the ability to designate an individual or entity under the new definition for the purposes of conducting evaluations. Multiple commenters stated that the proposed definition would assist SEAs in handling PII disclosed from education records and in linking it across sectors, including the education and workforce sectors for the purposes of an audit, evaluation, or enforcement or compliance activity.
Finally, one commenter stated that FERPA-permitted entities under § 99.31 should include tribal education agencies (TEAs). This commenter contended that because FERPA regulations allow for the disclosure, without consent, of PII from education records to “State and local educational authorities” for audit or evaluation of Federal- and State-funded education programs, TEAs—the education arms of sovereign tribal governments—should also be allowed to access PII from education records without consent.
Discussion: The Department agrees with these commenters that the definition of the term “authorized representative” in the final regulations will increase the ability of FERPA-permitted entities to conduct audits or evaluations of Federal- and State-funded education programs, including those that link PII from education records across the education and workforce sectors.
As for TEAs, the Department's current interpretation of “State and local educational authorities” does not include them. Although the Department, as part of its proposal for the reauthorization of ESEA, supports strengthening the role of TEAs in coordinating and implementing services and programs for Indian students within their jurisdiction, we did not propose to define the term “State and local educational authorities” in the NPRM and, therefore, decline to regulate on it without providing the public with notice and the opportunity to comment. The Department's interpretation of the term “State and local educational authorities” does, however, include BIE.
Changes: None.
Comment: One commenter requested that we clarify the proposed definition of the term “authorized representative” to make it more similar to the regulatory language currently used in § 99.35(a)(1). This commenter expressed concern that, in our proposed definition, an authorized representative could be interpreted to mean an individual or entity who is engaged only in activities connected to Federal legal requirements related to Federal or State supported education programs. The commenter noted that § 99.35(a)(1) addresses both audit or evaluation activities associated with a Federal- or State-supported education program, and activities associated with enforcement of, or compliance with, Federal legal requirements that relate to those programs. The commenter recommended that we clarify the definition of the term “authorized representative” to align it with § 99.35(a)(1) and make clear that the Federal legal requirement only modifies the compliance or enforcement activity. Specifically, when describing the activities an authorized representative can carry out, the commenter requested we add an “or” between the words “audit” and “evaluation,” as opposed to a comma, and the word “any” before the term “compliance or enforcement activity.”
Discussion: We intend for our definition of the term “authorized representative” to cover both an individual or an entity engaged in the enforcement of or compliance with Federal legal requirements related to Federal- or State-supported education programs, and also to cover an individual or an entity conducting an audit or evaluation of a Federal- or State-supported education program. Accordingly, we are making this clarification in the definition.
Changes: We have made the minor changes suggested by the commenter to the definition of “authorized representative”.
Comment: Multiple commenters suggested that the Department exceeded Start Printed Page 75616its legal authority by proposing to define the term “authorized representative.” While acknowledging that FERPA does not define this term, these commenters stated that authorized representatives should only consist of the Comptroller General, the Attorney General, the Secretary, and State and local educational authorities since FERPA specifically allows for the disclosure of PII from education records to these entities. The commenters contended that expanding the definition beyond the four entities specifically identified in FERPA would be impermissible and that such a change would require congressional action. A few commenters pointed to a statement from the preamble to the final FERPA regulations (73 FR 74806, 74828) published in the Federal Register on December 9, 2008, in which the Department stated that “any further expansion of the list of officials and entities in FERPA that may receive education records without the consent of the parent or the eligible student must be authorized by legislation enacted by Congress.”
Other commenters objected to the rescission of the “direct control” requirement contained in the policy guidance on authorized representatives issued by then-Deputy Secretary of Education William D. Hansen in a memorandum dated January 30, 2003 (Hansen Memorandum). The Hansen Memorandum required that under the “audit or evaluation exception,” an authorized representative of a State educational authority must be a party under the direct control of that authority, e.g., an employee or a contractor. Under the Hansen Memorandum, an SEA or other State educational authority could not disclose PII without consent from education records to other State agencies, such as a State health and human services department, a State unemployment insurance department, or a State department of labor because these State agencies were not under the SEA's direct control.
Commenters further cited the conclusion in the Hansen Memorandum that the two references to the word “officials” in paragraph (b)(3) of FERPA reflect a congressional concern that the authorized representatives of a State educational authority be under the direct control of that authority. Specifically, commenters relied upon a December 13, 1974, joint statement in explanation of the Buckley/Pell Amendment (Joint Statement) that suggested that FERPA “restricts transfer, without the consent of parents or students, of PII concerning a student to * * * auditors from the General Accounting Office and the Department of Health, Education, and Welfare.” From this Joint Statement, these commenters suggested that Congress did not intend for “authorized representative” to be defined as broadly.
Commenters also cited several policy reasons for precluding other entities from serving as authorized representatives of FERPA-permitted entities, including that this definition would weaken the accountability of State or local educational authorities and would allow criminals, repeated privacy violators, and those with dubious standing to serve as authorized representatives. One commenter questioned whether individual State politicians or private companies could be authorized representatives.
One commenter, though supporting our definition of the term “authorized representative,” suggested that the definition of the term was too narrow and should be broadened to include child welfare agencies and their obligations to monitor the education outcomes of the children in their care. One commenter challenged the Department's proposed definition of “authorized representative” on the grounds that it constituted an unlawful sub-delegation of the Department's statutory authority by vesting the interpretation of FERPA in non-Federal entities. This commenter cited U.S. Telecom Ass'n v. F.C.C., 359 F.3d 554, 565 (DC Cir., cert. denied, 543 U.S. 925 (2004), in support of the position that such delegations are “improper absent an affirmative showing of congressional authorization.”
Discussion: It is important to note that FERPA does not define the term “authorized representative.” In the absence of a statutory definition, the Supreme Court has made it clear that it is appropriate to “construe a statutory term in accordance with its ordinary or natural meaning.” See, e.g., FDIC v. Meyer, 510 U.S. 471, 476 (1994).
In this case, “authorize” is commonly understood to mean to: “Invest especially with legal authority: EMPOWER * * *.” “Representative” is commonly understood to mean: “* * * standing or acting for another especially through delegated authority * * *.” Merriam-Webster's Collegiate Dictionary (11th Ed. 2011).
Following these standard definitions of “authorize” and “representative,” it is entirely appropriate that we permit State educational authorities, the Secretary, the Comptroller General, and the Attorney General to have the flexibility and discretion to determine who would best be able to represent them in connection with audits, evaluations, or enforcement or compliance activities. Restricting their discretion to select only their own officers and employees or those under their “direct control” is not required by the term's plain, dictionary meaning.
Additionally, we do not find the policy concerns for precluding other entities from serving as authorized representatives offered by commenters to be persuasive. While nothing in the final regulations specifically prohibits a State politician or private company, for example, from being designated as an authorized representative, the full requirements under FERPA must be met before PII from education records may be disclosed to any party. These regulations do not expand any of the reasons an individual or an entity can be designated as an authorized representative. As before, it may only be done to conduct an audit, evaluation, or enforcement or compliance activity. For example, to authorize a representative to conduct an evaluation, there must be a written agreement specifying the terms of the disclosure, and PII from education records may only be used for the purposes specified in the written agreement; the FERPA-permitted entity authorizing the evaluation must also take reasonable methods to ensure to the greatest extent practicable that its authorized representative complies with FERPA, as is explained in the “Reasonable Methods (§ 99.35(a)(2)),” section later in this preamble. If an individual or organization sought access to PII from education records for its own purpose, disclosure of the PII from education records without consent would not be permitted under FERPA, and the FERPA-permitted entity must not authorize the representative or permit the disclosure of PII from education records without consent. The written agreement operates as a contract between the FERPA-permitted entity and the authorized representative, so in the event that an individual or entity misuses PII from education records for purposes other than those that are authorized, there would be recourse according to the terms specified in the written agreement, in addition to any enforcement actions the Department may take.
Also, we continue to believe that there are good policy reasons to allow other agencies to serve as authorized representatives of FERPA-permitted entities. As we explained in the NPRM, we believe that our prior interpretation of the term “authorized representative” unduly restricted State and local educational authorities from disclosing PII from education records for the purpose of obtaining data on post-Start Printed Page 75617school outcomes, such as employment of their former students, in order to evaluate the effectiveness of education programs. Accordingly, we believe that our interpretation reflected in these final regulations reasonably permits State and local educational authorities, the Secretary, the Comptroller General, and the Attorney General of the United States to have the necessary flexibility and discretion to determine who may represent them with respect to audits and evaluations of Federal- or State-supported education programs and to enforce and to comply with Federal legal requirements that relate to such programs, subject to the requirements in FERPA.
Some commenters also appear to have misunderstood the Department's previous interpretation of the term “authorized representative” and mistakenly assumed that the Department has historically only permitted employees and contractors of FERPA-permitted entities to serve as authorized representatives. This is not the case. For instance, prior to the issuance of the Hansen Memorandum in 2003, the Department entered into a memorandum of agreement with the Centers for Disease Control and Prevention (CDC) in which the Department designated the CDC to serve as its authorized representative for purposes of collecting information under the Metropolitan Atlanta Developmental Disabilities Surveillance Program.
Further, prior to the Hansen Memorandum, the Department had provided guidance that State educational authorities could designate a State Unemployment Insurance agency as an authorized representative for the purpose of conducting wage record matches to carry out the performance reporting requirements of the Workforce Investment Act (WIA). Memorandum on Application of FERPA to Reporting for Eligible Training Providers under Title I of WIA from Judith A. Winston, Undersecretary of the Department of Education, (January 19, 2001).
Further, in the 2008 FERPA regulations, the term “authorized representative” was not limited to employees and contractors of the FERPA-permitted entities. In the preamble to those regulations, we wrote:
In general, the Department has interpreted FERPA and implementing regulations to permit the disclosure of personally identifiable information from education records, without consent, in connection with the outsourcing of institutional services and functions. Accordingly, the term “authorized representative” in § 99.31(a)(3) includes contractors, consultants, volunteers, and other outside parties (i.e., nonemployees) used to conduct an audit, evaluation, or compliance or enforcement activities specified in § 99.35, or other institutional services or functions for which the official or agency would otherwise use its own employees. For example, a State educational authority may disclose personally identifiable information from education records, without consent, to an outside attorney retained to provide legal services or an outside computer consultant hired to develop and manage a data system for education records.
73 FR 74806, 74825 (Dec. 9, 2008).
In other words, since 2008, we have included within the definition of “authorized representative” any outside party used to conduct an audit, evaluation, or enforcement or compliance activity specified in § 99.35, or other institutional services or functions for which the official or agency would otherwise use its own employees. These outside parties were required to be under the direct control of an SEA pursuant to the Hansen Memorandum; however, as we discuss in further detail in the following paragraphs, the Department has decided to eliminate the Hansen Memorandum's direct control requirement in these final regulations.
The statement in the preamble to the 2008 final regulations that “any further expansion of the list of officials and entities in FERPA that may receive education records without the consent of the parent or the eligible student must be authorized by legislation enacted by Congress,” means that any expansion of the current statutory exceptions to the consent requirement must be authorized by Congress. Today's change is not an expansion of the statutory exceptions to the consent requirement; rather it is a modification of the Department's interpretation of a term used in one of FERPA's existing statutory exceptions to consent so as to be consistent with recent developments in the law.
Moreover, the 2008 FERPA amendments did not provide an exhaustive or comprehensive list of the exceptions to the written consent requirement that would permit disclosure to non-educational State agencies. Rather, we noted that there are “some exceptions that might authorize disclosures to non-educational State agencies for specified purposes” and listed as examples disclosures made under the health or safety emergency exception (§§ 99.31(a)(10) and 99.36), the financial aid exception (§ 99.31(a)(4)), or pursuant to a State statute under the juvenile justice exception (§§ 99.31(a)(5) and 99.38). This was not an exhaustive listing of FERPA exceptions to the general consent requirement that would permit disclosure to non-educational State agencies. For example, a disclosure without consent also may be made to non-educational State agencies pursuant to the exception for lawfully issued subpoenas (§ 99.31(a)(9)), but this was not included in the 2008 preamble.
Even if the preamble to the 2008 final regulations clearly stated that the officials and agencies listed under § 99.31(a)(3)(i) through (a)(3)(iv) could not designate non-educational State agencies as their authorized representatives—which it did not—the Department still retains the authority to change its interpretation through notice-and-comment rulemaking, especially in light of recent legislation. Accordingly, because the term “authorized representative” is not defined in the statute, and the America COMPETES Act and ARRA have provided evidence of Congressional intent to expand and develop SLDS to include early childhood, postsecondary, and workforce information, the Department has decided to change its interpretation of the term “authorized representative” in order to permit State and local educational authorities, the Secretary of Education, the Comptroller General, and the Attorney General of the United States to have greater flexibility and discretion to designate authorized representatives who may access PII from education records as needed to conduct an audit, evaluation, or enforcement or compliance activity specified in § 99.35.
In response to commenters who objected to the rescission of the Hansen Memorandum's direct control requirement, the direct control requirement is not found in FERPA and is inconsistent with requirements of the America COMPETES Act and ARRA. We do not interpret the two references to the word “officials” in paragraph (b)(3) of FERPA as defining who may serve as an authorized representative of the officials listed in the exception. This would, in fact, limit those who could serve as an authorized representative to officials of the heads of agencies listed, which is inconsistent with the position adopted by the Hansen Memorandum. Rather, we interpret the word “officials” in paragraph (b)(3) of FERPA as simply a reference back to the four officials who are listed in the exception: the Secretary, the Comptroller General, the Attorney General of the United States, and State educational authorities.
The 1974 Joint Statement stated that “existing law restricts transfer, without the consent of parents or students, of personally identifiable information Start Printed Page 75618concerning a student to * * * auditors from the General Accounting Office and the Department of Health, Education, and Welfare * * *” 120 Cong. Rec. at 39863 (December 13, 1974). FERPA, however, was originally enacted on August 21, 1974. Thus, the Joint Statement provides little more than a retrospective narrative background regarding the exception to consent in 20 U.S.C. 1232g(b)(1)(C) and (b)(3), which already was in existing law and was not being amended in December 1974. Further, the Joint Statement only provides a short-hand and incomplete summary of this exception to consent. Significantly, the Joint Statement omits many aspects of this then-existing exception, which in addition to permitting disclosure of PII from education records without consent to “authorized representatives of” the Comptroller General and the Secretary of Health, Education, and Welfare (as referred to in the Joint Statement) also permitted disclosure without consent to “authorized representatives of” “State educational authorities” and “an administrative head of an education agency.” See section 513 of Pub. L. 93-380 (August 21, 1974). Further, this then existing exception to consent permitted disclosure of PII from education records without consent not only for the conduct of audits by auditors (as referred to in the Joint Statement), but also for the conduct of evaluations and the enforcement of Federal legal requirements. Id.
While we support the efforts in the Hansen Memorandum to protect student privacy, the Hansen Memorandum's direct control requirement resulted in State and local educational authorities engaging in convoluted processes to conduct an audit, evaluation, or enforcement or compliance activity that may serve only to increase costs and lessen privacy protection. Student privacy can be protected without having to prohibit disclosure of PII from education records to other entities in order to conduct an audit, evaluation, or enforcement or compliance activity. Although increased data sharing may result from our definition of “authorized representative,” it still would only be permitted under the terms of the exception. To disclose PII from education records without consent to an authorized representative (other than an employee), the exception requires written agreements and the use of reasonable methods to ensure to the greatest extent practicable FERPA compliance by an authorized representative. Further, an authorized representative's use of PII from education records is restricted to audits, evaluations, or enforcement or compliance activities.
The Department also disagrees that its definition of “authorized representative” constitutes an unlawful sub-delegation of authority to non-Federal entities. Although U.S. Telecom stands for the proposition that certain Federal agency sub-delegations are improper, its holding is inapposite when applied to the Department's definition of the term “authorized representative” in § 99.3. Unlike the statutory language in 20 U.S.C. 1232g(b)(1)(C) and (b)(3) that specifically identifies authorized representatives of the designated entities as potential recipients to whom PII from education records may be disclosed without consent, the authorizing statute at issue in U.S. Telecom assigned the FCC the specific responsibility of making impairment determinations:
“* * * the Commission shall consider, at a minimum, whether—(A) access to such network elements as are proprietary in nature is necessary; and (B) the failure to provide access to such network elements would impair the ability of the telecommunications carrier seeking access to provide the services that it seeks to offer”.
See 47 U.S.C. 251(d)(2). The U.S. Telecom court rejected the FCC's argument that it possessed the presumptive authority to sub-delegate its statutory decisionmaking responsibilities to any party absent congressional intent to the contrary. In this case, however, the Department is not attempting to delegate its decisionmaking authority and is only permitting authority for an audit, evaluation, or enforcement or compliance activity to be delegated to authorized representatives of FERPA-permitted entities, as Congress specifically identified in FERPA.
U.S. Telecom is similarly distinguished in Fund for Animals v. Norton, 365 F. Supp. 2d 394 (S.D.N.Y. 2005), which held that the Fish and Wildlife Service (FWS) did not act unlawfully by delegating limited authority over management of cormorant populations to regional FWS and State wildlife services directors, State agencies, and federally recognized Indian Tribes. Fund for Animals emphasized that FWS' delegation was not inconsistent with the statutory requirements and thus was entitled to deference under the Supreme Court's decision in Chevron U.S.A. Inc. v. NRDC, 467 U.S. 837 (1984). Id. at 410-11. Unlike the FCC's wholesale delegation to State commissioners of its statutory responsibility to make access determinations under 47 U.S.C. 251(d)(2), the FWS retained ultimate control over the delegates' determinations.
Likewise, in adopting the definition of the term “authorized representative,” the Department is not delegating its statutory authority to address violations of FERPA under 20 U.S.C. 1232g(f). The Department is simply delegating the authority to the entities specified in 20 U.S.C. 1232g(b)(1)(C) and (b)(3) to determine who may serve as their authorized representatives to conduct an audit, evaluation, or enforcement or compliance activity. This delegation is premised on compliance with other statutory and regulatory conditions, in connection with audits, evaluations, or enforcement or compliance activities.
Some commenters asked that we expand the definition of the term “authorized representative” to include child welfare agencies, to allow these agencies to monitor the educational outcomes of children under their care and responsibility. Paragraph (b)(3) of FERPA, however, does not allow this expansion of the purposes for which PII from education records may be used by authorized representatives. While we agree that authorized representatives of State educational authorities may generally include child welfare agencies, authorized representatives may only access PII from education records under paragraph (b)(3) of FERPA in order to conduct audits, evaluations, or enforcement or compliance activities.
Changes: None.
Comment: One commenter expressed concern about being held responsible for the disclosure of PII from education records to an authorized representative over which it does not have direct control, such as another State agency, if the authorized representative improperly rediscloses that information. This commenter, therefore, recommended that the FERPA regulations provide that a State or local educational authority is not required to comply with FERPA in regard to PII from education records that it discloses to an authorized representative over which it does not have direct control. In the alternative, this commenter requested that the regulations clarify that a State or local educational authority retains control over the entity or individual designated as its authorized representative through the required written agreement to ensure PII from education records is protected from unauthorized redisclosure.
Discussion: Like any disclosing entity, State or local educational authorities have an important responsibility to Start Printed Page 75619protect the privacy of PII from education records. To carry out this responsibility, a State or local educational authority must use reasonable methods to ensure to the greatest extent practicable that its authorized representative is complying with FERPA. A disclosing State or local educational authority, such as an SEA, also must enter into a written agreement with its authorized representative that details the responsibilities of both parties to protect the PII from education records disclosed to the authorized representative by the educational authority. If the State or local educational authority, such as an SEA, does not have confidence that the authorized representative will meet its responsibilities under the written agreement to protect PII from education records, the State or local educational authority should not authorize the individual or entity as a representative. The Department would be abdicating its responsibility under FERPA to protect the privacy of PII from education records if we released a State or local educational authority from responsibility when it discloses PII from education records to an authorized representative that is not under its direct control, such as another State agency.
Changes: None.
Comment: One commenter stated that, because the definition of “authorized representative” would allow “any individual or entity” to be designated as an authorized representative, the Department appears to be adopting a position under which an authorized representative is not required to have a “legitimate educational interest” to receive PII from education records under the audit or evaluation exception.
Discussion: We believe the regulations clearly articulate that a FERPA-permitted entity may only disclose PII from education records to an authorized representative under the audit or evaluation exception if the authorized representative will use PII from education records for one of the statutorily-specified purposes, i.e., if it is needed to conduct audits, evaluations, or enforcement or compliance activities. We have revised the regulations regarding written agreements between FERPA-permitted entities and their authorized representatives to include a requirement that the written agreement establish the policies and procedures that limit the use of PII from education records to only authorized representatives for statutorily-specified purposes. If an authorized representative receives PII from education records for one of these statutorily-specified purposes, then this constitutes a legitimate interest in receiving PII from education records. We have not required that authorized representatives have “legitimate educational interests” in receiving PII from education records, as suggested by the commenter, because we already require in § 99.31(a)(1) of the current regulations that educational agencies and institutions must determine that school officials have legitimate educational interests. Because authorized representatives differ from school officials and may receive PII from education records only for statutorily-specified purposes, we refer to the interests of authorized representatives in receiving PII from education records as “legitimate interests.”
Changes: We have revised § 99.35(a)(3)(v) to substitute the phrase “authorized representatives with legitimate interests in the audit or evaluation of a Federal- or State-supported education program or for compliance or enforcement of Federal legal requirements related to these programs” for the phrase “authorized representatives with legitimate interests.”
Comment: Some commenters indicated that the proposed definition of “authorized representative” should be amended so that authorized representatives may use PII from education records for any compliance or enforcement activity in connection with State legal requirements that relate to Federal- or State-supported education programs, as opposed to just Federal legal requirements.
Discussion: The Department lacks the statutory authority to make the requested change to expand the disclosures of PII from education records permitted without consent to include compliance or enforcement activity in connection with State legal requirements that relate to Federal- or State-supported education programs. Specifically, section (b)(3) and (b)(5) of FERPA only permit the disclosure of PII from education records, without consent, “in connection with the enforcement of the Federal legal requirements” that relate to Federal- or State-supported education programs. Accordingly, the Department is unable to expand the permitted disclosures of PII from education records to include a compliance or enforcement activity in connection with State legal requirements.
Changes: None.
Comment: One commenter also requested that, in lieu of the proposed definition of “authorized representative,” we provide that State agencies or other entities responsible for an education program, as that term was defined in the NPRM, are educational authorities for the limited purpose of the administration of their Federal- or State-supported education programs and that such entities are subject to the enforcement powers of the Department.
Discussion: We did not propose in the NPRM to define the term “State and local educational authorities,” which is used in § 99.31(a)(3). Therefore, we do not believe it is appropriate to define this term without providing the public with notice and the opportunity to comment on a proposed definition. Further, we do not agree that every entity that is responsible for an “education program” would be considered a State or local educational authority. As explained earlier in the preamble, the Department has generally interpreted the term “State and local educational authorities” to mean LEAs, SEAs, State postsecondary commissions, BIE, or entities that are responsible for and authorized under State or Federal law to supervise, plan, coordinate, advise, audit, or evaluate elementary, secondary, or postsecondary education programs and services in the State. Thus, we would not consider individual schools or early learning centers to be State or local educational authorities. Finally, the Department's enforcement powers with respect to a State or local educational authority are dependent on whether the educational authority receives funding under a program administered by the Secretary. If an educational authority does not receive such funding, then the Department's only FERPA enforcement measure would be the five-year rule.
Changes: None.
Comment: Several commenters stated that the Department should adopt additional remedies or sanctions to hold authorized representatives accountable.
Discussion: FERPA authorizes the Secretary to pursue specific remedies against recipients of funds under programs administered by the Secretary. Congress expressly directed the Secretary to “take appropriate actions” to “enforce” FERPA and “to deal with violations” of its terms “in accordance with [GEPA].” 20 U.S.C. 1232g(f). In GEPA, Congress provided the Secretary with the authority and discretion to take enforcement actions against any recipient of funds under any program administered by the Secretary for failures to comply substantially with FERPA (or other requirements of applicable law). 20 U.S.C. 1221 and 1234c(a). GEPA's enforcement methods expressly permit the Secretary to issue a complaint to compel compliance Start Printed Page 75620through a cease and desist order, to recover funds improperly spent, to withhold further payments, to enter into a compliance agreement, or to “take any other action authorized by law,” including suing for enforcement of FERPA's requirements. 20 U.S.C. 1234a, 1234c(a), 1234d, 1234e; 1234f; 34 CFR 99.67(a); see also United States v. Miami Univ., 294 F.3d 797 (6th Cir. 2002) (affirming district court's decision that the United States may bring suit to enforce FERPA). Thus, if an authorized representative receives funds under a program administered by the Secretary, the Department has the authority to enforce failures to comply with FERPA under any of GEPA's enforcement methods. If an authorized representative does not receive funds under a program administered by the Secretary and improperly rediscloses PII from education records, then the only remedy available under FERPA against the authorized representative would be for the Department to prohibit the disclosing educational agency or institution from permitting the authorized representative from accessing PII from education records for a period of not less than five years. 20 U.S.C. 1232g(b)(4)(B). These are the only remedies available to the Department to enforce FERPA. Remedies, such as assessing fines against any entity that violates FERPA, are not within the Department's statutory authority.
Under the FERPA regulations, and in accordance with its longstanding practice, the Department only will take an enforcement action if voluntary compliance and corrective actions cannot first be obtained. If the violating entity refuses to come into voluntary compliance, the Department can take the above listed enforcement actions. However, in addition to these statutorily authorized remedies, we encourage FERPA-permitted entities to consider specifying additional remedies or sanctions as part of the written agreements with their authorized representatives under § 99.35 in order to protect PII from education records. Written agreements can be used to permit increased flexibility in sanctions, to the extent that the desired sanction is permitted under law.
Changes: None.
Reasonable Methods (§ 99.35(a)(2))
Comment: Commenters were split on whether it was appropriate to define “reasonable methods” in the regulations. Some commenters agreed that the Department should not prescribe reasonable methods in the regulations and welcomed the additional flexibility offered by the proposed regulations. Others criticized the failure of the proposed regulations to require specific reasonable methods, contending that the Department was taking steps to allow more access to PII from education records but was not taking commensurate steps to prevent misuse of PII from education records being disclosed. One commenter requested further clarification on the expected enforcement actions the Department would take if an LEA or SEA did not use reasonable methods to ensure that its authorized representatives were in compliance with FERPA before disclosing PII from education records to them.
Discussion: The Department proposed the reasonable methods requirement to increase accountability so that FERPA-permitted entities disclosing PII from education records hold their authorized representatives accountable for complying with FERPA. FERPA-permitted entities must monitor the data handling practices of their own employees. They must also use reasonable methods to ensure FERPA compliance to the greatest extent practicable by their authorized representatives. The Department believes that FERPA-permitted entities should be accorded substantial flexibility to determine the most appropriate reasonable methods for their particular circumstances. In other words, what constitutes a reasonable method for ensuring compliance is not a one-size-fits-all solution; there are numerous actions a FERPA-permitted entity may take to ensure to the greatest extent practicable FERPA compliance by its authorized representatives. Nonetheless, while the Department is granting more flexibility to determine appropriate reasonable methods given the specific circumstances of the data disclosure, the Department will consider a FERPA-permitted entity disclosing PII from education records to its authorized representative without taking any reasonable methods to be in violation of FERPA and subject to enforcement actions by the Department.
It is worth noting that the FERPA regulations already require that educational agencies and institutions use reasonable methods such as access controls so that school officials only may access those education records in which they have a legitimate educational interest. See § 99.31(a)(1)(ii). The lack of specificity in § 99.31(a)(1)(ii) is appropriate, given variations in conditions from school-to-school. The Department believes similar flexibility is appropriate when FERPA-permitted entities disclose PII from education records to authorized representatives.
While the Department declines to impose specific requirements for reasonable methods, we are issuing non-regulatory guidance on best practices for reasonable methods as Appendix A. Variations of the elements appear in Appendix A as best practices for written agreements. In the following paragraphs, we provide a summary and discussion of the various suggestions for reasonable methods the Department received in response to the NRPM, and discuss whether we consider them best practices. Please note that Appendix A may also include best practices that were not mentioned by commenters, but that the Department believes would result in both increased data and privacy protection.
Reasonable methods are those actions the disclosing FERPA-permitted entity would take to ensure to the greatest extent practicable that its authorized representative complies with FERPA. The disclosing FERPA-permitted entity should generally take most of these actions by requiring them in its written agreement with its authorized representative. Many commenters discussed how reasonable methods could ensure FERPA compliance, but some commenters suggested that these techniques be required for FERPA-permitted entities in addition to their authorized representatives. While this is beyond the scope of the reasonable methods contemplated in the regulations, the best practices that the Department provides apply equally to other entities as a starting point for good data governance, the responsible use of data, and the protection of student privacy.
The Department has already produced several technical briefs that address many of the suggestions the Department received on reasonable methods and written agreements: “Basic Concepts and Definitions for Privacy and Confidentiality in Student Education Records,” “Data Stewardship: Managing Personally Identifiable Information in Electronic Student Education Records,” and “Statistical Methods for Protecting Personally Identifiable Information in Aggregate Reporting.” The briefs can be found at http://nces.ed.gov/programs/ptac/Toolkit.aspx?section=Technical%20Briefs. The Department is continually looking to improve the best practices information found in the briefs and encourages comments and suggestions to be emailed to the Department at SLDStechbrief@ed.gov. As with the best practices in Appendix A to this document, these briefs serve as resources for practitioners to consider Start Printed Page 75621adopting or adapting to complement the work they are already doing; they are not one-size-fits-all solutions.
Changes: None.
Comment: One commenter objected to the use of the word “ensure,” as it was proposed in § 99.35(a)(2), stating the term was “unrealistic and misleading” as nothing could definitively ensure that FERPA violations would not happen.
Discussion: The Department agrees with the commenter and is changing the language concerning reasonable methods in § 99.35(a)(2) to clarify that we expect FERPA-permitted entities to be responsible for using reasonable methods to ensure to the greatest extent practicable that their authorized representatives protect PII from education records in accordance with FERPA.
Changes: Section 99.35(a)(2) has been revised to state that FERPA-permitted entities are “responsible for using reasonable methods to ensure to the greatest extent practicable that any entity or individual designated as its authorized representative” protects PII from education records.
Comment: The Department received multiple suggestions on actions a FERPA-permitted entity should take to verify that its authorized representative is trustworthy and has a demonstrated track record of protecting data responsibly. Several comments suggested the need to verify that an authorized representative has disciplinary policies and procedures in place to ensure that employees who violate FERPA are dealt with appropriately, including possible termination of employment. Others suggested that individuals accessing PII from education records as authorized representatives should be required to undergo criminal background checks. A number of commenters suggested that the Department require verification that the authorized representative has a training program to teach employees who will have access to PII from education records about their responsibilities under FERPA. A common suggestion was to require the authorized representative to verify that it has no previous record of improperly disclosing PII from education records. One possible method of corroboration included requiring the authorized representative to divulge under penalty of perjury, both to the entity disclosing the data and to the general public, parents, and students, whether it has violated any written agreements or otherwise inappropriately disclosed FERPA-protected data. Another suggested receiving assurances that the authorized representative has no previous record of improperly disclosing PII from education records and that it is not currently “under suspension” from any State or local educational authority for inappropriate disclosure of student data. Multiple commenters also suggested that the Department publish a list of individuals or entities we found to have violated FERPA and against which we have taken enforcement actions. Some commenters stated that reasonable methods should include verifying that the authorized representative is not on that list published by the Department, while others suggested that individuals and entities on the list should be prevented from entering into future written agreements with all other FERPA-permitted entities, not just the FERPA-permitted entity whose data were mishandled.
Discussion: The Department agrees that it is vital to verify that the individual or entity acting as an authorized representative has proven that it is trustworthy and has policies and procedures in place to continue that record. While the Department will not mandate any specific requirements, the best practices for reasonable methods in Appendix A include:
- Verify the existence of disciplinary policies to protect data. The FERPA-permitted entity may want to verify that its authorized representative has appropriate disciplinary policies for employees that violate FERPA. This can include termination in appropriate instances.
- Know to whom you are disclosing data. The FERPA-permitted entity may want to require its authorized representative to conduct background investigations of employees who will have access to PII from education records, or it may want to conduct these investigations itself. Additionally, the FERPA-permitted entity may want to require its authorized representative to disclose past FERPA or data management violations. If the FERPA-permitted entity discovers past violations, it would want to explore the circumstances behind the violation, and discover all information that would allow it to make an informed judgment on whether the individual or entity is likely to be a responsible data steward. This may include discovering whether the violation was covered up, including if it was voluntarily reported to affected students or FPCO, and whether appropriate breach response procedures were followed.
- Verify training. The FERPA-permitted entity may want to verify that its authorized representative has a training program to teach its employees about FERPA and how to protect PII from education records, or the FERPA-permitted entity may want to train its authorized representatives itself.
As these are best practices, it is up to the FERPA-permitted entities to determine which actions are appropriate based on the circumstances; it is their responsibility to determine whether their authorized representatives understand their obligations under FERPA and whether they are likely to comply with FERPA's requirements. For example, even if an authorized representative discloses a past FERPA violation, a FERPA-permitted entity may nonetheless determine that the circumstances are such that it is still appropriate to disclose PII from education records to that individual or entity. The disclosing entity should take all factors into account, including the length of time since the violation, subsequent good behavior, corrective actions taken to negate the possibility of any similar future violations, etc.
For the time being, the Department has decided not to implement the idea of compiling a list of FERPA violators. The Department believes that a public list of entities that have violated FERPA is an intriguing idea and will continue to keep this idea in mind and possibly implement it at a later date.
The Department declines to broaden the requirement that, under the five-year rule, the authorized representative is prevented only from receiving PII from education records from the educational agency or institution that originally disclosed the PII from education records. The statutory language is clear that the five-year rule only permits the Department to prohibit further disclosures from the educational agenc(ies) or institution(s) which maintained the original education records from which PII was improperly redisclosed.
If an authorized representative is alleged to have violated FERPA, the Department will also investigate the complaint to determine the extent to which the disclosing FERPA-permitted entity employed reasonable methods. The Department's investigation will consider the reasonable methods taken and the specific circumstances of the disclosure.
Changes: None.
Comment: Numerous commenters suggested that FERPA-permitted entities should require their authorized representatives to use specific data security methods in order to ensure FERPA compliance. Many commenters provided suggestions for data security methods, including: Requiring strong encryption, publishing security Start Printed Page 75622guidelines, instituting dual-key login, preparing formal security assessments, instituting a security audit program, completing formal risk assessments, monitoring security events, creating data disposal procedures, implementing access controls, and monitoring physical security controls, including what people keep on their desks and printers. Several commenters stated that the Department should specifically regulate data security, as HHS does in the Health Insurance Portability and Accountability Act of 1996 Security Rule, 45 CFR 164.306 et seq.
Discussion: The Department does not believe it is appropriate to regulate specific data security requirements under FERPA. The Department believes it is more appropriate to allow for flexibility based on individual circumstances. In addition, rapid changes in technology may potentially make any regulations related to data security quickly obsolete. With the increasing move toward mobile computing, evolving hacking techniques, and the push toward ever stronger encryption standards, we believe that it is inadvisable to establish specific regulations in this area.
Still, the Department recognizes the important need, especially with the development of SLDS, for authorized representatives to have strong data security policies and programs in place. Data security is also an essential part of complying with FERPA as violations of the law can occur due to weak or nonexistent data security protocols. As such, the Department is adding the following to its best practices, which are included as Appendix A to this document:
- Verify the existence of a sound data security plan.
The FERPA-permitted entity may wish to verify before disclosing PII from education records that its authorized representative has a sound data security program, one that protects both data at rest and data in transmission. A FERPA-permitted entity has a responsibility to determine if its authorized representative's data security plan is adequate to prevent FERPA violations. The steps that the disclosing entity may need to take in order to verify a sound data security program are likely to vary with each situation. In some cases, it may suffice to add language to the written agreement that states what data security measures are required. In other cases, it may be more prudent for the FERPA-permitted entity to take a hands-on approach and complete a physical inspection. Additionally, the FERPA-permitted entity's written agreements could specify required data security elements, including requirements related to encryption, where the data can be hosted, transmission methodologies, and provisions to prevent unauthorized access.
Changes: None.
Comment: Some commenters suggested that the Department mandate that FERPA-permitted entities require their authorized representatives to implement various practices that fall under the rubric of data governance. Several commenters suggested the addition of various staff positions as part of a proper data governance strategy. One commenter suggested that the Department require LEAs to appoint formal FERPA compliance liaisons who would develop FERPA policies and procedures and provide professional development to those at the LEA who handle PII from education records. Another commenter suggested that the FERPA-permitted entity require the authorized representative to create an information security office. One commenter recommended, that as data governance is ultimately the responsibility of everyone in an organization, that the FERPA-permitted entity should require its authorized representative to adopt a formal governance plan that includes all levels of stakeholders, such as management, the policy team, data providers, and data consumers. The same commenter recommended that the Department require FERPA-permitted entities to have a formal communications plan so expectations regarding the governance plan are known to everyone.
Discussion: The Department declines to regulate specific data governance requirements, as we prefer to grant FERPA-permitted entities the flexibility to determine the appropriate elements for their authorized representatives to include in a comprehensive governance plan. The Department is adding the following element to the best practices for reasonable methods in Appendix A:
Verify the existence of a data stewardship program. The FERPA-permitted entity may want to examine its authorized representative's data stewardship program. Data stewardship should involve internal control procedures that protect PII from education records and include all aspects of data collection—from planning to maintenance to use and dissemination. The Department believes that a good data stewardship plan would have support and participation from across the organization, including the head of the organization, management, legal counsel, and data administrators, providers, and users. The plan should detail the organization's policies and procedures to protect privacy and data security, including the ongoing management of data collection, processing, storage, maintenance, use, and destruction. The plan could also include designating an individual to oversee the privacy and security of the PII from the education records it maintains.
As with data security, it is up to the FERPA-permitted entities to determine if the authorized representative's data stewardship plan is sufficient. Depending on the circumstances of the disclosure, this may include simply adding a description of the data governance plan to the written agreement or conducting an on-site inspection to ensure the authorized representative is properly implementing its plan.
Changes: None.
Comment: Multiple commenters suggested ways that reasonable methods could be used to prevent the authorized representative from improperly redisclosing PII from education records. Some commenters expressed concern that there is no bright line rule for how long PII from education records could be maintained by an authorized representative before it was required to be destroyed or returned. One commenter suggested a period of five years should be mandated as the maximum time PII from education records could be kept. Others expressed the view that exact timelines for keeping data were not warranted. Some requested that the Department clarify how PII from education records can be retained for purposes of long-term analysis.
Several commenters asked the Department to require a formal process to document the destruction or return of the disclosed PII from education records, such as a notarized letter, to ensure that both the disclosing FERPA-permitted entity and the authorized representative are upholding their responsibilities. Some commenters argued that this type of process would be ideal as it is often too difficult for the disclosing FERPA-permitted entity to verify that PII from education records has in fact been fully destroyed, and that the authorized representative did not maintain some electronic copy of the PII. If such a notarized statement were required, one commenter then asserted that the FERPA-permitted entity making the disclosure be held harmless if its authorized representative nonetheless maintained a copy of the data. Others stated that there should be more flexibility, such as permitting the storage of PII from education records in Start Printed Page 75623secure archives as opposed to fully returning or destroying it.
The Department also received comments suggesting that we limit the number or nature of data elements in PII from education records that can be disclosed or included in an SLDS, including how that data could potentially be linked to other information. The Department received comments stating that FERPA-permitted entities should be given the right to review any document being published by the authorized representative that uses the disclosed PII from education records to ensure that proper disclosure avoidance techniques were used to prevent an unauthorized disclosure. Finally, several commenters requested that reasonable methods include a provision that would allow the disclosing FERPA-permitted entity access to the authorized representative's policies, procedures, and systems to conduct monitoring and audit activities to ensure the authorized representative is taking all necessary steps to protect the PII from education records. Some commenters stated that these audits should be completed by independent third parties. Other commenters requested that the results of the audits be disclosed to the public.
Discussion: The Department believes that outlining the time period that an authorized representative can maintain data for the purpose of an audit, evaluation, or enforcement or compliance activity is extremely important, which is why it is one of the minimum required components of the written agreement (see § 99.35(a)(3)(iv)). Nonetheless, the Department declines to specify a set period of time in the regulations for data retention, as the necessary amount of retention time is highly fact specific. For example, if an SEA is disclosing PII from education records to an authorized representative for an evaluation that is expected to take six months, it may be, depending on the circumstances of the evaluation, reasonable to require that the authorized representative to destroy the disclosed PII in six months. If, however, an SEA is disclosing PII from education records to a regional entity for a longitudinal, multi-year evaluation, the written agreement might specify that data retention would be reviewed annually, with data elements being retained or destroyed as appropriate. The Department believes it is important to leave the determination of the appropriate time period up to the parties to the agreement.
The comments about methods for destruction do, however, point out a potential inconsistency in the NPRM that should be corrected. The NPRM provided that in some instances data must be destroyed when no longer needed, and that the data must be returned or destroyed in other instances. We believe the reference to returning data was more appropriate in a paper-based environment, and that destroying data is the more appropriate action when discussing electronic records. An entity could elect to destroy the data in question by returning the original file and erasing all versions of the data from its servers.
Accordingly, we have decided to remove the proposed requirements in § 99.35(a)(3)(iii) and (a)(3)(iv) that permitted an authorized representative to return PII from education records to the FERPA-permitted entity, in lieu of destroying such information, in order to correct the inconsistency.
While the Department is not regulating on this particular process, when assessing responsibility, if the Department finds that PII from education records has not been appropriately destroyed by an authorized representative, the Department would review all of the reasonable methods taken by the disclosing FERPA-permitted entity, such as if the written agreement included a formal process to verify the destruction of PII from education records.
The Department is not addressing through the FERPA regulations the number or nature of elements that can be disclosed, included in an SLDS, or linked to other elements. As stated earlier, FERPA is not a data collection statute, and it is beyond the scope of the statute to address these issues in these regulations. So long as all requirements of FERPA are met, the parties to the agreement have the flexibility to determine what elements should be disclosed and how they can be combined with other elements. Still, the FERPA regulations require that PII from education records may not be used for any purpose other than the audit, evaluation, or enforcement or compliance activity that prompted the original disclosure.
It is important that the authorized representative not purposely or inadvertently redisclose PII from education records inappropriately. For example, the written agreement could reflect the expectations that the FERPA-permitted entities have of the authorized representatives when it comes to making the data public. Methods, such as using disclosure avoidance techniques or exercising the right to review and approve any reports using the data before release, can be detailed in the written agreement to help ensure that unauthorized redisclosures do not happen.
In addition, the FERPA-permitted entities might wish to maintain the right to conduct monitoring and audits of the authorized representative's processes, procedures, and systems. If the FERPA-permitted entities decide to exercise this right, they should be free to choose who should conduct the audits or monitoring activities, whether it is themselves or an external third party, and if the results should be made public. The Department declines to regulate on this issue as we do not believe that it will always be necessary to conduct such audits or monitoring activities. The parties to the data disclosure agreement can determine if such activity is warranted based on criteria, such as the scope or duration of the audit, evaluation, or enforcement or compliance activity.
Based on the discussion in this section, we are including the following elements in Appendix A as best practices for FERPA-permitted entities to consider when implementing reasonable methods.
- Convey the limitations on the data. A FERPA-permitted entity should take steps to ensure that its authorized representative knows the limitations on the use of the data (i.e., that the data is only to carry out the audit or evaluation of Federal- or State-supported education programs, or to enforce or to comply with Federal legal requirements that relate to those programs).
- Obtain assurances against redisclosure. A FERPA-permitted entity should obtain assurances from its authorized representative that the data will not be redisclosed without permission, including such assurances that the authorized representative will provide the FERPA-permitted entity (the disclosing entity) the right to review any data prior to publication and to verify proper disclosure avoidance techniques have been used.
- Be clear about destruction. A FERPA-permitted entity should set clear expectations so its authorized representative knows what process needs to be followed for the proper destruction of PII from education records.
- Maintain a right to audit. A FERPA-permitted entity should maintain the right to conduct audits or other monitoring activities of the authorized representative's policies, procedures, and systems.
- Disclose only PII from education records that is needed. When the FERPA-permitted entity considers disclosing PII from education records to an authorized representative for an Start Printed Page 75624audit, evaluation, or enforcement or compliance activity, it may want to explore which specific data elements are necessary for that activity and provide only those elements. FERPA-permitted entities should take care to ensure that they are not disclosing more PII from education records than needed for the stated activity and purpose. FERPA-permitted entities should also explore whether PII from education records is actually required, or whether de-identified data would suffice.
Changes: The Department has removed the proposed requirement in § 99.35(a)(3)(iii) and (a)(3)(iv) that permitted an authorized representative to return PII from education records to the FERPA-permitted entity, in lieu of destroying such information, in order to be more consistent with the statute and to correct an inconsistency in the NPRM.
Written Agreements (§ 99.35(a)(3))
Comment: As with reasonable methods, the Department received mixed comments on the value of the proposed written agreement requirement and suggestions for how to improve it. One commenter, while approving of the written agreement provision, expressed concern that the proposed changes would relieve data recipients of responsibility for actually implementing protections, theorizing that the agreements would require only that “policies and procedures” be established, rather than the inclusion of any provisions providing true accountability. Other commenters requested that the Department provide the flexibility to FERPA-permitted entities to draft agreements that meet the needs and requirements of the circumstances of the data disclosures and the requirements of the relevant State and local laws. One requester asked the Department to add the phrase “including but not limited to” when referring to the specific requirements of written agreements as laid out in the NPRM. Several commenters requested further guidance on written agreements, including asking the Department to provide a model template. One commenter asked the Department to provide clarity around why the “other than an employee” language is included in the written agreement requirement. Another commenter requested that the Department replace the term “written agreement” with “data exchange agreement” because the commenter believed the “written agreement” term is too vague and “data exchange agreement” is the standard information security term.
Discussion: The Department proposed adding a new § 99.35(a)(3) to require written agreements when FERPA-permitted entities designate an authorized representative (other than an employee) under the audit or evaluation exception. The proposal included several specific provisions that must be included in written agreements: (1) Designate the individual or entity as an authorized representative; (2) specify the information to be disclosed and that the purpose for which the information is disclosed to the authorized representative is to carry out an audit or evaluation of Federal- or State-supported education programs, or to enforce or to comply with Federal legal requirements that relate to those programs; (3) require the authorized representative to destroy or return to the State or local educational authority or agency headed by an official listed in § 99.31(a)(3) personally identifiable information from education records when the information is no longer needed for the purpose specified; (4) specify the time period in which the information must be returned or destroyed; and (5) establish policies and procedures consistent with FERPA and other Federal and State confidentiality and privacy provisions to protect personally identifiable information from education records from further disclosure (except back to the disclosing entity) and unauthorized use, including limiting use of personally identifiable information to only authorized representatives with legitimate interests.
While the Department agrees that it is vital that written agreements clearly set forth all parties' obligations with respect to PII from education records, the Department believes that it would be inappropriate to be more prescriptive than the specific safeguards and provisions we are including in these regulations. The Department believes that it is more appropriate to provide the parties to the agreements with the flexibility to draft written agreements that meet the specific needs of the circumstances surrounding the data disclosure. In addition, the Department defers to State law governing contracts and written agreements, including the imposition of allowable sanctions.
While the Department declines to impose additional requirements for written agreements, the Department is including in Appendix A a summary of best practices for written agreements. In the following discussion, we address comments and suggestions the Department received and whether the Department considers these best practices. Appendix A also includes best practices that have not been mentioned in the comments, but the adoption of which the Department believes would result in increased accountability for all parties to the agreement. At this time the Department is not providing a model template for a written agreement but intends to issue one as additional non-regulatory guidance at a later date. It is also worth noting that the studies exception has had a requirement for written agreements since 2008. The matters discussed here logically apply to PII from education records disclosed under both the studies and audit or evaluation exceptions. It is only through the use of written agreements that parties can establish legally binding roles and responsibilities.
We specifically carve out employees from the written agreement requirements reflected in § 99.35(a)(3) because the Department is not requiring written agreements when FERPA-permitted entities use their own employees to conduct audits, evaluations, or compliance or enforcement activities. Agreements under the audit or evaluation exception are only necessary when an authorized representative is selected that is outside of the organization disclosing the data. Employees have an inherently different relationship with their employing organization than does an outside entity. It is important that any organization with access to PII from education records train its employees about their responsibilities under FERPA, including proper data governance and data security procedures. We would expect, therefore, that organizations would establish conditions of employment for their employees that are consistent with the components required of written agreements under § 99.35(a)(3) and that violations of those conditions would result in disciplinary actions, up to and including termination.
The Department declines to add the suggested “including but not limited to” language when referring to the minimum written agreement provisions specified in the regulations. The language in the final regulations, as proposed in the NPRM, reads that the written agreement must include these provisions but does not indicate that these are the only provisions that can be included in the written agreement. As such, the Department believes that the “including but not limited to” language is implied and therefore unnecessary.
Likewise, the Department declines to change the term “written agreement” to “data exchange agreement.” “Written agreement” is a general term that would include the more specific “data Start Printed Page 75625exchange agreement.” The Department is leaving it up to the discretion of the parties to the agreement to decide how the agreement may be termed, whether that be written agreement, contract, memorandum of understanding, data exchange agreement, or some other term.
Changes: None.
Comment: Several commenters seemed to misinterpret one of the Department's proposed required components of the written agreement: “Specify the information to be disclosed and that the purpose for which the information is disclosed to the authorized representative is to carry out an audit or evaluation of Federal or State supported education programs, or to enforce or to comply with Federal legal requirements that relate to those programs.” These commenters stated that the Department was requiring the written agreement to include “the purposes for which the information is being disclosed.” Others noted that anytime PII from education records is shared through one of the exceptions to the general consent rule under FERPA, the specific reasons for that disclosure should be clearly stated.
Discussion: The Department originally only proposed that a written agreement include a statement that the purpose of the disclosure was for an audit, evaluation, or enforcement or compliance activity. The NPRM did not include a requirement to describe the details of the activity or why PII from education records was a necessary component to the activity. Based on the comments we received, the Department is revising the regulations to require that written agreements include a description of the audit, evaluation, or enforcement or compliance activity.
Changes: Section 99.35(a)(3)(ii)(C) is added to require that the written agreement include a description of the activity with sufficient specificity to make clear that the work falls within the exception of § 99.31(a)(3), including a description of how the personally identifiable information from education records will be used.
Comment: Several commenters suggested that FERPA-permitted entities should be required to provide information about PII from education records being disclosed, such as the data elements being shared and the purpose of the disclosure, to parents and other stakeholders. Use of a Web site for this purpose was specifically recommended, particularly for posting the information on the minimum provisions required for written agreements. One commenter noted that it was important for the written agreements to be made available in order for the public to provide oversight regarding the appropriateness of the data disclosures.
Discussion: The Department concurs that transparency is important to ensuring the accountability of all parties. While we decline to issue regulations requiring it, we suggest that FERPA-permitted entities post substantive information on their Web sites or in other public locations about the disclosure of PII from education records, including the written agreements governing data disclosures and information about specific projects and uses. As such, we have added the following to Appendix A as a best practice:
- Inform the public about written agreements. Transparency is a best practice. The FERPA-permitted entity might want to post its data sharing agreements on its Web site, or provide some equivalent method to let interested parties know what data it is sharing, the reasons it is being disclosed, and how it is being protected. While the Department generally recommends public posting of written agreements, parties are encouraged to review their contractual data security provisions carefully and redact, prior to publication, any provisions that may aid those seeking unauthorized access to systems. In certain instances a separate confidential IT Security Plan may be appropriate.
Changes: None.
Comment: The Department received multiple suggestions on ways to increase the legal protections offered by the written agreements. Several commenters requested that the Department explicitly require that the written agreements comply with all applicable laws, whether at the Federal, State, or local level. One commenter specifically mentioned ensuring compliance with State data security laws and policies. Several commenters requested the inclusion of provisions that would ensure that Institutional Review Board (IRB) protocols are in place and properly implemented. Another commenter requested that the Department require the written agreement to include a provision specifying the legal authority for the data disclosure in order to ensure that anyone disclosing or receiving PII from education records has the authority to do so. Finally, the Department received many comments stating that increased accountability over authorized representatives could be achieved if the Department required that written agreements have the force of a contract under applicable State law. Specifically, these commenters strongly urged the Department to mandate, as a condition of data disclosure, that the written agreements include contractual safeguards such as liquidated damage provisions for breach of the agreement and third party beneficiary status for individuals whose PII from education records is disclosed.
Discussion: The Department agrees with many of the suggestions included in these comments; however, we decline to incorporate them as regulatory requirements. Rather, many suggestions have been included as best practices for written agreements in order to provide FERPA-permitted entities with the flexibility to craft provisions in the written agreements that meet their specific needs and the circumstances of the data disclosures. The Department agrees that the written agreements must comply with all applicable laws at the Federal, State, and local levels. This would include any State data security laws. The Department cannot regulate through FERPA on whether IRB review and approval is necessary or prudent. On the other hand, if the circumstances surrounding the audit, evaluation, or enforcement or compliance activity dictate that IRB involvement is required, it would be a best practice for the written agreement to reflect that. It should be noted, however, that the amendments are not intended to supersede the research regulations under the Common Rule that apply to Federally funded research of educational data that qualifies as human subject research. This includes the requirement that the researcher receive a waiver from an IRB if they intend to conduct research with identifiable information without consent of the participants.
The Department also agrees that it is sensible to list the express or implied legal authority that permits the data disclosure and the audit, evaluation, or enforcement or compliance activity. As stated elsewhere in this document, FERPA itself does not grant the authority for these activities, and the existence of this authority is generally a matter of other Federal, State, and local laws.
In general, the Department agrees with the view that written agreements should be used, to the extent permissible under applicable State law, to ensure that authorized representatives (other than employees) comply with FERPA to the greatest extent practicable. While the Department believes that there is merit in having written agreements that clearly set forth all parties' obligations with respect to FERPA-protected information, the Department believes Start Printed Page 75626that it would be inappropriate to require that the parties include specific contractual safeguards. The fact that the authority to enforce FERPA lies with the Department should not be taken to abrogate the responsibility that FERPA-permitted entities have to protect PII from education records. FERPA-permitted entities that are disclosing PII from education records to authorized representatives (other than employees) are encouraged to provide for sanctions in their written agreements, and to enforce those sanctions. The Department believes that it is appropriate to defer to applicable State laws governing contracts and written agreements for purposes of safeguarding FERPA-protected information.
Based on these suggestions, the following is being added to the best practices listed in Appendix A:
- Identify and comply with all legal requirements. It is important to remember that FERPA may not be the only law that governs a data sharing agreement. The agreement could broadly require compliance with all applicable Federal, State, and local laws and regulations, and identify the legal authority (whether express or implied) that permits the audit, evaluation, or enforcement or compliance activity.
- Mention Institutional Review Board (IRB) review and approval. While FERPA does not mention IRBs, research proposals involving human subjects may have to be reviewed and approved by IRBs, if required under protection of human subject regulations of the Department and other Federal agencies. If IRB review and approval is required or expected, this may be noted in the written agreement.
- Identify penalties. The agreement could include penalties under State contract law such as liquidated damages, data bans of varying length, and any other penalties the parties to the agreement deem appropriate. The FERPA-permitted entity may want its agreement to create third-party beneficiary rights, e.g., allowing parties injured by a data breach to sue for damages. While FERPA itself has little flexibility for sanctions, the FERPA-permitted entity can include a wide range of appropriate sanctions in its written agreements.
Changes: None.
Comment: Several commenters suggested that because the disclosure of PII from education records may create serious risks such as identify theft, the proposed regulations should require timely notification to parents and eligible students when their data has been disclosed as a result of a data security breach. Commenters also suggested that the written agreement include provisions for the handling of the breach, such as who would bear the costs associated with notifying those affected.
Discussion: The Department takes seriously the suggestion that parents and eligible students should be notified when PII from education records has been disclosed in violation of FERPA and agrees that notice should be given when there is a data security breach. However, the Department declines to impose through the FERPA regulations specific requirements for breach notification. This will allow FERPA-permitted entities the requisite flexibility to ascertain the appropriate responses and approaches to their particular situations and to comply with any existing Federal, State, or local laws or regulations governing breach notification.
Good data governance also includes breach notification; every organization responsible for managing education records that contain PII should maintain a breach response plan. These plans should provide specific guidelines for an appropriate and timely response to a breach, including a clear description of what constitutes a breach, and a description of the immediate steps to be taken in the event that a breach is suspected. In particular, there should be a designated person in the management chain who will be notified in the event of actual or suspected breaches. When a breach occurs, the designated authority should conduct an analysis of the likelihood of exposure and potential harm to affected individuals. This analysis will inform whether notification is warranted and what its content may be. There should also be an analysis of the circumstances that resulted in the breach, so that the system or procedures can be modified as quickly as possible to avoid further breaches through the same mechanism.
Although the Department is not regulating on breach notification, the following is being added to the best practices listed in Appendix A:
- Have plans to handle a data breach. While no one anticipates a data breach, data loss may occur. The FERPA-permitted entity may wish to include specific procedures in its written agreements detailing the parties' expectations in the event that PII from education records is lost, including specifying the parties' responsibilities with regard to breach response and notification and financial responsibility.
Changes: None.
Comment: The Department received requests to clarify to whom breaches of written agreements should be reported.
Discussion: As discussed earlier in this preamble, it is not only the FERPA regulations that govern what can be included in a written agreement. As such, it is important to address any remedies that are also available under State law. Nonetheless, a breach of the provisions in a written agreement may also constitute a violation of FERPA and should therefore be reported to FPCO.
Changes: None.
Comment: None.
Discussion: The Department wishes to reduce the implementation burden of the new written agreement requirement in § 99.35(a)(3) on FERPA-permitted entities by only requiring that new, renewed, or amended written agreements with authorized representatives that are entered into on or after the effective date of the regulations comply with the new requirement. The written agreement requirement in § 99.35(a)(3) must be adhered to for any new designation of an authorized representative that is not an employee as of the effective date of these regulations. As provided in the DATES section of the preamble, for written agreements that are in place with authorized representatives prior to the effective date of the regulations, FERPA-permitted entities must comply with the written agreement requirements in § 99.35(a)(3) when they renew or amend their agreements.
Changes: None.
Protection of PII From Education Records By FERPA-Permitted Entities (§ 99.35(b)(1))
Comment: None.
Discussion: The Department wishes to make the language used to refer to FERPA-permitted entities in § 99.35(b)(1) consistent with the language used to refer to FERPA-permitted entities in §§ 99.35(a)(2) and (a)(3).
Changes: We have revised § 99.35(b)(1) so that it uses the term, “State or local educational authority or agency headed by an official listed in § 99.31(a)(3),” which is used in §§ 99.35(a)(2) and (a)(3).
Disclosures to Organizations Conducting Studies (§ 99.31(a)(6))
Comment: A few commenters suggested that FERPA's “for, or on behalf of” requirement in the studies exception contains a significant limitation. Specifically, these commenters suggested that the exception prohibits FERPA-permitted entities, such as an SEA, from redisclosing PII from education records that they received under one of FERPA's exceptions to the general consent rule, Start Printed Page 75627for, or on behalf of, the original disclosing educational agency or institution, such as an LEA, if the original agency or institution objected to the disclosure. Another commenter asked that we further amend § 99.31(a)(6) to permit disclosures to organizations conducting studies for, on behalf of, or in partnership with, or in the interest of, educational agencies or institutions, as determined by those agencies or institutions.
Discussion: We disagree that the phrase “for, or on behalf of” prohibits a disclosure to which the original disclosing educational agency or institution objects. Historically, the Department has viewed the “for, or on behalf of” requirement as being based on the unstated premise that some form of agreement by the original disclosing educational agency or institution, such as an LEA or postsecondary institution, was a necessary prerequisite for these types of disclosure. However, it has become necessary for the Department to consider whether its interpretation concerning the “for, or on behalf of” language was fully consistent with recently enacted laws.
We have concluded that “for, or on behalf of” does not require the assent of or express approval by the original disclosing educational agency or institution. For example, it is not necessary for an SEA to secure the approval of an LEA prior to making disclosures for, or on behalf of the LEA, so long as the SEA is acting with express or implied legal authority and for the benefit of the LEA.
The changes to § 99.31(a)(6)(ii) are necessary to clarify that while FERPA does not confer legal authority on FERPA-permitted entities to enter into agreements and act as representatives of LEAs or postsecondary institutions, nothing in FERPA prevents them from entering into agreements and redisclosing PII from education records related to studies conducted on behalf of LEAs or postsecondary institutions under § 99.31(a)(6), provided that the redisclosure requirements in § 99.33(b) are met. Permissive disclosures of this type may be made notwithstanding the objection of the LEA or postsecondary institution so long as the disclosing FERPA-permitted entity has independent authority to have the study conducted, whether expressly stated or implied, and makes the disclosure on behalf of the LEA or postsecondary institution.
We anticipate that the majority of redisclosures made by FERPA-permitted entities will be made for, or with the approval of, the original disclosing educational agency or institution. Nevertheless, we can reasonably foresee instances in which these FERPA-permitted entities would make redisclosures on behalf of an LEA or postsecondary institution without obtaining its approval.
For instance, an SEA must have the authority to enter into agreements with researchers to conduct studies to improve instruction across LEAs within its own State. Studies such as these can help States save money and improve student outcomes by identifying effective practices and targeting limited resources accordingly, while simultaneously increasing the transparency of taxpayer investments. Therefore, in order to provide greater flexibility to FERPA-permitted entities, we interpret the phrase “for, or on behalf of” to recognize both disclosures for the LEA or postsecondary institution that are made with the approval of the LEA or postsecondary institution and disclosures made on behalf of the LEA or postsecondary institution that are made for their benefit in the absence of their approval.
This approach ensures that FERPA-permitted entities have the necessary latitude to fulfill their statutory and regulatory mandates. They may conduct studies of publicly funded education programs while still ensuring that any PII from education records is appropriately protected. FERPA permits disclosure without consent to an organization conducting a study “for, or on behalf of, educational agencies or institutions” for statutorily enumerated purposes. 20 U.S.C. 1232g(b)(1)(F). We see no need to deviate from the statutory language in the regulations and agree that § 99.31(a)(6) permits disclosure without consent to organizations conducting studies in partnership with educational agencies or institutions, in which case we would view the study as being “for” the educational agencies or institutions. Similarly, as explained earlier in this discussion, we also view § 99.31(a)(6) as permitting disclosure without consent to organizations conducting studies for the benefit of educational agencies or institutions, in which case we would consider the study to be “on behalf of” educational agencies or institutions.
However, we disagree with the contention that only an educational agency or institution may make the determination regarding whether a study is for or on its behalf. Rather, FERPA-permitted entities may also make the determination that a study is for the benefit of the original disclosing educational agency or institution. For example, an SEA may conduct a study that compares program outcomes across its LEAs to further assess what programs provide the best instruction and then duplicate those results in other LEAs.
Changes: None.
Comment: None.
Discussion: Upon further review, we decided to remove the proposed requirement in § 99.31(a)(6)(iii)(C)(4) and the requirement in § 99.31(a)(6)(ii)(C)(4) of the current regulations that permitted an organization conducting a study to return PII from education records to the FERPA-permitted entity, in lieu of destroying such information. We made these changes so that the regulations are more consistent with the statute, which requires the destruction of such information, and to correct an inconsistency in the current and proposed regulations, which required both the destruction of such information and the return or destruction of such information. While returning the information to the originating entity can be a form of destruction so long as the organization conducting the study also properly erases all PII from education records that is maintained in electronic format, returning the information would be insufficient if the PII from education records is continued to be maintained in electronic format by the organization conducting the study.
Changes: We have removed the proposed requirement in § 99.31(a)(6)(iii)(C)(4) and the requirement in § 99.31(a)(6)(ii)(C)(4) of the current regulations that permitted an organization conducting a study to return PII from education records, in lieu of destroying such information, in order to be more consistent with the statute and to correct an inconsistency in the current and proposed regulations.
Directory Information (§§ 99.3 and 99.37)
Definition of Directory Information (§ 99.3)
Comment: One commenter supported the proposed change to the definition of “directory information,” which clarifies that an educational agency or institution may designate and disclose as directory information a student's ID number, or other unique personal identifier that is displayed on a student's ID card or badge, if the identifier cannot be used to gain access to education records, except when used in conjunction with one or more factors that authenticate the student's identity. We also received numerous comments from a variety of parties that expressed support for this change.
One commenter suggested that we remove from the definition of “directory Start Printed Page 75628information” the items “address,” “telephone listing,” and “date and place of birth,” noting that the availability of directory information jeopardizes students' right to privacy and makes identity theft easier. Another commenter raised a number of concerns about how directory information might affect a student who is homeless and recommended that a student's address not be included in the definition of “directory information” for a student who meets the definition of “homeless child or youth” under the McKinney-Vento Homeless Assistance Act. For a number of reasons, the commenter stated that disclosing a homeless student's address would be harmful or an invasion of privacy. A few commenters raised concerns about what they mistakenly thought was an expansion of the definition of “directory information” by including any student ID number, user ID, or other unique personal identifier used by a student for purposes of accessing or communicating in electronic systems.
Discussion: We appreciate the support that we received from those parties who agreed with the clarification we proposed to the definition of “directory information,” and we regret any confusion caused by including the entire definition in the NPRM. As we explained in the preamble to the NPRM, we proposed to modify the definition of “directory information” only to clarify that under § 99.37(c)(2), an educational agency or institution may require students to wear or display ID badges or identity cards that display directory information, even if the parent or the eligible student opted out of directory information. The inclusion of a student ID number or other unique identifier in the definition of “directory information” is not new; we made this amendment in 2008. The NPRM merely proposed to establish that the student ID number or other unique identifier that we allowed to be designated as directory information in 2008 could also be displayed on a student ID card or badge.
With regard to the concerns about including in the definition of “directory information” such items as “address,” “telephone listing,” and “date and place of birth,” we note that these items have been in the FERPA statute since its enactment in 1974, and any change to remove these items would require congressional action. We include these and other items in the regulations, explaining in § 99.37 that an educational agency or institution may disclose directory information under certain conditions, including the condition that it notify parents and eligible students of the types of PII from education records it has designated as directory information. If a school has the administrative capacity, it may permit parents or eligible students to opt out of specific items it has designated. However, it has been our understanding that most schools do not have the administrative capacity to permit parents and eligible students to opt out of some, but not all, directory information. Because the disclosure of directory information is permissive, we have advised schools that they can employ an all-or-nothing approach to the disclosure of directory information. That is, a school may provide public notice of the items that it has designated as directory information and permit parents and eligible students to opt out of the disclosure of the items as a whole.
With regard to the comment about not designating an address as “directory information” for a student who is homeless, as explained elsewhere, FERPA provides schools with the authority to include or exclude any items within the definition of “directory information.”
The definition of “directory information” in FERPA is generally a guideline for schools to use in designating types of information as directory information. A school is not required to designate all of the types of information given as examples in FERPA as directory information. The decision to designate certain types of information as directory information, such as the student's address, is left to the discretion of the individual educational agency or institution.
We share the concerns raised by commenters that certain directory information items may make identity theft easier in our modern information age. We encourage school officials to be cognizant of this fact and, if feasible, to work hand-in-hand with parents and eligible students in their community to develop a directory information policy that specifically meets their needs and addresses legitimate concerns.
Changes: None.
Student ID Cards and ID Badges (§ 99.37)
Comment: Several commenters expressed support for the proposed amendment in § 99.37(c)(2), which provides that parents and eligible students may not use their right to opt out of directory information disclosures in order to prevent an educational agency or institution from requiring students to wear or otherwise disclose student ID cards or badges that display information that may be directory information. One commenter noted that schools can embed student ID numbers in bar codes or magnetic stripes, as needed, to avoid any privacy conflicts. A student stated that a university should be able to require that students wear ID badges on campus in order to better protect students.
Another commenter recommended that we specify which directory information can be displayed on a student ID card or badge. Some commenters asked if there would be any situations in which a student might be exempted from wearing an ID badge, such as where a student is the victim of stalking at a large postsecondary institution. Another commenter expressed concern that including a student ID number as directory information would have a negative effect on students receiving services under the Individuals with Disabilities Education Act (IDEA) and raised concerns about physical safety and protection from identity theft. The commenter suggested that a student ID number or other unique identifier that may be displayed on a student ID card and is designated as directory information should not be used—even in conjunction with one or more factors that authenticate the user's identity—to gain access to education records. The same commenter supported permitting a school to require a student to wear or publicly display a student ID card or badge that exhibits directory information, as long as the student ID number cannot be used to gain access to education records.
A commenter also suggested that we amend this provision to include other activities for which parents and eligible students cannot opt out, such as participation in education activities that require sign-in access to electronic systems. Specifically, the commenter requested that we add a new requirement stating that a parent or eligible student could not opt out of directory information disclosures to prevent an educational agency or institution from disclosing or requiring a student to disclose the student's name, identifier, or institutional email address in a class in which the student is enrolled. This would include access to instruction, curriculum, courses, or other administrative functions provided online. The commenter stated that the increased use of electronic systems for both instructional and administrative activities dictates that the Secretary not differentiate between these types of activities in which students may opt out. The commenter asked for these changes to ensure that students are not allowed to opt out of participation in various classroom or other instructional activities simply because they have to Start Printed Page 75629sign on to an electronic system. Another commenter asked that we not permit the student's picture to be on the student ID. This commenter also expressed support for permitting parents and eligible students to have the right to opt out of wearing a student ID badge.
Discussion: We appreciate the support we received concerning this proposed change. With regard to the comment that we specify the directory information that can or cannot be displayed on an ID card or badge (e.g., a student's picture), we do not believe this is appropriate or necessary. Rather, we believe that educational agencies and institutions should have the flexibility to make these determinations best suited to their particular situations. Similarly, we do not believe that we should require that information displayed on a student ID card or badge contain only information that cannot be used to gain access to education records. Student ID numbers, user IDs, and any other unique personal identifiers may only be included as directory information if they cannot be used to gain access to education records except when used in conjunction with one or more other factors that authenticate the user's identity.
For the same reasons school administrators need the flexibility to determine what type of information is directory information, they need to have the flexibility to determine what directory information should be included on a student ID card or badge. Smaller schools may know their student population well enough that they may not need to have an ID number or other unique identifier, while larger LEAs, colleges, and universities may need to include more information. As one school official noted, educational agencies and institutions can embed student ID numbers in bar codes or magnetic stripes to address privacy concerns, including identity theft. This practice would also address the apprehension of some commenters that some students may have special reasons for not wearing ID badges, such as special education students, younger children, or students who are the victims of stalking. This amendment to FERPA permits, but does not require, schools to include directory information on student ID cards and badges or to require students to wear or display ID cards and badges.
With regard to the request that we include other activities for which parents and student cannot opt out, such as activities that require sign-in access to electronic systems for instructional and administrative activities, we note that this is outside the scope of the NRPM and, therefore, do not believe it is appropriate to address in these final regulations.
Additionally, in 2008, we expanded the definition of “directory information” in § 99.3 of the FERPA regulations to include a student ID number, user ID, or other unique personal identifier used by the student for purposes of accessing or communication in electronic systems, if the identifier could not be used to gain access to education records, except when used in conjunction with one or more factors to authenticate the user's identity. Further, the 2008 regulation changes clarified the definition of “attendance” to clarify that students who are not physically present in the classroom may attend an educational agency or institution via videoconference, satellite, Internet, or other electronic information and telecommunications technologies.
In 2008, we also amended § 99.37(c) to state that parents or eligible students may not use their right to opt out of directory information to prevent a school from disclosing, or requiring the disclosure of, a student's name, identifier, or institutional email address in a class in which the student is enrolled. 73 FR 74806 (December 9, 2008). These three provisions are read together to permit directory information to be used to access online electronic systems and to prevent opt-out rights from being used to prevent an educational agency or institution from disclosing or requiring a student to disclose the student's name, identifier, or institutional email address in a class in which the student is attending, in either a traditional or non-traditional classroom setting.
Changes: None.
Limited Directory Information Policy (§ 99.37(d))
Comment: A number of commenters expressed support for the proposal clarifying that an educational agency or institution may have a limited directory information policy. One commenter stated that this clarification will provide educational agencies and institutions with more certainty and control in using directory information for their own purposes. A few commenters stated that it would be helpful if the regulations clarified that institutions can have different policies based on each specific type or subset of directory information, such as being able to institute a policy that only certain directory information may be disclosed to specific parties. Some pointed out that the proposed regulations did not specify whether a school could put into effect a policy that specifically limits who may not receive directory information. Two commenters recommended that the regulations explicitly state that directory information designated by a school may not be disclosed, except for the limited disclosure to specific parties, or for specific purposes, or both.
One commenter supported the amendment to permit schools to have a limited directory information policy, believing this change would help ensure that school officials do not contact landlords, employers, or other third parties to discuss a child's housing situation. One commenter stated that he opposed any changes to the FERPA regulations that would restrict access to directory information. Another commenter said that adopting § 99.37(d) as proposed would add confusion and may raise unnecessary allegations of improper disclosure of directory information from parents and eligible students. This commenter pointed out that there is no requirement in FERPA that a school adopt a directory information policy or disclose directory information even if it has a policy. One commenter expressed concern that the proposed changes to the definition of “directory information” do not adequately address the capacity of marketers and other commercial enterprises to obtain, use, and re-sell student information. The commenter stated that few parents are aware, for example, that anyone can request and receive a student directory from a school. The commenter also stated that States may take action, through legislation, to tighten restrictions on the use of directory information, perhaps restricting the disclosure of directory information for marketing purposes.
A few commenters expressed concern that the proposal to permit schools to have a limited directory information policy would prevent the release of information about students to those who have a legitimate reason for obtaining the information, including the media. The commenters also expressed concern that withholding directory information could become a tool for schools to engage in retribution against disfavored media outlets, social or political causes, or parental activist groups. The commenters stated that the Secretary should give detailed guidance to educational agencies and institutions concerning this change in order to diminish any negative effect that such policies could have on the free flow of information to the public. These commenters stated that the effect of the regulatory changes will be that schools will decide not to disclose directory information to the media for any reason, Start Printed Page 75630including publicity or investigations. One of these commenters said that it was not clear how recipients of directory information would be chosen, whether the specific parties would be selected by the institution or by each individual student. This commenter noted that a limited directory information policy might make it difficult for a party that was not included in the policy at the beginning of a year but that needed to do business with the school mid-year to have fair access to directory information.
A commenter stated that the ability to disclose directory information for some purposes, but not others, might prove more useful to educational agencies and institutions that are not subject to a State open records law than to those that are. Educational agencies and institutions that are subject to open records laws would be required to disclose all directory information and would not benefit from a limited directory information policy. The commenter requested clarification whether the ability to limit directory information is optional and whether a failure to institute such a policy would subject the institution to enforcement proceedings by the Department. Similarly, another commenter asked for clarification as to whether a school that chose not to adopt a limited directory information policy may under the proposed regulations still limit the disclosure of directory information to whomever they want, and for whatever reason they want, even though State law may require disclosure.
Finally, a few commenters pointed out that even under a limited directory information policy, it would not be a violation of FERPA for a party that received directory information to redisclose it. To address that issue, some of the commenters supported the idea of a non-disclosure agreement so that the disclosing school could control any redisclosures of directory information. However, one commenter stated that our suggestion in the preamble to the NPRM that schools adopt a non-disclosure agreement is unrealistic; schools may have difficulty identifying who may redisclose the information, and schools have no authority and limited resources to enforce such agreements. This commenter also stated that making recipients sign such agreements could be a significant administrative burden for LEAs that receive many requests for directory information, even if they have adopted a limited directory information policy.
Discussion: Under FERPA, educational agencies and institutions are only required to provide access to education records to parents and eligible students. All other disclosures listed in § 99.31 are optional. This includes the disclosure of directory information under § 99.31(a)(11), under the conditions specified in § 99.37. However, some educational agencies and institutions have advised, and administrative experience has shown, that State open records laws have required disclosure of student directory information because, in most cases, FERPA does not specifically prohibit the disclosure of this information. It is our understanding that many, if not most, State open records or sunshine laws require that public entities, such as public schools, LEAs, and State colleges and universities, disclose information to the public unless the disclosure is specifically prohibited by another State law or by a Federal law such as FERPA. Thus, in practice, while FERPA only requires schools to disclose PII from education records to parents or eligible students, State sunshine laws may require the public release of properly designated directory information from which parents and eligible students have not opted out.
With regard to the commenter who asked whether a school that chooses not to adopt a limited directory information policy could still limit the disclosure of directory information if its State law required the disclosure, FERPA permits the disclosure of directory information but it does not require it. Some States have State open records laws that may require the disclosure of directory information if a school has a directory information policy and the parent or eligible student has not opted out.
We believe that the FERPA regulations will better assist educational agencies and institutions in protecting directory information if an educational agency or institution that adopts a limited directory information policy limits its directory information disclosures only to those parties and purposes that were specified in the policy. To clarify, this regulatory scheme gives each school the option of limiting its directory information disclosures and does not subject a school to enforcement proceedings by FPCO if the school elects not to limit disclosure to specific parties or for specific purposes, or both.
With regard to the recommendations by commenters that the regulations explicitly state that directory information not be disclosed except to specific parties or for specific purposes, we do not believe this change is necessary. As noted, neither the disclosure of directory information nor the adoption of a limited directory information policy is required by the regulations. The regulations make clear that if a school chooses to adopt a limited directory information policy, then it must limit its directory information disclosures to those specified in its public notice.
With regard to concerns expressed by commenters about directory information being released to entities for marketing purposes, a school has the flexibility to allow or restrict disclosure to any potential recipient. For example, a limited directory information policy may be expressed in a negative fashion, indicating that the school does not disclose directory information for marketing purposes. While Congress has not amended FERPA to specifically address disclosure of directory information to companies for marketing purposes, Congress amended section 445 of GEPA, commonly referred to as the Protection of Pupil Rights Amendment (PPRA) in 2001 to address this issue. Public Law 107-110, § 1061.
Under PPRA, LEAs are required to work in consultation with parents to develop and adopt a policy governing the collection, disclosure, or use of personal information collected from students for the purpose of marketing or for selling that information (or otherwise providing that information to others for those purposes). The policy must include arrangements to protect student privacy in the event of such collection, disclosure, or use. LEAs are also required to notify parents of students of any activities that involve the collection, disclosure, or use of personal information collected from students for the purpose of marketing or selling that information (or otherwise providing that information to others for those purposes) so that parents may opt their child out of participation in those activities. 20 U.S.C. 1232h(c)(1)(E) and (c)(2). While PPRA does not generally apply to postsecondary institutions, understanding and complying with its requirements for LEAs should address some of the commenters' concerns about this matter.
With regard to the fact that we did not propose to amend the FERPA regulations to prevent third parties that receive directory information from further disclosing it, we do not believe that it is realistic to make such a change. By its nature, directory information is intended to be publicly shared. Congress included the disclosure of properly designated directory information as an exception to the general consent requirement in FERPA so that schools may make disclosures of the type of information generally not Start Printed Page 75631considered harmful or an invasion of privacy, such as information on students that would normally be found in a school yearbook or directory. It is not administratively practicable to take action against a third party that rediscloses directory information. For example, it would be virtually impossible to control how student information contained in a yearbook is distributed to others. Therefore, we believe that schools are in the best position to determine who should receive directory information and, should they choose, implement a limited directory information policy.
With regard to the commenter who stated that adopting the limited directory information provision in the regulations would add confusion and possibly raise unnecessary allegations of improper disclosure from parents and eligible students, we do not believe this is the case. On the contrary, the option to have a limited directory information policy should better protect against improper disclosures of PII from education records and reduce the number of complaints in this regard.
With regard to our recommendation that schools adopting a limited directory information policy consider entering into non-disclosure agreements to restrict the information from being further disclosed, we agree that this will not always be feasible. Clearly there are situations in which a school could not have a non-disclosure agreement, such as when it publishes directory information in a school yearbook, a sports event program, or a program for a school play. Schools will have to exercise judgment with respect to whether to utilize non-disclosure agreements to prevent further disclosure of directory information by assessing the circumstances surrounding the disclosure of the directory information.
Finally, we note that the regulatory change to allow educational agencies and institutions to implement a limited directory information policy was not specifically intended to address how schools interact with or disclose directory information to members of the media. Rather, we were addressing concerns raised by school officials who, alarmed about the increase in identity theft, expressed a need to protect the privacy of students' directory information. We encourage school officials to act responsibly in developing a limited directory information policy and to keep in mind routine disclosures that schools need to make in the normal course of business, including providing properly designated directory information to the media about various student activities and extracurricular pursuits of students.
Changes: None.
General Enforcement Issue (§ 99.67)
Comment: Several commenters stated that the Department lacks the legal authority to investigate, review, process, or enforce an alleged FERPA violation committed by recipients of Department funds under a program administered by the Secretary that students do not attend. These recipients include but are not limited to, SEAs, nonprofit organizations, student loan lenders, and guaranty agencies. Specifically, the commenters stated that nonprofit organizations, guaranty agencies, and lenders could not be considered educational agencies or institutions under FERPA because these organizations have no students in attendance. In addition, some commenters argued that as financial institutions, student loan lenders, servicers, and guaranty agencies are already subject to numerous Federal laws that require them to protect PII from education records, making them subject to FERPA would not effectively increase protection.
Discussion: The Department disagrees with the comment that it does not have the legal authority to take enforcement actions against entities that receive Department funding under a program administered by the Secretary that students do not attend. Section (f) of FERPA provides that the Department shall take appropriate actions to enforce and deal with violations of provisions in FERPA in accordance with GEPA. 20 U.S.C. 1232g(f). However, as we discussed in the preamble to the NPRM (76 FR at 19733), the current regulations do not clearly describe the entities against which we may take actions under section (f) of FERPA. Accordingly, the Department believes that it is necessary to clarify in these new regulations that FPCO has the authority to hold these entities responsible for FERPA compliance, given the disclosures of PII from education records that are needed to implement SLDS. We believe this clarification is necessary in light of recent developments in the law.
In addition, in order for the Department to appropriately investigate, process, and review complaints and alleged violations of FERPA, the Department proposed in § 99.60(a)(2) to take a more expansive view of the term “educational agency or institution.” The expanded definition would include entities that do not necessarily have students in attendance but still receive Department funding under a program administered by the Secretary and which, nevertheless, are in possession and control of PII from education records.
The Department continues to believe that it is necessary to use its broad enforcement powers to ensure that FERPA's protections apply to these recipients. The Department has decided, however, not to define in § 99.60(a)(2) all recipients of Department funding under a program administered by the Secretary as “educational agencies and institutions” in the context of the enforcement provisions, as was reflected in proposed § 99.60(a)(2), because it is evident from the comments that the terminology is confusing. We have decided instead to revise §§ 99.61 through 99.67, which set out FERPA's enforcement procedures. These amendments authorize the Department to investigate, process, and review complaints and violations of FERPA alleged to have been committed by educational agencies and institutions, as well as other recipients of Department funds under any program administered by the Secretary (e.g., State educational authorities, such as SEAs, and State postsecondary agencies, local educational authorities, nonprofit organizations, student loan guaranty agencies, and student loan lenders). Because these entities receive PII from education records, we believe that this change is justified in order to protect against improper redisclosure of PII from education records.
In the case of an improper redisclosure of PII from education records by a non-profit organization, lender, servicer, or guaranty agency that is a recipient of Department funds under a program administered by the Secretary and that received PII from education records from an institution of higher education, the Department will enforce sanctions against the responsible party, whether that be the non-profit organization, lender, servicer, or guaranty agency. The Department, however, may also pursue enforcement measures against the institution of higher education, depending on the circumstances. In addition, we are not convinced that other confidentiality laws that apply to financial institutions provide the same protections as FERPA. Although the confidentiality laws cited by the commenters address privacy generally, they are not specifically designed to protect the confidentiality of student education records. Moreover, while the Secretary can take steps to enforce FERPA directly, we may need to rely on other Federal and State agencies to enforce these other confidentiality laws identified by the commenters.Start Printed Page 75632
Changes: The Department has decided not to adopt the change proposed in § 99.60(a)(2), which would have provided, solely for purposes of enforcement of FERPA under 34 CFR part 99, subpart E, all recipients of Department funds under a program administered by the Secretary as “educational agencies and institutions.” Rather, the Department has decided to amend §§ 99.61 through 99.67 to clarify FPCO's enforcement responsibilities. Specifically, we revised these sections to clarify that FPCO may investigate, review, and process complaints filed against, or alleged violations of FERPA committed by, any recipient of Department funds under a program administered by the Secretary—not just educational agencies and institutions—and may hold any such recipient accountable for compliance with FERPA.
Comment: One commenter asked that we clarify which enforcement tools legally available to the Secretary would be utilized in actions against State and local educational authorities and other recipients of Department funding under a program administered by the Secretary.
Four commenters requested that the Department adopt more significant penalties, including incarceration and substantial fines, for FERPA violations caused by authorized representatives. Another commenter stated that the Department should sanction an entity that makes an unauthorized disclosure by requiring the entity to surrender all PII from education records already in its possession. Several commenters stated that other privacy statutes include significant sanctions and that FERPA requires a similar deterrent to prevent violations of student privacy.
Discussion: In FERPA, Congress expressly directed the Secretary to “take appropriate actions” to “enforce” FERPA and “to deal with violations” of its terms “in accordance with [GEPA].” 20 U.S.C. 1232g(f).
In GEPA, Congress provided the Secretary with the authority and discretion to take enforcement actions against any recipient of funds under any program administered by the Secretary for failures to comply substantially with any requirement of applicable law, including FERPA. 20 U.S.C. 1234c(a). GEPA's enforcement methods expressly permit the Secretary to issue a complaint to compel compliance through a cease and desist order, to recover funds improperly spent, to withhold further payments, to enter into a compliance agreement, or to “take any other action authorized by law,” including suing for enforcement of FERPA's requirements. 20 U.S.C. 1234a, 1234c(a), 1234d; 1234e; 1234f; 34 CFR 99.67(a); see also United States v. Miami Univ., 294 F.3d 797 (6th Cir. 2002) (affirming the district court's decision that the United States may bring suit to enforce FERPA). Therefore, the Secretary will use one or a combination of these enforcement tools as is appropriate given the circumstances. Additionally, the Department has the authority to impose the five-year rule against any entity that FPCO determines has violated FERPA either through an improper redisclosure of PII from education records or through its failure to destroy PII from education records under the studies exception. (See discussion of five-year rule later in this preamble).
With respect to the suggestion that we create additional penalties, the Department lacks the statutory authority to incarcerate violators, impose fines, or force a third party to surrender all PII from education records currently in its possession because the Department lacks the statutory authority to do so.
Changes: None.
Comment: One commenter requested that the Department clarify that “non-school entities” are only required to comply with FERPA to the extent they have received FERPA-protected PII from education records from an educational agency or institution.
Discussion: The Department would only take actions against “non-school entities” that have not complied with FERPA requirements that relate to PII from education records they received under one of the exceptions to FERPA's general consent requirement. The Department has no authority under FERPA to take actions for other PII these entities may possess.
Changes: None.
Comment: A commenter suggested that other parties beyond those enumerated in the statute (i.e., eligible parents and students) should have standing to file complaints with FPCO. Further, this commenter suggested that the Department should increase the amount of time a complainant has to file a complaint with FPCO.
Discussion: We decline to expand the entities eligible to file complaints with FPCO beyond parents and eligible students and decline to increase the amount of time a complainant has to file a complaint with FPCO beyond 180 days of the date of the alleged violation (or of the date that the complainant knew or reasonably should have known of the alleged violation). We did not propose these changes in the NPRM and therefore cannot make these changes in these final regulations without allowing an opportunity for further public comment and review. Still, it is important to note that FPCO can initiate an investigation on its own, without receiving a complaint, to address other violations.
Changes: None.
Comment: One commenter asked us to consider expanding the scope of our enforcement procedures to apply to tax exempt organizations under 26 U.S.C. 501(c) that students do not attend and that are not the recipients of Department funds but that have PII from education records.
Discussion: If a tax exempt organization under 26 U.S.C. 501(c) has PII from education records, but is not a recipient of funds under a program administered by the Secretary, then the Department would not have the authority under GEPA to take enforcement measures against such an organization. FPCO, however, may impose, under 20 U.S.C. 1232g(b)(4)(B) and new § 99.67(c), (d), and (e), the five-year rule against any entity that FPCO determines has violated FERPA either through an improper redisclosure of PII from education records received under any of the exceptions to the general consent rule or through the failure to destroy PII from education records under the studies exception. (See discussion of five-year rule later in this preamble.)
For instance, if an LEA's authorized representative does not receive funding from the Department and violates FERPA due to poor data security practices, FPCO could apply the five-year rule by prohibiting the disclosing LEA from providing PII from education records to the authorized representative for at least five years. If the disclosing LEA refuses to comply and continues its relationship with the authorized representative, FPCO could, under GEPA, terminate funding to the LEA.
Changes: None.
Comment: One commenter asked that we clarify how the enforcement measures would apply if a contractor of an entity that received funding under a program administered by the Department violated FERPA's requirements. The commenter wanted to know, for example, what the liability of a school would be if its contractor violated FERPA.
Discussion: Whether the Department would take enforcement action against a contractor that violates FERPA under a program administered by the Secretary, depends upon the exception to FERPA under which the contractor received the PII from education records, if the contractor was a recipient of Department funds, and the Start Printed Page 75633circumstances of the violation. If the contractor was a recipient of Department funds and violated FERPA, the Department could take sanctions as permissible under GEPA. If the contractor was not a recipient of Department funds and improperly disclosed PII from education records received under any of the exceptions to the general consent rule or failed to destroy PII from education records in accordance with the requirements of the studies exception, the Department could implement the five-year rule. (See discussion of the five-year rule later in this preamble.)
Likewise, the Department may also take enforcement action against the entity that disclosed PII from education records to the contractor. For example, if the contractor was acting as an authorized representative of a FERPA-permitted entity and violated FERPA, FPCO would investigate and review whether the disclosing entity met all of its obligations under FERPA, such as taking reasonable methods to ensure to the greatest extent practicable the FERPA compliance of the contractor. FPCO could take applicable GEPA enforcement actions against the disclosing entity, if it did not meet its responsibilities.
If the contractor received PII from education records while acting as a school official under § 99.31(a)(1)(i)(B), then the educational agency or institution would be liable for the contractor's FERPA violation and is subject to GEPA enforcement actions by the Department. In any of these instances, FPCO would initiate an investigation and seek voluntary compliance before imposing any sanctions.
Changes: None.
Five-Year Rule (§ 99.67)
Comments: Many commenters raised questions about the provision in FERPA that prohibits an educational agency or institution from disclosing PII from education records to a third party “for a period of not less than five years” if that third party improperly rediscloses PII from education records received under any of the exceptions to the general consent rule or fails to destroy PII from education records under the studies exception. 20 U.S.C. 1232g(b)(4)(B).
Multiple commenters appeared to believe that the Department was proposing the five-year rule for the first time in the NPRM and questioned whether the Department had the legal authority to implement such a rule. One commenter specifically opposed the rule on the grounds that it was inconsistent with the statute and that changes in the law should be made through a legislative amendment and not rulemaking.
Discussion: To clarify, the Department did not propose the five-year rule for the first time in the NPRM; rather, Congress amended FERPA in the Improving America's Schools Act of 1994, § 249, Public Law 103-382, to provide that if a “third party outside the educational agency or institution” improperly rediscloses FERPA-protected data that it received under any of the exceptions to the general consent rule or fails to destroy information under the studies exception, then the educational agency or institution “shall be prohibited from permitting access to information * * * to that third party for a period of not less than five years.” 20 U.S.C. 1232g(b)(4)(B).
The Department amended its regulations to implement this statutory change in 1996. 61 FR 59292 (November 21, 1996). The Department's current regulations in § 99.31(a)(6)(iv) and § 99.33(e), taken together, provide that if FPCO determines that a third party outside the educational agency or institution improperly rediscloses PII from education records in violation of § 99.33 or fails to destroy PII from education records in violation of § 99.31(a)(6)(ii)(B), then the educational agency or institution may not provide that third party access for a minimum period of five years.
Still, based upon the confusion expressed by commenters regarding the five-year rule, we are changing the final regulations to consolidate all regulatory provisions relating to the five-year rule into one section of the regulations, § 99.67. This is not a substantive change, but it is one intended to improve comprehension and promote ease of use because we believe it will be helpful for readers to see all of the regulatory language concerning the five-year rule in a single regulatory section.
Changes: We are removing the existing two provisions in § 99.31(a)(6)(iv) and § 99.33(e) regarding the five-year rule and consolidating all provisions relating to the five-year rule into § 99.67.
In addition, we are changing the language that we proposed in § 99.35(d) that stated that in the event that FPCO finds an improper re-disclosure of PII from education records, “* * * the educational agency or institution from which the [PII] originated may not allow the authorized representative, or the State or local educational authority or the agency headed by an official listed in § 99.31(a)(3), or both, access to [PII] from education records for at least five years.” 65 FR 19738 (April 8, 2011). Specifically, we are replacing “authorized representative, or the State or local educational authority or the agency headed by an official” in proposed § 99.35(d) with “the third party” in the final regulation. Similarly, we are also consolidating the text of proposed § 99.35(d) into § 99.67, the enforcement section.
Comment: Many commenters asked which entities were subject to the five-year rule. Some of these commenters expressed concern that the rule would be enforced against an entire educational agency or institution acting as a third party, such as a State university system, and asked whether the rule could be applied in a more limited manner against an individual researcher or department within the educational agency or institution, arguing, for example, that if an individual researcher is at fault, it would be excessive to prohibit an entire organization from receiving PII from education records for a period of not less than five years.
At the same time, others were equally emphatic that the rule must apply to the entire educational agency or institution acting as a third party to have any enforcement effect or to deter potential violations. Consequently, many of these commenters asked how the Department would define an educational agency or institution acting as a third party.
One commenter recommended that the five-year rule only be applied against an educational agency or institution acting as a third party that was expressly responsible for the unauthorized redisclosure of PII from education records. Another commenter wanted the Department to clarify whether FERPA-permitted entities could be subjected to the five-year rule due to an unauthorized redisclosure of PII from education records made by the FERPA-permitted entity's authorized representative.
Discussion: The statute and current §§ 99.31(a)(6)(iv) and 99.33(e), taken together, are clear that any third party outside of the educational agency or institution that improperly rediscloses PII from education records received under any of the exceptions to the general consent rule or fails to destroy PII from education records as required under current § 99.31(a)(6)(ii)(B) may be subjected to the five-year rule. We understand a “third party” to refer broadly to any entity outside of the educational agency or institution from which the PII from education records was originally disclosed and may include an authorized representative. In other words, authorized representatives Start Printed Page 75634make up a subset of the larger set of third parties outside the educational agency or institution from which the PII from education records was originally disclosed. Any individual or entity to which PII from education records is disclosed without consent by an educational agency or institution under § 99.31(a), except for disclosures under § 99.31(a)(1) to school officials because they are within the educational institution or agency, is a third party.
The NPRM proposed adding a third regulatory provision to § 99.35 in order to implement the five-year rule more specifically in the context of an improper redisclosure of PII from education records by FERPA-permitted entities or by their authorized representatives (which are third parties). As explained in the NPRM, the Department sought to clarify that FPCO could impose the five-year rule against FERPA-permitted entities, their authorized representatives, or both. Under the final regulations, the provisions of the five-year rule apply to all improper redisclosures by third parties outside of the educational agency or institution from which PII from education records was originally disclosed. These third parties include FERPA-permitted entities or their authorized representatives, whether they obtained PII from education records under the studies exception, the audit or evaluation exception, or any other exception to the requirement of consent in § 99.31(a) (other than § 99.31(a)(1), which applies to disclosures to school officials who are within the educational institution or agency).
The five-year rule also applies to all third parties that fail to destroy PII from education records in violation of the studies exception in § 99.31(a)(6). By contrast, the statute does not specifically authorize the Department to apply the rule against a third party for failure to destroy PII from education records under the audit or evaluation exception or for other inappropriate activities that affect privacy beyond the improper redisclosure and the failure to destroy PII from education records in violation of the studies exception in § 99.31(a)(6), as discussed earlier. However, FERPA-permitted entities are free to include sanctions for other inappropriate activities that affect privacy as part of their written agreements with third parties and authorized representatives.
Changes: None.
Comment: Many commenters requested clarification regarding how the five-year rule would be implemented and specifically requested a detailed explanation regarding who could enforce the rule, how the rule would be applied, and whether those sanctioned would have a right to appeal. Several commenters asked how much discretion educational agencies and institutions would have to either bar third parties or authorized representatives under the five-year rule or to modify the length of the debarment depending upon the circumstances.
Several commenters asked how much discretion the Department would have when applying the five-year rule. Some expressed concern that the Department would apply the five-year rule automatically after a single unauthorized redisclosure of PII from education records by a third party. One commenter expressed concern that the Department would apply the rule like a “zero tolerance” policy.
Concerned about the severity of the five-year rule, many commenters requested an opportunity to come into compliance with approved best practices and methods for data protection as an alternative to an immediate application of the five-year rule. One commenter suggested remediation as an alternative to the five-year rule to help a third party with the process of voluntary compliance.
Another commenter asked the Department to amend the regulations to apply the five-year rule only when there are repeated, unauthorized redisclosures of PII from education records or when the parties responsible for the unauthorized disclosure are grossly negligent. Some of these commenters suggested that we take into account the level or magnitude of the improper redisclosure. One commenter suggested that the regulations should be modified to recognize that in today's technological environment, it is not feasible to require absolute compliance.
Finally, a few commenters asked whether debarment under the five-year rule “follows” an individual who has been debarred from one employer to the individual's next employer. These commenters also asked whether debarment attaches to a third party even if the individual who is found to be responsible for an improper redisclosure of PII from education records leaves the employment of that third party.
Discussion: Some commenters appeared to have misunderstood the NPRM as proposing that an individual school or LEA would have the authority to impose the five-year rule against a third party, such as an SEA or a Federal agency headed by an official listed in § 99.31(a)(3), in the event of an improper redisclosure by that third party. This is incorrect—only FPCO has the authority to impose the five-year rule against third parties that FPCO determines have violated either the redisclosure provisions of § 99.33 or the destruction requirements of § 99.31(a)(6)(iii)(B). In other words, only FPCO has the authority to implement the five-year rule to prohibit an educational agency or institution from providing a third party with access to FERPA-protected data.
When making such a determination, FPCO, consistent with its longstanding practice, will investigate allegations of third parties improperly redisclosing PII from education records under § 99.33 or failing to destroy data under § 99.31(a)(6)(iii)(B). If FPCO were to find a FERPA violation, then it would first attempt to bring the offending third party into voluntary compliance. As suggested by one commenter, FPCO may use remediation as a tool to bring the third party into voluntary compliance. For instance, if FPCO were to investigate and determine that a third party had failed to timely destroy data, FPCO could work with the third party conducting the study to implement an appropriate destruction policy. If FPCO were unable to bring the offending third party into voluntary compliance, then FPCO would have the discretion to prohibit the educational agency or institution from allowing that third party access to PII from education records for a period of at least five years. In deciding whether to exercise this discretion and which third parties should be banned, FPCO will consider the nature of the violation and the attendant circumstances. One factor FPCO will consider is whether the third party has repeatedly redisclosed PII from education records improperly, which will make it more likely that the FPCO will apply the five-year rule. The Department believes that outlining this detailed process here provides adequate clarification of FPCO's enforcement procedures.
Moreover, as discussed in more detail earlier in this preamble, FPCO is not limited to the five-year rule in the enforcement actions it may take; it also has the discretion to consider whether it would be more appropriate to apply GEPA enforcement mechanisms against those third parties receiving Department funds. Accordingly, the five-year rule is not a “zero tolerance” policy, as suggested by one commenter, and FPCO would not apply the rule without considering the facts of each particular situation, as some commenters feared.
As for whether a third party would be able to appeal a decision made by FPCO to prohibit an educational agency or institution from disclosing PII from Start Printed Page 75635education records to that third party, no such appeal right exists. Under current § 99.60(b)(1), only FPCO has the authority to “[i]nvestigate, process, and review complaints and violations under the Act * * *.” FPCO also retains complete authority to enforce the five-year rule, and its decisions are final. However, FPCO's investigative process would provide ample opportunity for the party being investigated to have FPCO consider all relevant facts and circumstances before making a decision.
Importantly, the fact that FPCO must find a violation before the five-year rule may be enforced does not relieve educational agencies and institutions or FERPA-permitted entities of their responsibility to protect PII from education records. As discussed earlier, we encourage FERPA-permitted entities that are redisclosing PII from education records to third parties to include sanctions in their written agreements with their third parties and authorized representatives, and to enforce those sanctions. FERPA-permitted entities, and their authorized representatives, may agree to any sanctions permissible under applicable law. For instance, written agreements could call for monetary penalties, data bans of varying length, or any of the range of civil penalties that the disclosing entity believes is appropriate. The Department encourages the use of these agreed-upon sanctions to ensure control and proper use of PII from education records.
Finally, depending upon the specific facts of the situation, debarment may “follow” an individual who has been sanctioned under the five-year rule from one employer to another. Further, debarment would likely not remain attached to a third party if it is determined that only the debarred individual was responsible for the improper redisclosure of PII from education records, the debarred individual leaves the third party's employment, and the improper redisclosure was not caused by a policy of the third party. It is important to note, however, that such determinations are highly fact specific and the Department will review each situation case by case.
Changes: We are amending §§ 99.61, 99.62, 99.64, 99.65, 99.66 and 99.67 of the FERPA regulations. These changes provide more detailed procedures governing the investigation, processing, and review of complaints and violations against third parties outside of an educational agency or institution for failing to destroy PII from education records in violation of § 99.31(a)(6)(iii)(B) or for improperly redisclosing PII from education records in violation of § 99.33.
Comment: Several commenters provided general support for the five-year rule as a means to enforce FERPA. One commenter stated that five years is an appropriate time period for such a violation, and another stated that substantial consequences are a must and that debarment would be an appropriate remedy for FERPA violations.
Other commenters found this sanction insufficient to adequately protect privacy and called for more extensive and harsher penalties. One commenter requested that other penalties be developed out of a concern that the five-year rule would not be used frequently enough to deter egregious and flagrant violations of FERPA. Several commenters requested that the Department apply the rule more broadly. For example, one commenter stated that the Department should sanction other inappropriate activities that affect privacy besides improper redisclosures, including, but not limited to, “using records for an improper purpose; examining individual records without justification * * * and not allowing access to or correction of records when appropriate.”
Still others expressed concern that the Department would apply the five-year rule too broadly. One commenter suggested limiting the scope of the prohibition to PII from education records used for the purposes of conducting studies and not necessarily for other purposes related to the provision of products, services, and other functions.
Discussion: The Department lacks the legal authority to expand the enforcement mechanisms available under FERPA beyond those discussed in this preamble and therefore declines to include harsher penalties such as those requested by a number of commenters. For the same reason, we cannot expand the list of “inappropriate activities” that may be sanctioned under the five-year rule beyond improper redisclosures under § 99.33 and the failure to destroy PII in violation of § 99.31(a)(6)(iii)(B). The five-year rule is clear that it only applies to improper redisclosures of PII received under any of the exceptions to the general consent rule and the failure to destroy PII from education records under the studies exception.
The Department also declines to limit the scope of the prohibition to the purpose of conducting studies and not necessarily for other purposes related to the provision of products, services, and other functions. Section (b)(4)(B) of FERPA (20 U.S.C. 1232g(b)(4)(B)) provides that the five-year rule applies to any improper redisclosure made by any third party and not just to an improper redisclosure made by a third party conducting research under the studies exception. Thus, the final regulations include a third regulatory provision, reflected in § 99.67(d), that describes the five-year rule as it applies specifically in the context of the audit or evaluation exception. Section 99.67 states that in the context of the audit or evaluation exception, where the FERPA-permitted entities and any of their authorized representatives are third parties, the five-year rule could be applied against the FERPA-permitted entities, an authorized representative thereof, or both.
Changes: None.
Comment: Another commenter requested that the regulations be changed to prohibit the offending third party from requesting PII from education records from the disclosing educational agency or institution in the future rather than placing the burden on the educational agency or institution to deny access.
Discussion: The Department cannot prohibit a third party who has violated FERPA from requesting PII from education records from an educational agency or institution. The five-year rule clearly states that it is the duty of the educational agency or institution that originally disclosed the PII from education records to the third party to prevent further disclosure to the same third party. Still, the five-year rule does not prohibit all educational agencies and institutions from disclosing PII from education records to the offending third party; as made clear by the statute, the prohibition only applies to the educational agency or institution that originally disclosed PII from education records to that third party.
Changes: None.
Comments: Some expressed concern that under the five-year rule, educational agencies and institutions, such as LEAs, would be prohibited from disclosing PII from education records to third parties, such as SEAs, if these third parties improperly redisclosed FERPA-protected data that they received from the educational agency or institution. The commenters expressed concern that Federal and State education laws require LEAs to share data with SEAs in order to qualify for Federal and State education funds.
Another commenter expressed a similar concern that an institution of higher education might be prohibited from offering Federal financial aid to its students if the Department itself were responsible for the improper redisclosure. In the commenter's example, the institution of higher education would be unable to make data Start Printed Page 75636disclosures needed to process Federal and State loans, if the five-year rule were applied to the Department.
Discussion: The Department would interpret the five-year rule consistently with other Federal laws to the greatest extent possible in order to avoid a conflict between Federal laws. If imposition of the five-year rule would prevent an LEA from complying with other legal requirements, FPCO may sanction the offending SEA using an enforcement mechanism that is available to the Department under GEPA, such as issuing a cease and desist order, thereby allowing the LEA to meet its other legal obligations.
Similarly, in response to those commenters who expressed a concern that subjecting the Department to the five-year rule would prevent institutions of higher education from providing student information to the Department's Federal Student Aid (FSA) office, the Department will administer FERPA in a reasonable manner and read it consistently with Federal laws governing student financial aid. Like any other third party outside of an educational agency or institution, FSA, or any other office in the Department that receives PII from education records, must also comply with FERPA; if FPCO found that FSA, or any other third party, violated the redisclosure provisions in FERPA, FPCO would then work with that third party to obtain voluntary compliance with FERPA, potentially eliminating the need to impose the five-year ban.
Changes: None.
Comment: One commenter expressed concern about existing contracts and written agreements being violated because of an application of the five-year rule regarding a separate and unrelated improper redisclosure of PII from education records by an authorized representative.
Discussion: The Department disagrees that application of the five-year rule will automatically result in a debarred third party from complying with its obligations under other pre-existing contracts or written agreements. If FPCO were to find that application of the rule was warranted, the regulations would prohibit only the original, disclosing educational agency or institution from providing PII from education records to the third party. Furthermore, this prohibition would only occur if the third party refused to work with FPCO to voluntarily comply with FERPA.
Changes: None.
Comment: Two commenters noted what they perceived to be a conflict between the language used in the statute (and the preamble of the NPRM) regarding the five-year rule and the language in current regulations. Although the statute states that the original, disclosing educational agency or institution “shall be prohibited” from permitting an offending third party to access PII from education records for at least five years, the regulations state that the disclosing educational agency or institution “may not” allow the third party access to PII from education records. One commenter preferred to use the terms “may not” instead of “shall be prohibited” because “may not” suggested greater flexibility in how the five-year rule would be applied.
Discussion: We disagree that a conflict exists between the language contained in the statute and current regulations regarding the five-year rule. Specifically, we consider the terms used in the regulations (“may not” allow access) to have the same meaning as the language used in the statute (“shall be prohibited” from permitting access).
Changes: None.
Executive Order 12866 and 13563
Regulatory Impact Analysis
Under Executive Order 12866, the Secretary must determine whether the regulatory action is “significant” and therefore subject to the requirements of the Executive Order and subject to review by OMB. Section 3(f) of Executive Order 12866 defines a “significant regulatory action” as an action likely to result in regulations that may (1) have an annual effect on the economy of $100 million or more, or adversely affect a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local or tribal governments or communities in a material way (also referred to as “economically significant” regulations); (2) create serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impacts of entitlement grants, user fees, or loan programs or the rights and obligations of recipients thereof; or (4) raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive order.
Pursuant to the terms of the Executive Order, we have determined this regulatory action is significant and subject to OMB review under section 3(f)(4) of Executive Order 12866. Notwithstanding this determination, we have assessed the potential costs and benefits—both quantitative and qualitative—of this regulatory action. The Department believes that the benefits justify the costs.
The Department has also reviewed these regulations pursuant to Executive Order 13563, published on January 21, 2011 (76 FR 3821). Executive Order 13563 is supplemental to and explicitly reaffirms the principles, structures, and definitions governing regulatory review established in Executive Order 12866. To the extent permitted by law, agencies are required by Executive Order 13563 to: (1) Propose or adopt regulations only upon a reasoned determination that their benefits justify their costs (recognizing that some benefits and costs are difficult to quantify); (2) tailor their regulations to impose the least burden on society, consistent with obtaining regulatory objectives, taking into account, among other things, and to the extent practicable, the costs of cumulative regulations; (3) select, in choosing among alternative regulatory approaches, those approaches that maximize net benefits (including potential economic, environmental, public health and safety, and other advantages; distributive impacts; and equity); (4) specify, to the extent feasible, performance objectives, rather than specifying the behavior or manner of compliance that regulated entities must adopt; and (5) identify and assess available alternatives to direct regulation, including providing economic incentives to encourage the desired behavior, such as user fees or marketable permits, or providing information upon which choices can be made by the public.
We emphasize as well that Executive Order 13563 requires agencies “to use the best available techniques to quantify anticipated present and future benefits and costs as accurately as possible.” In its February 2, 2011, memorandum (M-11-10) on Executive Order 13563, improving regulation and regulatory review, the Office of Information and Regulatory Affairs in OMB has emphasized that such techniques may include “identifying changing future compliance costs that might result from technological innovation or anticipated behavioral changes.”
We are issuing these regulations only upon a reasoned determination that their benefits justify their costs, and we selected, in choosing among alternative regulatory approaches, those approaches that maximize net benefits. Based on the following analysis, the Department believes that these final regulations are consistent with the principles in Executive Order 13563.
We also have determined that this regulatory action would not unduly interfere with State, local, and tribal governments in the exercise of their governmental functions.Start Printed Page 75637
Potential Costs and Benefits
Following is an analysis of the costs and benefits of the changes reflected in these final FERPA regulations. These changes facilitate the disclosure, without written consent, of PII from education records for the purposes of auditing or evaluating Federal- or State-supported education programs and enforcing or ensuring compliance with Federal legal requirements related to these programs. In conducting this analysis, the Department examined the extent to which the changes add to or reduce the costs of educational agencies, other agencies, and institutions in complying with the FERPA regulations prior to these changes, and the extent to which the changes are likely to provide educational benefit. Allowing data-sharing across agencies, because it increases the number of individuals who have access to PII from education records, may increase the risk of unauthorized disclosure of PII from education records. However, we do not believe that the staff in the additional agencies who will have access to PII from education records are any more likely to violate FERPA than existing users, and the strengthened accountability and enforcement mechanisms reflected in these regulations will help to ensure better compliance overall. While there will be administrative costs associated with implementing data-sharing protocols that ensure that PII from education records is disclosed in accordance with the limitations in FERPA, we believe that the relatively minimal administrative costs of establishing these protocols will be off-set by potential analytic benefits. Based on this analysis, the Secretary has concluded that the amendments reflected in these final regulations will result in savings to entities and have the potential to benefit the Nation by improving capacity to conduct analyses that will provide information needed to improve education.
Authorized Representative
These regulations amend § 99.3 by adding a definition of the term “authorized representative;” an authorized representative is any individual or entity designated by a State or local educational authority or a Federal agency headed by the Secretary, the Comptroller General, or the Attorney General to carry out audits, evaluations, or enforcement or compliance activities relating to education programs. FERPA permits educational authorities to provide to authorized representatives PII from education records for the purposes of conducting audits, evaluations, or enforcement and compliance activities relating to Federal- and State-supported education programs. However, in the past, we had not defined the term “authorized representative” in our regulations. The Department's position had been that educational authorities may only disclose education records to entities over which they have direct control, such as an employee or a contractor. Therefore, under the Department's interpretation of its regulations, SEAs were not able to disclose PII from education records to many State agencies, even for the purpose of evaluating education programs under the purview of the SEAs. For example, an SEA or LEA could not disclose PII from education records to a State employment agency for the purpose of obtaining data on post-school outcomes such as employment for its former students. Thus, if an SEA or LEA wanted to match education records with State employment records for purposes of evaluating its secondary education programs, it would have to import the entire workforce database and do the match itself (or contract with a third party to do the same analysis). Similarly, if a State workforce agency wanted to use PII from education records maintained by the SEA in its SLDS, in combination with data it had on employment outcomes, to evaluate secondary vocational education programs, it would not be able to obtain PII from the education records in the SEA's SLDS to conduct the analyses. It would have to provide the workforce data to the SEA so that the SEA could conduct the analyses or to a third party (e.g., an entity under the direct control of the SEA) to construct the needed longitudinal administrative data systems. While feasible, these strategies force agencies to outsource their analyses to other agencies or entities, adding administrative cost, burden, and complexity. Moreover, preventing agencies from using PII from education records directly for conducting their own analytical work increases the likelihood that the work will not meet their expectations or get done at all. Finally, the previous interpretation of the current regulations exposed greater amounts of PII from education records to risk of disclosure as a result of greater quantities of PII from education records moving across organizations (e.g., the entire workforce database) than would be the case with a more targeted data request (e.g., disclosure of PII from education records for graduates from a given year who appear in the workforce database). These final regulations allow FERPA-permitted entities to disclose PII from education records without consent to authorized representatives, which may include other State agencies, or to house data in a common State data system, such as a data warehouse administered by a central State authority for the purposes of conducting audits or evaluations of Federal- or State-supported education programs, or for enforcement of and ensuring compliance with Federal legal requirements relating to Federal- and State-supported education programs (consistent with FERPA and other Federal and State confidentiality and privacy provisions).
The Department also amends § 99.35 to require that FERPA-permitted entities use written agreements with an authorized representative (other than employees) when they agree to disclose PII from education records without consent to the authorized representative under the audit or evaluation exception. The cost of entering into such agreements should be minimal in relation to the benefits of being able to disclose this information. Section § 99.35(a)(3) requires that the written agreement specify that the information is being disclosed for the purpose of carrying out an allowable audit, evaluation, or enforcement or compliance activity, as well as a description of the activity and how the disclosed information is to be used.
Education Program
The final regulations amend § 99.3 by adding a definition for the term “education program.” This definition clarifies that an education program can include a program administered by a non-educational agency (e.g., an early childhood program administered by a human services agency or a career and technical education program administered by a workforce or labor agency) and any program administered by an educational agency or institution. These final regulations also define the term “early childhood education program,” because that term is used in the definition of “education program.” For the definition of the “early education program,” we use the definition of that term from HEA.
These definitions, in combination with the addition of the definition of the term “authorized representative,” results in a regulatory framework for FERPA that allows non-educational agencies to have easier access to PII in student education records that they can use to evaluate the education programs they administer. For example, these changes permit disclosures of PII in Start Printed Page 75638elementary and secondary school education records without consent to a non-educational agency that is administering an early childhood education program in order to evaluate the impact of its early childhood education program on its students' long-term educational outcomes. The potential benefits of these regulatory changes are substantial, including the benefits of non-educational agencies that are administering education programs, as that term is defined in these regulations, being able to conduct their own analyses without incurring the prohibitive costs of obtaining consent for access to individual students' PII from education records.
Research Studies
Section (b)(1)(F) of FERPA permits educational agencies and institutions to disclose PII from education records without consent to organizations conducting research studies for, or on behalf of, educational agencies or institutions from which the PII from education records originated, for statutorily-specified purposes. The amendment to § 99.31(a)(6) permits any of the authorities listed in § 99.31(a)(3), including SEAs, to enter into written agreements that provide for the disclosure of PII from education records to research organizations for studies that would benefit the educational agencies or institutions that disclosed the PII to the SEA or other educational authorities. The preamble to the final FERPA regulations published in the Federal Register on December 9, 2008 (73 FR 74806, 74826) took the position that an SEA, for example, could not redisclose PII from education records that it obtained from an LEA to a research organization unless the SEA had separate legal authority to act for, or on behalf of, the LEA (or other educational institution. Because, in practice, this authority may not be explicit in all States, we are amending § 99.31 to specifically allow State educational authorities, which include SEAs, to enter into agreements with research organizations for studies that are for one or more of the enumerated purposes under FERPA, such as studies to improve instruction (see § 99.31(a)(6)(ii)). The Department believes that this regulatory change will be beneficial because it will reduce the administrative costs of, and reduce the barriers to, using PII from education records, including PII from education records in SLDS, in order to conduct studies to improve instruction in education programs.
Authority To Evaluate
Current § 99.35(a)(2) provides that the authority for a FERPA-permitted entity to conduct an audit, evaluation, or enforcement or compliance activity must be established under a Federal, State, or local authority other than FERPA. Lack of such explicit State or local authority has hindered the use of PII from education records in some States. These final regulations remove this language about legal authority because we believe that the language unnecessarily caused confusion in the field. This is because FERPA does not require that a State or local educational authority have express legal authority to conduct audits, evaluations, or compliance or enforcement activities. Rather, we believe FERPA permits disclosure of PII from education records to a State or local educational authority if that entity also has implied authority to conduct audit, evaluation, or enforcement or compliance activities with respect to its own programs.
This regulatory change also allows an SEA to receive PII from education records originating at postsecondary institutions as needed to evaluate its own programs and determine whether its schools are adequately preparing students for higher education. The preamble to the final FERPA regulations published in the Federal Register on December 9, 2008 (73 FR 74806, 74822) suggested that PII in education records maintained by postsecondary institutions could only be disclosed to an SEA if the SEA had legal authority to evaluate postsecondary institutions. This interpretation restricted SEAs from conducting analyses to determine how effectively their own programs are preparing students for higher education and from identifying effective programs. As a result, this interpretation resulted in a regulatory framework for FERPA that has hindered efforts to improve education. The primary benefit of this change is that it will allow SEAs to conduct analyses of data that includes PII from education records for the purpose of program evaluations (consistent with FERPA and other Federal and State confidentiality and privacy provisions) without incurring the prohibitive costs of obtaining prior written consent from eligible students or parents.
Educational Agency or Institution
Sections (f) and (g) of FERPA authorize the Secretary to take appropriate actions to enforce the law and address FERPA violations, but subpart E of the current FERPA regulations only addressed alleged violations of FERPA by an “educational agency or institution.” Because the Department had not interpreted the term “educational agency or institution” to include agencies or institutions that students do not attend (such as an SEA), the current FERPA regulations do not specifically permit the Secretary to bring an enforcement action against an SEA or other State or local educational authority or any other recipient of Department funds under a program administered by the Secretary that did not meet the definition of an “educational agency or institution” under FERPA. Thus, for example, if an SEA improperly redisclosed PII from education records obtained from its LEAs, the Department could pursue enforcement actions against each of the LEAs (because the Department views an LEA as an educational agency attended by students), but not the SEA. These final regulations amend the regulatory provisions in subpart E to clarify that the Secretary may investigate, process, review, and enforce complaints and violations of FERPA against an educational agency or institution, any other recipient of Department funds under a program administered by the Secretary, or other third parties.
This change will result in some administrative savings and improve the efficiency of the enforcement process. Under the current regulations, if, for example, an SEA with 500 LEAs improperly redisclosed PII from its SLDS to an unauthorized party, the Department would have had to investigate each of the 500 LEAs, which are unlikely to have had knowledge relating to the disclosure. Under the final regulations, the LEAs will be relieved of any administrative costs associated with responding to the Department's request for information about the disclosure and the Department will immediately direct the focus of its investigation on the SEA, the agency most likely to have information on and bear responsibility for the disclosure of PII, without having to spend time and resources contacting the LEAs.
Regulatory Flexibility Act Certification
The Secretary certifies that this regulatory action will not have a significant economic impact on a substantial number of small entities.
The small entities that this final regulatory action will affect are small LEAs. The Secretary believes that the costs imposed by these regulations will be limited to paperwork burden related to requirements concerning data-sharing agreements and that the benefits from ensuring that PII from education records are collected, stored, and shared Start Printed Page 75639appropriately outweigh any costs incurred by these small LEAs. In addition, it is possible that State and local educational authorities may enter into agreements with small institutions of higher education or other small entities that will serve as their authorized representatives to conduct evaluations or other authorized activities. Entering into such agreements would be entirely voluntary on the part of the institutions of higher education or other entities, would be of minimal cost, and presumably would be for the benefit of the institution of higher education or other entity.
The U.S. Small Business Administration Size Standards define as “small entities” for-profit or nonprofit institutions with total annual revenue below $7,000,000 or, if they are institutions controlled by small governmental jurisdictions (that are comprised of cities, counties, towns, townships, villages, school districts, or special districts), with a population of less than 50,000.
According to estimates from the U.S. Census Bureau's Small Area Income and Poverty Estimates programs that were based on school district boundaries for the 2007-2008 school year, there are 12,484 LEAs in the country that include fewer than 50,000 individuals within their boundaries and for which there is estimated to be at least one school-age child. In its 1997 publication, Characteristics of Small and Rural School Districts, the NCES defined a small school district as “one having fewer students in membership than the sum of (a) 25 students per grade in the elementary grades it offers (usually K-8) and (b) 100 students per grade in the secondary grades it offers (usually 9-12).” Using this definition, a district would be considered small if it had fewer than 625 students in membership. The Secretary believes that the 4,800 very small LEAs that meet this second definition are highly unlikely to enter into data-sharing agreements directly with outside entities.
In the NPRM, the Department solicited comments from entities familiar with data sharing in small districts on the number of entities likely to enter into agreements each year, the number of such agreements, and the number of hours required to execute each agreement, but we received no comments and do not have reliable data with which to estimate how many of the remaining 7,684 small LEAs will enter into data-sharing agreements. For small LEAs that enter into data-sharing agreements, we estimate that they will spend approximately 4 hours executing each agreement, using a standard data-sharing protocol. Thus, we assume the impact on the entities will be minimal.
Federalism
Executive Order 13132 requires us to ensure meaningful and timely input by State and local elected officials in the development of regulatory policies that have federalism implications. “Federalism implications” means substantial direct effects on the States, on the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government. Among other requirements, the Executive order requires us to consult with State and local elected officials respecting any regulations that have federalism implications and either preempt State law or impose substantial direct compliance costs on State and local governments, and are not required by statute, unless the Federal government provides the funds for those costs.
The Department has reviewed these final regulations in accordance with Executive Order 13132. We have concluded that these final regulations do not have federalism implications, as defined in the Executive order. The regulations do not have substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government.
In the NPRM we explained that the proposed regulations in §§ 99.3, 99.31(a)(6), and 99.35 may have federalism implications, as defined in Executive Order 13132, and we asked that State and local elected officials make comments in this regard. One commenter stated that it believed that some of the proposed changes would increase burdens on SEAs, especially with respect to enforcing the destruction of PII from education records once a study or an audit or evaluation has ended.
The FERPA requirements that PII from education records be destroyed when no longer needed for both the studies exception and the audit or evaluation exception are statutory (20 U.S.C. 1232g(b)(1)(F) and 1232g(b)(3)). Further, the regulatory provisions concerning destruction for these two exceptions (§§ 99.31(a)(6) and 99.35) are not new. Therefore, these final regulations do not include additional burden.
After giving careful consideration to the comment, we conclude that these final regulations do not have federalism implications as defined in Executive Order 13132.
Paperwork Reduction Act of 1995
As part of its continuing effort to reduce paperwork and respondent burden, the Department conducts a preclearance consultation program to provide the general public and Federal agencies with an opportunity to comment on proposed and continuing collections of information in accordance with the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3506(c)(2)(A)). This helps ensure that: the public understands the Department's collection instructions; respondents can provide the requested data in the desired format; reporting burden (time and financial resources) is minimized; collection instruments are clearly understood; and the Department can properly assess the impact of collection requirements on respondents. The term “collections of information” under the PRA includes regulatory requirements that parties must follow concerning paperwork, e.g., the requirement that educational agencies and institutions annually notify parents and eligible students of their rights under FERPA. It does not necessarily mean that information is being collected by a government entity.
Sections 99.7, 99.31(a)(6)(ii), 99.35(a)(3), and 99.37(d) contain information collection requirements. In the NPRM published on April 8, 2011, we requested public comments on the information collection requirements in proposed §§ 99.31(a)(6)(ii) and 99.35(a)(3). Since publication of the NPRM, we have determined that § 99.37(d) also has an information collection associated with it. In addition, since publication of the NPRM, we decided to make changes to the model notification, which we provide to assist entities to comply with the annual notification of rights requirement in § 99.7. Therefore, this section discusses the information collections associated with these four regulatory provisions. These information collections will be submitted to OMB for review and approval. A valid OMB control number will be assigned to the information collection requirements at the end of the affected sections of the regulations.
Section 99.7—Annual Notification of Rights Requirement (OMB Control Number 1875-0246)
Although we did not propose any changes to § 99.7, which requires that educational agencies and institutions annually notify parents and eligible students of their rights under FERPA, we did make some modifications to our Start Printed Page 75640model notification associated with this requirement. Specifically, to allow parents and eligible students to more fully understand the circumstances under which disclosures may occur without their consent, we have amended the model annual notifications to include a listing of the various exceptions to the general consent rule in the regulations. The model notices (one for elementary and secondary schools and another one for postsecondary institutions) are included as Appendix B and Appendix C to this notice. We also post the model notifications on our Web site and have indicated the site address in the preamble. We do not believe that this addition to the model notification increases the currently approved burden of .25 hours (15 minutes) we previously estimated for the annual notification of rights requirement.
Section 99.31(a)(6)(ii)—Written Agreements for Studies (OMB Control Number 1875-0246)
The final regulations modify the information collection requirements in § 99.31(a)(6)(ii); however, the Department does not believe these regulatory changes result in any new burden to State or local educational authorities. As amended, § 99.31(a)(6)(ii) clarifies that FERPA-permitted entities may enter into written agreements with organizations conducting studies for, or on behalf of, educational agencies and institutions. We do not believe this will result in a change or an increase in burden because the provision would permit an organization conducting a study to enter into one written agreement with a FERPA-permitted entity, rather than making the organization enter into multiple written agreements with a variety of schools and school districts.
Section 99.35(a)(3)—Written Agreements for Audits, Evaluations, Compliance or Enforcement Activities (OMB Control Number 1875-0246)
Section 99.35(a)(3) requires FERPA-permitted entities to use a written agreement to designate authorized representatives other than agency employees. Under the final regulations, the agreement must: (1) Designate the individual or entity as an authorized representative; (2) specify the PII from education records to be disclosed; (3) specify that the purpose for which the PII from education records is disclosed to the authorized representative is to carry out an audit or evaluation of Federal- or State-supported education programs, or to enforce or to comply with Federal legal requirements that relate to those programs; (4) describe the activity to make clear that it legitimately fits within the exception of § 99.31; (5) require the authorized representative to destroy PII from education records when the information is no longer needed for the purpose specified; (6) specify the time period in which the PII from education records must be destroyed; and (7) establish policies and procedures, consistent with FERPA and other Federal and State confidentiality and privacy provisions, to protect PII from education records from further disclosure (except back to the disclosing entity) and unauthorized use. The total estimated burden under this provision is 9,928 hours. Specifically, the burden for States under this provision is estimated to be 40 hours annually for each of the 103 State educational authorities in the various States and territories subject to FERPA (one for K-12 and one for postsecondary in each SEA). Assuming that each State authority handles the agreements up to 10 times per year with an estimated 4 hours per agreement, the total anticipated increase in annual burden would be 4,120 hours for this new requirement in OMB Control Number 1875-0246. In addition, the burden for large LEAs and postsecondary institutions (1,452 educational agencies and institutions with a student population of over 10,000) is estimated to be 4 hours annually. Assuming each large LEA and postsecondary institution handles the agreements up to 1 time per year with an estimated 4 hours per agreement, the total anticipated increase in annual burden for large LEAs and postsecondary institutions would be 5,808 hours for this requirement.
Note:
For purposes of the burden analysis for § 99.35(a)(3), we estimate the burden on large LEAs and postsecondary institutions because we believe that estimating burden for these institutions captures the high-end of the burden estimate. We expect that burden for smaller LEAs and postsecondary institutions under § 99.35(a)(3) would be much less than estimated here.
Section 99.37(d)—Parental Notice of Disclosure of Directory Information (OMB Control Number 1875-0246)
Section 99.37(d) requires any educational agency or institution that elects to implement a limited directory information policy to specify its policy in the public notice to parents and eligible students in attendance at the educational agency or institution. We do not expect this requirement to result in an additional burden for most educational agencies and institutions because educational agencies and institutions are already required under § 99.37(a) to provide public notice of its directory information policy. However, the change reflected in amended § 99.37(d) could result in a burden increase for an educational agency or institution that currently has a policy of disclosing all directory information and elects, under the new regulations, to limit the disclosure of directory information. The agency or institution would now be required to inform parents and eligible students that it has a limited directory information policy. The notice provides parents and eligible students with the opportunity to opt out of the disclosure of directory information. Additionally, many educational agencies and institutions include their directory information notice as part of the required annual notification of rights under § 99.7, which is already listed as a burden and approved under OMB Control Number 1875-0246. These educational agencies and institutions, therefore, would not experience an increase in burden associated with the changes reflected in § 99.37(d).
Assessment of Educational Impact
In the NPRM, and in accordance with section 441 of the General Education Provisions Act, 20 U.S.C. 1221e-4, we requested comments on whether the proposed regulations would require transmission of information that any other agency or authority of the United States gathers or makes available.
Based on the response to the NPRM and on our review, we have determined that these final regulations do not require transmission of information that any other agency or authority of the United States gathers or makes available.
Accessible Format: Individuals with disabilities can obtain this document in an accessible format (e.g., braille, large print, audiotape, or compact disc) on request to the program contact person listed under FOR FURTHER INFORMATION CONTACT.' TAG FOUND; PLEASE REVIEW ALL TAGGING IN PREVIOUS PARAGRAPH -->
Electronic Access to This Document: The official version of this document is the document published in the Federal Register. Free Internet access to the official edition of the Federal Register and the Code of Federal Regulations is available via the Federal Digital System at: http://www.gpo.gov/fdsys. At this site you can view this document, as well as all other documents of this Department published in the Federal Register, in text or Adobe Portable Document Format (PDF). To use PDF you must have Adobe Acrobat Reader, which is available free at the site.
You may also access documents of the Department published in the Federal Start Printed Page 75641Register by using the article search feature at: http://www.federalregister.gov. Specifically, through the advanced search feature at this site, you can limit your search to documents published by the Department.
(Catalog of Federal Domestic Assistance Number does not apply.)
Start List of SubjectsList of Subjects in 34 CFR Part 99
- Administrative practice and procedure
- Directory information
- Education records
- Information
- Parents
- Privacy
- Records
- Social Security numbers
- Students
Dated: November 23, 2011.
Arne Duncan,
Secretary of Education.
For the reasons discussed in the preamble, the Secretary amends part 99 of title 34 of the Code of Federal Regulations as follows:
Start PartPART 99—FAMILY EDUCATIONAL RIGHTS AND PRIVACY
End Part Start Amendment Part1. The authority citation for part 99 continues to read as follows:
End Amendment Part Start Amendment Part2. Section 99.3 is amended by:
End Amendment Part Start Amendment PartA. Adding, in alphabetical order, definitions for authorized representative, early childhood education program, and education program.
End Amendment Part Start Amendment PartB. Revising the definition of directory information. The additions and revision read as follows:
End Amendment PartWhat definitions apply to these regulations?* * * * *Authorized representative means any entity or individual designated by a State or local educational authority or an agency headed by an official listed in § 99.31(a)(3) to conduct—with respect to Federal- or State-supported education programs—any audit or evaluation, or any compliance or enforcement activity in connection with Federal legal requirements that relate to these programs.
(Authority: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5))* * * * *Directory information means information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed.
(a) Directory information includes, but is not limited to, the student's name; address; telephone listing; electronic mail address; photograph; date and place of birth; major field of study; grade level; enrollment status (e.g., undergraduate or graduate, full-time or part-time); dates of attendance; participation in officially recognized activities and sports; weight and height of members of athletic teams; degrees, honors, and awards received; and the most recent educational agency or institution attended.
(b) Directory information does not include a student's—
(1) Social security number; or
(2) Student identification (ID) number, except as provided in paragraph (c) of this definition.
(c) In accordance with paragraphs (a) and (b) of this definition, directory information includes—
(1) A student ID number, user ID, or other unique personal identifier used by a student for purposes of accessing or communicating in electronic systems, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a personal identification number (PIN), password or other factor known or possessed only by the authorized user; and
(2) A student ID number or other unique personal identifier that is displayed on a student ID badge, but only if the identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the user's identity, such as a PIN, password, or other factor known or possessed only by the authorized user.
(Authority: 20 U.S.C. 1232g(a)(5)(A))* * * * *Early childhood education program means—
(a) A Head Start program or an Early Head Start program carried out under the Head Start Act (42 U.S.C. 9831 et seq.), including a migrant or seasonal Head Start program, an Indian Head Start program, or a Head Start program or an Early Head Start program that also receives State funding;
(b) A State licensed or regulated child care program; or
(c) A program that—
(1) Serves children from birth through age six that addresses the children's cognitive (including language, early literacy, and early mathematics), social, emotional, and physical development; and
(2) Is—
(i) A State prekindergarten program;
(ii) A program authorized under section 619 or part C of the Individuals with Disabilities Education Act; or
(iii) A program operated by a local educational agency.
* * * * *Education program means any program that is principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, and any program that is administered by an educational agency or institution.
(Authority: 20 U.S.C. 1232g(b)(3), (b)(5))* * * * *3. Section 99.31 is amended by:
End Amendment Part Start Amendment PartA. Removing paragraph (a)(6)(iii).
End Amendment Part Start Amendment PartB. Redesignating paragraph (a)(6)(ii) as paragraph (a)(6)(iii).
End Amendment Part Start Amendment PartC. Adding a new paragraph (a)(6)(ii).
End Amendment Part Start Amendment PartD. Revising the introductory text of newly redesignated paragraph (a)(6)(iii).
End Amendment Part Start Amendment PartE. Revising the introductory text of newly redesignated paragraph (a)(6)(iii)(C).
End Amendment Part Start Amendment PartF. Revising newly redesignated paragraph (a)(6)(iii)(C)(4).
End Amendment Part Start Amendment PartG. Revising paragraph (a)(6)(iv).
End Amendment PartThe addition and revisions read as follows:
Under what conditions is prior consent not required to disclose information?(a) * * *
(6) * * *
(ii) Nothing in the Act or this part prevents a State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section from entering into agreements with organizations conducting studies under paragraph (a)(6)(i) of this section and redisclosing personally identifiable information from education records on behalf of educational agencies and institutions that disclosed the information to the State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section in accordance with the requirements of § 99.33(b).
(iii) An educational agency or institution may disclose personally identifiable information under paragraph (a)(6)(i) of this section, and a State or local educational authority or agency headed by an official listed in paragraph (a)(3) of this section may redisclose personally identifiable information under paragraph (a)(6)(i) and (a)(6)(ii) of this section, only if—
* * * * *(C) The educational agency or institution or the State or local educational authority or agency headed by an official listed in paragraph (a)(3) Start Printed Page 75642of this section enters into a written agreement with the organization that—
* * * * *(4) Requires the organization to destroy all personally identifiable information when the information is no longer needed for the purposes for which the study was conducted and specifies the time period in which the information must be destroyed.
(iv) An educational agency or institution or State or local educational authority or Federal agency headed by an official listed in paragraph (a)(3) of this section is not required to initiate a study or agree with or endorse the conclusions or results of the study.
* * * * *[Amended]4. Section 99.33 is amended by removing paragraph (e).
End Amendment Part Start Amendment Part5. Section 99.35 is amended by:
End Amendment Part Start Amendment PartA. Revising paragraph (a)(2).
End Amendment Part Start Amendment PartB. Adding a new paragraph (a)(3).
End Amendment Part Start Amendment PartC. Revising paragraph (b).
End Amendment Part Start Amendment PartD. Revising the authority citation at the end of the section.
End Amendment PartThe addition and revisions read as follows:
What conditions apply to disclosure of information for Federal or State program purposes?(a) * * *
(2) The State or local educational authority or agency headed by an official listed in § 99.31(a)(3) is responsible for using reasonable methods to ensure to the greatest extent practicable that any entity or individual designated as its authorized representative—
(i) Uses personally identifiable information only to carry out an audit or evaluation of Federal- or State-supported education programs, or for the enforcement of or compliance with Federal legal requirements related to these programs;
(ii) Protects the personally identifiable information from further disclosures or other uses, except as authorized in paragraph (b)(1) of this section; and
(iii) Destroys the personally identifiable information in accordance with the requirements of paragraphs (b) and (c) of this section.
(3) The State or local educational authority or agency headed by an official listed in § 99.31(a)(3) must use a written agreement to designate any authorized representative, other than an employee. The written agreement must—
(i) Designate the individual or entity as an authorized representative;
(ii) Specify—
(A) The personally identifiable information from education records to be disclosed;
(B) That the purpose for which the personally identifiable information from education records is disclosed to the authorized representative is to carry out an audit or evaluation of Federal- or State-supported education programs, or to enforce or to comply with Federal legal requirements that relate to those programs; and
(C) A description of the activity with sufficient specificity to make clear that the work falls within the exception of § 99.31(a)(3), including a description of how the personally identifiable information from education records will be used;
(iii) Require the authorized representative to destroy personally identifiable information from education records when the information is no longer needed for the purpose specified;
(iv) Specify the time period in which the information must be destroyed; and
(v) Establish policies and procedures, consistent with the Act and other Federal and State confidentiality and privacy provisions, to protect personally identifiable information from education records from further disclosure (except back to the disclosing entity) and unauthorized use, including limiting use of personally identifiable information from education records to only authorized representatives with legitimate interests in the audit or evaluation of a Federal- or State-supported education program or for compliance or enforcement of Federal legal requirements related to these programs.
(b) Information that is collected under paragraph (a) of this section must—
(1) Be protected in a manner that does not permit personal identification of individuals by anyone other than the State or local educational authority or agency headed by an official listed in § 99.31(a)(3) and their authorized representatives, except that the State or local educational authority or agency headed by an official listed in § 99.31(a)(3) may make further disclosures of personally identifiable information from education records on behalf of the educational agency or institution in accordance with the requirements of § 99.33(b); and
(2) Be destroyed when no longer needed for the purposes listed in paragraph (a) of this section.
* * * * *(Authority: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5))5. Section 99.37 is amended by:
End Amendment Part Start Amendment PartA. Revising paragraph (c).
End Amendment Part Start Amendment PartB. Redesignating paragraph (d) as paragraph (e).
End Amendment Part Start Amendment PartC. Adding a new paragraph (d).
End Amendment PartThe addition and revision read as follows:
What conditions apply to disclosing directory information?* * * * *(c) A parent or eligible student may not use the right under paragraph (a)(2) of this section to opt out of directory information disclosures to—
(1) Prevent an educational agency or institution from disclosing or requiring a student to disclose the student's name, identifier, or institutional email address in a class in which the student is enrolled; or
(2) Prevent an educational agency or institution from requiring a student to wear, to display publicly, or to disclose a student ID card or badge that exhibits information that may be designated as directory information under § 99.3 and that has been properly designated by the educational agency or institution as directory information in the public notice provided under paragraph (a)(1) of this section.
(d) In its public notice to parents and eligible students in attendance at the agency or institution that is described in paragraph (a) of this section, an educational agency or institution may specify that disclosure of directory information will be limited to specific parties, for specific purposes, or both. When an educational agency or institution specifies that disclosure of directory information will be limited to specific parties, for specific purposes, or both, the educational agency or institution must limit its directory information disclosures to those specified in its public notice that is described in paragraph (a) of this section.
* * * * *6. Section 99.61 is revised to read as follows:
End Amendment PartWhat responsibility does an educational agency or institution, a recipient of Department funds, or a third party outside of an educational agency or institution have concerning conflict with State or local laws?If an educational agency or institution determines that it cannot comply with the Act or this part due to a conflict with State or local law, it must notify the Office within 45 days, giving the text and citation of the conflicting law. If another recipient of Department funds under any program administered by the Secretary or a third party to which personally identifiable information from education records has been non-Start Printed Page 75643consensually disclosed determines that it cannot comply with the Act or this part due to a conflict with State or local law, it also must notify the Office within 45 days, giving the text and citation of the conflicting law.
(Authority: 20 U.S.C. 1232g(f))7. Section 99.62 is revised to read as follows:
End Amendment PartWhat information must an educational agency or institution or other recipient of Department funds submit to the Office?The Office may require an educational agency or institution, other recipient of Department funds under any program administered by the Secretary to which personally identifiable information from education records is non-consensually disclosed, or any third party outside of an educational agency or institution to which personally identifiable information from education records is non-consensually disclosed to submit reports, information on policies and procedures, annual notifications, training materials, or other information necessary to carry out the Office's enforcement responsibilities under the Act or this part.
(Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and (g))8. Section 99.64 is amended by:
End Amendment Part Start Amendment PartA. Revising paragraphs (a) and (b).
End Amendment Part Start Amendment PartB. Revising the authority citation at the end of the section.
End Amendment PartThe revisions read as follows:
What is the investigation procedure?(a) A complaint must contain specific allegations of fact giving reasonable cause to believe that a violation of the Act or this part has occurred. A complaint does not have to allege that a violation is based on a policy or practice of the educational agency or institution, other recipient of Department funds under any program administered by the Secretary, or any third party outside of an educational agency or institution.
(b) The Office investigates a timely complaint filed by a parent or eligible student, or conducts its own investigation when no complaint has been filed or a complaint has been withdrawn, to determine whether an educational agency or institution or other recipient of Department funds under any program administered by the Secretary has failed to comply with a provision of the Act or this part. If the Office determines that an educational agency or institution or other recipient of Department funds under any program administered by the Secretary has failed to comply with a provision of the Act or this part, it may also determine whether the failure to comply is based on a policy or practice of the agency or institution or other recipient. The Office also investigates a timely complaint filed by a parent or eligible student, or conducts its own investigation when no complaint has been filed or a complaint has been withdrawn, to determine whether a third party outside of the educational agency or institution has failed to comply with the provisions of § 99.31(a)(6)(iii)(B) or has improperly redisclosed personally identifiable information from education records in violation of § 99.33.
* * * * *(Authority: 20 U.S.C. 1232g(b)(4)(B), (f) and (g))9. Section 99.65 is amended by revising paragraph (a) to read as follows:
End Amendment PartWhat is the content of the notice of investigation issued by the Office?(a) The Office notifies in writing the complainant, if any, and the educational agency or institution, the recipient of Department funds under any program administered by the Secretary, or the third party outside of an educational agency or institution if it initiates an investigation under § 99.64(b). The written notice—
(1) Includes the substance of the allegations against the educational agency or institution, other recipient, or third party; and
(2) Directs the agency or institution, other recipient, or third party to submit a written response and other relevant information, as set forth in § 99.62, within a specified period of time, including information about its policies and practices regarding education records.
* * * * *10. Section 99.66 is revised to read as follows:
End Amendment PartWhat are the responsibilities of the Office in the enforcement process?(a) The Office reviews a complaint, if any, information submitted by the educational agency or institution, other recipient of Department funds under any program administered by the Secretary, or third party outside of an educational agency or institution, and any other relevant information. The Office may permit the parties to submit further written or oral arguments or information.
(b) Following its investigation, the Office provides to the complainant, if any, and the educational agency or institution, other recipient, or third party a written notice of its findings and the basis for its findings.
(c) If the Office finds that an educational agency or institution or other recipient has not complied with a provision of the Act or this part, it may also find that the failure to comply was based on a policy or practice of the agency or institution or other recipient. A notice of findings issued under paragraph (b) of this section to an educational agency or institution, or other recipient that has not complied with a provision of the Act or this part—
(1) Includes a statement of the specific steps that the agency or institution or other recipient must take to comply; and
(2) Provides a reasonable period of time, given all of the circumstances of the case, during which the educational agency or institution or other recipient may comply voluntarily.
(d) If the Office finds that a third party outside of an educational agency or institution has not complied with the provisions of § 99.31(a)(6)(iii)(B) or has improperly redisclosed personally identifiable information from education records in violation of § 99.33, the Office's notice of findings issued under paragraph (b) of this section—
(1) Includes a statement of the specific steps that the third party outside of the educational agency or institution must take to comply; and
(2) Provides a reasonable period of time, given all of the circumstances of the case, during which the third party may comply voluntarily.
(Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and (g))11. Section 99.67 is revised to read as follows:
End Amendment PartHow does the Secretary enforce decisions?(a) If an educational agency or institution or other recipient of Department funds under any program administered by the Secretary does not comply during the period of time set under § 99.66(c), the Secretary may take any legally available enforcement action in accordance with the Act, including, but not limited to, the following enforcement actions available in accordance with part D of the General Education Provisions Act—
(1) Withhold further payments under any applicable program;
(2) Issue a complaint to compel compliance through a cease and desist order; or
(3) Terminate eligibility to receive funding under any applicable program.
(b) If, after an investigation under § 99.66, the Secretary finds that an educational agency or institution, other Start Printed Page 75644recipient, or third party has complied voluntarily with the Act or this part, the Secretary provides the complainant and the agency or institution, other recipient, or third party with written notice of the decision and the basis for the decision.
(c) If the Office finds that a third party, outside the educational agency or institution, violates § 99.31(a)(6)(iii)(B), then the educational agency or institution from which the personally identifiable information originated may not allow the third party found to be responsible for the violation of § 99.31(a)(6)(iii)(B) access to personally identifiable information from education records for at least five years.
(d) If the Office finds that a State or local educational authority, a Federal agency headed by an official listed in § 99.31(a)(3), or an authorized representative of a State or local educational authority or a Federal agency headed by an official listed in § 99.31(a)(3), improperly rediscloses personally identifiable information from education records, then the educational agency or institution from which the personally identifiable information originated may not allow the third party found to be responsible for the improper redisclosure access to personally identifiable information from education records for at least five years.
(e) If the Office finds that a third party, outside the educational agency or institution, improperly rediscloses personally identifiable information from education records in violation of § 99.33 or fails to provide the notification required under § 99.33(b)(2), then the educational agency or institution from which the personally identifiable information originated may not allow the third party found to be responsible for the violation access to personally identifiable information from education records for at least five years.
(Authority: 20 U.S.C. 1232g(b)(4)(B) and (f); 20 U.S.C. 1234c)Note:
The following appendices will not appear in the Code of Federal Regulations.
Start Printed Page 75645 Start Printed Page 75646 Start Printed Page 75647 Start Printed Page 75648 Start Printed Page 75649 Start Printed Page 75650 Start Printed Page 75651 Start Printed Page 75652 Start Printed Page 75653 Start Printed Page 75654 Start Printed Page 75655 Start Printed Page 75656 Start Printed Page 75657 Start Printed Page 75658 Start Printed Page 75659 Start Printed Page 75660 End Supplemental InformationFootnotes
1. Under section 9204(a) of the Elementary and Secondary Education Act of 1965, as amended (ESEA), the Secretary of Education and the Secretary of the Interior are required to reach an agreement regarding how the BIE will comply with ESEA requirements. Under a 2005 Final Agreement between the Department of Education and the Department of the Interior, the two Departments agreed, as a general matter, that the Department of Education would treat BIE as an SEA and each BIE school as an LEA, for purposes of complying with the requirements of ESEA.
Back to Citation2. The Department established an executive level Chief Privacy Officer (CPO) position in early 2011. The CPO oversees a new division dedicated to advancing the responsible stewardship, collection, use, maintenance, and disclosure of information at the national level and for States, LEAS, postsecondary institutions, and other education stakeholders.
Back to Citation3. PTAC was established to serve as a one‐stop resource for SEAs, LEAs, the postsecondary community, and other parties engaged in building and using education data systems. PTAC's role is to provide timely and accurate information and guidance about data privacy, confidentiality, and security issues and practices in education; disseminate this information to the field and the public; and provide technical assistance to key stakeholders. PTAC will share lessons learned; provide technical assistance in both group settings and in one‐on‐one meetings with States; and create training materials on privacy, confidentiality, and security issues.
Back to Citation
Document Information
- Effective Date:
- 1/3/2012
- Published:
- 12/02/2011
- Department:
- Education Department
- Entry Type:
- Rule
- Action:
- Final regulations.
- Document Number:
- 2011-30683
- Dates:
- These regulations are effective January 3, 2012. However, State and local educational authorities, and Federal agencies headed by officials listed in Sec. 99.31(a)(3) with written agreements in place prior to January 3, 2012, must comply with the existing requirement in Sec. 99.35(a)(3) to use written agreements to designate any authorized representatives, other than employees, only upon any renewal of or amendment to the written agreement with such authorized representative.
- Pages:
- 75603-75660 (58 pages)
- Docket Numbers:
- DOCKET ID ED-2011-OM-0002
- RINs:
- 1880-AA86: Family Educational Rights and Privacy
- RIN Links:
- https://www.federalregister.gov/regulations/1880-AA86/family-educational-rights-and-privacy
- Topics:
- Administrative practice and procedure, Information, Privacy, Students
- PDF File:
- 2011-30683.pdf
- CFR: (11)
- 34 CFR 99.3
- 34 CFR 99.31
- 34 CFR 99.33
- 34 CFR 99.35
- 34 CFR 99.37
- More ...