Federal Register: Part II [34 CFR Part 99]

DEPARTMENT OF EDUCATION

Western Area Power Administration

CFR Citation: 34 CFR Part 99

Docket ID: [Docket ID ED-2008-OPEPD-0002]

RIN ID: RIN 1855-AA05

NOTICE: Part II

DOCUMENT ACTION: Notice of proposed rulemaking.

SUBJECT CATEGORY: Family Educational Rights and Privacy

DATES: We must receive your comments on or before May 8, 2008.

DOCUMENT SUMMARY: The Secretary proposes to amend the regulations governing education records maintained by educational agencies and institutions under section 444 of the General Education Provisions Act, which is also known as the Family Educational Rights and Privacy Act of 1974, as amended (FERPA). These proposed regulations are needed to implement amendments to FERPA contained in the USA Patriot Act and the Campus Sex Crimes Prevention Act, to implement two U.S. Supreme Court decisions interpreting FERPA, and to make necessary changes identified as a result of the Department's experience administering FERPA and current regulations. These changes would clarify permissible disclosures to parents of eligible students and conditions that apply to disclosures in health and safety emergencies; clarify permissible disclosures of student identifiers as directory information; allow disclosures to contractors and other outside parties in connection with the outsourcing of institutional services and functions; revise the definitions of attendance, disclosure, education records, personally identifiable information, and other key terms; clarify permissible redisclosures by State and Federal officials; and update investigation and enforcement provisions.

SUMMARY: Education Department,

FOR FURTHER INFORMATION CONTACT Frances Moran, U.S. Department of Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 20202 8250. Telephone: (202) 2603887.

If you use a telecommunications device for the deaf (TDD), you may call the Federal Relay Service (FRS) at 18008778339.

Individuals with disabilities may obtain this document in an alternative format (e.g., Braille, large print, audiotape, or computer diskette) on request to the contact person listed under FOR FURTHER INFORMATION CONTACT.

Invitation To Comment

We invite you to submit comments and recommendations regarding these proposed regulations. To ensure that your comments have maximum effect in developing the final regulations, we urge you to identify clearly the specific section or sections of the proposed regulations that each of your comments addresses and to arrange your comments in the same order as the proposed regulations.

We invite you to assist us in complying with the specific requirements of Executive Order 12866 and its overall requirement of reducing regulatory burden that might result from these proposed regulations. Please let us know of any further opportunities we should take to reduce potential costs or increase potential benefits while preserving the effective and efficient administration of the program.

During and after the comment period, you may inspect all public comments about these proposed regulations in room 6W243, 400 Maryland Avenue, SW., Washington, DC, between the hours of 8:30 a.m. and 4 p.m. Eastern time, Monday through Friday of each week except Federal holidays. Public comments may also be inspected at www.regulations.gov. Assistance to Individuals With Disabilities in Reviewing the Rulemaking Record

On request, we will supply an appropriate aid to an individual with a disability who needs assistance to review the comments or other documents in the public rulemaking record for these proposed regulations. If you want to schedule an appointment for this type of aid, please contact the person listed under FOR FURTHER INFORMATION CONTACT.

Background

These proposed regulations would implement section 507 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) of 2001 (Pub. L. 10756), enacted Oct. 26, 2001, and the Campus Sex Crimes Prevention Act, section 1601(d) of the Victims of Trafficking and Violence Protection Act of 2000 (Pub. L. 106386), enacted Oct. 28, 2000, both of which amended FERPA. The proposed regulations also would implement the U.S. Supreme Court's decisions in Owasso Independent School Dist. No. I011 v. Falvo, 534 U.S. 426 (2002) (Owasso) and Gonzaga University v. Doe, 536 U.S. 273 (2002) (Gonzaga). Finally, the proposed regulations respond to changes in information technology and address other issues identified through the Department's experience administering FERPA, including the need to clarify how postsecondary institutions may share information with parents and other parties in light of the tragic events at Virginia Tech in April 2007. The Department has developed these proposed regulations in accordance with its ``Principles for Regulating,'' which are intended to ensure that the Department regulates in the most flexible, equitable, and least burdensome way possible. These proposed regulations seek to provide the greatest flexibility to State and local governments and schools while ensuring that personally identifiable information about students remains protected from unauthorized disclosure.

Technical Corrections

The proposed regulations correct Sec. 99.33(e) by adding the statutory
[[Page 15575]]
language ``outside the educational agency or institution'' after the words ``third party'' in the first sentence. They also correct an error in the section number cited in Sec. 99.34(a)(1)(ii).

Significant Proposed Regulations

We discuss substantive issues under the sections of the proposed regulations to which they pertain. Generally, we do not address proposed regulatory provisions that are technical or otherwise minor in effect.
1. Definitions (Sec. 99.3)

Attendance

Statute: 20 U.S.C. 1232g(a)(6) defines the term student as any person with respect to whom an educational agency or institution maintains education records or personally identifiable information but does not include a person who has not been in attendance at such agency or institution. The statute does not define attendance.

Current Regulations: As defined in the current regulations, the term attendance includes attendance in person or by correspondence, and the period during which a person is working under a workstudy program. The current definition does not address the status of distance learners who are taught through the use of electronic information and telecommunications technologies.

Proposed Regulations: The proposed regulations in Sec. 99.3 would add attendance by videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom.

Reasons: The proposed regulations are needed to clarify that students who are not physically present in the classroom may attend an educational agency or institution not only through traditional correspondence courses but through advanced electronic information and telecommunications technologies used for distance education, such as videoconferencing, satellite, and Internetbased communications. Directory Information

Statute: 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2) allows disclosure without consent of information such as a student's name and address, telephone listing, date and place of birth, major field of study, etc., defined as directory information, provided that specified notice and opt out conditions have been met.

Current Regulations: Directory information is defined in Sec. 99.3 as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed, and includes information listed in FERPA (e.g., a student's name and address, telephone listing) as well as other information, such as a student's electronic mail (email) address, enrollment status, and photograph. Current regulations do not specify whether a student's Social Security Number (SSN), official student identification (ID) number, or personal identifier for use in electronic systems may be designated and disclosed as directory information.

Proposed Regulations: The proposed regulations would provide that an educational agency or institution may not designate as directory information a student's SSN or other student ID number. However, directory information may include a student's user ID or other unique identifier used by the student to access or communicate in electronic systems, but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student.

Reasons: SSNs and other student ID numbers are personal identifiers that are typically used for identification purposes in order to establish an account, gain access to or confirm private information, obtain services, etc. The proposed regulations are needed to ensure that educational agencies and institutions do not disclose these identifiers as directory information, or include them with other personally identifiable information that may be disclosed as directory information, because SSNs and other student ID numbers can be used to impersonate the owner of the number and obtain information or services by fraud. The proposed regulations are also needed to clarify that unique personal identifiers used for electronic communications may be disclosed as directory information under certain conditions.

Names and addresses are personal identifiers (and personally identifiable information under Sec. 99.3) that have always been available for disclosure as directory information under FERPA because they are generally known to others and often appear in public directories outside the school context. (It is precisely because names and addresses are widely available that they may not be used to authenticate identity, as discussed below in connection with proposed Sec. 99.31(c).) SSNs and other student ID numbers are also personal identifiers and personally identifiable information under Sec. 99.3. Unlike names and addresses, SSNs and other student ID numbers are typically used to obtain a variety of nonpublic information about an individual, such as employment, credit, financial, health, motor vehicle, and educational information, that would be harmful or an invasion of privacy if disclosed. An SSN or other student ID number can also be used in conjunction with commonly available information, such as name, address, and date of birth, to establish fraudulent accounts and otherwise impersonate an individual. As a result, under the proposed regulations, SSNs and other student ID numbers may not be designated and disclosed as directory information.

Educational agencies and institutions have reported to us that in addition to needing a traditional student ID number (or SSN used as a student ID number), they need to identify or assign to students a unique electronic identifier that can be made available publicly. (Names are generally not appropriate for these purposes because they may not be unique to the population.) Unique electronic identifiers are needed, for example, for students to be able to use portals or single signon approaches to student information systems that provide access to class registration, academic records, library resources, and other student services. Much of the directorybased software used for these systems, as well as protocols for electronic collaboration by students and teachers within and among institutions, essentially cannot function without making an individual's user ID or other electronic identifier publicly available in these kinds of systems.

Some systems, for example, require users to log on with their e mail address or other published user name or account ID. (Note that a student's email address was added to the regulatory definition of directory information in the final regulations published on July 6, 2000 (65 FR 41852, 41855). Public key infrastructure (PKI) technology for encryption and digital signatures also requires wide dissemination of the sender's public key. These are the types of circumstances in which educational agencies and institutions may need to publish or disclose a student's unique electronic identifier.

The proposed regulations would permit disclosure of a student's user ID or other electronic identifier as directory information, but only if the identifier functions essentially as a name; that is, the identifier is not used by itself to authenticate identity and cannot be [[Page 15576]]
used by itself to gain access to education records. A unique electronic identifier disclosed as directory information may be used to provide access to the student's education records, but only when combined with other factors known only to the authorized user (student, parent, or school official), such as a secret password or PIN, or some other method to authenticate the user's identity and ensure that the user is, in fact, a person authorized to access the records.

Note that eligible students and parents have a right under FERPA to opt out of directory information disclosures and refuse to allow the student's email address, user ID or other electronic identifier disclosed as directory information (except as provided in proposed Sec. 99.37(c), discussed elsewhere in this document). This is similar to a decision not to participate in an institution's paperbased student directory, yearbook, commencement program, etc. In these cases, the student or parent will not be able to take advantage of the services, such as portals for class registration, academic records, etc., provided solely through the electronic communications or software that require public disclosure of the student's unique electronic identifier.

Disclosure

Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provides that an educational agency or institution subject to FERPA may not have a policy or practice of releasing, permitting the release of, or providing access to personally identifiable information from education records without prior written consent.

Current Regulations: The regulations in Sec. 99.3 define the term disclosure to mean permitting access to or the release, transfer, or other communication of personally identifiable information from education records to any party by any means. The regulations do not address issues relating to the return of records to the party that provided or created them.

Proposed Regulations: The proposed regulations would exclude from the definition of disclosure the release or return of an education record, or personally identifiable information from an education record, to the party identified as the party that provided or created the record. This would allow an educational agency or institution (School B) to send a transcript, letter of recommendation, or other record that appears to have been falsified back to the institution or school official identified as the creator or sender of the record (School A) for confirmation of its status as an authentic record. School A may confirm or deny that the record is accurate and send the correct version back to School B under Sec. 99.31(a)(2), which allows an institution to disclose education records without prior written consent to an institution in which the student seeks or intends to enroll, or is already enrolled.

The proposed regulations would also permit a State or local educational authority or other entity to redisclose education records or personally identifiable information from education records, without consent, to the school district, institution, or other party that provided the records or information.

Reasons: School officials have reported to the Department that they are receiving with more frequency what appear to be falsified transcripts, letters of recommendation, and other information about students from educational agencies and institutions. The proposed amendment is needed to verify the accuracy of this type of information and to ensure that the privacy protections in FERPA are not used to shield or prevent detection of fraud.

Several State educational agencies (SEAs) that maintain consolidated student records systems have also expressed uncertainty whether they may allow a local school district to obtain access to personally identifiable information from education records provided to the SEA by that district. The amendment is needed to clarify that SEAs and other parties that maintain education records provided by school districts and other educational agencies and institutions may allow a party to obtain access to the specific records and information that the party provided to the consolidated student records system.

Education Records

Statute: 20 U.S.C. 1232g(a)(4) provides a broad, general definition of education records that includes all records that are directly related to a student and maintained by an educational agency or institution. Student, in turn, is defined in 20 U.S.C. 1232g(a)(6) to exclude individuals who have not been in attendance at the agency or institution.

Current Regulations: The definition of education records in Sec. 99.3 excludes records that only contain information about an individual after he or she is no longer a student.

Proposed Regulations: The proposed regulations would clarify that, with respect to former students, the term education records excludes records that are created or received by the educational agency or institution after an individual is no longer a student in attendance and are not directly related to the individual's attendance as a student.

Reasons: Institutions have told us that there is some confusion about the provision in the definition of education records that excludes certain alumni records from the definition. Some schools have mistakenly interpreted this provision to mean that any record created or received after a student is no longer enrolled is not an education record under FERPA. The proposed regulations are needed to clarify that the exclusion is intended to cover records that concern an individual or events that occur after the individual is no longer a student in attendance, such as alumni activities. The exclusion is not intended to cover records that are created and matters that occur after an individual is no longer in attendance but that are directly related to his or her previous attendance as a student, such as a settlement agreement that concerns matters that arose while the individual was in attendance as a student.

Statute: The statute does not address peergrading practices in relation to FERPA requirements.

Current Regulations: The definition of education records includes records that are maintained by an educational agency or institution, or a party acting for the educational agency or institution, but does not provide any guidance on the status of studentgraded tests and assignments before they have been collected and recorded by a teacher.

Proposed Regulations: Proposed regulations in Sec. 99.3 would clarify that peergraded papers that have not been collected and recorded by a teacher are not considered maintained by an educational agency or institution and, therefore, are not education records under FERPA.

Reasons: The proposed regulations are needed to implement the U.S. Supreme Court's decision on peergraded papers in Owasso. ``Peer grading'' refers to a common educational practice in which students exchange and grade one another's papers and then either call out the grade or turn in the work to the teacher for recordation. In Owasso, the Court held that this practice does not violate FERPA because ``the grades on students' papers would not be covered under FERPA at least until the teacher has collected them and recorded them in his or her grade book.'' Owasso, 534 U.S. at 436.
[[Page 15577]]

Personally Identifiable Information

Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an educational agency or institution may not have a policy or practice of permitting the release of or providing access to education records or any personally identifiable information other than directory information in education records without prior written consent except in accordance with statutory exceptions.

Current Regulations: The term personally identifiable information is defined in Sec. 99.3 to include the student's name and other personal identifiers, such as the student's social security number or student number. Current regulations also include indirect identifiers, such as the name of the student's parent or other family members; the address of the student or the student's family; and personal characteristics or other information that would make the student's identity easily traceable.

Proposed Regulations: The proposed regulations would add biometric record to the list of personal identifiers and add other indirect identifiers, such as date and place of birth and mother's maiden name, to the list of personally identifiable information. The regulations would remove language about personal characteristics and other information that would make the student's identity easily traceable and provide instead that personally identifiable information includes other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. Personally identifiable information would also include information requested by a person who the educational agency or institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates.

Reasons: See the discussion of proposed regulations adding a new Sec. 99.31(b) for deidentified education records elsewhere in this document.

State Auditor

Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) allows an educational agency or institution to disclose personally identifiable information from education records, without prior written consent, to State and local educational authorities and officials for the audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs.

Current Regulations: The current regulations do not address the disclosure of education records to State auditors.

Proposed Regulations: The proposed regulations in Sec. 99.3 would define State auditor as a party under any branch of government with authority and responsibility under State law for conducting audits. We propose to add a new paragraph (a)(2) to Sec. 99.35 to clarify that State auditors that are not State or local educational authorities may have access to education records in connection with an audit of Federal or State supported education programs.

Reasons: 20 U.S.C. 1232g(b)(3) (section (b)(3) of the statute) allows disclosure of education records without consent to ``State educational authorities'' for audit and evaluation purposes. According to the legislative history of FERPA, section (b)(5) of the statute, which allows disclosure of education records without consent to ``State and local educational officials'' for audit and evaluation purposes, was added in 1979 to ``correct an anomaly'' in which the existing exception in section (b)(3) was interpreted to preclude State auditors from obtaining records in order to conduct State audits of local and Statesupported programs.

See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 (1979), reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824. The amended statutory language in section (b)(5) is ambiguous, however, because it does not actually mention State auditors and, like section (b)(3), refers only to educational officials. Over the years several States have questioned whether this exception includes audits conducted by legislative branch officials and other parties that may not be considered educational authorities or officials.

The regulations are needed to clarify that State auditors may receive personally identifiable information from education records, without prior written consent, even if they are not considered State or local educational authorities or officials, provided that they are auditing a Federal or State supported education program. We are interested in receiving comments about whether the definition needs to cover local auditors as well. The exception for disclosure of education records to State auditors is narrowly limited to audits (defined in proposed Sec. 99.35 as testing compliance with applicable laws, regulations, and standards) and does not include the broader concept of evaluations, for which disclosure of education records remains limited to educational authorities or officials.
2. Disclosures to Parents of Eligible Students (Sec. Sec. 99.5, 99.36) Section 99.5(a) (Rights of Students)

Statute: 20 U.S.C. 1232g(d) provides that once a student reaches 18 years of age or attends a postsecondary institution, all rights accorded to parents under FERPA, and the consent required to disclose education records, transfer from the parents to the student. Under 20 U.S.C. 1232g(b)(1)(H), an educational agency or institution may disclose personally identifiable information from an education record without meeting FERPA's written consent requirement to parents of a dependent student as defined in 26 U.S.C. 152. Under 20 U.S.C. 1232g(i), an institution of higher education may disclose personally identifiable information from an education record, without meeting FERPA's written consent requirement, to a parent or legal guardian of a student information regarding the student's violation of any Federal, State or local law, or any rule or policy of the institution governing the use or possession of alcohol or a controlled substance if the student is under the age of 21 and the institution determines that the student has committed a disciplinary violation with respect to such use or possession. Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or institution may disclose personally identifiable information from an education record, without meeting FERPA's written consent requirement, to appropriate persons in connection with an emergency if the knowledge of such information is necessary to protect the health or safety of the student or other persons.

Current Regulations: Section 99.3 defines an eligible student as a student who has reached 18 years of age or attends a postsecondary institution. Section 99.5(a) states that rights accorded to parents, and consent required of parents, to disclose education records under FERPA transfer from parents to a student when the student meets the definition of an eligible student.

Section 99.31(a)(8) provides that an educational agency or institution may disclose personally identifiable information from education records without consent to parents of a dependent student as defined in section 152 of the Internal Revenue Code of 1986. Under Sec. 99.31(a)(15) written consent is not required, regardless of dependency status, to disclose to a
[[Page 15578]]
parent of a student at an institution of postsecondary education information regarding the student's violation of any Federal, State or local law, or of any rule or policy of the institution, governing the use or possession of alcohol or a controlled substance if the institution determines that the student has committed a disciplinary violation with respect to that use or possession and the student is under the age of 21 at the time of the disclosure to the parent.

Section 99.31(a)(10) provides that an educational agency or institution may disclose personally identifiable information from education records without consent if the disclosure is in connection with a health or safety emergency under the conditions described in Sec. 99.36. Section 99.36 provides that an educational agency or institution may disclose personally identifiable information from an education record to appropriate parties in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals.

Proposed Regulations: The proposed regulations in Sec. 99.5 clarify that even after a student has become an eligible student, an educational agency or institution may disclose education records to the student's parents, without the consent of the eligible student, if the student is a dependent for Federal income tax purposes (Sec. 99.31(a)(8)); in connection with a health or safety emergency (Sec. 99.31(a)(10)); if the student is under the age of 21 and has violated an institutional rule or policy governing the use or possession of alcohol or a controlled substance (Sec. 99.31(a)(15)); and if the disclosure falls within any other exception to the consent requirement in Sec. 99.31(a) of the regulations, such as the disclosure of directory information or in compliance with a court order or lawfully issued subpoena. The proposed regulations in Sec. 99.36(a) would clarify that an eligible student's parents are appropriate parties to whom an educational agency or institution may disclose personally identifiable information from education records without consent in a health or safety emergency.

Reasons: The Secretary is concerned that some institutions are under the mistaken impression that FERPA prevents them from providing parents with any information about a college student. The proposed regulations are needed to clarify that FERPA contains exceptions to the written consent requirement that permit colleges and other educational agencies and institutions to disclose personally identifiable information from education records to parents of certain eligible students whether or not the student consents.

Section 99.31(a)(8) permits an educational agency or institution to disclose education records, without consent, to either parent if at least one of the parents has claimed the student as a dependent on the parent's most recent tax return. Because many college students (and 18 yearold high school students) are tax dependents of their parents, this provision allows these institutions to disclose information from education records to the students' parents without meeting the written consent requirements in Sec. 99.30. (Institutions must first determine that a parent has claimed the student as a dependent on the parent's Federal income tax return. Institutions can determine that a parent claimed a student as a dependent by asking the parent to submit a copy of the parent's most recent Federal tax return. Institutions can also rely on a student's assertion that he or she is not a dependent unless the parent provides contrary evidence.)

The proposed regulations are also needed to clarify that colleges and other institutions may disclose information from education records to an eligible student's parents, without consent, under Sec. 99.31(a)(15) if the institution has determined that the student has violated Federal, State, or local law or an institution's rules or policies governing alcohol or substance abuse (provided the student is under 21 years of age), and in connection with a health or safety emergency under Sec. Sec. 99.31(a)(10) and 99.36 (regardless of the student's age) if the information is needed to protect the health or safety of the student or other individuals. These exceptions apply whether or not the student is a dependent of a parent for tax purposes. These proposed regulations would clarify the Department's policy with respect to an agency's or institution's disclosure of information from education records to parents under the health and safety emergency exception and do not represent a change in the Department's interpretation of who may qualify as an appropriate party under the health or safety emergency exception to the consent requirement. While institutions may choose to follow a policy of not disclosing education records to parents of eligible students in these circumstances, FERPA does not mandate such a policy.
3. Authorized Disclosure of Education Records Without Prior Written Consent (Sec. 99.31)

Section 99.31(a)(1) (School Officials) Outsourcing

Statute: 20 U.S.C. 1232g(a)(4)(A) defines education records to include records maintained by an educational agency or institution or by ``a person acting for'' the agency or institution. Under 20 U.S.C. 1232g(b)(1)(A), an educational agency or institution may allow teachers and other school officials within the institution or agency, without prior written consent, to obtain access to education records if the institution or agency has determined that they have legitimate educational interests in the information.

Current Regulations: Section 99.31(a)(1) allows disclosure of personally identifiable information from education records without consent to school officials, including teachers, within the agency or institution if the educational agency or institution has determined that they have legitimate educational interests in the information. An educational agency or institution that discloses information under this exception must specify in its annual notification of FERPA rights under Sec. 99.7(a)(3)(iii) the criteria it uses to determine who constitutes a school official and what constitutes legitimate educational interests. The recordkeeping requirements in Sec. 99.32(d) do not apply to disclosures to school officials with legitimate educational interests. Current regulations do not address disclosure of education records without consent to contractors, consultants, volunteers, and other outside parties providing institutional services and functions or otherwise acting for an agency or institution.

Proposed Regulations: The proposed regulations in Sec. 99.31(a)(1)(i)(B) would expand the school official exception to include contractors, consultants, volunteers, and other outside parties to whom an educational agency or institution has outsourced institutional services or functions that it would otherwise use employees to perform. The outside party who obtains access to education records without consent must be under the direct control of the agency or institution and subject to the same conditions governing the use and redisclosure of education records that apply to other school officials under Sec. 99.33(a) of the regulations. These proposed regulations supersede previous technical assistance guidance issued by the Family Policy Compliance Office (Office) regarding disclosure of
[[Page 15579]]
education records without consent to parties acting for an educational agency or institution.

Educational agencies and institutions that outsource institutional services and functions must comply with the annual FERPA notification requirements under the current regulations in Sec. 99.7(a)(3)(iii) by specifying their contractors, consultants, and volunteers as school officials retained to provide various institutional services and functions. Failure to comply with the notice requirements for school officials in Sec. 99.7(a)(3)(iii) is not excused by recording the disclosure under Sec. 99.32. (We note that under current regulations disclosures to school officials under Sec. 99.31(a)(1) are specifically excluded from the recordation requirements under Sec. 99.32(d).) As a result, an educational agency or institution that has not included contractors and other outside service providers as school officials with legitimate educational interests in its annual FERPA notification may not disclose any personally identifiable information from education records to these parties until it has complied with the notice requirements in Sec. 99.7(a)(3)(iii).

Educational agencies and institutions are responsible for their outside service providers' failures to comply with applicable FERPA requirements. The agency or institution must ensure that the outside party does not use or allow anyone to obtain access to personally identifiable information from education records except in strict accordance with the requirements established by the educational agency or institution that discloses the information.

All outside parties serving as school officials are subject to FERPA's restrictions on the use and redisclosure of personally identifiable information from education records. These restrictions include current provisions in Sec. 99.33(a), which requires an educational agency or institution that discloses personally identifiable information from education records to do so only on the condition that the recipient, including a teacher or other school official, will use the information only for the purpose for which the disclosure was made and will not redisclose the information to any other party without the prior consent of the parent or eligible student unless the educational agency or institution has authorized the redisclosure under a FERPA exception and the agency or institution records the subsequent disclosure in accordance with the requirements in Sec. 99.32(b).

For example, under the proposed regulations, a party that contracts with an educational agency or institution to provide enrollment and degree verification services must ensure that only individuals with legitimate educational interests obtain access to personally identifiable information from education records maintained on behalf of the agency or institution. In accordance with current regulations at Sec. 99.33(b), a contractor may not redisclose personally identifiable information without prior written consent unless the educational agency or institution has authorized the redisclosure under a FERPA exception and the agency or institution records the subsequent disclosure in accordance with the requirements in Sec. 99.32(b). Like other school officials, contractors and other outside parties who provide institutional services may not decide unilaterally to redisclose personally identifiable information from education records, even in circumstances that would comply with an exception in Sec. 99.31(a).

Additionally, records directly related to a student that are maintained by a party acting for an educational agency or institution are education records subject to all FERPA requirements. This includes any new student records created under an outsourcing agreement that are maintained by the outside service provider.

Reasons: The proposed regulations are needed to resolve uncertainty about the specific conditions under which educational agencies and institutions may disclose personally identifiable information from education records, without prior written consent, to contractors, consultants, volunteers, and other outside parties performing institutional services or functions. While there is no explicit statutory exception to the prior written consent requirement for disclosures to contractors and other nonemployees to whom an educational agency or institution has outsourced services, we note that the statutory definition of education records protects records that are maintained by a party acting for the agency or institution. See 20 U.S.C. 1232g(a)(4)(A)(ii). Indeed, the Joint Statement in Explanation of Buckley/Pell Amendment (120 Cong. Rec. S39862, Dec. 13, 1974) refers specifically to materials that are maintained by a school ``or by one of its agents'' when describing the meaning of the new term education records in the December 1974 amendments to the statute.

The Department has long recognized in guidance that FERPA does not prevent educational agencies and institutions from outsourcing institutional services and functions and disclosing education records to contractors and other outside parties performing those services and functions in appropriate circumstances, such as for legal advice; debt collection; transcript distribution; fundraising and alumni communications; development and management of information systems; and degree and enrollment verification. The Secretary wishes to clarify and define the scope of this practice to avoid further confusion and prevent weakening of FERPA's privacy protections because of uncertainty about the requirements for making these kinds of disclosures.

One of the most frequently used exceptions to the prior written consent requirement allows teachers and other school officials to obtain access to education records provided the educational agency or institution has determined that the school official has legitimate educational interests in the information. This exception covers not only teachers and principals, but also school counselors, registrars, admissions personnel, attorneys, accountants, human resource staff, information systems specialists, and designated support and clerical personnel when they need access to personally identifiable information from education records in order to perform their official functions and duties for their employer. As noted above, an educational agency or institution that allows school officials to obtain access to education records under this exception must, under Sec. 99.7(a)(3), include in its annual notification of FERPA rights a specification of its criteria for determining who constitutes a school official and what constitutes legitimate educational interests under Sec. 99.31(a)(1). Disclosures to school officials under current regulations are subject to the restrictions on the use and redisclosure of information in Sec. 99.33 but are exempt from the FERPA recordkeeping requirements in Sec. 99.32.

The proposed regulations are included with the exception for school officials in Sec. 99.31(a)(1) because we believe that disclosures made for contract, volunteer, and other outsourced services and functions should be subject to the same conditions that would apply if the outside party were, in fact, providing institutional services or functions as an employee or officer of the educational agency or institution. In particular, the outside party must be under the direct control of the agency or institution with respect to the maintenance and use of personally identifiable information from education records. The outside party
[[Page 15580]]
must also perform the type of institutional services or functions for which the agency or institution would otherwise use its own employees. For example, an institution may disclose education records without consent under this provision to an outside party retained to provide enrollment verification services to student loan holders because the institution would otherwise have to use its own employees to conduct the required verifications. In contrast, an institution may not use this provision to disclose education records, without consent, to a financial institution or insurance company that provides a good student discount on its services and needs students' ID numbers and grades to verify an individual's eligibility, even if the institution enters into a contract with these companies to provide the student discount. Access to Education Records by School Officials

Statute: 20 U.S.C. 1232g(b)(1)(A) provides that an educational agency or institution may allow teachers and other school officials within the agency or institution to obtain access to education records, without prior written consent, if the agency or institution has determined that the school official has legitimate educational interests in the information.

Current Regulations: Section 99.31(a)(1) allows an educational agency or institution to disclose personally identifiable information from education records without consent to school officials, including teachers, within the agency or institution if the educational agency or institution has determined that they have legitimate educational interests in the information. An educational agency or institution that discloses information under this exception must specify in its annual notification of FERPA rights under Sec. 99.7(a)(3)(iii) the criteria it uses to determine who constitutes a school official and what constitutes legitimate educational interests. Current regulations do not specify whether the agency or institution must ensure that school officials obtain access to only those education records in which they have legitimate educational interests.

Proposed Regulations: The proposed regulations in Sec. 99.31(a)(1)(ii) would require an educational agency or institution to use reasonable methods to ensure that teachers and other school officials obtain access to only those education records in which they have legitimate educational interests. This requirement would apply to education records maintained in either paper or electronic format. Agencies and institutions that choose not to use physical or technological controls to restrict a school official's access to education records must ensure that their administrative policy for controlling access to and maintenance of education records is effective and that the agency or institution remains in compliance with the legitimate educational interests requirement in Sec.
99.31(a)(1)(i)(A). (These proposed regulations do not address what constitutes a legitimate educational interest under the regulations.)

Reasons: The proposed regulations are needed to ensure that teachers and other school officials only gain access to education records in which they have a legitimate educational interest. While the proposed regulations apply to records in any format (as defined in Sec. 99.3), the need to ensure compliance with the legitimate educational interest requirement has been driven largely by the increased use of computerized or electronic recordkeeping systems in which a user may have access to all records.

Many of the smaller educational agencies and institutions typically use a combination of physical and administrative methods to restrict access by school officials to paper copy records. For example, paper copy records may be maintained in lockable cabinets, desks, or rooms with distribution of records to school officials controlled by the teacher, registrar, or other authorized custodian as appropriate. With the advent of computerized or electronic records, particularly by the midsize and larger agencies and institutions, parents and students have complained that school officials may have unrestricted access to the records of all students in an institution's or local educational agency's (LEA) system. Agencies and institutions establishing or upgrading electronic student information systems have also expressed uncertainty about what methods they should use to comply with the legitimate educational interest requirement in this new environment.

Under the proposed regulations, an educational agency or institution should implement controls to protect student records. These controls should consist of a combination of appropriate physical, technical, administrative, and operational controls which will allow access to be limited when required. (Some examples of possible information security controls can be found in ``The National Institute of Standards and Technology (NIST) 80053, Recommended Security Controls for Federal Information Systems'' (December 2007). Educational institutions and agencies are not required to implement the NIST 80053 guidance, but may find it useful when determining possible controls.) For example, software used to access electronic records may contain rolebased security features that allow teachers to view only information about students currently enrolled in their classes. Similarly, a school principal or registrar may maintain paper records in locked cabinets and distribute records to authorized officials on an as needed basis.

An educational agency or institution that does not use some kind of physical or technological controls to restrict access and leaves education records open to all school officials may rely instead on administrative controls, such as an institutional policy that prohibits teachers and other school officials from accessing records except when they have a legitimate educational interest. However, an agency or institution that forgoes physical or technological access controls must ensure that its administrative policy for controlling access is effective and that it remains in compliance with the legitimate educational interest requirement in Sec. 99.31(a)(1). In that regard, if a parent or eligible student alleges that a school official obtained access to a student's education records without a legitimate educational interest, an agency or institution must show that the school official possessed a legitimate educational interest in obtaining the personally identifiable information from education records maintained by the agency or institution. An agency or institution may wish to restrict or track school officials who obtain access to education records to ensure that it is in compliance with Sec. 99.31(a)(1)(i)(A).

The risk of unauthorized access to education records by school officials means the likelihood that records may be targeted for compromise and the harm that could result. Methods used by an educational agency or institution to ensure compliance with the legitimate educational interests requirement are considered reasonable under the proposed regulations if they reduce the risk of unauthorized access by school officials to a level commensurate with the likely threat and potential harm. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will occur, the more protections an agency or institution must use to ensure that its methods are reasonable. For example, high risk records, such as those that [[Page 15581]]
contain credit card information, SSNs and other elements used for identity theft, immunization and other health records, certain records on special education students, and official transcripts and grades should generally receive greater and more immediate protection than medium or low risk records, such as those containing only publicly releasable directory information. Methods that an educational agency or institution should use to reduce risk to an acceptable level will depend on a variety of factors, including the organization's size and resources. In all cases, reasonableness depends ultimately on what are the usual and customary good business practices of educational agencies and institutions, which requires ongoing review and modification of methods and procedures, where appropriate, as standards and technologies continue to change.
Section 99.31(a)(2) (Disclosure to a School Where Student Seeks or Intends To Enroll)

Statute: 20 U.S.C. 1232g(b)(1)(B) allows an educational agency or institution to disclose, under certain conditions, education records to another school or school system in which the student seeks or intends to enroll without obtaining the prior written consent of a parent or eligible student.

Current Regulations: Under Sec. 99.31(a)(2), an educational agency or institution may disclose education records, without prior written consent, to officials of another school, school system, or postsecondary institution where the student seeks or intends to enroll, provided that the agency or institution complies with the requirements in Sec. 99.34(a) regarding notification to the parent or eligible student of the disclosure and, upon request, provide a copy of the records and an opportunity for a hearing under subpart C of the regulations.

Proposed Regulations: The proposed regulations in Sec. 99.31(a)(2) would allow an educational agency or institution to disclose education records, without consent, to another institution even after a student has already enrolled or transferred, and not just if the student seeks or intends to enroll, if the disclosure is for purposes related to the student's enrollment or transfer.

Reasons: The proposed amendments are needed to resolve uncertainty about whether consent is required to send a student's records to the student's new school after the student has already transferred and enrolled. This proposed exception to the consent requirement is intended to ease administrative burdens on educational agencies and institutions by allowing them to send transcripts and other information from education records to schools where a student seeks or intends to enroll without meeting the formal consent requirements in Sec. 99.30. We have concluded that authority to disclose or transfer information to a student's new school under this exception does not cease automatically the moment a student has actually enrolled. Rather, an educational agency or institution may transfer education records to a student's new school, including a postsecondary institution, at any point in time if the disclosure is in connection with the student's enrollment in the new school.

Based on these considerations, we have also determined that an educational agency or institution may update, correct, or explain information it has disclosed to another educational agency or institution as part of the original disclosure under Sec. 99.31(a)(2) without complying with the written consent requirements in Sec. 99.30. That is, a student's previous institution is not required to obtain prior written consent under Sec. 99.30 to respond to the new institution's request to explain the meaning of education records sent to it in connection with a student's new enrollment.

Finally, in the aftermath of the shooting at Virginia Tech, some questions have arisen about whether FERPA prohibits the disclosure of certain types of information from students' education records to new schools or postsecondary institutions to which they have applied. (Further discussion of the tragic events that occurred at Virginia Tech in April 2007 is included in the discussion of the proposed amendments to Sec. 99.36, which appears later in this document.) Under Sec. 99.31(a)(2) and Sec. 99.34(a), FERPA permits school officials to disclose any and all education records, including health and disciplinary records, to another institution where the student seeks or intends to enroll.
Section 99.31(a)(6) (Organizations Conducting Studies for or on Behalf of an Educational Agency or Institution)

Statute: 20 U.S.C. 1232g(b)(1)(F) allows an educational agency or institution to disclose personally identifiable information from education records, without consent, to organizations conducting studies for or on behalf of the agency or institution for purposes of testing, student aid, and improvement of instruction. The information must be protected so that students and their parents cannot be identified by anyone other than representatives of the organization that conducts the study and must be destroyed when no longer needed for the study. As explained in Sec. 99.31(a)(6)(iii), failure to destroy information in accordance with this requirement could lead to a fiveyear ban on disclosure of information to that organization.

Current Regulations: The regulations restate the statutory language that the study is conducted ``for, or on behalf of'' the educational agency or institution, but do not explain what this language means.

Proposed Regulations: The proposed regulations require an educational agency or institution that discloses education records without consent under Sec. 99.31(a)(6) to enter into a written agreement with the recipient organization that specifies the purposes of the study. The agency or institution that discloses education records under this exception does not have to agree with or endorse the conclusions or results of the study. The written agreement must specify that information from education records may only be used to meet the purposes of the study stated in the written agreement and must contain the current restrictions on redisclosure and destruction of information requirements applicable to information disclosed under this exception.

Reasons: Research organizations have asked for clarification about the circumstances in which an educational agency or institution may disclose to them personally identifiable information from education records under Sec. 99.31(a)(6)(iii), and educational agencies and institutions have asked whether they may provide personally identifiable information to organizations for research purposes without parental consent even if the educational agency or institution has no particular interest in the study.

This exception to the consent requirement is intended to allow educational agencies and institutions to retain the services of outside organizations (or individuals) to conduct studies for or on their behalf to develop, validate, or administer predictive tests; administer student aid programs; or improve instruction. An educational agency or institution need not initiate research requests or agree with or endorse a study's results and conclusions under this exception. However, the statutory language ``for, or on behalf of'' indicates that the disclosing agency or institution agrees with the purposes of the study and retains control over the information from education records that is disclosed.
[[Page 15582]]
The written agreement required under the proposed regulations will help ensure that information from education records is used only to meet the purposes of the study stated in the written agreement and that all applicable requirements are met. (See discussion of Sec. 99.31(b) below regarding disclosure of deidentified information to independent educational researchers.)

Section 99.31(a)(9) (USA Patriot Act)

Statute: The USA Patriot Act, Public Law 10756, amended FERPA by providing a new subsection 1232g(j), 20 U.S.C. 1232g(j), that authorizes the United States Attorney General (or designee not lower than an Assistant Attorney General) to apply for an ex parte court order (an order issued by a court without notice to an adverse party) allowing the Attorney General (or designee) to collect education records from an educational agency or institution, without the consent or knowledge of the student or parent, that are relevant to an investigation or prosecution of an offense listed in 18 U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism specified in 18 U.S.C. 2331. The statute requires the Attorney General (or designee not lower than an Assistant Attorney General) to certify facts in support of the order and to retain, disseminate, and use the records in a manner that is consistent with confidentiality guidelines established by the Attorney General in consultation with the Secretary of Education. Agencies and institutions are not required to record the disclosure and cannot be held liable to anyone for producing education records in good faith in accordance with a court order issued under this provision.

Current Regulations: The current regulations do not address the amendments made by the USA Patriot Act.

Proposed Regulations: The proposed regulations add new exceptions to the written consent requirement in Sec. 99.31(a)(9)(ii) and the recordkeeping requirement in Sec. 99.32(a) allowing disclosure of education records without notice in compliance with an ex parte court order obtained by the Attorney General (or designee) concerning investigations or prosecutions of an offense listed in 18 U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism defined in 18 U.S.C. 2331.

Reasons: The proposed regulations are necessary to implement the statutory amendment. An educational agency or institution that is served with an ex parte court order from the Attorney General (or designee) under this provision should ensure that the order is facially valid, just as it does when determining whether to comply with other judicial orders and subpoenas under Sec. 99.31(a)(9). An educational agency or institution is not, however, required or authorized to examine the underlying certification of facts presented to the court in the Attorney General's application for the ex parte court order.

The proposed regulations provide that an educational agency or institution may comply with the court order without notice to the parent or eligible student. (Note that Sec. 99.31(a)(9)(ii)(B) also allows an educational agency or institution to disclose education records without notice to representatives of the Attorney General or other law enforcement authorities who produce a subpoena that has been issued for law enforcement purposes and the court or other issuing agency has ordered that the existence or contents of the subpoena or information furnished in response to the subpoena not be disclosed.) Section 99.31(a)(16) (Registered Sex Offenders)

Statute: The Campus Sex Crimes Prevention Act (CSCPA), section 1601(d) of the Victims of Trafficking and Violence Protection Act of 2000, Public Law 106386, amended FERPA by adding 20 U.S.C. 1232g(b)(7), which provides that educational agencies and institutions may disclose information concerning registered sex offenders provided under State sex offender registration and community notification programs required by section 170101 of the Violent Crime Control and Law Enforcement Act of 1994, Public Law 103322, 42 U.S.C. 14071. Section 170101 contains the Jacob Wetterling Crimes Against Children and Sexually Violent Offender Registration Act (Wetterling Act).

Current Regulations: The current regulations do not address the disclosure of information concerning registered sex offenders.

Proposed Regulations: The proposed regulations add a new exception to the consent requirement in Sec. 99.31(a)(16) that permits an educational agency or institution to disclose information that the agency or institution received under a State community notification program about a student who is required to register as a sex offender in the State. Note that nothing in FERPA or these proposed regulations requires or encourages an educational agency or institution to collect or maintain information about registered sex offenders.

Reasons: The regulations implement the CSCPA amendment to FERPA, which allows educational agencies and institutions to disclose information about registered sex offenders without consent if the information was received through and complies with guidelines regarding a State community notification program issued by the U.S. Attorney General under the Wetterling Act. Wetterling Act guidelines issued by the Attorney General were published in the Federal Register on October 25, 2002 (67 FR 65598), and January 5, 1999 (64 FR 572).

The Wetterling Act sets forth minimum national standards for sex offender registration and community notification programs. Under the Wetterling Act, States must establish programs that require sexually violent predators (and anyone convicted of specified criminal offenses against minors) to register their name and address with the appropriate State authority where the offender lives, works, or is enrolled as a student. States are also required to release relevant information necessary to protect the public concerning persons required to register, excluding the identity of any victim. (This community notification provision is commonly known as the ``Megan's Law'' amendment to the Wetterling Act.)

CSCPA supplemented the general standards for sex offender registration and community notification programs in the Wetterling Act with provisions specifically designed for higher education campus communities. These include a requirement that States collect information about a registered offender's enrollment or employment at an institution of higher education, including any change in enrollment or employment status at the institution, and make this information available promptly to a campus police department or other appropriate law enforcement agency having jurisdiction where the institution is located. CSCPA also amended the Higher Education Act of 1965, as amended (HEA), by requiring institutions of higher education to advise the campus community where it can obtain information about registered sex offenders provided by the State pursuant to the Wetterling Act, such as the campus law enforcement office, a local law enforcement agency, or a computer network address. See 20 U.S.C. 1092(f)(1)(I) and 34 CFR 668.46(b)(12).

While the FERPA amendment was made in the context of CSCPA's enhancements to registration and
[[Page 15583]]
notification requirements applicable to the higher education community, the Department has determined that all educational institutions, including elementary and secondary schools, are covered by this amendment. The registration and community notification requirements apply in the State where an offender lives, works, or is a student, which is defined as ``a person who is enrolled on a fulltime or part time basis, in any public or private educational institution, including any secondary school, trade, or professional institution, or institution of higher education.'' See 42 U.S.C. 14071(a)(3)(G). Because the sex offender registration and community notification requirements apply broadly to students enrolled in ``any public or private educational institution,'' the Department likewise interprets the FERPA amendment to apply to all educational agencies and institutions subject to FERPA.