On March 24, 2008, the U.S. Department of Education (ED) issued a notice of proposed rulemaking to amend its regulations implementing the Family Educational Rights Privacy Act of 1974 (FERPA). FERPA is a federal law designed to protect the privacy of student records maintained by educational agencies or institutions, or those acting on their behalf. The law generally requires educational agencies or institutions that receive funds through programs administered by ED to obtain prior written consent from a student (or the student’s parent, as applicable) to disclose a student’s education records or personally identifiable information within such education records to a third party. The following discussion summarizes some of the many significant proposed revisions.
Definitions of Key FERPA Terms
Directory Information – Neither the statute nor current regulations currently specify whether a student’s Social Security Number (SSN), student ID number, or personal identifier for use in electronic systems may be designated and disclosed as directory information. Under the proposed rule, neither an SSN nor a student ID number can be designated directory information. An educational agency or institution may, however, designate as directory information a user ID or other unique identifier used by the student to access or communicate in electronic systems, provided that such user ID or other unique identifier does not permit access to education records covered by FERPA except when combined with other authenticating information known only to the student, such as a PIN.
Education Records – Current regulations specify that “education records” do not include records that contain only information about an individual after he or she is no longer a student. The proposed rule would clarify the intent of this exclusion as covering only records that concern an individual or events that occur after the individual is no longer a student in attendance, such as alumni activities. The definition would therefore be revised to exclude records created or received by an institution after an individual is no longer a student in attendance and that also are not directly related to the individual’s attendance as a student. The proposed rule would further amend the definition of “education records” to exclude peer-graded papers that have not been collected and recorded by a teacher, codifying the U.S. Supreme Court’s decision in Owasso Independent School Dist. No. I–011 v. Falvo, 534 U.S. 426 (2002).
Personally Identifiable Information – In addition to a student’s SSN, student ID number, indirect identifiers such as the name of the student’s parent or other family members, and the student’s address, the regulatory definition of “personally identifiable information” currently includes any personal characteristics or other information that would make the student’s identity easily traceable. The proposed rule would add to the scope of this definition: (1) other information that alone or in combination is linked or linkable to a specific student that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; (2) information requested by a person the institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates; and (3) biometric records of the student.
Permissive Disclosures to Parents of Eligible Students
The substantive legal rights granted by FERPA are generally held by either a student’s parent or an “eligible student” (i.e., students 18 years of age or older, or in attendance at a postsecondary educational institution), but never both at the same time. This has created significant concern and confusion in some parts of the higher education community about how parents of postsecondary students can receive information regarding their children. The proposed changes would clarify several statutory and regulatory provisions that currently permit disclosures of information to the parents of eligible students, including disclosures related to: (1) health or safety emergencies; (2) a violation of law or school policies regarding alcohol or controlled substances by a student under 21 years of age; (3) court orders and subpoenas; and (4) students who are dependents for income tax purposes.
Non-Consensual Disclosures for Health and Safety Emergencies
The current FERPA regulations permit non-consensual disclosure of a student’s personally identifiable information in connection with a health or safety emergency, if such disclosure is necessary to protect the student or other individuals in the school community. According to ED, such currently permitted disclosures include information concerning disciplinary actions for conduct that posed a safety risk to the student or other members of the school community, and disclosures regarding health and safety concerns to teachers and other school officials with a legitimate educational interest in the pertinent student. Under existing regulations, however, the FERPA provision allowing these non-consensual disclosures is to be strictly construed.
In commentary accompanying the proposed rule, ED acknowledges the June 13, 2007 Report to the President on Issues Raised by the Virginia Tech Tragedy (see http://www.hhs.gov/vtreport.html), which includes a finding that widespread “fears and misunderstandings” regarding FERPA and other privacy laws “likely limit the transfer of information in more significant ways than is required by law.” That report further recommended that ED “ensure that parents and school officials understand how and when postsecondary institutions can share information on college students with parents.” See 73 Fed. Reg. 15,574, 15,589 (Mar. 24, 2008).
In response to the report’s findings and recommendations, and in recognition that the current regulations offer no standard for determining whether a health and safety emergency warrants non-consensual disclosure of student information, the proposed rule would make the following revisions:
- Remove the current “strict construction” requirement for determining whether to disclose information that would otherwise be protected by FERPA;
- Permit an institution to take into account the totality of the circumstances pertaining to a threat to the safety of a student or to other individuals;
- Permit an institution, if it determines that there is an articulable and significant threat, to disclose information from education records to any person whose knowledge of the information is necessary to protect the health and safety of the student or other individuals; and
- Clarify that if there is a rational basis for the institution’s disclosure determination at the time it is made, ED will not retroactively substitute its judgment in evaluating the circumstances.
Disclosures to Contractors Performing Institution’s Services and Functions
Under existing regulations, personally identifiable information from a student’s education records may be disclosed to school officials having a legitimate educational interest in the information, without prior written consent of the student. ED has previously indicated through guidance letters that outside parties performing services or functions that would otherwise traditionally be undertaken by the institution should benefit from inclusion in the school official exception. The proposed changes would explicitly define the school official exception to include contractors, consultants, volunteers and other outside parties performing institutional services or functions, and further permit non-consensual disclosure of student information on the following terms:
- The outside contractor must be under the direct control of the educational agency or institution;
- The outside contractor must be performing the type of institutional service for which the educational agency or institution would otherwise use its own employees;
- The outside contractor must be subjct to the same conditions governing use and redisclosure of student information applicable to school officials under FERPA, namely, that (1) the student information may be used only for the purpose that the disclosure was made; and (2) redisclosure generally may not occur without prior written consent of the student; and
- The institution must have complied with FERPA’s annual notification requirements by (1) specifying to students the criteria used in designating school officials; and (2) identifying the contractors, consultants, and/or volunteers that have been designated as “school officials” for the purposes of non-consensual disclosures.
Additionally, it is incumbent upon the educational agency or institution to ensure that its outside contractors use any student’s personally identifiable information in strict compliance with the institution’s requirements and for no purpose beyond that specifically underlying the disclosure. Ultimately, it is the educational institution that is responsible to ED for its outside contractor’s failure to comply with FERPA’s requirements.
Identification and Authentication of Information Recipients
Presuming that disclosure is permitted, there is nothing in the current statute or regulations addressing whether an educational agency or institution must also ensure that it has properly identified and authenticated the party to whom it discloses personally identifiable information from a student’s education records. The proposed regulatory revisions would require an educational agency or institution to use reasonable methods to identify and authenticate the identity of the recipient before any information is provided. Although ED does not specifically define “reasonable methods,” it emphasizes that the chosen method must reduce the risk of unauthorized disclosure to a level that is commensurate with the likely threat and potential harm from wrongful disclosure. The proposed rule further states that “reasonable methods” can be defined by the usual and customary good business practices of other educational agencies and institutions, which requires ongoing review and modification of procedures as standards and technologies change.
FERPA Investigations and Enforcement
Current regulations specify that if an educational agency or institution has been found by ED to be noncompliant with FERPA and does not comply with corrective measures within a prescribed timeframe, then ED may withhold further payments of federal funds, issue a cease-and-desist order to compel compliance or terminate eligibility to receive federal funding. Acknowledging the U.S. Supreme Court’s decision in Gonzaga University v. Doe, 536 U.S. 273 (2002), which held that FERPA does not create a private right of action and that the enforcement of FERPA is exclusively a regulatory matter for ED, the proposed revisions would clarify that enforcement authority. Among other things, the proposed rule would clarify that ED may take any appropriate enforcement action in addition to those specifically listed in the regulations.
The above are just some of the major changes proposed to the regulations implementing FERPA. The full notice of proposed rulemaking is available at 73 Fed. Reg. 15574 (March 24, 2008) or in PDF format online at http://edocket.access.gpo.gov/2008/pdf/E8-5790.pdf. Comments to the proposed changes were due by May 8, 2008, and a final rule is expected to be issued later this year.