Changes are coming to FERPA, including the potential for fines

The House Committee on Education and the Workforce recently announced the introduction of a bill to amend FERPA. The Student Privacy Protection Act (H.R. 3157) has bipartisan support and is intended to modernize privacy protections, improve communication, and “hold schools, states and independent entities accountable for their use of student information.”

Included among the more significant changes the bill would make are:

• Giving State educational authorities a responsibility to ensure compliance. The bill would add a definition for a “State educational authority” as a “State agency or other entity in charge of the education programs of a State.” It imposes on the SEA a requirement to “verify” that the educational institutions under its jurisdiction have provided to parents and eligible students, in an “easy-to-understand” format, notices of their rights and that those institutions are in compliance with provisions dealing with disclosure of personally identifiable information from student educational records. It also includes a requirement for the SEA to certify to the Secretary of Education that each agency or institution under the jurisdiction of the SEA is in compliance with those provisions.
• Prescribing additional security practices. The bill would require educational agencies and institutions and the SEA to designate an official responsible for maintaining security of their education records. They are to require any party given access to such records to have similar security practices and are to establish a notification policy in the event of a breach of their policies regarding the security of the education records they hold or maintain. This requires notification of the breach to parents or eligible students be made within three days of becoming aware of the breach.
• Changing the “school official” exception for non-consensual disclosures. Per the regulations implementing the current version of FERPA, a “school official” is defined to include a “contractor, consultant, volunteer or other party to whom an agency or institution has outsourced institutional services or functions” subject to certain conditions. The bill, however, would limit this exception expressly to school officials, including teachers. However, it would then create a new exception for “an education service provider, contractor, consultant, volunteer, or other party” having legitimate educational interest and to whom the institution or agency has outsourced a function or service. It includes the conditions currently in the regulation for this exception to apply, but would add additional ones as well. Specifically, the bill would require that there be a written agreement with any such entity or individual that addresses the protection of the information being disclosed and specifies a number of provisions such an agreement is to address, including a description of any subcontractor or other person acting for the party and the penalties for a security breach in violation of the agreement.
• Making agreements available. The bill would require that institutions make available to parents and eligible students any agreements they are required to have pursuant to FERPA.
• Changing the exception for non-consensual disclosures for studies. FERPA currently allows non-consensual disclosures of information from student records to organizations conducting studies for, or on behalf of, institutions, but such studies must be for three specified purposes: develop, validate or administer predictive tests; administer student aid programs; or improve instruction. The bill, however, would limit the exception to studies for the purpose of “improving the academic outcomes of students attending that educational agency or institution.”
• Including a ban on marketing and advertising. The bill prohibits any “person with access to an education record or a student’s personally identifiable information contained in the education record” from marketing or otherwise advertising directly to students using information gained through that access. Some limited exceptions are provided such as for school pictures, class rings, yearbooks and similar school-sanctioned commemorative products, events or activities.
• Authorizing the imposition of penalties. The bill would authorize the Secretary of Education to impose fines upon educational agencies or institutions and the SEA for failures to voluntarily comply or for substantial violations. The fine is to be a minimum of $100, but depending on the severity of the violation can go to a maximum of $1.5 million. However, in no case could it exceed 10 percent of the violator’s annual budget. The money so collected would be used for purposes of providing technical assistance on privacy and security and enforcing the provisions of the bill. The bill would also authorize the Secretary to refer to the Federal Trade Commission or the Department of Justice violations by other parties and also authorize the Secretary to require institutions to prohibit such other party to have access to personally identifiable information for not less than five or more than 12 years as determined by the Secretary.

What this means to you

These are just some of the changes to FERPA that would result from enactment of H.R. 3157. Given the bipartisan support for the bill, institutions should review it to further understand the changes it will make. In anticipation of it becoming law during this session of Congress, they also should be prepared to update their policies and procedures designed to protect the confidentiality of student educational records consistent with the final version of the bill. However, there is still time to weigh in on the bill and provide your comments to your respective representatives and senators regarding matters or concern and additional burdens that would be imposed.