place to restrict access to education records only to a school official
with a legitimate educational interest.
Changes: None.
Transfer of Education Records to Student's New School (Sec. Sec.
99.31(a)(2) and 99.34(a))
Comment: All of the comments we received on proposed Sec. Sec.
99.31(a)(2) and 99.34(a) supported the clarification that an
educational agency or institution may disclose a student's education
records to officials of another school, school system, or institution
of postsecondary education not just when the student seeks or intends
to enroll, but after the student is already enrolled, so long as the
disclosure is for purposes related to the student's enrollment or
transfer. Some commenters noted that this clarification reduces legal
uncertainty about how long a school may continue to send records or
information to a student's new school; other commenters noted that this
clarification will be helpful in serving students who are homeless or
in foster care because these students are often already enrolled in a
new school system while waiting for records from a previous enrollment.
A few commenters asked us to clarify the requirement that the
disclosure must be for purposes related to the student's enrollment or
transfer. The commenters asked whether this meant that only records
specifically related to the new school's decision to admit the student
or records related to the transfer of course credit could be disclosed,
or whether the agency or institution could also disclose information
about previously undisclosed disciplinary actions related to the
student's ongoing attendance at the new institution. One commenter
suggested that we remove the requirement that the disclosure must be
for purposes of the student's enrollment or transfer because it was
confusing and unnecessary. Some commenters asked the Department to
provide guidance about the types of records that may be sent under the
regulations to a student's new school, noting that the preamble to the
NPRM stated that the regulations allow school officials to disclose any
and all education records, including health and disciplinary records,
to the new school (73 FR 15581).
One commenter asked us to clarify that any school, not just the
school the student attended most recently, may disclose information
from education records to the institution that the student currently
attends. Another commenter asked whether the amended regulations would
permit the disclosure of education records to an institution in which a
student seeks information or services but not enrollment, such as when
a charter school student requests an evaluation under the IDEA from the
student's home school district.
Two commenters asked whether mental health and other treatment
records of postsecondary students, which are excluded from the
definition of education records under FERPA, could be disclosed to the
new school. Other commenters asked whether FERPA places any limits on
the transfer of information about student disciplinary actions to
colleges and universities and what information a postsecondary
institution may ask for and receive regarding a student's disciplinary
actions. A few commenters asked us to address the relationship between
these regulations and guidance issued by the Department's Office for
Civil Rights (OCR) prohibiting the pre-admission release of information
about a student's disability under section 504 of the Rehabilitation
Act of 1973, as amended, and Title II of the Americans with
Disabilities Act of 1990, as amended.
Discussion: The regulations are intended to eliminate uncertainty
about whether, under Sec. 99.31(a)(2), an educational agency or
institution may send education records to a student's new school even
after the student is already enrolled and attending the new school. The
requirement that the disclosure must be for purposes related to the
student's enrollment or transfer is not intended to limit the kind of
records that may be disclosed under this exception. Instead, the
regulations are intended to clarify that, after a student has already
enrolled in a new school, the student's former school may disclose any
records or information, including health records and information about
disciplinary proceedings, that it could have disclosed when the student
was seeking or intending to enroll in the new school.
These regulations apply to any school that a student previously
attended, not just the school that the student attended most recently.
For example, under Sec. 99.31(a)(2), a student's high school may send
education records directly to a graduate school in which the student
seeks admission, or is already enrolled. Section 99.34(b), which
explains the conditions that apply to the disclosure of information to
officials of another school, school system, or postsecondary
institution, allows a public charter school or other agency or
institution to disclose the education records of one of its students in
attendance to the student's home school district if the student
receives or seeks to receive services from the home school district,
including an evaluation under the IDEA. We note, however, that the
confidentiality of information regulations under Part B of the IDEA
contain additional consent requirements that may also apply in these
circumstances.
Under section 444(a)(4)(B)(iv) of FERPA, 20 U.S.C.
1232g(a)(4)(B)(iv), medical and psychological treatment records of
eligible students are excluded from the definition of education records
if they are made, maintained, and used only in connection with
treatment of the student and disclosed only to individuals providing
the treatment, including treatment providers at the student's new
school. (While the comment concerned records of postsecondary students,
we note that the treatment records exception to the definition of
education records applies also to any student who is 18 years of age or
older, including 18 year old high school students.) An educational
agency or institution may disclose an eligible student's treatment
records to the student's new school for purposes other than treatment
provided that the records are disclosed under one of the exceptions to
written consent under Sec. 99.31(a), including Sec. 99.31(a)(2), or
with the student's written consent under Sec. 99.30. If an educational
agency or institution discloses an eligible student's treatment records
for purposes other than treatment, the treatment records are no longer
excluded from the definition of education records and are subject to
all other FERPA requirements, including the right of the eligible
student to inspect and review the records and to seek to have them
amended under certain conditions. In practical terms, this means that
an agency or institution may disclose an eligible student's treatment
records to the student's new school either with the student's written
consent, or under one of the exceptions in Sec. 99.31(a), including
Sec. 99.31(a)(2), which permits disclosure to a school where a student
seeks or intends to enroll, or where the student is already enrolled so
long as the disclosure is for purposes related to the student's
enrollment or transfer.
FERPA does not contain any particular restrictions on the
disclosure of a student's disciplinary records. Further, Congress has
enacted legislation to ensure that schools transfer disciplinary
records to a student's new school in certain circumstances. In
particular, section 444(h) of the statute, 20 U.S.C. 1232g(h), and the
implementing regulations in Sec. 99.36(b) provide that nothing in
FERPA prevents an educational agency
[[Page 74819]]
or institution from including in a student's records and disclosing to
teachers and school officials, including those in other schools,
appropriate information about disciplinary actions taken against the
student for conduct that posed a significant risk to the safety or
well-being of that student, other students, or other members of the
school community. This authority is in addition to any other authority
in FERPA for the disclosure of education records without consent,
including the authority under Sec. 99.36(a) to disclose education
records in connection with a health or safety emergency. In addition,
section 4155 of the Elementary and Secondary Education Act of 1965
(ESEA), 20 U.S.C. 7165, as amended by the No Child Left Behind Act of
2001 (NCLB), requires a State that receives funds under the ESEA to
have a procedure in place to facilitate the transfer of disciplinary
records, with respect to a suspension or expulsion, by LEAs to any
private or public elementary school or secondary school for any student
who is enrolled or seeks, intends, or is instructed to enroll, on a
full-or part-time basis, in the school.
There are, however, other Federal laws, such as the IDEA, section
504 of the Rehabilitation Act of 1973, as amended (Rehabilitation Act),
and Title II of the Americans with Disabilities Act of 1990, as amended
(ADA), with different requirements that may affect the release of
student information. For example, educational agencies and institutions
that are ``public agencies'' or ``participating agencies'' under the
IDEA must comply with the requirements in the Part B confidentiality of
information regulations. See, e.g., 34 CFR 300.622(b)(2) and (3). By
way of further illustration, because educational agencies and
institutions receive Federal financial assistance, they must comply
with the regulations implementing section 504 of the Rehabilitation
Act, which generally prohibit postsecondary institutions from making
pre-admission inquiries about an applicant's disability status. See 34
CFR 104.42(b)(4) and (c). However, after admission, in connection with
an emergency and if necessary to protect the health or safety of a
student or other persons as defined under FERPA and its implementing
regulations, section 504 of the Rehabilitation Act and Title II of the
ADA do not prohibit postsecondary institutions from obtaining
information and education records concerning a current student,
including those with disabilities, from any school previously attended
by the student. See the discussion in the section entitled Health or
Safety Emergency (Sec. 99.36).
Changes: None.
Ex Parte Court Orders Under the USA Patriot Act (Sec. 99.31(a)(9))
Comment: Two commenters expressed support for the proposed
regulations, which incorporate statutory changes that allow an
educational agency or institution to comply with an ex parte court
order issued under the USA Patriot Act. One commenter said that it
would be helpful to add to the regulations a statement from the
preamble to the NPRM that an institution is not responsible for
determining the relevance of the information sought or the merits of
the underlying claim for the court order.
Several commenters opposed Sec. 99.31(a)(9). One commenter said
that the USA Patriot Act is unconstitutional and that its provisions
will sunset in 2009. Another commenter said that the regulations harm
its ability to preserve the confidentiality of education records,
particularly those of foreign students. The commenter asked us to
change the regulations to permit institutions to notify students when
records are requested, unless the ex parte court order specifically
states that the student should not be notified. Another commenter said
that schools should be required to notify parents when records are
requested and to record the disclosure.
Discussion: The USA Patriot Act amendments to FERPA have not been
ruled unconstitutional, and its provisions relevant to FERPA do not
sunset in 2009. Therefore, we are implementing these provisions in our
regulations at this time.
Under the USA Patriot Act, the U.S. Attorney General, or a designee
in a position not lower than an Assistant Attorney General, may apply
for an ex parte court order to collect, retain, disseminate, and use
certain education records in the possession of an educational agency or
institution without regard to any other FERPA requirements, including
in particular the recordkeeping requirements. 20 U.S.C. 1232g(j)(3) and
(4). The USA Patriot Act amendments to FERPA also provide that an
educational agency or institution that complies in good faith with the
court order is not liable to any person for producing the information.
Nothing in these amendments, including the ``good faith'' requirement,
requires an educational agency or institution to evaluate the
underlying merits or legal sufficiency of the court order before
disclosing the requested information without consent. As with any court
order or subpoena that forms the basis of a disclosure without consent
under Sec. 99.31(a)(9), the agency or institution must simply
determine whether the ex parte court order is facially valid. We see no
reason to include this general requirement in the regulations.
Section 99.31(a)(9)(ii) requires an agency or institution to make a
reasonable effort to notify a parent or eligible student of a judicial
order or lawfully issued subpoena in advance of compliance, except for
certain law enforcement subpoenas if the court has ordered the agency
or institution not to disclose the existence or contents of the
subpoena or information disclosed. An ex parte order is by definition
an order issued without notice to or argument from the other party,
including the party whose education records are sought, and the USA
Patriot Act amendments provide that the Attorney General may collect
and use the records without regard to any FERPA requirements, including
the recordation requirements. Under this statutory authority, the
regulations properly provide that the agency or institution is not
required to notify the parent or eligible student before complying with
the order or to record the disclosure.
We do not agree with the commenter's request that we amend the
regulations to allow agencies and institutions to notify parents and
students and record these disclosures. We note that FERPA does not
prohibit an educational agency or institution from notifying a parent
or student or recording a disclosure made in compliance with an ex
parte court order under the USA Patriot Act. However, an agency or
institution that does so may violate the terms of the court order
itself and may also fail to meet the good faith requirements in the USA
Patriot Act for avoiding liability for the disclosure. We would also
recommend that agencies and institutions consult with legal counsel
before notifying a parent or student or recording a disclosure of
education records made in compliance with an ex parte court order under
the USA Patriot Act.
Changes: None.
Registered Sex Offenders (Sec. 99.31(a)(16))
Comment: One commenter asked for clarification whether the proposed
regulations authorizing the disclosure of personally identifiable
information from education records concerning registered sex offenders
authorize only the disclosure of information that is received from
local law enforcement officials, or whether disclosure could
[[Page 74820]]
also include other information from a student's education records, such
as campus of attendance. A second commenter expressed appreciation that
the regulations clarify that school districts are not required or
encouraged to collect or maintain information on registered sex
offenders and that these disclosures are permissible but not required.
Discussion: The Campus Sex Crimes Prevention Act (CSCPA) amendments
to FERPA allow educational agencies and institutions to disclose any
information concerning registered sex offenders provided to the agency
or institution under section 170101 of the Violent Crime Control and
Law Enforcement Act of 1994, 42 U.S.C. 14071, commonly known as the
Wetterling Act. Since publication of the NPRM, we have determined that
the proposed regulations were confusing, because they limited these
disclosures to information that was obtained and disclosed by an agency
or institution in compliance with a State community notification
program. In fact, the CSCPA amendments to FERPA cover any information
provided to an educational agency or institution under the Wetterling
Act, including not only information provided under general State
community notification programs, which are required under subsection
(e) of the Wetterling Act, 42 U.S.C. 14071(e), but also information
provided under the more specific campus community notification programs
for institutions of higher education, which are required under
subsection (j), 42 U.S.C. 14071(j).
The Wetterling Act requires States to release relevant information
about persons required to register as sex offenders that is necessary
to protect the public, including specific State reporting requirements
for law enforcement agencies having jurisdiction over institutions of
higher education. The exception to the consent requirement in FERPA
allows educational agencies and institutions to make available to the
school community any information provided to it under the Wetterling
Act. We interpret this to also include any additional information about
the student that is relevant to the purpose for which the information
was provided to the educational agency or institution--protecting the
public. This could include, for example, the school or campus at which
the student is enrolled.
The proposed regulations included a sentence stating that FERPA
does not require or encourage agencies or institutions to collect or
maintain information about registered sex offenders. We have determined
through further review, however, that this sentence could be confusing
and should be removed. Participating institutions are required under
section 485(f)(1) of the Higher Education Act of 1965, as amended, 20
U.S.C. 1092(f)(1), to advise the campus community where it may obtain
law enforcement agency information provided by the State under 42
U.S.C. 14071(j) concerning registered sex offenders. Further, the
Department does not wish to discourage educational agencies and
institutions from disclosing relevant information about a registered
sex offender in appropriate circumstances.
Changes: We have revised the regulations to remove the reference to
the disclosure of information obtained by the educational agency or
institution in compliance with a State community notification program.
The regulations now simply allow disclosure without consent of any
information concerning registered offenders provided to an educational
agency or institution under 42 U.S.C. 14071 and applicable Federal
guidelines. We also have removed the sentence stating that neither
FERPA nor the regulations requires or encourages agencies or
institutions to collect or maintain information about registered sex
offenders.
Redisclosure of Education Records and Recordkeeping by State and Local
Educational Authorities and Federal Officials and Agencies (Sec. Sec.
99.31(a)(3); 99.32(b); 99.33(b); 99.35(a)(2); 99.35(b))
(a) Redisclosure
Comment: We received a number of comments on the proposed changes
in Sec. 99.35(b) that would permit State and local educational
authorities and Federal officials and agencies listed in Sec.
99.31(a)(3) to redisclose personally identifiable information from
education records on behalf of educational agencies and institutions
without parental consent under the existing redisclosure authority in
Sec. 99.33(b). (Section 99.33(b) allows an educational agency or
institution to disclose personally identifiable information from
education records with the understanding that the recipient may make
further disclosures of the information on behalf of the agency or
institution if the disclosure falls under one of the exceptions in
Sec. 99.31(a) and the agency or institution has complied with the
recordation requirements in Sec. 99.32(b).) Many commenters said that
the proposed change would ease administrative burdens on State and
local educational authorities, agencies, and institutions. For example,
under the proposed regulations, a student's new school district or
institution would be able to obtain the student's prior education
records from a single State agency instead of contacting and waiting
for records from separate districts or institutions. Commenters noted,
however, that certain issues had not been addressed in the proposed
regulations and that further clarification was required. Commenters
also supported the new redisclosure authority to the extent that it
facilitates the exchange of education records among State educational
authorities, educational agencies and institutions, and educational
researchers through consolidated, statewide systems or separate data
sharing arrangements.
Two commenters expressed substantial concerns that the regulations
inappropriately expanded the situations in which personally
identifiable information could be redisclosed without parental or
student consent. One commenter noted that the theoretical benefits of
maintaining large, consolidated data systems, which allow users to
track individual students over time, do not outweigh the need to
protect individual privacy. Another commenter stated that the
regulations should not allow State and local educational authorities
and the Federal officials and agencies listed in Sec. 99.31(a)(3) to
set up and operate record systems containing personally identifiable
information that parents and students have no right to review or amend,
and may not even know about. Barring the withdrawal of these
regulations, these commenters urged the Department to strengthen or at
least preserve the safeguards and protections that accompany this new
data sharing authority. One commenter asked us to require any State or
Federal entity that maintains education records to provide parents and
students with annual notification and the right to review and amend the
students' records.
Many commenters indicated their strong support for allowing State
educational authorities to respond to requests for information from
education records and redisclose personally identifiable information,
whether for data sharing systems, transferring records to a student's
new school, or other purposes authorized under Sec. 99.31(a), without
involving school districts and postsecondary institutions. These
commenters generally thought that State educational authorities and
Federal officials listed in Sec. 99.31(a)(3) should not be required to
consult with educational agencies and institutions when redisclosing
information from education records. One commenter
[[Page 74821]]
asked us to clarify the role of the SEA or other State educational
authority as the custodian of education records and its authority to
act for educational agencies and institutions. Several commenters urged
us to revise the regulations to make clear that the redisclosing
official is authorized to make further disclosures under Sec. 99.31(a)
without approval from, or further consultation with, the original
source of the records and maintain the appropriate record related to
the redisclosure.
One commenter said that the regulations must allow State
educational authorities to transfer records on behalf of LEAs and
postsecondary institutions. One commenter strongly supported the
changes in Sec. 99.35(b) because they would allow the State McKinney-
Vento coordinator to control transfer of education records of abused
and homeless students to their new schools and prevent potential
abusers from locating the student.
Some commenters believed that current regulations impede the
ability of States to establish and operate data sharing systems and
that regulatory changes must allow all educational agencies,
institutions, SEAs, and other State educational authorities to exchange
data among themselves and work with researchers. One commenter
recommended that we create a specific exception in Sec. 99.31(a) that
would allow data sharing across State educational authorities in order
to establish and operate consolidated, longitudinal data systems.
Several commenters asked for clarification of the requirement in
Sec. 99.35(a)(2) that authority for an agency or official listed in
Sec. 99.31(a)(3) to conduct an audit, evaluation, or compliance or
enforcement activity is not conferred by FERPA or the regulations and
must be established under other Federal, State, or local law, including
valid administrative regulations. One commenter supported data sharing
among pre-school, K-12, and postsecondary institutions, provided that
appropriate legal authority for the underlying audit, evaluation, or
compliance and enforcement activity is established as required under
Sec. 99.35(a)(2). One commenter asked whether citation to a specific
law or regulations will be required, or whether general State laws that
provide joint authority to evaluate programs at all levels are
sufficient for parties to enter into data sharing agreements under the
regulations.
One commenter indicated that its State has no laws or regulations
that specifically allow the State-level advisory council to audit or
evaluate education programs, or that allow a K-12 school district to
audit or evaluate the programs offered by postsecondary institutions,
and vice versa, and the commenter asked whether general authority for
these entities to act under State law would be sufficient. Two
commenters whose States do not house their K-12 and postsecondary
systems within the same agency expressed concern whether they will be
able to develop consolidated databases under the regulations if their
K-12 and postsecondary agencies do not have appropriate authority to
audit or evaluate each other's programs.
Discussion: We continue to believe that State and local educational
authorities and Federal officials that receive education records under
Sec. Sec. 99.31(a)(3) and 99.35 should be permitted to redisclose
education records on behalf of educational agencies and institutions in
accordance with the existing regulations governing the redisclosure of
information in Sec. 99.33(b). We agree with the commenters that this
change will ease administrative burdens at all levels and facilitate
the creation and operation of statewide data sharing systems that
support the student achievement, program accountability, transfer of
records, and other objectives of Federal and State education programs
while protecting the privacy rights of parents and students in
students' education records.
We respond first to commenters' concerns about the requirement in
Sec. 99.33(b) that any redisclosure of personally identifiable
information from education records must be made on behalf of the
educational agency or institution that disclosed the information to the
receiving party, including any requirement for consulting with or
obtaining approval from the educational agency or institution that
disclosed the information. The statutory prohibitions on the
redisclosure of education records apply to education records that SEAs,
State higher educational authorities, the Department, and other Federal
officials receive under an exception to the written consent requirement
in FERPA, such as Sec. Sec. 99.31(a)(3) and 99.35 (for audit,
evaluation, compliance and enforcement purposes) and Sec. 99.31(a)(4)
(for financial aid purposes). As explained in the preamble to the NPRM,
Sec. 99.33(b) allows an educational agency or institution to disclose
education records with the understanding that the recipient may make
further disclosures on its behalf under one of the exceptions in Sec.
99.31 (73 FR 15586-15587). In that case, the disclosing agency or
institution must record the names of the additional parties to which
the receiving party may redisclose the information on behalf of the
educational agency or institution and their legitimate interests under
Sec. 99.31.
Under the regulatory framework for redisclosing education records
in Sec. 99.33(b), educational agencies and institutions retain primary
responsibility for disclosing and authorizing redisclosure of their
education records without consent. (We note again that the only
disclosures of education records that are mandatory under FERPA are
those made to parents and eligible students.) The purpose of Sec.
99.33(b), which allows redisclosure of education records
notwithstanding the general statutory restrictions, has always been to
ease administrative burdens on educational agencies and institutions
that disclose education records. The legal basis for this accommodation
is that the recipient is acting ``on behalf of'' the agency or
institution from which it received information from education records
and making a further disclosure that the agency or institution would
otherwise make itself under Sec. 99.31(a). Section 99.33(b) does not
confer on any recipient of education records independent authority to
redisclose those records apart from acting ``on behalf of'' the
disclosing educational agency or institution.
The Department recognizes that the State and local educational
authorities and Federal officials that receive education records
without consent under Sec. 99.31(a)(3) are responsible for supervising
and monitoring educational agencies and institutions and that many of
them also maintain centralized data systems that constitute a valuable
resource of information from education records. The proposed changes to
Sec. 99.35(b) would allow these State and Federal authorities and
officials to redisclose information received under Sec. 99.31(a)(3)
under any of the exceptions in Sec. 99.31(a), including transferring
education records to a student's new school under Sec. 99.31(a)(2),
sharing information among other State and local educational authorities
and Federal officials for audit or evaluation purposes under Sec.
99.31(a)(3), and using researchers to conduct evaluations and studies
under Sec. 99.31(a)(3) or Sec. 99.31(a)(6), without violating the
statutory prohibitions on redisclosing education records provided
certain conditions have been met. In the event that an educational
agency or institution objects to the redisclosure of information it has
provided, the State or
[[Page 74822]]
local educational authority or Federal official or agency may rely
instead on any independent legal authority it has to further disclose
the information.
We agree that current regulations were unclear about the ability of
States to establish and operate data sharing systems with educational
agencies and institutions, which is why we amended Sec. 99.35(b). As
explained in the NPRM (73 FR 15587), Sec. Sec. 99.35(a)(2) and
99.35(b) allow SEAs, higher education authorities, and educational
agencies and institutions, including local school districts and
postsecondary institutions, to share education records in personally
identifiable form with one another, provided that Federal, State, or
local law authorizes the recipient to conduct the audit, evaluation, or
compliance or enforcement activity in question. Accordingly, data
sharing arrangements among State and local educational authorities and
educational agencies and institutions generally must meet these
requirements to be permissible under FERPA. (Data sharing with
educational researchers is discussed below under Educational research.)
With respect to the comments recommending that we create a specific
exception in Sec. 99.31(a) to allow data sharing across State
educational authorities in order to establish and operate consolidated,
longitudinal data systems and other data sharing arrangements, there is
no provision in FERPA that allows disclosure or redisclosure of
education records, without consent, for the specific purpose of
establishing and operating consolidated databases and data sharing
systems, and, therefore, we are without authority to establish one in
these regulations.
In response to the questions concerning the need for Federal,
state, or local legal authority to disclose education records for audit
or evaluation purposes, we note that, in general, FERPA allows
educational agencies and institutions to disclose (and authorized
recipients to redisclose) education records without consent in
accordance with the exceptions listed in Sec. 99.31(a), including for
audit or evaluation purposes under Sec. Sec. 99.31(a)(3) and 99.35. It
does not, however, provide the underlying authority for individuals and
organizations to conduct the various activities that may allow them to
receive education records without consent under these exceptions. For
example, Sec. 99.31(a)(7) does not authorize an organization to
accredit educational institutions; it allows educational institutions
to disclose personally identifiable information from education records,
without consent, to an organization to carry out its accrediting
functions. If that organization is not, in fact, an accreditation
authority for that particular institution, then disclosure under Sec.
99.31(a)(7) is invalid and violates FERPA. Likewise, Sec. 99.31(a)(9)
does not authorize a court or Federal grand jury to issue an order or
subpoena; it allows an educational agency or institution to comply with
a facially valid order or subpoena, without consent.
We added the requirement in Sec. 99.35(a)(2) that the recipient
have authority under Federal, State, or local law to conduct the
activity for which the disclosure was made because there was
significant confusion in the educational community about who may
receive education records without consent for audit and evaluation
purposes under Sec. 99.35. For example, in 2005 the Pennsylvania
Department of Education (PDOE) asked the Department whether, in the
absence of parental consent, a charter school LEA responsible under
State law for providing a free appropriate public education to students
with disabilities enrolled in the charter school could send the local
school district of residence the IEP of each student with a disability.
The school districts of residence claimed that they needed this
information to substantiate the charter school's invoices for higher
payments based on the student's special education status under the
IDEA.
Our January 2006 response to PDOE explained that in order to meet
the requirements for disclosure of education records under Sec. Sec.
99.31(a)(3) and 99.35, Federal, State, or local law (including valid
administrative regulations) must authorize the relevant State or local
educational authority to conduct the audit, evaluation, or compliance
or enforcement activity in question. In particular, we noted that
charter schools in Pennsylvania could disclose the IEP cover sheet
under Sec. Sec. 99.31(a)(3) and 99.35 of the regulations if the State
law in question authorized a local school district to ``audit or
evaluate'' a charter school's request for payment of State funds at the
special education rate and the school district needed personally
identifiable information for that purpose, and that we would defer to
the State Attorney General's interpretation of State law on the matter.
We also explained that there appeared to be no legal authority that
would allow charter schools in the State to disclose a student's entire
IEP to the resident school district, as requested by the resident
school districts.
The Department has always interpreted Sec. Sec. 99.31(a)(3) and
99.35 to allow educational agencies and institutions to disclose
personally identifiable information from education records to the SEA
or State higher education board or commission responsible for their
supervision based on the understanding that those entities are
authorized to audit or evaluate (or enforce Federal legal requirements
related to) the education programs provided by the agencies and
institutions whose records are disclosed. Under this reasoning, a K-12
school district (LEA) may disclose personally identifiable information
from education records to another LEA, or to a State higher education
board or commission, without consent, if that LEA, board, or commission
has legal authority to conduct the audit, evaluation, or compliance or
enforcement activity with regard to the disclosing district's programs.
States do not have to house their K-12 or P-12 and postsecondary
systems within the same agency in order to take advantage of this
provision. However, they may need to review and modify the supervisory
and oversight responsibilities of various State and local educational
authorities to ensure that there is valid legal authority for LEAs,
postsecondary institutions, SEAs, and higher education authorities to
disclose or redisclose personally identifiable information from
education records to one another under Sec. 99.35(a) before
information is released.
It is not our intention in Sec. 99.35(a)(2) to require educational
agencies and institutions and other parties to identify specific
statutory authority before they disclose or redisclose education
records for audit or evaluation purposes but to ensure that some local,
State, or Federal legal authority exists for the audit or evaluation,
including for example an Executive Order or administrative regulation.
The Department encourages State and local educational authorities and
educational agencies and institutions to seek guidance from their State
attorney general on their legal authority to conduct a particular audit
or evaluation. The Department may also provide additional guidance, as
appropriate.
Changes: None.
(b) Recordation Requirements
Comment: In the NPRM, 73 FR 15587, we invited public comment on
whether an SEA, the Department, or other official or agency listed in
Sec. 99.31(a)(3) should be allowed to maintain the record of the
redisclosures it makes on behalf of an educational agency or
[[Page 74823]]
institution as a means of relieving any administrative burdens
associated with recording disclosures of education records. One
commenter urged the Department not to delegate responsibility for
recordkeeping to State and local educational authorities and Federal
agencies and officials that redisclose education records under Sec.
99.33(b). Another said that if a State or local educational authority
or Federal agency or official rediscloses information ``on behalf of''
an educational agency or institution under Sec. 99.35(b), these
further disclosures should be included in the student's record at the
educational agency or institution. All other comments on this issue
supported revising the regulations to allow State and local educational
authorities and Federal officials and agencies listed in Sec.
99.31(a)(3) to record any redisclosures they make under Sec. 99.33(b).
Several commenters suggested that the recordation requirements in
Sec. 99.32(b) would place an undue burden on State and local officials
when State educational authorities redisclose education records because
the State authority would need to return to each original source of the
records to record the redisclosure. Some commenters noted that
compliance with Sec. 99.32(b) is practically impossible if an LEA or
postsecondary institution is required to record all authorized
redisclosures at the time of the initial disclosure of information to
the State or Federal authority. Two commenters suggested that we
eliminate the recordation problem by redefining the term disclosure so
that it does not include disclosing information under Sec. 99.31(a)(3)
for audit, evaluation, or compliance and enforcement purposes. Another
commenter suggested that we define ``educational agency or
institution'' to include State educational authorities so that
disclosures to State educational authorities would not be considered a
disclosure under FERPA.
One commenter said that the regulations should permit State
educational authorities to record redisclosures as they are made and
without having to identify each student by name. Another commenter
asked for clarification whether the recordation requirements apply to
redisclosures that SEAs make to education researchers and other parties
that are not authorized to make any further disclosures, and what level
of detail is required in the record regarding who accessed the data and
what specific information was viewed.
One commenter stated that if State educational authorities and
Federal officials are authorized to record their own redisclosures of
information, then the educational agency or institution should be
required to retrieve these records in response to a request to review
education records by parents and eligible students who would otherwise
not know about the redisclosures. Other commenters suggested that the
State educational authority or Federal official could either make the
redisclosure record available directly to parents and students or send
it to the LEA or postsecondary institution for this purpose.
Discussion: We agree with commenters that in order to facilitate
the operation of State data systems and ease administrative burdens on
all parties, the regulations should allow State educational authorities
and Federal officials and agencies to record further disclosures they
make on behalf of educational agencies and institutions under Sec.
99.33(b). We are revising the provisions of Sec. 99.32 to address
commenters' concerns and ensure that these changes will not expand the
redisclosure authority of a State or local educational authority or
Federal official or agency under Sec. 99.35(b) and that parents and
students will have notice of and access to any State or Federal record
of further disclosures that is created.
In response to the commenter's suggestion that we define
``educational agency or institution'' and the term disclosure to
address recordation issues associated with the new redisclosure
authority in Sec. 99.35(b), we note that an educational agency or
institution is required by statute to maintain with each student's
education records a record of each request for access to and each
disclosure of personally identifiable information from the education
records of the student, including the parties who have requested or
received information and their legitimate interests in the information.
20 U.S.C. 1232g(b)(4)(A); 34 CFR 99.32(a). This includes each
disclosure of personally identifiable information from education
records that an educational agency or institution makes to an SEA or
other State educational authority and to Federal officials and
agencies, including the Department, for audit, evaluation, or
compliance and enforcement purposes under Sec. Sec. 99.31(a)(3) and
99.35, and under most other FERPA exceptions, such as the financial aid
exception in Sec. 99.31(a)(4). (Regulatory exceptions to the statutory
recordation requirements, which are set forth in Sec. 99.32(d), cover
disclosures that a parent or eligible student would generally know
about without the recordation or for which notice is prohibited under
court order; the exceptions do not include disclosures made to parties
outside the agency or institution for audit, evaluation, or compliance
and enforcement purposes.)
An educational agency or institution is required under FERPA to
record its disclosures of personally identifiable information from
education records even when it discloses information to another
educational agency or institution, such as occurs under Sec.
99.31(a)(2) when a school district transfers education records to a
student's new school. See 20 U.S.C. 1232g(b)(4)(A); 34 CFR 99.32(a).
Therefore, even if a State educational authority were considered an
``educational agency or institution'' under Sec. 99.1, a school
district or postsecondary institution would still be required to record
its own disclosures to that State educational authority; defining a
State educational authority as an educational agency or institution
would not eliminate this requirement. Therefore, a school district or
postsecondary institution is required to record its disclosures to any
State educational authority.
The term disclosure is defined in Sec. 99.3 to mean to permit
access to or the release, transfer, or other communication of
personally identifiable information contained in education records to
any party, by any means, including oral, written, or electronic means.
This includes releasing or making a student's education records
available to school officials within the agency or institution, for
which an exception to the consent requirement exists under Sec.
99.31(a)(1). We see no legal basis for redefining the term disclosure
to exclude the release of personally identifiable information to third
parties outside the educational agency or institution under the audit,
evaluation, or compliance and enforcement exception to the consent
requirement in Sec. Sec. 99.31(a)(3) and 99.35.
With regard to the level of detail required in the record of
redisclosures, current Sec. 99.32(b) requires an educational agency or
institution to record the ``names of the additional parties to which
the receiving party may disclose the information'' on its behalf and
their legitimate interests under Sec. 99.31. This means the name of
the individual (if an organization is not involved) or the organization
and the exception under Sec. 99.31(a) that would allow the
redisclosure to be made without consent. Under current Sec.
99.33(a)(2), the officers, employees, and agents of a party that
receives
[[Page 74824]]
information from education records may use the information for the
purposes for which the disclosure was made without violating the
limitations on redisclosure in Sec. 99.33(a)(1). Therefore, we
interpret the recordation requirement in Sec. 99.32(b) to mean that an
educational agency or institution may record the name of an
organization, including a research organization, to which a recipient
may make further disclosures under Sec. 99.33(b) and is not required
to record the name of each individual within the organization who is
authorized to use that information in accordance with Sec.
99.33(a)(2).
We also recognize that sometimes an educational agency or
institution does not know at the time of its disclosure of education
records that the receiving party may wish to make further disclosures
on its behalf. Therefore, we interpret Sec. 99.32(b) to allow a
receiving party to ask an educational agency or institution to record
further disclosures made on its behalf after the initial receipt of the
records or information.
These same policies apply to further disclosures made by State and
local educational authorities and Federal officials listed in Sec.
99.31(a)(3) that redisclose information on behalf of educational
agencies and institutions under the new authority in Sec. 99.35(b).
Educational agencies and institutions that disclose education records
under Sec. 99.31(a)(3) with the understanding that the State or
Federal authority or official may make further disclosures may continue
to record those further disclosures as provided in Sec. 99.32(b)(1).
Like any other recipient of education records, a State or Federal
authority or official may also ask an educational agency or institution
to record further disclosures made on its behalf after the initial
receipt of the records or information. It is incumbent upon a State or
Federal authority or official that makes further disclosures on behalf
of an educational agency or institution under Sec. 99.33(b) to
determine whether the educational agency or institution has recorded
those further disclosures. If the educational agency or institution
does not do so, then under the revisions to Sec. 99.32(b)(2)(i) in the
final regulations, the State and local educational authority or Federal
official or agency that makes further disclosures must maintain the
record of those disclosures.
We have also revised Sec. 99.32(a) to ensure that educational
agencies and institutions maintain a listing in each student's record
of the State and local educational authorities and Federal officials
and agencies that may make further disclosures of the student's
education records without consent under Sec. 99.33(b). This will help
ensure that parents and students know that the record of disclosures
maintained by an educational agency or institution as required under
Sec. 99.32(a) may not contain all further disclosures made on behalf
of the agency or institution by a State or Federal authority or
official and alert parents and students to the need to ask for access
to this additional information. We have also revised Sec. 99.32(a) to
require an educational agency or institution to obtain a copy of the
record of further disclosures maintained at the State or Federal level
and make it available for parents and students to inspect and review
upon request.
In response to commenters' suggestions, the regulations in new
Sec. 99.32(b)(2)(ii) allow a State or local educational authority or
Federal official or agency to identify the redisclosure by the
student's class, school, district, or other appropriate grouping rather
than by the name of each student whose record was redisclosed. For
example, an SEA may record that it disclosed to the State higher
education authority the scores of each student in grades nine through
12 on the State mathematics assessment for a particular year. We
believe that this procedure eases administrative burdens while ensuring
that a parent or student may access information about the redisclosure.
We note that the recordation requirements under Sec.
6401(c)(i)(IV) of the America COMPETES Act, Public Law 110-69, 20
U.S.C. 9871(c)(i)(IV), are more detailed and stringent than those
required under FERPA. In particular, a State that receives a grant to
establish a statewide P-16 education data system under Sec.
6401(c)(2), 20 U.S.C. 9871(c)(2), is required to keep an accurate
accounting of the date, nature, and purpose of each disclosure of
personally identifiable information in the statewide P-16 education
data system; a description of the information disclosed; and the name
and address of the person, agency, institution, or entity to whom the
disclosure is made. The State must also make this accounting available
on request to parents of any student whose information has been
disclosed. The Department will issue further guidance on these
requirements if the program is funded and implemented.
Changes: We have made several changes to Sec. 99.32, as follows:
New Sec. 99.32(b)(2)(i) provides that a State or local
educational authority or Federal official or agency listed in Sec.
99.31(a)(3) that makes further disclosures of information from
education records must record the names of the additional parties to
which it discloses information on behalf of an educational agency or
institution and their legitimate interests under Sec. 99.31 in the
information if the information was received from an educational agency
or institution that has not recorded the further disclosures itself or
from another State or local official or Federal official or agency
listed in Sec. 99.31(a)(3).
New Sec. 99.32(b)(2)(ii) provides that a State or local
educational authority or Federal official or agency that records
further disclosures of information may maintain the record by the
student's class, school, district or other appropriate grouping rather
than by the name of the student.
New Sec. 99.32(b)(2)(iii) provides that upon request of
an educational agency or institution, a State or local educational
authority or Federal official or agency that maintains a record of
further disclosures must provide a copy of the record of further
disclosures to the educational agency or institution within a
reasonable period of time not to exceed 30 days.
Revised Sec. 99.32(a)(1) requires educational agencies
and institutions to list in each student's record of disclosures the
names of the State and local educational authorities and Federal
officials or agencies that may make further disclosures of the
information on behalf of the educational agency or institution under
Sec. 99.33(b).
New Sec. 99.32(a)(4) requires an educational agency or
institution to obtain a copy of the record of further disclosures
maintained by a State or local educational authority or Federal
official or agency and make it available in response to a parent's or
student's request to review the student's record of disclosures.
Educational Research (Sec. Sec. 99.31(a)(6) and 99.31(a)(3))
Comment: We received a number of comments on proposed Sec.
99.31(a)(6)(ii). In this section, we proposed that an educational
agency or institution that discloses personally identifiable
information without consent to an organization conducting studies for,
or on behalf of, the educational agency or institution must enter into
a written agreement with the organization specifying the purposes of
the study and containing certain other elements. This exception to the
consent requirement is often referred to as the ``studies exception.''
While all of the comments on this provision generally supported the
changes, many of the commenters raised concerns about the scope and
[[Page 74825]]
applicability of the studies exception and requested clarification on
some of the proposed changes, particularly with regard to the
provisions relating to written agreements.
Discussion: We address commenters' specific concerns about the key
portions of these regulations in the following sections.
Changes: None.
(a) Scope and Applicability of Sec. 99.31(a)(6)
Comment: Several commenters stated that the proposed regulations
did not clearly indicate that the studies exception applies to State
educational authorities. Some commenters, assuming that Sec.
99.31(a)(6) applied to State educational authorities, noted that the
proposed regulations did not provide clear authority for State
educational authorities such as an SEA, or a State longitudinal data
system using State generated data (such as State assessment results),
to enter into research agreements on behalf of educational agencies and
institutions. One commenter stated that Sec. 99.31(a)(6) should not be
interpreted to require that research agreements be entered into by
individual schools or that any resulting redisclosures be recorded by
the individual schools.
One commenter asked for clarification regarding whether Sec.
99.31(a)(6) permitted a school to disclose a student's education
records to his or her previous school for the purpose of evaluating
Federal or State-supported education programs or for improving
instruction.
Another commenter stated that the Department should further revise
the regulations to provide that only individuals in the organization
conducting the study who have a legitimate interest in the information
disclosed be given access to the information. The commenter also stated
that the Department should specifically limit Sec. 99.31(a)(6) to bona
fide research projects by prohibiting organizations conducting studies
under this exception from using record-level data for other operational
or commercial purposes. The commenter also expressed concern about the
duration of research projects, noting that significantly more
restrictive access should be required for studies that track personally
identifiable information for long periods of time. The commenter stated
further that the Department should consider imposing a time limit on
how long information obtained through longitudinal studies can be
retained.
Discussion: FERPA permits an educational agency or institution to
disclose personally identifiable information from an education record
of a student without consent if the disclosure is to an organization
conducting studies for, or on behalf of, the educational agency or
institution to (a) develop, validate, or administer predictive tests;
(b) administer student aid programs; or (c) improve instruction. 20
U.S.C. 1232g(b)(1)(F); 34 CFR 99.31(a)(6). Disclosures made under the
studies exception may only be used by the receiving party for the
purposes for which the disclosure was made and for no other purpose or
study. As such, Sec. 99.31(a)(6) is not a general research exception
to the consent requirement in FERPA but an exception for studies
limited to the purposes specified in the statute and regulations.
We first note that it may not be necessary or even advantageous for
State educational authorities to use the studies exception in order to
conduct or authorize educational research because of the limitations in
Sec. 99.31(a)(6). In contrast, Sec. 99.31(a)(3)(iv), under the
conditions set forth in Sec. 99.35, allows educational agencies and
institutions, such as LEAs and postsecondary institutions, to disclose
education records without consent to State educational authorities for
audit and evaluation purposes, which can include a general range of
research studies beyond the more limited group of studies specified
under Sec. 99.31(a)(6). Also, as explained more fully elsewhere in
this preamble, while a State educational authority must have the
underlying legal authority to audit or evaluate the records it receives
from LEAs or postsecondary institutions under Sec. 99.35, the LEA or
postsecondary institution is not required to enter into a written
agreement for the audit or evaluation as it is required to do under
Sec. 99.31(a)(6). (See Redisclosure of Education Records and
Recordkeeping by State and Local Educational Authorities and Federal
Officials and Agencies.) The absence of an explanation of the
authorized representatives exception (Sec. 99.31(a)(3)) in the NPRM
created confusion, especially with regard to how State departments of
education may utilize education records for evaluation purposes.
Therefore, we have included that explanation here.
The conditions for disclosing education records without consent
under Sec. Sec. 99.31(a)(3)(iv) and 99.35 are discussed in the
Department's Memorandum from the Deputy Secretary of Education (January
30, 2003) available at http://www.ed.gov/policy/gen/guid/secletter/
030130.html. The Deputy Secretary's memorandum explains that under this
exception an ``authorized representative'' of a State educational
authority is a party under the direct control of that authority, e.g.,
an employee or a contractor.
In general, the Department has interpreted FERPA and implementing
regulations to permit the disclosure of personally identifiable
information from education records, without consent, in connection with
the outsourcing of institutional services and functions. Accordingly,
the term ``authorized representative'' in Sec. 99.31(a)(3) includes
contractors, consultants, volunteers, and other outside parties (i.e.,
non-employees) used to conduct an audit, evaluation, or compliance or
enforcement activities specified in Sec. 99.35, or other institutional
services or functions for which the official or agency would otherwise
use its own employees. For example, a State educational authority may
disclose personally identifiable information from education records,
without consent, to an outside attorney retained to provide legal
services or an outside computer consultant hired to develop and manage
a data system for education records.
The term ``authorized representative'' also includes an outside
researcher working as a contractor of a State educational authority or
other official listed in Sec. 99.31(a)(3) that has outsourced the
evaluation of Federal or State supported education programs. An outside
researcher may conduct independent research under this provision in the
sense that the researcher may propose or initiate research projects for
consideration and approval by the State educational authority or other
official listed in Sec. 99.31(a)(3) either before or after the parties
have negotiated a research agreement. Likewise, the State educational
authority or official does not have to agree with or endorse the
researcher's results or conclusions. In so doing, an outside researcher
retained to evaluate education programs by a State educational
authority or other official listed in Sec. 99.31(a)(3) as an
``authorized representative'' may be given access to personally
identifiable information from education records, including statistical
information with unmodified small data cells. However, the term
``authorized representative'' does not include independent researchers
that are not contractors or other parties under the direct control of
an official or agency listed in Sec. 99.31(a)(3).
While an educational agency or institution may not disclose
personally identifiable information from students' education records to
independent researchers, nothing in FERPA prohibits
[[Page 74826]]
them from disclosing information that has been properly de-identified.
Further discussion of this issue is provided in the following
paragraphs and under the section entitled Personally Identifiable
Information and De-Identified Records and Information.
An SEA or other State educational authority that has legal
authority to enter into agreements for LEAs or postsecondary
institutions under its jurisdiction may enter into an agreement with an
organization conducting a study for the LEA or institution under the
studies exception. If the SEA or other State educational authority does
not have the legal authority to act for or on behalf of an LEA or
institution, then it would not be permitted to enter into an agreement
with the organization conducting the study under this exception. As
previously mentioned, FERPA authorizes certain disclosures without
consent; it does not provide an SEA or other State educational
authority with the legal authority to act for or on behalf of an LEA or
postsecondary institution.
With regard to the request for clarification whether Sec.
99.31(a)(6) permits a school to disclose a student's education records
to his or her previous school for evaluation purposes, the studies
exception only allows disclosures to organizations conducting studies
for, or on behalf of, the educational agency or institution that
discloses its records. The ``for, or on behalf of'' language from the
statute does not permit disclosures under this exception so that the
receiving organization can conduct a study for itself or some other
party. This issue is discussed in more detail under the section of this
preamble entitled Disclosure of Education Records to Student's Former
Schools.
We agree with the comment that the regulations should be revised to
provide that only those individuals in the organization conducting the
study that have a legitimate interest in the personally identifiable
information from education records can have access to the records. The
Secretary also shares the commenter's concerns about limiting Sec.
99.31(a)(6) to bona fide research projects, prohibiting commercial
utilization of education records, and limiting the duration of research
projects. We address these issues in greater detail in the following
section concerning written agreements.
Changes: None.
(b) Written Agreements for Studies
Comment: Several commenters expressed concern that Sec.
99.31(a)(6) not be read so broadly as to erode parents' and students'
privacy rights, and, therefore, supported the restrictions that the
Secretary included in this provision. Specifically, they supported the
new requirement that educational agencies and institutions must enter
into a written agreement with the organization conducting the study
that specifies: the purpose of the study, that the information from the
education records disclosed be used only for the stated purpose, that
individuals outside the organization may not have access to personally
identifiable information about the students being studied, and that the
information be destroyed or returned when it is no longer needed for
the purpose of the study.
Several commenters said that the Department should clarify that the
existence of a written agreement is not a rationale in and of itself
for the disclosure of education records. They stated that the
regulations should provide explicitly that a written agreement does not
modify the protections under FERPA or justify the use of the records
transferred other than as permitted by the statute and the regulations.
Some of these commenters stated that the written agreement should
include a description of the specific records to be disclosed for the
study.
Several commenters agreed with the provision in the proposed
regulations that specified that an educational agency or institution
does not need to agree with or endorse the conclusions or results of
the study. Other commenters asked that we include in the regulations
the explanation provided in the preamble to the NPRM that the school
also does not need to initiate the study.
One commenter suggested that we change the references from
``study'' to ``studies'' so that it is clear that an agency or
institution and a research organization could enter into one agreement
that would cover a variety of studies that support the State's or
school district's educational objectives. One commenter suggested that
the Department certify agreements between educational agencies and
research organizations as meeting the requirements of FERPA.
There were several comments on the destruction of information
requirements in FERPA. Some suggested that we include in the
regulations the specific time period by which information disclosed to
a researcher must be destroyed, while others stated that ongoing access
to data is necessary and that researchers should be permitted to retain
information indefinitely. Some commenters suggested that the required
time period for the destruction or return of education records, as
deemed necessary by the parties to support the purposes of the
authorized study or studies, be established in the written agreement.
One commenter approved including the requirements regarding the use
and destruction of data in the written agreement as a way of improving
compliance with FERPA. However, the commenter questioned our
explanation that the language in the statute providing that the study
must be conducted ``for, or on behalf of'' the educational agency or
institution means that the disclosing school must retain control over
the information once it has been given to a third party conducting a
study. The commenter believed that school districts will not be
involved in how a study is performed and that the written agreement
with the organization specifying the organization's obligations with
regard to the use and destruction of data should be sufficient.
Discussion: The Secretary shares the concerns raised by commenters
that Sec. 99.31(a)(6) not be read so broadly as to erode parents' and
students' privacy rights. Accordingly, we have revised Sec.
99.31(a)(6) to address some of these concerns and believe that these
changes will provide adequate protection of students' education records
that may be disclosed under the studies exception.
In the NPRM, we proposed to remove current Sec. 99.31(a)(6)(ii)(A)
and (B) and included these requirements under the provisions for
written agreements. These paragraphs provide that the study must be
conducted in a manner that does not permit personal identification of
parents and students by individuals other than representatives of the
organization and that the information be destroyed when no longer
needed for the purposes for which the study was conducted. We are
including Sec. 99.31(a)(6)(ii)(A) and (B) in the final regulations.
After reviewing comments on the proposed changes, we concluded that, by
moving these two provisions into the new paragraph relating to written
agreements, we would have weakened the statutory requirements
concerning the studies exception. We believe this correction will
alleviate commenters' concerns about weakening parents' and students'
privacy rights under FERPA.
We agree with the comments that the existence of a written
agreement is not a rationale in and of itself for the disclosure of
education records. As a privacy statute, FERPA requires that parents
and eligible students provide written consent before educational
agencies and institutions disclose personally identifiable information
from students' education records. There are
[[Page 74827]]
several statutory exceptions to FERPA's general consent rule, one of
which is Sec. 99.31(a)(6), an exception that permits disclosure of
records for studies limited to the purposes specified in the statute
and regulations. However, a written agreement, a memorandum of
understanding, or a contract is not a justification for disclosure of
education records. Rather, a disclosure must meet the requirements in
Sec. 99.31(a)(6) or the other permitted disclosures under Sec. 99.31.
If a disclosure meets the conditions of Sec. 99.31(a)(6), the
disclosure may be made, and the written agreement sets forth the
requirements that must be followed when entering into such an
agreement.
As noted in our earlier discussion of the scope and applicability
of the studies exception, the Secretary concurs that the regulations
should be revised to require that a written agreement expressly include
the purpose, scope, and duration of the agreed upon study, as well as
the information to be disclosed. We also agree with commenters that the
regulations should specifically limit any disclosures of personally
identifiable information from students' education records to those
individuals in the organization conducting the study that have a
legitimate interest in the information. This requirement is consistent
with Sec. 99.32(a)(3)(ii), which requires that an educational agency
or institution record the ``legitimate interests'' the parties had in
obtaining information under FERPA.
The Secretary strongly recommends that schools carefully limit the
disclosure of students' personally identifiable information under this
and the other exceptions in Sec. 99.31 and reminds educational
agencies and institutions that disclosures without consent are subject
to Sec. 99.33(a)(2), which states: ``The officers, employees, and
agents of a party that receives information under paragraph (a)(1) of
this section may use the information, but only for the purposes for
which the disclosure was made.'' The recordation requirements in Sec.
99.32 also apply to any disclosures of personally identifiable
information made under the studies exception. (We note that a school
does not have to record the disclosure of information that has been
properly de-identified.)
Although FERPA permits schools to disclose personally identifiable
information under Sec. 99.31(a)(6) to organizations conducting studies
for or on its behalf, the Secretary recommends that educational
agencies and institutions release de-identified information whenever
possible under this exception. Even when schools opt not to release de-
identified information in these circumstances, we recommend that
schools reduce the risk of unauthorized disclosure by removing direct
identifiers, such as names and SSNs, from records that don't require
them, even though these records may still contain some personally
identifiable information. This is especially important when a school
also discloses sensitive information about students, such as type of
disability and special education services received by the students.
We agree with commenters that Sec. 99.31(a)(6) should be revised
to indicate that an educational agency or institution is not required
to initiate a study. Additionally, we have revised Sec. 99.31(a)(6) to
include the word ``studies'' so that an educational agency or
institution may utilize one written agreement for more than one study,
so long as the requirements concerning information that must be in the
agreement are met.
While we do not have the authority under FERPA to officially
certify agreements between educational agencies and institutions and
organizations conducting studies, FPCO does provide technical
assistance to educational agencies or institutions on FERPA. As such,
if school officials have questions about whether an agreement meets the
requirements in Sec. 99.31(a)(6), they may contact FPCO for
assistance.
With regard to the comments that we include in the regulations a
specific time period by which information provided under the studies
exception must be destroyed, we believe that the parties entering into
the agreement should decide when information has to be destroyed or
returned to the educational agency or institution. As we have
discussed, we have revised Sec. 99.31(a)(6) to require that the
written agreement include the duration of the study and the time period
during which the organization must either destroy or return the
information to the educational agency or institution.
With regard to the comment that a written agreement with the
organization conducting the study should be sufficient for an
educational agency or institution to retain control over information
from education records once the information is given to an organization
conducting a study, we agree that a written agreement required under
the regulations will help ensure that the information is used only to
meet the purposes of the study stated in the written agreement and that
all applicable requirements are met. However, similar to the
requirement that an outside service provider serving as a school
official is subject to FERPA's restrictions on the use and redisclosure
of personally identifiable information from education records,
educational agencies and institutions must ensure that organizations
with which they have entered into an agreement to conduct a study also
comply with FERPA's restrictions on the use of personally identifiable
information from education records. (See pages 15578-15580 of the
NPRM.) That is, the school must retain control over the organization's
access to and use of personally identifiable information from education
records for purposes of the study or studies, including access by the
organization's own employees and subcontractors, as well as any school
officials whom the organization permits to have access to education
records.
An educational agency or institution may need to determine that the
organization conducting the study has reasonable controls in place to
ensure that personally identifiable information from education records
is protected. We note that it is common practice for some data sharing
agreements to have a ``controls section'' that specifies required
controls and how they will be verified (e.g., surprise inspections). We
recommend that the agreement required by Sec. 99.31(a)(6) include a
section that sets forth similar requirements. If a school is unable to
verify that these controls are in place, then it should not disclose
personally identifiable information from education records to an
organization for the purpose of conducting a study.
In this regard, it should be noted that educational agencies and
institutions are responsible for any failures by an organization
conducting a study to comply with applicable FERPA requirements. FERPA
states that if a third party outside the educational agency or
institution fails to destroy information in violation of 20 U.S.C.
1232g(b)(1)(F), the studies exception in FERPA, the educational agency
or institution shall be prohibited from permitting access to
information from education records to that third party for a period of
not less than five years. See 20 U.S.C. 1232g(b)(4)(B).
Changes: We have revised Sec. 99.31(a)(6) to: (1) Retain Sec.
99.31(a)(6)(ii)(A) and (B); (2) amend Sec. 99.31(a)(6)(ii)(A) to
provide that the study must be conducted in a manner that does not
permit personal identification of parents or students by anyone other
than representatives of the organization that have legitimate interest
in the information; (3) amend Sec. 99.31(a)(6)(ii)(C) to require that
the written agreement specify the purpose,
[[Page 74828]]
scope, and duration of the study and the information to be disclosed;
require the organization to use personally identifiable information
from education records only to meet the purpose or purposes of the
study as stated in the written agreement; limit any disclosures of
information to individuals in the organization conducting the study who
have a legitimate interest in the information; and require the
organization to destroy or return to the educational agency all
personally identifiable information when the information is no longer
needed for the purposes of the study and specify the time period during
which the organization must either destroy or return the information to
the educational agency or institution; and (4) amend Sec. 99.31(a)(6)
in new paragraph (iii) to provide that an educational agency or
institution is not required to initiate a study.
Disclosure of Education Records to Non-Educational State Agencies
Comment: Several commenters stated that the proposed amendments did
not specifically address whether an educational agency or institution
is permitted to disclose education records to non-educational State
agencies, such as State health or labor agencies, as part of an
agreement with those agencies, without first obtaining consent. One
commenter said that because the Department has taken the position that
education records may be shared with State auditors who are not
educational officials and who are not, by definition, under the control
of a State educational authority, there is no legal basis to prohibit
the disclosure of education records to other non-educational State and
local agencies.
Some officials representing State health agencies commented that
FERPA should be more closely aligned with the disclosure provisions of
the HIPAA Privacy Rule. One commenter noted that there was a critical
need for public health researchers to be able to access, without
consent, personally identifiable information contained in student
health records to allow for analyses, public health studies, and
research that will benefit school-aged children, as well as the general
population. One organization representing school nurses noted that
public health officials need access to education records for the
purposes of public health reporting, surveillance, and reimbursement.
Several commenters recommended that SEAs be authorized to share
data from education records with State social services, health,
juvenile, and employment agencies, to serve the needs of students,
including special needs, low-income, and at-risk students. One SEA
commented that it did not support extending access to student data to
non-education State agencies, except to State auditors, as specified in
proposed Sec. 99.35(a)(3). This commenter asserted that access to and
use of information from students' education records should be
controlled by a limited number of education officials who are sensitive
to the intent of FERPA and well acquainted with its safeguards.
Discussion: There is no specific exception to the written consent
requirement in FERPA that permits the disclosure of personally
identifiable information from students' education records to non-
educational State agencies. Educational agencies and institutions may
disclose personally identifiable information for audit or evaluation
purposes under Sec. Sec. 99.31(a)(3) and 99.35 only to authorized
representatives of the officials or agencies listed in Sec.
99.31(a)(3)(i) through (iv). Typically, LEAs and their constituent
schools disclose education records to State educational authorities
under Sec. 99.31(a)(3)(iv), such as the SEA, for audit, evaluation, or
compliance and enforcement purposes.
There are some exceptions that might authorize disclosures to non-
educational State agencies for specified purposes. For example,
disclosures may be made in a health or safety emergency (Sec. Sec.
99.31(a)(10) and 99.36), in connection with financial aid (Sec.
99.31(a)(4)), or pursuant to a State statute under the juvenile justice
system exception (Sec. Sec. 99.31(a)(5) and 99.38), and any
disclosures must meet the specific requirements of the particular
exception. FERPA, however, does not contain any specific exceptions to
permit disclosures of personally identifiable information without
consent for public health or employment reporting purposes. That said,
nothing in FERPA prohibits an educational agency or institution from
importing information from another source to perform its own
evaluations.
We believe that any further expansion of the list of officials and
entities in FERPA that may receive education records without the
consent of the parent or eligible student must be authorized by
legislation enacted by Congress.
We explained in the NPRM on page 15577 that, with respect to State
auditors, legislative history for the 1979 FERPA amendment indicates
that Congress specifically intended that FERPA not preclude State
auditors from obtaining personally identifiable information from
education records in order to audit Federal and State supported
education programs, notwithstanding that the statutory language in the
amendment refers only to ``State and local educational officials.'' See
20 U.S.C. 1232g(b)(5); H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10
(1979), reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824. This
legislative history provides a basis for drawing a distinction between
State auditors and officials of other State agencies that also are not
under the control of the State educational authority. (As explained
more fully under State auditors, upon further review, we have removed
from the final regulations the proposed regulations related to State
auditors and audits.)
The 1979 amendment to FERPA does not apply to other State officials
or agencies, and there is no other legislative history to indicate that
Congress intended that FERPA be interpreted to permit educational
agencies and institutions, or State and local educational authorities
or Federal officials and agencies listed in Sec. 99.31(a)(3), to share
students' education records with non-educational State officials. In
fact, Congress has, on numerous occasions, indicated otherwise.
As discussed elsewhere in this preamble under the heading Health or
Safety Emergency, the HIPAA Privacy Rule specifically excludes from
coverage health care information that is maintained as an ``education
record'' under FERPA. 45 CFR 160.103, Protected health information. We
understand that the HIPAA Privacy Rule allows covered entities to
disclose identifiable health data without written consent to public
health authorities. However, there is no comparable exception to the
written consent requirement in FERPA.
As mentioned previously, in conducting an audit, evaluation, or
compliance or enforcement activity, an educational authority may
collaborate with other State agencies by importing data from those
sources and conducting necessary matches. Any reports or other
information created as a result of the data matches may only be
released to those non-educational officials in non-personally
identifiable form. Educational authorities may also release information
on students to non-educational officials that has been properly de-
identified, as described in Sec. 99.31(b)(1).
Additionally, many agencies providing services to low income or at-
risk families have parents sign a consent form authorizing disclosure
of
[[Page 74829]]
information at intake time so that the agency can receive necessary
information from schools. In 1993, we amended the FERPA regulations to
help facilitate this practice. In final regulations published in the
Federal Register on January 7, 1993 (58 FR 3188), we removed the
previous requirement in the regulations that schools ``obtain'' consent
from parents and eligible students so that parents and eligible
students may ``provide'' a signed and dated consent to third parties in
order for the school to disclose education records to those parties.
Therefore, parents can provide consent at intake time to State and
local social services and other non-educational agencies serving the
needs of students in order to permit their children's schools (or the
SEA) to disclose education records to the agency. For example, parents
routinely provide consent to the Medicaid agency that permits that
agency to collect information from other agencies on the family being
served. In many cases those consents are written in a manner that
complies with the consent requirement in Sec. 99.30, and the student's
school may disclose information to the Medicaid agency necessary for
reimbursement purposes for services provided the student.
Changes: None.
Disclosure of Education Records to Student's Former Schools (Sec. Sec.
99.31(a)(3), 99.31(a)(6), and 99.35(b))
Comment: One commenter asked for clarification whether a school
could disclose a student's education records to the student's previous
school for the purpose of evaluating Federal or State supported
education programs or for improving instruction. Several commenters
said that there is a critical need for school districts to be able to
access the records of their former students from the student's new
district or postsecondary institution so that the previous institution
can evaluate the effectiveness of its own education programs. Some
commenters said that Sec. 99.35(a) clearly allows a K-12 data system
to use postsecondary records to evaluate its own programs, and that a
K-12 system does not need to have legal authority to evaluate
postsecondary programs for the disclosure to be valid under the audit
or evaluation exception.
Discussion: Section 99.31(a)(2) allows an educational agency or
institution to disclose personally identifiable information from
education records, without consent, to a school where the student seeks
or intends to enroll or is already enrolled if the disclosure relates
to the student's enrollment or transfer. There is no specific authority
in FERPA for an educational agency or institution, or a State or local
educational authority, to disclose or redisclose personally
identifiable information from education records to a student's former
school without consent.
As discussed above, Sec. Sec. 99.31(a)(3) and 99.35 allow
educational agencies and institutions to disclose personally
identifiable information from education records without consent to
State and local educational authorities that are legally authorized to
audit or evaluate the disclosing institution's programs or records. We
encourage State and local authorities to take advantage of this
exception and establish or modify State or local legal authority, as
necessary, to allow K-12 and postsecondary educational authorities to
audit or evaluate one another's programs. As noted above, the
Department will generally defer to a State Attorney General's
interpretation of State or local law on these matters.
Section 99.31(a)(6) allows an educational agency or institution to
disclose personally identifiable information from education records
without consent to an organization conducting a study for, or on behalf
of, the agency or institution that discloses its records. The ``for, or
on behalf of'' language from the statute and regulations, however, does
not allow the educational agency or institution to disclose personally
identifiable information from education records under this exception so
that the receiving organization can conduct a study for itself or some
other party. Further, the Secretary does not as a policy matter support
expanding the studies exception to permit such a disclosure because it
would result in a vast increase in the number of parties gaining access
to and maintaining personally identifiable information on students. As
discussed below, educational agencies and institution and other
parties, including State educational authorities, may always release
information from education records to a student's former school,
without consent, if all personally identifiable information has been
removed.
Personally Identifiable Information and De-Identified Records and
Information (Sec. Sec. 99.3 and 99.31(b))
(a) Definition of Personally Identifiable Information
Comment: We received a number of comments on proposed Sec. 99.3
regarding changes to the definition of personally identifiable
information. One commenter applauded the Department's recognition of
the increasing ease of identifying individuals from redacted records
and statistical information because of the large amount of detailed
personal information that is maintained on most Americans by many
different organizations. This commenter and others, however, stated
that the proposed regulations did not go far enough to ensure that
personally identifiable information about students would not be
released.
One commenter expressed concern about our proposal to eliminate
paragraphs (e) and (f) from the existing definition of personally
identifiable information, which included a list of personal
characteristics and other information that would make a student's
identity easily traceable. The commenter said that this was a change to
long-standing Department policy and represented an unwarranted invasion
of privacy that exceeds statutory authority. This commenter also
expressed concern that eliminating the ``easily traceable'' provisions
for determining whether information was personally identifiable could
prevent parents from accessing their children's education records and
might allow school officials to circumvent FERPA requirements by using
nicknames, initials, and other personal characteristics to refer to
children.
In contrast, several commenters stated that the regulations would
be unworkable or were too restrictive and would prevent or discourage
the release of information from education records needed for school
accountability and other public purposes. These commenters stated that
paragraphs (f) and (g) in the proposed definition of personally
identifiable information, which replaces the ``easily traceable''
provisions, would provide school officials too much discretion to
conceal information the public deserves to have in order to debate
public policy. Proposed paragraph (f) provided that personally
identifiable information includes other information that, alone or in
combination, is linked or linkable to a specific student that would
allow a reasonable person in the school or its community, who does not
have personal knowledge of the relevant circumstances, to identify the
student with reasonable certainty. Proposed paragraph (g) provided that
personally identifiable information includes information requested by a
person who the educational agency or institution reasonably believes
has direct, personal knowledge of the identity of the student
[[Page 74830]]
to whom the education record relates, sometimes known as a ``targeted
request.''
Several commenters expressed support for the provisions in
paragraphs (f) and (g) of the definition of personally identifiable
information. One of these commenters said that the ``school and
community'' limitation and the ``reasonable person'' standard in
paragraph (f) is sufficiently clear for implementation by parties that
release de-identified records. Another commenter said that ambiguity in
the terms ``reasonable person'' and ``reasonable certainty'' was
necessary so that organizations can develop their own standards for
addressing the problem of ensuring that information that is released is
not personally identifiable. This commenter asked the Department to
retain the flexibility in the proposed language and provide examples of
policies that have been implemented that meet the requirements in
paragraphs (f) and (g) of the definition. The commenter said that most
school districts know when they are receiving a targeted request
(paragraph (g)) but asked that the Department provide examples to help
districts determine whether a non-targeted request will reveal
personally identifiable information.
Journalism and writers' associations expressed concern about the
``reasonable person'' standard in paragraph (f) and our statement in
the preamble to the NPRM (73 FR 15583) that an educational agency or
institution may not be able to release redacted education records that
concern students or incidents that are well-known in the school
community, including when the parent or student who is the subject of
the record contacts the media and causes the publicity that prevents
the release of the record. These commenters stated that FERPA should
not prevent schools from releasing records from which all direct and
indirect identifiers, such as name, date of birth, address, unusual
place of birth, mother's maiden name, and sibling information, have
been removed without regard to any outside information, particularly
after a student or parent has waived any pretense of confidentiality by
contacting the media. They also said that the proposed definition of
personally identifiable information does not acknowledge the public
interest in school accountability.
One commenter said that the ``reasonable person in the school or
its community'' standard in paragraph (f) was too narrow and
inappropriate because it would allow individuals with even modest
scientific and technological abilities to identify students based on
supposedly de-identified information. Another commenter said that the
reference in paragraph (f) to a ``reasonable person'' should be changed
to ``ordinary person.'' A commenter said that if we retain the
``reasonable person'' standard, we should remove the references to the
school or its community and personal knowledge of the circumstances and
simply refer to a reasonable person. Several commenters said the
``school or its community'' standard is too vague and needs to be
clarified, particularly in relation to the provision in paragraph (g)
regarding targeted requests; these commenters said that school
officials will choose to evaluate a request for information based on
whether a reasonable person in the community, a broader standard than a
reasonable person in the school, could identify the student and
automatically find their own decisions to be reasonable. One commenter
said that the phrase ``relevant circumstances'' in paragraph (f) is
vague.
One commenter said that the standard in paragraph (f) about whether
the information requested is ``linked or linkable'' to a specific
student was too vague and overly broad and could be logically extended
to cover almost any information about a student. This commenter said
that the regulations should focus on preventing the release of records
that in and of themselves contain unique personal descriptors that
would make the student identifiable in the school community and not
refer to outside information, including what members of the public
might know independently of the records themselves.
Several commenters expressed concerns that the provision in
paragraph (g) regarding targeted requests will make FERPA and the
regulations administratively unwieldy and unnecessarily subjective. One
of these commenters said that paragraph (g) is unclear and adds more
confusion as opposed to providing clarity; this commenter said that
paragraph (g) should be removed and that the requirements in paragraph
(f) were sufficient. Another commenter said that the standard in
paragraph (g) unfairly holds agencies and institutions responsible for
ascertaining the requester's personal knowledge. One commenter said
that we should delete the words ``direct, personal'' before
``knowledge'' because these terms are unclear. According to this
commenter, if a school reasonably believes that the requester knows the
student's identity, the school should not disclose the records, whether
the knowledge is ``direct'' or ``personal.''
|