8 December 2008


[Federal Register: December 9, 2008 (Volume 73, Number 237)]
[Rules and Regulations]               
[Page 74805-74855]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr09de08-8]                         

[[Page 74805]]

-----------------------------------------------------------------------

Part II

Department of Education

-----------------------------------------------------------------------

34 CFR Part 99

Family Educational Rights and Privacy; Final Rule

[[Page 74806]]

-----------------------------------------------------------------------

DEPARTMENT OF EDUCATION

34 CFR Part 99

RIN 1855-AA05
[Docket ID ED-2008-OPEPD-0002]

 
Family Educational Rights and Privacy

AGENCY: Office of Planning, Evaluation, and Policy Development, 
Department of Education.

ACTION: Final regulations.

-----------------------------------------------------------------------

SUMMARY: The Secretary amends our regulations implementing the Family 
Educational Rights and Privacy Act (FERPA), which is section 444 of the 
General Education Provisions Act. These amendments are needed to 
implement a provision of the USA Patriot Act and the Campus Sex Crimes 
Prevention Act, which added new exceptions permitting the disclosure of 
personally identifiable information from education records without 
consent. The amendments also implement two U.S. Supreme Court decisions 
interpreting FERPA, and make necessary changes identified as a result 
of the Department's experience administering FERPA and the current 
regulations.
    These changes clarify permissible disclosures to parents of 
eligible students and conditions that apply to disclosures in health 
and safety emergencies; clarify permissible disclosures of student 
identifiers as directory information; allow disclosures to contractors 
and other outside parties in connection with the outsourcing of 
institutional services and functions; revise the definitions of 
attendance, disclosure, education records, personally identifiable 
information, and other key terms; clarify permissible redisclosures by 
State and Federal officials; and update investigation and enforcement 
provisions.

DATES: These regulations are effective January 8, 2009.

FOR FURTHER INFORMATION CONTACT:  Frances Moran, U.S. Department of 
Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 20202-
8250. Telephone: (202) 260-3887.
    If you use a telecommunications device for the deaf (TDD), you may 
call the Federal Relay Service (FRS) at 1-800-877-8339.
    Individuals with disabilities may obtain this document in an 
alternative format (e.g., Braille, large print, audiotape, or computer 
diskette) on request to the contact person listed under FOR FURTHER 
INFORMATION CONTACT.

SUPPLEMENTARY INFORMATION: On March 24, 2008, the U.S. Department of 
Education (the Department or we) published a notice of proposed 
rulemaking (NPRM) in the Federal Register (73 FR 15574). In the 
preamble to the NPRM, the Secretary discussed the major changes 
proposed in that document that are necessary to implement statutory 
changes made to FERPA, to implement two U.S. Supreme Court decisions, 
to respond to changes in information technology, and to address other 
issues identified through the Department's experience in administering 
FERPA.
    We believe that the regulatory changes adopted in these final 
regulations provide clarification on many important issues that have 
arisen over time with regard to how FERPA affects decisions that school 
officials have to make on an everyday basis. Educational agencies and 
institutions face considerable challenges, especially with regard to 
maintaining safe campuses, protecting personally identifiable 
information in students' education records, and responding to requests 
for data on student progress. These final regulations, as well as the 
discussion on various provisions in the preamble, will assist school 
officials in addressing these challenges in a manner that complies with 
FERPA and protects the privacy of students' education records.

Notice of Proposed Rulemaking

    In the NPRM, we proposed regulations to implement section 507 of 
the USA Patriot Act (Pub. L. 107-56), enacted October 26, 2001, and the 
Campus Sex Crimes Prevention Act, section 1601(d) of the Victims of 
Trafficking and Violence Protection Act of 2000 (Pub. L. 106-386), 
enacted October 28, 2000. Other major changes proposed in the NPRM 
included the following:
     Amending Sec.  99.5 to clarify the conditions under which 
an educational agency or institution may disclose personally 
identifiable information from an eligible student's education records 
to a parent without the prior written consent of the eligible student;
     Amending Sec.  99.31(a)(1) to authorize the disclosure of 
education records without consent to contractors, consultants, 
volunteers, and other outside parties to whom an educational agency or 
institution has outsourced institutional services or functions;
     Amending Sec.  99.31(a)(1) to ensure that teachers and 
other school officials only gain access to education records in which 
they have legitimate educational interests;
     Amending Sec.  99.31(a)(2) to permit educational agencies 
and institutions to disclose education records, without consent, to 
another institution even after the student has enrolled or transferred 
so long as the disclosure is for purposes related to the student's 
enrollment or transfer;
     Amending Sec.  99.31(a)(6) to require that an educational 
agency or institution may disclose personally identifiable information 
under this section only if it enters into a written agreement with the 
organization specifying the purposes of the study and the use and 
destruction of the data;
     Amending Sec.  99.31 to include a new subsection to 
provide standards for the release of information from education records 
that has been de-identified;
     Amending Sec.  99.35 to permit State and local educational 
authorities and Federal officials listed in Sec.  99.31(a)(3) to make 
further disclosures of personally identifiable information from 
education records on behalf of the educational agency or institution; 
and
     Amending Sec.  99.36 to remove the language requiring 
strict construction of this exception and add a provision stating that 
if an educational agency or institution determines that there is an 
articulable and significant threat to the health or safety of a student 
or other individual, it may disclose the information to any person, 
including parents, whose knowledge of the information is necessary to 
protect the health or safety of the student or other individuals.

Significant Changes From the NPRM

    These final regulations contain several significant changes from 
the NPRM as follows:
     Amending the definition of personally identifiable 
information in Sec.  99.3 to provide a definition of biometric record;
     Removing the proposed definition of State auditor in Sec.  
99.3 and provisions in Sec.  99.35(a)(3) related to State auditors and 
audits;
     Revising Sec.  99.31(a)(6) to clarify the specific types 
of information that must be contained in the written agreement between 
an educational agency or institution and an organization conducting a 
study for the agency or institution;
     Removing the statement from Sec.  99.31(a)(16) that FERPA 
does not require or encourage agencies or institutions to collect or 
maintain information concerning registered sex offenders;
     Requiring a State or local educational authority or 
Federal official or agency that rediscloses personally identifiable 
information from education records to record that disclosure if the

[[Page 74807]]

educational agency or institution does not do so under Sec.  99.32(b); 
and
     Revising Sec.  99.32(b) to require an educational agency 
or institution that makes a disclosure in a health or safety emergency 
to record information concerning the circumstances of the emergency.
    These changes are explained in greater detail in the following 
Analysis of Comments and Changes.

Analysis of Comments and Changes

    In response to the Secretary's invitation in the NPRM, 121 parties 
submitted comments on the proposed regulations. An analysis of the 
comments and of the changes in the regulations since publication of the 
NPRM follows.
    We group major issues according to subject, with applicable 
sections of the regulations referenced in parentheses. We discuss other 
substantive issues under the sections of the regulations to which they 
pertain. Generally, we do not address technical and other minor 
changes, or suggested changes that the law does not authorize the 
Secretary to make. We also do not address comments pertaining to issues 
that were not within the scope of the NPRM.

Definitions (Sec.  99.3)

(a) Attendance

    Comment: We received no comments objecting to the proposed changes 
to the definition of the term attendance. Three commenters expressed 
support for the changes because the availability and use of alternative 
instructional formats are not clearly addressed by the current 
regulations. One commenter suggested that the definition could avoid 
obsolescence by referring to the receipt of instruction leading to a 
diploma or certificate instead of listing the types of instructional 
formats.
    Discussion: We proposed to revise the definition of attendance 
because we received inquiries from some educational agencies and 
institutions asking whether FERPA was applicable to the records of 
students receiving instruction through the use of new technology 
methods that do not require a physical presence in a classroom. Because 
the definition of attendance is key to determining when an individual's 
records at a school are education records protected by FERPA, it is 
essential that schools and institutions understand the scope of the 
term. To prevent the regulations from becoming out of date as new 
formats and methods are developed, the definition provides that 
attendance may also include ``other electronic information and 
telecommunications technologies.''
    While most schools are aware of the various formats distance 
learning may take, we believe it is informative to list the different 
communications media that are currently used. Also, we believe that 
parents, eligible students, and other individuals and organizations 
that use the FERPA regulations may find the listing of formats useful.
    We do not agree that the definition of attendance should be limited 
to receipt of instruction leading to a diploma or certificate, because 
this would improperly exclude many instructional formats.
    Changes: None.

(b) Directory Information (Sec. Sec.  99.3 and 99.37)

(1) Definition (Sec.  99.3)
    Comment: We received a number of comments on our proposal to revise 
the definition of directory information to provide that an educational 
agency or institution may not designate as directory information a 
student's social security number (SSN) or other student identification 
(ID) number. The proposed definition also provided that a student's 
user ID or other unique identifier used by the student to access or 
communicate in electronic systems could be considered directory 
information but only if the electronic identifier cannot be used to 
gain access to education records except when used in conjunction with 
one or more factors that authenticate the student's identity.
    All commenters agreed that student SSNs should not be disclosed as 
directory information. Several commenters strongly supported the 
definition of directory information as proposed, noting that failure to 
curtail the use of SSNs and student ID numbers as directory information 
could facilitate identity theft and other fraudulent activities.
    One commenter said that the proposed regulations did not go far 
enough to prohibit the use of students' SSNs as a student ID number, 
placing SSNs on academic transcripts, and using SSNs to search an 
electronic database. Another commenter expressed concern that the 
proposed regulations could prohibit reporting needed to enforce 
students' financial obligations and other routine business practices. 
According to this commenter, restrictions on the use of SSNs in FERPA 
and elsewhere demonstrate the need for a single student identifier that 
can be tied to the SSN and other identifying information to use for 
grade transcripts, enrollment verification, default prevention, and 
other activities that depend on sharing student information. Another 
commenter stated that institutions should not be allowed to penalize 
students who opt out of directory information disclosures by denying 
them access to benefits, services, and required activities.
    Several commenters said that the definition in the proposed 
regulations was confusing and unnecessarily restrictive because it 
treats a student ID number as the functional equivalent of an SSN. They 
explained that when providing access to records and services, many 
institutions no longer use an SSN or other single identifier that both 
identifies and authenticates identity. As a result, at many 
institutions, the condition specified in the regulations for treating 
electronic identifiers as directory information, i.e., that the 
identifier cannot be used to gain access to education records except 
when used in conjunction with one or more factors that authenticate the 
user's identity, often applies to student ID numbers as well because 
they cannot be used to gain access to education records without a 
personal identification number (PIN), password, or some other factor to 
authenticate the user's identity. Some commenters suggested that our 
nomenclature is the problem and that regardless of what it is called, 
an identifier that does not allow access to education records without 
the use of authentication factors should be treated as directory 
information. According to one commenter, allowing institutions to treat 
student ID numbers as directory information in these circumstances 
would improve business practices and enhance student privacy by 
encouraging institutions to require additional authentication factors 
when using student ID numbers to provide access to education records.
    One commenter strongly opposed allowing institutions to treat a 
student's electronic identifier as directory information if the 
identifier could be made available to parties outside the school 
system. This commenter noted that electronic identifiers may act as a 
key, offering direct access to the student's entire file, and that PINs 
and passwords alone do not provide adequate security for education 
records. Another commenter said that if electronic identifiers and ID 
numbers can be released as directory information, then password 
requirements need to be more stringent to guard against unauthorized 
access to information and identity theft.
    Some commenters recommended establishing categories of directory 
information, with certain information

[[Page 74808]]

made available only within the educational community. One commenter 
expressed concern about Internet safety because the regulations allow 
publication of a student's e-mail address. Another said that FERPA 
should not prevent institutions from printing the student's ID number 
on an ID card or otherwise restrict its use on campus but that 
publication in a directory should not be allowed.
    Two commenters asked the Department to confirm that the regulations 
allow institutions to post grades using a code known only by the 
teacher and the student.
    Discussion: We share commenters' concerns about the use of 
students' SSNs. In general, however, there is no statutory authority 
under FERPA to prohibit an educational agency or institution from using 
SSNs as a student ID number, on academic transcripts, or to search an 
electronic database so long as the agency or institution does not 
disclose the SSN in violation of FERPA requirements. As discussed 
elsewhere in this preamble, FERPA does prohibit using a student's SSN, 
without consent, to search records in order to confirm directory 
information.
    Some States prohibit the use of SSNs as a student ID number, and 
some institutions have voluntarily ceased using SSNs in this manner 
because of concerns about identity theft. Students are required to 
provide their SSNs in order to receive Federal financial aid, and the 
regulations do not prevent an agency or institution from using SSNs for 
this purpose. We note that FERPA does not address, and we do not 
believe that there is statutory authority under FERPA to require, 
creation of a single student identifier to replace the SSN. In any 
case, the Department encourages educational agencies and institutions, 
as well as State educational authorities, to follow best practices of 
the educational community with regard to protecting students' SSNs.
    We agree that students should not be penalized for opting out of 
directory information disclosures. Indeed, an educational agency or 
institution may not require parents and students to waive their rights 
under FERPA, including the right to opt out of directory information 
disclosures. On the other hand, we do not interpret FERPA to require 
educational agencies and institutions to ensure that students can 
remain anonymous to others in the school community when using an 
institution's electronic communications systems. As a result, parents 
and students who opt out of directory information disclosures may not 
be able to use electronic communications systems that require the 
release of the student's name or electronic identifier within the 
school community. (As discussed later in this notice in our discussion 
of the comments on Sec.  99.37(c), the right to opt out of directory 
information disclosures may not be used to allow a student to remain 
anonymous in class.)
    The regulations allow an educational agency or institution to 
designate a student's user ID or other electronic identifier as 
directory information if the identifier functions essentially like the 
student's name, and therefore, disclosure would not be considered 
harmful or an invasion of privacy. That is, the identifier cannot be 
used to gain access to education records except when combined with one 
or more factors that authenticate the student's identity.
    We have historically advised that student ID numbers may not be 
disclosed as directory information because they have traditionally been 
used like SSNs, i.e., as both an identifier and authenticator of 
identity. We agree, however, that the proposed definition was confusing 
and unnecessarily restrictive because it failed to recognize that many 
institutions no longer use student ID numbers in this manner. If a 
student identifier cannot be used to access records or communicate 
electronically without one or more additional factors to authenticate 
the user's identity, then the educational agency or institution may 
treat it as directory information under FERPA regardless of what the 
identifier is called. We have revised the definition of directory 
information to provide this flexibility.
    We share the commenters' concerns about the use of PINs and 
passwords. In the preamble to the NPRM, we explained that PINs or 
passwords, and single-factor authentication of any kind, may not be 
reasonable for protecting access to certain kinds of information (73 FR 
15585). We also recognize that user IDs and other electronic 
identifiers may provide greater access and linking to information than 
does a person's name. Therefore, we remind educational agencies and 
institutions that disclose student ID numbers, user IDs, and other 
electronic identifiers as directory information to examine their 
recordkeeping and data sharing practices and ensure that, when these 
identifiers are used, the methods they select for authenticating 
identity provide adequate protection against the unauthorized 
disclosure of information in education records.
    We also share the concern of commenters who stated that students' 
e-mail addresses and other identifiers should be disclosed as directory 
information only within the school system and should not be made 
available outside the institution. The disclosure of directory 
information is permissive under FERPA, and, therefore, an agency or 
institution is not required to designate and disclose any student 
identifier (or any other item) as directory information. Further, while 
FERPA does not expressly recognize different levels or categories of 
directory information, an agency or institution is not required to make 
student directories and other directory information available to the 
general public just because the information is shared within the 
institution. For example, under FERPA, an institution may decide to 
make students' electronic identifiers and e-mail addresses available 
within the institution but not release them to the general public as 
directory information. In fact, the preamble to the NPRM suggested that 
agencies and institutions should minimize the public release of student 
directories to mitigate the risk of re-identifying information that has 
been de-identified (73 FR 15584).
    With regard to student ID numbers in particular, an agency or 
institution may print an ID number on a student's ID card whether or 
not the number is treated as directory information because under FERPA 
simply printing the ID number on a card, without more, is not a 
disclosure and, therefore, is not prohibited. See 20 U.S.C. 
1232g(b)(2). If the student ID number is not designated as directory 
information, then the agency or institution may not disclose the card, 
or require the student to disclose the card, except in accordance with 
one of the exceptions to the consent requirement, such as to school 
officials with legitimate educational interests. If the student ID 
number is designated as directory information in accordance with these 
regulations, then it may be disclosed. However, the agency or 
institution may still decide against making a directory of student ID 
numbers available to the general public.
    We discuss codes used by teachers to post grades in our discussion 
of the definition of personally identifiable information elsewhere in 
this preamble.
    Changes: We have revised the definition of directory information in 
Sec.  99.3 to provide that directory information includes a student ID 
number if it cannot be used to gain access to education records except 
when used with one or more other factors to authenticate the user's 
identity.

[[Page 74809]]

(2) Conditions for Disclosing Directory Information
(i) 99.37(b)
    Comment: All comments on this provision supported our proposal to 
clarify that an educational agency or institution must continue to 
honor a valid request to opt out of directory information disclosures 
even after the student no longer attends the institution. One commenter 
stated that the proposed regulations appropriately provided former 
students with the continuing ability to control the release of 
directory information and remarked that this will benefit students and 
families. One commenter asked how long an opt out from directory 
information disclosures must be honored. Another commenter said that 
students may object if their former schools do not disclose directory 
information without their specific written consent because the school 
is unable to determine whether the student previously opted out. This 
could occur, for example, if a school declined to disclose that a 
student had received a degree to a prospective employer.
    Discussion: The regulations clarify that once a parent or eligible 
student opts out of directory information disclosures, the educational 
agency or institution must continue to honor that election after the 
student is no longer in attendance. While this is not a new 
interpretation, school districts and postsecondary institutions have 
been unclear about its application and have not administered it 
consistently. The inclusion in the regulations of this longstanding 
interpretation is necessary to ensure that schools clearly understand 
their obligation to continue to honor a decision to opt out of the 
disclosure of directory information after a student stops attending the 
school, until the parent or eligible student rescinds it.
    Educational agencies and institutions are not required under FERPA 
to disclose directory information to any party. Therefore, parents and 
students have no basis for objecting if an agency or institution does 
not disclose directory information because it is not certain whether 
the parent or student opted out. The regulations provide an educational 
agency or institution with the flexibility to determine the process it 
believes is best suited to serve its population as long as it honors 
prior elections to opt out of directory information disclosures.
    Changes: None.
(ii) Sec.  99.37(c)
    Comment: We received two comments in support of our proposal to 
clarify in this section that parents and students may not use the right 
to opt out of directory information disclosures to prevent disclosure 
of the student's name or other identifier in the classroom.
    Discussion: We appreciate the commenters' support.
    Changes: None.
(iii) Sec.  99.37(d)
    Comment: Two commenters supported the prohibition on using a 
student's SSN to disclose or confirm directory information unless a 
parent or eligible student provides written consent. One of these 
commenters questioned the statutory basis for this interpretation.
    Several commenters asked whether, under the proposed regulations, a 
school must deny a request for directory information if the requester 
supplies the student's SSN. One commenter asked whether a request for 
directory information that contains a student's SSN may be honored so 
long as the school does not use the SSN to locate the student's 
records. One commenter stated that the regulations could more 
effectively protect students' SSNs but was concerned that denying a 
request for directory information that contains an SSN may 
inadvertently confirm the SSN.
    One commenter expressed concern that the prohibition on using a 
student's SSN to verify directory information would leave schools with 
large student populations unable to locate the appropriate record 
because they will need to rely solely on the student's name and other 
directory information, if any, provided by the requester, which may be 
duplicated in their databases. This commenter said that students would 
object if institutions were unable to respond quickly to requests by 
banks or landlords for confirmation of enrollment because the request 
contained the student's SSN.
    One commenter suggested that the regulations require an educational 
agency or institution to notify a requester that the release or 
confirmation of directory information does not confirm the accuracy of 
the SSN or other non-directory information submitted with the request. 
Another commenter asked whether the regulations apply to confirmation 
of student enrollment and other directory information by outside 
service providers such as the National Student Clearinghouse.
    Discussion: The provision in the proposed regulations prohibiting 
an educational agency or institution from using a student's SSN when 
disclosing or verifying directory information is based on the statutory 
prohibition on disclosing personally identifiable information from 
education records without consent in 20 U.S.C. 1232g(b). The 
prohibition applies also to any party outside the agency or institution 
providing degree, enrollment, or other confirmation services on behalf 
of an educational agency or institution, such as the National Student 
Clearinghouse.
    A school is not required to deny a request for directory 
information about a student, such as confirmation whether a student is 
enrolled or has received a degree, if the requester supplies the 
student's SSN (or other non-directory information) along with the 
request. However, in releasing or confirming directory information 
about a student, the school may not use the student's SSN (or other 
non-directory information) supplied by the requester to identify the 
student or locate the student's records unless a parent or eligible 
student has provided written consent. This is because confirmation of 
information in education records is considered a disclosure under 
FERPA. See 20 U.S.C. 1232g(b). A school's use of a student's SSN (or 
other non-directory information) provided by the requester to confirm 
enrollment or other directory information implicitly confirms and, 
therefore, discloses, the student's SSN (or other non-directory 
information). This is true even if the requester also provides the 
school with the student's name, date of birth, or other directory 
information to help identify the student.
    A school may choose to deny a request for directory information, 
whether or not it contains a student's SSN, because only a parent or 
eligible student has a right to obtain education records under FERPA. 
Denial of a request for directory information that contains a student's 
SSN is not an implicit confirmation or disclosure of the SSN.
    These regulations will not adversely affect the ability of 
institutions to respond quickly to requests by parties such as banks 
and landlords for confirmation of enrollment that contain the student's 
SSN because students generally provide written consent for schools to 
disclose information to the inquiring party in order to obtain banking 
and housing services. We note, however, that if a school wishes to use 
the student's SSN to confirm enrollment or other directory information 
about the student, it must ensure that the written consent provided by 
the student includes consent for the school to

[[Page 74810]]

disclose the student's SSN to the requester.
    There is no authority in FERPA to require a school to notify 
requesters that it is not confirming the student's SSN (or other non-
directory information) when it discloses or confirms directory 
information. However, when a party submits a student's SSN along with a 
request for directory information, in order to avoid confusion, unless 
a parent or eligible student has provided written consent for the 
disclosure of the student's SSN, the school may indicate that it has 
not used the SSN (or other non-directory information) to locate the 
student's records and that its response may not and does not confirm 
the accuracy of the SSN (or other non-directory information) supplied 
with the request.
    We recognize that with a large database of student information, 
there may be some loss of ability to identify students who have common 
names if SSNs are not used to help identify the individual. However, 
schools that do not use SSNs supplied by a party requesting directory 
information, either because the student has not provided written 
consent or because the school is not certain that the written consent 
includes consent for the school to disclose the student's SSN, 
generally may use the student's address, date of birth, school, class, 
year of graduation, and other directory information to identify the 
student or locate the student's records.
    Changes: None.

(c) Disclosure (Sec.  99.3)

    Comment: Two commenters said that the proposal to revise the 
definition of disclosure to exclude the return of a document to its 
source was too broad and could lead to improper release of highly 
sensitive documents, such as an individualized education program (IEP) 
contained in a student's special education records, to anyone claiming 
to be the creator of a record. One of the commenters stated that 
changing the definition was unnecessary, as schools already have a 
means of verifying documents by requesting additional copies from the 
source. Both commenters also expressed concern that, because 
recordation is not required, a parent or eligible student will not be 
aware that the verification occurred.
    We also received comments of strong support for the proposed change 
to the definition of disclosure. The commenters stated that this 
change, targeted to permit the release of records back to the 
institution that presumably created them, will enhance an institution's 
ability to identify and investigate suspected fraudulent records in a 
timely manner.
    Discussion: For several years now, school officials have advised us 
that problems related to fraudulent records typically involve a 
transcript or letter of recommendation that has been altered by someone 
other than the responsible school official. Under the current 
regulations, an educational agency or institution may ask for a copy of 
a record from the presumed source when it suspects fraudulent activity. 
However, simply asking for a copy of a record may not be adequate, for 
example, if the original record no longer exists at the sending 
institution. In these circumstances, an institution will need to return 
a record to its identified source to be able to verify its 
authenticity. The final regulations permit a targeted release of 
records back to the stated source for verification purposes in order to 
provide schools with the flexibility needed for this process while 
preserving a more general prohibition on the release of information 
from education records.
    We do not agree that the term disclosure as proposed in the NPRM is 
too broad and could lead to the improper release of highly sensitive 
documents to anyone claiming to be the creator of the record. School 
officials have not advised us that they have had problems receiving IEP 
records and other highly sensitive materials from parties who did not 
in fact create or provide the record. Therefore, we do not believe that 
the proposed definition of disclosure is too broad.
    The commenters are correct that the return of an education record 
to its source does not have to be recorded, because it is not a 
disclosure. We do not consider this problematic, however, because the 
information is merely being returned to the party identified as its 
source. This is similar to the situation in which a school is not 
required under the regulations to record disclosures of education 
records made to school officials with legitimate educational interests. 
As in that instance, there is no direct notice to a parent or student 
of either the disclosure of the record or the information in the 
record. We also believe that if a questionable document is deemed to be 
inauthentic by the source, the student will be informed of the results 
of the authentication process by means other than seeing a record of 
the disclosure in the student's file. There appears to be little value 
in notifying a parent or student that a document was suspected of being 
fraudulent if the document is found to be genuine and accurate.
    Finally, we note that a transcript or other document does not lose 
its protection under FERPA, including the written consent requirements, 
when an educational agency or institution returns it to the source. The 
document and the information in it remain an ``education record'' 
under FERPA when it is returned to its source. As an education record, 
it may not be redisclosed except in accordance with FERPA requirements, 
including Sec.  99.31(a)(1), which allows the source institution to 
disclose the information to teachers and other school officials with 
legitimate educational interests, such as persons who need to verify 
the accuracy or authenticity of the information. If the source 
institution makes any further disclosures of the record or information, 
it must record them.
    Changes: None.

Additional Changes to the Definition of Disclosure

    Comment: Several commenters requested additional changes to the 
definition of disclosure. One commenter requested that any transfer of 
education records to a State's longitudinal data system not be 
considered a disclosure. Several commenters requested that additional 
changes be made so that a school could provide current education 
records of students back to the students' former schools or districts. 
A commenter recommended excluding from the definition of disclosure 
statistical information that is personally identifiable because of 
small cell sizes when the recipient agrees to maintain the 
confidentiality of the information.
    Discussion: The revised definition of disclosure, which excludes 
the return of a document to its stated source, clarifies that 
information provided by school districts or postsecondary institutions 
to State educational authorities, including information maintained in a 
consolidated student records system, may be provided back to the 
original district or institution without consent. There is no statutory 
authority, however, to exclude from the definition of disclosure a 
school district's or institution's release or transfer of personally 
identifiable information from education records to its State 
longitudinal data system. (We discuss the disclosure of education 
records in connection with the development of consolidated, 
longitudinal data systems in our response to comments on redisclosure 
and recordkeeping requirements elsewhere in this preamble.) Likewise, 
there is no statutory authority to exclude from the definition of 
disclosure the release of personally identifiable information from

[[Page 74811]]

education records to parties that agree to keep the information 
confidential. (See our discussion of personally identifiable 
information and de-identified records and information elsewhere in this 
preamble.)
    The revised regulations do not authorize the disclosure of 
education records to third parties who are not identified as the 
provider or creator of the record. For example, a college may not send 
a student's current college records to a student's high school under 
the revised definition of disclosure because the high school is not the 
stated source of those records. (We discuss this issue elsewhere in the 
preamble under Disclosure of Education Records to Students' Former 
Schools.)
    Changes: None.

(d) Education Records

(1) Paragraph (b)(5)
    Comment: Several commenters supported our proposal to clarify the 
existing exclusion from the definition of education records for records 
that only contain information about an individual after he or she is no 
longer a student, which we referred to as ``alumni records'' in the 
NPRM, 73 FR 15576. One commenter suggested that the term ``directly 
related,'' which is used in the amended definition in reference to a 
student's attendance, is inconsistent with the use of the term 
``personally identifiable'' in other sections of the regulations and 
could cause confusion.
    One commenter asked whether a postsecondary school could provide a 
student's education records from the postsecondary school to a 
secondary school that the student attended previously.
    Several commenters objected to the proposed regulations because, 
according to the commenters, the regulations would expand the records 
subject to FERPA's prohibition on disclosure of education records 
without consent. A journalist stated that the settlement agreement 
cited in the NPRM is an example of a record that should be excluded 
from the definition and that schools already are permitted to protect 
too broad a range of documents from public review because the documents 
are education records. The commenter stated that information from 
education records such as a settlement agreement is newsworthy, 
unlikely to contain confidential information, and that disclosure of 
such information provides a benefit to the public. Another commenter 
expressed concern that the regulations allow schools to collect 
negative information about a former student without giving the 
individual an opportunity to challenge the content because the 
information is not an education record under FERPA.
    Discussion: It has long been the Department's interpretation that 
records created or received by an educational agency or institution on 
a former student that are directly related to the individual's 
attendance as a student are not excluded from the definition of 
education records under FERPA, and that records created or received on 
a former student that are not directly related to the individual's 
attendance as a student are excluded from the definition and, 
therefore, are not ``education records.'' The proposed regulations in 
paragraph (b)(5) were intended to clarify the use of this exclusion, 
not to change or expand its scope.
    Our use of the phrase ``directly related to the individual's 
attendance as a student'' to describe records that do not fall under 
this exclusion from the definition of education records is not 
inconsistent with the term ``personally identifiable'' as used in other 
parts of the regulations and should not be confused. The term 
``personally identifiable information'' is used in the statute and 
regulations to describe the kind of information from education records 
that may not be disclosed without consent. See 20 U.S.C. 1232g(b); 34 
CFR 99.3, 99.30. While ``personally identifiable information'' 
maintained by an agency or institution is generally considered an 
``education record'' under FERPA, personally identifiable information 
does not fall under this exclusion from the definition of education 
records if the information is not directly related to the student's 
attendance as a student. For example, personally identifiable 
information related solely to a student's activities as an alumnus of 
an institution is excluded from the definition of education records 
under this provision. We think that the term ``directly related'' is 
clear in this context and will not be confused with ``personally 
identifiable.''
    A postsecondary institution may not disclose a student's 
postsecondary education records to the secondary school previously 
attended by the student under this provision because these records are 
directly related to the student's attendance as a student at the 
postsecondary institution. (We discuss this issue further under 
Disclosure of Education Records to Students' Former Schools.)
    We do not agree that documents such as settlement agreements are 
unlikely to contain confidential information. Our experience has been 
that these documents often contain highly confidential information, 
such as special education diagnoses, educational supports, or mental or 
physical health and treatment information. Our changes to the 
definition were intended to clarify that schools may not disclose this 
information to the media or other parties, without consent, simply 
because a student is no longer in attendance at the school at the time 
the record was created or received. A parent or eligible student who 
wishes to share the student's own records with the media or other 
parties is free to do so.
    Neither FERPA nor the regulations contains a provision for a parent 
or eligible student to challenge information that is not contained in 
an education record. FERPA does not prohibit a parent or student from 
using other venues to seek redress for collection and release of 
information in non-education records.
    Changes: None.
(2) Paragraph (b)(6)
    Comment: We received several comments supporting the proposed 
changes to the definition of education records that would exclude from 
the definition grades on peer-graded papers before they are collected 
and recorded by a teacher. These commenters expressed appreciation that 
this revision would be consistent with the U.S. Supreme Court's 
decision on peer-graded papers in Owasso Independent School Dist. No. 
I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso). Two commenters asked how 
the provision would be applied to the use of group projects and group 
grading within the classroom.
    Discussion: The proposed changes to the definition of education 
records in paragraph (b)(6) are designed to implement the U.S. Supreme 
Court's 2002 decision in Owasso, which held that peer grading does not 
violate FERPA. As noted in the NPRM, 73 FR 15576, the Court held in 
Owasso that peer grading does not violate FERPA because ``the grades on 
students' papers would not be covered under FERPA at least until the 
teacher has collected them and recorded them in his or her grade 
book.'' 534 U.S. at 436.
    As suggested by the Supreme Court in Owasso, 534 U.S. at 435, FERPA 
is not intended to interfere with a teacher's ability to carry out 
customary practices, such as group grading of team assignments within 
the classroom. Just as FERPA does not prevent teachers from allowing 
students to grade a test or homework assignment of another student or 
from calling out that grade in class, even though the grade may 
eventually become an education record,

[[Page 74812]]

FERPA does not prohibit the discussion of group or individual grades on 
classroom group projects, so long as those individual grades have not 
yet been recorded by the teacher. The process of assigning grades or 
grading papers falls outside the definition of education records in 
FERPA because the grades are not ``maintained'' by an educational 
agency or institution at least until the teacher has recorded the 
grades.
    Changes: None.

(e) Personally Identifiable Information

    Comments on the proposed definition of personally identifiable 
information are discussed elsewhere in this preamble under the heading 
Personally Identifiable Information and De-identified Records and 
Information.

(f) State Auditors and Audits (Sec. Sec.  99.3 and Proposed 
99.35(a)(3))

    Comment: Several commenters supported the clarification in proposed 
Sec.  99.35(a)(3) that State auditors may have access to education 
records, without consent, in connection with an ``audit'' of Federal or 
State supported education programs under the exception to the written 
consent requirement for authorized representatives of ``State and local 
educational authorities.'' All but one of the commenters, however, 
disagreed strongly with the proposed definition of audit in Sec.  
99.35(a)(3), which was limited to testing compliance with applicable 
laws, regulations, and standards and did not include the broader 
concept of evaluations.
    In general, the commenters said that the proposed definition of 
audit was too narrow and would prevent State auditors from conducting 
performance audits and other services that they routinely provide in 
accordance with professional auditing standards, including the U.S. 
Comptroller's Government Auditing Standards. See 
www.gao.gov/govaud/ybk01.htm. A State legislative auditor noted, for example, that 45 
State legislatures have established legislative program evaluation 
offices whose express purpose is to provide research and evaluation for 
legislative decision making, and that these offices regularly use 
personally identifiable information from education records for their 
work. Some of the commenters also questioned whether financial audits 
and attestation engagements would be excluded under the proposed 
definition.
    One commenter said that the State auditor provisions in proposed 
Sec. Sec.  99.3 and 99.35(a)(3) should be expanded to apply to other 
non-education State officials responsible for evaluating publicly 
funded programs. Another commenter recommended that the regulations 
include examination of education records by health department officials 
to improve compliance with mandated immunization schedules.
    The majority of the comments we received with respect to the 
inclusion of local auditors in the proposed definition of State auditor 
in Sec.  99.3 supported permitting local auditors to have access to 
personally identifiable information for purposes of auditing Federal or 
State supported education programs. One commenter said that local 
auditors should not be included in the definition, while another 
commenter stated that auditors for the city health department need 
access to FERPA-protected information to determine the accuracy of 
claims for payment and asked for further clarification on the issue.
    Discussion: We explained in the preamble to the NPRM that the 
statute allows disclosure of personally identifiable information from 
education records without consent to authorized representatives of 
``State educational authorities'' in connection with an audit or 
evaluation of Federal or State supported education programs. 73 FR 
15577. Legislative history indicates that Congress amended the statute 
in 1979 to ``correct an anomaly'' in which the existing exception to 
the consent requirement in 20 U.S.C. 1232g(b)(3) was interpreted to 
preclude State auditors from obtaining access to education records for 
audit purposes. See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 
(1979), reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824. 
However, because the amended statutory language in 20 U.S.C. 
1232g(b)(5) refers only to ``State and local educational officials,'' 
the proposed regulations sought to clarify that this included ``State 
auditors'' or auditors with authority and responsibility under State 
law for conducting audits. Due to the breadth of this inclusion, 
however, the proposed regulations also sought to limit access to 
education records by State auditors by narrowing the definition of 
audit.
    The Secretary has carefully reviewed the comments and, based upon 
further intradepartmental review, has decided to remove from the final 
regulations the provisions related to State auditors and audits in 
Sec. Sec.  99.3 and 99.35(a)(3). We share the commenters' concerns 
about preventing State auditors from conducting activities that they 
routinely perform under applicable auditing standards. However, because 
our focus was on the narrow definition of audit, we proposed a very 
broad definition of State auditor in Sec.  99.3 and did not examine 
which of the various types of officials, offices, committees, and staff 
in executive and legislative branches of State government should be 
included in the definition. We are concerned that without the narrow 
definition of audit as proposed in Sec.  99.35(a)(3), the proposed 
definition of State auditor may allow non-consensual disclosures of 
education records to a variety of officials for purposes not supported 
by the statute. The Department will study the matter further and may 
issue new regulations or guidance, as appropriate. In the interim, the 
Department will provide guidance on a case-by-case basis.
    Changes: We are not including the definition of State auditor in 
Sec.  99.3 and the provisions related to State auditors and audits in 
Sec.  99.35(a)(3) in these final regulations.

Disclosures to Parents (Sec. Sec.  99.5 and 99.36)

    Comment: A majority of commenters approved of the Secretary's 
efforts to clarify that, even after a student has become an eligible 
student, an educational agency or institution may disclose education 
records to the student's parents, without the consent of the student, 
if certain conditions are met. Those commenters stated that the 
clarification was especially helpful, particularly in light of issues 
that arose after the April 2007 shootings at the Virginia Polytechnic 
Institute and State University (Virginia Tech). A commenter stated that 
the clarification will assist emergency management officials on college 
and university campuses and help school officials know when they can 
properly share student information with parents and students. One 
commenter expressed support for the proposed regulations, because it 
has been her experience that colleges do not share information with 
parents on their children's financial aid or academic status.
    Some commenters disagreed with the proposed changes. One stated 
that, due to varying family dynamics, disclosures should not be limited 
only to parents, but should also include other appropriate family 
members. Another commenter objected to the phrase in Sec.  99.5(a)(2) 
that would permit disclosure to a parent without the student's consent 
if the disclosure meets ``any other provision in Sec.  99.31(a).'' The 
commenter stated that this ``catch-all phrase'' exceeded statutory 
authority.
    Noting the sensitivity of financial information included in income 
tax returns, a few commenters raised concerns about the discussion in 
the

[[Page 74813]]

NPRM in which we explained that an institution can determine that a 
parent claimed a student as a dependent by asking the parent to supply 
a copy of the parent's most recent Federal tax return. Another 
commenter stated that the NPRM did not go far enough and recommended 
specifically requiring an institution to rely on a copy of a parent's 
most recent Federal tax return to determine a student's dependent 
status, while another commenter recommended that we change the 
regulations to indicate that only the parent who has claimed the 
student as a dependent may have access to the student's education 
records.
    A commenter noted that some States have high school students who 
are concurrently enrolled in secondary schools and postsecondary 
institutions as early as ninth grade and supported the clarification 
that postsecondary institutions may disclose information to parents of 
students who are tax dependents.
    Discussion: Parents' rights under FERPA transfer to a student when 
the student reaches age 18 or enters a postsecondary institution. 20 
U.S.C. 1232g(d). However, under Sec.  99.31(a)(8), an educational 
agency or institution may disclose education records to an eligible 
student's parents if the student is a dependent as defined in section 
152 of the Internal Revenue Code of 1986. Under Sec.  99.31(a)(8), 
neither the age of a student nor the parent's status as custodial 
parent is relevant to the determination whether disclosure of 
information from an eligible student's education records to that parent 
without written consent is permissible under FERPA. If a student is 
claimed as a dependent for Federal income tax purposes by either 
parent, then under the regulations, either parent may have access to 
the student's education records without the student's consent.
    The statutory exception to the consent requirement in FERPA for the 
disclosure of records of dependent students applies only to the parents 
of the student. 20 U.S.C. 1232g(b)(1)(H). Accordingly, the Secretary 
does not have statutory authority to apply Sec.  99.31(a)(8) to any 
other family members. However, under Sec.  99.30(b)(3), an eligible 
student may provide consent for the school to disclose information from 
his or her education records to another family member. In some 
situations, such as when there is no parent in the student's life or 
the student is married, a spouse or other family member may be 
considered an appropriate party to whom a disclosure may be made, 
without consent, in connection with a health or safety emergency under 
Sec. Sec.  99.31(a)(10) and 99.36.
    In most cases, when an educational agency or institution discloses 
education records to parents of an eligible student, we expect the 
disclosure to be made under the dependent student provision (Sec.  
99.31(a)(8)), in connection with a health or safety emergency 
(Sec. Sec.  99.31(a)(10) and 99.36), or if a student has committed a 
disciplinary violation with respect to the use or possession of alcohol 
or a controlled substance (Sec.  99.31(a)(15)). This is the reason we 
mention these provisions specifically in the regulations. However, 
inclusion of the phrase ``of any other provision in Sec.  99.31(a)'' in 
Sec.  99.5(a)(2) is necessary and within our statutory authority 
because there may be other exceptions to FERPA's general consent 
requirement under which an agency or institution might disclose 
education records to a parent of an eligible student, such as the 
directory information provision in Sec.  99.31(a)(11) and the provision 
permitting disclosure in compliance with a court order or lawfully 
issued subpoena in Sec.  99.31(a)(9).
    As we explained in the NPRM, institutions can determine that a 
parent claims a student as a dependent by asking the parent to submit a 
copy of the parent's most recent Federal income tax return. However, we 
do not think it is appropriate to require an agency or institution to 
rely only on the most recent tax return to determine the student's 
dependent status because institutions should have flexibility in how to 
reach this determination. For instance, institutions may rely instead 
on a student's assertion that he or she is not a dependent unless the 
parent provides contrary evidence. We agree that financial information 
on a Federal tax return is sensitive information and, for that reason, 
in providing technical assistance and compliance training to school 
officials, we have advised that parents may redact all financial and 
other unnecessary information that appears on the form, as long as the 
tax return clearly shows the parent's or parents' names and the fact 
that the student is claimed as a dependent.
    In addition, in the fall of 2007, we developed two model forms that 
appear on the Department's Family Policy Compliance Office (FPCO or the 
Office) Web site that institutions may adapt and provide to students at 
orientation to indicate whether they are a dependent and, if not, 
obtaining consent from the student for disclosure of information to 
parents: 
http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/modelform.html and 
http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/modelform2.html.
    With regard to the comment about high school students who are 
concurrently enrolled in postsecondary institutions as early as ninth 
grade, FERPA not only permits those postsecondary institutions to 
disclose information to parents of the high school students who are 
dependents for Federal income tax purposes, it also permits high 
schools and postsecondary institutions who have dually-enrolled 
students to share information. Where a student is enrolled in both a 
high school and a postsecondary institution, the two schools may share 
education records without the consent of either the parents or the 
student under Sec.  99.34(b). If the student is under 18, the parents 
still retain the right under FERPA to inspect and review any education 
records maintained by the high school, including records that the 
college or university disclosed to the high school, even though the 
student is also attending the postsecondary institution.
    Changes: None.

Outsourcing (Sec.  99.31(a)(1)(i)(B))

(a) Outside Parties Who Qualify as School Officials

    Comment: A few commenters disagreed with the proposal to expand the 
``school officials'' exception in Sec.  99.31(a)(1)(i)(B) to include 
contractors, consultants, volunteers, and other outside parties to whom 
an educational agency or institution has outsourced institutional 
services or functions it would otherwise use employees to perform. They 
believed that the modifications undermined the plain language of the 
statute and congressional intent. Several other commenters supported 
the proposed regulations, saying that it was helpful to include in the 
regulations what has historically been the Department's interpretation 
of the ``school officials'' exception. A majority of commenters, while 
not agreeing or disagreeing with the proposed changes in Sec.  
99.31(a)(1)(i)(B), raised a number of issues concerning the proposal.
    Several commenters expressed concern that the requirement that an 
outside party must perform an institutional service or function for 
which the agency or institution would otherwise use employees is too 
restrictive and impractical. One commenter noted that some functions 
that a contractor performs could not be performed by a school official.
    Some commenters said we should clarify the regulations to explain 
the

[[Page 74814]]

circumstances under which volunteers may serve as school officials and 
have access to personally identifiable information from education 
records in connection with their services or responsibilities to the 
school. One commenter noted that this clarification was needed 
especially for parent-volunteers working at a school attended by their 
own children where they are likely to know other students and their 
families.
    Several commenters asked that we clarify in the regulations that 
Sec.  99.31(a)(1) also applies to school transportation officials, 
school bus drivers, and school bus attendants who need access to 
education records in order to safely and efficiently transport 
students. Another commenter asked for clarification whether, under the 
proposed regulations, practicum students, fieldwork students, and 
unpaid interns in schools would be considered ``school officials.'' One 
commenter asked whether Sec.  99.31(a)(1) permits outsourced medical 
providers to be considered ``school officials.''
    One commenter asked how proposed Sec.  99.31(a)(1) would apply to 
parties other than educational agencies and institutions. The commenter 
was concerned about permitting SEAs to disclose personally identifiable 
information to outside parties under Sec.  99.31(a)(1)(i)(B) because 
SEAs are not subject to Sec.  99.7, which requires educational agencies 
and institutions to annually notify parents and eligible students of 
their rights under FERPA, including a specific requirement in Sec.  
99.7(a)(3)(iii) that an educational agency or institution that has a 
policy of disclosing information under Sec.  99.31(a)(1) must include 
in its annual notice a specification of criteria for determining who 
constitutes a school official and what constitutes a legitimate 
educational interest. A number of commenters requested clarification 
about the applicability of Sec.  99.31(a)(1)(i)(B) to State authorities 
that operate State longitudinal data systems that maintain records of 
local educational agencies (LEAs) or institutions and are responsible 
for certain reporting requirements under the No Child Left Behind Act. 
Some of these commenters believe that State authorities operating these 
systems are ``school officials'' under Sec.  99.31(a)(1) who should be 
able to disclose education records for the purpose of outsourcing under 
Sec.  99.31(a)(1)(i)(B).
    One commenter recommended that the regulations permit the 
disclosure of education records to non-educational State agencies for 
evaluation purposes under Sec.  99.31(a)(1). Another commenter asked 
that we revise the regulations to permit representatives of the Centers 
for Disease Control and Prevention to access education records for the 
purpose of public health surveillance under the ``school officials'' 
exception.
    Another commenter requested further guidance on how Sec.  
99.31(a)(1) would apply to local law enforcement officers who work in 
collaboration with schools in various capacities and whether education 
records could be shared with these officers in order to ensure safe 
campuses.
    Discussion: The Secretary does not agree that the proposed changes 
to Sec.  99.31(a)(1) go beyond the plain reading of the statute and 
congressional intent. As we explained in the NPRM, FERPA's broad 
definition of education records includes records that are maintained by 
``a person acting for'' an educational agency or institution. 20 U.S.C. 
1232g(a)(4)(A)(ii); see 34 CFR 99.3. (In floor remarks describing the 
meaning of the definition of education records, Senators James Buckley 
and Claiborne Pell, principal sponsors of the December 1974 FERPA 
amendments, specifically referred to materials that are maintained by a 
school ``or by one of its agents.'' See ``Joint Statement in 
Explanation of Buckley/Pell Amendment'' (Joint Statement), 120 Cong. 
Rec. S21488 (Dec. 13, 1974).) Although the Secretary is concerned that 
educational agencies and institutions not misapply Sec.  99.31(a)(1), 
the changes to the regulations are necessary to clarify the scope of 
the ``school officials'' exception in FERPA.
    We disagree with commenters that the requirement in Sec.  
99.31(a)(1)(i)(B)(1) that the outside party must perform an 
institutional service or function for which the agency or institution 
would otherwise use employees is too restrictive or unworkable. The 
requirement serves to ensure that the ``school officials'' exception 
does not expand into a general exception to the consent requirement in 
FERPA that would allow disclosure any time a vendor or other outside 
party wants access to education records to provide a product or service 
to schools, parents, and students. As explained in the preceding 
paragraphs and in the NPRM, 73 FR 15578-15579, the statutory basis for 
expanding the ``school officials'' exception to outside service 
providers is that they are ``acting for'' the agency or institution, 
not selling products and services. This means, for example, that a 
school may not use the ``school officials'' exception to disclose 
personally identifiable information from a student's education record, 
such as the student's SSN or student ID number, without consent, to an 
insurance company that wishes to offer students a discount on auto 
insurance because the school is not outsourcing an institutional 
service or function for which it would otherwise use its own employees.
    Further, the requirement that the outside party must be performing 
services or functions an employee would otherwise perform does not mean 
that a school employee must be able to perform the outsourced service 
in order for the outside party to be considered a school official under 
Sec.  99.31(a)(1)(i)(B)(1). For example, many school districts 
outsource their legal services on an as-needed basis. Even though these 
school districts may have never hired an attorney as an employee, they 
may still disclose personally identifiable information from education 
records to outside legal counsel to whom they have outsourced their 
legal services. FERPA does not otherwise restrict whether a school may 
outsource institutional services and functions; it only addresses to 
whom and under what conditions personally identifiable information from 
students' education records may be disclosed.
    Once a school has determined that an outside party is a ``school 
official'' with a ``legitimate educational interest'' in viewing 
certain education records, that party may have access to the education 
records, without consent, in order to perform the required 
institutional services and functions for the school. These outside 
parties may include parents and other volunteers who assist schools in 
various capacities, such as serving on official committees, serving as 
teachers' aides, and working in administrative offices, where they need 
access to students' education records to perform their duties.
    The disclosure of education records under any of the conditions 
listed in Sec.  99.31, including the ``school officials'' exception, is 
permissive and not required. (Only parents and eligible students have a 
right under FERPA to inspect and review their education records.) 
Therefore, schools should always use good judgment in determining the 
extent to which volunteers, as well as other school officials, need to 
have access to education records and to ensure that school officials, 
including volunteers, do not improperly disclose information from 
students' education records.
    We decline to adopt commenters' suggestion that we include in Sec.  
99.31(a)(1)(i)(B) a list of the types of parties who may serve as 
school officials and receive personally identifiable information from 
education

[[Page 74815]]

records in connection with the institutional services and functions 
outsourced by the school. We think it would be impossible to provide a 
comprehensive listing and believe that agencies and institutions are in 
the best position to make these determinations. At the discretion of a 
school, school officials may include school transportation officials 
(including bus drivers), school nurses, practicum and fieldwork 
students, unpaid interns, consultants, contractors, volunteers, and 
other outside parties providing institutional services and performing 
institutional functions, provided that each of the requirements in 
Sec.  99.31(a)(1)(i)(B) has been met.
    Under Sec.  99.31(a)(1), a university could outsource the practical 
training of students. The information disclosed to the hospital, 
clinic, or business conducting the practical training may only be used 
for the purposes for which it was disclosed. In the NPRM, we discuss in 
more detail the types of services and functions covered under Sec.  
99.31(a)(1)(i)(B). (73 FR 15578-15580.)
    In response to the comment about the applicability of Sec.  
99.31(a)(1)(i)(B) to State educational authorities that operate State 
longitudinal data systems, such officials are not ``school officials'' 
under FERPA. Rather, these officials are generally considered 
authorized representatives of a State educational authority, and LEAs 
typically disclose information from students' education records to a 
longitudinal data system maintained by an SEA or other State 
educational authorities under the exception to the consent requirement 
for disclosures to authorized representatives of State and local 
educational authorities (Sec.  99.31(a)(3)(iv)), not the ``school 
officials'' exception. This issue is explained in more detail elsewhere 
in this preamble under Educational research (Sec. Sec.  99.31(a)(6), 
99.31(a)(3)). We also discuss disclosures to non-educational agencies, 
such as to public health agencies, in the section of this preamble 
entitled Disclosure of Education Records to Non-Educational Agencies.
    Members of a school's law enforcement unit, as defined in Sec.  
99.8 of the regulations, who are employed by the agency or institution 
qualify as school officials under Sec.  99.31(a)(1)(i)(A) if the school 
has complied with the notification requirements in Sec.  
99.7(a)(3)(iii). As school officials, they may be given access to 
personally identifiable information from those students' education 
records in which the school has determined they have legitimate 
educational interests. The school's law enforcement unit must protect 
the privacy of education records it receives and may disclose them only 
with consent or under one of the exceptions to consent listed in Sec.  
99.31. For that reason, it is advisable that officials of a law 
enforcement unit maintain education records separately from law 
enforcement unit records, which are not subject to FERPA requirements. 
As we explained in Balancing Student Privacy and School Safety: A Guide 
to the Family Educational Rights and Privacy Act for Elementary and 
Secondary Schools, investigative reports and other records created by 
an institution's law enforcement unit are excluded from the definition 
of education records under Sec.  99.3 and, therefore, are not subject 
to FERPA requirements. Accordingly, schools may disclose information 
from law enforcement unit records to anyone, including local police and 
other outside law enforcement authorities, without consent. This 
brochure can be found on FPCO's ``Safe Schools & FERPA'' Web page: 
http://www.ed.gov/policy/gen/guid/fpco/ferpa/safeschools/index.html.
    Outside police officers or other non-employees to whom the school 
has outsourced its safety and security functions do not qualify as 
``school officials'' under FERPA unless they meet each of the 
requirements of Sec.  99.31(a)(1)(i)(B). If these police officers or 
other outside parties do not meet the requirements for being a school 
official under FERPA, they may not have access to students' education 
records without consent, unless there is a health or safety emergency, 
a lawfully issued subpoena or court order, or some other exception to 
FERPA's general consent requirement under which the disclosure falls.
    With respect to our amendment to the ``school officials'' 
exception, we note that Sec.  99.32(d) excludes from the recordation 
requirements disclosures of education records that educational agencies 
and institutions make to school officials. This exclusion from the 
recordation requirement will apply as well to disclosures to 
contractors, consultants, volunteers, and other outside parties to whom 
an agency or institution discloses education records under Sec.  
99.31(a)(1)(i)(B). The Department has long recognized that FERPA does 
not prevent schools from outsourcing institutional services and 
functions; to require schools to record disclosures to these outside 
parties serving as school officials would be overly burdensome and 
unworkable.
    An educational agency or institution that complies with the 
notification requirements in Sec.  99.7(a)(3)(iii) by specifying its 
policy regarding the disclosure of education records to contractors and 
other outside parties serving as school officials provides legally 
sufficient notice to parents and students regarding these disclosures. 
We have posted model notifications on our Web site, one for 
postsecondary institutions and one for LEAs. See 
http://www.ed.gov/policy/gen/guid/fpco/ferpa/ps-officials.html and 
http://www.ed.gov/policy/gen/guid/fpco/ferpa/lea-officials.html.
    Changes: None.

(b) Direct Control

    Comment: Some commenters asked the Department to clarify what the 
term ``direct control'' means as used in Sec.  99.31(a)(1)(i)(B)(2). 
This section provides that in order to be considered a ``school 
official'' an outside party must be under the direct control of the 
agency or institution. Some commenters asked if this term means that 
the school must monitor the operations of the outside party, and how it 
affects an agency's or institution's relationship with subcontractors 
or third- or fourth-party database hosting companies. One commenter 
stated that the regulations should not distinguish between whether the 
education records are hosted in a vendor's offsite network or within 
the institution's local network servers, while another commenter asked 
for clarification of how Sec.  99.31(a)(1)(i)(B) applies to outsourcing 
electronic mail (e-mail) services to third parties such as Microsoft or 
Google.
    One commenter stated that institutions should be required to verify 
that parties to whom they outsource services have the necessary 
resources to safeguard education records provided to them.
    A commenter suggested that, instead of the proposed ``direct 
control'' standard, the Department adopt language similar to the 
safeguarding standard found in the Gramm-Leach-Bliley Act (GLB) (Pub. 
L. 106-102, November 12, 1999). The commenter suggested that, as 
adapted in FERPA, the standard would require that for an outside party, 
acting on behalf of an educational institution, to be considered a 
``school official,'' the institution would have to: (1) Take reasonable 
steps to select and retain contractors, consultants, volunteers, or 
other outside parties that are capable of maintaining appropriate 
safeguards with respect to education records; and (2) mandate by 
contract that the outside party implement and maintain such safeguards.
    Discussion: The term ``direct control'' in Sec.  
99.31(a)(1)(i)(B)(2) is intended to

[[Page 74816]]

ensure that an educational agency or institution does not disclose 
education records to an outside service provider unless it can control 
that party's maintenance, use, and redisclosure of education records. 
This could mean, for example, requiring a contractor to maintain 
education records in a particular manner and to make them available to 
parents upon request. We are revising the regulations, however, to 
provide this clarification.
    Neither the statute nor the FERPA regulations specifically requires 
that educational agencies and institutions verify that outside parties 
to whom schools outsource services have the necessary resources to 
safeguard education records provided to them. However, as discussed in 
the NPRM, educational agencies and institutions are responsible under 
FERPA for ensuring that they themselves do not have a policy or 
practice of releasing, permitting the release of, or providing access 
to personally identifiable information from education records, except 
in accordance with FERPA. This includes ensuring that outside parties 
that provide institutional services or functions as ``school 
officials'' under Sec.  99.31(a)(1)(i)(B) do not maintain, use, or 
redisclose education records except as directed by the agency or 
institution that disclosed the information.
    The ``direct control'' requirement is intended to apply only to the 
outside party's provision of specific institutional services or 
functions that have been outsourced and the education records provided 
to that outside party to perform the services or function. It is not 
intended to affect an outside service provider's status as an 
independent contractor or render that party an employee under State or 
Federal law.
    We believe that the use of the ``direct control'' standard strikes 
an appropriate balance in identifying the necessary and proper 
relationship between the school and its outside parties that are 
serving as ``school officials.'' The recommendation that we adopt a 
standard more closely aligned with the GLB standard does not appear 
workable, especially with regard to requiring that schools enter into 
formal contracts with each outside party performing services, including 
parent-volunteers. However, one way in which schools can ensure that 
parties understand their responsibilities under FERPA with respect to 
education records is to clearly describe those responsibilities in a 
written agreement or contract.
    Exercising direct control could prove more challenging in some 
situations than in others. Schools outsourcing information technology 
services, such as web-based and e-mail services, should make clear in 
their service agreements or contracts that the outside party may not 
use or allow access to personally identifiable information from 
education records, except in accordance with the requirements 
established by the educational agency or institution that discloses the 
information.
    Changes: We have revised Sec.  99.31(a)(1)(B)(2) to clarify that 
the outside party must be under the direct control of the agency or 
institution with respect to the use and maintenance of information from 
education records.

(c) Protection of Records by Outside Parties Serving as School 
Officials

    Comment: We received several comments on proposed Sec.  
99.31(a)(1)(i)(B)(3), which provides that an outside party serving as a 
``school official'' is subject to the requirement in Sec.  99.33(a), 
regarding the use and redisclosure of personally identifiable 
information from education records. One commenter stated that, while he 
supported and welcomed this clarification, the proposed regulations did 
not go far enough to clarify that these outside third parties could not 
use education records of multiple institutions for which they serve as 
a contractor to engage in activities not associated with the service or 
function they were providing.
    Some commenters suggested that the regulations should require all 
school officials who handle education records, including parties to 
whom institutional services and functions are outsourced, to 
participate in annual training and to undergo fingerprint and 
background investigations.
    Another commenter stated that any disclosures associated with the 
outsourcing of institutional services and functions should include a 
record that will serve as an audit trail. The commenter noted that both 
the Health Insurance Portability and Accountability Act (HIPAA) and the 
Privacy Act of 1974 require the maintenance of audit trails or an 
accounting of disclosures of records.
    Discussion: An agency or institution must ensure that an outside 
party providing institutional services or functions does not use or 
allow access to education records except in strict accordance with the 
requirements established by the educational agency or institution that 
discloses the information. Section 99.33(a)(2) of the FERPA regulations 
applies to employees and outside service providers alike and prohibits 
the recipient from using education records for any purpose other than 
the purposes for which the disclosure was made. This includes ensuring 
that outside parties do not use education records in their possession 
for purposes other than those specified by the institution that 
disclosed the records.
    FERPA does not specifically require that educational agencies and 
institutions provide annual training to school officials that handle 
education records, and we decline to establish such a requirement in 
these regulations. Educational agencies and institutions should have 
flexibility in determining the best way to ensure that school officials 
are made aware of the requirements of FERPA. However, for entities 
subject to the Individuals with Disabilities Education Act (IDEA), 34 
CFR 300.623(c) provides that all persons collecting or using personally 
identifiable information must receive training or instruction regarding 
their State's policies and procedures under 34 CFR 300.123 
(Confidentiality of personally identifiable information) and 34 CFR 
Part 99, the FERPA regulations. We note that while schools are 
certainly free to implement a policy requiring school officials and 
parties to whom services have been outsourced to undergo fingerprint 
and background investigations, there is no statutory authority in FERPA 
to include such a requirement in the regulations.
    We note also that the Department routinely provides compliance 
training on FERPA for school officials. Typically, presentations are 
made throughout the year to national, regional, or State educational 
association conference workshops with numerous institutions in 
attendance. Training sessions are also scheduled for State departments 
of education and local school districts in the vicinity of any 
conference.
    For a discussion of the comment that recommended that the 
regulations require that schools maintain an audit trail or an 
accounting of disclosures to school officials, including outside 
providers, see the discussion under the following section entitled 
Control of Access to Education Records by School Officials.
    Changes: None.

Control of Access to Education Records by School Officials (Sec.  
99.31(a)(1)(ii))

    Comment: Many commenters supported proposed Sec.  99.31(a)(1)(ii), 
which requires an educational agency or institution to use reasonable 
methods to ensure that school officials have access to only those 
education records in which the official has a legitimate educational 
interest. In this section, we also proposed that an educational

[[Page 74817]]

agency or institution that does not use physical or technological 
access controls must ensure that its administrative policy for 
controlling access to education records is effective and that it 
remains in compliance with the ``legitimate educational interest'' 
requirement.
    One commenter who supported the proposed regulations expressed 
concern that not all districts and institutions have the financial or 
technological resources to create or purchase an electronic system that 
provides fully automated access control and that an institution using 
only administrative controls would be required to demonstrate that each 
school official who accessed education records possessed a legitimate 
educational interest in the education records to which the official 
gained access. According to the commenter, the regulations seem to omit 
the ``reasonable methods'' concept for those schools that utilize 
administrative controls rather than physical or technological controls. 
The commenter was concerned that smaller schools that lack resources to 
create or purchase a system that fully monitors record access would be 
disadvantaged by having to meet a higher standard of ensuring a 
legitimate educational interest on the part of the school officials 
that access the records.
    One commenter expressed concern that the standard in Sec.  
99.31(a)(1)(ii) is too restrictive and asked whether the Department 
would use flexibility and deference in taking into consideration an 
institution's efforts in compliance with the requirement.
    Another commenter requested that we include in the regulations a 
requirement that contractors hosting data at offsite locations must 
institute effective access control measures. The commenter stated that 
many schools and contractors are uncertain as to whether the school or 
the contractor is responsible for ensuring that access controls are 
applied to data hosted by contractors.
    One commenter stated that the regulations created an unnecessary 
burden, as school districts already do their best to comply with FERPA 
and an occasional mistake should be excused. The commenter, however, 
was pleased that the regulations do not require the use of 
technological controls. The commenter was concerned that schools are 
unable to pre-assign risk levels to categories of records in order to 
determine appropriate methods to mitigate improper access. The 
commenter supported the use of effective administrative controls as 
determined by a district to ensure that information is available only 
to those with a legitimate educational interest.
    One commenter expressed concern that the requirement to use 
reasonable methods to ensure appropriate access was not sufficiently 
restrictive, because under the regulations, all volunteers would be 
designated as school officials. The commenter believed that the 
regulations would enable volunteers to gain access more easily to 
confidential and sensitive information in education records.
    A commenter who is a parent of a special education student also 
expressed concern that the language in the regulations was not 
adequate. The commenter described a software package used by her 
district that permits all school officials unrestricted access to the 
IEPs of all special education students.
    Discussion: Section 99.30 requires that a parent or eligible 
student provide written consent for a disclosure of personally 
identifiable information from education records unless the 
circumstances meet one of the exceptions to consent, such as the 
release of information to a school official with a legitimate 
educational interest. Thus, a district or institution that makes a 
disclosure solely on the basis that the individual is a school official 
violates FERPA if it does not also determine that the school official 
has a legitimate educational interest. The regulations in Sec.  
99.31(a)(1)(ii) are designed to clarify the responsibility of the 
educational agency or institution to ensure that access to education 
records by school officials is limited to circumstances in which the 
school official possesses a legitimate educational interest.
    We believe that the standard of ``reasonable methods'' is 
sufficiently flexible to permit each educational agency or institution 
to select the proper balance of physical, technological, and 
administrative controls to effectively prevent unauthorized access to 
education records, based on their resources and needs. In order to 
establish a system driven by physical or technological access controls, 
a school would generally first determine when a school official has a 
legitimate educational interest in education records and then determine 
which physical or technological access controls are necessary to ensure 
that the official can access only those records. The regulations 
require a school that uses only administrative controls to ensure that 
its administrative policy for controlling access to education records 
is effective and that the school is in compliance with the legitimate 
educational interest requirement in Sec.  99.31(a)(1)(i)(A). However, 
the ``reasonable methods'' standard applies whether the control is 
physical, technological, or administrative.
    The regulations permit the use of a variety of methods to protect 
education records, in whatever format, from improper access. The 
Department expects that educational agencies and institutions will 
generally make appropriate choices in designing records access 
controls, but the Department reserves the right to evaluate the 
effectiveness of those efforts in meeting statutory and regulatory 
requirements.
    The additional language that one commenter requested concerning 
outsourcing is already included in the regulations in Sec.  
99.31(a)(1). That section specifically provides that contractors are 
subject to the same conditions governing the access and use of records 
that apply to other school officials. As long as those conditions are 
met, the physical location in which the contractor provides the service 
is not relevant.
    Because the regulations permit the use of a variety of methods to 
effectively reduce the risk of unauthorized access to education 
records, we do not believe the requirement to establish ``reasonable 
methods'' for controlling access is unduly burdensome. Schools have the 
flexibility to decide the method or methods best suited to their own 
circumstances. For the many schools, districts, and institutions that 
already meet the standard, no operational changes should be necessary.
    The regulations do not designate all volunteers as school 
officials. Rather, the regulations clarify that schools may designate 
volunteers as school officials who may be provided access to education 
records only when the volunteer has a legitimate educational interest. 
Schools can and should carefully assess and limit access by any school 
official, including volunteers. This issue is discussed in more detail 
previously in this preamble under the section entitled Outsourcing.
    With regard to the parent who expressed concern that the language 
in the regulations was not adequate to address the problem of software 
that permits all school officials to access the IEPs of all special 
education students, we believe that the language in Sec.  
99.31(a)(1)(ii) is sufficient. As previously noted, FERPA prohibits 
school officials from having access to education records unless they 
have a legitimate educational interest. The commenter's point 
illustrates the need for educational agencies and institutions to 
ensure that adequate controls are in

[[Page 74818]]

place to restrict access to education records only to a school official 
with a legitimate educational interest.
    Changes: None.

Transfer of Education Records to Student's New School (Sec. Sec.  
99.31(a)(2) and 99.34(a))

    Comment: All of the comments we received on proposed Sec. Sec.  
99.31(a)(2) and 99.34(a) supported the clarification that an 
educational agency or institution may disclose a student's education 
records to officials of another school, school system, or institution 
of postsecondary education not just when the student seeks or intends 
to enroll, but after the student is already enrolled, so long as the 
disclosure is for purposes related to the student's enrollment or 
transfer. Some commenters noted that this clarification reduces legal 
uncertainty about how long a school may continue to send records or 
information to a student's new school; other commenters noted that this 
clarification will be helpful in serving students who are homeless or 
in foster care because these students are often already enrolled in a 
new school system while waiting for records from a previous enrollment.
    A few commenters asked us to clarify the requirement that the 
disclosure must be for purposes related to the student's enrollment or 
transfer. The commenters asked whether this meant that only records 
specifically related to the new school's decision to admit the student 
or records related to the transfer of course credit could be disclosed, 
or whether the agency or institution could also disclose information 
about previously undisclosed disciplinary actions related to the 
student's ongoing attendance at the new institution. One commenter 
suggested that we remove the requirement that the disclosure must be 
for purposes of the student's enrollment or transfer because it was 
confusing and unnecessary. Some commenters asked the Department to 
provide guidance about the types of records that may be sent under the 
regulations to a student's new school, noting that the preamble to the 
NPRM stated that the regulations allow school officials to disclose any 
and all education records, including health and disciplinary records, 
to the new school (73 FR 15581).
    One commenter asked us to clarify that any school, not just the 
school the student attended most recently, may disclose information 
from education records to the institution that the student currently 
attends. Another commenter asked whether the amended regulations would 
permit the disclosure of education records to an institution in which a 
student seeks information or services but not enrollment, such as when 
a charter school student requests an evaluation under the IDEA from the 
student's home school district.
    Two commenters asked whether mental health and other treatment 
records of postsecondary students, which are excluded from the 
definition of education records under FERPA, could be disclosed to the 
new school. Other commenters asked whether FERPA places any limits on 
the transfer of information about student disciplinary actions to 
colleges and universities and what information a postsecondary 
institution may ask for and receive regarding a student's disciplinary 
actions. A few commenters asked us to address the relationship between 
these regulations and guidance issued by the Department's Office for 
Civil Rights (OCR) prohibiting the pre-admission release of information 
about a student's disability under section 504 of the Rehabilitation 
Act of 1973, as amended, and Title II of the Americans with 
Disabilities Act of 1990, as amended.
    Discussion: The regulations are intended to eliminate uncertainty 
about whether, under Sec.  99.31(a)(2), an educational agency or 
institution may send education records to a student's new school even 
after the student is already enrolled and attending the new school. The 
requirement that the disclosure must be for purposes related to the 
student's enrollment or transfer is not intended to limit the kind of 
records that may be disclosed under this exception. Instead, the 
regulations are intended to clarify that, after a student has already 
enrolled in a new school, the student's former school may disclose any 
records or information, including health records and information about 
disciplinary proceedings, that it could have disclosed when the student 
was seeking or intending to enroll in the new school.
    These regulations apply to any school that a student previously 
attended, not just the school that the student attended most recently. 
For example, under Sec.  99.31(a)(2), a student's high school may send 
education records directly to a graduate school in which the student 
seeks admission, or is already enrolled. Section 99.34(b), which 
explains the conditions that apply to the disclosure of information to 
officials of another school, school system, or postsecondary 
institution, allows a public charter school or other agency or 
institution to disclose the education records of one of its students in 
attendance to the student's home school district if the student 
receives or seeks to receive services from the home school district, 
including an evaluation under the IDEA. We note, however, that the 
confidentiality of information regulations under Part B of the IDEA 
contain additional consent requirements that may also apply in these 
circumstances.
    Under section 444(a)(4)(B)(iv) of FERPA, 20 U.S.C. 
1232g(a)(4)(B)(iv), medical and psychological treatment records of 
eligible students are excluded from the definition of education records 
if they are made, maintained, and used only in connection with 
treatment of the student and disclosed only to individuals providing 
the treatment, including treatment providers at the student's new 
school. (While the comment concerned records of postsecondary students, 
we note that the treatment records exception to the definition of 
education records applies also to any student who is 18 years of age or 
older, including 18 year old high school students.) An educational 
agency or institution may disclose an eligible student's treatment 
records to the student's new school for purposes other than treatment 
provided that the records are disclosed under one of the exceptions to 
written consent under Sec.  99.31(a), including Sec.  99.31(a)(2), or 
with the student's written consent under Sec.  99.30. If an educational 
agency or institution discloses an eligible student's treatment records 
for purposes other than treatment, the treatment records are no longer 
excluded from the definition of education records and are subject to 
all other FERPA requirements, including the right of the eligible 
student to inspect and review the records and to seek to have them 
amended under certain conditions. In practical terms, this means that 
an agency or institution may disclose an eligible student's treatment 
records to the student's new school either with the student's written 
consent, or under one of the exceptions in Sec.  99.31(a), including 
Sec.  99.31(a)(2), which permits disclosure to a school where a student 
seeks or intends to enroll, or where the student is already enrolled so 
long as the disclosure is for purposes related to the student's 
enrollment or transfer.
    FERPA does not contain any particular restrictions on the 
disclosure of a student's disciplinary records. Further, Congress has 
enacted legislation to ensure that schools transfer disciplinary 
records to a student's new school in certain circumstances. In 
particular, section 444(h) of the statute, 20 U.S.C. 1232g(h), and the 
implementing regulations in Sec.  99.36(b) provide that nothing in 
FERPA prevents an educational agency

[[Page 74819]]

or institution from including in a student's records and disclosing to 
teachers and school officials, including those in other schools, 
appropriate information about disciplinary actions taken against the 
student for conduct that posed a significant risk to the safety or 
well-being of that student, other students, or other members of the 
school community. This authority is in addition to any other authority 
in FERPA for the disclosure of education records without consent, 
including the authority under Sec.  99.36(a) to disclose education 
records in connection with a health or safety emergency. In addition, 
section 4155 of the Elementary and Secondary Education Act of 1965 
(ESEA), 20 U.S.C. 7165, as amended by the No Child Left Behind Act of 
2001 (NCLB), requires a State that receives funds under the ESEA to 
have a procedure in place to facilitate the transfer of disciplinary 
records, with respect to a suspension or expulsion, by LEAs to any 
private or public elementary school or secondary school for any student 
who is enrolled or seeks, intends, or is instructed to enroll, on a 
full- or part-time basis, in the school.
    There are, however, other Federal laws, such as the IDEA, section 
504 of the Rehabilitation Act of 1973, as amended (Rehabilitation Act), 
and Title II of the Americans with Disabilities Act of 1990, as amended 
(ADA), with different requirements that may affect the release of 
student information. For example, educational agencies and institutions 
that are ``public agencies'' or ``participating agencies'' under the 
IDEA must comply with the requirements in the Part B confidentiality of 
information regulations. See, e.g., 34 CFR 300.622(b)(2) and (3). By 
way of further illustration, because educational agencies and 
institutions receive Federal financial assistance, they must comply 
with the regulations implementing section 504 of the Rehabilitation 
Act, which generally prohibit postsecondary institutions from making 
pre-admission inquiries about an applicant's disability status. See 34 
CFR 104.42(b)(4) and (c). However, after admission, in connection with 
an emergency and if necessary to protect the health or safety of a 
student or other persons as defined under FERPA and its implementing 
regulations, section 504 of the Rehabilitation Act and Title II of the 
ADA do not prohibit postsecondary institutions from obtaining 
information and education records concerning a current student, 
including those with disabilities, from any school previously attended 
by the student. See the discussion in the section entitled Health or 
Safety Emergency (Sec.  99.36).
    Changes: None.

Ex Parte Court Orders Under the USA Patriot Act (Sec.  99.31(a)(9))

    Comment: Two commenters expressed support for the proposed 
regulations, which incorporate statutory changes that allow an 
educational agency or institution to comply with an ex parte court 
order issued under the USA Patriot Act. One commenter said that it 
would be helpful to add to the regulations a statement from the 
preamble to the NPRM that an institution is not responsible for 
determining the relevance of the information sought or the merits of 
the underlying claim for the court order.
    Several commenters opposed Sec.  99.31(a)(9). One commenter said 
that the USA Patriot Act is unconstitutional and that its provisions 
will sunset in 2009. Another commenter said that the regulations harm 
its ability to preserve the confidentiality of education records, 
particularly those of foreign students. The commenter asked us to 
change the regulations to permit institutions to notify students when 
records are requested, unless the ex parte court order specifically 
states that the student should not be notified. Another commenter said 
that schools should be required to notify parents when records are 
requested and to record the disclosure.
    Discussion: The USA Patriot Act amendments to FERPA have not been 
ruled unconstitutional, and its provisions relevant to FERPA do not 
sunset in 2009. Therefore, we are implementing these provisions in our 
regulations at this time.
    Under the USA Patriot Act, the U.S. Attorney General, or a designee 
in a position not lower than an Assistant Attorney General, may apply 
for an ex parte court order to collect, retain, disseminate, and use 
certain education records in the possession of an educational agency or 
institution without regard to any other FERPA requirements, including 
in particular the recordkeeping requirements. 20 U.S.C. 1232g(j)(3) and 
(4). The USA Patriot Act amendments to FERPA also provide that an 
educational agency or institution that complies in good faith with the 
court order is not liable to any person for producing the information. 
Nothing in these amendments, including the ``good faith'' requirement, 
requires an educational agency or institution to evaluate the 
underlying merits or legal sufficiency of the court order before 
disclosing the requested information without consent. As with any court 
order or subpoena that forms the basis of a disclosure without consent 
under Sec.  99.31(a)(9), the agency or institution must simply 
determine whether the ex parte court order is facially valid. We see no 
reason to include this general requirement in the regulations.
    Section 99.31(a)(9)(ii) requires an agency or institution to make a 
reasonable effort to notify a parent or eligible student of a judicial 
order or lawfully issued subpoena in advance of compliance, except for 
certain law enforcement subpoenas if the court has ordered the agency 
or institution not to disclose the existence or contents of the 
subpoena or information disclosed. An ex parte order is by definition 
an order issued without notice to or argument from the other party, 
including the party whose education records are sought, and the USA 
Patriot Act amendments provide that the Attorney General may collect 
and use the records without regard to any FERPA requirements, including 
the recordation requirements. Under this statutory authority, the 
regulations properly provide that the agency or institution is not 
required to notify the parent or eligible student before complying with 
the order or to record the disclosure.
    We do not agree with the commenter's request that we amend the 
regulations to allow agencies and institutions to notify parents and 
students and record these disclosures. We note that FERPA does not 
prohibit an educational agency or institution from notifying a parent 
or student or recording a disclosure made in compliance with an ex 
parte court order under the USA Patriot Act. However, an agency or 
institution that does so may violate the terms of the court order 
itself and may also fail to meet the good faith requirements in the USA 
Patriot Act for avoiding liability for the disclosure. We would also 
recommend that agencies and institutions consult with legal counsel 
before notifying a parent or student or recording a disclosure of 
education records made in compliance with an ex parte court order under 
the USA Patriot Act.
    Changes: None.

Registered Sex Offenders (Sec.  99.31(a)(16))

    Comment: One commenter asked for clarification whether the proposed 
regulations authorizing the disclosure of personally identifiable 
information from education records concerning registered sex offenders 
authorize only the disclosure of information that is received from 
local law enforcement officials, or whether disclosure could

[[Page 74820]]

also include other information from a student's education records, such 
as campus of attendance. A second commenter expressed appreciation that 
the regulations clarify that school districts are not required or 
encouraged to collect or maintain information on registered sex 
offenders and that these disclosures are permissible but not required.
    Discussion: The Campus Sex Crimes Prevention Act (CSCPA) amendments 
to FERPA allow educational agencies and institutions to disclose any 
information concerning registered sex offenders provided to the agency 
or institution under section 170101 of the Violent Crime Control and 
Law Enforcement Act of 1994, 42 U.S.C. 14071, commonly known as the 
Wetterling Act. Since publication of the NPRM, we have determined that 
the proposed regulations were confusing, because they limited these 
disclosures to information that was obtained and disclosed by an agency 
or institution in compliance with a State community notification 
program. In fact, the CSCPA amendments to FERPA cover any information 
provided to an educational agency or institution under the Wetterling 
Act, including not only information provided under general State 
community notification programs, which are required under subsection 
(e) of the Wetterling Act, 42 U.S.C. 14071(e), but also information 
provided under the more specific campus community notification programs 
for institutions of higher education, which are required under 
subsection (j), 42 U.S.C. 14071(j).
    The Wetterling Act requires States to release relevant information 
about persons required to register as sex offenders that is necessary 
to protect the public, including specific State reporting requirements 
for law enforcement agencies having jurisdiction over institutions of 
higher education. The exception to the consent requirement in FERPA 
allows educational agencies and institutions to make available to the 
school community any information provided to it under the Wetterling 
Act. We interpret this to also include any additional information about 
the student that is relevant to the purpose for which the information 
was provided to the educational agency or institution--protecting the 
public. This could include, for example, the school or campus at which 
the student is enrolled.
    The proposed regulations included a sentence stating that FERPA 
does not require or encourage agencies or institutions to collect or 
maintain information about registered sex offenders. We have determined 
through further review, however, that this sentence could be confusing 
and should be removed. Participating institutions are required under 
section 485(f)(1) of the Higher Education Act of 1965, as amended, 20 
U.S.C. 1092(f)(1), to advise the campus community where it may obtain 
law enforcement agency information provided by the State under 42 
U.S.C. 14071(j) concerning registered sex offenders. Further, the 
Department does not wish to discourage educational agencies and 
institutions from disclosing relevant information about a registered 
sex offender in appropriate circumstances.
    Changes: We have revised the regulations to remove the reference to 
the disclosure of information obtained by the educational agency or 
institution in compliance with a State community notification program. 
The regulations now simply allow disclosure without consent of any 
information concerning registered offenders provided to an educational 
agency or institution under 42 U.S.C. 14071 and applicable Federal 
guidelines. We also have removed the sentence stating that neither 
FERPA nor the regulations requires or encourages agencies or 
institutions to collect or maintain information about registered sex 
offenders.

Redisclosure of Education Records and Recordkeeping by State and Local 
Educational Authorities and Federal Officials and Agencies (Sec. Sec.  
99.31(a)(3); 99.32(b); 99.33(b); 99.35(a)(2); 99.35(b))

(a) Redisclosure

    Comment: We received a number of comments on the proposed changes 
in Sec.  99.35(b) that would permit State and local educational 
authorities and Federal officials and agencies listed in Sec.  
99.31(a)(3) to redisclose personally identifiable information from 
education records on behalf of educational agencies and institutions 
without parental consent under the existing redisclosure authority in 
Sec.  99.33(b). (Section 99.33(b) allows an educational agency or 
institution to disclose personally identifiable information from 
education records with the understanding that the recipient may make 
further disclosures of the information on behalf of the agency or 
institution if the disclosure falls under one of the exceptions in 
Sec.  99.31(a) and the agency or institution has complied with the 
recordation requirements in Sec.  99.32(b).) Many commenters said that 
the proposed change would ease administrative burdens on State and 
local educational authorities, agencies, and institutions. For example, 
under the proposed regulations, a student's new school district or 
institution would be able to obtain the student's prior education 
records from a single State agency instead of contacting and waiting 
for records from separate districts or institutions. Commenters noted, 
however, that certain issues had not been addressed in the proposed 
regulations and that further clarification was required. Commenters 
also supported the new redisclosure authority to the extent that it 
facilitates the exchange of education records among State educational 
authorities, educational agencies and institutions, and educational 
researchers through consolidated, statewide systems or separate data 
sharing arrangements.
    Two commenters expressed substantial concerns that the regulations 
inappropriately expanded the situations in which personally 
identifiable information could be redisclosed without parental or 
student consent. One commenter noted that the theoretical benefits of 
maintaining large, consolidated data systems, which allow users to 
track individual students over time, do not outweigh the need to 
protect individual privacy. Another commenter stated that the 
regulations should not allow State and local educational authorities 
and the Federal officials and agencies listed in Sec.  99.31(a)(3) to 
set up and operate record systems containing personally identifiable 
information that parents and students have no right to review or amend, 
and may not even know about. Barring the withdrawal of these 
regulations, these commenters urged the Department to strengthen or at 
least preserve the safeguards and protections that accompany this new 
data sharing authority. One commenter asked us to require any State or 
Federal entity that maintains education records to provide parents and 
students with annual notification and the right to review and amend the 
students' records.
    Many commenters indicated their strong support for allowing State 
educational authorities to respond to requests for information from 
education records and redisclose personally identifiable information, 
whether for data sharing systems, transferring records to a student's 
new school, or other purposes authorized under Sec.  99.31(a), without 
involving school districts and postsecondary institutions. These 
commenters generally thought that State educational authorities and 
Federal officials listed in Sec.  99.31(a)(3) should not be required to 
consult with educational agencies and institutions when redisclosing 
information from education records. One commenter

[[Page 74821]]

asked us to clarify the role of the SEA or other State educational 
authority as the custodian of education records and its authority to 
act for educational agencies and institutions. Several commenters urged 
us to revise the regulations to make clear that the redisclosing 
official is authorized to make further disclosures under Sec.  99.31(a) 
without approval from, or further consultation with, the original 
source of the records and maintain the appropriate record related to 
the redisclosure.
    One commenter said that the regulations must allow State 
educational authorities to transfer records on behalf of LEAs and 
postsecondary institutions. One commenter strongly supported the 
changes in Sec.  99.35(b) because they would allow the State McKinney-
Vento coordinator to control transfer of education records of abused 
and homeless students to their new schools and prevent potential 
abusers from locating the student.
    Some commenters believed that current regulations impede the 
ability of States to establish and operate data sharing systems and 
that regulatory changes must allow all educational agencies, 
institutions, SEAs, and other State educational authorities to exchange 
data among themselves and work with researchers. One commenter 
recommended that we create a specific exception in Sec.  99.31(a) that 
would allow data sharing across State educational authorities in order 
to establish and operate consolidated, longitudinal data systems.
    Several commenters asked for clarification of the requirement in 
Sec.  99.35(a)(2) that authority for an agency or official listed in 
Sec.  99.31(a)(3) to conduct an audit, evaluation, or compliance or 
enforcement activity is not conferred by FERPA or the regulations and 
must be established under other Federal, State, or local law, including 
valid administrative regulations. One commenter supported data sharing 
among pre-school, K-12, and postsecondary institutions, provided that 
appropriate legal authority for the underlying audit, evaluation, or 
compliance and enforcement activity is established as required under 
Sec.  99.35(a)(2). One commenter asked whether citation to a specific 
law or regulations will be required, or whether general State laws that 
provide joint authority to evaluate programs at all levels are 
sufficient for parties to enter into data sharing agreements under the 
regulations.
    One commenter indicated that its State has no laws or regulations 
that specifically allow the State-level advisory council to audit or 
evaluate education programs, or that allow a K-12 school district to 
audit or evaluate the programs offered by postsecondary institutions, 
and vice versa, and the commenter asked whether general authority for 
these entities to act under State law would be sufficient. Two 
commenters whose States do not house their K-12 and postsecondary 
systems within the same agency expressed concern whether they will be 
able to develop consolidated databases under the regulations if their 
K-12 and postsecondary agencies do not have appropriate authority to 
audit or evaluate each other's programs.
    Discussion: We continue to believe that State and local educational 
authorities and Federal officials that receive education records under 
Sec. Sec.  99.31(a)(3) and 99.35 should be permitted to redisclose 
education records on behalf of educational agencies and institutions in 
accordance with the existing regulations governing the redisclosure of 
information in Sec.  99.33(b). We agree with the commenters that this 
change will ease administrative burdens at all levels and facilitate 
the creation and operation of statewide data sharing systems that 
support the student achievement, program accountability, transfer of 
records, and other objectives of Federal and State education programs 
while protecting the privacy rights of parents and students in 
students' education records.
    We respond first to commenters' concerns about the requirement in 
Sec.  99.33(b) that any redisclosure of personally identifiable 
information from education records must be made on behalf of the 
educational agency or institution that disclosed the information to the 
receiving party, including any requirement for consulting with or 
obtaining approval from the educational agency or institution that 
disclosed the information. The statutory prohibitions on the 
redisclosure of education records apply to education records that SEAs, 
State higher educational authorities, the Department, and other Federal 
officials receive under an exception to the written consent requirement 
in FERPA, such as Sec. Sec.  99.31(a)(3) and 99.35 (for audit, 
evaluation, compliance and enforcement purposes) and Sec.  99.31(a)(4) 
(for financial aid purposes). As explained in the preamble to the NPRM, 
Sec.  99.33(b) allows an educational agency or institution to disclose 
education records with the understanding that the recipient may make 
further disclosures on its behalf under one of the exceptions in Sec.  
99.31 (73 FR 15586-15587). In that case, the disclosing agency or 
institution must record the names of the additional parties to which 
the receiving party may redisclose the information on behalf of the 
educational agency or institution and their legitimate interests under 
Sec.  99.31.
    Under the regulatory framework for redisclosing education records 
in Sec.  99.33(b), educational agencies and institutions retain primary 
responsibility for disclosing and authorizing redisclosure of their 
education records without consent. (We note again that the only 
disclosures of education records that are mandatory under FERPA are 
those made to parents and eligible students.) The purpose of Sec.  
99.33(b), which allows redisclosure of education records 
notwithstanding the general statutory restrictions, has always been to 
ease administrative burdens on educational agencies and institutions 
that disclose education records. The legal basis for this accommodation 
is that the recipient is acting ``on behalf of'' the agency or 
institution from which it received information from education records 
and making a further disclosure that the agency or institution would 
otherwise make itself under Sec.  99.31(a). Section 99.33(b) does not 
confer on any recipient of education records independent authority to 
redisclose those records apart from acting ``on behalf of'' the 
disclosing educational agency or institution.
    The Department recognizes that the State and local educational 
authorities and Federal officials that receive education records 
without consent under Sec.  99.31(a)(3) are responsible for supervising 
and monitoring educational agencies and institutions and that many of 
them also maintain centralized data systems that constitute a valuable 
resource of information from education records. The proposed changes to 
Sec.  99.35(b) would allow these State and Federal authorities and 
officials to redisclose information received under Sec.  99.31(a)(3) 
under any of the exceptions in Sec.  99.31(a), including transferring 
education records to a student's new school under Sec.  99.31(a)(2), 
sharing information among other State and local educational authorities 
and Federal officials for audit or evaluation purposes under Sec.  
99.31(a)(3), and using researchers to conduct evaluations and studies 
under Sec.  99.31(a)(3) or Sec.  99.31(a)(6), without violating the 
statutory prohibitions on redisclosing education records provided 
certain conditions have been met. In the event that an educational 
agency or institution objects to the redisclosure of information it has 
provided, the State or

[[Page 74822]]

local educational authority or Federal official or agency may rely 
instead on any independent legal authority it has to further disclose 
the information.
    We agree that current regulations were unclear about the ability of 
States to establish and operate data sharing systems with educational 
agencies and institutions, which is why we amended Sec.  99.35(b). As 
explained in the NPRM (73 FR 15587), Sec. Sec.  99.35(a)(2) and 
99.35(b) allow SEAs, higher education authorities, and educational 
agencies and institutions, including local school districts and 
postsecondary institutions, to share education records in personally 
identifiable form with one another, provided that Federal, State, or 
local law authorizes the recipient to conduct the audit, evaluation, or 
compliance or enforcement activity in question. Accordingly, data 
sharing arrangements among State and local educational authorities and 
educational agencies and institutions generally must meet these 
requirements to be permissible under FERPA. (Data sharing with 
educational researchers is discussed below under Educational research.)
    With respect to the comments recommending that we create a specific 
exception in Sec.  99.31(a) to allow data sharing across State 
educational authorities in order to establish and operate consolidated, 
longitudinal data systems and other data sharing arrangements, there is 
no provision in FERPA that allows disclosure or redisclosure of 
education records, without consent, for the specific purpose of 
establishing and operating consolidated databases and data sharing 
systems, and, therefore, we are without authority to establish one in 
these regulations.
    In response to the questions concerning the need for Federal, 
State, or local legal authority to disclose education records for audit 
or evaluation purposes, we note that, in general, FERPA allows 
educational agencies and institutions to disclose (and authorized 
recipients to redisclose) education records without consent in 
accordance with the exceptions listed in Sec.  99.31(a), including for 
audit or evaluation purposes under Sec. Sec.  99.31(a)(3) and 99.35. It 
does not, however, provide the underlying authority for individuals and 
organizations to conduct the various activities that may allow them to 
receive education records without consent under these exceptions. For 
example, Sec.  99.31(a)(7) does not authorize an organization to 
accredit educational institutions; it allows educational institutions 
to disclose personally identifiable information from education records, 
without consent, to an organization to carry out its accrediting 
functions. If that organization is not, in fact, an accreditation 
authority for that particular institution, then disclosure under Sec.  
99.31(a)(7) is invalid and violates FERPA. Likewise, Sec.  99.31(a)(9) 
does not authorize a court or Federal grand jury to issue an order or 
subpoena; it allows an educational agency or institution to comply with 
a facially valid order or subpoena, without consent.
    We added the requirement in Sec.  99.35(a)(2) that the recipient 
have authority under Federal, State, or local law to conduct the 
activity for which the disclosure was made because there was 
significant confusion in the educational community about who may 
receive education records without consent for audit and evaluation 
purposes under Sec.  99.35. For example, in 2005 the Pennsylvania 
Department of Education (PDOE) asked the Department whether, in the 
absence of parental consent, a charter school LEA responsible under 
State law for providing a free appropriate public education to students 
with disabilities enrolled in the charter school could send the local 
school district of residence the IEP of each student with a disability. 
The school districts of residence claimed that they needed this 
information to substantiate the charter school's invoices for higher 
payments based on the student's special education status under the 
IDEA.
    Our January 2006 response to PDOE explained that in order to meet 
the requirements for disclosure of education records under Sec. Sec.  
99.31(a)(3) and 99.35, Federal, State, or local law (including valid 
administrative regulations) must authorize the relevant State or local 
educational authority to conduct the audit, evaluation, or compliance 
or enforcement activity in question. In particular, we noted that 
charter schools in Pennsylvania could disclose the IEP cover sheet 
under Sec. Sec.  99.31(a)(3) and 99.35 of the regulations if the State 
law in question authorized a local school district to ``audit or 
evaluate'' a charter school's request for payment of State funds at the 
special education rate and the school district needed personally 
identifiable information for that purpose, and that we would defer to 
the State Attorney General's interpretation of State law on the matter. 
We also explained that there appeared to be no legal authority that 
would allow charter schools in the State to disclose a student's entire 
IEP to the resident school district, as requested by the resident 
school districts.
    The Department has always interpreted Sec. Sec.  99.31(a)(3) and 
99.35 to allow educational agencies and institutions to disclose 
personally identifiable information from education records to the SEA 
or State higher education board or commission responsible for their 
supervision based on the understanding that those entities are 
authorized to audit or evaluate (or enforce Federal legal requirements 
related to) the education programs provided by the agencies and 
institutions whose records are disclosed. Under this reasoning, a K-12 
school district (LEA) may disclose personally identifiable information 
from education records to another LEA, or to a State higher education 
board or commission, without consent, if that LEA, board, or commission 
has legal authority to conduct the audit, evaluation, or compliance or 
enforcement activity with regard to the disclosing district's programs. 
States do not have to house their K-12 or P-12 and postsecondary 
systems within the same agency in order to take advantage of this 
provision. However, they may need to review and modify the supervisory 
and oversight responsibilities of various State and local educational 
authorities to ensure that there is valid legal authority for LEAs, 
postsecondary institutions, SEAs, and higher education authorities to 
disclose or redisclose personally identifiable information from 
education records to one another under Sec.  99.35(a) before 
information is released.
    It is not our intention in Sec.  99.35(a)(2) to require educational 
agencies and institutions and other parties to identify specific 
statutory authority before they disclose or redisclose education 
records for audit or evaluation purposes but to ensure that some local, 
State, or Federal legal authority exists for the audit or evaluation, 
including for example an Executive Order or administrative regulation. 
The Department encourages State and local educational authorities and 
educational agencies and institutions to seek guidance from their State 
attorney general on their legal authority to conduct a particular audit 
or evaluation. The Department may also provide additional guidance, as 
appropriate.
    Changes: None.

(b) Recordation Requirements

    Comment: In the NPRM, 73 FR 15587, we invited public comment on 
whether an SEA, the Department, or other official or agency listed in 
Sec.  99.31(a)(3) should be allowed to maintain the record of the 
redisclosures it makes on behalf of an educational agency or

[[Page 74823]]

institution as a means of relieving any administrative burdens 
associated with recording disclosures of education records. One 
commenter urged the Department not to delegate responsibility for 
recordkeeping to State and local educational authorities and Federal 
agencies and officials that redisclose education records under Sec.  
99.33(b). Another said that if a State or local educational authority 
or Federal agency or official rediscloses information ``on behalf of'' 
an educational agency or institution under Sec.  99.35(b), these 
further disclosures should be included in the student's record at the 
educational agency or institution. All other comments on this issue 
supported revising the regulations to allow State and local educational 
authorities and Federal officials and agencies listed in Sec.  
99.31(a)(3) to record any redisclosures they make under Sec.  99.33(b).
    Several commenters suggested that the recordation requirements in 
Sec.  99.32(b) would place an undue burden on State and local officials 
when State educational authorities redisclose education records because 
the State authority would need to return to each original source of the 
records to record the redisclosure. Some commenters noted that 
compliance with Sec.  99.32(b) is practically impossible if an LEA or 
postsecondary institution is required to record all authorized 
redisclosures at the time of the initial disclosure of information to 
the State or Federal authority. Two commenters suggested that we 
eliminate the recordation problem by redefining the term disclosure so 
that it does not include disclosing information under Sec.  99.31(a)(3) 
for audit, evaluation, or compliance and enforcement purposes. Another 
commenter suggested that we define ``educational agency or 
institution'' to include State educational authorities so that 
disclosures to State educational authorities would not be considered a 
disclosure under FERPA.
    One commenter said that the regulations should permit State 
educational authorities to record redisclosures as they are made and 
without having to identify each student by name. Another commenter 
asked for clarification whether the recordation requirements apply to 
redisclosures that SEAs make to education researchers and other parties 
that are not authorized to make any further disclosures, and what level 
of detail is required in the record regarding who accessed the data and 
what specific information was viewed.
    One commenter stated that if State educational authorities and 
Federal officials are authorized to record their own redisclosures of 
information, then the educational agency or institution should be 
required to retrieve these records in response to a request to review 
education records by parents and eligible students who would otherwise 
not know about the redisclosures. Other commenters suggested that the 
State educational authority or Federal official could either make the 
redisclosure record available directly to parents and students or send 
it to the LEA or postsecondary institution for this purpose.
    Discussion: We agree with commenters that in order to facilitate 
the operation of State data systems and ease administrative burdens on 
all parties, the regulations should allow State educational authorities 
and Federal officials and agencies to record further disclosures they 
make on behalf of educational agencies and institutions under Sec.  
99.33(b). We are revising the provisions of Sec.  99.32 to address 
commenters' concerns and ensure that these changes will not expand the 
redisclosure authority of a State or local educational authority or 
Federal official or agency under Sec.  99.35(b) and that parents and 
students will have notice of and access to any State or Federal record 
of further disclosures that is created.
    In response to the commenter's suggestion that we define 
``educational agency or institution'' and the term disclosure to 
address recordation issues associated with the new redisclosure 
authority in Sec.  99.35(b), we note that an educational agency or 
institution is required by statute to maintain with each student's 
education records a record of each request for access to and each 
disclosure of personally identifiable information from the education 
records of the student, including the parties who have requested or 
received information and their legitimate interests in the information. 
20 U.S.C. 1232g(b)(4)(A); 34 CFR 99.32(a). This includes each 
disclosure of personally identifiable information from education 
records that an educational agency or institution makes to an SEA or 
other State educational authority and to Federal officials and 
agencies, including the Department, for audit, evaluation, or 
compliance and enforcement purposes under Sec. Sec.  99.31(a)(3) and 
99.35, and under most other FERPA exceptions, such as the financial aid 
exception in Sec.  99.31(a)(4). (Regulatory exceptions to the statutory 
recordation requirements, which are set forth in Sec.  99.32(d), cover 
disclosures that a parent or eligible student would generally know 
about without the recordation or for which notice is prohibited under 
court order; the exceptions do not include disclosures made to parties 
outside the agency or institution for audit, evaluation, or compliance 
and enforcement purposes.)
    An educational agency or institution is required under FERPA to 
record its disclosures of personally identifiable information from 
education records even when it discloses information to another 
educational agency or institution, such as occurs under Sec.  
99.31(a)(2) when a school district transfers education records to a 
student's new school. See 20 U.S.C. 1232g(b)(4)(A); 34 CFR 99.32(a). 
Therefore, even if a State educational authority were considered an 
``educational agency or institution'' under Sec.  99.1, a school 
district or postsecondary institution would still be required to record 
its own disclosures to that State educational authority; defining a 
State educational authority as an educational agency or institution 
would not eliminate this requirement. Therefore, a school district or 
postsecondary institution is required to record its disclosures to any 
State educational authority.
    The term disclosure is defined in Sec.  99.3 to mean to permit 
access to or the release, transfer, or other communication of 
personally identifiable information contained in education records to 
any party, by any means, including oral, written, or electronic means. 
This includes releasing or making a student's education records 
available to school officials within the agency or institution, for 
which an exception to the consent requirement exists under Sec.  
99.31(a)(1). We see no legal basis for redefining the term disclosure 
to exclude the release of personally identifiable information to third 
parties outside the educational agency or institution under the audit, 
evaluation, or compliance and enforcement exception to the consent 
requirement in Sec. Sec.  99.31(a)(3) and 99.35.
    With regard to the level of detail required in the record of 
redisclosures, current Sec.  99.32(b) requires an educational agency or 
institution to record the ``names of the additional parties to which 
the receiving party may disclose the information'' on its behalf and 
their legitimate interests under Sec.  99.31. This means the name of 
the individual (if an organization is not involved) or the organization 
and the exception under Sec.  99.31(a) that would allow the 
redisclosure to be made without consent. Under current Sec.  
99.33(a)(2), the officers, employees, and agents of a party that 
receives

[[Page 74824]]

information from education records may use the information for the 
purposes for which the disclosure was made without violating the 
limitations on redisclosure in Sec.  99.33(a)(1). Therefore, we 
interpret the recordation requirement in Sec.  99.32(b) to mean that an 
educational agency or institution may record the name of an 
organization, including a research organization, to which a recipient 
may make further disclosures under Sec.  99.33(b) and is not required 
to record the name of each individual within the organization who is 
authorized to use that information in accordance with Sec.  
99.33(a)(2).
    We also recognize that sometimes an educational agency or 
institution does not know at the time of its disclosure of education 
records that the receiving party may wish to make further disclosures 
on its behalf. Therefore, we interpret Sec.  99.32(b) to allow a 
receiving party to ask an educational agency or institution to record 
further disclosures made on its behalf after the initial receipt of the 
records or information.
    These same policies apply to further disclosures made by State and 
local educational authorities and Federal officials listed in Sec.  
99.31(a)(3) that redisclose information on behalf of educational 
agencies and institutions under the new authority in Sec.  99.35(b). 
Educational agencies and institutions that disclose education records 
under Sec.  99.31(a)(3) with the understanding that the State or 
Federal authority or official may make further disclosures may continue 
to record those further disclosures as provided in Sec.  99.32(b)(1). 
Like any other recipient of education records, a State or Federal 
authority or official may also ask an educational agency or institution 
to record further disclosures made on its behalf after the initial 
receipt of the records or information. It is incumbent upon a State or 
Federal authority or official that makes further disclosures on behalf 
of an educational agency or institution under Sec.  99.33(b) to 
determine whether the educational agency or institution has recorded 
those further disclosures. If the educational agency or institution 
does not do so, then under the revisions to Sec.  99.32(b)(2)(i) in the 
final regulations, the State and local educational authority or Federal 
official or agency that makes further disclosures must maintain the 
record of those disclosures.
    We have also revised Sec.  99.32(a) to ensure that educational 
agencies and institutions maintain a listing in each student's record 
of the State and local educational authorities and Federal officials 
and agencies that may make further disclosures of the student's 
education records without consent under Sec.  99.33(b). This will help 
ensure that parents and students know that the record of disclosures 
maintained by an educational agency or institution as required under 
Sec.  99.32(a) may not contain all further disclosures made on behalf 
of the agency or institution by a State or Federal authority or 
official and alert parents and students to the need to ask for access 
to this additional information. We have also revised Sec.  99.32(a) to 
require an educational agency or institution to obtain a copy of the 
record of further disclosures maintained at the State or Federal level 
and make it available for parents and students to inspect and review 
upon request.
    In response to commenters' suggestions, the regulations in new 
Sec.  99.32(b)(2)(ii) allow a State or local educational authority or 
Federal official or agency to identify the redisclosure by the 
student's class, school, district, or other appropriate grouping rather 
than by the name of each student whose record was redisclosed. For 
example, an SEA may record that it disclosed to the State higher 
education authority the scores of each student in grades nine through 
12 on the State mathematics assessment for a particular year. We 
believe that this procedure eases administrative burdens while ensuring 
that a parent or student may access information about the redisclosure.
    We note that the recordation requirements under Sec.  
6401(c)(i)(IV) of the America COMPETES Act, Public Law 110-69, 20 
U.S.C. 9871(c)(i)(IV), are more detailed and stringent than those 
required under FERPA. In particular, a State that receives a grant to 
establish a statewide P-16 education data system under Sec.  
6401(c)(2), 20 U.S.C. 9871(c)(2), is required to keep an accurate 
accounting of the date, nature, and purpose of each disclosure of 
personally identifiable information in the statewide P-16 education 
data system; a description of the information disclosed; and the name 
and address of the person, agency, institution, or entity to whom the 
disclosure is made. The State must also make this accounting available 
on request to parents of any student whose information has been 
disclosed. The Department will issue further guidance on these 
requirements if the program is funded and implemented.
    Changes: We have made several changes to Sec.  99.32, as follows:
     New Sec.  99.32(b)(2)(i) provides that a State or local 
educational authority or Federal official or agency listed in Sec.  
99.31(a)(3) that makes further disclosures of information from 
education records must record the names of the additional parties to 
which it discloses information on behalf of an educational agency or 
institution and their legitimate interests under Sec.  99.31 in the 
information if the information was received from an educational agency 
or institution that has not recorded the further disclosures itself or 
from another State or local official or Federal official or agency 
listed in Sec.  99.31(a)(3).
     New Sec.  99.32(b)(2)(ii) provides that a State or local 
educational authority or Federal official or agency that records 
further disclosures of information may maintain the record by the 
student's class, school, district or other appropriate grouping rather 
than by the name of the student.
     New Sec.  99.32(b)(2)(iii) provides that upon request of 
an educational agency or institution, a State or local educational 
authority or Federal official or agency that maintains a record of 
further disclosures must provide a copy of the record of further 
disclosures to the educational agency or institution within a 
reasonable period of time not to exceed 30 days.
     Revised Sec.  99.32(a)(1) requires educational agencies 
and institutions to list in each student's record of disclosures the 
names of the State and local educational authorities and Federal 
officials or agencies that may make further disclosures of the 
information on behalf of the educational agency or institution under 
Sec.  99.33(b).
     New Sec.  99.32(a)(4) requires an educational agency or 
institution to obtain a copy of the record of further disclosures 
maintained by a State or local educational authority or Federal 
official or agency and make it available in response to a parent's or 
student's request to review the student's record of disclosures.

Educational Research (Sec. Sec.  99.31(a)(6) and 99.31(a)(3))

    Comment: We received a number of comments on proposed Sec.  
99.31(a)(6)(ii). In this section, we proposed that an educational 
agency or institution that discloses personally identifiable 
information without consent to an organization conducting studies for, 
or on behalf of, the educational agency or institution must enter into 
a written agreement with the organization specifying the purposes of 
the study and containing certain other elements. This exception to the 
consent requirement is often referred to as the ``studies exception.'' 
While all of the comments on this provision generally supported the 
changes, many of the commenters raised concerns about the scope and

[[Page 74825]]

applicability of the studies exception and requested clarification on 
some of the proposed changes, particularly with regard to the 
provisions relating to written agreements.
    Discussion: We address commenters' specific concerns about the key 
portions of these regulations in the following sections.
    Changes: None.

(a) Scope and Applicability of Sec.  99.31(a)(6)

    Comment: Several commenters stated that the proposed regulations 
did not clearly indicate that the studies exception applies to State 
educational authorities. Some commenters, assuming that Sec.  
99.31(a)(6) applied to State educational authorities, noted that the 
proposed regulations did not provide clear authority for State 
educational authorities such as an SEA, or a State longitudinal data 
system using State generated data (such as State assessment results), 
to enter into research agreements on behalf of educational agencies and 
institutions. One commenter stated that Sec.  99.31(a)(6) should not be 
interpreted to require that research agreements be entered into by 
individual schools or that any resulting redisclosures be recorded by 
the individual schools.
    One commenter asked for clarification regarding whether Sec.  
99.31(a)(6) permitted a school to disclose a student's education 
records to his or her previous school for the purpose of evaluating 
Federal or State-supported education programs or for improving 
instruction.
    Another commenter stated that the Department should further revise 
the regulations to provide that only individuals in the organization 
conducting the study who have a legitimate interest in the information 
disclosed be given access to the information. The commenter also stated 
that the Department should specifically limit Sec.  99.31(a)(6) to bona 
fide research projects by prohibiting organizations conducting studies 
under this exception from using record-level data for other operational 
or commercial purposes. The commenter also expressed concern about the 
duration of research projects, noting that significantly more 
restrictive access should be required for studies that track personally 
identifiable information for long periods of time. The commenter stated 
further that the Department should consider imposing a time limit on 
how long information obtained through longitudinal studies can be 
retained.
    Discussion: FERPA permits an educational agency or institution to 
disclose personally identifiable information from an education record 
of a student without consent if the disclosure is to an organization 
conducting studies for, or on behalf of, the educational agency or 
institution to (a) develop, validate, or administer predictive tests; 
(b) administer student aid programs; or (c) improve instruction. 20 
U.S.C. 1232g(b)(1)(F); 34 CFR 99.31(a)(6). Disclosures made under the 
studies exception may only be used by the receiving party for the 
purposes for which the disclosure was made and for no other purpose or 
study. As such, Sec.  99.31(a)(6) is not a general research exception 
to the consent requirement in FERPA but an exception for studies 
limited to the purposes specified in the statute and regulations.
    We first note that it may not be necessary or even advantageous for 
State educational authorities to use the studies exception in order to 
conduct or authorize educational research because of the limitations in 
Sec.  99.31(a)(6). In contrast, Sec.  99.31(a)(3)(iv), under the 
conditions set forth in Sec.  99.35, allows educational agencies and 
institutions, such as LEAs and postsecondary institutions, to disclose 
education records without consent to State educational authorities for 
audit and evaluation purposes, which can include a general range of 
research studies beyond the more limited group of studies specified 
under Sec.  99.31(a)(6). Also, as explained more fully elsewhere in 
this preamble, while a State educational authority must have the 
underlying legal authority to audit or evaluate the records it receives 
from LEAs or postsecondary institutions under Sec.  99.35, the LEA or 
postsecondary institution is not required to enter into a written 
agreement for the audit or evaluation as it is required to do under 
Sec.  99.31(a)(6). (See Redisclosure of Education Records and 
Recordkeeping by State and Local Educational Authorities and Federal 
Officials and Agencies.) The absence of an explanation of the 
authorized representatives exception (Sec.  99.31(a)(3)) in the NPRM 
created confusion, especially with regard to how State departments of 
education may utilize education records for evaluation purposes. 
Therefore, we have included that explanation here.
    The conditions for disclosing education records without consent 
under Sec. Sec.  99.31(a)(3)(iv) and 99.35 are discussed in the 
Department's Memorandum from the Deputy Secretary of Education (January 
30, 2003) available at 
http://www.ed.gov/policy/gen/guid/secletter/030130.html. The Deputy 
Secretary's memorandum explains that under this 
exception an ``authorized representative'' of a State educational 
authority is a party under the direct control of that authority, e.g., 
an employee or a contractor.
    In general, the Department has interpreted FERPA and implementing 
regulations to permit the disclosure of personally identifiable 
information from education records, without consent, in connection with 
the outsourcing of institutional services and functions. Accordingly, 
the term ``authorized representative'' in Sec.  99.31(a)(3) includes 
contractors, consultants, volunteers, and other outside parties (i.e., 
non-employees) used to conduct an audit, evaluation, or compliance or 
enforcement activities specified in Sec.  99.35, or other institutional 
services or functions for which the official or agency would otherwise 
use its own employees. For example, a State educational authority may 
disclose personally identifiable information from education records, 
without consent, to an outside attorney retained to provide legal 
services or an outside computer consultant hired to develop and manage 
a data system for education records.
    The term ``authorized representative'' also includes an outside 
researcher working as a contractor of a State educational authority or 
other official listed in Sec.  99.31(a)(3) that has outsourced the 
evaluation of Federal or State supported education programs. An outside 
researcher may conduct independent research under this provision in the 
sense that the researcher may propose or initiate research projects for 
consideration and approval by the State educational authority or other 
official listed in Sec.  99.31(a)(3) either before or after the parties 
have negotiated a research agreement. Likewise, the State educational 
authority or official does not have to agree with or endorse the 
researcher's results or conclusions. In so doing, an outside researcher 
retained to evaluate education programs by a State educational 
authority or other official listed in Sec.  99.31(a)(3) as an 
``authorized representative'' may be given access to personally 
identifiable information from education records, including statistical 
information with unmodified small data cells. However, the term 
``authorized representative'' does not include independent researchers 
that are not contractors or other parties under the direct control of 
an official or agency listed in Sec.  99.31(a)(3).
    While an educational agency or institution may not disclose 
personally identifiable information from students' education records to 
independent researchers, nothing in FERPA prohibits

[[Page 74826]]

them from disclosing information that has been properly de-identified. 
Further discussion of this issue is provided in the following 
paragraphs and under the section entitled Personally Identifiable 
Information and De-Identified Records and Information.
    An SEA or other State educational authority that has legal 
authority to enter into agreements for LEAs or postsecondary 
institutions under its jurisdiction may enter into an agreement with an 
organization conducting a study for the LEA or institution under the 
studies exception. If the SEA or other State educational authority does 
not have the legal authority to act for or on behalf of an LEA or 
institution, then it would not be permitted to enter into an agreement 
with the organization conducting the study under this exception. As 
previously mentioned, FERPA authorizes certain disclosures without 
consent; it does not provide an SEA or other State educational 
authority with the legal authority to act for or on behalf of an LEA or 
postsecondary institution.
    With regard to the request for clarification whether Sec.  
99.31(a)(6) permits a school to disclose a student's education records 
to his or her previous school for evaluation purposes, the studies 
exception only allows disclosures to organizations conducting studies 
for, or on behalf of, the educational agency or institution that 
discloses its records. The ``for, or on behalf of'' language from the 
statute does not permit disclosures under this exception so that the 
receiving organization can conduct a study for itself or some other 
party. This issue is discussed in more detail under the section of this 
preamble entitled Disclosure of Education Records to Student's Former 
Schools.
    We agree with the comment that the regulations should be revised to 
provide that only those individuals in the organization conducting the 
study that have a legitimate interest in the personally identifiable 
information from education records can have access to the records. The 
Secretary also shares the commenter's concerns about limiting Sec.  
99.31(a)(6) to bona fide research projects, prohibiting commercial 
utilization of education records, and limiting the duration of research 
projects. We address these issues in greater detail in the following 
section concerning written agreements.
    Changes: None.

(b) Written Agreements for Studies

    Comment: Several commenters expressed concern that Sec.  
99.31(a)(6) not be read so broadly as to erode parents' and students' 
privacy rights, and, therefore, supported the restrictions that the 
Secretary included in this provision. Specifically, they supported the 
new requirement that educational agencies and institutions must enter 
into a written agreement with the organization conducting the study 
that specifies: the purpose of the study, that the information from the 
education records disclosed be used only for the stated purpose, that 
individuals outside the organization may not have access to personally 
identifiable information about the students being studied, and that the 
information be destroyed or returned when it is no longer needed for 
the purpose of the study.
    Several commenters said that the Department should clarify that the 
existence of a written agreement is not a rationale in and of itself 
for the disclosure of education records. They stated that the 
regulations should provide explicitly that a written agreement does not 
modify the protections under FERPA or justify the use of the records 
transferred other than as permitted by the statute and the regulations. 
Some of these commenters stated that the written agreement should 
include a description of the specific records to be disclosed for the 
study.
    Several commenters agreed with the provision in the proposed 
regulations that specified that an educational agency or institution 
does not need to agree with or endorse the conclusions or results of 
the study. Other commenters asked that we include in the regulations 
the explanation provided in the preamble to the NPRM that the school 
also does not need to initiate the study.
    One commenter suggested that we change the references from 
``study'' to ``studies'' so that it is clear that an agency or 
institution and a research organization could enter into one agreement 
that would cover a variety of studies that support the State's or 
school district's educational objectives. One commenter suggested that 
the Department certify agreements between educational agencies and 
research organizations as meeting the requirements of FERPA.
    There were several comments on the destruction of information 
requirements in FERPA. Some suggested that we include in the 
regulations the specific time period by which information disclosed to 
a researcher must be destroyed, while others stated that ongoing access 
to data is necessary and that researchers should be permitted to retain 
information indefinitely. Some commenters suggested that the required 
time period for the destruction or return of education records, as 
deemed necessary by the parties to support the purposes of the 
authorized study or studies, be established in the written agreement.
    One commenter approved including the requirements regarding the use 
and destruction of data in the written agreement as a way of improving 
compliance with FERPA. However, the commenter questioned our 
explanation that the language in the statute providing that the study 
must be conducted ``for, or on behalf of'' the educational agency or 
institution means that the disclosing school must retain control over 
the information once it has been given to a third party conducting a 
study. The commenter believed that school districts will not be 
involved in how a study is performed and that the written agreement 
with the organization specifying the organization's obligations with 
regard to the use and destruction of data should be sufficient.
    Discussion: The Secretary shares the concerns raised by commenters 
that Sec.  99.31(a)(6) not be read so broadly as to erode parents' and 
students' privacy rights. Accordingly, we have revised Sec.  
99.31(a)(6) to address some of these concerns and believe that these 
changes will provide adequate protection of students' education records 
that may be disclosed under the studies exception.
    In the NPRM, we proposed to remove current Sec.  99.31(a)(6)(ii)(A) 
and (B) and included these requirements under the provisions for 
written agreements. These paragraphs provide that the study must be 
conducted in a manner that does not permit personal identification of 
parents and students by individuals other than representatives of the 
organization and that the information be destroyed when no longer 
needed for the purposes for which the study was conducted. We are 
including Sec.  99.31(a)(6)(ii)(A) and (B) in the final regulations. 
After reviewing comments on the proposed changes, we concluded that, by 
moving these two provisions into the new paragraph relating to written 
agreements, we would have weakened the statutory requirements 
concerning the studies exception. We believe this correction will 
alleviate commenters' concerns about weakening parents' and students' 
privacy rights under FERPA.
    We agree with the comments that the existence of a written 
agreement is not a rationale in and of itself for the disclosure of 
education records. As a privacy statute, FERPA requires that parents 
and eligible students provide written consent before educational 
agencies and institutions disclose personally identifiable information 
from students' education records. There are

[[Page 74827]]

several statutory exceptions to FERPA's general consent rule, one of 
which is Sec.  99.31(a)(6), an exception that permits disclosure of 
records for studies limited to the purposes specified in the statute 
and regulations. However, a written agreement, a memorandum of 
understanding, or a contract is not a justification for disclosure of 
education records. Rather, a disclosure must meet the requirements in 
Sec.  99.31(a)(6) or the other permitted disclosures under Sec.  99.31. 
If a disclosure meets the conditions of Sec.  99.31(a)(6), the 
disclosure may be made, and the written agreement sets forth the 
requirements that must be followed when entering into such an 
agreement.
    As noted in our earlier discussion of the scope and applicability 
of the studies exception, the Secretary concurs that the regulations 
should be revised to require that a written agreement expressly include 
the purpose, scope, and duration of the agreed upon study, as well as 
the information to be disclosed. We also agree with commenters that the 
regulations should specifically limit any disclosures of personally 
identifiable information from students' education records to those 
individuals in the organization conducting the study that have a 
legitimate interest in the information. This requirement is consistent 
with Sec.  99.32(a)(3)(ii), which requires that an educational agency 
or institution record the ``legitimate interests'' the parties had in 
obtaining information under FERPA.
    The Secretary strongly recommends that schools carefully limit the 
disclosure of students' personally identifiable information under this 
and the other exceptions in Sec.  99.31 and reminds educational 
agencies and institutions that disclosures without consent are subject 
to Sec.  99.33(a)(2), which states: ``The officers, employees, and 
agents of a party that receives information under paragraph (a)(1) of 
this section may use the information, but only for the purposes for 
which the disclosure was made.'' The recordation requirements in Sec.  
99.32 also apply to any disclosures of personally identifiable 
information made under the studies exception. (We note that a school 
does not have to record the disclosure of information that has been 
properly de-identified.)
    Although FERPA permits schools to disclose personally identifiable 
information under Sec.  99.31(a)(6) to organizations conducting studies 
for or on its behalf, the Secretary recommends that educational 
agencies and institutions release de-identified information whenever 
possible under this exception. Even when schools opt not to release de-
identified information in these circumstances, we recommend that 
schools reduce the risk of unauthorized disclosure by removing direct 
identifiers, such as names and SSNs, from records that don't require 
them, even though these records may still contain some personally 
identifiable information. This is especially important when a school 
also discloses sensitive information about students, such as type of 
disability and special education services received by the students.
    We agree with commenters that Sec.  99.31(a)(6) should be revised 
to indicate that an educational agency or institution is not required 
to initiate a study. Additionally, we have revised Sec.  99.31(a)(6) to 
include the word ``studies'' so that an educational agency or 
institution may utilize one written agreement for more than one study, 
so long as the requirements concerning information that must be in the 
agreement are met.
    While we do not have the authority under FERPA to officially 
certify agreements between educational agencies and institutions and 
organizations conducting studies, FPCO does provide technical 
assistance to educational agencies or institutions on FERPA. As such, 
if school officials have questions about whether an agreement meets the 
requirements in Sec.  99.31(a)(6), they may contact FPCO for 
assistance.
    With regard to the comments that we include in the regulations a 
specific time period by which information provided under the studies 
exception must be destroyed, we believe that the parties entering into 
the agreement should decide when information has to be destroyed or 
returned to the educational agency or institution. As we have 
discussed, we have revised Sec.  99.31(a)(6) to require that the 
written agreement include the duration of the study and the time period 
during which the organization must either destroy or return the 
information to the educational agency or institution.
    With regard to the comment that a written agreement with the 
organization conducting the study should be sufficient for an 
educational agency or institution to retain control over information 
from education records once the information is given to an organization 
conducting a study, we agree that a written agreement required under 
the regulations will help ensure that the information is used only to 
meet the purposes of the study stated in the written agreement and that 
all applicable requirements are met. However, similar to the 
requirement that an outside service provider serving as a school 
official is subject to FERPA's restrictions on the use and redisclosure 
of personally identifiable information from education records, 
educational agencies and institutions must ensure that organizations 
with which they have entered into an agreement to conduct a study also 
comply with FERPA's restrictions on the use of personally identifiable 
information from education records. (See pages 15578-15580 of the 
NPRM.) That is, the school must retain control over the organization's 
access to and use of personally identifiable information from education 
records for purposes of the study or studies, including access by the 
organization's own employees and subcontractors, as well as any school 
officials whom the organization permits to have access to education 
records.
    An educational agency or institution may need to determine that the 
organization conducting the study has reasonable controls in place to 
ensure that personally identifiable information from education records 
is protected. We note that it is common practice for some data sharing 
agreements to have a ``controls section'' that specifies required 
controls and how they will be verified (e.g., surprise inspections). We 
recommend that the agreement required by Sec.  99.31(a)(6) include a 
section that sets forth similar requirements. If a school is unable to 
verify that these controls are in place, then it should not disclose 
personally identifiable information from education records to an 
organization for the purpose of conducting a study.
    In this regard, it should be noted that educational agencies and 
institutions are responsible for any failures by an organization 
conducting a study to comply with applicable FERPA requirements. FERPA 
states that if a third party outside the educational agency or 
institution fails to destroy information in violation of 20 U.S.C. 
1232g(b)(1)(F), the studies exception in FERPA, the educational agency 
or institution shall be prohibited from permitting access to 
information from education records to that third party for a period of 
not less than five years. See 20 U.S.C. 1232g(b)(4)(B).
    Changes: We have revised Sec.  99.31(a)(6) to: (1) Retain Sec.  
99.31(a)(6)(ii)(A) and (B); (2) amend Sec.  99.31(a)(6)(ii)(A) to 
provide that the study must be conducted in a manner that does not 
permit personal identification of parents or students by anyone other 
than representatives of the organization that have legitimate interest 
in the information; (3) amend Sec.  99.31(a)(6)(ii)(C) to require that 
the written agreement specify the purpose,

[[Page 74828]]

scope, and duration of the study and the information to be disclosed; 
require the organization to use personally identifiable information 
from education records only to meet the purpose or purposes of the 
study as stated in the written agreement; limit any disclosures of 
information to individuals in the organization conducting the study who 
have a legitimate interest in the information; and require the 
organization to destroy or return to the educational agency all 
personally identifiable information when the information is no longer 
needed for the purposes of the study and specify the time period during 
which the organization must either destroy or return the information to 
the educational agency or institution; and (4) amend Sec.  99.31(a)(6) 
in new paragraph (iii) to provide that an educational agency or 
institution is not required to initiate a study.

Disclosure of Education Records to Non-Educational State Agencies

    Comment: Several commenters stated that the proposed amendments did 
not specifically address whether an educational agency or institution 
is permitted to disclose education records to non-educational State 
agencies, such as State health or labor agencies, as part of an 
agreement with those agencies, without first obtaining consent. One 
commenter said that because the Department has taken the position that 
education records may be shared with State auditors who are not 
educational officials and who are not, by definition, under the control 
of a State educational authority, there is no legal basis to prohibit 
the disclosure of education records to other non-educational State and 
local agencies.
    Some officials representing State health agencies commented that 
FERPA should be more closely aligned with the disclosure provisions of 
the HIPAA Privacy Rule. One commenter noted that there was a critical 
need for public health researchers to be able to access, without 
consent, personally identifiable information contained in student 
health records to allow for analyses, public health studies, and 
research that will benefit school-aged children, as well as the general 
population. One organization representing school nurses noted that 
public health officials need access to education records for the 
purposes of public health reporting, surveillance, and reimbursement.
    Several commenters recommended that SEAs be authorized to share 
data from education records with State social services, health, 
juvenile, and employment agencies, to serve the needs of students, 
including special needs, low-income, and at-risk students. One SEA 
commented that it did not support extending access to student data to 
non-education State agencies, except to State auditors, as specified in 
proposed Sec.  99.35(a)(3). This commenter asserted that access to and 
use of information from students' education records should be 
controlled by a limited number of education officials who are sensitive 
to the intent of FERPA and well acquainted with its safeguards.
    Discussion: There is no specific exception to the written consent 
requirement in FERPA that permits the disclosure of personally 
identifiable information from students' education records to non-
educational State agencies. Educational agencies and institutions may 
disclose personally identifiable information for audit or evaluation 
purposes under Sec. Sec.  99.31(a)(3) and 99.35 only to authorized 
representatives of the officials or agencies listed in Sec.  
99.31(a)(3)(i) through (iv). Typically, LEAs and their constituent 
schools disclose education records to State educational authorities 
under Sec.  99.31(a)(3)(iv), such as the SEA, for audit, evaluation, or 
compliance and enforcement purposes.
    There are some exceptions that might authorize disclosures to non-
educational State agencies for specified purposes. For example, 
disclosures may be made in a health or safety emergency (Sec. Sec.  
99.31(a)(10) and 99.36), in connection with financial aid (Sec.  
99.31(a)(4)), or pursuant to a State statute under the juvenile justice 
system exception (Sec. Sec.  99.31(a)(5) and 99.38), and any 
disclosures must meet the specific requirements of the particular 
exception. FERPA, however, does not contain any specific exceptions to 
permit disclosures of personally identifiable information without 
consent for public health or employment reporting purposes. That said, 
nothing in FERPA prohibits an educational agency or institution from 
importing information from another source to perform its own 
evaluations.
    We believe that any further expansion of the list of officials and 
entities in FERPA that may receive education records without the 
consent of the parent or eligible student must be authorized by 
legislation enacted by Congress.
    We explained in the NPRM on page 15577 that, with respect to State 
auditors, legislative history for the 1979 FERPA amendment indicates 
that Congress specifically intended that FERPA not preclude State 
auditors from obtaining personally identifiable information from 
education records in order to audit Federal and State supported 
education programs, notwithstanding that the statutory language in the 
amendment refers only to ``State and local educational officials.'' See 
20 U.S.C. 1232g(b)(5); H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 
(1979), reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824. This 
legislative history provides a basis for drawing a distinction between 
State auditors and officials of other State agencies that also are not 
under the control of the State educational authority. (As explained 
more fully under State auditors, upon further review, we have removed 
from the final regulations the proposed regulations related to State 
auditors and audits.)
    The 1979 amendment to FERPA does not apply to other State officials 
or agencies, and there is no other legislative history to indicate that 
Congress intended that FERPA be interpreted to permit educational 
agencies and institutions, or State and local educational authorities 
or Federal officials and agencies listed in Sec.  99.31(a)(3), to share 
students' education records with non-educational State officials. In 
fact, Congress has, on numerous occasions, indicated otherwise.
    As discussed elsewhere in this preamble under the heading Health or 
Safety Emergency, the HIPAA Privacy Rule specifically excludes from 
coverage health care information that is maintained as an ``education 
record'' under FERPA. 45 CFR 160.103, Protected health information. We 
understand that the HIPAA Privacy Rule allows covered entities to 
disclose identifiable health data without written consent to public 
health authorities. However, there is no comparable exception to the 
written consent requirement in FERPA.
    As mentioned previously, in conducting an audit, evaluation, or 
compliance or enforcement activity, an educational authority may 
collaborate with other State agencies by importing data from those 
sources and conducting necessary matches. Any reports or other 
information created as a result of the data matches may only be 
released to those non-educational officials in non-personally 
identifiable form. Educational authorities may also release information 
on students to non-educational officials that has been properly de-
identified, as described in Sec.  99.31(b)(1).
    Additionally, many agencies providing services to low income or at-
risk families have parents sign a consent form authorizing disclosure 
of

[[Page 74829]]

information at intake time so that the agency can receive necessary 
information from schools. In 1993, we amended the FERPA regulations to 
help facilitate this practice. In final regulations published in the 
Federal Register on January 7, 1993 (58 FR 3188), we removed the 
previous requirement in the regulations that schools ``obtain'' consent 
from parents and eligible students so that parents and eligible 
students may ``provide'' a signed and dated consent to third parties in 
order for the school to disclose education records to those parties.
    Therefore, parents can provide consent at intake time to State and 
local social services and other non-educational agencies serving the 
needs of students in order to permit their children's schools (or the 
SEA) to disclose education records to the agency. For example, parents 
routinely provide consent to the Medicaid agency that permits that 
agency to collect information from other agencies on the family being 
served. In many cases those consents are written in a manner that 
complies with the consent requirement in Sec.  99.30, and the student's 
school may disclose information to the Medicaid agency necessary for 
reimbursement purposes for services provided the student.
    Changes: None.

Disclosure of Education Records to Student's Former Schools (Sec. Sec.  
99.31(a)(3), 99.31(a)(6), and 99.35(b))

    Comment: One commenter asked for clarification whether a school 
could disclose a student's education records to the student's previous 
school for the purpose of evaluating Federal or State supported 
education programs or for improving instruction. Several commenters 
said that there is a critical need for school districts to be able to 
access the records of their former students from the student's new 
district or postsecondary institution so that the previous institution 
can evaluate the effectiveness of its own education programs. Some 
commenters said that Sec.  99.35(a) clearly allows a K-12 data system 
to use postsecondary records to evaluate its own programs, and that a 
K-12 system does not need to have legal authority to evaluate 
postsecondary programs for the disclosure to be valid under the audit 
or evaluation exception.
    Discussion: Section 99.31(a)(2) allows an educational agency or 
institution to disclose personally identifiable information from 
education records, without consent, to a school where the student seeks 
or intends to enroll or is already enrolled if the disclosure relates 
to the student's enrollment or transfer. There is no specific authority 
in FERPA for an educational agency or institution, or a State or local 
educational authority, to disclose or redisclose personally 
identifiable information from education records to a student's former 
school without consent.
    As discussed above, Sec. Sec.  99.31(a)(3) and 99.35 allow 
educational agencies and institutions to disclose personally 
identifiable information from education records without consent to 
State and local educational authorities that are legally authorized to 
audit or evaluate the disclosing institution's programs or records. We 
encourage State and local authorities to take advantage of this 
exception and establish or modify State or local legal authority, as 
necessary, to allow K-12 and postsecondary educational authorities to 
audit or evaluate one another's programs. As noted above, the 
Department will generally defer to a State Attorney General's 
interpretation of State or local law on these matters.
    Section 99.31(a)(6) allows an educational agency or institution to 
disclose personally identifiable information from education records 
without consent to an organization conducting a study for, or on behalf 
of, the agency or institution that discloses its records. The ``for, or 
on behalf of'' language from the statute and regulations, however, does 
not allow the educational agency or institution to disclose personally 
identifiable information from education records under this exception so 
that the receiving organization can conduct a study for itself or some 
other party. Further, the Secretary does not as a policy matter support 
expanding the studies exception to permit such a disclosure because it 
would result in a vast increase in the number of parties gaining access 
to and maintaining personally identifiable information on students. As 
discussed below, educational agencies and institutions and other 
parties, including State educational authorities, may always release 
information from education records to a student's former school, 
without consent, if all personally identifiable information has been 
removed.

Personally Identifiable Information and De-Identified Records and 
Information (Sec. Sec.  99.3 and 99.31(b))

(a) Definition of Personally Identifiable Information

    Comment: We received a number of comments on proposed Sec.  99.3 
regarding changes to the definition of personally identifiable 
information. One commenter applauded the Department's recognition of 
the increasing ease of identifying individuals from redacted records 
and statistical information because of the large amount of detailed 
personal information that is maintained on most Americans by many 
different organizations. This commenter and others, however, stated 
that the proposed regulations did not go far enough to ensure that 
personally identifiable information about students would not be 
released.
    One commenter expressed concern about our proposal to eliminate 
paragraphs (e) and (f) from the existing definition of personally 
identifiable information, which included a list of personal 
characteristics and other information that would make a student's 
identity easily traceable. The commenter said that this was a change to 
long-standing Department policy and represented an unwarranted invasion 
of privacy that exceeds statutory authority. This commenter also 
expressed concern that eliminating the ``easily traceable'' provisions 
for determining whether information was personally identifiable could 
prevent parents from accessing their children's education records and 
might allow school officials to circumvent FERPA requirements by using 
nicknames, initials, and other personal characteristics to refer to 
children.
    In contrast, several commenters stated that the regulations would 
be unworkable or were too restrictive and would prevent or discourage 
the release of information from education records needed for school 
accountability and other public purposes. These commenters stated that 
paragraphs (f) and (g) in the proposed definition of personally 
identifiable information, which replaces the ``easily traceable'' 
provisions, would provide school officials too much discretion to 
conceal information the public deserves to have in order to debate 
public policy. Proposed paragraph (f) provided that personally 
identifiable information includes other information that, alone or in 
combination, is linked or linkable to a specific student that would 
allow a reasonable person in the school or its community, who does not 
have personal knowledge of the relevant circumstances, to identify the 
student with reasonable certainty. Proposed paragraph (g) provided that 
personally identifiable information includes information requested by a 
person who the educational agency or institution reasonably believes 
has direct, personal knowledge of the identity of the student

[[Page 74830]]

to whom the education record relates, sometimes known as a ``targeted 
request.''
    Several commenters expressed support for the provisions in 
paragraphs (f) and (g) of the definition of personally identifiable 
information. One of these commenters said that the ``school and 
community'' limitation and the ``reasonable person'' standard in 
paragraph (f) is sufficiently clear for implementation by parties that 
release de-identified records. Another commenter said that ambiguity in 
the terms ``reasonable person'' and ``reasonable certainty'' was 
necessary so that organizations can develop their own standards for 
addressing the problem of ensuring that information that is released is 
not personally identifiable. This commenter asked the Department to 
retain the flexibility in the proposed language and provide examples of 
policies that have been implemented that meet the requirements in 
paragraphs (f) and (g) of the definition. The commenter said that most 
school districts know when they are receiving a targeted request 
(paragraph (g)) but asked that the Department provide examples to help 
districts determine whether a non-targeted request will reveal 
personally identifiable information.
    Journalism and writers' associations expressed concern about the 
``reasonable person'' standard in paragraph (f) and our statement in 
the preamble to the NPRM (73 FR 15583) that an educational agency or 
institution may not be able to release redacted education records that 
concern students or incidents that are well-known in the school 
community, including when the parent or student who is the subject of 
the record contacts the media and causes the publicity that prevents 
the release of the record. These commenters stated that FERPA should 
not prevent schools from releasing records from which all direct and 
indirect identifiers, such as name, date of birth, address, unusual 
place of birth, mother's maiden name, and sibling information, have 
been removed without regard to any outside information, particularly 
after a student or parent has waived any pretense of confidentiality by 
contacting the media. They also said that the proposed definition of 
personally identifiable information does not acknowledge the public 
interest in school accountability.
    One commenter said that the ``reasonable person in the school or 
its community'' standard in paragraph (f) was too narrow and 
inappropriate because it would allow individuals with even modest 
scientific and technological abilities to identify students based on 
supposedly de-identified information. Another commenter said that the 
reference in paragraph (f) to a ``reasonable person'' should be changed 
to ``ordinary person.'' A commenter said that if we retain the 
``reasonable person'' standard, we should remove the references to the 
school or its community and personal knowledge of the circumstances and 
simply refer to a reasonable person. Several commenters said the 
``school or its community'' standard is too vague and needs to be 
clarified, particularly in relation to the provision in paragraph (g) 
regarding targeted requests; these commenters said that school 
officials will choose to evaluate a request for information based on 
whether a reasonable person in the community, a broader standard than a 
reasonable person in the school, could identify the student and 
automatically find their own decisions to be reasonable. One commenter 
said that the phrase ``relevant circumstances'' in paragraph (f) is 
vague.
    One commenter said that the standard in paragraph (f) about whether 
the information requested is ``linked or linkable'' to a specific 
student was too vague and overly broad and could be logically extended 
to cover almost any information about a student. This commenter said 
that the regulations should focus on preventing the release of records 
that in and of themselves contain unique personal descriptors that 
would make the student identifiable in the school community and not 
refer to outside information, including what members of the public 
might know independently of the records themselves.
    Several commenters expressed concerns that the provision in 
paragraph (g) regarding targeted requests will make FERPA and the 
regulations administratively unwieldy and unnecessarily subjective. One 
of these commenters said that paragraph (g) is unclear and adds more 
confusion as opposed to providing clarity; this commenter said that 
paragraph (g) should be removed and that the requirements in paragraph 
(f) were sufficient. Another commenter said that the standard in 
paragraph (g) unfairly holds agencies and institutions responsible for 
ascertaining the requester's personal knowledge. One commenter said 
that we should delete the words ``direct, personal'' before 
``knowledge'' because these terms are unclear. According to this 
commenter, if a school reasonably believes that the requester knows the 
student's identity, the school should not disclose the records, whether 
the knowledge is ``direct'' or ``personal.''
    Other commenters expressed a more general concern that the standard 
for targeted requests in paragraph (g) places an undue burden on school 
officials to obtain information about the person requesting information 
and creates a potential conflict with State open records laws. 
According to these commenters, the regulations as proposed would 
encourage agencies and institutions to make illegitimate inquiries into 
a requester's motives for seeking information and what the requester 
intends to do with it, or require the agency or institution to read the 
mind of a party requesting information. According to the commenter, 
this would introduce a degree of subjective judgment that would 
invariably lead to abuse because the same record that could be 
considered a public record to one requester could be a confidential 
document to another. A large university that has decentralized 
administrative operations questioned how it could be expected to take 
institutional knowledge into account in evaluating whether a request 
for records is targeted and asked for confirmation that the Department 
will not substitute its judgment for that of the institution so long as 
there was a rational basis for the decision to release information.
    We received a few comments on the example of a targeted request 
that we provided in the preamble to the NPRM (73 FR 15583-15584), in 
which rumors circulate that a candidate running for political office 
plagiarized other students' work, and a reporter asks the university 
for the redacted disciplinary records of all students who were 
disciplined for plagiarism for the year in which the candidate 
graduated. We explained that the university may not release the records 
in redacted form because the circumstances indicate that the requester 
had direct, personal knowledge of the subject of the case. Two 
commenters said that confirmation that one unnamed student was 
disciplined in 1978 for plagiarism does not identify that student or 
confirm that the candidate was that student, and our explanation of the 
standard with this example showed that the regulations would prevent 
parents and the media from discharging their vital oversight 
responsibilities.
    One school district said that the targeted request provision could 
impair due process in some student discipline cases by limiting the 
release of redacted witness statements that concern more than one 
student. The commenter suggested that under its current

[[Page 74831]]

practice, if four students are involved in an altercation, the school 
redacts all personally identifiable information with regard to students 
2 through 4 when releasing the statement without parental consent to 
student 1, but under the proposed regulations, student 1's request 
would violate the requirements in paragraph (g) because of the 
student's knowledge of the identity of the other students to whom the 
record relates. This commenter said that the regulations should not be 
adopted if they do not address these due process concerns.
    Several commenters said they appreciated the addition of a 
student's date of birth and other indirect identifiers in the 
definition of personally identifiable information. Another commenter 
said that a comprehensive list of indirect identifiers would be 
helpful. One commenter asked us to define the concept of indirect 
identifiers. Another commenter asked us to clarify which personally 
identifiable data elements may be released without consent. A commenter 
asked us to define the term biometric record as used in the definition 
of personally identifiable information.
    Discussion: The Joint Statement explains that the purpose of FERPA 
is two-fold: to assure that parents and eligible students can access 
the student's education records, and to protect their right to privacy 
by limiting the transferability of their education records without 
their consent. 120 Cong. Rec. 39862. As such, FERPA is not an open 
records statute or part of an open records system. The only parties who 
have a right to obtain access to education records under FERPA are 
parents and eligible students. Journalists, researchers, and other 
members of the public have no right under FERPA to gain access to 
education records for school accountability or other matters of public 
interest, including misconduct by those running for public office. 
Nonetheless, as explained in the preamble to the NPRM, 73 FR 15584-
15585, we believe that the regulatory standard for defining and 
removing personally identifiable information from education records 
establishes an appropriate balance that facilitates school 
accountability and educational research while preserving the statutory 
privacy protections in FERPA.
    The simple removal of nominal or direct identifiers, such as name 
and SSN (or other ID number), does not necessarily avoid the release of 
personally identifiable information. Other information, such as 
address, date and place of birth, race, ethnicity, gender, physical 
description, disability, activities and accomplishments, disciplinary 
actions, and so forth, can indirectly identify someone depending on the 
combination of factors and level of detail released. Similarly, and as 
noted in the preamble to the NPRM, 73 FR 15584, the existing 
professional literature makes clear that public directories and 
previously released information, including local publicity and even 
information that has been de-identified, are sometimes linked or 
linkable to an otherwise de-identified record or data set and render 
the information personally identifiable. The regulations properly 
require parties that release information from education records to 
address these situations.
    We removed the ``easily traceable'' standard from the definition of 
personally identifiable information because it lacked specificity and 
clarity. We were also concerned that the ``easily traceable'' standard 
suggested that a fairly low standard applied in protecting education 
records, i.e., that information was considered personally identifiable 
only if it was easy to identify the student.
    The removal of the ``easily traceable'' standard and adoption of 
the standards in paragraphs (f) and (g) will not affect a parent's 
right under FERPA to inspect and review his or her child's education 
records. Records that teachers and other school officials maintain on 
students that use only initials, nicknames, or personal descriptions to 
identify the student are education records under FERPA because they are 
directly related to the student.
    Further, records that identify a student by initials, nicknames, or 
personal characteristics are personally identifiable information if, 
alone or combined with other information, the initials are linked or 
linkable to a specific student and would allow a reasonable person in 
the school community who does not have personal knowledge about the 
situation to identify the student with reasonable certainty. For 
example, if teachers and other individuals in the school community 
generally would not be able to identify a specific student based on the 
student's initials, nickname, or personal characteristics contained in 
the record, then the information is not considered personally 
identifiable and may be released without consent. Experience has shown, 
however, that initials, nicknames, and personal characteristics are 
often sufficiently unique in a school community that a reasonable 
person can identify the student from this kind of information even 
without access to any personal knowledge, such as a key that 
specifically links the initials, nickname, or personal characteristics 
to the student.
    In contrast, if a teacher uses a special code known only by the 
teacher and the student (or parent) to identify a student, such as for 
posting grades, this code is not considered personally identifiable 
information under FERPA because the only reason the teacher can 
identify the student is because of the teacher's access to personal 
knowledge of the relevant circumstances, i.e., the key that links the 
code to the student's name.
    In response to the commenter who stated that a school should not be 
prevented from releasing information when the subject of the record has 
waived any pretense of confidentiality by contacting the media and 
making the incident well-known in the community, we have found that in 
limited circumstances a parent or student may impliedly waive their 
privacy rights under FERPA by disclosing information to parties in a 
special relationship with the institution, such as a licensing or 
accreditation organization. However, we have not found and do not 
believe that parents and students generally waive their privacy rights 
under FERPA by sharing information with the media or other members of 
the general public. The fact that information is a matter of general 
public interest does not give an educational agency or institution 
permission to release the same or related information from education 
records without consent.
    The ``reasonableness'' standards in paragraphs (f) and (g) of the 
new definition, which replace the ``easily traceable'' standard, do not 
require the exercise of subjective judgment or inquiries into a 
requester's motives. Both provisions require the disclosing party to 
use legally recognized, objective standards by referring to 
identification not in the mind of the disclosing party or requester but 
by a reasonable person and with reasonable certainty, and by requiring 
the disclosing party to withhold information when it reasonably 
believes certain facts to be present. These are not subjective 
standards, and these changes will not diminish the privacy protections 
in FERPA.
    The standard proposed in paragraph (f) regarding the knowledge of a 
reasonable person in the school or its community was not intended to 
describe the technological or scientific skill level of a person who 
would be capable of re-identifying statistical information or redacted 
records. Rather, it provided the standard an agency or

[[Page 74832]]

institution should use to determine whether statistical information or 
a redacted record will identify a student, even though certain 
identifiers have been removed, because of a well-publicized incident or 
some other factor known in the community. For example, as explained in 
the preamble to the NPRM, 73 FR 15583, a school may not release 
statistics on penalties imposed on students for cheating on a test 
where the local media have published identifiable information about the 
only student (or students) who received that penalty; that statistical 
information or redacted record is now personally identifiable to the 
student or students because of the local publicity.
    Paragraph (f) in the proposed definition provided that the agency 
or institution must make a determination about whether information is 
personally identifiable information not with regard to what someone 
with personal knowledge of the relevant circumstances would know, such 
as the principal who imposed the penalty, but with regard to what a 
reasonable person in the school or its community would know, i.e., 
based on local publicity, communications, and other ordinary 
conditions. We agree with the comment that the ``school or its 
community'' standard was confusing because it was not clear whether 
just the school itself or the larger community in which the school is 
located is the relevant group for determining what a reasonable person 
would know.
    We are changing this standard in paragraph (f) to the ``school 
community'' and by this change we mean that an educational agency or 
institution may not select a broader ``community'' standard when the 
information to be released would be personally identifiable under the 
narrower ``school'' standard. For example, it might be well known among 
students, teachers, administrators, parents, coaches, volunteers, or 
others at the local high school that a student was caught bringing a 
gun to class last month but generally unknown in the town where the 
school is located. In these circumstances, a school district may not 
disclose that a high school student was suspended for bringing a gun to 
class last month, even though a reasonable person in the community 
where the school is located would not be able to identify the student, 
because a reasonable person in the high school would be able to 
identify the student. The student's privacy is further protected 
because a reasonable person in the school community is also presumed to 
have at least the knowledge of a reasonable person in the local 
community, the region or State, the United States, and the world in 
general. The ``school community'' standard, therefore, provides the 
maximum privacy protection for students.
    We do not agree that the reference to ``reasonable person'' should 
be changed to ``ordinary person.'' ``Reasonable person'' is a legally 
recognized standard that represents a hypothetical, rational, prudent, 
average individual. It would be confusing and inappropriate to 
introduce a new term ``ordinary'' in this context.
    The standard in paragraph (f) excludes from the ``reasonable person 
in the school community'' standard persons who have personal knowledge 
of the ``relevant circumstances,'' which one commenter considered 
vague. Under this standard, an agency or institution is not required to 
take into consideration when releasing redacted or statistical 
information that someone with special knowledge of the circumstances 
could identify the student. For example, if it is generally known in 
the school community that a particular student is HIV-positive, or that 
there is an HIV-positive student in the school, then the school could 
not reveal that the only HIV-positive student in the school was 
suspended. However, if it is not generally known or obvious that there 
is an HIV-positive student in school, then the same information could 
be released, even though someone with special knowledge of the 
student's status as HIV-positive would be able to identify the student 
and learn that he or she had been suspended.
    The provisions in paragraph (g) regarding targeted requests do not 
require an educational agency or institution to ascertain or guess a 
requester's motives for seeking information from education records or 
what a requester intends to do with the information. This paragraph 
addresses a situation in which a requester seeks what might generally 
qualify as a properly redacted record but the facts indicate that 
redaction is a useless formality because the subject's identity is 
already known.
    An educational agency or institution is not required under 
paragraph (g) to make any special inquiries or otherwise seek 
information about the person requesting information from education 
records. It must use information that is obvious on the face of the 
request or provided by the requester, such as when a requester asks for 
the redacted transcripts of a particular student. Paragraph (f) also 
requires an agency or institution to use information known to a 
reasonable person in the school community, such as when a requester 
asks for the redacted transcripts of all basketball players who were 
expelled for accepting bribes after the local newspaper published a 
story about the matter. Paragraphs (f) and (g) do not require an 
educational agency or institution to inquire whether a requester has 
special knowledge not available generally in the school community that 
would make the subject of the record identifiable. We disagree with the 
comment that paragraph (f) is sufficient and paragraph (g) should be 
removed. Paragraph (g) addresses the problem of targeted requests, 
which is not addressed under paragraph (f).
    We agree with the comment that the provision in paragraph (g) under 
which an agency or institution must determine whether the information 
requested is personally identifiable information based on its 
reasonable belief that the requester has ``direct, personal'' knowledge 
of the identity of the student to whom the record relates is ambiguous 
and confusing, especially in relation to what might be considered 
indirect knowledge. Therefore, we have modified this provision so that 
an educational agency or institution must simply have a reasonable 
belief that the requester knows the identity of the student to whom the 
record relates.
    In reviewing a complaint that an educational agency or institution 
disclosed personally identifiable information from an education record 
in response to a targeted request, the Department would examine the 
request itself, the facts on which the agency or institution based its 
decision to release the information, as well as any information known 
generally in the school community that the agency or institution failed 
to take into account. The Department would also counsel an agency or 
institution about the nature of the violation in connection with the 
Department's responsibility for seeking voluntary compliance with FERPA 
before initiating any enforcement action under Sec.  99.67.
    With regard to the comment that the standard in paragraph (g) will 
impair due process in student discipline cases, it is unclear what the 
commenter means by releasing redacted witness statements under its 
current practice. Education records are defined in FERPA as records 
that are directly related to a student and maintained by an educational 
agency or institution, or by a party acting for the agency or 
institution. 20 U.S.C. 1232g(a)(4)(A); 34 CFR 99.3. Under this 
definition, a parent (or eligible student) has a right to inspect and 
review any witness statement that is directly related to the student, 
even if that statement

[[Page 74833]]

contains information that is also directly related to another student, 
if the information cannot be segregated and redacted without destroying 
its meaning.
    For example, parents of both John and Michael would have a right to 
inspect and review the following information in a witness statement 
maintained by their school district because it is directly related to 
both students: ``John grabbed Michael's backpack and hit him over the 
head with it.'' Further, in this example, before allowing Michael's 
parents to inspect and review the statement, the district must also 
redact any information about John (or any other student) that is not 
directly related to Michael, such as: ``John also punched Steven in the 
stomach and took his gloves.'' Since Michael's parents likely know from 
their son about other students involved in the altercation, under 
paragraph (g) the district could not release any part of this sentence 
to Michael's parents. We note also that the sanction imposed on a 
student for misconduct is not generally considered directly related to 
another student, even the student who was injured or victimized by the 
disciplined student's conduct, except if a perpetrator has been ordered 
to stay away from a victim.
    In order to provide maximum flexibility to educational agencies and 
institutions, we did not attempt to define or list all other ``indirect 
identifiers''. We believe that the examples listed in paragraph (3) of 
the definition of personally identifiable information--date of birth, 
place of birth, and mother's maiden name--indicate clearly the kind of 
information that could identify a student. Race and ethnicity, for 
example, could also be indirect identifiers. It is not possible, 
however, to list all the possible indirect identifiers and ways in 
which information might indirectly identify a student. Further, unlike 
the HIPAA Privacy Rule, these regulations do not attempt to provide a 
``safe harbor'' by listing all the information that may be removed in 
order to satisfy the de-identification requirements in Sec.  99.31(b). 
We have also added a definition of biometric record that is based on 
National Security Presidential Directive 59 and Homeland Security 
Presidential Directive 24.
    Changes: We added a definition of biometric record, which provides 
that the term means a record of one or more measurable biological or 
behavioral characteristics that can be used for automated recognition 
of an individual. Examples include fingerprints, retina and iris 
patterns, voiceprints, DNA sequence, facial characteristics, and 
handwriting.
    We also have revised paragraph (f) in the definition of personally 
identifiable information to change the reference ``school or its 
community'' to ``school community.'' In paragraph (g) of the definition 
of personally identifiable information, we removed the requirement that 
the requester have ``direct, personal knowledge.'' As revised, 
paragraph (g) provides that personally identifiable information means 
information requested by a person who the educational agency or 
institution reasonably believes knows the identity of the student to 
whom the record relates.

(b) De-Identified Records and Information

    Comment: We received a number of comments on Sec.  99.31(b)(1), 
which would allow an educational agency or institution, or a party that 
has received personally identifiable information from education 
records, to release the records or information without parental consent 
after the removal of all personally identifiable information, provided 
that the educational agency or institution or other party has made a 
reasonable determination that a student's identity is not personally 
identifiable because of unique patterns of information about the 
student, whether through single or multiple releases, and taking into 
account other reasonably available information. In order to permit 
ongoing educational research with the same data, Sec.  99.31(b)(2) 
allows an educational agency or institution or other party that 
releases de-identified, non-aggregated data (also known as 
``microdata'') from education records to attach a code to each record, 
which may allow the recipient to match information received from the 
same source, under three conditions--(1) the educational agency or 
institution does not disclose any information about how it generates 
and assigns a record code, or that would allow a recipient to identify 
a student based on a record code; (2) the record code is used for no 
purpose other than identifying a de-identified record for purposes of 
education research and cannot be used to ascertain personally 
identifiable information about a student; and (3) the record code is 
not based on a student's social security number or other personal 
information.
    Several commenters supported these proposed regulations and said 
that they will help facilitate valuable educational research. One of 
these commenters said that the provisions for de-identification of 
education records create clear standards that will allow researchers to 
conduct necessary research without compromising student privacy. One 
commenter appreciated being able to attach a code or linking key to 
records to facilitate matching students across data sets while 
preserving student confidentiality.
    One commenter stated that de-identified data do not support 
appropriate analytical research that will lead to improved educational 
outcomes. Further, according to this commenter, complete de-
identification of systematic, longitudinal data on every student may 
not be possible.
    Two commenters expressed concern that agencies and institutions 
redact too much information from education records and said that the 
Department should err on the side of disclosure of disaggregated data 
so that journalists and researchers can obtain accurate information 
about how students in every accountability subgroup are performing. 
These commenters said that the regulations should take into account the 
real track record of journalists and researchers in maintaining the 
confidentiality of information from education records.
    One commenter said that many institutions and individuals have the 
ability to re-identify seemingly de-identified data and that it is 
generally much easier to do than most people realize because 87 percent 
of Americans can be identified uniquely from their date of birth, five-
digit zip code, and gender. This commenter said that the regulations 
need to take into account that re-identification is a much greater risk 
for student data than other kinds of information because FERPA allows 
for the regular publication of student directories that contain a 
wealth of personal information, including address and date of birth, 
that can be used with existing tools and emerging technology to re-
identify statistical data, even by non-experts.
    Another commenter said that because the de-identification process 
is so resource-intensive, the regulations should allow the research 
entity to de-identify education records as a contractor under Sec.  
99.31(a)(1) of the regulations.
    We explained in the preamble to the NPRM (73 FR 15585) that 
educational agencies and institutions should monitor releases of coded, 
de-identified microdata from education records to ensure that 
overlapping or successive releases do not result in data sets in which 
a student's personally identifiable information is disclosed. One 
commenter said that this monitoring requirement was too burdensome 
given the vast number of

[[Page 74834]]

data requests it receives and asked us to limit the monitoring 
requirement to single or multiple releases it makes to the same party. 
An SEA asked specifically for clarification in the regulations 
regarding what steps, if any, it must take to ensure that multiple 
releases of de-identified data to the same requester over time that the 
requester intends to use for a longitudinal study do not result in 
small data cells that may reveal the identity of the student. A school 
district said that the regulations should require the destruction of 
de-identified information from education records by the receiving party 
to avoid the problem of combining successive data releases to identify 
students.
    Some commenters said that the regulations should provide objective 
standards for the de-identification of education records. One commenter 
asked the Department to prescribe a method for States to adopt to 
ensure that student confidentiality is protected. Two commenters asked 
specifically for guidance on what minimum cell size should be allowed 
when releasing statistical information. Several commenters said that 
SEAs and school districts need specific guidance regarding the release 
of student achievement data under the NCLB, including, in particular, 
reporting 100 percent achievement of certain performance levels on 
State assessments. One commenter who opposed restrictions on the 
release of de-identified data referred to instances in which some 
States have created minimum cell sizes of 100 for reporting 
disaggregated data under NCLB, which prevents the release of a great 
deal of important information. Another commenter said that our 
discussion of small cell sizes in the preamble to the NPRM, 73 FR 
15584, reflected a misunderstanding of the problem.
    One commenter said that Sec.  99.31(b) is confusing because it is 
not clear how paragraph (b)(2), which is limited to educational 
research, relates to paragraph (b)(1), which is not so limited. This 
commenter also said that the regulations impose an unnecessary burden 
on the entity receiving a request for information and that the 
requirements of paragraph (f) in the definition of personally 
identifiable information are sufficient to de-identify education 
records. Another commenter said that the language in Sec.  99.31(b)(1) 
that requires consideration of unique patterns of information about a 
student is confusing and creates ambiguity because the definition of 
personally identifiable information itself incorporates standards for 
de-identification that appear to differ from the standard in Sec.  
99.31(b).
    Discussion: As explained in the preamble to the NPRM, 73 FR 15584-
15585, we believe that the regulatory standard for de-identifying 
information from education records establishes an appropriate balance 
that facilitates the release of appropriate information for school 
accountability and educational research purposes while preserving the 
statutory privacy protections in FERPA. Unlike the HIPAA Privacy Rule, 
these regulations do not attempt to provide a ``safe harbor'' by 
listing all the direct and indirect identifiers that may be removed to 
satisfy the de-identification requirements in Sec.  99.31(b). Rather, 
they are intended to provide standards under which information from 
education records may be released without consent because all 
personally identifiable information has been removed.
    The Department recognizes that de-identified data may not be 
appropriate for all educational research purposes and that complete de-
identification of longitudinal student data may not be possible without 
sacrificing essential content and usability. In these situations, and 
as discussed elsewhere in this preamble, FERPA allows the disclosure 
and redisclosure of personally identifiable information from education 
records, without consent, to researchers under the terms and conditions 
specified in Sec. Sec.  99.31(a)(1), 99.31(a)(3), and 99.31(6). We note 
that a researcher who receives personally identifiable information 
under these provisions would, however, have to de-identify any report 
or other information in accordance with Sec.  99.31(b) before releasing 
it to the public or other parties, including other researchers.
    In response to comments that educational agencies and institutions 
may remove too much information from education records, we note that 
while we have attempted to provide a balanced standard for the release 
of de-identified data for school accountability and other purposes, 
FERPA is a privacy statute, and no party has a right under FERPA to 
obtain information from education records except parents and eligible 
students. Further, there is no statutory authority in FERPA to modify 
the prohibition on disclosure of personally identifiable information 
from education records, or the exceptions to the written consent 
requirement, based on the track record of the party, including 
journalists and researchers, in maintaining the confidentiality of 
information from education records that they have received.
    In response to the comment about allowing a researcher to de-
identify education records, educational agencies and institutions may 
outsource the de-identification process to any outside service provider 
serving as a school official in accordance with the requirements in 
Sec.  99.31(a)(1)(i)(B). (Those requirements are discussed in detail in 
the preamble to the NPRM at 73 FR 15578-15580 and elsewhere in these 
final regulations.) State and local educational authorities and Federal 
officials and agencies listed in Sec.  99.31(a)(3) may outsource the 
de-identification process to their authorized representatives under the 
conditions specified in Sec.  99.35.
    We agree that the risk of re-identification may be greater for 
student data than other information because of the regular publication 
of student directories, commercial databases, and de-identified but 
detailed educational reports by States and researchers that can be 
manipulated with increasing ease by computer technology. As noted in 
the preamble to the NPRM, 73 FR 15584, the re-identification risk of 
any given release is cumulative, i.e., directly related to what has 
previously been released, and this includes both publicly-available 
directory information, which is personally identifiable, and de-
identified data releases. For that reason, we advised in the NPRM that 
parties should minimize information released in directories to the 
extent possible because, since the enactment of FERPA in 1974, the risk 
of re-identification from such information has grown as a result of new 
technologies and methods.
    In response to comments about the need to monitor releases of 
coded, de-identified microdata to avoid re-identification of the data, 
because the risk of re-identification is cumulative, when making a new 
disclosure of coded data an educational agency or institution or other 
party must take into account all releases of information from education 
records it has made, not just releases it has made to the recipient of 
new data. We note that some of the publicly available directory 
information and de-identified data releases that need to be taken into 
account have been produced by the same agency or institution, State or 
local educational authority, or Federal official that wishes to release 
newly de-identified information. In general, FERPA poses no 
restrictions on the recipient's use of directory information and de-
identified data from education records. Therefore, it may be unclear 
whether previous data releases are available generally, have been 
shared with a limited number of

[[Page 74835]]

parties, or not shared at all. Further, unlike personally identifiable 
information that is disclosed under Sec. Sec.  99.31(a)(3) and (a)(6), 
de-identified information from education records does not have to be 
destroyed when no longer needed for the purposes for which it was 
released. We note, however, that a releasing party would reduce its 
monitoring responsibilities if it requires destruction or prohibits 
redisclosure of coded, de-identified microdata, because coded, de-
identified microdata has a higher risk of re-identification than de-
identified microdata. In the future the Department will provide further 
information on how to monitor and limit disclosure of personally 
identifiable information in successive statistical data releases.
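    The cumulative check described above can be sketched as follows. 
This is an added example, not part of the Federal Register text or any 
Department guidance. The field names, helper names, sample rows, and 
the threshold K = 2 are all assumptions made for illustration; the rule 
itself prescribes no minimum cell size.

```python
import secrets
from collections import Counter

K = 2  # illustrative threshold only; the rule prescribes no minimum cell size


def assign_record_codes(student_ids, existing=None):
    """Give each student a random record code that is not derived from an
    SSN or any other personal information. The returned mapping is the
    private key and stays with the releasing party."""
    codes = dict(existing or {})
    used = set(codes.values())
    for sid in student_ids:
        if sid in codes:
            continue  # keep the same code so later releases can be matched
        code = secrets.token_hex(8)
        while code in used:
            code = secrets.token_hex(8)
        codes[sid] = code
        used.add(code)
    return codes


def small_cells(rows, fields, k=K):
    """Return every combination of `fields` shared by fewer than k rows."""
    counts = Counter(tuple(row.get(f) for f in fields) for row in rows)
    return {cell: n for cell, n in counts.items() if n < k}


def merge_by_code(releases):
    """Join rows from several releases on the record code, as any holder
    of those releases could do."""
    merged = {}
    for rows in releases:
        for row in rows:
            merged.setdefault(row["code"], {}).update(row)
    return list(merged.values())


def cumulative_small_cells(releases, k=K):
    """releases: (rows, indirect_identifier_fields) for every coded release
    made so far, to any recipient, plus the one being proposed."""
    fields = []
    for _, release_fields in releases:
        for f in release_fields:
            if f not in fields:
                fields.append(f)
    merged = merge_by_code([rows for rows, _ in releases])
    return small_cells(merged, fields, k)


# Constructed sample data: (internal id, grade, gender, zip, birth year).
STUDENTS = [
    ("s1", 9, "F", "00001", 1994), ("s2", 9, "F", "00002", 1994),
    ("s3", 9, "M", "00001", 1994), ("s4", 9, "M", "00002", 1994),
    ("s5", 10, "F", "00001", 1993), ("s6", 10, "F", "00002", 1993),
    ("s7", 10, "M", "00001", 1993), ("s8", 10, "M", "00002", 1993),
]
CODES = assign_record_codes(s[0] for s in STUDENTS)

# Two coded releases, each carrying different indirect identifiers.
A_FIELDS = ["grade", "gender"]
B_FIELDS = ["zip", "birth_year"]
RELEASE_A = [{"code": CODES[s], "grade": g, "gender": x}
             for s, g, x, _, _ in STUDENTS]
RELEASE_B = [{"code": CODES[s], "zip": z, "birth_year": y}
             for s, _, _, z, y in STUDENTS]

if __name__ == "__main__":
    print("release A alone:", small_cells(RELEASE_A, A_FIELDS))
    print("release B alone:", small_cells(RELEASE_B, B_FIELDS))
    risky = cumulative_small_cells([(RELEASE_A, A_FIELDS),
                                    (RELEASE_B, B_FIELDS)])
    print("joined on record code:", len(risky), "cells below K")
```

Each release passes the threshold when examined alone, but joining 
them on the shared record code leaves every student in a cell of one, 
which is why the check has to cover all prior releases and not only 
those made to the current recipient.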
    In response to requests for guidance on what specific steps and 
methods should be used to de-identify information (and as noted in the 
preamble to the NPRM, 73 FR 15584), it is not possible to prescribe or 
identify a single method to minimize the risk of disclosing personally 
identifiable information in redacted records or statistical information 
that will apply in every circumstance, including determining whether 
defining a minimum cell size is an appropriate means to protect the 
confidentiality of aggregated data and, if so, selection of an 
appropriate number. This is because determining whether a particular 
set of methods for de-identifying data and limiting disclosure risk is 
adequate cannot be made without examining the underlying data sets, 
other data that have been released, publicly available directories, and 
other data that are linked or linkable to the information in question. 
For these reasons, we are unable to provide examples of rules and 
policies that necessarily meet the de-identification requirements in 
Sec.  99.31(b). The releasing party is responsible for conducting its 
own analysis and identifying the best methods to protect the 
confidentiality of information from education records it chooses to 
release. We recommend that State educational authorities, educational 
agencies and institutions, and other parties refer to the examples and 
methods described in the NPRM at page 15584 and refer to the Federal 
Committee on Statistical Methodology's Statistical Policy Working Paper 
22, www.fcsm.gov/working-papers/wp22.html, for additional guidance.
    With regard to issues with NCLB reporting in particular, 
determining the minimum cell size to ensure statistical reliability of 
information is a completely different analysis than that used to 
determine the appropriate minimum cell size to ensure confidentiality. 
Further, as noted in the preceding paragraph and in the preamble to the 
NPRM, use of minimum cell sizes or data suppression is only one of 
several ways in which information from education records may be 
de-identified before release. Statistical Policy Working Paper 22 
describes other disclosure limitation methods, such as ``top coding'' 
and ``data swapping,'' which may be more suitable than simple data 
suppression for releasing the maximum amount of information to the 
public without breaching confidentiality requirements. Decisions 
regarding whether to use data suppression or some other method or 
combination of methods to avoid disclosing personally identifiable 
information in statistical information must be made on a case-by-case 
basis.
    We agree with the commenter who said that the example we provided 
in the preamble to the NPRM regarding the small cell problem in 
reporting that two Hispanic females failed to graduate was misleading 
and offer the following, more complete explanation. Simply knowing that 
one out of 100 Hispanic females failed to graduate does not identify 
which of the Hispanic females it might be. But suppose this female is 
an English language learner who is also enrolled in special education 
classes. The school also publishes tables on participation in special 
education classes by race, ethnicity, and grade, and tables that 
include the graduation status of Hispanic females disaggregated in one 
table by English language proficiency status, and by participation in 
special education classes in another. Suppose that these three 
tabulations each show separately that there is one 12th grade Hispanic 
female enrolled in special education classes, that the one Hispanic 
female who did not graduate was enrolled in special education classes, 
and that the one Hispanic female who did not graduate was an English 
language learner. With this information, the discerning observer knows 
that the one Hispanic female who failed to graduate is an English 
language learner and that she was the only 12th grade Hispanic student 
enrolled in special education classes. Any number of people in the 
school would be able to identify the Hispanic female who did not 
graduate with these three pieces of information.
    Expanding the example to two individuals, the logic is similar, 
except in this case each of the Hispanic females knows her own 
characteristics and can find herself in each of the available tables, 
and thus by a process of elimination identifies the characteristics of 
the other non-graduate, perhaps learning something she did not already 
know about the other student. The published tables show that there are 
two 12th grade Hispanic females enrolled in special education classes, 
one with a learning disability and one with mental retardation. The 
tables also show that the two Hispanic females who did not graduate 
were enrolled in special education classes, and that the two Hispanic 
females who did not graduate were both English language learners. 
Others in the school community may be able to identify the two 12th 
grade Hispanic females who are English language learners enrolled in 
special education classes, but not necessarily be able to distinguish 
the student with the learning disability from the student with mental 
retardation. However, each girl knows her own disability and by the 
process of elimination now knows the other girl's disability. 
Similarly, anyone with knowledge of one of the two Hispanic females who 
did not graduate can find that girl in the tables, and then isolate the 
characteristics that belong to the other Hispanic female.
    This example can be expanded to an example with three Hispanic 
females who fail to graduate. All three of the Hispanic females who did 
not graduate are English language learners, and two Hispanic females 
who did not graduate are enrolled in special education classes--one 
with a learning disability and the other with mental retardation. In 
this case, the one Hispanic female who is an English language learner 
and did not graduate now knows that the other two Hispanic females in 
her English language learner classes and also did not graduate are in 
the special education program, but she does not know which condition 
each girl has. By the same logic, each of the two females who did not 
graduate and are in special education classes knows her own disability 
and as a result knows the disability of the other Hispanic female who 
was an English language learner enrolled in special education classes 
who did not graduate. These are some examples of situations in which 
small cell data reveals personally identifiable information from 
education records.
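
The linkage described in the one-student example above can be checked 
mechanically before a release. The following Python sketch is an added 
illustration, not part of the Federal Register text or any Department 
tool: the roster, the field names, the three table layouts and the 
threshold of 10 are all constructed assumptions. It generalizes the 
example slightly by flagging any group below the threshold whose members 
all fall in one cell, then chaining what the tables reveal about it.

```python
from collections import Counter

def tabulate(records, dims):
    """Count records per cell of a table published over `dims`."""
    return Counter(tuple(r[d] for d in dims) for r in records)

def implications(dims, table):
    """Rules an observer can read off one table: when every member of a
    group (fixed values on all but one dimension) sits in a single cell,
    all of them share that cell's value on the remaining dimension."""
    rules = {}
    for i, dim in enumerate(dims):
        rest = dims[:i] + dims[i + 1:]
        marginal = Counter()
        for cell, n in table.items():
            marginal[cell[:i] + cell[i + 1:]] += n
        for cell, n in table.items():
            key = cell[:i] + cell[i + 1:]
            if n > 0 and n == marginal[key]:
                group = frozenset(zip(rest, key))
                rules.setdefault(group, (n, {}))[1][dim] = cell[i]
    return rules

def linked_disclosures(published, min_cell):
    """For each group smaller than `min_cell`, return (size, attributes)
    that follow from combining every published table."""
    rules = {}
    for dims, table in published:
        for group, (n, attrs) in implications(dims, table).items():
            rules.setdefault(group, (n, {}))[1].update(attrs)
    findings = {}
    for group, (n, attrs) in rules.items():
        if n >= min_cell:
            continue
        known = {**dict(group), **attrs}
        changed = True
        while changed:  # chain rules until nothing new is learned
            changed = False
            for group2, (_, attrs2) in rules.items():
                applies = group2 <= set(known.items())
                if applies and not attrs2.items() <= known.items():
                    known.update(attrs2)
                    changed = True
        findings[group] = (n, known)
    return findings

def student(eth, sex, grade, grad, ell, sped):
    return dict(ethnicity=eth, sex=sex, grade=grade,
                graduated=grad, ell=ell, sped=sped)

# Constructed roster: 100 Hispanic females in 12th grade, one of whom did
# not graduate, plus filler students so the tables have other cells.
ROSTER = (
    [student("Hispanic", "F", 12, "No", "Yes", "Yes")]
    + [student("Hispanic", "F", 12, "Yes", "Yes", "No")] * 20
    + [student("Hispanic", "F", 12, "Yes", "No", "No")] * 79
    + [student("Hispanic", "F", 11, "n/a", "No", "No")] * 40
    + [student("White", "M", 12, "Yes", "No", "No")] * 41
    + [student("White", "M", 12, "Yes", "No", "Yes")] * 4
    + [student("White", "M", 12, "No", "No", "No")] * 5
)

# The three tabulations from the example (layouts are assumptions).
TABLES = [
    ("ethnicity", "sex", "grade", "sped"),      # special education by grade
    ("ethnicity", "sex", "graduated", "ell"),   # graduation by ELL status
    ("ethnicity", "sex", "graduated", "sped"),  # graduation by special ed
]
PUBLISHED = [(dims, tabulate(ROSTER, dims)) for dims in TABLES]

if __name__ == "__main__":
    # min_cell=10 is an arbitrary illustration, not a recommended value.
    for group, (n, known) in linked_disclosures(PUBLISHED, 10).items():
        print(n, sorted(group), "->", known)
```

No single table lists the non-graduate's full profile, but the combined 
release does; the same check run on the first table alone does not 
surface the graduation group at all.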
    The Secretary has no statutory authority to modify the regulations 
to allow LEAs and SEAs to report that 100 percent of students achieved 
specified performance levels. In that regard we note that the 
Department's Non-Regulatory Guidance for NCLB Report Cards (2003) 
provides:

    [S]chools must also ensure that the data they report do not 
reveal personally identifiable information about individual students 
* * *. States must adopt a strategy

[[Page 74836]]

for dealing with a situation in which all students in a particular 
subgroup scored at the same achievement level. One solution, 
referred to as ``masking'' the data, is to use the notation of >95% 
when all students in a subgroup score at the same achievement level.

See www.ed.gov/programs/titleiparta/reportcardsguidance.doc on page 3. 
Likewise, LEAs and SEAs must adopt a strategy for ensuring that they do 
not disclose personally identifiable information about low-performing 
students when they release information about their high-performing 
students.
    In response to the comments that paragraphs (1) and (2) in Sec.  
99.31(b) are confusing, paragraph (1) establishes a standard for 
de-identifying education records that applies to disclosures made to any 
party for any purpose, including, for example, parents and other 
members of the general public who are interested in school 
accountability issues, as well as education policy makers and 
researchers. The release of de-identified information from education 
records under Sec.  99.31(b)(1) is not limited to education research 
purposes because, by definition, the information does not contain any 
personally identifiable information.
    Paragraph (2) of Sec.  99.31(b) applies only to parties conducting 
education research; it allows an educational agency or institution, or 
a party that has received education records, such as a State 
educational authority, to attach a code to each record that may allow 
the researcher to match microdata received from the same educational 
source under the conditions specified. The purpose of paragraph (2) is 
to facilitate education research by authorizing the release of coded 
microdata. The requirements in paragraph (2) that apply to a record 
code preclude matching de-identified data from education records with 
data from another source. Therefore, by its terms, the release of coded 
microdata under paragraph (2) is limited to education research.
    We agree with the commenter who stated that the reference in Sec.  
99.31(b)(1) to ``unique patterns of information about a student'' is 
confusing in relation to the definition of personally identifiable 
information and believe that it essentially restated the requirements 
in paragraph (f) of the definition. Therefore, we have removed this 
phrase from the regulations. We disagree that the definition of 
personally identifiable information and the requirements in Sec.  
99.31(b) impose an unnecessary burden on the entity receiving a request 
for de-identified information from education records and that the 
requirements in paragraph (f) in the definition are sufficient. As 
explained above, paragraph (f) does not address the problem of targeted 
requests. It also does not address the re-identification risk 
associated with multiple data releases and other reasonably available 
information, or allow for the coding of de-identified micro data for 
educational research purposes. Section 99.31(b) provides the additional 
standards needed to help ensure that educational agencies and 
institutions and other parties do not identify students when they 
release redacted records or statistical data from education records.
    Changes: We have removed the reference to ``unique patterns of 
information'' in Sec.  99.31(b).

Notification of Subpoena (Sec.  99.33(b)(2))

    Comment: We received a few comments on our proposal in Sec.  
99.33(b)(2) to require a party that has received personally 
identifiable information from education records from an educational 
agency or institution to provide the notice to parents and eligible 
students under Sec.  99.31(a)(9) before it discloses that information 
on behalf of an educational agency or institution in compliance with a 
judicial order or lawfully issued subpoena. One national education 
association supported the proposed amendment.
    One commenter asked the Department to clarify the intent of the 
proposed language. This commenter said that, when an educational agency 
or institution requests that a third party make the disclosure to 
comply with a lawfully issued subpoena or court order, it is reasonable 
to expect the educational agency or institution to send the required 
notice to the student(s). The commenter also said that it was not clear 
from the proposed change whether it is sufficient for the educational 
agency or institution to send the notice or whether it must come from 
the third party.
    Discussion: The Secretary agrees that there needs to be 
clarification about which party is responsible for notifying parents 
and eligible students before an SEA or other third party outside of the 
educational agency or institution discloses education records to comply 
with a lawfully issued subpoena or court order. We have revised the 
regulation to provide that the burden to notify a parent or eligible 
student rests with the recipient of the subpoena or court order. While 
a third party, such as an SEA, that is the recipient of a subpoena or 
court order is responsible for notifying the parents and eligible 
students before complying with the order or subpoena, the educational 
agency or institution could assist the third party in the notification 
requirement, by providing it with contact information so that it could 
provide the notice.
    In order to ensure that this new requirement is enforceable, we 
have also revised Sec.  99.33(e) so that if the Department determines 
that a third party, such as an SEA, did not provide the notification 
required under Sec.  99.31(a)(9)(ii), the educational agency or 
institution may not allow that third party access to education records 
for at least five years.
    Changes: We have amended Sec.  99.33(b)(2) to clarify that the 
third party that receives the subpoena or court order is responsible 
for meeting the notification requirements under Sec.  99.31(a)(9). We 
also have revised Sec.  99.33(e) to provide that if the Department 
determines that a third party, such as an SEA, did not provide the 
notification required under Sec.  99.31(a)(9)(ii), the educational 
agency or institution may not allow that third party access to 
education records for at least five years.

Health or Safety Emergency (Sec.  99.36)

    Comment: We received many comments in support of our proposal to 
amend Sec.  99.36 regarding disclosures of personally identifiable 
information without consent in a health or safety emergency. Most of 
the parties that commented stated that the proposed changes 
demonstrated the right balance between student privacy and campus 
safety. A number of commenters specifically supported the clarification 
regarding the disclosure of information from an eligible student's 
education records to that student's parents when a health or safety 
emergency occurs. One commenter said that the proposed amendment would 
provide appropriate protection for sensitive and otherwise protected 
information while clarifying that educational agencies and institutions 
may notify parents and other appropriate individuals in an emergency so 
that they may intervene to help protect the health and safety of those 
involved.
    Discussion: We appreciate the commenters' support for the 
amendments to the ``health or safety emergency'' exception in Sec.  
99.36(b). Educational agencies and institutions are permitted to 
disclose personally identifiable information from students' education 
records, without consent, under Sec.  99.31(a)(10) in connection with a 
health or safety emergency. Disclosures under Sec.  99.31(a)(10) must 
meet the conditions described in Sec.  99.36. We address specific 
comments

[[Page 74837]]

about the proposed amendments to this exception in the following 
paragraphs.
    Changes: None.

(a) Disclosure in Non-Emergency Situations

    Comment: Some commenters suggested that we interpret Sec.  99.36 to 
permit the sharing of information on reportable diseases to health 
officials in non-emergency situations. These commenters stated that the 
disclosure of routine immunization data should be subject to State, 
local, and regional public health laws and regulations and not FERPA. 
One of these commenters noted that the HIPAA Privacy Rule allows 
covered entities to disclose personally identifiable health data, 
without consent, to public health authorities.
    Discussion: There is no authority in FERPA to exclude students' 
immunization records from the definition of education records in FERPA. 
Further, the HIPAA Privacy Rule specifically excludes from coverage 
health care information that is maintained as an ``education record'' 
under FERPA. 45 CFR 160.103, Protected health information. We 
understand that the HIPAA Privacy Rule allows covered entities to 
disclose identifiable health data without written consent to public 
health authorities. However, there is no statutory exception to the 
written consent requirement in FERPA to permit this type of disclosure.
    As explained in the preamble to the NPRM (73 FR 15589), the 
amendment to the health or safety emergency exception in Sec.  99.36 
does not allow disclosures on a routine, non-emergency basis, such as 
the routine sharing of student information with the local police 
department. Likewise, this exception does not cover routine, 
non-emergency disclosures of students' immunization data to public health 
authorities. Consequently, there is no statutory basis for the 
Department to revise the regulatory language as requested by the 
commenters.
    Changes: None.

(b) Strict Construction Standard

    Comment: Several commenters expressed concern that removing the 
language from current Sec.  99.36 requiring strict construction of the 
``health and safety emergency'' exception and substituting the language 
providing for a ``rational basis'' standard would not require schools 
to make an individual assessment to determine if there is an emergency 
that warrants a disclosure. One commenter stated that removal of the 
``strict construction'' requirement would severely weaken the 
Department's enforcement capabilities and that schools may see this 
change as an excuse to disclose sensitive student information when 
there is not a real emergency.
    A commenter stated that the removal of the ``strict construction'' 
requirement would mean that the Department would eliminate altogether 
its review of actions taken by schools under the health and safety 
emergency exception. Another commenter stated that removing the 
requirement that this exception be strictly construed could erode the 
privacy rights of individuals. The commenter noted that because parents 
and eligible students cannot bring suit in court to enforce FERPA, 
schools face virtually no liability if they violate FERPA requirements.
    A commenter asked that the Department clarify what is meant by an 
``emergency'' and how severe a concern must be to qualify as an 
emergency.
    Discussion: Section 99.36(c) eliminates the previous requirement 
that paragraphs (a) and (b) of this section be ``strictly construed'' 
and provides instead that, in making a determination whether a 
disclosure may be made under the ``health or safety emergency'' 
exception, an educational agency or institution may take into account 
the totality of the circumstances pertaining to a threat to the health 
or safety of a student or other individuals. The new provision states 
that if there is an articulable and significant threat to the health or 
safety of the student or other individuals, an educational agency or 
institution may disclose information to appropriate parties.
    As we indicated in the preamble to the NPRM, we believe paragraph 
(c) provides greater flexibility and deference to school administrators 
so they can bring appropriate resources to bear on a circumstance that 
threatens the health or safety of individuals. 73 FR 15574, 15589. In 
that regard, paragraph (c) provides that the Department will not 
substitute its judgment for that of the agency or institution if, based 
on the information available at the time of the determination there is 
a rational basis for the agency's or institution's determination that a 
health or safety emergency exists and that the disclosure was made to 
appropriate parties.
    We do not agree that removal of the ``strict construction'' 
standard weakens FERPA or erodes privacy protections. Rather, the 
changes appropriately balance the important interests of safety and 
privacy by providing school officials with the flexibility to act 
quickly and decisively when emergencies arise. Schools should not view 
FERPA's ``health or safety emergency'' exception as a blanket exception 
for routine disclosures of student information but as limited to 
disclosures necessary to protect the health or safety of a student or 
another individual in connection with an emergency.
    After consideration of the comments, we have determined that 
educational agencies and institutions should be required to record the 
``articulable and significant threat to the health or safety of a 
student or other individuals'' so that they can demonstrate (to 
parents, students, and to the Department) what circumstances led them 
to determine that a health or safety emergency existed and how they 
justified the disclosure. Currently, educational agencies and 
institutions are required under Sec.  99.32(a) to record any disclosure 
of personally identifiable information from education records made 
under Sec.  99.31(a)(10) and Sec.  99.36. We are revising the 
recordation requirements in Sec.  99.32(a)(5) to require an agency or 
institution to record the articulable and significant threat that 
formed the basis for the disclosure. The school must maintain this 
record with the education records of the student for as long as the 
student's education records are maintained (Sec.  99.32(a)(2)).
    We do not specify in the regulations a time period in which an 
educational agency or institution must record a disclosure of 
personally identifiable information from education records under Sec.  
99.32(a). We interpret this to mean that an agency or institution must 
record a disclosure within a reasonable period of time after the 
disclosure has been made, and not just at the time, if any, when a 
parent or student asks to inspect the student's record of disclosures. 
We will treat the requirement to record the significant and articulable 
threat that forms the basis for a disclosure under the health or safety 
emergency exception no differently than the recordation of other 
disclosures. In determining whether a period of time for recordation is 
reasonable, we would examine the relevant facts surrounding the 
disclosure and anticipate that an agency or institution would address 
the health or safety emergency itself before turning to recordation of 
any disclosures and other administrative matters.
    In response to concerns about the Department's enforcement of the 
provisions of Sec.  99.36, the ``rational basis'' test does not 
eliminate the Department's responsibility for oversight and 
accountability. Actions that the Secretary may take in addressing 
violations of this and other

[[Page 74838]]

FERPA provisions are addressed in the analysis of comments under the 
section in this preamble entitled Enforcement. While parents and 
eligible students do not have a right to sue for violations of FERPA in 
a court of law, the statute provides that the Secretary may not make 
funds available to any agency or institution that has a policy or 
practice of violating parents' and students' rights under the statute 
with regard to consent to the disclosure of education records. As such, 
parents and eligible students may file a complaint with the Office if 
they believe that a school has violated their rights under FERPA and 
has disclosed education records under Sec.  99.36 inconsistent with 
these regulations. In conducting an investigation, the Office will 
require that schools identify the underlying facts that demonstrated 
that there was an articulable and significant threat precipitating the 
disclosure under Sec.  99.36.
    In response to the comment about what would constitute an 
emergency, FERPA permits disclosure ``* * * in connection with an 
emergency * * * to protect the health or safety of the student or other 
persons.'' 20 U.S.C. 1232g(b)(1)(I). We note that the word ``protect'' 
generally means to keep from harm, attack, or injury. As such, the 
statutory text underscores that the educational agency or institution 
must be able to release information from education records in 
sufficient time for the institution to act to keep persons from harm or 
injury. Moreover, to be ``in connection with an emergency'' means to be 
related to the threat of an actual, impending, or imminent emergency, 
such as a terrorist attack, a natural disaster, a campus shooting, or 
the outbreak of an epidemic such as e-coli. An emergency could also be 
a situation in which a student gives sufficient, cumulative warning 
signs that lead an educational agency or institution to believe the 
student may harm himself or others at any moment. It does not mean the 
threat of a possible or eventual emergency for which the likelihood of 
occurrence is unknown, such as would be addressed in emergency 
preparedness activities.
    Changes: We have amended the recordkeeping requirements in Sec.  
99.32(a)(5) to require educational agencies and institutions to record 
the articulable and significant threat that formed the basis for a 
disclosure under the health or safety emergency exception and the 
parties to whom the information was disclosed.

(c) Articulable and Significant Threat

    Comment: One commenter stated that the word ``articulable'' in 
Sec.  99.36(c) was confusing in reference to a school's determination 
that there is an ``articulable and significant threat to the health or 
safety of a student or other individuals.'' This commenter stated that 
school officials might interpret the provision to mean that there must 
be a verbal threat or that school officials must write down the exact 
wording of the threat.
    Discussion: The requirement that there must be an ``articulable and 
significant threat'' does not mean that the threat must be verbal. It 
simply means that the institution must be able to articulate what the 
threat is under Sec.  99.36 when it makes and records the disclosure.
    In that regard, the words ``articulable and significant'' are 
adjectives modifying the key noun ``threat.'' As such, the focus is on 
the threat, with the question being whether the threat itself is 
articulable and significant. The word ``articulable'' is defined to 
mean ``capable of being articulated.'' 
http://www.merriam-webster.com/dictionary/articulable. This portion of 
the standard simply requires 
that a school official be able to express in words what leads the 
official to conclude that a student poses a threat. The other half of 
the standard is the word ``significant,'' which means ``of a noticeably 
or measurably large amount.'' 
http://www.merriam-webster.com/dictionary/significant. Taken together, 
the phrase ``articulable and 
significant threat'' means that if a school official can explain why, 
based on all the information then available, the official reasonably 
believes that a student poses a significant threat, such as a threat of 
substantial bodily harm, to any person, including the student, the 
school official may disclose education records to any person whose 
knowledge of information from those records will assist in protecting a 
person from that threat.
    Changes: None.

(d) Parties That May Receive Information Under Sec.  99.36

    Comment: A commenter recommended that the Department adopt a more 
subjective standard regarding the persons to whom education records may 
be disclosed under Sec.  99.36, suggesting that we remove the 
requirement that the disclosure must be to a person ``whose knowledge 
of the information is necessary to protect the health or safety of the 
student or other individuals.'' Conversely, another commenter expressed 
concern that the Department was sending the wrong message to 
educational agencies and institutions with these changes to Sec.  
99.36. The commenter stated that the health or safety emergency 
exception must not be perceived to permit schools to routinely disclose 
education records to parents, police, or others.
    A commenter asked who at a school may share personally identifiable 
information in a health or safety emergency, and specifically whether a 
school secretary would be allowed to tell parents that a student on 
campus made a threat to others.
    A commenter stated that school districts, especially small or rural 
districts, may not have the expertise on staff to determine whether a 
situation constitutes an ``articulable and significant threat.'' The 
commenter said that personally identifiable information on students may 
need to be disclosed to outside law enforcement and mental health 
professionals so that they can help schools determine whether a real 
threat exists. The commenter recommended that the Department change the 
proposed regulations to allow school districts to involve outside 
experts in determining whether a health or safety emergency exists. 
Noting that the NPRM addressed the disclosure of education records to 
an eligible student's parents, the organization also asked for 
clarification regarding whether the parents of a potential perpetrator 
and the potential victim at the K-12 level could be told about a 
threat.
    Several commenters stated that our proposed amendments did not go 
far enough and urged the Department to expand Sec.  99.36 to permit a 
school to notify whomever the student has listed as his or her 
emergency contact. Another commenter requested that the Secretary, 
through these regulations, direct institutions to proactively notify 
parents of students who are in acute care situations, such as illness 
or accidents, if any institutional official is aware of the emergency.
    Discussion: On its face, FERPA permits disclosure to ``appropriate 
persons if the knowledge of such information is necessary to protect 
the health or safety of the student or other persons.'' 20 U.S.C. 
1232g(b)(1)(I). FERPA does not require that the person receiving the 
information be responsible for providing the protection. Rather, the 
focus of the statutory provision is on the information itself: The 
``health or safety emergency'' exception permits the institution to 
disclose information from education records in order to gather 
information from any person who has information that would be necessary 
to

[[Page 74839]]

provide the requisite protection. Thus, for example, an educational 
institution that reasonably believes that a student poses a threat of 
bodily harm to any person may disclose information from education 
records to current or prior peers of the student or mental health 
professionals who can provide the institution with appropriate 
information to assist in protecting against the threat. Moreover, the 
institution may disclose records to persons such as law enforcement 
officials that it determines may be helpful in providing appropriate 
protection from the threat. An educational agency or institution may 
also generally disclose information under Sec.  99.36 to a potential 
victim and the parents of a potential victim as ``other individuals'' 
whose health or safety may need to be protected.
    Similarly, in order to obtain information that would inform its 
judgment on how to address the threat, the student's current 
institution may disclose information from education records to other 
schools or institutions which the student previously attended. In that 
regard, the same set of facts underlying the current institution's 
determination that an emergency existed would also permit former 
schools and institutions attended by the student to disclose personally 
identifiable information from education records to the student's 
current institution. That is, a former school would not need to make a 
separate determination regarding the existence of an articulable and 
significant threat to the health or safety of a student or others, and 
could rely instead on the determination made by the school currently 
attended by the student in making the disclosure.
    In the discussion on page 15589 of the NPRM, we noted that the 
``health or safety emergency'' exception does not permit a local school 
district to routinely share its student information database with the 
local police department. This example was meant to clarify that FERPA's 
health or safety provisions would not permit a school to disclose 
without consent education records to the local police department unless 
there was a health or safety emergency and the disclosure of the 
information was necessary to protect the health or safety of students 
or other individuals. This does not prevent schools from having working 
relationships with local police authorities and to use local police 
officers in maintaining the safety of their campuses.
    In response to the comment about which school official should be 
permitted to disclose information under Sec.  99.36, an educational 
agency or institution will need to make its own determination about 
which school officials may access a student's education records and 
disclose information to parents or other parties whose knowledge of the 
information is necessary to protect the health or safety of the student 
or other individuals. Under Sec.  99.31(a)(1), an educational agency or 
institution may disclose education records, without consent, to school 
officials whom the agency or institution has determined have legitimate 
educational interests in the information. It may be helpful for schools 
to have a policy in place concerning which school officials will have 
access to and the responsibility for disclosing information in 
emergency situations.
    We understand that some educational agencies and institutions may 
need assistance in determining whether a health or safety emergency 
exists for purposes of complying with these regulations. The Department 
encourages schools to implement a threat assessment program, including 
the establishment of a threat assessment team that utilizes the 
expertise of representatives from law enforcement agencies in the 
community. Schools can respond to student behavior that raises concerns 
about a student's mental health and the safety of the student and 
others that is chronic or escalating by using a threat assessment team, 
and then make other disclosures under the health or safety emergency 
exception, as appropriate, when an ``articulable and significant 
threat'' exists. Information on establishing a threat assessment 
program and other helpful resources for emergency situations can be 
found on the Department's Web site: 
http://www.ed.gov/admins/lead/safety/edpicks.jhtml?src=ln.
    An educational agency or institution may disclose education records 
to threat assessment team members who are not employees of the district 
or institution if they qualify as ``school officials'' with 
``legitimate educational interests'' under Sec.  99.31(a)(1)(i)(B), 
which is discussed elsewhere in this preamble. To receive the education 
records under the ``school officials'' exception, members of the threat 
assessment team must be under the direct control of the educational 
agency or institution with respect to the maintenance and use of 
personally identifiable information from education records. For 
example, a representative from the city police who serves on a school's 
threat assessment team generally could not redisclose to the city 
police personally identifiable information from a student's education 
records to which he or she was privy as part of the team. As noted 
above, however, the institution may disclose personally identifiable 
information from education records when and if the threat assessment 
team determines that a health or safety emergency exists under 
Sec. Sec.  99.31(a)(10) and 99.36.
    We believe that Sec.  99.36 does not need to be expanded to permit 
a school to contact whomever an eligible student has listed as his or 
her emergency contact, nor is there authority to do so. FERPA does not 
preclude institutions from contacting other parties, including parents, 
in addition to the emergency contacts provided by the student, if the 
school determines these other parties are ``appropriate parties'' under 
this exception. (An eligible student may provide consent for the 
institution to notify certain individuals in case of an emergency, 
should an emergency occur.)
    The regulations would not prevent an institution from having a 
policy of seeking prospective consent from eligible students for the 
disclosure of personally identifiable information or from having a 
policy for obtaining consent for disclosure on a case-by-case basis. 
However, FERPA does not require that a postsecondary institution 
disclose information to any party except to the eligible student, even 
if the student has consented to the disclosure. Thus, the Secretary 
does not have the statutory authority to require school officials to 
disclose information from a student's education records in compliance 
with a consent signed by the student or to otherwise require the 
institution to contact a family member.
    Changes: None.

(e) Treatment Records

    Comment: A commenter stated that while the amendments to Sec.  
99.36 provide needed clarification about when an educational agency or 
institution may disclose students' education records to avert tragedies 
like the one at Virginia Tech in April 2007, the NPRM did not provide 
clarity on the issue of information sharing between on-campus and 
off-campus health care providers. The commenter also noted that the 
Virginia Tech Review Panel recommended that Congress amend FERPA to 
explain how Federal privacy laws apply to medical records held for 
treatment purposes and that the NPRM did not provide that clarity.
    Another commenter stated that if information about a student 
related to a health or safety emergency is part of the treatment 
records maintained by a university's health clinic, the treatment 
records should be treated like education

[[Page 74840]]

records so that they may be disclosed under the health and safety 
emergency exception. A commenter asked that the Department clarify that 
college health and mental health records are not education records 
under FERPA and must be treated like other health and mental health 
records in other settings.
    Discussion: While we have carefully considered the comments 
concerning ``treatment records,'' the Secretary does not believe that 
it is necessary to amend the regulations to provide clarification on 
the handling of health and medical records. The Departments of 
Education and Health and Human Services have issued joint guidance that 
explains the relationship between FERPA and the HIPAA Privacy Rule. The 
guidance addresses this issue for these records at the elementary and 
secondary levels, as well as at the postsecondary level. The joint 
guidance, which is on the Web sites of both agencies, addresses many of 
the questions raised by school administrators, health care 
professionals, and others as to how these two laws apply to records 
maintained on students. It also addresses certain disclosures that are 
allowed without consent or authorization under both laws, especially 
those related to health and safety emergency situations. The guidance 
can be found here: http://www.ed.gov/policy/gen/guid/fpco/index.html.
    As discussed elsewhere in this preamble with respect to Sec.  
99.31(a)(2), while ``treatment records'' are excluded from the 
definition of education records under FERPA, if an eligible student's 
treatment records are used for any purpose other than the student's 
treatment, or if a school wishes to disclose the treatment records for 
any purpose other than the student's treatment, they may only be 
disclosed as education records subject to FERPA requirements. 
Therefore, an eligible student's treatment records may be disclosed to 
any party, without consent, as long as the disclosure meets one of the 
exceptions to FERPA's general consent rule. See 34 CFR 99.31. One of 
the permitted disclosures under this section is the ``health or safety 
emergency'' exception.
    Changes: None.

Identification and Authentication of Identity (Sec.  99.31(c))

    Comment: Several commenters supported our proposal to require 
educational agencies and institutions to use reasonable methods to 
identify and authenticate the identity of parents, students, school 
officials, and any other parties to whom the agency or institution 
discloses personally identifiable information from education records. 
One commenter supported the provision but advocated requiring the use 
of two-factor identification for information that could be used to 
commit identity theft and financial fraud. (Two-factor identification 
requires the use of two methods to authenticate identity, such as 
fingerprint identification in addition to a PIN.)
    One commenter said that the identification and authentication 
requirement will help protect students affected by domestic violence 
who are living in substitute care situations. The commenter noted that 
many parents in situations involving domestic violence do not have 
photo identification (ID) and would be unable to meet a requirement to 
provide photo ID in order to access their children's education records.
    One commenter strongly supported the proposed amendment and said it 
will be valuable in aiding the privacy and protection of homeless 
children. Another commenter questioned whether the identification and 
authentication requirement is necessary for staff of large school 
districts with centralized offices.
    One commenter did not support the proposed regulation stating that 
it will be an additional burden on school districts. The commenter 
agreed with our statement in the preamble to the NPRM that the 
regulations should permit districts to determine their own methods of 
identification and authentication. However, the commenter stated that 
districts should not be required to have a sliding scale of control 
based on the level of potential threat and harm and that it would not 
be practical to give every person requesting access to education 
records a PIN or similar method of authentication. For example, the 
commenter stated that parents might be provided with a PIN, but 
districts would not want to provide a PIN to a reporter or other third 
party. The commenter requested additional examples of how districts may 
authenticate requests received by phone or e-mail. The commenter also 
stated that districts are sometimes concerned that government-issued 
photo IDs are fraudulent. As a result, the group requested that the 
Department adopt a ``safe harbor'' provision that requiring a 
government-issued photo ID for in-person requests is reasonable.
    One commenter expressed concern that the proposed regulations were 
too restrictive and could be too complex to administer, and that this 
would cause an institution to choose not to transfer information even 
though it is permitted to do so. This commenter asked whether the 
Department will accept an institution's efforts at compliance as 
sufficient without examining the effectiveness of those efforts.
    Discussion: The identification and authentication methods discussed 
in the NPRM (73 FR 15585) are intended as examples and should not be 
considered to be exhaustive. Because there are many methods available 
to provide secure authentication of identity, and as more methods 
continue to be developed, we do not think it appropriate at this time 
to require the use of two-factor authentication as requested by the 
commenter. Two-factor authentication can be expensive and cumbersome, 
and we believe that each educational agency or institution should 
decide whether to use its resources to implement a two-factor 
authentication method or another reasonable method to ensure that 
education records are disclosed only to an authorized party. The 
comment that a portion of the population will be disadvantaged if only 
photo ID is permitted to authenticate identity confirms that we need to 
retain flexibility in the regulations.
    We do not agree that certain types of staff should be excepted from 
the identification and authentication requirement. All staff members, 
whether in a centralized office, or in separate administrative offices 
throughout a school system, must be cognizant of and responsible for 
complying with identification and authentication requirements.
    Due to the differences in size, complexity, and access to 
technology, we believe that educational agencies and institutions 
should have the flexibility to decide the methods for identification 
and authentication of identity best suited to their own circumstances. 
The regulatory requirement is that agencies and institutions use 
``reasonable'' methods to identify and authenticate identity when 
disclosing personally identifiable information from education records. 
``Effectiveness'' is certainly one measure, but not necessarily a 
dispositive measure, of whether the methods used by an agency or 
institution are ``reasonable''. As we explained in the NPRM, an agency 
or institution is not required to eliminate all risk of unauthorized 
disclosure of education records but to reduce that risk to a level 
commensurate with the likely threat and potential harm. 73 FR 15585.
    Further in that regard, we note that a ``sliding scale'' of 
protection is not mandated per se. However, it may not be 
``reasonable'' to use the same

[[Page 74841]]

methods to protect students' SSNs or credit card numbers from 
unauthorized access and disclosure that are used to protect students' 
names and other directory information. We believe that a PIN process 
could be useful to provide access to education records for parties, 
such as parents, students, or school officials, but that it would not 
generally be useful for providing records to outside parties, such as 
reporters or parties seeking directory information. While the use of 
government-issued photo ID may be a reasonable method to authenticate 
identity, depending on the circumstances and the information being 
released, we are unable to conclude at this time that it is 
sufficiently secure to constitute a safe harbor for meeting this 
requirement.
    Changes: None.

Enforcement (Sec.  99.64)

(a) Sec.  99.64(a)

    Comment: One commenter supported our proposal to amend Sec.  
99.64(a) to provide that a complaint submitted to FPCO does not have to 
allege that a violation or failure to comply with FERPA is based on a 
policy or practice of the agency or institution. The commenter stated 
that parents often are not aware of legal and technical criteria, and 
complaints filed by parents should not be subject to technical rules 
typically applied to filings made by attorneys.
    Another commenter did not support the proposed amendment and asked 
several questions concerning the effects of the change. The commenter 
asked whether this provision means that the Office will investigate an 
allegation concerning a single and perhaps unintentional action not 
related to a policy or practice of the institution. The commenter also 
asked whether such an investigation could result in a finding of a 
violation if the finding is not based on an institution's policy or 
practice, and what enforcement actions can be taken in those 
circumstances. The commenter suggested that we modify the regulations 
to provide that, for complaints not alleging a violation based on an 
institution's policy or practice, the Office will undertake an 
investigation only when it determines that the allegations are of a 
sufficiently serious nature to warrant an inquiry.
    Discussion: The changes we proposed in this section were intended 
to clarify that it is sufficient for a complaint to allege that an 
educational agency or institution violated a requirement of FERPA, and 
that a complaint does not need to allege that the violation is a result 
of a policy or practice of an agency or institution in order for the 
Office to investigate the complaint.
    We explain in our discussion of the proposed changes to Sec.  99.67 
that the Secretary must find that an educational agency or institution 
has a policy or practice in violation of the non-disclosure 
requirements in FERPA before seeking to withhold, terminate, or recover 
program funds for that violation. However, FPCO is not limited to 
investigating complaints and finding that an educational agency or 
institution violated FERPA only if the allegations and findings are 
based on a policy or practice of an educational agency or institution.
    Moreover, we do not agree that only conduct that involves a policy 
or practice or that affects multiple students is serious enough to 
warrant an investigation of the allegations. An educational agency or 
institution may not even be aware of FERPA violations committed by its 
own school officials until the Office investigates an allegation of 
misconduct. These kinds of investigations often serve the very 
important purpose of helping ensure that single instances of misconduct 
do not become policies or practices of an agency or institution. 
Further, while an agency or institution may not think that a single, 
unintentional violation of FERPA is significant, it is often considered 
serious by the parent or student affected by the violation.
    Therefore, consistent with its current practice, the Office may 
find that an educational agency or institution violated FERPA without 
also finding that the violation was based on a policy or practice. Note 
that under Sec. Sec.  99.66(c) and 99.67, the Office may not take any 
enforcement action against an agency or institution that has violated 
FERPA until it provides the agency or institution with a reasonable 
period of time to come into compliance voluntarily.
    Changes: None.

(b) Sec.  99.64(b)

    Comment: A number of commenters supported proposed Sec.  99.64(b), 
which provided that the Office may investigate a possible FERPA 
violation even if it has not received a timely complaint from a parent 
or student or if a valid complaint is subsequently withdrawn. Several 
of these commenters stated that it is appropriate and important to 
permit persons who are not parents or eligible students, but who have 
knowledge of potential FERPA violations, to provide this information to 
the Office for consideration of a possible investigation.
    Several commenters objected to the proposed change. One commenter 
expressed serious concern that the regulations will greatly expand the 
authority of the Office to investigate any potential FERPA violation, 
even when no complaint is filed or when a complaint has been withdrawn. 
In particular, the commenter stated that an institution would not have 
an opportunity to review and respond to specific allegations when the 
investigation does not concern a particular complaint.
    Another commenter asserted that the Department has not demonstrated 
why the proposed amendment is necessary. The commenter said that unless 
there is evidence of a widespread problem, the proposed change will 
increase university costs in responding to investigations without a 
corresponding benefit to the public.
    Another commenter said that the Office should not investigate 
allegations that are not filed by a parent or eligible student because 
an institution must know the name of the filing party and the specific 
circumstances of the allegation in order to properly defend its 
actions. The commenter said that it should not be unnecessarily 
burdened by an investigation by the Office when it has already dealt 
with the situation to the satisfaction of the affected student, and 
that any student who is not satisfied with the institution's efforts 
retains the ability to file a complaint. The commenter also noted that 
a complaint filed by an affected student has more credibility than 
allegations made by other parties. The commenter was concerned that 
accepting information from other parties could result in filings from 
persons with grievances unrelated to FERPA, such as a disgruntled 
employee, or an applicant rejected for admission, or a parent or 
eligible student who missed a filing deadline of some kind.
    One commenter said that the proposed change would result in an 
ineffective use of the limited resources of the Office because it would 
be investigating allegations that may not have a sufficient basis.
    Discussion: We proposed the changes to Sec.  99.64(b) to clarify 
that the Office may initiate its own investigation of whether an 
educational agency or institution has violated FERPA. (The amendment also clarifies 
that if the Office determines that an agency or institution violated 
FERPA, it may also determine whether the violation was based on a 
policy or practice of the agency or institution.)
    Our experience has shown that sometimes FERPA violations are 
brought to the attention of the Office by

[[Page 74842]]

school officials, officials in other schools, or by the media. It is 
important that the Office have authority to investigate allegations of 
non-compliance in these situations. Consistent with its current 
practice, a notice of investigation issued by the Office will provide 
sufficient and specific factual information to permit the agency or 
institution to adequately investigate and respond to the allegations, 
whether or not the investigation is based on a complaint by a parent or 
eligible student.
    We do not agree that allowing the Office to initiate its own 
investigations of possible FERPA violations will lead to abuses of the 
process by persons seeking to redress other grievances with an 
institution. The Office will continue to be responsible for evaluating 
the validity of the information and allegations that come to its 
attention by means other than a valid complaint and determining whether 
to initiate an investigation. We do not anticipate that the Office will 
initiate an investigation of every allegation or information it 
receives. We believe, however, that it is important that the Office be 
able to investigate any violation of FERPA for which it receives 
notice. As stated in the NPRM, 73 FR 15591, the Department is not 
seeking to expand the scope of FERPA investigations beyond the current 
practices of the Office.
    Changes: None.

(c) Sec.  99.66

    Comment: We received one comment on the proposed change to Sec.  
99.66(c), which allows but does not require FPCO to make a finding that 
an educational agency or institution has a policy or practice in 
violation of a FERPA requirement when the Office issues a notice of 
findings in Sec.  99.66(b). The commenter stated that its review of 
FERPA and the Supreme Court decision in Gonzaga University v. Doe, 536 
U.S. 273 (2002) (Gonzaga), indicates that the Office may not issue a 
finding of a violation of FERPA and require corrective action or take 
any enforcement action without also finding that the violation 
constituted a policy or practice of the agency or institution.
    Discussion: We explain in the discussion of the changes to Sec.  
99.67 that there are circumstances in which the Office would be 
required to find that an educational agency or institution has a policy 
or practice in violation of a FERPA requirement before taking certain 
enforcement actions, such as an action to terminate funding for a 
violation of the non-disclosure requirements, 20 U.S.C. 1232g(b)(1) and 
(b)(2) and 34 CFR 99.30. However, the Office is not required to find a 
policy or practice in violation of FERPA before issuing a notice of 
findings or taking other kinds of enforcement actions.
    Changes: None.

(d) Sec.  99.67

    Comment: One commenter supported the clarification in proposed 
Sec.  99.67 that the Office may not seek to withhold payments, 
terminate eligibility for funding, or take certain other enforcement 
actions unless it determines that the educational agency or institution 
has a policy or practice that violates FERPA. Another commenter 
expressed general support for the proposed change, including the 
clarification that the Secretary may take any legally available 
enforcement action, in addition to those specifically listed in the 
current regulations. The commenter expressed concern, however, that the 
penalties are not severe enough to effectively discourage unintentional 
or willful violations by third parties, particularly in areas of 
research and data sharing with outside parties.
    Another commenter expressed concern that the proposed amendment 
would unnecessarily broaden the enforcement options available to the 
Secretary. The commenter stated that educational agencies and 
institutions will not be able to assess the risks and consequences 
associated with their actions without a limitation on the range of 
enforcement actions available to the Department when a violation of 
FERPA is found.
    One commenter asked the Department to clarify that all methods of 
enforcing FERPA that are contained in the current regulations will be 
retained in the final regulations. The commenter said that the proposed 
regulations in the NPRM (73 FR 15602) appear to remove the Secretary's 
ability to terminate funding.
    Discussion: We explained in the preamble to the NPRM (73 FR 15592) 
that there were two reasons for the proposed changes to Sec.  99.67(a). 
One was the need to clarify that the Secretary may take any enforcement 
action that is legally available and is not limited to those specified 
under the current regulations, i.e., withholding further payments under 
any applicable program; issuing a complaint to compel compliance 
through a cease-and-desist order; or terminating eligibility to receive 
funding under any applicable program. Other actions the Secretary may 
take to enforce FERPA include entering into a compliance agreement 
under 20 U.S.C. 1234f and seeking an injunction.
    This change to Sec.  99.67(a) does not broaden the Secretary's 
enforcement options, as suggested by one commenter. The General 
Education Provisions Act (GEPA) provides the Secretary with the 
authority to take certain enforcement actions to address violations of 
statutory and regulatory requirements, including general authority to 
``take any other action authorized by law with respect to the 
recipient.'' 20 U.S.C. 1234c(a)(4). The change to Sec.  99.67(a) simply 
includes, for purposes of clarity, the Secretary's existing authority 
under GEPA to take any legally available action to enforce FERPA 
requirements. (We note that before taking enforcement action the Office 
must determine that the educational agency or institution is failing to 
comply substantially with a FERPA requirement and provide it with a 
reasonable period of time to comply voluntarily. See 20 U.S.C. 
1234c(a); 20 U.S.C. 1232g(f); and 34 CFR 99.66(c).)
    We also proposed to amend Sec.  99.67(a) to clarify that the Office 
may issue a notice of violation for failure to comply with specific 
FERPA requirements and require corrective actions but may not seek to 
terminate eligibility for funding, withhold payments, or take other 
enforcement actions unless the Office determined that an agency or 
institution has a policy or practice in violation of FERPA requirements 
(73 FR 15592). Upon further review, we have decided not to adopt this 
particular change because we believe it limits the Secretary's 
enforcement authority in a manner that is not legally required.
    In support of its holding in Gonzaga that FERPA's non-disclosure 
provisions do not create rights that are enforceable under 42 U.S.C. 
1983, the Court observed that FERPA provides that no funds shall be 
made available to an educational agency or institution that has a 
policy or practice of disclosing education records in violation of 
FERPA requirements. 536 U.S. at 288; see also 20 U.S.C. 1232g(b)(1) and 
(b)(2); 34 CFR 99.30. As such, the statute and Gonzaga decision suggest 
that with respect to violations of FERPA's non-disclosure requirements, 
the Secretary must find that an educational agency or institution has a 
policy or practice in violation of FERPA requirements before taking 
actions to terminate, withhold, or recover funds for those violations. 
However, there is no requirement under the statute (or the Gonzaga 
decision) for the Secretary to find a policy or practice in violation 
of FERPA requirements on the part of an educational agency or 
institution before taking other kinds of enforcement actions for 
violations of the non-disclosure requirements, such as

[[Page 74843]]

seeking an injunction or a cease-and-desist order. We note also that 
the Gonzaga opinion does not address violations of other FERPA 
requirements, such as parents' right to inspect and review their 
children's education records and the requirement that educational 
agencies and institutions afford parents an opportunity for a hearing 
to challenge the content of a student's education records under certain 
circumstances, which do not contain the same ``policy or practice'' 
language as the non-disclosure requirements. Because we did not address 
enforcement of these other FERPA requirements in the NPRM, we have 
decided not to address in the final regulations limitations or 
pre-conditions that apply solely to actions to terminate, withhold, or 
recover program funds for violations of the non-disclosure 
requirements.
    In response to the comment that the available penalties are not 
severe enough to discourage FERPA violations, we note that the 
Secretary has authority to terminate, withhold, and recover program 
funds and take other enforcement actions in accordance with part E of 
GEPA. The Secretary may not increase penalties beyond those authorized 
under FERPA and GEPA. Further, the regulations do not remove the 
Secretary's authority to terminate eligibility for program funding or 
any other enforcement authority. The changes noted by the commenter who 
was concerned that the proposed regulations removed the Secretary's 
authority to terminate funding were corrections to punctuation and 
formatting only, not substantive changes.
    Changes: We have removed the language in Sec.  99.67(a) that 
requires the Office to determine that an educational agency or 
institution has a policy or practice in violation of FERPA requirements 
before taking any enforcement action.

Department Recommendations for Safeguarding Education Records

    Comment: We received a few comments on the recommendations for 
safeguarding education records included in the NPRM. One commenter 
expressed concern that schools and school districts should exercise 
enhanced security for the records of children receiving special 
education services. According to the commenter, these children often 
have a large number of records and may receive services from a variety 
of providers, which can add to the challenge of ensuring that 
appropriate privacy controls are used.
    One commenter supported the safeguarding recommendations and 
suggested that we revise the recommendations to list non-Federal 
government sources providing guidance on methods for safeguarding 
education records. Another commenter supported the recommendations, but 
suggested that the regulations should require that a parent or eligible 
student receive notification of an unauthorized release or theft of 
information.
    Discussion: The comments on the records of students who receive 
special education services illustrate the necessity for educational 
agencies and institutions to ensure that adequate controls are in place 
so that the education records of all students are handled in accordance 
with FERPA's privacy protections. The safeguarding recommendations that 
we provided in the NPRM, and are repeated in these final regulations, 
are intended to provide agencies and institutions additional 
information and resources to assist them in meeting this 
responsibility. In addition, educational agencies and institutions 
should refer to the protections required under Sec.  300.623 of the 
confidentiality of information requirements in Part B of the IDEA, 34 
CFR 300.623 (Safeguards).
    We acknowledge that there are many sources available concerning 
information security technology and processes. The Department does not 
wish to appear to endorse the information or product of any company or 
organization; therefore, we have included only Federal government 
sources in this notice.
    The Department does not have the authority under FERPA to require 
that agencies or institutions issue a direct notice to a parent or 
student upon an unauthorized disclosure of education records. FERPA 
only requires that the agency or institution record the disclosure so 
that a parent or student will become aware of the disclosure during an 
inspection of the student's education record.
    Changes: None.
    We are republishing here, for the administrative convenience of 
educational agencies and institutions and other parties, the Department 
Recommendations for Safeguarding Education Records that were published 
in the preamble to the NPRM (73 FR 15598-15599):
    The Department recognizes that agencies and institutions face 
significant challenges in safeguarding educational records. We are 
providing the following information and recommendations to assist 
agencies and institutions in meeting these challenges.
    As noted elsewhere in this document, FERPA provides that no funds 
administered by the Secretary may be made available to any educational 
agency or institution that has a policy or practice of releasing, 
permitting the release of, or providing access to personally 
identifiable information from education records without the prior 
written consent of a parent or eligible student except in accordance 
with specified exceptions. In light of these requirements, the 
Secretary encourages educational agencies and institutions to utilize 
appropriate methods to protect education records, especially in 
electronic data systems.
    In recent years the following incidents have come to the 
Department's attention:
    * Students' grades or financial information, including SSNs, 
have been posted on publicly available Web servers;
    * Laptops and other portable devices containing similar 
information from education records have been lost or stolen;
    * Education records, or devices that maintain education 
records, have not been retrieved from school officials upon termination 
of their employment or service as a contractor, consultant, or 
volunteer;
    * Computer systems at colleges and universities have become 
favored targets because they hold many of the same records as banks but 
are much easier to access. See ``College Door Ajar for Online 
Criminals'' (May 2006), available at 
http://www.uh.edu/ednews/2006/latimes/200605/20060530hackers.html and 
July 10, 2006, Viewpoint in Business Week/Online available at 
http://www.businessweek.com/technology/content/jul2006/tc20060710_558020.htm;
    * Nearly 65 percent of postsecondary educational 
institutions identified theft of personal information (SSNs, credit/
debit/ATM card, account or PIN numbers, etc.) as a high risk area. See 
Table 7, Perceived Risks at 
http://www.educause.edu/ir/library/pdf/ecar_so/ers/ers0606/Ekf0606.pdf; 
and
    * In December 2006, a large postsecondary institution 
alerted some 800,000 students and others that the campus computer 
system containing their names, addresses, and SSNs had been 
compromised.
    The Department's Office of Inspector General (OIG) noted in Final 
Inspection Alert Memorandum dated February 3, 2006, that the Privacy 
Rights Clearinghouse reported that between February 15, 2005, and 
November 19, 2005, there were 93 documented computer breaches of 
electronic files

[[Page 74844]]

involving personal information from education records such as SSNs, 
credit card information, and dates of birth. According to the reported 
data, 45 percent of these incidents have occurred at colleges and 
universities nationwide. OIG expressed concern that student information 
may be compromised due to a failure to implement or administer proper 
security controls for information systems at postsecondary 
institutions.
    The Department recognizes that no system for maintaining and 
transmitting education records, whether in paper or electronic form, 
can be guaranteed safe from every hacker and thief, technological 
failure, violation of administrative rules, and other causes of 
unauthorized access and disclosure. Although FERPA does not dictate 
requirements for safeguarding education records, the Department 
encourages the holders of personally identifiable information to 
consider actions that mitigate the risk and are reasonably calculated 
to protect such information. Of course, an educational agency or 
institution may use any method, combination of methods, or technologies 
it determines to be reasonable, taking into consideration the size, 
complexity, and resources available to the institution; the context of 
the information; the type of information to be protected (such as 
social security numbers or directory information); and methods used by 
other institutions in similar circumstances. The greater the harm that 
would result from unauthorized access or disclosure and the greater the 
likelihood that unauthorized access or disclosure will be attempted, 
the more protections an agency or institution should consider using to 
ensure that its methods are reasonable.
    One resource for administrators of electronic data systems is ``The 
National Institute of Standards and Technology (NIST) 800-100, 
Information Security Handbook: A Guide for Managers'' (October 2006). 
See 
http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf. 
A second resource is NIST 800-53, Information Security, which catalogs 
information security controls. See 
http://csrc.nist.gov/publications/nistpubs/800-53-Rev1/800-53-rev1-final-clean-sz.pdf. 
Similarly, a May 22, 2007, memorandum to heads of Federal agencies from 
the Office of Management and Budget requires executive departments and 
agencies to ensure that proper safeguards are in place to protect 
personally identifiable information that they maintain, eliminate the 
unnecessary use of SSNs, and develop and implement a ``breach 
notification policy.'' This memorandum, although directed towards 
Federal agencies, may also serve as a resource for educational agencies 
and institutions. See 
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.
    Finally, if an educational agency or institution has experienced a 
theft of files or computer equipment, hacking or other intrusion, 
software or hardware malfunction, inadvertent release of data to 
Internet sites, or other unauthorized release or disclosure of 
education records, the Department suggests consideration of one or more 
of the following steps:
    * Report the incident to law enforcement authorities.
    * Determine exactly what information was compromised, i.e., 
names, addresses, SSNs, ID numbers, credit card numbers, grades, and 
the like.
    * Take steps immediately to retrieve data and prevent any 
further disclosures.
    * Identify all affected records and students.
    * Determine how the incident occurred, including which 
school officials had control of and responsibility for the information 
that was compromised.
    * Determine whether institutional policies and procedures 
were breached, including organizational requirements governing access 
(user names, passwords, PINs, etc.); storage; transmission; and 
destruction of information from education records.
    * Determine whether the incident occurred because of a lack 
of monitoring and oversight.
    * Conduct a risk assessment and identify appropriate 
physical, technological, and administrative measures to prevent similar 
incidents in the future.
    * Notify students that the Department's Office of Inspector 
General maintains a Web site describing steps students may take if they 
suspect they are a victim of identity theft at 
http://www.ed.gov/about/offices/list/oig/misused/idtheft.html; and 
http://www.ed.gov/about/offices/list/oig/misused/victim.html.
    FERPA does not require an educational agency or institution to 
notify students that information from their education records was 
stolen or otherwise subject to an unauthorized release, although it 
does require the agency or institution to maintain a record of each 
disclosure. 34 CFR 99.32(a)(1). (However, student notification may be 
required in these circumstances for postsecondary institutions under 
the Federal Trade Commission's Standards for Insuring the Security, 
Confidentiality, Integrity and Protection of Customer Records and 
Information (``Safeguards Rule'') in 16 CFR part 314.) In any case, 
direct student notification may be advisable if the compromised data 
includes student SSNs and other identifying information that could lead 
to identity theft.

Executive Order 12866

    Under Executive Order 12866, the Secretary must determine whether 
this regulatory action is ``significant'' and therefore subject to the 
requirements of the Executive Order and subject to review by OMB. 
Section 3(f) of Executive Order 12866 defines a ``significant 
regulatory action'' as an action likely to result in a rule that may 
(1) have an annual effect on the economy of $100 million or more, or 
adversely affect a sector of the economy, productivity, competition, 
jobs, the environment, public health or safety, or State, local or 
tribal governments, or communities in a material way (also referred to 
as an ``economically significant'' rule); (2) create serious 
inconsistency or otherwise interfere with an action taken or planned by 
another agency; (3) materially alter the budgetary impacts of 
entitlement grants, user fees, or loan programs or the rights and 
obligations of recipients thereof; or (4) raise novel legal or policy 
issues arising out of legal mandates, the President's priorities, or 
the principles set forth in the Executive order. The Secretary has 
determined that this regulatory action is significant under section 
3(f)(4) of the Executive order.

1. Summary of Public Comments

    The Department did not receive any comments on the analysis of the 
costs and benefits in the NPRM. However, since the publication of the 
NPRM, we have identified several information collection requirements 
that were not identified in the NPRM. We have added discussions of the 
costs and benefits of two information collection requirements in the 
following Summary of Costs and Benefits.

2. Summary of Costs and Benefits

    Following is an analysis of the costs and benefits of the most 
significant changes to the FERPA regulations. In conducting this 
analysis, the Department examined the extent to which the regulations 
add to or reduce the costs of educational agencies and institutions 
and, where appropriate, State educational agencies (SEAs) and other 
State and local educational authorities in relation to their costs of 
complying with the FERPA regulations prior to these changes.

[[Page 74845]]

    This analysis is based on data from the most recent Digest of 
Education Statistics (2007) published by the National Center for 
Education Statistics (NCES), which projects total enrollment for Fall 
2008 of 49,812,000 students in public elementary and secondary schools 
and 18,264,000 students in postsecondary institutions; and a total of 
97,382 public K-12 schools; 14,166 school districts; and 6,463 
postsecondary institutions. (Excluded are data from private 
institutions that do not receive Federal funding from the Department 
and, therefore, are not subject to FERPA.) Based on this analysis, the 
Secretary has concluded that the changes in these regulations will not 
impose significant net costs on educational agencies and institutions. 
Analyses of specific provisions follow.

Alumni Records

    The regulations in Sec.  99.3 clarify the current exclusion from 
the definition of education records for records that only contain 
information about an individual after he or she is no longer a student, 
which is intended to cover records of alumni and similar activities. 
Some institutions have applied this exclusion to records that are 
created after a student has ceased attending the institution but that 
are directly related to his or her attendance as a student, such as 
investigatory reports and settlement agreements about incidents and 
injuries that occurred during the student's enrollment. The amendment 
will clarify that this provision applies only to records created or 
received by an educational agency or institution after an individual is 
no longer a student in attendance and that are not directly related to 
the individual's attendance as a student.
    We believe that most of the more than 103,845 K-12 schools and 
postsecondary institutions subject to FERPA already adhere to this 
revised interpretation in the regulations and that for those that do 
not, the number of records affected is likely to be very small. 
Assuming that each year one half of one percent of the 68.1 million 
students enrolled in these institutions have one record each affected 
by the change, in the year following issuance of the regulations 
institutions will be required to try to obtain written consent before 
releasing 350,380 records that they would otherwise release without 
consent. We estimate that for the first year contacting the affected 
parent or student to seek and process written consent for these 
disclosures will take approximately one-half hour per record at an 
average cost of $32.67 per hour for a total cost of $5,562,068. 
(Compensation for administrative staff time is based on published 
estimates for 2005 from the Bureau of Labor Statistics' National 
Compensation Survey of $23.50 per hour plus an average 39 percent 
benefit load for Level 8 administrators in education and related 
fields.)
    In terms of benefits, the change will protect the privacy of 
parents and students by clarifying the intent of this regulatory 
exclusion and help prevent the unlawful disclosure of these records. It 
will also provide greater legal certainty and therefore some cost 
savings for those agencies and institutions that may be required to 
litigate this issue in connection with a request under a State open 
records act or other legal proceeding. For these reasons, we believe 
that the overall benefits outweigh the potential costs of this change.

Exclusion of SSNs and ID Numbers From Directory Information

    The proposed regulations in Sec.  99.3 clarified that a student's 
SSN or student ID number is personally identifiable information that 
may not be disclosed as directory information under FERPA. The final 
regulations allow an educational agency or institution to designate and 
disclose student ID numbers as directory information if the number 
cannot be used by itself to gain access to education records, i.e., it 
is used like a name. SSNs may never be disclosed as directory 
information.
    The principal effect of this change is that educational agencies 
and institutions may not post grades by the student's SSN or non-
directory student ID number and may not include these identifiers with 
directory information they disclose about a student, such as a 
student's name, school, and grade level or class, on rosters, or on 
sign-in sheets that are made available to students and others. 
(Educational agencies and institutions may continue to include SSNs and 
non-directory student ID numbers on class rosters and schedules that 
are disclosed only to teachers and other school officials who have 
legitimate educational interests in this information.)
    A class roster or sign-in sheet that contains or requires students 
to affix their SSN or non-directory student ID number makes that 
information available to every individual who signs in or sees the 
document and increases the risk that the information may be improperly 
used for purposes such as identity theft or to find out a student's 
grades or other confidential educational information. In regard to 
posting grades, an individual who knows which classes a particular 
student attends may be able to ascertain that student's SSN or non-
directory student ID number by comparing class lists for repeat 
numbers. Because SSNs are not randomly generated, it may be possible to 
identify a student by State of origin based on the first three (area) 
digits of the number, or by date of issuance based on the two middle 
digits.
    The Department does not have any actual data on how many class or 
test grades are posted by SSN or non-directory student ID number at 
this time, but we believe that the practice is rare or non-existent 
below the secondary level. Although the practice was once widespread, 
particularly at the postsecondary level, anecdotal evidence suggests 
that as a result of consistent training and informal guidance by the 
Department over the past several years, together with the increased 
attention States and privacy advocates have given to the use of SSNs, 
many institutions now either require teachers to use a code known only 
to the teacher and the student or prohibit the posting of grades 
entirely.
    The most recent figures available from the Bureau of Labor 
Statistics (2007) indicate that there are approximately 2.7 million 
secondary and postsecondary teachers in the United States. As noted 
above, we assume that most of these teachers either do not post grades 
at all or already use a code known only to the teacher or student. We 
assume further that additional costs to deliver grades personally in 
the classroom or through electronic mail, instead of posting, will be 
minimal. For purposes of this analysis, we estimate that no more than 
five percent of 2.7 million, or 135,000 teachers, continue to post 
grades by SSN or non-directory student ID number and thus will need to 
convert to a code, which will require them to spend an average of one-
half hour each semester establishing and managing grading codes for 
students. Since we do not know how many teachers at either education 
level will continue to post grades, and wages for postsecondary 
teachers are higher than secondary teacher wages, we use postsecondary 
teacher wages to ensure that the estimate encompasses the upper limit 
of possible costs. Using the Bureau of Labor Statistics' published 
estimate of average hourly wages of $42.98 for teachers at 
postsecondary institutions and an average 39 percent load for benefits, 
we estimate an average cost of $59.74 per teacher per year, for a total 
of $8,064,900. Parents and students should incur no costs except for 
the time they might have to spend to

[[Page 74846]]

contact the school official if they forget the student's grading code.
    This change will benefit parents and students and educational 
agencies and institutions by reducing the risk of identity theft 
associated with posting grades by SSN, and the risk of disclosing 
grades and other confidential educational information caused by posting 
grades by a non-directory student ID number. It is difficult to 
quantify the value of reducing the risk of identity theft. According to 
the Federal Trade Commission, however, for the past few years over one-
third of complaints filed with that agency have been for identity 
theft. According to the Better Business Bureau, identity theft cost 
businesses nearly $57 billion in 2006, while victims spent an average 
of 40 hours resolving identity theft issues. It is even more difficult 
to measure the benefits of enhanced privacy protections for student 
grades and other confidential educational information from education 
records because the value individuals place on the privacy of this 
information varies considerably and because we are unable to determine 
how often it happens. Therefore, we have no basis to estimate the value 
of these enhanced privacy protections in relation to the expected costs 
to implement the changes.

Prohibit Use of SSN To Confirm Directory Information

    The regulations will prevent an educational agency or institution 
(or a contractor providing services for an agency or institution) from 
using a student's SSN (or other non-directory information) to identify 
the student when releasing or confirming directory information. This 
occurs, for example, when a prospective employer or insurance company 
telephones an institution or submits an inquiry through the 
institution's Web site to find out whether a particular individual is 
enrolled in or has graduated from the institution. While this provision 
will apply to educational agencies and institutions at all grade 
levels, we believe that it will affect mainly postsecondary 
institutions because K-12 agencies and institutions typically do not 
provide enrollment and degree verification services.
    A survey conducted in March 2002 by the American Association of 
Collegiate Registrars and Admissions Officers (AACRAO) showed that 
nearly half of postsecondary institutions used SSNs as the primary 
means to track students in academic databases. Since then, use of SSNs 
as a student identifier has decreased significantly in response to 
public concern about identity theft. While postsecondary institutions 
may continue to collect students' SSNs for financial aid and tax 
reporting purposes, many have ceased using the SSN as a student 
identifier either voluntarily or in compliance with State laws. Also, 
over the past several years the Department has provided training on 
this issue and published on the Office Web site a 2004 letter finding a 
postsecondary institution in violation of FERPA when its agent used a 
student's SSN, without consent, to search its database to verify that 
the student had received a degree. See 
www.ed.gov/policy/gen/guid/fpco/ferpa/library/auburnuniv.html. Given 
these circumstances, we estimate 
that possibly one-quarter of the nearly 6,463 postsecondary 
institutions in the United States, or 1,616 institutions, may ask a 
requester to provide the student's SSN (or non-directory student ID 
number) in order to locate the record and respond to an inquiry for 
directory information.
    Under the regulations an educational agency or institution that 
identifies students by SSN (or non-directory student ID number) when 
releasing directory information will either have to ensure that the 
student has provided written consent to disclose the number to the 
requester, or rely solely on a student's name and other properly 
designated directory information to identify the student, such as 
address, date of birth, dates of enrollment, year of graduation, major 
field of study, degree received, etc. Costs to an institution of 
ensuring that students have provided written consent for these 
disclosures, for example by requiring the requester to fax copies of 
each written consent to the institution or its contractor, or making 
arrangements to receive them electronically, could be substantial for 
large institutions and organizations that utilize electronic 
recordkeeping systems. Institutions may choose instead to conduct these 
verifications without using SSNs or non-directory student IDs, which 
may make it more difficult to ensure that the correct student has been 
identified because of the known problems in matching records without 
the use of a universal identifier. Increased institutional costs either 
to verify that the student has provided consent or to conduct a search 
without use of SSNs or non-directory student ID numbers should be less 
for smaller institutions, where the chances of duplicate records are 
decreased. Parents and students may incur additional costs if an 
employer, insurance company, or other requester is unable to verify 
enrollment or graduation based solely on directory information, and 
written consent for disclosure of the student's SSN or non-directory 
student ID number is required. Due to the difficulty in ascertaining 
actual costs associated with these transactions, we have no basis to 
estimate costs that educational agencies and institutions and parents 
and students will incur as a result of this change.
    The enhanced privacy protections of this amendment will benefit 
students and parents by reducing the risk that third parties will 
disclose a student's SSN without consent and possibly confirm a 
questionable number for purposes of identity theft. Similarly, 
preventing institutions from implicitly confirming a questionable non-
directory student ID number will help prevent unauthorized individuals 
from obtaining confidential information from education records. In 
evaluating the benefits or value of this change, we note that this 
provision does not affect any activity that an educational agency or 
institution is permitted to perform under FERPA or other Federal law, 
such as using SSNs to identify students and confirm their enrollment 
status for student loan purposes, which is permitted without consent 
under the financial aid exception in Sec.  99.31.

User ID for Electronic Communications

    The regulations will allow an educational agency or institution to 
disclose as directory information a student's ID number, user ID or 
other electronic identifier so long as the identifier functions like a 
name; that is, it cannot be used without a PIN, password, or some other 
authentication factor to gain access to education records. This change 
will impose no costs and will provide benefits in the form of 
regulatory relief allowing agencies and institutions to use directory 
services in electronic communications systems without incurring the 
administrative costs associated with obtaining student consent for 
these disclosures.
    Costs related to honoring a student's decision to opt out of these 
disclosures will be minimal because we assume that only a small number 
of students will elect not to participate in electronic communications 
at their school. Applying this change to records of both K-12 and 
postsecondary students and assuming that one-tenth of one percent of 
parents and eligible students will opt out of these disclosures, we 
estimate that institutions will have to flag the records of 
approximately 68,000 students for opt-out purposes. We lack sufficient 
data on costs institutions currently incur to flag records for

[[Page 74847]]

directory information opt-outs for other purposes, so we are unable to 
estimate the administrative and information technology costs 
institutions will incur to process these new directory information opt-
outs resulting from this change.

Student Anonymity in the Classroom

    The final regulations will ensure that parents and students do not 
use the right to opt out of directory information disclosures to remain 
anonymous in the classroom, by clarifying that opting out does not 
prevent disclosure of the student's name, institutional e-mail address, 
or electronic identifier in the student's physical or electronic 
classroom. We estimate that this change will result in a small net 
benefit to educational agencies and institutions because they will have 
greater legal certainty about this element of classroom administration, 
and it will reduce the institutional costs of responding to complaints 
from students and parents about the release of this information.

Disclosing Education Records to New School and to Party Identified as 
Source Record

    The final regulations in Sec.  99.31(a)(2) will allow an 
educational agency or institution to disclose education records, or 
personally identifiable information from education records, to a 
student's new school even after the student is already attending the 
new school so long as the disclosure relates to the student's 
enrollment in the new school. This change will provide regulatory 
relief by reducing legal uncertainty about how long a school may 
continue to send records or information to a student's new school, 
without consent, under the ``seeks or intends to enroll'' exception.
    The amendment to the definition of disclosure in Sec.  99.3 will 
allow a school that has concerns about the validity of a transcript, 
letter of recommendation, or other record to return these documents (or 
personally identifiable information from these documents) to the 
student's previous school or other party identified as the source of 
the record in order to resolve questions about their validity. Combined 
with the change to Sec.  99.31(a)(2), discussed earlier in this 
analysis, this change will also allow the student's previous school to 
continue to send education records, or clarification about education 
records, to the student's new school in response to questions about the 
validity or meaning of records sent previously by that party. We are 
unable to determine how much it will cost educational agencies and 
institutions to return potentially fraudulent documents to the party 
identified as the sender because we do not have any basis for 
estimating how often this occurs. However, we believe that these 
changes will provide significant regulatory relief to educational 
agencies and institutions by helping to reduce transcript and other 
educational fraud based on falsified records.

Outsourcing

    The regulations in Sec.  99.31(a)(1)(i) will allow educational 
agencies and institutions to disclose education records, or personally 
identifiable information from education records, without consent to 
contractors, volunteers, and other non-employees performing 
institutional services and functions as school officials with 
legitimate educational interests. An educational agency or institution 
that uses non-employees to perform institutional services and functions 
will have to amend its annual notification of FERPA rights to include 
these parties as school officials with legitimate educational 
interests.
    This change will provide regulatory relief by permitting, and 
clarifying the conditions for, non-consensual disclosure of education 
records. Our experience suggests that virtually all of the more than 
103,000 schools subject to FERPA will take advantage of this provision. 
We have no actual data on how many school districts publish annual 
FERPA notifications for the 97,382 K-12 public schools included in this 
total and, therefore, how many entities will be affected by this 
requirement. However, because educational agencies and institutions 
were already required under previous regulations to publish a FERPA 
notification annually, we believe that costs to include this new 
information will be minimal.

Access Control and Tracking

    The regulations in Sec.  99.31(a)(1)(ii) will require an 
educational agency or institution to use reasonable methods to ensure 
that teachers and other school officials obtain access to only those 
education records in which they have legitimate educational interests. 
This requirement will apply to records in any format, including 
computerized or electronic records and paper, film, and other hard copy 
records. An educational agency or institution that chooses not to 
restrict access to education records with physical or technological 
controls, such as locked cabinets and role-based software security, 
must ensure that its administrative policy for controlling access is 
effective and that it remains in compliance with the legitimate 
educational interest requirement.
    Administrative experience has shown that schools that allow 
teachers and other school officials to have unrestricted access to 
education records tend to have more problems with unauthorized 
disclosures, such as school officials obtaining access to education 
records for personal rather than professional reasons. Preventing 
unrestricted access to education records by teachers and other school 
officials will benefit parents and students by helping to ensure that 
education records are used only for legitimate educational purposes. It 
will also help ensure that education records are not accessed or 
disclosed inadvertently.
    Information gathered by the Director of the Office at numerous 
FERPA training sessions and seminars, along with recent discussions 
with software vendors and educational organizations, indicates that the 
vast majority of mid- and large-size school districts and postsecondary 
institutions currently use commercial software for student information 
systems. These systems generally include role-based security features 
that allow administrators to control access to specific records, 
screens, or fields according to a school official's duties and 
responsibilities. These systems also typically contain transactional 
logging features that document or track a user's actual access to 
particular records, which will help ensure that an agency's or 
institution's access control methods are effective. Educational 
agencies and institutions that already have these systems will incur no 
additional costs to comply with the regulations.
    For purposes of this analysis we excluded from a total of 14,166 
school districts and 6,463 postsecondary institutions those with more 
than 1,000 students, for a total of 6,887 small K-12 districts and 
3,906 small postsecondary institutions that may not have software with 
access control security features. The discussions that the Director of 
the Office has had with numerous SEAs and local districts suggest that 
the vast majority of these small districts and institutions do not make 
education records available to school officials electronically or by 
computer but instead use some system of administrative and physical 
controls.
    We estimate for this analysis that 15 percent, or 1,619, of these 
small districts and institutions use home-built computerized or 
electronic systems that may not have the role-based security features 
of commercial software. The most recent published estimate we have for 
software costs comes from the final

[[Page 74848]]

Standards for Privacy of Individually Identifiable Health Information 
under the Health Insurance Portability and Accountability Act of 1996 
(HIPAA Privacy Rule) published by the Department of Health and Human 
Services (HHS) on December 28, 2000, which estimated that the initial 
per-hospital cost of software upgrades to track the disclosure of 
medical records would be $35,000 (65 FR 82768). We assume that costs 
will be comparable for education records, and, as discussed above, 
software that tracks disclosure history can also be used to control or 
restrict access to electronic records. Based on these assumptions, if 
1,619 small K-12 districts and postsecondary institutions decide to 
purchase student information software rather than rely on 
administrative policies to comply with the regulations, they will incur 
estimated costs of $56,665,000. We estimate that the remaining 9,174 
small districts and institutions will not purchase new software because 
they do not make education records available electronically and rely 
instead on less costly administrative and physical methods to control 
access to records by school officials. Those that provide school 
officials with open access to hard copy education records may incur new 
costs to track actual disclosures to help ensure that they remain in 
compliance with legitimate educational interests requirements. We 
assume that these districts and institutions may devote some additional 
administrative staff time to procedures such as keeping logs of school 
officials who access records. However, no reliable estimates exist for 
the average number of teachers and other school officials who access 
education records or the number of times access is sought, so we are 
unable to estimate the cost of restricting or tracking actual 
disclosures of hard copy education records to school officials.

Education Research

    The regulations in Sec.  99.31(a)(6)(ii)(C) require an educational 
agency or institution to enter into a written agreement before 
disclosing personally identifiable information from education records, 
without consent, to organizations conducting studies for, or on behalf 
of, the educational agency or institution to: (a) Develop, validate, or 
administer predictive tests; (b) administer student aid programs; or 
(c) improve instruction. The written agreement must specify the purpose 
or purposes, scope, and duration of the study or studies and the 
information to be disclosed, require the organization to conduct the 
study in a manner that does not permit personal identification of 
parents and students by anyone other than representatives of the 
organization with legitimate interests, require the destruction or 
return of the information to the educational agency or institution when 
the study is completed, and specify the time period for destruction or 
return of the information. We believe that the additional cost of 
entering into written agreements to comply with this change is unlikely 
to be significant because most educational agencies and institutions 
already specify the terms under which personally identifiable 
information can be used when it is disclosed to organizations for these 
types of studies. Although this change will create an additional 
information collection requirement, we believe the benefits of the 
written agreement outweigh the costs, because it will ensure better 
compliance with FERPA and provide clarity for both researchers and 
educational agencies and institutions about the restrictions and use of 
personally identifiable information disclosed under Sec.  99.31(a)(6) 
for studies.

Identification and Authentication of Identity

    The regulations in Sec.  99.31(c) require educational agencies and 
institutions to use reasonable methods to identify and authenticate the 
identity of parents, students, school officials and other parties to 
whom the agency or institution discloses personally identifiable 
information from education records. The use of widely available 
information to authenticate identity, such as the recipient's name, 
date of birth, SSN or student ID number, is not considered reasonable 
under the regulations.
    The regulations will impose no new costs for educational agencies 
and institutions that disclose hard-copy records through the U.S. 
postal service or private delivery services with use of the recipient's 
name and last known official address.
    We were unable to find reliable data that would allow us to 
estimate the additional administrative time that educational agencies 
and institutions will spend checking photo ID against school records or 
using other reasonable methods, as appropriate, to identify and 
authenticate the identity of students, parents, and other parties to 
whom the agency or institution discloses education records in person.
    Authentication of identity for electronic or telephonic access to 
education records involves a wider array of security options because of 
continuing advances in technologies, but is not necessarily more costly 
than authentication of identity for hard-copy records. We assume that 
educational agencies and institutions that require users to enter a 
secret password or PIN to authenticate identity will deliver the 
password or PIN through the U.S. postal service or in person. We 
estimate that no new costs will be associated with this process because 
agencies and institutions already have direct contact with parents, 
eligible students, and school officials for a variety of other purposes 
and will use these opportunities to deliver a secret authentication 
factor.
    As noted in the preamble to the NPRM, 73 FR 15585, single-factor 
authentication of identity, such as a standard form user name combined 
with a secret password or PIN, may not provide reasonable protection 
for access to all types of education records or under all 
circumstances. We lack a basis for estimating costs of authenticating 
identity when educational agencies and institutions allow authorized 
users to access sensitive personal or financial information in 
electronic records for which single-factor authentication would not be 
reasonable.

Redisclosure and Recordkeeping

    The regulations allow the officials and agencies listed in Sec.  
99.31(a)(3) (the U.S. Comptroller General, the U.S. Attorney General, 
the Secretary, and State and local educational authorities) to 
redisclose education records, or personally identifiable information 
from education records, without consent under the same conditions that 
apply currently to other recipients of education records under Sec.  
99.33(b). This change provides substantial regulatory relief to these 
parties by allowing them to redisclose information on behalf of 
educational agencies and institutions under any provision in Sec.  
99.31(a), which allows disclosure of education records without consent. 
For example, States will be able to consolidate K-16 education records 
under the SEA or State higher educational authority without having to 
obtain written consent under Sec.  99.30. Parties that currently 
request access to records from individual school districts and 
postsecondary institutions will in many instances be able to obtain the 
same information in a more cost-effective manner from the appropriate 
State educational authority or the Department.
    In accordance with the current regulations in Sec.  99.32(b), an 
educational agency or institution must record any redisclosure of 
education records made on its behalf under Sec.  99.33(b), including 
the names of the additional parties to

[[Page 74849]]

which the receiving party may redisclose the information and their 
legitimate interests or basis for the disclosure without consent under 
Sec.  99.31 in obtaining the information. The regulations require SEAs 
and other State educational authorities (such as higher education 
authorities), the Secretary, and other officials or agencies listed in 
Sec.  99.31(a)(3) that make further disclosures on behalf of an 
educational agency or institution to maintain the record of 
redisclosure required under Sec.  99.32(b) if the educational agency or 
institution has not recorded the redisclosure or if the information was 
obtained from another State or Federal official or agency listed in 
Sec.  99.31(a)(3). The regulations also require the State or Federal 
official or agency listed in Sec.  99.31(a)(3) to provide a copy of its 
record of redisclosures to the educational agency or institution upon 
request. In addition, an educational agency or institution must 
maintain with each student's record of disclosures the names of State 
and local educational authorities and Federal officials and agencies 
that may make further disclosures from the student's records without 
consent under Sec.  99.33(b) and must obtain a copy of the record of 
redisclosure, if any, maintained by the State or Federal official that 
redisclosed information on behalf of the agency or institution.
    State educational authorities and Federal officials listed in Sec.  
99.31(a)(3) will incur new administrative costs if they maintain the 
record of redisclosure for the educational agency or institution on 
whose behalf they redisclose education records under the regulations. 
We estimate that two educational authorities or agencies in each State 
and the District of Columbia (one for K-12 and one for postsecondary) 
and the Department itself, for a total of 103 authorities, will 
maintain the required records of redisclosures. (We anticipate that 
educational agencies and institutions will record under Sec.  
99.32(b)(1) any further disclosures made by the other Federal officials 
listed in Sec.  99.31(a)(3), the U.S. Comptroller General and the U.S. 
Attorney General.) We estimate further that these authorities will need 
to record two redisclosures per year from their records and that it 
will take one hour of administrative time to record each redisclosure 
electronically at an average hourly rate of $32.67, for a total annual 
administrative cost of $6,730. (Compensation for administrative staff 
time is explained earlier in this analysis.) We also assume for 
purposes of this analysis that State educational authorities and the 
Department already have software that will allow them to record these 
disclosures electronically.
    State educational authorities and Federal officials that maintain 
records of redisclosures will also have to make that information 
available to the educational agency or institution whose records were 
redisclosed, upon request, so that the agency or institution can make 
that record available to a parent or eligible student who has asked to 
inspect and review the student's record of disclosures. We assume that 
few parents and students request this information and, therefore, use 
an estimate that one tenth of one percent of a total of 68.1 million 
students will make such a request each year, or 68,076 requests. If it 
takes one-quarter of an hour to locate and print a record of 
disclosures at an average administrative hourly rate of $32.67, the 
average annual administrative cost for State and Federal officials and 
agencies to provide this service will be $556,011, plus mailing costs 
(at $.42 per letter) of $28,592, for a total of $584,603. We estimate 
that educational agencies and institutions themselves will incur 
comparable costs when they ask State and Federal officials to send them 
these records of redisclosure and then make them available to parents 
and students. We note that printing and mailing costs may be reduced to 
the extent that e-mail is used to transmit the record, and if parents 
or students pick up the record on-site, but we do not have information 
to estimate these potential savings.
    The Department believes that these changes will result in a net 
benefit to educational agencies and institutions because they will not 
have to record further disclosures made by State and Federal 
authorities and officials who redisclose information from education 
records on their behalf and will not have to ask for a copy unless a 
parent or eligible student asks to inspect and review the student's 
record of disclosures. State and Federal authorities and officials will 
also benefit because they will not have to provide their record of 
further disclosures to anyone unless the educational agency or 
institution asks for a copy. Overall, the costs to State and Federal 
authorities to record their own redisclosures will be offset by the 
savings that educational agencies and institutions will realize by not 
having to record the disclosures themselves.

Notification of Compliance With Court Order or Subpoena

    The regulations in Sec.  99.33(b)(2) require any party that 
rediscloses education records in compliance with a court order or 
subpoena under Sec.  99.31(a)(9) to provide the notice to parents and 
eligible students required under Sec.  99.31(a)(9)(ii). We anticipate 
that this provision will affect mostly State and local educational 
authorities, which maintain education records they have obtained from 
their constituent districts and institutions and, under Sec.  99.35(b), 
may redisclose the information, without consent, in compliance with a 
court order or subpoena under Sec.  99.31(a)(9).
    There is no change in costs as a result of shifting responsibility 
for notification to the disclosing party under this change. However, we 
believe that minimizing or eliminating uncertainty about which party is 
legally responsible for the notification will result in a net benefit 
to all parties.

Health or Safety Emergency

    The regulations in Sec.  99.32(a)(5) require that a school that 
discloses information under the health and safety emergency exception 
in Sec.  99.36 record the articulable and significant threat that 
formed the basis for the disclosure and the parties to whom the 
education records were disclosed. Because Sec.  99.32(a) already 
requires schools to record disclosures made under Sec.  99.36, 
including the legitimate interests the parties had in requesting or 
obtaining the information, we believe these changes will not create any 
significant additional administrative costs for schools and that the 
benefit of including the legitimate interests the parties had in 
requesting or obtaining the information outweighs the costs.

Directory Information Opt Outs

    The regulations in Sec.  99.37(b) clarify that while an educational 
agency or institution is not required to notify former students under 
Sec.  99.37(a) about the institution's directory information policy or 
allow former students to opt out of directory information disclosures, 
they must continue to honor a parent's or student's decision to opt out 
of directory information disclosures after the student leaves the 
institution. Most agencies and institutions should already comply with 
this requirement because of informal guidance and training provided by 
FPCO.
    Parents and students will benefit from this clarification because 
it will help ensure that schools do not invalidate the parent's or 
student's decisions on directory information disclosures after the 
student is no longer in attendance. It will also benefit schools by 
eliminating any uncertainty they may have about whether they must 
continue to honor an opt out once the student is

[[Page 74850]]

no longer in attendance. We have insufficient information to estimate 
the number of institutions affected and the additional costs involved 
in changing systems to maintain opt-out flags on education records of 
former students.

Paperwork Reduction Act of 1995

    Following publication of the NPRM, we provided, through a notice 
published in the Federal Register (73 FR 28810, May 19, 2008) 
opportunity for the public to comment on information collections in the 
current regulations, and indicated in that notice the pendency of the 
NPRM. Additionally, based on comments received in response to the NPRM, 
we have identified several information collection requirements 
associated with these regulations. We describe these information 
collections in the following paragraphs and will be submitting these 
sections to OMB for review and approval. We note that the Paperwork 
Reduction Act of 1995 does not require a response to these information 
collection requirements unless they display a valid OMB control number. 
A valid OMB control number will be assigned to the information 
collection requirements at the end of the affected sections of the 
regulations.

(1) Sec.  99.31(a)(6)(ii)

    FERPA permits an educational agency or institution to disclose 
personally identifiable information from education records, without 
consent, to organizations conducting studies for or on behalf of the 
agency or institution for purposes of testing, student aid, and 
improvement of instruction. In the NPRM, we proposed to add Sec.  
99.31(a)(6)(ii) to require an educational agency or institution to 
disclose personally identifiable information under Sec.  99.31(a)(6)(i) 
only if it enters into a written agreement with the organization 
specifying the purposes of the study. Under these final regulations, 
this written agreement must specify the purpose, scope, and duration of 
the study or studies and the information to be disclosed; require the 
organization to use personally identifiable information from education 
records only to meet the purpose or purposes of the study as stated in 
the written agreement; require the organization to conduct the study in 
a manner that does not permit personal identification of parents and 
students by individuals other than representatives with legitimate 
interest of the organization that conducts the study; require the 
organization to destroy the information or return it to the educational 
agency or institution when it is no longer needed for the purposes for 
which the study was conducted; and specify the time period for the 
destruction or return of the information.
    The Department did not identify in the NPRM the requirement in 
Sec.  99.31(a)(6)(ii) as an information collection requirement under 
the Paperwork Reduction Act of 1995 and did not realize this would be 
an information collection requirement until a commenter brought this 
matter to our attention. The commenter pointed out that, while this 
change created another paperwork burden for school districts, the 
commenter did not object to the written agreement requirement because 
putting the requirements regarding the use and destruction of data in 
writing may improve compliance with FERPA. The Department agrees with 
the comment.

(2) Sec.  99.32(a)(1)

    Under FERPA, an educational agency or institution is required to 
record its disclosures of personally identifiable information from 
education records, even when it discloses information to its own State 
educational authority. This statutory requirement is reflected in the 
current FERPA regulations. The final regulations permit the State and 
local educational authorities and Federal officials listed in Sec.  
99.31(a)(3) to make further disclosures of personally identifiable 
information from education records on behalf of the educational agency 
or institution in accordance with the requirements of Sec.  99.33(b) 
and require them to record these further disclosures of Sec.  99.33(b) 
if the educational agency or institution does not do so. We have 
included provisions in the final regulations that require educational 
agencies and institutions to maintain a listing in each student's 
record of the State and local educational authorities and Federal 
officials and agencies that may make further disclosures of the 
student's education records without consent so that parents and 
eligible students will be made aware of these further disclosures.

(3) Sec.  99.32(a)(4)

    Under this new provision, parents and eligible students will be 
able to inspect and review any further disclosures that were made by 
any of the parties listed under Sec.  99.31(a)(3) by asking the 
educational agency or institution to obtain a copy of the record of 
further disclosures. We believe that this is only a minor paperwork 
burden for schools because it would involve asking officials to whom 
they have disclosed education records for the record of further 
disclosure or, in the case of some SEAs, accessing the State database 
for this information. Also, we do not expect that a large number of 
parents and eligible students will ask to see the record of further 
disclosures.

(4) Sec.  99.32(a)(5)

    During the development of the final regulations, we identified 
another change to the recordation requirements of Sec.  99.32 that 
would require the collection of information. In response to several 
comments we received regarding changes to FERPA's ``health or safety 
emergency exception'' in Sec.  99.36, we have amended Sec.  99.32(a) to 
include a new recordation requirement. Specifically, we have added a 
paragraph to the recordation requirement that requires that for any 
disclosures under Sec.  99.36 a school must record the articulable and 
significant threat to the health or safety of a student or other 
individuals that formed the basis for the disclosure and the parties to 
whom the agency or institution disclosed information.
    The Secretary believes that this is only a minor paperwork burden 
for schools because schools are already required to record disclosures 
made under Sec.  99.36. The new language in Sec.  99.32(a)(5) simply 
clarifies the type of information that must be recorded when a school 
discloses personally identifiable information in response to a health 
or safety emergency, either for one student or for all students in a 
school.

(5) Sec.  99.32(b)(2)

    In the NPRM, we specifically noted that the Department was 
interested in relieving any administrative burdens associated with 
recording disclosures of education records and, therefore, invited 
public comment on whether an SEA, the Department, or other authority or 
official listed in Sec.  99.31(a)(3) should be allowed to maintain the 
record of the redisclosures it makes on behalf of an educational agency 
or institution under Sec.  99.32(b).
    Several commenters stated that an SEA (or other authority or 
official listed in Sec.  99.31(a)(3)) should be responsible for 
maintaining the record of disclosure required under Sec.  99.32 when it 
rediscloses information on behalf of educational agencies and 
institutions. The commenters stated that requiring each educational 
agency or institution, such as school districts, to record each 
redisclosure made by an SEA or other State educational authority on its 
behalf imposes an unacceptable recordkeeping burden on school districts 
and is impractical for State educational authorities to adhere to in 
making

[[Page 74851]]

further disclosures on behalf of the agency or institution. In response 
to these comments, we are revising Sec.  99.32 to require the State and 
local educational authorities and Federal officials listed in Sec.  
99.31(a)(3) to maintain the record of further disclosures if the 
educational agency or institution does not do so and make it available 
to the educational agency or institution upon request. We agree that by 
requiring State and Federal authorities and officials to record their 
redisclosures in these circumstances school districts will have less 
total paperwork burden because schools will not have to comply with the 
recordkeeping requirement in these instances.

Assessment of Educational Impact

    In the NPRM, and in accordance with section 411 of the General 
Education Provisions Act, 20 U.S.C. 1221e-4, we requested comments on 
whether the proposed regulations would require transmission of 
information that any other agency or authority of the United States 
gathers or makes available.
    Based on the response to the NPRM and on our review, we have 
determined that these final regulations do not require transmission of 
information that any other agency or authority of the United States 
gathers or makes available.

Electronic Access to This Document

    You may view this document, as well as all other Department of 
Education documents published in the Federal Register, in text or Adobe 
Portable Document Format (PDF) on the Internet at the following site: 
www.ed.gov/news/fedregister.
    To use PDF you must have Adobe Acrobat Reader, which is available 
free at this site. If you have questions about using PDF, call the U.S. 
Government Printing Office (GPO), toll free, at 1-888-293-6498; or in 
the Washington, DC area at (202) 512-1530.

    Note: The official version of this document is the document 
published in the Federal Register. Free Internet access to the 
official edition of the Federal Register and the Code of Federal 
Regulations is available on GPO Access at 
www.gpoaccess.gov/nara/index.html.

    (Catalog of Federal Domestic Assistance Number does not apply.)

List of Subjects in 34 CFR Part 99

    Administrative practice and procedure, Directory information, 
Education records, Information, Parents, Privacy, Records, Social 
Security Numbers, Students.

    Dated: December 2, 2008.
Margaret Spellings,
Secretary of Education.

For the reasons discussed in the preamble, the Secretary amends part 99 
of title 34 of the Code of Federal Regulations as follows:

PART 99--FAMILY EDUCATIONAL RIGHTS AND PRIVACY

1. The authority citation for part 99 continues to read as follows:

    Authority: 20 U.S.C. 1232g, unless otherwise noted.


2. Section 99.2 is amended by revising the note following the authority 
citation to read as follows:


Sec.  99.2  What is the purpose of these regulations?

* * * * *

    Note to Sec.  99.2: 34 CFR 300.610 through 300.626 contain 
requirements regarding the confidentiality of information relating 
to children with disabilities who receive evaluations, services or 
other benefits under Part B of the Individuals with Disabilities 
Education Act (IDEA). 34 CFR 303.402 and 303.460 identify the 
confidentiality of information requirements regarding children and 
infants and toddlers with disabilities and their families who 
receive evaluations, services, or other benefits under Part C of 
IDEA. 34 CFR 300.610 through 300.627 contain the confidentiality of 
information requirements that apply to personally identifiable data, 
information, and records collected or maintained pursuant to Part B 
of the IDEA.


3. Section 99.3 is amended by:
A. Adding, in alphabetical order, a definition of Biometric record.
B. Revising the definitions of Attendance, Directory information, 
Disclosure, and Personally identifiable information.
C. In the definition of Education records, revising paragraph (b)(5) 
and adding a new paragraph (b)(6).
    These additions and revisions read as follows:


Sec.  99.3  What definitions apply to these regulations?

* * * * *
    Attendance includes, but is not limited to--
    (a) Attendance in person or by paper correspondence, 
videoconference, satellite, Internet, or other electronic information 
and telecommunications technologies for students who are not physically 
present in the classroom; and
    (b) The period during which a person is working under a work-study 
program.

(Authority: 20 U.S.C. 1232g)

* * * * *
    Biometric record, as used in the definition of personally 
identifiable information, means a record of one or more measurable 
biological or behavioral characteristics that can be used for automated 
recognition of an individual. Examples include fingerprints; retina and 
iris patterns; voiceprints; DNA sequence; facial characteristics; and 
handwriting.

(Authority: 20 U.S.C. 1232g)

* * * * *
    Directory information means information contained in an education 
record of a student that would not generally be considered harmful or 
an invasion of privacy if disclosed.
    (a) Directory information includes, but is not limited to, the 
student's name; address; telephone listing; electronic mail address; 
photograph; date and place of birth; major field of study; grade level; 
enrollment status (e.g., undergraduate or graduate, full-time or 
part-time); dates of attendance; participation in officially recognized 
activities and sports; weight and height of members of athletic teams; 
degrees, honors and awards received; and the most recent educational 
agency or institution attended.
    (b) Directory information does not include a student's--
    (1) Social security number; or
    (2) Student identification (ID) number, except as provided in 
paragraph (c) of this section.
    (c) Directory information includes a student ID number, user ID, or 
other unique personal identifier used by the student for purposes of 
accessing or communicating in electronic systems, but only if the 
identifier cannot be used to gain access to education records except 
when used in conjunction with one or more factors that authenticate the 
user's identity, such as a personal identification number (PIN), 
password, or other factor known or possessed only by the authorized 
user.

(Authority: 20 U.S.C. 1232g(a)(5)(A))

* * * * *
    Disclosure means to permit access to or the release, transfer, or 
other communication of personally identifiable information contained in 
education records by any means, including oral, written, or electronic 
means, to any party except the party identified as the party that 
provided or created the record.

(Authority: 20 U.S.C. 1232g(b)(1) and (b)(2))

* * * * *
Education Records
* * * * *
    (b) * * *
    (5) Records created or received by an educational agency or 
institution after

[[Page 74852]]

an individual is no longer a student in attendance and that are not 
directly related to the individual's attendance as a student.
    (6) Grades on peer-graded papers before they are collected and 
recorded by a teacher.
* * * * *
Personally Identifiable Information
    The term includes, but is not limited to--
    (a) The student's name;
    (b) The name of the student's parent or other family members;
    (c) The address of the student or student's family;
    (d) A personal identifier, such as the student's social security 
number, student number, or biometric record;
    (e) Other indirect identifiers, such as the student's date of 
birth, place of birth, and mother's maiden name;
    (f) Other information that, alone or in combination, is linked or 
linkable to a specific student that would allow a reasonable person in 
the school community, who does not have personal knowledge of the 
relevant circumstances, to identify the student with reasonable 
certainty; or
    (g) Information requested by a person who the educational agency or 
institution reasonably believes knows the identity of the student to 
whom the education record relates.

(Authority: 20 U.S.C. 1232g)

* * * * *

4. Section 99.5 is amended by redesignating paragraph (a) as paragraph 
(a)(1) and adding a new paragraph (a)(2) to read as follows:


Sec.  99.5  What are the rights of students?

    (a)(1) * * *
    (2) Nothing in this section prevents an educational agency or 
institution from disclosing education records, or personally 
identifiable information from education records, to a parent without 
the prior written consent of an eligible student if the disclosure 
meets the conditions in Sec.  99.31(a)(8), Sec.  99.31(a)(10), Sec.  
99.31(a)(15), or any other provision in Sec.  99.31(a).
* * * * *

5. Section 99.31 is amended by:
A. Redesignating paragraph (a)(1) as paragraph (a)(1)(i)(A) and adding 
new paragraphs (a)(1)(i)(B) and (a)(1)(ii).
B. Revising paragraph (a)(2).
C. Redesignating paragraphs (a)(6)(iii) and (a)(6)(iv) as paragraphs 
(a)(6)(iv) and (a)(6)(v), respectively.
D. Revising paragraph (a)(6)(ii).
E. Adding a new paragraph (a)(6)(iii).
F. In paragraph (a)(9)(ii)(A), removing the word ``or'' after the 
punctuation ``;''.
G. In paragraph (a)(9)(ii)(B), removing the punctuation ``.'' and 
adding in its place the word ``;or''.
H. Adding paragraph (a)(9)(ii)(C).
I. Adding paragraph (a)(16).
J. Revising paragraph (b).
K. Adding paragraphs (c) and (d).
L. Revising the authority citation at the end of the section.
    The additions and revisions read as follows:


Sec.  99.31  Under what conditions is prior consent not required to 
disclose information?

    (a) * * *
    (1)(i)(A) * * *
    (B) A contractor, consultant, volunteer, or other party to whom an 
agency or institution has outsourced institutional services or 
functions may be considered a school official under this paragraph 
provided that the outside party--
    (1) Performs an institutional service or function for which the 
agency or institution would otherwise use employees;
    (2) Is under the direct control of the agency or institution with 
respect to the use and maintenance of education records; and
    (3) Is subject to the requirements of Sec.  99.33(a) governing the 
use and redisclosure of personally identifiable information from 
education records.
    (ii) An educational agency or institution must use reasonable 
methods to ensure that school officials obtain access to only those 
education records in which they have legitimate educational interests. 
An educational agency or institution that does not use physical or 
technological access controls must ensure that its administrative 
policy for controlling access to education records is effective and 
that it remains in compliance with the legitimate educational interest 
requirement in paragraph (a)(1)(i)(A) of this section.
    (2) The disclosure is, subject to the requirements of Sec.  99.34, 
to officials of another school, school system, or institution of 
postsecondary education where the student seeks or intends to enroll, 
or where the student is already enrolled so long as the disclosure is 
for purposes related to the student's enrollment or transfer.

    Note: Section 4155(b) of the No Child Left Behind Act of 2001, 
20 U.S.C. 7165(b), requires each State to assure the Secretary of 
Education that it has a procedure in place to facilitate the 
transfer of disciplinary records with respect to a suspension or 
expulsion of a student by a local educational agency to any private 
or public elementary or secondary school in which the student is 
subsequently enrolled or seeks, intends, or is instructed to enroll.

    (6)(i) * * *
    (ii) An educational agency or institution may disclose information 
under paragraph (a)(6)(i) of this section only if--
    (A) The study is conducted in a manner that does not permit 
personal identification of parents and students by individuals other 
than representatives of the organization that have legitimate interests 
in the information;
    (B) The information is destroyed when no longer needed for the 
purposes for which the study was conducted; and
    (C) The educational agency or institution enters into a written 
agreement with the organization that--
    (1) Specifies the purpose, scope, and duration of the study or 
studies and the information to be disclosed;
    (2) Requires the organization to use personally identifiable 
information from education records only to meet the purpose or purposes 
of the study as stated in the written agreement;
    (3) Requires the organization to conduct the study in a manner that 
does not permit personal identification of parents and students, as 
defined in this part, by anyone other than representatives of the 
organization with legitimate interests; and
    (4) Requires the organization to destroy or return to the 
educational agency or institution all personally identifiable 
information when the information is no longer needed for the purposes 
for which the study was conducted and specifies the time period in 
which the information must be returned or destroyed.
    (iii) An educational agency or institution is not required to 
initiate a study or agree with or endorse the conclusions or results of 
the study.
* * * * *
    (9) * * *
    (ii) * * *
    (C) An ex parte court order obtained by the United States Attorney 
General (or designee not lower than an Assistant Attorney General) 
concerning investigations or prosecutions of an offense listed in 18 
U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism 
as defined in 18 U.S.C. 2331.
* * * * *
    (16) The disclosure concerns sex offenders and other individuals 
required to register under section 170101 of the Violent Crime Control 
and Law Enforcement Act of 1994, 42 U.S.C. 14071, and the information 
was provided to the educational agency or institution under 42 U.S.C. 
14071 and applicable Federal guidelines.
    (b)(1) De-identified records and information. An educational agency 
or

[[Page 74853]]

institution, or a party that has received education records or 
information from education records under this part, may release the 
records or information without the consent required by Sec.  99.30 
after the removal of all personally identifiable information provided 
that the educational agency or institution or other party has made a 
reasonable determination that a student's identity is not personally 
identifiable, whether through single or multiple releases, and taking 
into account other reasonably available information.
    (2) An educational agency or institution, or a party that has 
received education records or information from education records under 
this part, may release de-identified student level data from education 
records for the purpose of education research by attaching a code to 
each record that may allow the recipient to match information received 
from the same source, provided that--
    (i) An educational agency or institution or other party that 
releases de-identified data under paragraph (b)(2) of this section does 
not disclose any information about how it generates and assigns a 
record code, or that would allow a recipient to identify a student 
based on a record code;
    (ii) The record code is used for no purpose other than identifying 
a de-identified record for purposes of education research and cannot be 
used to ascertain personally identifiable information about a student; 
and
    (iii) The record code is not based on a student's social security 
number or other personal information.
    (c) An educational agency or institution must use reasonable 
methods to identify and authenticate the identity of parents, students, 
school officials, and any other parties to whom the agency or 
institution discloses personally identifiable information from 
education records.
    (d) Paragraphs (a) and (b) of this section do not require an 
educational agency or institution or any other party to disclose 
education records or information from education records to any party.

(Authority: 20 U.S.C. 1232g(a)(5)(A), (b), (h), (i), and (j)).



6. Section 99.32 is amended by:
A. Revising paragraph (a)(1).
B. Adding new paragraphs (a)(4) and (a)(5).
C. Redesignating paragraphs (b)(1) and (b)(2) as paragraphs (b)(1)(i) 
and (b)(1)(ii) and redesignating paragraph (b), introductory text, as 
paragraph (b)(1).
D. Revising newly redesignated paragraph (b)(1).
E. Adding a new paragraph (b)(2).
F. Revising paragraph (d)(5).
    The additions and revisions read as follows:


Sec.  99.32  What recordkeeping requirements exist concerning requests 
and disclosures?

    (a)(1) An educational agency or institution must maintain a record 
of each request for access to and each disclosure of personally 
identifiable information from the education records of each student, as 
well as the names of State and local educational authorities and 
Federal officials and agencies listed in Sec.  99.31(a)(3) that may 
make further disclosures of personally identifiable information from 
the student's education records without consent under Sec.  99.33(b).
* * * * *
    (4) An educational agency or institution must obtain a copy of the 
record of further disclosures maintained under paragraph (b)(2) of this 
section and make it available in response to a parent's or eligible 
student's request to review the record required under paragraph (a)(1) 
of this section.
    (5) An educational agency or institution must record the following 
information when it discloses personally identifiable information from 
education records under the health or safety emergency exception in 
Sec.  99.31(a)(10) and Sec.  99.36:
    (i) The articulable and significant threat to the health or safety 
of a student or other individuals that formed the basis for the 
disclosure; and
    (ii) The parties to whom the agency or institution disclosed the 
information.
    (b)(1) Except as provided in paragraph (b)(2) of this section, if 
an educational agency or institution discloses personally identifiable 
information from education records with the understanding authorized 
under Sec.  99.33(b), the record of the disclosure required under this 
section must include:
* * * * *
    (2)(i) A State or local educational authority or Federal official 
or agency listed in Sec.  99.31(a)(3) that makes further disclosures of 
information from education records under Sec.  99.33(b) must record the 
names of the additional parties to which it discloses information on 
behalf of an educational agency or institution and their legitimate 
interests in the information under Sec.  99.31 if the information was 
received from:
    (A) An educational agency or institution that has not recorded the 
further disclosures under paragraph (b)(1) of this section; or
    (B) Another State or local educational authority or Federal 
official or agency listed in Sec.  99.31(a)(3).
    (ii) A State or local educational authority or Federal official or 
agency that records further disclosures of information under paragraph 
(b)(2)(i) of this section may maintain the record by the student's 
class, school, district, or other appropriate grouping rather than by 
the name of the student.
    (iii) Upon request of an educational agency or institution, a State 
or local educational authority or Federal official or agency listed in 
Sec.  99.31(a)(3) that maintains a record of further disclosures under 
paragraph (b)(2)(i) of this section must provide a copy of the record 
of further disclosures to the educational agency or institution within 
a reasonable period of time not to exceed 30 days.
* * * * *
    (d) * * *
    (5) A party seeking or receiving records in accordance with Sec.  
99.31(a)(9)(ii)(A) through (C).
* * * * *

7. Section 99.33 is amended by revising paragraphs (b), (c), (d), and 
(e) to read as follows:
* * * * *


Sec.  99.33  What limitations apply to the redisclosure of information?

* * * * *
    (b)(1) Paragraph (a) of this section does not prevent an 
educational agency or institution from disclosing personally 
identifiable information with the understanding that the party 
receiving the information may make further disclosures of the 
information on behalf of the educational agency or institution if--
    (i) The disclosures meet the requirements of Sec.  99.31; and
    (ii)(A) The educational agency or institution has complied with the 
requirements of Sec.  99.32(b); or
    (B) A State or local educational authority or Federal official or 
agency listed in Sec.  99.31(a)(3) has complied with the requirements 
of Sec.  99.32(b)(2).
    (2) A party that receives a court order or lawfully issued subpoena 
and rediscloses personally identifiable information from education 
records on behalf of an educational agency or institution in response 
to that order or subpoena under Sec.  99.31(a)(9) must provide the 
notification required under Sec.  99.31(a)(9)(ii).
    (c) Paragraph (a) of this section does not apply to disclosures 
under Sec. Sec.  99.31(a)(8), (9), (11), (12), (14), (15), and (16), 
and to information that postsecondary institutions are required

[[Page 74854]]

to disclose under the Jeanne Clery Disclosure of Campus Security Policy 
and Campus Crime Statistics Act, 20 U.S.C. 1092(f) (Clery Act), to the 
accuser and accused regarding the outcome of any campus disciplinary 
proceeding brought alleging a sexual offense.
    (d) An educational agency or institution must inform a party to 
whom disclosure is made of the requirements of paragraph (a) of this 
section except for disclosures made under Sec. Sec.  99.31(a)(8), (9), 
(11), (12), (14), (15), and (16), and to information that postsecondary 
institutions are required to disclose under the Clery Act to the 
accuser and accused regarding the outcome of any campus disciplinary 
proceeding brought alleging a sexual offense.
    (e) If this Office determines that a third party outside the 
educational agency or institution improperly rediscloses personally 
identifiable information from education records in violation of this 
section, or fails to provide the notification required under paragraph 
(b)(2) of this section, the educational agency or institution may not 
allow that third party access to personally identifiable information 
from education records for at least five years.
* * * * *

8. Section 99.34 is amended by revising paragraph (a)(1)(ii) to read as 
follows:


Sec.  99.34  What conditions apply to disclosure of information to 
other educational agencies and institutions?

    (a) * * *
    (1) * * *
    (ii) The annual notification of the agency or institution under 
Sec.  99.7 includes a notice that the agency or institution forwards 
education records to other agencies or institutions that have requested 
the records and in which the student seeks or intends to enroll or is 
already enrolled so long as the disclosure is for purposes related to 
the student's enrollment or transfer;
* * * * *

9. Section 99.35 is amended by revising paragraphs (a) and (b)(1) to 
read as follows:


Sec.  99.35  What conditions apply to disclosure of information for 
Federal or State program purposes?

    (a)(1) Authorized representatives of the officials or agencies 
headed by officials listed in Sec.  99.31(a)(3) may have access to 
education records in connection with an audit or evaluation of Federal 
or State supported education programs, or for the enforcement of or 
compliance with Federal legal requirements that relate to those 
programs.
    (2) Authority for an agency or official listed in Sec.  99.31(a)(3) 
to conduct an audit, evaluation, or compliance or enforcement activity 
is not conferred by the Act or this part and must be established under 
other Federal, State, or local authority.
    (b) * * *
    (1) Be protected in a manner that does not permit personal 
identification of individuals by anyone other than the officials or 
agencies headed by officials referred to in paragraph (a) of this 
section, except that those officials and agencies may make further 
disclosures of personally identifiable information from education 
records on behalf of the educational agency or institution in 
accordance with the requirements of Sec.  99.33(b); and
* * * * *

10. Section 99.36 is amended by revising paragraphs (a) and (c) to read 
as follows:


Sec.  99.36  What conditions apply to disclosure of information in 
health and safety emergencies?

    (a) An educational agency or institution may disclose personally 
identifiable information from an education record to appropriate 
parties, including parents of an eligible student, in connection with 
an emergency if knowledge of the information is necessary to protect 
the health or safety of the student or other individuals.
* * * * *
    (c) In making a determination under paragraph (a) of this section, 
an educational agency or institution may take into account the totality 
of the circumstances pertaining to a threat to the health or safety of 
a student or other individuals. If the educational agency or 
institution determines that there is an articulable and significant 
threat to the health or safety of a student or other individuals, it 
may disclose information from education records to any person whose 
knowledge of the information is necessary to protect the health or 
safety of the student or other individuals. If, based on the 
information available at the time of the determination, there is a 
rational basis for the determination, the Department will not 
substitute its judgment for that of the educational agency or 
institution in evaluating the circumstances and making its 
determination.
* * * * *
11. Section 99.37 is amended by:
A. Revising paragraph (b).
B. Adding new paragraphs (c) and (d).
    The revision and additions read as follows:


Sec.  99.37  What conditions apply to disclosing directory information?

* * * * *
    (b) An educational agency or institution may disclose directory 
information about former students without complying with the notice and 
opt out conditions in paragraph (a) of this section. However, the 
agency or institution must continue to honor any valid request to opt 
out of the disclosure of directory information made while a student was 
in attendance unless the student rescinds the opt out request.
    (c) A parent or eligible student may not use the right under 
paragraph (a)(2) of this section to opt out of directory information 
disclosures to prevent an educational agency or institution from 
disclosing or requiring a student to disclose the student's name, 
identifier, or institutional e-mail address in a class in which the 
student is enrolled.
    (d) An educational agency or institution may not disclose or 
confirm directory information without meeting the written consent 
requirements in Sec.  99.30 if a student's social security number or 
other non-directory information is used alone or combined with other 
data elements to identify or help identify the student or the student's 
records.
* * * * *

12. Section 99.62 is revised to read as follows:


Sec.  99.62  What information must an educational agency or institution 
submit to the Office?

    The Office may require an educational agency or institution to 
submit reports, information on policies and procedures, annual 
notifications, training materials, and other information necessary to 
carry out its enforcement responsibilities under the Act or this part.

(Authority: 20 U.S.C. 1232g(f) and (g))

Sec.  99.63  [Amended]

13. Section 99.63 is amended by removing the mail code designation 
``4605'' before the punctuation ``.''

14. Section 99.64 is amended by:
A. Revising the section heading.
B. Revising paragraphs (a) and (b).
    The revisions read as follows:


Sec.  99.64  What is the investigation procedure?

    (a) A complaint must contain specific allegations of fact giving 
reasonable cause to believe that a violation of the Act or this part 
has occurred. A complaint does not have to allege that a violation is 
based on a policy or practice of the educational agency or institution.

[[Page 74855]]

    (b) The Office investigates a timely complaint filed by a parent or 
eligible student, or conducts its own investigation when no complaint 
has been filed or a complaint has been withdrawn, to determine whether 
an educational agency or institution has failed to comply with a 
provision of the Act or this part. If the Office determines that an 
educational agency or institution has failed to comply with a provision 
of the Act or this part, it may also determine whether the failure to 
comply is based on a policy or practice of the agency or institution.
* * * * *

15. Section 99.65 is revised to read as follows:


Sec.  99.65  What is the content of the notice of investigation issued 
by the Office?

    (a) The Office notifies the complainant, if any, and the 
educational agency or institution in writing if it initiates an 
investigation under Sec.  99.64(b). The notice to the educational 
agency or institution--
    (1) Includes the substance of the allegations against the 
educational agency or institution; and
    (2) Directs the agency or institution to submit a written response 
and other relevant information, as set forth in Sec.  99.62, within a 
specified period of time, including information about its policies and 
practices regarding education records.
    (b) The Office notifies the complainant if it does not initiate an 
investigation because the complaint fails to meet the requirements of 
Sec.  99.64.

(Authority: 20 U.S.C. 1232g(g))



16. Section 99.66 is amended by revising paragraphs (a), (b), and the 
introductory text of paragraph (c) to read as follows:


Sec.  99.66  What are the responsibilities of the Office in the 
enforcement process?

    (a) The Office reviews a complaint, if any, information submitted 
by the educational agency or institution, and any other relevant 
information. The Office may permit the parties to submit further 
written or oral arguments or information.
    (b) Following its investigation, the Office provides to the 
complainant, if any, and the educational agency or institution a 
written notice of its findings and the basis for its findings.
    (c) If the Office finds that an educational agency or institution 
has not complied with a provision of the Act or this part, it may also 
find that the failure to comply was based on a policy or practice of 
the agency or institution. A notice of findings issued under paragraph 
(b) of this section to an educational agency or institution that has 
not complied with a provision of the Act or this part--
* * * * *

17. Section 99.67 is amended by revising paragraph (a) to read as 
follows:


Sec.  99.67  How does the Secretary enforce decisions?

    (a) If an educational agency or institution does not comply during 
the period of time set under Sec.  99.66(c), the Secretary may take any 
legally available enforcement action in accordance with the Act, 
including, but not limited to, the following enforcement actions 
available in accordance with part E of the General Education Provisions 
Act--
* * * * *
 [FR Doc. E8-28864 Filed 12-8-08; 8:45 am]

BILLING CODE 4000-01-P