|
Publication Date: March 24, 2008 FRPart: Page Numbers: 15573-15602 Summary: FERPA; Notice of Proposed Rulemaking Posted on 03-24-2008 [Federal Register: March 24, 2008 (Volume 73, Number 57)] [Proposed Rules] [Page 15573-15602] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr24mr08-20] ----------------------------------------------------------------------- Part II Department of Education ----------------------------------------------------------------------- 34 CFR Part 99 Family Educational Rights and Privacy; Proposed Rule ----------------------------------------------------------------------- DEPARTMENT OF EDUCATION 34 CFR Part 99 RIN 1855-AA05 [Docket ID ED-2008-OPEPD-0002] Family Educational Rights and Privacy AGENCY: Office of Planning, Evaluation, and Policy Development, Department of Education. ACTION: Notice of proposed rulemaking. ----------------------------------------------------------------------- SUMMARY: The Secretary proposes to amend the regulations governing education records maintained by educational agencies and institutions under section 444 of the General Education Provisions Act, which is also known as the Family Educational Rights and Privacy Act of 1974, as amended (FERPA). These proposed regulations are needed to implement amendments to FERPA contained in the USA Patriot Act and the Campus Sex Crimes Prevention Act, to implement two U.S. Supreme Court decisions interpreting FERPA, and to make necessary changes identified as a result of the Department's experience administering FERPA and current regulations. These changes would clarify permissible disclosures to parents of eligible students and conditions that apply to disclosures in health and safety emergencies; clarify permissible disclosures of student identifiers as directory information; allow disclosures to contractors and other outside parties in connection with the outsourcing of institutional services and functions; revise the definitions of attendance, disclosure, education records, personally identifiable information, and other key terms; clarify permissible redisclosures by State and Federal officials; and update investigation and enforcement provisions. DATES: We must receive your comments on or before May 8, 2008. ADDRESSES: Submit your comments through the Federal eRulemaking Portal or via postal mail, commercial delivery, or hand delivery. We will not accept comments by fax or by e-mail. Please submit your comments only one time, in order to ensure that we do not receive duplicate copies. In addition, please include the Docket ID at the top of your comments. Federal eRulemaking Portal: Go to http://www.regulations.gov. Under ``Search Documents'' go to ``Optional Step 2'' and select ``Department of Education'' from the agency drop-down menu; then click ``Submit.'' In the Docket ID column, select ED-2008-OPEPD-0002 to add or view public comments and to view supporting and related materials available electronically. Information on using Regulations.gov, including instructions for submitting comments, accessing documents, and viewing the docket after the close of the comment period, is available through the site's ``User Tips'' link. Postal Mail, Commercial Delivery, or Hand Delivery. If you mail or deliver your comments about these proposed regulations, address them to LeRoy S. Rooker, U.S. Department of Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 20202-5920. Privacy Note: The Department's policy for comments received from members of the public (including those comments submitted by mail, commercial delivery, or hand delivery) is to make these submissions available for public viewing in their entirety on the Federal eRulemaking Portal at http://www.regulations.gov. Therefore, commenters should be careful to include in their comments only information that they wish to make publicly available on the Internet. FOR FURTHER INFORMATION CONTACT: Frances Moran, U.S. Department of Education, 400 Maryland Avenue, SW., room 6W243, Washington, DC 20202- 8250. Telephone: (202) 260-3887. If you use a telecommunications device for the deaf (TDD), you may call the Federal Relay Service (FRS) at 1-800-877-8339. Individuals with disabilities may obtain this document in an alternative format (e.g., Braille, large print, audiotape, or computer diskette) on request to the contact person listed under FOR FURTHER INFORMATION CONTACT. Invitation To Comment We invite you to submit comments and recommendations regarding these proposed regulations. To ensure that your comments have maximum effect in developing the final regulations, we urge you to identify clearly the specific section or sections of the proposed regulations that each of your comments addresses and to arrange your comments in the same order as the proposed regulations. We invite you to assist us in complying with the specific requirements of Executive Order 12866 and its overall requirement of reducing regulatory burden that might result from these proposed regulations. Please let us know of any further opportunities we should take to reduce potential costs or increase potential benefits while preserving the effective and efficient administration of the program. During and after the comment period, you may inspect all public comments about these proposed regulations in room 6W243, 400 Maryland Avenue, SW., Washington, DC, between the hours of 8:30 a.m. and 4 p.m. Eastern time, Monday through Friday of each week except Federal holidays. Public comments may also be inspected at www.regulations.gov. Assistance to Individuals With Disabilities in Reviewing the Rulemaking Record On request, we will supply an appropriate aid to an individual with a disability who needs assistance to review the comments or other documents in the public rulemaking record for these proposed regulations. If you want to schedule an appointment for this type of aid, please contact the person listed under FOR FURTHER INFORMATION CONTACT. Background These proposed regulations would implement section 507 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot Act) of 2001 (Pub. L. 107-56), enacted Oct. 26, 2001, and the Campus Sex Crimes Prevention Act, section 1601(d) of the Victims of Trafficking and Violence Protection Act of 2000 (Pub. L. 106-386), enacted Oct. 28, 2000, both of which amended FERPA. The proposed regulations also would implement the U.S. Supreme Court's decisions in Owasso Independent School Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002) (Owasso) and Gonzaga University v. Doe, 536 U.S. 273 (2002) (Gonzaga). Finally, the proposed regulations respond to changes in information technology and address other issues identified through the Department's experience administering FERPA, including the need to clarify how postsecondary institutions may share information with parents and other parties in light of the tragic events at Virginia Tech in April 2007. The Department has developed these proposed regulations in accordance with its ``Principles for Regulating,'' which are intended to ensure that the Department regulates in the most flexible, equitable, and least burdensome way possible. These proposed regulations seek to provide the greatest flexibility to State and local governments and schools while ensuring that personally identifiable information about students remains protected from unauthorized disclosure. Technical Corrections The proposed regulations correct Sec. 99.33(e) by adding the statutory [[Page 15575]] language ``outside the educational agency or institution'' after the words ``third party'' in the first sentence. They also correct an error in the section number cited in Sec. 99.34(a)(1)(ii). Significant Proposed Regulations We discuss substantive issues under the sections of the proposed regulations to which they pertain. Generally, we do not address proposed regulatory provisions that are technical or otherwise minor in effect. 1. Definitions (Sec. 99.3) Attendance Statute: 20 U.S.C. 1232g(a)(6) defines the term student as any person with respect to whom an educational agency or institution maintains education records or personally identifiable information but does not include a person who has not been in attendance at such agency or institution. The statute does not define attendance. Current Regulations: As defined in the current regulations, the term attendance includes attendance in person or by correspondence, and the period during which a person is working under a work-study program. The current definition does not address the status of distance learners who are taught through the use of electronic information and telecommunications technologies. Proposed Regulations: The proposed regulations in Sec. 99.3 would add attendance by videoconference, satellite, Internet, or other electronic information and telecommunications technologies for students who are not physically present in the classroom. Reasons: The proposed regulations are needed to clarify that students who are not physically present in the classroom may attend an educational agency or institution not only through traditional correspondence courses but through advanced electronic information and telecommunications technologies used for distance education, such as videoconferencing, satellite, and Internet-based communications. Directory Information Statute: 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2) allows disclosure without consent of information such as a student's name and address, telephone listing, date and place of birth, major field of study, etc., defined as directory information, provided that specified notice and opt out conditions have been met. Current Regulations: Directory information is defined in Sec. 99.3 as information contained in an education record of a student that would not generally be considered harmful or an invasion of privacy if disclosed, and includes information listed in FERPA (e.g., a student's name and address, telephone listing) as well as other information, such as a student's electronic mail (e-mail) address, enrollment status, and photograph. Current regulations do not specify whether a student's Social Security Number (SSN), official student identification (ID) number, or personal identifier for use in electronic systems may be designated and disclosed as directory information. Proposed Regulations: The proposed regulations would provide that an educational agency or institution may not designate as directory information a student's SSN or other student ID number. However, directory information may include a student's user ID or other unique identifier used by the student to access or communicate in electronic systems, but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student. Reasons: SSNs and other student ID numbers are personal identifiers that are typically used for identification purposes in order to establish an account, gain access to or confirm private information, obtain services, etc. The proposed regulations are needed to ensure that educational agencies and institutions do not disclose these identifiers as directory information, or include them with other personally identifiable information that may be disclosed as directory information, because SSNs and other student ID numbers can be used to impersonate the owner of the number and obtain information or services by fraud. The proposed regulations are also needed to clarify that unique personal identifiers used for electronic communications may be disclosed as directory information under certain conditions. Names and addresses are personal identifiers (and personally identifiable information under Sec. 99.3) that have always been available for disclosure as directory information under FERPA because they are generally known to others and often appear in public directories outside the school context. (It is precisely because names and addresses are widely available that they may not be used to authenticate identity, as discussed below in connection with proposed Sec. 99.31(c).) SSNs and other student ID numbers are also personal identifiers and personally identifiable information under Sec. 99.3. Unlike names and addresses, SSNs and other student ID numbers are typically used to obtain a variety of non-public information about an individual, such as employment, credit, financial, health, motor vehicle, and educational information, that would be harmful or an invasion of privacy if disclosed. An SSN or other student ID number can also be used in conjunction with commonly available information, such as name, address, and date of birth, to establish fraudulent accounts and otherwise impersonate an individual. As a result, under the proposed regulations, SSNs and other student ID numbers may not be designated and disclosed as directory information. Educational agencies and institutions have reported to us that in addition to needing a traditional student ID number (or SSN used as a student ID number), they need to identify or assign to students a unique electronic identifier that can be made available publicly. (Names are generally not appropriate for these purposes because they may not be unique to the population.) Unique electronic identifiers are needed, for example, for students to be able to use portals or single sign-on approaches to student information systems that provide access to class registration, academic records, library resources, and other student services. Much of the directory-based software used for these systems, as well as protocols for electronic collaboration by students and teachers within and among institutions, essentially cannot function without making an individual's user ID or other electronic identifier publicly available in these kinds of systems. Some systems, for example, require users to log on with their e- mail address or other published user name or account ID. (Note that a student's e-mail address was added to the regulatory definition of directory information in the final regulations published on July 6, 2000 (65 FR 41852, 41855). Public key infrastructure (PKI) technology for encryption and digital signatures also requires wide dissemination of the sender's public key. These are the types of circumstances in which educational agencies and institutions may need to publish or disclose a student's unique electronic identifier. The proposed regulations would permit disclosure of a student's user ID or other electronic identifier as directory information, but only if the identifier functions essentially as a name; that is, the identifier is not used by itself to authenticate identity and cannot be [[Page 15576]] used by itself to gain access to education records. A unique electronic identifier disclosed as directory information may be used to provide access to the student's education records, but only when combined with other factors known only to the authorized user (student, parent, or school official), such as a secret password or PIN, or some other method to authenticate the user's identity and ensure that the user is, in fact, a person authorized to access the records. Note that eligible students and parents have a right under FERPA to opt out of directory information disclosures and refuse to allow the student's e-mail address, user ID or other electronic identifier disclosed as directory information (except as provided in proposed Sec. 99.37(c), discussed elsewhere in this document). This is similar to a decision not to participate in an institution's paper-based student directory, yearbook, commencement program, etc. In these cases, the student or parent will not be able to take advantage of the services, such as portals for class registration, academic records, etc., provided solely through the electronic communications or software that require public disclosure of the student's unique electronic identifier. Disclosure Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provides that an educational agency or institution subject to FERPA may not have a policy or practice of releasing, permitting the release of, or providing access to personally identifiable information from education records without prior written consent. Current Regulations: The regulations in Sec. 99.3 define the term disclosure to mean permitting access to or the release, transfer, or other communication of personally identifiable information from education records to any party by any means. The regulations do not address issues relating to the return of records to the party that provided or created them. Proposed Regulations: The proposed regulations would exclude from the definition of disclosure the release or return of an education record, or personally identifiable information from an education record, to the party identified as the party that provided or created the record. This would allow an educational agency or institution (School B) to send a transcript, letter of recommendation, or other record that appears to have been falsified back to the institution or school official identified as the creator or sender of the record (School A) for confirmation of its status as an authentic record. School A may confirm or deny that the record is accurate and send the correct version back to School B under Sec. 99.31(a)(2), which allows an institution to disclose education records without prior written consent to an institution in which the student seeks or intends to enroll, or is already enrolled. The proposed regulations would also permit a State or local educational authority or other entity to redisclose education records or personally identifiable information from education records, without consent, to the school district, institution, or other party that provided the records or information. Reasons: School officials have reported to the Department that they are receiving with more frequency what appear to be falsified transcripts, letters of recommendation, and other information about students from educational agencies and institutions. The proposed amendment is needed to verify the accuracy of this type of information and to ensure that the privacy protections in FERPA are not used to shield or prevent detection of fraud. Several State educational agencies (SEAs) that maintain consolidated student records systems have also expressed uncertainty whether they may allow a local school district to obtain access to personally identifiable information from education records provided to the SEA by that district. The amendment is needed to clarify that SEAs and other parties that maintain education records provided by school districts and other educational agencies and institutions may allow a party to obtain access to the specific records and information that the party provided to the consolidated student records system. Education Records Statute: 20 U.S.C. 1232g(a)(4) provides a broad, general definition of education records that includes all records that are directly related to a student and maintained by an educational agency or institution. Student, in turn, is defined in 20 U.S.C. 1232g(a)(6) to exclude individuals who have not been in attendance at the agency or institution. Current Regulations: The definition of education records in Sec. 99.3 excludes records that only contain information about an individual after he or she is no longer a student. Proposed Regulations: The proposed regulations would clarify that, with respect to former students, the term education records excludes records that are created or received by the educational agency or institution after an individual is no longer a student in attendance and are not directly related to the individual's attendance as a student. Reasons: Institutions have told us that there is some confusion about the provision in the definition of education records that excludes certain alumni records from the definition. Some schools have mistakenly interpreted this provision to mean that any record created or received after a student is no longer enrolled is not an education record under FERPA. The proposed regulations are needed to clarify that the exclusion is intended to cover records that concern an individual or events that occur after the individual is no longer a student in attendance, such as alumni activities. The exclusion is not intended to cover records that are created and matters that occur after an individual is no longer in attendance but that are directly related to his or her previous attendance as a student, such as a settlement agreement that concerns matters that arose while the individual was in attendance as a student. Statute: The statute does not address peer-grading practices in relation to FERPA requirements. Current Regulations: The definition of education records includes records that are maintained by an educational agency or institution, or a party acting for the educational agency or institution, but does not provide any guidance on the status of student-graded tests and assignments before they have been collected and recorded by a teacher. Proposed Regulations: Proposed regulations in Sec. 99.3 would clarify that peer-graded papers that have not been collected and recorded by a teacher are not considered maintained by an educational agency or institution and, therefore, are not education records under FERPA. Reasons: The proposed regulations are needed to implement the U.S. Supreme Court's decision on peer-graded papers in Owasso. ``Peer- grading'' refers to a common educational practice in which students exchange and grade one another's papers and then either call out the grade or turn in the work to the teacher for recordation. In Owasso, the Court held that this practice does not violate FERPA because ``the grades on students' papers would not be covered under FERPA at least until the teacher has collected them and recorded them in his or her grade book.'' Owasso, 534 U.S. at 436. [[Page 15577]] Personally Identifiable Information Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an educational agency or institution may not have a policy or practice of permitting the release of or providing access to education records or any personally identifiable information other than directory information in education records without prior written consent except in accordance with statutory exceptions. Current Regulations: The term personally identifiable information is defined in Sec. 99.3 to include the student's name and other personal identifiers, such as the student's social security number or student number. Current regulations also include indirect identifiers, such as the name of the student's parent or other family members; the address of the student or the student's family; and personal characteristics or other information that would make the student's identity easily traceable. Proposed Regulations: The proposed regulations would add biometric record to the list of personal identifiers and add other indirect identifiers, such as date and place of birth and mother's maiden name, to the list of personally identifiable information. The regulations would remove language about personal characteristics and other information that would make the student's identity easily traceable and provide instead that personally identifiable information includes other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty. Personally identifiable information would also include information requested by a person who the educational agency or institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates. Reasons: See the discussion of proposed regulations adding a new Sec. 99.31(b) for de-identified education records elsewhere in this document. State Auditor Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) allows an educational agency or institution to disclose personally identifiable information from education records, without prior written consent, to State and local educational authorities and officials for the audit or evaluation of Federal or State supported education programs, or for the enforcement of or compliance with Federal legal requirements that relate to those programs. Current Regulations: The current regulations do not address the disclosure of education records to State auditors. Proposed Regulations: The proposed regulations in Sec. 99.3 would define State auditor as a party under any branch of government with authority and responsibility under State law for conducting audits. We propose to add a new paragraph (a)(2) to Sec. 99.35 to clarify that State auditors that are not State or local educational authorities may have access to education records in connection with an audit of Federal or State supported education programs. Reasons: 20 U.S.C. 1232g(b)(3) (section (b)(3) of the statute) allows disclosure of education records without consent to ``State educational authorities'' for audit and evaluation purposes. According to the legislative history of FERPA, section (b)(5) of the statute, which allows disclosure of education records without consent to ``State and local educational officials'' for audit and evaluation purposes, was added in 1979 to ``correct an anomaly'' in which the existing exception in section (b)(3) was interpreted to preclude State auditors from obtaining records in order to conduct State audits of local and State-supported programs. See H.R. Rep. No. 338, 96th Cong., 1st Sess. at 10 (1979), reprinted in 1979 U.S. Code Cong. & Admin. News 819, 824. The amended statutory language in section (b)(5) is ambiguous, however, because it does not actually mention State auditors and, like section (b)(3), refers only to educational officials. Over the years several States have questioned whether this exception includes audits conducted by legislative branch officials and other parties that may not be considered educational authorities or officials. The regulations are needed to clarify that State auditors may receive personally identifiable information from education records, without prior written consent, even if they are not considered State or local educational authorities or officials, provided that they are auditing a Federal or State supported education program. We are interested in receiving comments about whether the definition needs to cover local auditors as well. The exception for disclosure of education records to State auditors is narrowly limited to audits (defined in proposed Sec. 99.35 as testing compliance with applicable laws, regulations, and standards) and does not include the broader concept of evaluations, for which disclosure of education records remains limited to educational authorities or officials. 2. Disclosures to Parents of Eligible Students (Sec. Sec. 99.5, 99.36) Section 99.5(a) (Rights of Students) Statute: 20 U.S.C. 1232g(d) provides that once a student reaches 18 years of age or attends a postsecondary institution, all rights accorded to parents under FERPA, and the consent required to disclose education records, transfer from the parents to the student. Under 20 U.S.C. 1232g(b)(1)(H), an educational agency or institution may disclose personally identifiable information from an education record without meeting FERPA's written consent requirement to parents of a dependent student as defined in 26 U.S.C. 152. Under 20 U.S.C. 1232g(i), an institution of higher education may disclose personally identifiable information from an education record, without meeting FERPA's written consent requirement, to a parent or legal guardian of a student information regarding the student's violation of any Federal, State or local law, or any rule or policy of the institution governing the use or possession of alcohol or a controlled substance if the student is under the age of 21 and the institution determines that the student has committed a disciplinary violation with respect to such use or possession. Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or institution may disclose personally identifiable information from an education record, without meeting FERPA's written consent requirement, to appropriate persons in connection with an emergency if the knowledge of such information is necessary to protect the health or safety of the student or other persons. Current Regulations: Section 99.3 defines an eligible student as a student who has reached 18 years of age or attends a postsecondary institution. Section 99.5(a) states that rights accorded to parents, and consent required of parents, to disclose education records under FERPA transfer from parents to a student when the student meets the definition of an eligible student. Section 99.31(a)(8) provides that an educational agency or institution may disclose personally identifiable information from education records without consent to parents of a dependent student as defined in section 152 of the Internal Revenue Code of 1986. Under Sec. 99.31(a)(15) written consent is not required, regardless of dependency status, to disclose to a [[Page 15578]] parent of a student at an institution of postsecondary education information regarding the student's violation of any Federal, State or local law, or of any rule or policy of the institution, governing the use or possession of alcohol or a controlled substance if the institution determines that the student has committed a disciplinary violation with respect to that use or possession and the student is under the age of 21 at the time of the disclosure to the parent. Section 99.31(a)(10) provides that an educational agency or institution may disclose personally identifiable information from education records without consent if the disclosure is in connection with a health or safety emergency under the conditions described in Sec. 99.36. Section 99.36 provides that an educational agency or institution may disclose personally identifiable information from an education record to appropriate parties in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals. Proposed Regulations: The proposed regulations in Sec. 99.5 clarify that even after a student has become an eligible student, an educational agency or institution may disclose education records to the student's parents, without the consent of the eligible student, if the student is a dependent for Federal income tax purposes (Sec. 99.31(a)(8)); in connection with a health or safety emergency (Sec. 99.31(a)(10)); if the student is under the age of 21 and has violated an institutional rule or policy governing the use or possession of alcohol or a controlled substance (Sec. 99.31(a)(15)); and if the disclosure falls within any other exception to the consent requirement in Sec. 99.31(a) of the regulations, such as the disclosure of directory information or in compliance with a court order or lawfully issued subpoena. The proposed regulations in Sec. 99.36(a) would clarify that an eligible student's parents are appropriate parties to whom an educational agency or institution may disclose personally identifiable information from education records without consent in a health or safety emergency. Reasons: The Secretary is concerned that some institutions are under the mistaken impression that FERPA prevents them from providing parents with any information about a college student. The proposed regulations are needed to clarify that FERPA contains exceptions to the written consent requirement that permit colleges and other educational agencies and institutions to disclose personally identifiable information from education records to parents of certain eligible students whether or not the student consents. Section 99.31(a)(8) permits an educational agency or institution to disclose education records, without consent, to either parent if at least one of the parents has claimed the student as a dependent on the parent's most recent tax return. Because many college students (and 18- year-old high school students) are tax dependents of their parents, this provision allows these institutions to disclose information from education records to the students' parents without meeting the written consent requirements in Sec. 99.30. (Institutions must first determine that a parent has claimed the student as a dependent on the parent's Federal income tax return. Institutions can determine that a parent claimed a student as a dependent by asking the parent to submit a copy of the parent's most recent Federal tax return. Institutions can also rely on a student's assertion that he or she is not a dependent unless the parent provides contrary evidence.) The proposed regulations are also needed to clarify that colleges and other institutions may disclose information from education records to an eligible student's parents, without consent, under Sec. 99.31(a)(15) if the institution has determined that the student has violated Federal, State, or local law or an institution's rules or policies governing alcohol or substance abuse (provided the student is under 21 years of age), and in connection with a health or safety emergency under Sec. Sec. 99.31(a)(10) and 99.36 (regardless of the student's age) if the information is needed to protect the health or safety of the student or other individuals. These exceptions apply whether or not the student is a dependent of a parent for tax purposes. These proposed regulations would clarify the Department's policy with respect to an agency's or institution's disclosure of information from education records to parents under the health and safety emergency exception and do not represent a change in the Department's interpretation of who may qualify as an appropriate party under the health or safety emergency exception to the consent requirement. While institutions may choose to follow a policy of not disclosing education records to parents of eligible students in these circumstances, FERPA does not mandate such a policy. 3. Authorized Disclosure of Education Records Without Prior Written Consent (Sec. 99.31) Section 99.31(a)(1) (School Officials) Outsourcing Statute: 20 U.S.C. 1232g(a)(4)(A) defines education records to include records maintained by an educational agency or institution or by ``a person acting for'' the agency or institution. Under 20 U.S.C. 1232g(b)(1)(A), an educational agency or institution may allow teachers and other school officials within the institution or agency, without prior written consent, to obtain access to education records if the institution or agency has determined that they have legitimate educational interests in the information. Current Regulations: Section 99.31(a)(1) allows disclosure of personally identifiable information from education records without consent to school officials, including teachers, within the agency or institution if the educational agency or institution has determined that they have legitimate educational interests in the information. An educational agency or institution that discloses information under this exception must specify in its annual notification of FERPA rights under Sec. 99.7(a)(3)(iii) the criteria it uses to determine who constitutes a school official and what constitutes legitimate educational interests. The recordkeeping requirements in Sec. 99.32(d) do not apply to disclosures to school officials with legitimate educational interests. Current regulations do not address disclosure of education records without consent to contractors, consultants, volunteers, and other outside parties providing institutional services and functions or otherwise acting for an agency or institution. Proposed Regulations: The proposed regulations in Sec. 99.31(a)(1)(i)(B) would expand the school official exception to include contractors, consultants, volunteers, and other outside parties to whom an educational agency or institution has outsourced institutional services or functions that it would otherwise use employees to perform. The outside party who obtains access to education records without consent must be under the direct control of the agency or institution and subject to the same conditions governing the use and redisclosure of education records that apply to other school officials under Sec. 99.33(a) of the regulations. These proposed regulations supersede previous technical assistance guidance issued by the Family Policy Compliance Office (Office) regarding disclosure of [[Page 15579]] education records without consent to parties acting for an educational agency or institution. Educational agencies and institutions that outsource institutional services and functions must comply with the annual FERPA notification requirements under the current regulations in Sec. 99.7(a)(3)(iii) by specifying their contractors, consultants, and volunteers as school officials retained to provide various institutional services and functions. Failure to comply with the notice requirements for school officials in Sec. 99.7(a)(3)(iii) is not excused by recording the disclosure under Sec. 99.32. (We note that under current regulations disclosures to school officials under Sec. 99.31(a)(1) are specifically excluded from the recordation requirements under Sec. 99.32(d).) As a result, an educational agency or institution that has not included contractors and other outside service providers as school officials with legitimate educational interests in its annual FERPA notification may not disclose any personally identifiable information from education records to these parties until it has complied with the notice requirements in Sec. 99.7(a)(3)(iii). Educational agencies and institutions are responsible for their outside service providers' failures to comply with applicable FERPA requirements. The agency or institution must ensure that the outside party does not use or allow anyone to obtain access to personally identifiable information from education records except in strict accordance with the requirements established by the educational agency or institution that discloses the information. All outside parties serving as school officials are subject to FERPA's restrictions on the use and redisclosure of personally identifiable information from education records. These restrictions include current provisions in Sec. 99.33(a), which requires an educational agency or institution that discloses personally identifiable information from education records to do so only on the condition that the recipient, including a teacher or other school official, will use the information only for the purpose for which the disclosure was made and will not redisclose the information to any other party without the prior consent of the parent or eligible student unless the educational agency or institution has authorized the redisclosure under a FERPA exception and the agency or institution records the subsequent disclosure in accordance with the requirements in Sec. 99.32(b). For example, under the proposed regulations, a party that contracts with an educational agency or institution to provide enrollment and degree verification services must ensure that only individuals with legitimate educational interests obtain access to personally identifiable information from education records maintained on behalf of the agency or institution. In accordance with current regulations at Sec. 99.33(b), a contractor may not redisclose personally identifiable information without prior written consent unless the educational agency or institution has authorized the redisclosure under a FERPA exception and the agency or institution records the subsequent disclosure in accordance with the requirements in Sec. 99.32(b). Like other school officials, contractors and other outside parties who provide institutional services may not decide unilaterally to redisclose personally identifiable information from education records, even in circumstances that would comply with an exception in Sec. 99.31(a). Additionally, records directly related to a student that are maintained by a party acting for an educational agency or institution are education records subject to all FERPA requirements. This includes any new student records created under an outsourcing agreement that are maintained by the outside service provider. Reasons: The proposed regulations are needed to resolve uncertainty about the specific conditions under which educational agencies and institutions may disclose personally identifiable information from education records, without prior written consent, to contractors, consultants, volunteers, and other outside parties performing institutional services or functions. While there is no explicit statutory exception to the prior written consent requirement for disclosures to contractors and other non-employees to whom an educational agency or institution has outsourced services, we note that the statutory definition of education records protects records that are maintained by a party acting for the agency or institution. See 20 U.S.C. 1232g(a)(4)(A)(ii). Indeed, the Joint Statement in Explanation of Buckley/Pell Amendment (120 Cong. Rec. S39862, Dec. 13, 1974) refers specifically to materials that are maintained by a school ``or by one of its agents'' when describing the meaning of the new term education records in the December 1974 amendments to the statute. The Department has long recognized in guidance that FERPA does not prevent educational agencies and institutions from outsourcing institutional services and functions and disclosing education records to contractors and other outside parties performing those services and functions in appropriate circumstances, such as for legal advice; debt collection; transcript distribution; fundraising and alumni communications; development and management of information systems; and degree and enrollment verification. The Secretary wishes to clarify and define the scope of this practice to avoid further confusion and prevent weakening of FERPA's privacy protections because of uncertainty about the requirements for making these kinds of disclosures. One of the most frequently used exceptions to the prior written consent requirement allows teachers and other school officials to obtain access to education records provided the educational agency or institution has determined that the school official has legitimate educational interests in the information. This exception covers not only teachers and principals, but also school counselors, registrars, admissions personnel, attorneys, accountants, human resource staff, information systems specialists, and designated support and clerical personnel when they need access to personally identifiable information from education records in order to perform their official functions and duties for their employer. As noted above, an educational agency or institution that allows school officials to obtain access to education records under this exception must, under Sec. 99.7(a)(3), include in its annual notification of FERPA rights a specification of its criteria for determining who constitutes a school official and what constitutes legitimate educational interests under Sec. 99.31(a)(1). Disclosures to school officials under current regulations are subject to the restrictions on the use and redisclosure of information in Sec. 99.33 but are exempt from the FERPA recordkeeping requirements in Sec. 99.32. The proposed regulations are included with the exception for school officials in Sec. 99.31(a)(1) because we believe that disclosures made for contract, volunteer, and other outsourced services and functions should be subject to the same conditions that would apply if the outside party were, in fact, providing institutional services or functions as an employee or officer of the educational agency or institution. In particular, the outside party must be under the direct control of the agency or institution with respect to the maintenance and use of personally identifiable information from education records. The outside party [[Page 15580]] must also perform the type of institutional services or functions for which the agency or institution would otherwise use its own employees. For example, an institution may disclose education records without consent under this provision to an outside party retained to provide enrollment verification services to student loan holders because the institution would otherwise have to use its own employees to conduct the required verifications. In contrast, an institution may not use this provision to disclose education records, without consent, to a financial institution or insurance company that provides a good student discount on its services and needs students' ID numbers and grades to verify an individual's eligibility, even if the institution enters into a contract with these companies to provide the student discount. Access to Education Records by School Officials Statute: 20 U.S.C. 1232g(b)(1)(A) provides that an educational agency or institution may allow teachers and other school officials within the agency or institution to obtain access to education records, without prior written consent, if the agency or institution has determined that the school official has legitimate educational interests in the information. Current Regulations: Section 99.31(a)(1) allows an educational agency or institution to disclose personally identifiable information from education records without consent to school officials, including teachers, within the agency or institution if the educational agency or institution has determined that they have legitimate educational interests in the information. An educational agency or institution that discloses information under this exception must specify in its annual notification of FERPA rights under Sec. 99.7(a)(3)(iii) the criteria it uses to determine who constitutes a school official and what constitutes legitimate educational interests. Current regulations do not specify whether the agency or institution must ensure that school officials obtain access to only those education records in which they have legitimate educational interests. Proposed Regulations: The proposed regulations in Sec. 99.31(a)(1)(ii) would require an educational agency or institution to use reasonable methods to ensure that teachers and other school officials obtain access to only those education records in which they have legitimate educational interests. This requirement would apply to education records maintained in either paper or electronic format. Agencies and institutions that choose not to use physical or technological controls to restrict a school official's access to education records must ensure that their administrative policy for controlling access to and maintenance of education records is effective and that the agency or institution remains in compliance with the legitimate educational interests requirement in Sec. 99.31(a)(1)(i)(A). (These proposed regulations do not address what constitutes a legitimate educational interest under the regulations.) Reasons: The proposed regulations are needed to ensure that teachers and other school officials only gain access to education records in which they have a legitimate educational interest. While the proposed regulations apply to records in any format (as defined in Sec. 99.3), the need to ensure compliance with the legitimate educational interest requirement has been driven largely by the increased use of computerized or electronic recordkeeping systems in which a user may have access to all records. Many of the smaller educational agencies and institutions typically use a combination of physical and administrative methods to restrict access by school officials to paper copy records. For example, paper copy records may be maintained in lockable cabinets, desks, or rooms with distribution of records to school officials controlled by the teacher, registrar, or other authorized custodian as appropriate. With the advent of computerized or electronic records, particularly by the mid-size and larger agencies and institutions, parents and students have complained that school officials may have unrestricted access to the records of all students in an institution's or local educational agency's (LEA) system. Agencies and institutions establishing or upgrading electronic student information systems have also expressed uncertainty about what methods they should use to comply with the legitimate educational interest requirement in this new environment. Under the proposed regulations, an educational agency or institution should implement controls to protect student records. These controls should consist of a combination of appropriate physical, technical, administrative, and operational controls which will allow access to be limited when required. (Some examples of possible information security controls can be found in ``The National Institute of Standards and Technology (NIST) 800-53, Recommended Security Controls for Federal Information Systems'' (December 2007). Educational institutions and agencies are not required to implement the NIST 800-53 guidance, but may find it useful when determining possible controls.) For example, software used to access electronic records may contain role-based security features that allow teachers to view only information about students currently enrolled in their classes. Similarly, a school principal or registrar may maintain paper records in locked cabinets and distribute records to authorized officials on an as needed basis. An educational agency or institution that does not use some kind of physical or technological controls to restrict access and leaves education records open to all school officials may rely instead on administrative controls, such as an institutional policy that prohibits teachers and other school officials from accessing records except when they have a legitimate educational interest. However, an agency or institution that forgoes physical or technological access controls must ensure that its administrative policy for controlling access is effective and that it remains in compliance with the legitimate educational interest requirement in Sec. 99.31(a)(1). In that regard, if a parent or eligible student alleges that a school official obtained access to a student's education records without a legitimate educational interest, an agency or institution must show that the school official possessed a legitimate educational interest in obtaining the personally identifiable information from education records maintained by the agency or institution. An agency or institution may wish to restrict or track school officials who obtain access to education records to ensure that it is in compliance with Sec. 99.31(a)(1)(i)(A). The risk of unauthorized access to education records by school officials means the likelihood that records may be targeted for compromise and the harm that could result. Methods used by an educational agency or institution to ensure compliance with the legitimate educational interests requirement are considered reasonable under the proposed regulations if they reduce the risk of unauthorized access by school officials to a level commensurate with the likely threat and potential harm. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will occur, the more protections an agency or institution must use to ensure that its methods are reasonable. For example, high risk records, such as those that [[Page 15581]] contain credit card information, SSNs and other elements used for identity theft, immunization and other health records, certain records on special education students, and official transcripts and grades should generally receive greater and more immediate protection than medium or low risk records, such as those containing only publicly releasable directory information. Methods that an educational agency or institution should use to reduce risk to an acceptable level will depend on a variety of factors, including the organization's size and resources. In all cases, reasonableness depends ultimately on what are the usual and customary good business practices of educational agencies and institutions, which requires ongoing review and modification of methods and procedures, where appropriate, as standards and technologies continue to change. Section 99.31(a)(2) (Disclosure to a School Where Student Seeks or Intends To Enroll) Statute: 20 U.S.C. 1232g(b)(1)(B) allows an educational agency or institution to disclose, under certain conditions, education records to another school or school system in which the student seeks or intends to enroll without obtaining the prior written consent of a parent or eligible student. Current Regulations: Under Sec. 99.31(a)(2), an educational agency or institution may disclose education records, without prior written consent, to officials of another school, school system, or postsecondary institution where the student seeks or intends to enroll, provided that the agency or institution complies with the requirements in Sec. 99.34(a) regarding notification to the parent or eligible student of the disclosure and, upon request, provide a copy of the records and an opportunity for a hearing under subpart C of the regulations. Proposed Regulations: The proposed regulations in Sec. 99.31(a)(2) would allow an educational agency or institution to disclose education records, without consent, to another institution even after a student has already enrolled or transferred, and not just if the student seeks or intends to enroll, if the disclosure is for purposes related to the student's enrollment or transfer. Reasons: The proposed amendments are needed to resolve uncertainty about whether consent is required to send a student's records to the student's new school after the student has already transferred and enrolled. This proposed exception to the consent requirement is intended to ease administrative burdens on educational agencies and institutions by allowing them to send transcripts and other information from education records to schools where a student seeks or intends to enroll without meeting the formal consent requirements in Sec. 99.30. We have concluded that authority to disclose or transfer information to a student's new school under this exception does not cease automatically the moment a student has actually enrolled. Rather, an educational agency or institution may transfer education records to a student's new school, including a postsecondary institution, at any point in time if the disclosure is in connection with the student's enrollment in the new school. Based on these considerations, we have also determined that an educational agency or institution may update, correct, or explain information it has disclosed to another educational agency or institution as part of the original disclosure under Sec. 99.31(a)(2) without complying with the written consent requirements in Sec. 99.30. That is, a student's previous institution is not required to obtain prior written consent under Sec. 99.30 to respond to the new institution's request to explain the meaning of education records sent to it in connection with a student's new enrollment. Finally, in the aftermath of the shooting at Virginia Tech, some questions have arisen about whether FERPA prohibits the disclosure of certain types of information from students' education records to new schools or postsecondary institutions to which they have applied. (Further discussion of the tragic events that occurred at Virginia Tech in April 2007 is included in the discussion of the proposed amendments to Sec. 99.36, which appears later in this document.) Under Sec. 99.31(a)(2) and Sec. 99.34(a), FERPA permits school officials to disclose any and all education records, including health and disciplinary records, to another institution where the student seeks or intends to enroll. Section 99.31(a)(6) (Organizations Conducting Studies for or on Behalf of an Educational Agency or Institution) Statute: 20 U.S.C. 1232g(b)(1)(F) allows an educational agency or institution to disclose personally identifiable information from education records, without consent, to organizations conducting studies for or on behalf of the agency or institution for purposes of testing, student aid, and improvement of instruction. The information must be protected so that students and their parents cannot be identified by anyone other than representatives of the organization that conducts the study and must be destroyed when no longer needed for the study. As explained in Sec. 99.31(a)(6)(iii), failure to destroy information in accordance with this requirement could lead to a five-year ban on disclosure of information to that organization. Current Regulations: The regulations restate the statutory language that the study is conducted ``for, or on behalf of'' the educational agency or institution, but do not explain what this language means. Proposed Regulations: The proposed regulations require an educational agency or institution that discloses education records without consent under Sec. 99.31(a)(6) to enter into a written agreement with the recipient organization that specifies the purposes of the study. The agency or institution that discloses education records under this exception does not have to agree with or endorse the conclusions or results of the study. The written agreement must specify that information from education records may only be used to meet the purposes of the study stated in the written agreement and must contain the current restrictions on redisclosure and destruction of information requirements applicable to information disclosed under this exception. Reasons: Research organizations have asked for clarification about the circumstances in which an educational agency or institution may disclose to them personally identifiable information from education records under Sec. 99.31(a)(6)(iii), and educational agencies and institutions have asked whether they may provide personally identifiable information to organizations for research purposes without parental consent even if the educational agency or institution has no particular interest in the study. This exception to the consent requirement is intended to allow educational agencies and institutions to retain the services of outside organizations (or individuals) to conduct studies for or on their behalf to develop, validate, or administer predictive tests; administer student aid programs; or improve instruction. An educational agency or institution need not initiate research requests or agree with or endorse a study's results and conclusions under this exception. However, the statutory language ``for, or on behalf of'' indicates that the disclosing agency or institution agrees with the purposes of the study and retains control over the information from education records that is disclosed. [[Page 15582]] The written agreement required under the proposed regulations will help ensure that information from education records is used only to meet the purposes of the study stated in the written agreement and that all applicable requirements are met. (See discussion of Sec. 99.31(b) below regarding disclosure of de-identified information to independent educational researchers.) Section 99.31(a)(9) (USA Patriot Act) Statute: The USA Patriot Act, Public Law 107-56, amended FERPA by providing a new subsection 1232g(j), 20 U.S.C. 1232g(j), that authorizes the United States Attorney General (or designee not lower than an Assistant Attorney General) to apply for an ex parte court order (an order issued by a court without notice to an adverse party) allowing the Attorney General (or designee) to collect education records from an educational agency or institution, without the consent or knowledge of the student or parent, that are relevant to an investigation or prosecution of an offense listed in 18 U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism specified in 18 U.S.C. 2331. The statute requires the Attorney General (or designee not lower than an Assistant Attorney General) to certify facts in support of the order and to retain, disseminate, and use the records in a manner that is consistent with confidentiality guidelines established by the Attorney General in consultation with the Secretary of Education. Agencies and institutions are not required to record the disclosure and cannot be held liable to anyone for producing education records in good faith in accordance with a court order issued under this provision. Current Regulations: The current regulations do not address the amendments made by the USA Patriot Act. Proposed Regulations: The proposed regulations add new exceptions to the written consent requirement in Sec. 99.31(a)(9)(ii) and the recordkeeping requirement in Sec. 99.32(a) allowing disclosure of education records without notice in compliance with an ex parte court order obtained by the Attorney General (or designee) concerning investigations or prosecutions of an offense listed in 18 U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism defined in 18 U.S.C. 2331. Reasons: The proposed regulations are necessary to implement the statutory amendment. An educational agency or institution that is served with an ex parte court order from the Attorney General (or designee) under this provision should ensure that the order is facially valid, just as it does when determining whether to comply with other judicial orders and subpoenas under Sec. 99.31(a)(9). An educational agency or institution is not, however, required or authorized to examine the underlying certification of facts presented to the court in the Attorney General's application for the ex parte court order. The proposed regulations provide that an educational agency or institution may comply with the court order without notice to the parent or eligible student. (Note that Sec. 99.31(a)(9)(ii)(B) also allows an educational agency or institution to disclose education records without notice to representatives of the Attorney General or other law enforcement authorities who produce a subpoena that has been issued for law enforcement purposes and the court or other issuing agency has ordered that the existence or contents of the subpoena or information furnished in response to the subpoena not be disclosed.) Section 99.31(a)(16) (Registered Sex Offenders) Statute: The Campus Sex Crimes Prevention Act (CSCPA), section 1601(d) of the Victims of Trafficking and Violence Protection Act of 2000, Public Law 106-386, amended FERPA by adding 20 U.S.C. 1232g(b)(7), which provides that educational agencies and institutions may disclose information concerning registered sex offenders provided under State sex offender registration and community notification programs required by section 170101 of the Violent Crime Control and Law Enforcement Act of 1994, Public Law 103-322, 42 U.S.C. 14071. Section 170101 contains the Jacob Wetterling Crimes Against Children and Sexually Violent Offender Registration Act (Wetterling Act). Current Regulations: The current regulations do not address the disclosure of information concerning registered sex offenders. Proposed Regulations: The proposed regulations add a new exception to the consent requirement in Sec. 99.31(a)(16) that permits an educational agency or institution to disclose information that the agency or institution received under a State community notification program about a student who is required to register as a sex offender in the State. Note that nothing in FERPA or these proposed regulations requires or encourages an educational agency or institution to collect or maintain information about registered sex offenders. Reasons: The regulations implement the CSCPA amendment to FERPA, which allows educational agencies and institutions to disclose information about registered sex offenders without consent if the information was received through and complies with guidelines regarding a State community notification program issued by the U.S. Attorney General under the Wetterling Act. Wetterling Act guidelines issued by the Attorney General were published in the Federal Register on October 25, 2002 (67 FR 65598), and January 5, 1999 (64 FR 572). The Wetterling Act sets forth minimum national standards for sex offender registration and community notification programs. Under the Wetterling Act, States must establish programs that require sexually violent predators (and anyone convicted of specified criminal offenses against minors) to register their name and address with the appropriate State authority where the offender lives, works, or is enrolled as a student. States are also required to release relevant information necessary to protect the public concerning persons required to register, excluding the identity of any victim. (This community notification provision is commonly known as the ``Megan's Law'' amendment to the Wetterling Act.) CSCPA supplemented the general standards for sex offender registration and community notification programs in the Wetterling Act with provisions specifically designed for higher education campus communities. These include a requirement that States collect information about a registered offender's enrollment or employment at an institution of higher education, including any change in enrollment or employment status at the institution, and make this information available promptly to a campus police department or other appropriate law enforcement agency having jurisdiction where the institution is located. CSCPA also amended the Higher Education Act of 1965, as amended (HEA), by requiring institutions of higher education to advise the campus community where it can obtain information about registered sex offenders provided by the State pursuant to the Wetterling Act, such as the campus law enforcement office, a local law enforcement agency, or a computer network address. See 20 U.S.C. 1092(f)(1)(I) and 34 CFR 668.46(b)(12). While the FERPA amendment was made in the context of CSCPA's enhancements to registration and [[Page 15583]] notification requirements applicable to the higher education community, the Department has determined that all educational institutions, including elementary and secondary schools, are covered by this amendment. The registration and community notification requirements apply in the State where an offender lives, works, or is a student, which is defined as ``a person who is enrolled on a full-time or part- time basis, in any public or private educational institution, including any secondary school, trade, or professional institution, or institution of higher education.'' See 42 U.S.C. 14071(a)(3)(G). Because the sex offender registration and community notification requirements apply broadly to students enrolled in ``any public or private educational institution,'' the Department likewise interprets the FERPA amendment to apply to all educational agencies and institutions subject to FERPA. 4. De-Identification of Information (Sec. 99.31(b)) Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provide that an educational agency or institution may not have a policy or practice of permitting the release of or providing access to education records, or personally identifiable information from education records, without prior written consent except in accordance with statutory exceptions. Current Regulations: Personally identifiable information under Sec. 99.3 includes personal identifiers such as a student's name, address, and identification numbers, as well as personal characteristics or other information that would make the student's identity easily traceable. Proposed Regulations: The proposed regulations would amend Sec. 99.31(b) to provide objective standards under which educational agencies and institutions may release, without consent, education records, or information from education records, that has been de- identified through the removal of all personally identifiable information. Personally identifiable information is defined in Sec. 99.3 to mean information that can be used to identify a student, including direct identifiers, such as the student's name, SSN, and biometric records, alone or combined with other personal or identifying information that is linked or linkable to a specific individual, including indirect identifiers such as the name of the student's parent or other family member, the student's or family's address, and the student's date and place of birth and mother's maiden name, that would allow a reasonable person in the school or its community, who does not have personal knowledge of the relevant circumstance, to identify the student with reasonable certainty. The Department does not hold educational agencies and institutions responsible for knowing the status of all non-educational records about students (e.g., law enforcement or hospital records). However, the Department encourages educational agencies and institutions to be sensitive to publicly available data on students and to the cumulative effect of disclosures of student data. Additionally, personally identifiable information includes information that is requested by a person who an agency or institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates. This is known as a targeted request. Reasons: Disclosure is defined in the regulations as permitting access to or releasing, transferring, or otherwise communicating personally identifiable information contained in education records. Accordingly, there is no ``disclosure'' under FERPA when education records are released if all identifiers have been removed, along with other personally identifiable information. The proposed regulations are needed to establish this guidance in a definitive and legally binding interpretation, and to provide standards for ensuring that a student's personally identifiable information is not disclosed. The Department's November 18, 2004, letter to the Tennessee Department of Education (TNDOE) explains that an educational agency or institution may release for educational research purposes (without parental consent) anonymous data files, i.e., records from which all personally identifiable information has been removed but that have coded each student's record with a non-personal identifier as described in the letter. (Records or data that have been stripped of identifiers and coded may be re-identified and, therefore, are properly characterized as de-identified.) Under the guidance in the TNDOE letter, a party must ensure that the identity of any student cannot be determined in coded records, including assurances of sufficient cell and subgroup size, and the linking key that connects the code to student information must not be shared with the requesting entity. The Department recognizes that avoiding the risk of disclosure of identity or individual attributes in statistical information cannot be completely eliminated, at least not without negating the utility of the information, and is always a matter of analyzing and balancing risk so that the risk of disclosure is very low. The reasonable certainty standard in the proposed definition of personally identifiable information requires such a balancing test. (Similarly, we are proposing here to use the term ``de-identified'' instead of ``anonymous''--which appears in previous guidance--because it is more consistent with terminology used by experts in the field and reflects more accurately the level of disclosure risk that should be achieved.) Many educational institutions have asked for guidance about how they may disclose ``redacted'' education records that concern students or incidents that are well-known in the school or its community. For example, a school has suspended a student from school and given the student a failing grade for cheating on a test. The parent believes the discipline is too harsh and inconsistent with discipline given to other students and asks to see the redacted records of other students who have been disciplined for cheating on tests that year. Only one student has been disciplined for this infraction during the year, and the name of that student is widely known because her parents went to the media about the accusation. The school may not release the record in redacted form because the publicity has made the record personally identifiable. Additionally, personally identifiable information includes information that is requested by a person who an agency or institution reasonably believes has direct, personal knowledge of the identity of the student to whom the education record directly relates. This is known as a targeted request. In the simplest case, if an individual asks for the disciplinary report for a named student, the institution may not release a redacted copy of the report because the requester knows the identity of the student who is the subject of the report. An individual can also make a targeted request without mentioning the student's name. For example, a person running for local office is known to have graduated from a particular university in 1978. Rumors circulate that the candidate plagiarized other students' work while in school. A local reporter asks the university for redacted disciplinary records for all students who graduated in 1978 who were disciplined for plagiarism. The university may not release the records in redacted form because the circumstances indicate that the requester has made a targeted request, i.e. has direct, personal [[Page 15584]] knowledge of the subject of the case. In another case, a local reporter reviewed law enforcement unit records in October 2007 and learned that a prominent high school athlete was under investigation for use of illegal drugs. The newspaper published front-page articles about the matter that same month. Thereafter, the reporter asked the student's school for a redacted copy of all disciplinary records related to illegal drug use by student athletes since October 2007. The school may not release the records in redacted form because the reporter has made a targeted request. Clearly, extenuating circumstances sometimes cause identity to be revealed even after all identifiers have been removed, whether in aggregated or student-level data. In these situations, the key consideration in determining whether the information is personally identifiable is whether a reasonable person in the school or its community, without personal knowledge of the relevant circumstances, would be able to identify a student with reasonable certainty. The Department is interested in receiving comments on the scope of the ``school or its community'' limitation in the reasonable person standard, and how it would apply to the release of redacted records as well as statistical information, including information released by State educational authorities and entities other than local districts and institutions. In regard to numerical or statistical information, several educational agencies and institutions have expressed concern about the public release of information that contains small data sets that may be personally identifiable. We have advised States and schools generally that they may not report publicly on the number of students of a specified race, gender, disability, English language proficiency, migrant status, or other condition who failed to graduate, received financial aid, achieved certain test scores, etc., unless there is a sufficient number of students in the defined category so that personally identifiable information is not released. Some schools have indicated, for example, that they would not disclose that two Hispanic, female students failed to graduate, even if there are several Hispanic females at the institution, because of the likelihood that the students who failed to graduate could easily be identified in such a small data set. A review of data confidentiality issues, especially as concerns the Federal statistical agencies, indicates that it is not possible to prescribe a single method to apply in every circumstance to minimize risk of disclosing personally identifiable information. This is true for several reasons, including the wide variety of data compilations and systems maintained by different agencies and institutions and the different types of search requests they receive and data sets they wish to disclose. More generally, and as indicated in the Federal Committee on Statistical Methodology's Statistical Policy Working Paper 22 (available at http://www.fcsm.gov/working-papers/wp22.html), educational agencies and institutions may wish to consider current statistical, scientific and technological concepts, and standards when making decisions about analyzing and minimizing the risk of disclosure in statistical information. Consistent with that view, the Department has consistently declined to take a categorical approach and advised instead that the parties themselves are in the best position to analyze and identify the best methods to use to protect the confidentiality of their own data. See, for example, the September 25, 2003, letter to Board of Regents of the University System of Georgia at http:// www.ed.gov/policy/gen/guid/fpco/ferpa/library/georgialtr.html; October 19, 2004, letter to Miami University at http://www.ed.gov/policy/gen/ guid/fpco/ferpa/library/unofmiami.html. However, the Department recognizes that there are some practices from the existing professional literature on disclosure limitation that can assist covered entities in developing a sound approach to de- identifying data for release, particularly when consultation with professional statisticians with experience in disclosure limitation methods is not feasible. Each of the items discussed in the following subsection is elaborated on in Statistical Working Paper 22 for further reference. There are several steps that can assist with de-identifying any data release. The choice of methods depends on the nature of the data release that must be de-identified. First, covered entities should recognize that the re-identification risk of any given release is cumulative, i.e., directly related to what has previously been released. Previous releases include both publicly-available directory information and de-identified data releases. For example, if a publicly available directory provides date and place of birth, then a de- identified data release that also contains the same information for a group of students could pose a re-identification risk if one of those students has an unusual date and place of birth relevant to others in the data release. Second, covered entities should minimize information released in directories to the extent possible. The Department is not attempting to limit the statutory authority available to covered entities in releasing directory information, but recognizes that since the statute's enactment, the risk of re-identification from such information has grown as a result of new technologies and methods. Third, covered entities should apply a consistent de-identification strategy for all of its data releases of a similar type. The two major types of data release are aggregated data (such as tables showing numbers of enrolled students by race, age and sex) and microdata (such as individual level student assessment results by grade and school). There are several acceptable de-identification strategies for each type of data. Major methods used by the Department for tabular data include defining a minimum cell size (meaning no results will be released for any cell of a table with a number smaller than ``X'' or else cells are aggregated until no cells based on one or two cases remain) or controlled rounding (meaning that cells with a number smaller than ``X'' require that numbers in the affected rows and columns be rounded so that the totals remain unchanged. For microdata releases, the primary consideration is whether the proposed release contains any ``unique'' individuals whose identity can be deduced by the combination of variables in the file. If such a condition exists, there are a number of methods that can be employed. These include ``top coding'' a variable (e.g., test scores above a certain level are recoded to a defined maximum), converting continuous data elements into categorical data elements (e.g., creating categories that subsume unique cases) or data swapping to introduce uncertainty so that the data user does not know whether the real data values correspond to certain records. The Department seeks public comment on whether it needs to develop further guidance on this topic to assist educational agencies and institutions. Although FERPA does not contain a general ``research'' exception to the consent requirement, the Department recognizes that useful and valid educational research may be conducted using de-identified data where disclosure of personally identifiable information from education records would not be permissible under the limited standards of Sec. 99.31(a)(6) or [[Page 15585]] Sec. 99.31(a)(3), discussed above. This regulation should not be interpreted to discourage de-identified data releases, but rather to clarify how to do so in a manner that minimizes the risk of re- identification. Accordingly, the proposed regulations are also needed to provide a method that may be used by a school, school district, state department of education, postsecondary institution or commission, or another party that maintains education records to release student- level or microdata for purposes of education research. We believe that these standards establish an appropriate balance that facilitates educational research and accountability while preserving the privacy protections in FERPA. In order to permit ongoing educational research with the same data, the party that releases the information may attach a unique descriptor to each de-identified record that will allow the recipient to match other de-identified information received from the same source. However, the recipient may not be allowed to have access to any information about how the descriptor is generated and assigned, or that would allow it to match the information from education records with data from any other source, unless that data is de-identified and coded by the party that discloses education records. Furthermore, a record descriptor assigned for educational research purposes under this rule may not be based on a student's social security number. De-identified, student-level data released for educational research purposes must still conform to the requirements discussed above regarding small data sets that may lead to personal identification of students. However, unlike information released in personally identifiable form under Sec. Sec. 99.31(a)(3) and 99.31(a)(6), de- identified information from education records is not subject to any destruction requirements because, by definition, it is not ``personally identifiable information'' under FERPA. The Department cannot specify in general which statistical disclosure limitation (SDL) methods should be used in any particular case. However, educational agencies and institutions should monitor releases of coded, de-identified microdata and take reasonable measures to ensure that overlapping or successive releases do not result in data sets in which a student's personally identifiable information is disclosed. 5. Identification and Authentication of Identity (Sec. 99.31(c)) Statute: 20 U.S.C. 1232g(b)(1) and (b)(2) provides that an educational agency or institution may not have a policy or practice of releasing, permitting the release of, or providing access to any personally identifiable information from education records without written consent, except in accordance with specified statutory exceptions. Current Regulations: Current regulations do not address whether an educational agency or institution must ensure that it has properly identified a party to whom it discloses personally identifiable information from education records. Proposed Regulations: The proposed regulations in Sec. 99.31(c) would require an educational agency or institution to use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the agency or institution discloses personally identifiable information from education records. Reasons: The proposed regulations are needed to ensure that educational agencies and institutions disclose personally identifiable information from education records only to authorized recipients. Identification in this context means determining who is the intended or authorized recipient of the information in question; authentication of identity means ensuring that the recipient is, in fact, who he or she purports to be. Identification of a party requesting disclosure of hard copy education records is relatively simple--the responsible school official can confirm the name and correct address for records sent by mail and obtain photo identification for personal delivery of records to students, parents, school officials, and other authorized recipients who are not recognized personally by the custodian of the records. Identification presents unique challenges in an electronic or telephonic environment, where personal recognition and photo identification cards are irrelevant. Occasionally educational agencies and institutions disclose education records to the wrong party because someone misaddresses an envelope, or puts the wrong material in a properly addressed envelope. This is a failure to properly identify the authorized recipient. More commonly, parents and students complain that unauthorized parties obtain access to the student's education records because agencies and institutions use widely available information, such as name and date of birth, or name and SSN or other student ID number, when providing access to electronic records or disclosing information about a student by telephone. This is a failure to properly authenticate identity. These proposed regulations would address both of these problems. Authentication of identity is a complex subject that continues to advance as new methods and technologies are developed to meet evolving standards for safeguarding financial, health, and other types of electronic records. The proposed regulations allow an educational agency or institution to use any reasonable method. As discussed above in connection with controlling access to education records by school officials, methods are considered reasonable if they reduce the risk of unauthorized disclosure to a level that is commensurate with the likely threat and potential harm and depend on variety of factors, including the organization's size and resources. The greater the harm that would result from unauthorized access or disclosure, and consequently the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution must use to ensure that its methods are reasonable. Again, reasonableness depends ultimately on what are the usual and customary good business practices of educational agencies and institutions, which requires ongoing review and modification of procedures, where appropriate, as standards and technologies change. Authentication of identity generally involves requiring a user to provide something that only the user knows, such as a PIN, password, or answer to a personal question; something that only the user has, such as a smart card or token; or a biometric factor associated with no one other than the user, such as a finger, iris, or voice print. Under the proposed regulations an educational agency or institution may determine that single-factor authentication, such as a standard form user name combined with a secret PIN or password, is reasonable for protecting access to electronic grades and transcripts. Single-factor authentication may not be reasonable, however, for protecting access to SSNs, credit card numbers, and similar information that could be used for identity theft and financial fraud. Likewise, an educational agency or institution must ensure that it does not deliver a password, PIN, smart card, or [[Page 15586]] other factor used to authenticate identity in a manner that would allow access to unauthorized recipients. For example, an agency or institution may not make education records available electronically by using a common form user name (e.g., last name and first name initial) with date of birth or SSN, or a portion of the SSN, as an initial password to be changed upon first use of the system. 6. Redisclosure of Education Records by Officials Listed in Sec. 99.31(a)(3) (Sec. 99.32, Sec. 99.35) Statute: 20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5) permits an educational agency or institution to disclose education records, without prior written consent, to authorized representatives of the United States Comptroller General, the Secretary of Education, State and local educational authorities, and the U.S. Attorney General as necessary in connection with the audit or evaluation of Federal and State supported education programs, or in connection with the enforcement of Federal legal requirements that relate to those programs. Except when the collection of personally identifiable information is specifically authorized by Federal law, personally identifiable information of parents and students may not be redisclosed to any other parties and must be destroyed when no longer needed for such audit, evaluation or enforcement purposes. In contrast, section 1232g(b)(4)(B) contains a general prohibition on the redisclosure of information from education records. In particular, by statute an educational agency or institution may disclose personal information from education records only on the condition that the recipient will not redisclose the information to any other party without meeting the prior written consent requirement. If a recipient rediscloses personally identifiable information from education records in violation of the prior written consent requirement, the agency or institution that disclosed the records may not permit that recipient to have access to information from education records for at least five years. There is no general destruction requirement similar to the specific requirement for destruction of personally identifiable information described above for records disclosed for audit, evaluation, and enforcement purposes under section 1232g(b)(3). Current Regulations: Section 99.31(a)(3) lists the four officials or authorities that may receive education records, without consent, for the specified audit, evaluation, or compliance and enforcement purposes. The Department has interpreted the term ``evaluation'' broadly to include all manner of studies, assessments, measurements, appraisals, research, and other efforts, including analyses of statistical or numerical data derived from education records. Section 99.35 provides that information disclosed under this exception to the consent requirement must be protected in a manner that does not permit personal identification of individuals by anyone except the officials listed in Sec. 99.31(a)(3) and must be destroyed when no longer needed for the audit, evaluation, or compliance and enforcement purposes, unless a parent or eligible student consents to the disclosure or Federal law specifically authorizes the collection of personally identifiable information. Current regulations do not specify any further conditions under which these officials or authorities may redisclose personally identifiable information from education records without prior written consent. Section 99.33(c) establishes specific exceptions to the general statutory prohibition on redisclosure of information from education records under 20 U.S.C. 1232g(b)(4)(B). Section 99.33(b) also allows an educational agency or institution to disclose education records with the understanding that the recipient may make further disclosures of the information on its behalf if the disclosures could be made under Sec. 99.31 and the educational agency or institution complies with the recordkeeping requirements specified in Sec. 99.32(b). Section 99.32(a) requires an educational agency or institution to maintain a record of each request for access to and each disclosure of personally identifiable information from the education records of each student. If a recipient is authorized to make further disclosures of personally identifiable information from education records under Sec. 99.33(b), the educational agency or institution must record the names of the additional parties to which the receiving party may disclose the information on behalf of the educational agency or institution and their legitimate interests under Sec. 99.31 in requesting or obtaining the information. Each student's record of disclosures is an education record that must be made available to a parent or eligible student under Sec. 99.32(c). The Department has not applied the regulatory exception in Sec. 99.33(b) to officials or authorities that receive information under Sec. Sec. 99.31(a)(3) and 99.35 because of the more specific statutory limitations, including the destruction requirement, that generally apply to these disclosures. Proposed Regulations: The proposed regulations in Sec. 99.35(b)(1) would permit officials and authorities listed in Sec. 99.31(a)(3)(i) to redisclose personally identifiable information from education records under the same conditions, set forth in Sec. 99.33(b), that apply to parties that receive personally identifiable information from education records under other exceptions in Sec. 99.31. For example, this proposed change would allow a State educational agency (SEA) to use the exception in Sec. 99.31(a)(2) to transfer a student's education records to a student's new school district on behalf of the former district. Similarly, an SEA or other official listed in Sec. 99.31(a)(3) would be able to redisclose personally identifiable information from education records received under Sec. 99.35 to an accrediting agency under Sec. 99.31(a)(7); in response to a subpoena or court order under Sec. 99.31(a)(9); or in connection with a health or safety emergency under Sec. Sec. 99.31(a)(10) and 99.36. The proposed regulations would also apply to the redisclosure of education records by an SEA (or other official listed in Sec. 99.31(a)(3)) to another listed official, such as the Secretary, for audit, evaluation, or compliance and enforcement purposes under Sec. 99.35. The regulations would also clarify that authority to conduct an audit, evaluation, or compliance or enforcement activity is not conferred by FERPA and must be established under other Federal, State, or local law, including valid administrative regulations. Like redisclosures permitted currently under Sec. 99.33(b), redisclosures made by officials listed in Sec. 99.31(a)(3)(i) under the proposed amendment would be subject to the recordation requirements in Sec. 99.32(b). Reasons: School districts and postsecondary institutions typically disclose education records, or personally identifiable information from education records, to their SEA or State higher education authority, without prior written consent, for audit, evaluation, or compliance and enforcement purposes subject to the requirements of Sec. 99.35. Several SEAs that maintain Statewide, consolidated systems for school district records subject to Sec. 99.35 have questioned whether they may allow a student's new school district to obtain access to personally identifiable information from education records submitted to the system by the student's former district. (Historically, when a student transfers to a new school, the former school district sends the student's education records to the student's new district, [[Page 15587]] without consent, under Sec. 99.31(a)(2).) Others have asked whether records subject to Sec. 99.35 may be redisclosed in compliance with a subpoena or court order and, if so, what conditions apply. States have also asked about the operation of longitudinal data systems that consolidate K-12 and postsecondary education records. As noted elsewhere in this notice, there are no specific statutory exceptions to either the prohibition on redisclosure of education records disclosed under Sec. 99.31 or the more specific limitations for records disclosed under Sec. 99.35. Accordingly, final regulations published on June 17, 1976 (41 FR 24662) provided in Sec. 99.33(a) that educational agencies and institutions must inform a third party to whom personally identifiable information from education records is disclosed that it may not redisclose any personally identifiable information without the written consent of a parent or eligible student. However, these regulations also added a provision in Sec. 99.33(b) that permits the agency or institution to disclose personally identifiable information under Sec. 99.31 with the understanding that the information will be redisclosed to other parties under that section; Provided, That the recordkeeping requirements of Sec. 99.32 are met with respect to each of those parties. 41 FR 24662, 24679. The Secretary recognizes that officials and authorities that receive education records for audit, evaluation, compliance, or enforcement purposes under Sec. Sec. 99.31(a)(3) and 99.35 are no less capable of protecting the information against unauthorized access and disclosure than parties that receive education records under other exceptions in Sec. 99.31. The proposed amendment is needed so that SEAs and other officials and authorities listed in Sec. 99.31(a)(3)(i) may take advantage of the regulatory exception in Sec. 99.33(b) and redisclose personally identifiable information from education records directly to a qualified recipient under an exception in Sec. 99.31 instead of requiring that party to go to each school district or institution that submitted the records for audit, evaluation, compliance, or enforcement purposes. Similarly, the proposed regulations are needed to clarify that an official or authority that maintains personally identifiable information from education records subject to Sec. 99.35 may redisclose that information to another authority listed in Sec. 99.31(a)(3)(i) for another qualifying audit, evaluation, compliance, or enforcement activity, notwithstanding the limitations in Sec. 99.35. The proposed regulations clarify that while FERPA permits the disclosure and redisclosure of education records without consent to officials and authorities listed in Sec. 99.31(a)(3)(i) for the purposes specified, it does not confer or establish the underlying authority for those officials and authorities to conduct an audit, evaluation, or compliance or enforcement activity. If Federal, State, or local law authorizes a particular entity to audit or evaluate the education records, then FERPA permits the disclosure of personally identifiable information for that purpose without consent. For example, this exception allows a school district to disclose education records to its own State department of education or other SEA because that agency is legally authorized to audit or evaluate the school district's education programs, or enforce Federal legal requirements related to those programs. This exception does not allow a school district to disclose education records to the State higher education authority without parental consent unless that agency is empowered under Federal, State or local law to conduct an audit, evaluation, or compliance or enforcement activity with respect to that school district's education programs. The legal authority to audit, evaluate, or enforce education programs does not derive from FERPA itself. These proposed regulations would also ensure that State and local educational authorities may redisclose personally identifiable information from education records in order to consolidate K-16 education records for audit, evaluation, compliance, or enforcement purposes under Sec. 99.35(a). For example, under the proposed regulations, a State's postsecondary or higher education authority may redisclose personally identifiable information from the education records it maintains to a consolidated data system operated by the SEA if the SEA is legally authorized to conduct an audit, evaluation, compliance, or enforcement activity of postsecondary education programs. Likewise, an SEA may redisclose personally identifiable information from K-12 education records to a consolidated database operated by a State's higher education authority if the higher education authority is legally authorized to conduct the audit, evaluation, compliance, or enforcement activity of K-12 educational programs. As noted above, disclosures under Sec. 99.33(b) are based on an understanding on the part of the educational agency or institution that the recipient will redisclose information to specified recipients on its behalf subject to the recordation requirements in Sec. 99.32(b). The Department is interested in relieving any administrative burdens associated with recording disclosures of education records and, therefore, invites public comment on whether an SEA, the Department, or other official or agency listed in Sec. 99.31(a)(3) should be allowed to maintain the record of the redisclosures it makes on behalf of an educational agency or institution under Sec. 99.32(b). 7. Limitations on the Redisclosure of Information From Education Records (Sec. 99.33) Section 99.31(a)(9) (Subpoenas and Court Orders) Statute: 20 U.S.C. 1232g(b)(4)(B) provides that an educational agency or institution may disclose personally identifiable information from education records to a third party only on the condition that the recipient will not redisclose the information to anyone else without written consent of the parent or eligible student. If a third party outside the educational agency or institution permits access to information without written consent of a parent or eligible student as required under 20 U.S.C. 1232g(b)(2)(A), the educational agency or institution may not permit access to information from education records by that third party for a period of not less than five years. There is no specific statutory exception to the prohibition on redisclosure of personally identifiable information from education records. 20 U.S.C. 1232g(b)(2)(B) provides that an educational agency or institution may disclose personally identifiable information without consent if the information is furnished in compliance with a judicial order or any lawfully issued subpoena, upon the condition that parents and students are notified in advance of compliance. Advance notice is not required for certain Federal grand jury subpoenas and subpoenas issued for law enforcement purposes. 20 U.S.C. 1232g(b)(1)(J). Current Regulations: Section 99.33(a)(1) permits an educational agency or institution to disclose personally identifiable information from education records only on the condition that the recipient will not redisclose the information to any other party without the prior consent of the parent or eligible student. Section 99.33(b) provides for an exception to this general rule. Specifically, under Sec. 99.33(b), an educational agency or institution may [[Page 15588]] disclose personally identifiable information from education records with the understanding that the party receiving the information may make further disclosures on behalf of the educational agency or institution if the disclosures meet the requirements of Sec. 99.31(a) and the educational agency or institution complies with the recordkeeping requirements in Sec. 99.32(b). Under Sec. 99.33(e), if the Office determines that a third party improperly rediscloses personally identifiable information from education records in violation of the prohibition on redisclosure in Sec. 99.33(a), subject to the provisions of Sec. 99.33(b), the educational agency or institution may not allow that third party access to personally identifiable information from education records for at least five years. Section 99.31(a)(9) permits an educational agency or institution to disclose personally identifiable information from education records without consent in compliance with a judicial order or lawfully issued subpoena, provided that the agency or institution makes a reasonable effort to notify the parent or eligible student of the order or subpoena in advance of compliance so that the parent or eligible student may seek protective action. Notification is not required for certain grand jury and law enforcement subpoenas. Proposed Regulations: The proposed regulations in Sec. 99.33(b)(2) would require a party that has received personally identifiable information from education records from an educational agency or institution, including an SEA or other official listed in Sec. 99.31(a)(3)(i), to provide the notice to parents and eligible students, if any, required under Sec. 99.31(a)(9) before it rediscloses personally identifiable information from the records on behalf of an educational agency or institution in compliance with a judicial order or lawfully issued subpoena, as authorized under Sec. 99.33(b). Reasons: Section 99.33(b) allows a party to redisclose personally identifiable information under Sec. 99.31(a) on behalf of an educational agency or institution, including redisclosure in compliance with a judicial order or lawfully issued subpoena under Sec. 99.31(a)(9). (As noted above, the proposed amendments to Sec. 99.35 would extend this authority to SEAs and other officials and agencies listed in Sec. 99.31(a)(3)(i).) The proposed regulations are needed to clarify which party is responsible for notifying parents and eligible students before an SEA or other third party outside of the educational agency or institution complies with a judicial order or subpoena to redisclose personally identifiable information from education records. The Secretary believes that the party that has been ordered to produce the information should be responsible for ensuring that the parent or eligible student has been notified because the educational agency or institution has no control over whether and when that party will comply. The penalty in Sec. 99.33(e) would prohibit an educational agency or institution from providing access to any third party that fails to provide reasonable notice to parents and eligible students before complying with a judicial or lawfully issued subpoena. Disclosures Required Under the Clery Act Statute: 20 U.S.C. 1232g(b)(4)(B) provides that an educational agency or institution may disclose personally identifiable information from education records to a third party only on the condition that the recipient will not redisclose the information to anyone else without written consent of the parent or eligible student. 20 U.S.C. 1232g(b)(6)(B) allows a postsecondary institution to disclose to any party, without consent, the final results of a disciplinary proceeding against a student for crimes of violence or non-forcible sex offenses if the institution determines as a result of the disciplinary proceeding that the student committed the violation in question. 20 U.S.C. 1232g(b)(6)(A) allows a postsecondary institution to disclose to the alleged victim the final results of disciplinary proceedings against a student for crimes of violence or non-forcible sex offenses regardless of the outcome. The Jeanne Clery Disclosure of Campus Security Policy and Campus Crime Statistics Act (Clery Act), which amended the HEA, requires postsecondary institutions to inform both the accuser and the accused of the outcome of a campus disciplinary proceeding brought alleging a sexual assault regardless of the outcome. 20 U.S.C. 1092(f)(8)(B)(iv)(II); 34 CFR 668.46(b)(11)(vi)(B). Current Regulations: Regulations implementing the Clery Act, 34 CFR Sec. 668.46(b)(11)(iv)(B), require postsecondary institutions to inform both the accuser and the accused of the outcome of any institutional disciplinary proceeding brought alleging a sex offense. Under this provision the outcome of a disciplinary proceeding means only the institution's final determination with respect to the alleged sex offense and any sanction that is imposed against the accused. Section 99.33(a) permits an educational agency or institution to disclose personally identifiable information from education records only on the condition that the recipient will not redisclose the information to any other party without the prior consent of the parent or eligible student. Section 99.33(c) excludes from the statutory prohibition on redisclosure information that an educational agency or institution may disclose without consent to any member of the public, such as directory information under Sec. 99.31(a)(11) and the final results of a disciplinary proceeding for acts constituting crimes of violence or non-forcible sex offenses under Sec. 99.31(a)(14) when a postsecondary institution has determined that the student committed the violation in question. Current regulations in Sec. 99.33(c) do not exclude from the redisclosure prohibition disclosures made by postsecondary institutions to an alleged victim of a crime of violence or non-forcible sex offense under Sec. 99.31(a)(13) or disclosures they are required to make under the Clery Act. Proposed Regulations: The proposed regulations would amend Sec. 99.33(c) to exclude from the statutory prohibition on redisclosure of education records information that postsecondary institutions are required to disclose under the Clery Act to the accuser and accused regarding the outcome of any campus disciplinary proceeding brought alleging a sexual offense. Reasons: Some postsecondary institutions have required the accuser to execute a non-disclosure agreement before they disclose the outcome of a disciplinary proceeding for an alleged sexual offense as required under the Clery Act. In analyzing and ruling on these practices, the Department determined that the statutory prohibition on redisclosure of information from education records in FERPA does not apply to information that a postsecondary institution is required to release to students under the Clery Act. The proposed regulations would clarify that postsecondary institutions may not require the accuser to execute a non-disclosure agreement or otherwise interfere with the redisclosure or other use of information disclosed as required under the Clery Act. 8. Health and Safety Emergencies (Sec. 99.36) Section 99.36(c) (Conditions That Apply to Disclosure of Information in Health and Safety Emergencies) Statute: Under 20 U.S.C. 1232g(b)(1)(I), an educational agency or institution may disclose personally [[Page 15589]] identifiable information from education records without prior written consent, subject to regulations by the Secretary, in connection with an emergency to appropriate persons if the knowledge of such information is necessary to protect the health or safety of the student or other persons. Current regulations: Under Sec. 99.36(a), an educational agency or institution may disclose personally identifiable information from education records to appropriate parties in connection with an emergency if knowledge of the information is necessary to protect the health or safety of the student or other individuals. Under Sec. 99.36(b), educational agencies and institutions may include in a student's education records appropriate information concerning disciplinary action taken against the student for conduct that posed a significant risk to the safety or well-being of that student, other students, or other members of the school community. Educational agencies and institutions may also disclose appropriate information about these kinds of disciplinary actions to teachers and school officials within the agency or institution or in other schools who have legitimate educational interests in the behavior of the student. Under Sec. 99.36(c), all of these regulatory provisions must be strictly construed. Proposed regulations: The Department proposes to revise Sec. 99.36(c) to remove the language requiring strict construction of this exception and add a provision that in making a determination under Sec. 99.36(a), an educational agency or institution may take into account the totality of the circumstances pertaining to a threat to the safety or health of a student or other individuals. If the educational agency or institution determines that there is an articulable and significant threat to the health or safety of a student or other individuals, it may disclose information from education records to any person whose knowledge of the information is necessary to protect the health and safety of the student or other individuals. If, based on the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination. Reasons: In the wake of the tragic shootings at Virginia Tech, the President directed the Secretary, together with the Secretary of Health and Human Services and the Attorney General, to travel to communities across the nation and to meet with educators, mental health experts, law enforcement and State and local officials to discuss the broader issues raised by the tragedy. On June 13, 2007, those officials transmitted a ``Report to the President on Issues Raised by the Virginia Tech Tragedy.'' See http://www.hhs.gov/vtreport.html. In relevant part, the report provided: A consistent theme and broad perception in our meetings was that this confusion and differing interpretations about state and federal privacy laws and regulations impede appropriate information sharing. In some sessions, there were concerns and confusion about the potential liability of teachers, administrators, or institutions that could arise from sharing information, or from not sharing information, under privacy laws, as well as laws designed to protect individuals from discrimination on the basis of mental illness. It was almost universally observed that these fears and misunderstandings likely limit the transfer of information in more significant ways than is required by law. Particularly, although participants in each state meeting were aware of both [the Health Insurance Portability and Accountability Act of 1996 (HIPAA)] and FERPA, there was significant misunderstanding about the scope and application of these laws and their interrelation with state laws. In a number of discussions, participants reported circumstances in which they incorrectly believed that they were subject to liability or foreclosed from sharing information under federal law. Other participants were unsure whether and how HIPAA and FERPA actually limit or allow information to be shared and unaware of exceptions that could allow relevant information to be shared. Report at page 7. The report went on to charge the Department with certain specific recommended actions: The U.S. Departments of Health and Human Services and Education should develop additional guidance that clarifies how information can be shared legally under HIPAA and FERPA and disseminate it widely to the mental health, education, and law enforcement communities. The U.S. Department of Education should ensure that parents and school officials understand how and when post-secondary institutions can share information on college students with parents. In addition, the U.S. Departments of Education and Health and Human Services should consider whether further actions are needed to balance more appropriately the interests of safety, privacy, and treatment implicated by FERPA and HIPAA. Report at page 8 (italics in original). The Department of Education and the Department of Health and Human Services are currently working together on guidance for our respective communities on these issues. This guidance is in addition to compliance training and guidance that the two agencies have provided since issuance of the HIPAA Privacy Rule in December 2000 and, more recently, since the events in April 2007 at Virginia Tech. Further, the Secretary has carefully considered the appropriate relationship between conditions associated with Federal funding and the exigencies of administering an agency or institution of education on a daily basis. In examining the application of FERPA to the recipients of Departmental funds, the Secretary is mindful that the ``health and safety'' exception does not allow disclosures on a routine, non- emergency basis. For example, the ``health and safety'' exception does not permit a school district to routinely share its student information database with the local police department. The present regulation, however, which merely admonishes that the regulation should be ``strictly construed,'' does not provide a standard to determine whether a particular disclosure complies with the statute. Consequently, the Secretary has decided to provide a new standard for the administration of this exception to the written consent requirement in FERPA. To assure that there are adequate safeguards on this exception, the Secretary requires that, considering the totality of the circumstances, there must be an articulable and significant threat to the health or safety of a student or other individuals, and that the disclosure be to any person whose knowledge of the information is necessary to protect against the threat. On the other hand, the Secretary has determined that greater flexibility and deference should be afforded to administrators so they can bring appropriate resources to bear on a circumstance that threatens the health or safety of individuals. To provide for appropriate flexibility and deference, the Secretary has determined that if, based on the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making its determination. In short, in balancing the interests of safety, privacy, and treatment, the Secretary proposes to revise the regulation to specify legal standards, but to couple those standards with greater flexibility and deference to administrators so they can bring appropriate resources to bear on a circumstance that threatens the health or safety of individuals. [[Page 15590]] 9. Directory Information (Sec. 99.37) Section 99.37(b) (Disclosure of Directory Information About Former Students) Statute: Under 20 U.S.C. 1232g(a)(5), (b)(1), and (b)(2), an educational agency or institution may disclose directory information without meeting FERPA's written consent requirements provided that it first notifies the parents or eligible student of the types of information that may be disclosed and allows them to opt out of the disclosure. The statute lists a number of items in the definition of directory information, including a student's name, address and telephone listing. The statute does not address procedures for disclosing directory information about former students. Current Regulations: Section 99.37(a) requires an educational agency or institution to provide public notice to parents of students in attendance and eligible students in attendance of the types of directory information that may be disclosed and the parent's or eligible student's right to opt out. Section 99.37(b) allows the agency or institution to disclose directory information about former students without providing the notice required under Sec. 99.37(a). Proposed Regulations: Proposed Sec. 99.37(b) clarifies that an agency or institution must continue to honor any valid request to opt out of directory information disclosures made while the individual was a student unless the parent or eligible student rescinds the decision to opt out of directory information disclosures. Reasons: Some institutions have indicated that Sec. 99.37(b) creates uncertainty about whether they must continue to honor a parent's or eligible student's decision to opt out of directory information disclosures once the student no longer attends the institution. The regulations are needed to clarify that while an agency or institution does not have to notify former students about its policy on directory information disclosures a |