Family Educational Rights and Privacy Act (FERPA)
Final Rule
34 CFR Part 99
Section-by-Section Analysis
December 2008
Under FERPA, 20 U.S.C. § 1232g, a parent or eligible student has a right to inspect and review the
student’s education records and to seek to have them amended in certain circumstances. A parent or
eligible student must also provide a signed and dated written consent before an educational agency or
institution discloses personally identifiable information from education records. Exceptions to this
requirement are set forth in § 99.31(a).
FERPA applies to any “educational agency or institution” that receives funds under any program
administered by the Department. See 34 CFR § 99.1(a). This includes all public K-12 school districts
and virtually all postsecondary institutions, public or private. For ease of reference, this document uses
the terms school or institution, school district or district, college, institution of higher education, and
postsecondary institution, as appropriate, in place of “educational agencies and institutions.” We have
noted all changes from the Notice of Proposed Rulemaking (NPRM) that was published in the Federal
Register on March 24, 2008 (73 FR 15574). For the purposes of this document, when we refer to
“current” regulations we mean the FERPA regulations that are in effect until January 8, 2009.
§ 99.3 Definitions
Attendance is defined currently to include attendance in person or by correspondence. (A “student” is
defined as an individual who is or has been “in attendance” at an educational agency or institution and
regarding whom the agency or institution maintains education records.) The final regulations add
other situations in which students “attend” classes but are not physically present, including attendance
by videoconference, satellite, Internet, or other electronic information and telecommunications
technologies. This change will ensure that individuals who receive instruction through distance
learning and other contemporary modalities are covered as “students” and, therefore, that their records
are protected under FERPA. No changes from the NPRM.
Directory information is defined currently as information that would not generally be considered
harmful or an invasion of privacy if disclosed. School districts and postsecondary institutions may
disclose directory information without consent if they have given the parent or eligible student notice
of the kinds of information they designate as directory information and an opportunity to opt out of
directory information disclosures. The statute and current regulations specifically list some items as
directory information, including a student’s name; address; telephone number; email address;
photograph; date and place of birth; enrollment status; and major field of study. Neither the statute nor
current regulations lists any items that may not be designated and disclosed as directory information.
SSNs and student ID numbers. Current regulations specify that a student’s Social Security
Number (SSN) and student ID number are “personally identifiable information” (see below)
but do not indicate whether these personal identifiers may be designated and disclosed as
directory information. The final regulations specifically prohibit the disclosure of a student’s
SSN as directory information; based on public comments, we modified the rule to allow student
ID numbers to be disclosed as directory information if they qualify as electronic identifiers
(discussed below). This will prevent districts and institutions from attaching these identifiers to
students’ names on sign-in sheets in classrooms, health clinics, etc.; prevent schools from
disclosing lists with these identifiers attached to students’ names, addresses, and other directory
information; and prevent teachers from using them to post grades. This change is intended to
help reduce the risk of unauthorized access to personal information and identity theft by
ensuring that schools do not make these identifiers available publicly. School officials will still
be able to use class lists with ID numbers but cannot make them available to students or
parents. Teachers that still post grades publicly will have to use a code known only to the
teacher and the student.
Electronic personal identifiers. Schools have indicated that the directories that support
electronic information systems used to deliver certain student services, such as Web-based
class registration, access to academic records and library resources, etc., require disclosure of
the user name or other personal identifier used by a student to gain access to these systems.
Public key infrastructure (PKI) technology for encryption and digital signatures also requires
wide dissemination of the sender’s public key, which is an identifier. The final regulations
allow school districts and postsecondary institutions to designate these electronic personal
identifiers as directory information, including student ID numbers, but only if the identifier
functions essentially as a name, i.e., it is not used by itself to authenticate identity and cannot
be used by itself to gain access to education records. A unique electronic identifier disclosed as
directory information may be used to provide access to education records, but only when the
identifier is combined with other authentication factors known only to the user, such as a secret
password or personal identification number (PIN), or some other method or combination of
methods to authenticate the user’s identity and ensure that the user is, in fact, a person
authorized to access the records. This change will ensure that institutions can use advanced
technologies to deliver student services and access to education records. As noted above,
parents and eligible students can opt out of directory information disclosures; those that do will
not be able to participate in student services that are delivered in this manner.
Disclosure is defined currently to mean permitting access to or the release, transfer, or other
communication of personally identifiable information from education records to any party by any
means. The final regulations exclude from “disclosure” returning an education record, or information
from an education record, to the party identified as the provider or creator of the record. This will
accomplish two things. First, a State consolidated record system can allow a school district or
postsecondary institution to have access to information that that district or institution provided to the
system without violating the statutory prohibition on redisclosure, 20 U.S.C. 1232g(b)(3). Second, it
will help schools deal with falsified transcripts, letters of recommendation, and other documents they
receive by allowing an institution that has received a questionable document to return it to the
ostensible sender for verification. (This second problem is also addressed in changes to § 99.31(a)(2),
discussed below.) In response to public comments, we clarify in the preamble to the final regulations
that we have no authority to exclude from the term “disclosure” a school district’s or institution’s
release or transfer of personally identifiable information from education records to its State
longitudinal data system or to parties that agree to keep the information confidential, and that the final
regulations do not authorize the release or transfer of education records to a student’s previous
institution that is not identified as the source of those records. No changes from the NPRM.
Education records are currently defined as records that are directly related to a “student” and
maintained by an “educational agency or institution” or by a party acting for the agency or institution.
(The term “student” excludes individuals who have not been in attendance at the agency or institution.)
Post-enrollment records. Current regulations exclude records that only contain information
about an individual after he or she is no longer a student at that school. This was intended to
apply to fundraising and similar types of records related to alumni. Some schools, however,
have mistakenly interpreted this provision to mean that any record created or received by the
institution after a student is no longer enrolled, regardless of the subject matter, is not an
“education record” under FERPA. For example, under this interpretation a settlement
agreement maintained by a school district related to a discrimination, wrongful death, or other
lawsuit brought by a parent after the student is no longer enrolled is not an “education record”
under FERPA and, therefore, could be subject to mandatory disclosure under an open records
law or otherwise released without consent to anyone. The final regulations clarify that records
that pertain to an individual’s previous attendance as a student are “education records” under
FERPA regardless of when they were created or received by the institution. No changes from
the NPRM.
Peer-grading (Owasso Indep. Sch. Dist. No. I-011 v. Falvo, 534 U.S. 426 (2002)). Under
FERPA a school may not disclose a student’s grades to another student without the prior
written consent of the parent or eligible student. “Peer-grading” is a common educational
practice in which teachers require students to exchange homework assignments, tests, and other
papers, grade one another’s work, and then either call out the grade or turn in the work to the
teacher for recordation. Even though peer-grading results in students finding out each other’s
grades, the U.S. Supreme Court in 2002 issued a narrow holding in Owasso that this practice
does not violate FERPA because grades on students’ papers are not “maintained” under the
definition of “education records” and, therefore, would not be covered under FERPA at least
until the teacher has collected and recorded them in the teacher’s grade book, a decision
consistent with the Department’s longstanding position on peer-grading. The Court rejected
assertions that students were “parties acting for” an institution when they scored each other’s
work and that the student papers were, at that stage, “maintained” within the meaning of
FERPA. Among other considerations, the Court expressed doubt that Congress intended to
intervene in such a drastic fashion with traditional State functions or that the “federal power
would exercise minute control over specific teaching methods and instructional dynamics in
classrooms throughout the country.” The final regulations create a new exception to the
definition of “education records” that excludes grades on peer-graded papers before they are
collected and recorded by a teacher. This change clarifies that peer-grading does not violate
FERPA. No changes from the NPRM.
Personally identifiable information. This is discussed below under § 99.31(b).
State auditor is not defined in current regulations. Sections 99.31(a)(3) and 99.35 of the current
regulations allow disclosure of education records to “State and local educational authorities” for audit
and evaluation of State and Federally funded education programs, or for the enforcement of or
compliance with Federal legal requirements that relate to those programs. Legislative history for Pub.
L. 96-46 (1979), which added 20 U.S.C. § 1232g(b)(5) to FERPA, indicates that Congress intended to
include State auditors within the statutory exception for “audits or evaluations.” H.R. Report 96-338 at
10, 14 (1979) and 125 Cong. Record S20327 (July 24, 1979) (statement of Sen. Pell). The amendment
is ambiguous, however, because the statutory language does not actually mention “auditors” and refers
only to “State and local educational officials.” We have been concerned about the potential breadth of
these disclosures given the ambiguity of the statutory term and the lack of detail in the legislative
history regarding which among many possible entities should be considered “State auditors.”
The proposed regulations addressed the issue by defining “State auditor” (§ 99.3) as a party under any
branch of government with authority and responsibility under State law for conducting audits, and
limited disclosures to “audits,” defined as “testing compliance with applicable laws, regulations, and
standards” (§ 99.35(a)(3)). We proposed this narrow definition of “audit,” which would limit which
entities would gain access to personally identifiable information in education records, in order to honor
congressional intent without opening the door to potential abuses by a multitude of agencies seeking
that information for their own purposes.
We received many comments opposing the proposed definition of “audits” because it would prevent
auditors from conducting “performance audits” (i.e., evaluations of program efficiency and
effectiveness), which are specifically included as professional services under the U.S. Comptroller’s
Generally Accepted Government Auditing Standards (GAGAS). Simply expanding the definition of
“audit” in the final regulations, however, would leave unaddressed our concern about the potential
breadth of the term “State auditor,” which our research has shown could include a large number and
variety of State officials and offices that perform a range of functions, depending on how the term is
defined or interpreted. In addition to the range of possible offices, titles, and functions, we identified a
number of important issues that would need to be addressed, such as whether a new definition should
include only auditors who follow GAGAS and the consequences of excluding certain officials. Given
these unresolved policy issues for which we do not have the benefit of public comment, and our legal
concern over making a substantive change without public comment, we decided to remove the State
auditor provisions from the final rule, continue to study the matter, and issue guidance or new
regulations, as appropriate.
§ 99.5 Disclosures to parents and rights of students. Under current regulations, all rights of parents
under FERPA, including the right to inspect and review education records, to seek to have education
records amended in certain circumstances, and to consent to the disclosure of education records,
transfer to the student once the student has reached 18 years of age or attends a postsecondary
institution and thereby becomes an “eligible student.” Current regulations also provide that even after
a student has become an “eligible student” under FERPA, postsecondary institutions (and high schools,
for students over 18 years of age) may allow parents to have access to their child’s education records,
without the student’s consent, in the following circumstances: the student is a dependent for Federal
income tax purposes (§ 99.31(a)(8)); the disclosure is in connection with a health or safety emergency
under the conditions specified in § 99.36 (i.e., if knowledge of the information is necessary to protect
the health or safety of the student or other individuals (§ 99.31(a)(10))); and for postsecondary
students, the student has violated any Federal, State or local law, or any rule or policy of the institution,
governing the use or possession of alcohol or a controlled substance, if the institution determines that
the student has committed a disciplinary violation regarding that use or possession and the student is
under 21 at the time of the disclosure (§ 99.31(a)(15)).
The Department has been concerned that some colleges and other postsecondary institutions do not
fully understand their options with regard to disclosing education records (or personally identifiable
information from education records) of eligible students to their parents and continue to believe
mistakenly that FERPA prevents them from releasing this information to parents under any
circumstances, including a health or safety emergency. The final regulations clarify that disclosures to
parents are permissible without the student’s consent under any of these three exceptions. That is, a
school may disclose education records to a parent of a dependent student under any circumstance; this
exception to the consent requirement is likely to cover the vast majority of traditional college students.
Even if a student is not a dependent, a postsecondary institution may disclose education records to a
student’s parent under the alcohol or controlled substance exception (§ 99.31(a)(15)) or in connection
with a health or safety emergency (§ 99.31(a)(10)) under the circumstances set forth in § 99.36,
discussed below. The change will help these institutions understand that while they may choose to
follow a policy of not disclosing information to the parents of eligible students, FERPA does not
prevent them from doing so in most circumstances. No changes from the NPRM.
§ 99.31(a)(1) School officials. Under current regulations, school districts and postsecondary
institutions may allow “school officials, including teachers, within the agency or institution” to have
access to students’ education records, without consent, if they have determined that the official has
“legitimate educational interests” in the information. Under § 99.7, a district or postsecondary
institution that discloses information under this exception must include in its annual FERPA
notification for parents and students a specification of criteria for determining who constitutes a school
official and what constitutes a legitimate educational interest. Disclosures to school officials with
legitimate educational interests are not subject to the recordation requirements in § 99.32.
§ 99.31(a)(1)(i)(B) Outsourcing. Neither the statute nor current regulations addresses
disclosure of education records without consent to non-employees retained to perform
institutional services and functions. The final regulations expand the “school officials”
exception to include contractors, consultants, volunteers, and other outside service providers
used by a school district or postsecondary institution to perform institutional services and
functions. A contractor (or other outside service provider) that is given access to education
records under this provision must be under the direct control of the disclosing institution and
subject to the same conditions on use and redisclosure of education records that govern other
school officials (see § 99.33). In particular, the contractor must ensure that only individuals
with legitimate educational interests (as determined by the district or institution, as appropriate)
obtain access to personally identifiable information from education records it maintains (or
creates) on behalf of the district or institution. Further, in accordance with § 99.33(a) and (b),
the contractor may not redisclose personally identifiable information without consent unless the
district or institution has authorized the redisclosure under a FERPA exception and the district
or institution records the subsequent disclosure. A district or institution may not disclose
education records to an outside service provider under this exception unless it has specified in
its annual FERPA notification that it uses contractors, consultants, volunteers, etc. as school
officials to provide certain institutional services and functions. A district’s or institution’s
recordation of a disclosure to an outside service provider will not waive its failure to comply
with the annual notification requirements for outside service providers.
This change is consistent with the Department’s longstanding guidance that FERPA does not
require school districts and postsecondary institutions to provide all institutional services and
functions on an in-house basis. As institutions have expanded the range of services they
outsource, from traditional legal and debt collection services to fundraising, enrollment and
degree verification, transcript distribution, and information technology (IT) services and more,
the need to establish in regulations the conditions for these non-consensual disclosures has
become critical. In addition to requiring the disclosing institution to have direct control over its
outside service providers’ maintenance and use of education records, the regulations explain
that disclosure is permitted under this exception only if the district or institution is outsourcing
a service it would otherwise provide using employees. For example, postsecondary institutions
may not use this exception to disclose education records, without consent, to a financial
institution or insurance company that provides a good student discount on services that the
institution would not otherwise provide. This will prevent uncontrolled designation of outside
parties as “school officials” for marketing and other purposes for which non-consensual
disclosure of education records is not authorized by statute.
In response to public comments, the preamble to the final regulations explains that State
educational authorities that operate State longitudinal data systems are not “school officials”
under this exception and that disclosures to these State systems generally fall under the “audit
or evaluation” exception. The preamble also explains how a district or institution may disclose
education records without consent to its own law enforcement unit under the school officials’
exception but not to outside police officers. We revised the regulations to clarify that the
“direct control” requirement means control of the outside service provider’s maintenance and
use of information from education records and is not intended to affect the outside party’s
status as an independent contractor or render that party an employee under State or Federal law.
§ 99.31(a)(1)(ii) Controlling access to education records by school officials. Current
regulations do not specify what steps, if any, a school district or postsecondary institution must
take to enforce the “legitimate educational interests” requirement in the school officials’
exception. Parents and students have complained that school officials have unrestricted access
to the education records of all students in a district’s or institution’s system, particularly in
districts and institutions where records are maintained electronically. Institutions themselves
have expressed uncertainty about what methods they should use to comply with this
requirement when establishing or upgrading their recordkeeping systems.
The final regulations require school districts and postsecondary institutions to use “reasonable
methods” to ensure that teachers and other school officials (including outside service providers)
obtain access to only those education records -- paper or electronic -- in which they have
legitimate educational interests. Many districts and postsecondary institutions already use
physical or technological controls to protect education records against unauthorized access,
such as locks on filing cabinets for paper records and software applications with role-based
access controls for electronic records. Under the final regulations, districts and institutions may
forgo physical or technological controls and rely instead on administrative policies for
controlling access to education records by school officials. Those that choose this method must
ensure that their administrative policy is effective and that they remain in compliance with the
legitimate educational interest requirement for accessing records. In particular, if a parent or
eligible student alleges that a school official obtained access to the student’s records without a
legitimate educational interest, the burden is on the district or institution to show that the school
official had a legitimate educational interest in the information. In response to public
comments, the preamble to the final regulations explains that the requirement for using
“reasonable methods” applies whether an agency or institution uses physical, technological, or
administrative controls to restrict access to education records by school officials.
The preamble to the NPRM suggested that districts and institutions should consider restricting
or tracking access to education records by school officials to ensure that they remain in
compliance with this requirement. (Recommendations for safeguarding education records from
unauthorized access and disclosure outside the institution itself are discussed below.)
In terms of assessing the reasonableness of methods used to control access to education records
by school officials, the preamble to the final regulations explains that the risk of unauthorized
access means the likelihood that records may be targeted for compromise and the harm that
could result. Methods are considered reasonable if they reduce the risk to a level
commensurate with the likely threat and potential harm. The greater the harm that would
result, the more protections a school or district must use to ensure that its methods are
reasonable. For example, high-risk records, such as SSNs and other information that could be
used for identity theft, should generally receive greater and more immediate protection than
medium- or low-risk records, such as those containing only publicly available directory
information. We note also that reasonableness depends ultimately on what are the usual and
customary good business practices of similarly situated institutions, which, in turn, requires
ongoing review and modification of methods and procedures as standards and technologies
change.
Many institutions use software with role-based security features that limit an individual’s
access to electronic records based on their professional responsibilities and, therefore, already
comply with the final regulations. Those that do not will now have specific guidance for
updating or upgrading the security of their recordkeeping systems as appropriate. No changes
from the NPRM.
§ 99.31(a)(2) Student’s new school. Under current regulations, a school district or postsecondary
institution may disclose education records, without consent, to officials of another school, school
system, or postsecondary institution where a student “seeks or intends to enroll.” There has been
uncertainty in the education community about whether the “seeks or intends to enroll” language in the
statute and current regulations authorizes a district or institution to send, or continue sending,
education records to a student’s new school once the student has actually enrolled. The final
regulations clarify that the authority to disclose or transfer education records to a student’s new school
does not cease automatically the moment a student has enrolled and continues to any future point in
time so long as the disclosure is for purposes related to the student’s enrollment or transfer. In
response to public comments, we explain in the preamble to the final regulations that this means that a
school may disclose any records or information, including health and disciplinary records, that the
school could have disclosed when the student was seeking or intending to enroll in the new school.
We also explain in the preamble to the final regulations that there are other Federal laws, such as the
Individuals with Disabilities Education Act (IDEA), §504 of the Rehabilitation Act of 1973, and Title
II of the Americans with Disabilities Act of 1990 (ADA), with different requirements that may affect
the release of student information. For example, §504 generally prohibits postsecondary institutions
from making pre-admission inquiries about an applicant’s disability status. However, after admission,
§504 and Title II of the ADA do not prohibit institutions from obtaining information concerning a
current student, including those with disabilities, from any school previously attended by the student in
connection with an emergency and if necessary to protect the health or safety of a student or other
persons under FERPA.
The clarification regarding the nature of the disclosure authority under this section will allow a
student’s previous school to supplement, update, or correct any records it sent during the student’s
application or transfer period. Combined with the changes to the definition of “disclosure” (described
earlier) that allow a student’s new school to return a transcript or other document to the purported
sender or creator of the record, this change will also allow a student’s previous school to identify any
falsified or fraudulent records and explain the meaning of any records disclosed previously to the new
school. No changes from the NPRM.
§ 99.31(a)(6) Organizations conducting studies. Current regulations restate the statutory provision
that allows a school district or postsecondary institution to disclose personally identifiable information
from education records, without consent, to organizations conducting studies “for, or on behalf of” the
disclosing institution for purposes of developing, validating, or administering predictive tests;
administering student aid programs; or improving instruction. (Note that under changes to § 99.35(b),
discussed below, this exception now applies also to State educational agencies (SEAs) and State higher
education authorities that receive education records without consent from school districts and
postsecondary institutions under § 99.31(a)(3) for audit, evaluation, or enforcement purposes.) Under
current regulations, information disclosed under this exception must be protected so that students and
their parents cannot be personally identified by anyone other than representatives of the organization
conducting the study, and must be destroyed when no longer needed for the study. Failure to destroy
information in accordance with this requirement could lead to a five-year ban on the disclosure of
information to that organization.
Current regulations do not explain what “for, or on behalf of” means. Organizations seeking to
conduct independent research have asked for clarification about the circumstances in which personally
identifiable information from education records may be disclosed without consent under this
exception, and districts and institutions have asked whether they may use this exception even if they
have no particular interest in the proposed study.
The final regulations require a school district or postsecondary institution that uses this exception to
enter into a written agreement with the recipient organization that specifies the purposes of the study.
The written agreement must specify that information from education records may only be used to meet
the purposes of the study stated in the written agreement and must contain the current requirements in
§ 99.31(a)(6) on redisclosure and destruction of information, as described above. In response to public
comments, we revised the regulations to require that the written agreement must require the
organization to conduct the study in a manner that does not permit personal identification of parents
and students by anyone other than representatives of the organization with legitimate interests. The
final regulations also require that the written agreement must specify the purpose, scope, and duration
of the study and the information to be disclosed; require the organization to destroy or return all
personally identifiable information when no longer needed for the purposes of the study; and specify
the time period during which the organization must either destroy or return the information.
In response to public comments we added a new provision in the regulations stating that an agency or
institution is not required to initiate research requests or agree with or endorse the conclusions or
results of the study when disclosing information under this exception. However, the statutory language
“for, or on behalf of” indicates that the disclosing district or institution agrees with the purposes of the
study and retains control over the information from education records that is disclosed. The written
agreement required under the regulations will help ensure that information disclosed under this
exception is used only to meet the purposes of the study as stated in the agreement and that all
redisclosure and destruction requirements are met.
We also explain in the preamble to the final regulations that although disclosure of personally
identifiable information without consent is allowed for studies under this exception, we recommend
that whenever possible agencies and institutions either release de-identified information or remove
students’ names and SSNs to reduce the risk of unauthorized disclosure of personally identifiable
information.
Applicability of this provision to SEAs and State higher educational authorities that redisclose
personally identifiable information from education records on behalf of school districts and
postsecondary institutions is discussed below under § 99.35(b).
§ 99.31(a)(9)(ii) Ex parte court orders under USA Patriot Act. Current regulations do not address
amendments to FERPA under the USA Patriot Act, Pub. L. 107-56, which authorizes the U.S.
Attorney General (or designee) to apply for an ex parte court order that allows the Attorney General to
collect education records from an educational agency or institution, without the consent or knowledge
of the student or parent, that are relevant to an investigation or prosecution of an offense listed in 18
U.S.C. 2332b(g)(5)(B) or an act of domestic or international terrorism specified in 18 U.S.C. 2331.
Under the statutory amendment and final regulations, school districts and postsecondary institutions
are allowed to make these disclosures without consent or notice to the parent or student that would
otherwise be required under § 99.31(a)(9) of the regulations and without recording the disclosure under
§ 99.32(a). Note that the court order itself may instruct the district or institution not to notify the
parent or student or record the disclosure of education records, or disclose the existence of the ex parte
order to any party.
The district or institution that is served by the Attorney General with an ex parte court order under this
exception should ensure that the order is facially valid, just as it does when determining whether to
comply with other judicial orders and subpoenas under § 99.31(a)(9). It is not, however, required or
authorized to examine the underlying certification of facts that the Attorney General is required to
present to the court in the Attorney General’s application for the order. No changes from the NPRM.
§ 99.31(a)(16) Registered sex offenders. The Campus Sex Crimes Prevention Act (CSCPA), which
is § 1601(d) of the Victims of Trafficking and Violence Protection Act of 2000, Pub. L. 106-386,
created a new exception to the consent requirement in FERPA that allows school districts and
postsecondary institutions to disclose information concerning registered sex offenders provided under
State sex offender registration and campus community notification programs for institutions of higher
education required under the Wetterling Act, 42 U.S.C. 14071. Under the Wetterling Act, States must
require certain sex offenders to register their name and address with the State authority where the
offender lives, works, or is enrolled as a student. States are also required to release relevant
information necessary to protect the public concerning persons required to register under what are
known as “community notification programs.”
CSCPA contains registration and notice requirements designed specifically for higher education
campus communities, including a requirement that States collect information about a registered
offender’s enrollment or employment at an institution of higher education, along with any change in
enrollment or employment status at the institution, and make this information available promptly to a
campus police department or other appropriate law enforcement agency. CSCPA also amended the
Higher Education Act of 1965 (HEA) by requiring institutions of higher education to advise the
campus community where it can obtain information about registered sex offenders provided by the
State under the Wetterling Act, such as a campus law enforcement office, a local law enforcement
agency, or a computer network address. While the FERPA amendment was made in the context of
CSCPA’s amendments applicable to the higher education community, the Department determined that
all agencies and institutions, including elementary and secondary schools and school districts, are
covered by the amendment.
The regulations add a new exception that allows a school district or postsecondary institution to
disclose without consent information it has received from a State under the Wetterling Act about a
student who is required to register as a sex offender in the State. In response to comments, we
removed the sentence stating that nothing in FERPA requires or encourages a school district or
institution to collect or maintain information about registered sex offenders because it could be
confusing and could discourage schools from disclosing relevant information about a registered sex
offender in appropriate circumstances. Note that disclosures under this exception are required to
comply with guidelines issued by the U.S. Attorney General for State community notification
programs, which were published in the Federal Register on Jan. 5, 1999 (64 FR 572) and Oct. 25,
2002 (67 FR 65598).
§ 99.31(b) De-identification of information. Education records may be released without consent
under FERPA if all personally identifiable information has been removed. The final regulations
provide objective standards under which school districts, postsecondary institutions, SEAs, State
higher education authorities, and any other party may release, without consent, education records, or
information from education records, that has been de-identified through the removal of all “personally
identifiable information” taking into account unique patterns of information about the student, whether
through single or multiple releases, and other reasonably available information. The new standards
apply to both individual, redacted records and statistical information from education records in both
student level or microdata and aggregate form.
Under current regulations, personally identifiable information (PII) includes a student’s name and
other direct personal identifiers, such as the student’s SSN or student number. PII also includes
indirect identifiers, such as the name of the student’s parent or other family members; the student’s or
family’s address, and personal characteristics or other information that would make the student’s
identity easily traceable. The final regulations add biometric records to the list of personal identifiers
that constitute PII, and add other indirect identifiers, such as date and place of birth and mother’s
maiden name, as examples of identifiers that should be considered in determining whether information
is personally identifiable. In response to public comments, the final regulations define “biometric
record” to mean a record of one or more measurable biological or behavioral characteristics that can be
used for automated recognition of an individual, including fingerprints, retina and iris patterns,
voiceprints, DNA sequence, facial characteristics, and handwriting. The definition is based on
National Security Presidential Directive 59 and Homeland Security Presidential Directive 24.
The final regulations remove from the definition of PII the reference to “other information that would
make the student’s identity easily traceable” because the phrase lacked specificity and clarity, and
possibly suggested a fairly low standard for protecting education records. In its place, the regulations
add that PII includes “other information that, alone or in combination, is linked or linkable to a specific
student that would allow a reasonable person in the school community, who does not have personal
knowledge of the relevant circumstances, to identify the student with reasonable certainty.” This
change brings the definition more in line with recent Office of Management and Budget (OMB)
guidance to Federal agencies, with modifications tailored to the educational community. (See OMB
M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information”
at footnote 1: http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf.) Under the final
regulations, PII also includes “information requested by a person who the educational agency or
institution reasonably believes knows the identity of the student to whom the education record relates.”
The definition of PII provides objective standards for districts, institutions, SEAs, State higher
education authorities, and other parties that release information, either at will or in response to an open
records request, to use in determining whether they may release information, including in special cases
such as those involving well-known students or records that concern highly publicized incidents. In
response to public comments, we clarify in the preamble to the final regulations that the disclosing
party must look to local news, events, and media coverage in the “school community” in determining
whether “other information” (i.e., information other than direct and indirect identifiers listed in the
definition of PII), would make a particular record personally identifiable even after all direct identifiers
have been removed. In regard to so-called targeted requests, the final regulations clarify that a party
may not release information from education records if the requester asks for the record of a particular
student, or if the party has reason to believe that the requester knows the identity of the student to
whom the requested records relate. These standards for determining whether records contain PII also
apply to the release of statistical information from education records, in particular small data cells that
may identify students.
Under the final regulations a party that releases either redacted records or statistical information should
also consider other information that is linked or linkable to a student, such as law enforcement records,
published directories, and other publicly available records that could be used to identify a student, and
the cumulative effect of disclosure of student data. In all cases, the disclosing party must determine
whether the other information that is linked or linkable to an education record would allow a
“reasonable person in the school community” to identify the student “with reasonable certainty.” (In
response to public comment, we changed “school or its community” to “school community” to avoid
confusion.) The regulations recognize that the risk of disclosing PII cannot be
completely eliminated and that avoiding disclosure is always a matter of analyzing and balancing risk so that the risk of
disclosure is very low. The reasonable certainty standard in the new definition of PII requires such a
balancing test.
In regard to statistical information from education records, the final regulations recognize that it is not
possible to prescribe a single disclosure limitation method to apply in every circumstance to minimize
the risk of disclosing PII. The preamble to the final regulations does, however, provide several
examples of the kinds of statistical, scientific, and technological concepts used by the Federal
statistical agencies that can assist parties in developing a sound approach to de-identifying information
for release depending on what information has already been released and what other information is
publicly available.
The final regulations also codify the Department’s November 18, 2004, guidance to the Tennessee
Department of Education by allowing a disclosing party to attach a code to properly de-identified
student level information for education research, which would allow the recipient to match information
received from the same source. (The recipient may not have access to any information about how the
disclosing party generates and assigns a record code, or that would allow the recipient to identify a
student based on the record code; certain other conditions apply.) A party that releases data under this
provision must ensure that the identity of any student cannot be determined with reasonable certainty
in this “coded data,” including assurances of sufficient cell and subgroup size, and the linking key that
connects the code to student information cannot be shared with the requesting party. The Department
believes that these standards establish an appropriate balance that facilitates educational research and
accountability while preserving the privacy protections in FERPA. As noted above, the Department
cannot specify in general which disclosure limitation methods should be used in any particular case.
However, parties are directed to monitor releases of coded microdata to ensure that overlapping or
successive releases do not result in data sets in which PII is disclosed.
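An added illustration (not part of the Department's analysis or the regulations) of one way a disclosing party could generate record codes and check successive releases, as the coded-data provision above describes. The HMAC-based code, the minimum cell size of 10, the field names, and the sample records are all assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Assumption: the page sets no numeric threshold; 10 is an illustrative value.
MIN_CELL_SIZE = 10


def new_linking_key() -> bytes:
    """Secret held only by the disclosing party; never sent to the recipient."""
    return secrets.token_bytes(32)


def record_code(student_id: str, linking_key: bytes) -> str:
    """Keyed code: stable for one student under one key, so releases from the
    same source can be matched, but not derivable without the key."""
    mac = hmac.new(linking_key, student_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:16]


def release(records, fields, linking_key, min_cell=MIN_CELL_SIZE):
    """Release only `fields` plus a record code, dropping rows whose
    combination of field values is shared by fewer than `min_cell` students."""
    def cell(r):
        return tuple(r[f] for f in fields)

    counts = Counter(cell(r) for r in records)
    rows = []
    for r in records:
        if counts[cell(r)] < min_cell:
            continue  # small cell: suppress rather than release
        row = {f: r[f] for f in fields}
        row["record_code"] = record_code(r["student_id"], linking_key)
        rows.append(row)
    return rows


def small_cells_after_linking(release_a, release_b, min_cell=MIN_CELL_SIZE):
    """Join two releases on record_code, as a recipient could, and return the
    combined cells that fall below `min_cell` once the fields are merged."""
    b_by_code = {row["record_code"]: row for row in release_b}
    combined = Counter()
    for row in release_a:
        other = b_by_code.get(row["record_code"])
        if other is None:
            continue
        merged = {**row, **other}
        merged.pop("record_code")
        combined[tuple(sorted(merged.items()))] += 1
    return {c: n for c, n in combined.items() if n < min_cell}


def sample_records():
    """Constructed data: 24 students, two grades, two lunch statuses. Each
    single attribute has cells of 12, but grade x lunch has two cells of 1."""
    rows = []
    for i in range(24):
        rows.append({
            "student_id": f"S{i:04d}",       # direct identifier, never released
            "name": f"Student {i}",          # direct identifier, never released
            "school": "North",
            "grade": 7 if i < 12 else 8,
            "lunch_status": "free" if (i < 11 or i == 12) else "paid",
        })
    return rows


if __name__ == "__main__":
    key = new_linking_key()
    data = sample_records()
    first = release(data, ("school", "grade"), key)
    second = release(data, ("school", "lunch_status"), key)
    # Each release passes the cell-size check alone; the linked view does not.
    for cell, n in small_cells_after_linking(first, second).items():
        print("combined cell below threshold:", dict(cell), "n =", n)
```

Running the linking check before each new release is one way to carry out the monitoring of overlapping or successive releases that the paragraph above calls for.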
§ 99.31(c) Identification and authentication of identity. The final regulations require a school
district or postsecondary institution to use reasonable methods to identify and authenticate the identity
of parents, students, school officials, and any other parties to whom they disclose education records.
Current regulations do not address this issue. Authentication of identity is more complex for
disclosure of electronic records as new methods and technologies are developed. Under the final
regulations, districts and institutions may use PINs, passwords, personal security questions; “smart
cards” and tokens; biometric indicators; or other factors known or possessed only by the user, as
appropriate. No changes from the NPRM.
§ 99.33 Redisclosure of education records. Current regulations prohibit recipients of education
records, without prior written consent, from redisclosing personally identifiable information from the
records unless the agency or institution disclosed the information with the understanding that the
recipient may make further disclosures on its behalf under one of the exceptions in § 99.31 and the
agency or institution records the redisclosure.
§ 99.35(b)(1) By Federal and State officials. Current regulations do not permit Federal and
State officials that receive education records under §§ 99.31(a)(3) and 99.35 for audit,
evaluation, and compliance and enforcement purposes to redisclose education records under the
conditions of § 99.33(b). The final regulations permit these officials to redisclose education
records under the same conditions that apply currently to other recipients of education records.
For example, an SEA that has obtained education records for audit, evaluation, or compliance
and enforcement purposes may redisclose the records for other qualifying purposes under
§ 99.31. These include forwarding records to a student’s new school district and to another
official listed in § 99.31(a)(3) (such as the Secretary, or an SEA or State higher education
authority) for another qualifying audit, evaluation, or compliance and enforcement purpose.
This will facilitate the development of consolidated State data systems used for accountability
and research purposes. The final regulations also allow State and Federal officials to redisclose
education records under other exceptions listed in § 99.31(a), including disclosures to an
accrediting agency; in connection with a health or safety emergency; and in compliance with a
court order or subpoena. No changes from the NPRM.
§ 99.33(b)(2) Under court order or subpoena. The final regulations require an SEA or other
party that rediscloses education records on behalf of an educational agency or institution in
compliance with a court order or subpoena to comply with the parental notification
requirements in § 99.31(a)(9)(ii) before it responds to the order or subpoena. We also revised
the five-year penalty rule in § 99.33(e) so that if the Department determines that a third party,
such as an SEA, does not notify the parent as required, the agency or institution may not allow
that third party access to education records for at least five years.
§ 99.33(c) Clery Act. Under current regulations implementing the Jeanne Clery Disclosure of
Campus Security Policy and Campus Crimes Statistics Act (Clery Act) in the HEA,
postsecondary institutions are required to inform both the accuser and accused of the outcome
of any institutional disciplinary proceeding brought alleging a sex offense. Current FERPA
regulations permit a postsecondary institution to disclose the outcome of a disciplinary
proceeding to a victim of an alleged perpetrator of a crime of violence or a non-forcible sex
offense, regardless of the outcome, but only on the condition that the institution notify the
recipient that he or she may not redisclose the information without the student-perpetrator’s
consent. Some postsecondary institutions have required the victim to execute a non-disclosure
agreement before they release the information required under the Clery Act. The Department
has determined that the statutory prohibition on redisclosure of information from education
records in FERPA does not apply to information that a postsecondary institution is required to
release to students under the Clery Act. The final regulations provide that disclosures under the
Clery Act are not subject to the prohibition on redisclosure in § 99.33(a) and that postsecondary
institutions may not require the victim to execute a non-disclosure or confidentiality agreement
in order to receive information that the institution is required to disclose under the Clery Act.
No changes from the NPRM.
§ 99.32 Recordkeeping requirements. Current regulations require an educational agency or
institution to maintain a record of redisclosures it has authorized under § 99.33(b), including the names
of the additional parties to which the receiving party may further disclose the information on behalf of
the agency or institution and their legitimate interests under § 99.31 in receiving the information. In
response to public comments on this issue, and in order to ease the administrative burdens of
recordkeeping, we revised the regulations to require a State or Federal official that rediscloses
education records on behalf of an agency or institution to comply with these recordation requirements
if the agency or institution does not do so, and to make the record available to an educational agency or
institution upon request within a reasonable period of time not exceeding 30 days. An educational
agency or institution is required to obtain a copy of the State or Federal official’s record of further
disclosures and make it available in response to a parent’s or eligible student’s request to review the
student’s record of disclosures. The regulations also allow a State or Federal official to maintain the
record by the student’s class, school, district, or other grouping rather than by the name of the student.
§ 99.36 Health and safety emergencies. Current regulations state, in part, that an educational agency
or institution may disclose personally identifiable information from education records to appropriate
parties in connection with an emergency if knowledge of the information is necessary to protect the
health or safety of the student or other individuals. The current regulations also state that the health
and safety emergencies provisions must be “strictly construed.”
The final regulations remove the language requiring strict construction of this exception and add a
provision that says that, in making a determination under § 99.36, an educational agency or institution
may take into account the totality of the circumstances pertaining to a threat to the safety or health of
the student or other individuals. If the school determines that there is an articulable and significant
threat to the health or safety of a student or other individuals, it may disclose information from
education records to appropriate parties whose knowledge of the information is necessary to protect the
health and safety of the student or other individuals. In response to public comments, we revised the
recordkeeping requirements in § 99.32(a)(5) by requiring an educational agency or institution to record
the articulable and significant threat that formed the basis for the disclosure and the parties to whom
the information was disclosed. If there is a rational basis for the determination, the Department will
not substitute its judgment for that of the educational agency or institution in deciding to release the
information. Section 99.36 also provides that “appropriate parties” include “parents of an eligible
student.” In response to public comments, the preamble to the final regulations clarifies the
circumstances under which an educational agency or institution may release without consent an
eligible student’s “treatment records” for purposes other than treatment.
These changes were made as a result of issues that were raised after the Virginia Tech tragedy in April
2007. In the first instance, the Secretary determined that greater flexibility and deference should be
afforded to administrators so that they can bring appropriate resources to bear on circumstances that
threaten the health or safety of individuals. With regard to the second amendment adding “parents” to
those considered an “appropriate party,” this change will clarify to colleges and universities that
parents may be notified when there is a health or safety emergency involving their son or daughter,
notwithstanding any FERPA provision that might otherwise prevent such a disclosure.
§ 99.37 Directory information. Current regulations permit the disclosure of properly designated
directory information without meeting FERPA’s written consent requirement. A school must
designate the categories to be disclosed and permit students the opportunity to opt out before making
such disclosures.
§ 99.37(b) Former students. Current regulations permit schools to disclose directory
information on former students without providing notice as otherwise required or an additional
opt-out opportunity. The final regulations require schools to honor a former student’s opt-out
request made while in attendance unless it has been specifically rescinded by the former
student. This will make clear that schools may not disclose the directory information of a
former student if the student opted out of the disclosure while the student was in attendance.
No changes from the NPRM.
§ 99.37(c) Student identification and communication in class. Current regulations do not
address whether a student who opts out of directory information disclosures may prevent
school officials from identifying the student by name or from disclosing the student’s electronic
identifier or institutional email address in class. The final regulations provide specifically that
an opt out of directory information disclosures does not prevent a school from identifying a
student by name or from disclosing a student’s electronic identifier or institutional email
address in class. This change clarifies that a right to opt out of directory information
disclosures does not include a right to remain anonymous in class, and may not be used to
impede routine classroom communications and interactions, whether class is held in a specified
physical location or on-line through electronic communications. No changes from the NPRM.
§ 99.37(d) Use of SSNs. Current regulations do not specifically prohibit the use of SSNs to
identify students when disclosing or confirming directory information. The final regulations
prohibit the use of an SSN as an identification element when disclosing or confirming directory
information unless the student has provided written consent for the disclosure. Some
institutions and vendors providing services such as degree verifications on behalf of the
institution currently use a student’s SSN as a means of confirming identity. Unless the student
has provided prior written consent to confirm the SSN, this implicit confirmation of the SSN is
improper under FERPA. No changes from the NPRM.
§ 99.62, § 99.64, § 99.65, § 99.66, § 99.67 Enforcement Provisions. Current regulations contain a
number of provisions that address the Department’s authority, through the Family Policy Compliance
Office (FPCO), to investigate a school district or postsecondary institution when a parent or eligible
student files a complaint. The final regulations enhance and clarify the Department’s enforcement
responsibilities as described in Gonzaga University v. Doe, 536 U.S. 273 (2002). In particular, the
regulations clarify that FPCO may investigate allegations that FERPA has been violated made by a
school official or some other party that is not a parent or eligible student, including information that
has been brought to the attention of the Department by media reports. The regulations also clarify that
a complaint does not have to allege that an institution has a policy or practice of violating FERPA in
order for the Department to initiate an investigation or find the institution in violation. In response to
public comments, we removed a provision in the proposed rules that would have required FPCO to
find that an educational agency or institution has a policy or practice in violation of FERPA in order to
take any enforcement action because it unnecessarily limited the Department’s enforcement authority.
Safeguarding recommendations. The preambles to the NPRM and final regulations contain non-
binding recommendations to help agencies and institutions face significant challenges in safeguarding
education records from unauthorized access and disclosure. These challenges include inadvertent
posting of students’ grades or financial information on publicly available Web servers; theft or loss of
laptops and other portable devices that contain education records; computer hacking; and failure to
retrieve education records at termination of employment. Agencies and institutions are encouraged to
review the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-100,
“Information Security Handbook: A Guide for Managers,” and NIST SP 800-53, “Recommended
Security Controls for Federal Information Systems” for guidance and to use any methods or
technologies they determine are reasonable to mitigate the risk of unauthorized access and disclosure
taking into account the likely harm that would result. The recommendations also include suggested
responses to data breaches and other unauthorized disclosures, such as reporting the incident to law
enforcement authorities; taking steps to retrieve data and prevent further disclosures; identifying all
affected records and students; determining how the incident occurred; determining whether
institutional policies and procedures were breached; and conducting a risk assessment. Notification of
students is not required but recommended.