2011 30683

Vol.
76 Friday,
No. 232 December 2, 2011
Part II
Department of Education
34 CFR Part 99
Family Educational Rights and Privacy; Final Rule
mstockstill on DSK4VPTVN1PROD with RULES2
VerDate Mar<15>2010 19:14 Dec 01, 2011 Jkt 226001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\02DER2.SGM 02DER2
75604 Federal Register / Vol. 76, No. 232 / Friday, December 2, 2011 / Rules and Regulations
DEPARTMENT OF EDUCATION in the Federal Register (76 FR 19726). requirements related to directory
In the preamble to the NPRM, the information to clarify (1) that the right
34 CFR Part 99 Secretary stated that the proposed to opt out of the disclosure of directory
[DOCKET ID ED2011OM0002] changes were necessary to ensure the information under FERPA does not
Departments proper implementation of include the right to refuse to wear, or
RIN 1880AA86 FERPA, while allowing for the effective otherwise disclose, a student
use of student data, and to address other identification (ID) card or badge; (2) that
Family Educational Rights and Privacy issues identified through the schools may implement a limited
AGENCY: Office of Management, Departments experience in directory information policy in which
Department of Education. administering FERPA. they specify the parties or purposes for
ACTION: Final regulations.
Protecting student privacy is which the information is disclosed; and
paramount to the effective (3) the Departments authority to hold
SUMMARY: The Secretary of Education implementation of FERPA. All State educational authorities and other
(Secretary) amends the regulations education data holders must act recipients of Department funds under a
implementing section 444 of the General responsibly and be held accountable for program administered by the Secretary
Education Provisions Act (GEPA), safeguarding students personally accountable for compliance with
which is commonly referred to as the identifiable information (PII) from FERPA.
Family Educational Rights and Privacy education records. The need for clarity We believe that the regulatory
Act (FERPA). These amendments are surrounding privacy protections and changes adopted in these final
needed to ensure that the U.S. data security continues to grow as regulations provide clarification on
Department of Education (Department statewide longitudinal data systems many important issues that have arisen
or we) continues to implement FERPA (SLDS) are built and more education over time with regard to how FERPA
in a way that protects the privacy of records are digitized and shared applies to SLDS and to other requests
education records while allowing for the electronically. As States develop and for data on student progress.
effective use of data. Improved access to refine their information management Additionally, educational agencies and
data will facilitate States ability to systems, it is critical that they take steps institutions continue to face
evaluate education programs, to ensure to ensure that student information is considerable challenges implementing
limited resources are invested protected and that PII from education directory information policies that help
effectively, to build upon what works records is disclosed only for authorized them maintain safe campuses and
and discard what does not, to increase purposes and under circumstances protect PII from education records from
accountability and transparency, and to permitted by law. (When we use the potential misuse, such as identity theft.
contribute to a culture of innovation and term disclose in this document, we These final regulations, as well as the
continuous improvement in education. sometimes are referring to redisclosures discussion in the preamble, will assist
The use of data is vital to ensuring the as well.) school officials in addressing these
best education for our children. The amendments reflected in these challenges in a manner that complies
However, the benefits of using student final regulations establish the with FERPA. These final regulations
data must always be balanced with the procedures that State and local also respond to the September 2010 U.S.
need to protect student privacy. educational authorities, and Federal Government Accountability Office
Protecting student privacy helps achieve agencies headed by officials listed in (GAO) study entitled Many States
a number of important goals, including 99.31(a)(3) (FERPA-permitted entities), Collect Graduates Employment
avoiding discrimination, identity theft, their authorized representatives, and Information, but Clearer Guidance on
as well as other malicious and damaging organizations conducting studies must Student Privacy Requirements Is
criminal acts. follow to ensure compliance with Needed, by clarifying the means by
FERPA. The amendments also reduce which States can collect and share
DATES: These regulations are effective
barriers that have inhibited the effective graduates employment information
January 3, 2012. However, State and use of SLDS as envisioned in the under FERPA.
local educational authorities, and America Creating Opportunities to Finally, we have discussed with the
Federal agencies headed by officials Meaningfully Promote Excellence in U.S. Department of Agriculture (USDA)
listed in 99.31(a)(3) with written Technology, Education, and Science Act the potential effect of these regulations
agreements in place prior to January 3, (the America COMPETES Act) (Pub. L. on the use of information regarding
2012, must comply with the existing 11069) and the American Recovery and individual childrens eligibility for free
requirement in 99.35(a)(3) to use Reinvestment Act of 2009 (ARRA) (Pub. or reduced price school meals in the
written agreements to designate any L. 1115). Finally, by expanding the National School Lunch and School
authorized representatives, other than requirements for written agreements and Breakfast Programs (School Meals
employees, only upon any renewal of or the Departments enforcement Programs or SMPs) in connection with
amendment to the written agreement mechanisms, the amendments help to an audit or evaluation of Federal- or
with such authorized representative. ensure increased accountability on the State-supported education programs.
FOR FURTHER INFORMATION CONTACT: part of those with access to PII from Congress recognized that sharing of
Ellen Campbell, U.S. Department of education records. childrens eligibility information could
Education, 400 Maryland Avenue SW., These amendments include benefit schools and children
Room 2E203, Washington, DC 20202 definitions for two previously participating in the SMPs. As a result,
8520. Telephone: (202) 2603887. undefined terms, authorized section 9(b)(6) of the Richard B. Russell
If you use a telecommunications representative and education National School Lunch Act, as amended
device for the deaf (TDD), call the program, to permit greater access by (National School Lunch Act) (42 U.S.C.
Federal Relay Service (FRS), toll-free, at appropriate and authorized parties to 1758(b)(6)) permits schools to disclose
1(800) 8778339. information on students in order to childrens eligibility information to
SUPPLEMENTARY INFORMATION: On April evaluate the effectiveness of education persons with a need to know who are
8, 2011, the Department published a programs. Specifically, we have associated with a Federal or State
notice of proposed rulemaking (NPRM) modified the definition of and education program and who will not
Federal Register / Vol. 76, No. 232 / Friday, December 2, 2011 / Rules and Regulations 75605
further disclose that information. a written agreement to designate an We have modified the written
Because of the importance of assuring authorized representative (other than an agreement requirement in 99.35(a)(3)
not only that FERPA requirements are employee) under the provisions in to require that the agreement specify
met, but also that all of the Federal 99.31(a)(3) and 99.35 that allow the how the work falls within the exception
confidentiality protections in the authorized representative access to PII of 99.31(a)(3), including a description
National School Lunch Act are met, the from education records without prior of the PII from education records that
two Departments intend to jointly issue written consent in connection with any will be disclosed, and how the PII from
guidance in the near future for use by audit, evaluation, or enforcement or education records will be used.
the educational community and by State compliance activity; We have also made the following
and local administrators of USDA Add a new 99.35(d) to clarify that minor or non-substantive changes from
programs. in the event that the Departments the NPRM:
Family Policy Compliance Office (FPCO We have made minor editorial
Notice of Proposed Rulemaking or Office) finds an improper changes to the definition of authorized
In the NPRM, we proposed redisclosure in the context of representative in 99.3 to ensure
regulations to: 99.31(a)(3) and 99.35 (the audit or greater consistency between the
Amend 99.3 to define the term evaluation exception), the Department language in that definition and the
authorized representative to include would prohibit the educational agency language in 99.35(a)(1);
individuals or entities designated by or institution from which the PII We have removed language from
FERPA-permitted entities to carry out originated from permitting the party 99.31(a)(6)(iii)(C)(4) and
an audit or evaluation of Federal- or responsible for the improper disclosure 99.35(a)(3)(iii) and (a)(3)(iv) that
State-supported education programs, or (i.e., the authorized representative, or permitted an organization conducting a
for the enforcement of or compliance the FERPA-permitted entities, or both) study or an authorized representative to
with Federal legal requirements related access to PII from education records for return PII from education records to the
to these programs (audit, evaluation, or a period of not less than five years (five- FERPA-permitted entity from which the
enforcement or compliance activity); year rule); PII originated, in lieu of destroying such
Amend the definition of directory Amend 99.37(c) to clarify that information. We made these changes to
information in 99.3 to clarify that a while parents or eligible students more closely align the regulatory
unique student identification (ID) (students who have reached 18 years of language with the statute and to ensure
number may be designated as directory age or are attending a postsecondary that the PII from education records is
information for the purposes of display institution at any age) may opt out of the destroyed as required by the statute;
on a student ID card or badge if the disclosure of directory information, this We have made changes to
unique student ID number cannot be opt out does not prevent an educational 99.35(a)(2) to clarify that the FERPA-
used to gain access to education records agency or institution from requiring a permitted entity from which the PII
except when used in conjunction with student to wear, display, or disclose a originated is responsible for using
one or more factors that authenticate the student ID card or badge that exhibits reasonable methods to ensure to the
users identity, such as a Personal directory information; greatest extent practicable that any
Identification Number, password, or Amend 99.37(d) to clarify that entity or individual designated as its
other factor known or possessed only by educational agencies or institutions may authorized representative complies with
the authorized user; develop policies that allow the FERPA requirements;
Amend 99.3 to define the term disclosure of directory information only We have made editorial changes to
education program as any program to specific parties, for specific purposes, 99.35(a)(2) so the language in that
principally engaged in the provision of or both; and section is more consistent with the
education, including, but not limited to, Add 99.60(a)(2) to authorize the language in 99.35(a)(1) regarding the
early childhood education, elementary Secretary to take appropriate actions to requirements for an audit, evaluation, or
and secondary education, postsecondary enforce FERPA against any entity that enforcement or compliance activity;
education, special education, job receives funds under any program We have clarified in 99.35(a)(3)(v)
training, career and technical education, administered by the Secretary, that the required written agreement
and adult education; including funds provided by grant, must establish policies and procedures
Amend 99.31(a)(6) to clarify that cooperative agreement, contract, to protect PII from education records
FERPA-permitted entities are not subgrant, or subcontract. from further disclosure, including by
prevented from redisclosing PII from limiting use of PII to only authorized
education records as part of agreements Changes From the NPRM representatives with legitimate interests
with researchers to conduct studies for, These final regulations contain the in the audit, evaluation, or enforcement
or on behalf of, educational agencies following substantive changes from the or compliance activity;
and institutions; NPRM: We have revised 99.35(b)(1) to
Remove the provision in In 99.3, we have defined the term refer to a State or local educational
99.35(a)(2) that required that any early education program as that term authority or agency headed by an
FERPA-permitted entity must have legal is used in the definition of education official listed in 99.31(a)(3) rather than
authority under other Federal, State, or program. The definition is based on the authority or agency, to ensure
local law to conduct an audit, definition of early childhood education consistency with the language used in
evaluation, or enforcement or program in section 103(8) of the Higher 99.35(a)(2) and (a)(3);
compliance activity; Education Act of 1965, as amended We have consolidated all regulatory
Amend 99.35(a)(2) to provide that (HEA) (20 U.S.C. 1003(8)); provisions related to prohibiting an
FERPA-permitted entities are We have made changes to the educational agency or institution from
responsible for using reasonable definition of education program in disclosing PII from education records to
methods to ensure that their authorized 99.3 to clarify that any program a third party outside of an educational
representatives comply with FERPA; administered by an educational agency agency or institution for at least five
Add a new 99.35(a)(3) to require or institution is considered an education years (five-year rule) and moved them to
that FERPA-permitted entities must use program; and subpart E of part 99 (What are the
Enforcement Procedures?). Specifically, comments represented a broad spectrum including any school funded or
we of viewpoints from a number of operated by the U.S. Department of the
Included in 99.67(c) language different interested parties, including Interiors Bureau of Indian Education
from current 99.31(a)(6)(iv) concerning students, parents, privacy advocacy (BIE),1 or to any postsecondary
the application of the five-year rule organizations, researchers, numerous institution that receives funds under a
when the Department determines that a associations, and representatives from program administered by the Secretary
third party outside the educational schools, local educational agencies and that provides educational services
agency or institution fails to destroy PII (LEAs) (also referred to as districts), or instruction, or both, to students (see
from education records after the and State educational agencies (SEAs). 99.1(a)(1)). Additionally, 99.3 of the
information is no longer needed for the We have carefully considered these FERPA regulations defines institution
study for which it was disclosed; comments and, as a result of this public of postsecondary education as an
Clarified in 99.67(d) that, in the input, have made several changes to the institution that provides education to
context of the audit or evaluation final regulations since publication of the students beyond the secondary school
exception, the five-year rule applies to NPRM. An analysis of the comments level. We generally use the term
any FERPA-permitted entity or its and changes follows. We group major institution of postsecondary
authorized representative if the issues according to subject, with education to refer to colleges and
Department determines that either party applicable sections of the regulations universities and, in this document, use
improperly redisclosed PII from referenced in parentheses. Generally, we it interchangeably with the terms
education records; and do not address technical and other postsecondary institution and
Moved to 99.67(e) the language minor changes that we made, or respond institution of higher education.
from current 99.33(e) concerning the to suggested changes that the law does Educational agency. Under
application of the five-year rule when not authorize the Secretary to make, or 99.1(a)(2), an educational agency is
the Department determines that a third to comments that were outside the an entity that is authorized to direct and
party outside the educational agency or scope of the NPRM. control public elementary or secondary
institution improperly rediscloses PII schools or postsecondary institutions.
from education records in violation of General Comments Thus, we consider LEAs (a term that we
99.33 or fails to provide the Definitions use interchangeably with school
notification required under districts) to be educational agencies
99.33(b)(2); Comment: Several commenters stated in the context of FERPA. However, we
Throughout subpart E of part 99 that the terms used in the proposed do not generally view SEAs as being
( 99.60 through 99.67), we have regulations to refer to the different types educational agencies under
revised the language regarding of entities affected by the regulations 99.1(a)(2) because we interpret the
enforcement procedures to clarify that were unclear and asked for the statutory definition of the term
the Secretary may investigate, process, Department to clarify their meaning. student to mean that an educational
and review complaints and violations of Specifically, they asked if there is a agency is an agency attended by
FERPA against an educational agency or difference between an educational students. Under paragraph (a)(6) of
institution or against any other recipient agency or institution, on the one hand, FERPA, a student includes any person
of Department funds under a program and a State or local educational with respect to whom an educational
administered by the Secretary. This authority, on the other. Some agency or institution maintains
marks a change from the current commenters requested that we clarify education records or personally
provisions, which refer only to the whether a State agency, other than an identifiable information, but does not
Departments enforcement procedures SEA, such as a State department of include a person who has not been in
against educational agencies and social services, could be considered a attendance at such agency or
institutions, which are defined in State educational authority under the institution. 20 U.S.C. 1232g(a)(6). For
99.3 as any public or private agency or regulations. Another commenter asked example, we have generally considered
institution to which part 99 applies that we also define the term school students to be in attendance at the
under 99.1(a). Section 99.1 describes official to differentiate it from the term Fairfax County Public Schools school
FERPA as applying to an educational authorized representative. district, but not at the Virginia
agency or institution to which funds Discussion: There are differences in Department of Education. Therefore,
have been made available under any meaning between the terms under this framework, the term
program administered by the Secretary educational agency, educational educational agencies or institutions
if (1) The educational institution institution, and State and local generally refers to LEAs, elementary and
provides educational services or educational authority, and we provide secondary schools, schools operated by
instruction, or both, to students; or (2) the following explanation to clarify how BIE, and postsecondary institutions.
the educational agency is authorized to these terms are used in the context of State and local educational
direct and control public elementary or FERPA and its implementing authorities. The term State and local
secondary, or postsecondary regulations. educational authority is not defined in
educational institutions; and In general, FERPA applies to an FERPA. The term State and local
Throughout subpart E of part 99 educational agency or institution that
( 99.60 through 99.67), we have receives funds under a program 1 Under section 9204(a) of the Elementary and
clarified the procedures that the Office administered by the Secretary. 20 U.S.C. Secondary Education Act of 1965, as amended
1232g(a)(3). In 99.3, we define the (ESEA), the Secretary of Education and the
will follow to investigate, review,
Secretary of the Interior are required to reach an

process, and enforce the five-year rule term educational agency or institution agreement regarding how the BIE will comply with
against third parties outside of the as any public or private agency or ESEA requirements. Under a 2005 Final Agreement
educational agency or institution. institution to which part 99 applies between the Department of Education and the
under 99.1(a). Department of the Interior, the two Departments
Analysis of Comments and Changes Educational institution. We use the agreed, as a general matter, that the Department of
Education would treat BIE as an SEA and each BIE
We received a total of 274 comments term educational institution to refer school as an LEA, for purposes of complying with
on the proposed regulations. The to any elementary or secondary school, the requirements of ESEA.
educational authority is important in under FERPA because it provides Discussion: The terms identified by
the context of FERPAs audit or educational services or instruction to the commenters are not defined in
evaluation exception in 99.31(a)(3) students. In general, the Department FERPA, and the Department did not
and 99.35 because State and local does not consider a State social services propose to define them in the NPRM
educational authorities are permitted to agency to be an educational agency or because we did not wish to define them
access, without consent, PII from institution under FERPA because, in ways that would unnecessarily
education records. We generally have although such an agency may provide restrict the educational community.
interpreted the term State and local educational services or instruction to Moreover, we do not believe it would be
educational authority to refer to an students, it is not authorized to direct appropriate to define these terms in
SEA, a State postsecondary commission, and control public elementary or these final regulations because the
BIE, or any other entity that is secondary or postsecondary educational public would not have had an
responsible for and authorized under institutions, and it does not have opportunity to comment on them.
local, State, or Federal law to supervise, students in attendance. In addition, the Changes: None.
plan, coordinate, advise, audit, or Department does not consider a State Fair Information Practice Principles
evaluate elementary, secondary, or social services agency to be a State
postsecondary Federal- or State- educational authority because such an Comment: Some commenters stated
supported education programs and agency generally is not responsible for that the proposed amendments to part
services in the State. (See http:// and authorized under State law to 99 in the NPRM represented a
www2.ed.gov/policy/gen/guid/fpco/ supervise, plan, coordinate, advise, wholesale repudiation of the fair
ferpa/library/wku071105.html for more audit, or evaluate federally or State- information practices. Others
information.) While we have not supported elementary, secondary, or contended that the proposed regulatory
generally viewed an SEA as being an changes go too far; that the changes
postsecondary education programs and
educational agency under 99.1(a)(2) would permit the disclosure of
services in the State. However, because
for the reasons outlined in the preceding confidential student records to
States vary widely in how they
paragraph, it is important to note that organizations that have little
administer programs, the Department
we do view an SEA as a State involvement in education, and the data
would make this determination on a
educational authority for FERPA will be used for purposes unrelated to
case-by-case basis and evaluate the
purposes. education. Others expressed concern
particular responsibilities of that agency
An LEA can be both an educational that the regulatory changes would result
before giving definitive guidance on
agency and a local educational authority in student records being used for a wide
whether a particular agency would be
under FERPA because an LEA is range of activities under the pretext that
considered an educational agency or some educational result would be
authorized to direct and control public institution or a State or local
elementary and secondary schools and derived from those activities. Others
educational authority under FERPA. commented that obtaining parental
to supervise Federal- or State-supported
With regard to the request that we consent to permit the disclosure of PII
education programs and services in the
define the term school official to from education records should be the
State. Because an LEA is considered to
avoid confusion with the term preferred approach.
be an educational authority, the LEA
authorized representative, we note Discussion: The Fair Information
may conduct an audit or evaluation of
that current 99.31(a)(1) in the FERPA Practice Principles (FIPPs) are the
a Federal- or State-supported education
regulations already describes school foundation for information privacy in
program under the audit or evaluation
official. This section makes clear that the United States. These principles are
exception. For example, an LEA may
school officials are teachers and sometimes referred to just as FIPs (Fair
wish to evaluate the effectiveness of a
particular program in the school district. administrators who work within a Information Practices) and various
Some commenters asked whether a school, school district, or postsecondary versions of these principles exist with
State agency other than an SEA, such as institution. The regulations also state in different numbering schemes. These
a State social services agency, could be 99.31(a)(1) that contractors, principles include: That there be no
considered an educational agency or consultants, volunteers, or other parties secret recordkeeping systems; that
institution or a State or local to whom an educational agency or individuals should have a way to find
educational authority. We believe that institution has outsourced institutional out information about themselves in a
State agencies other than an SEA could, services or functions under the record and how it is used; that
depending on the individual conditions listed in 99.31(a)(1)(i)(B)(1) individuals be allowed to prevent
circumstances, be considered to be an through (a)(1)(i)(B)(3) may be information obtained for one purpose
educational agency or institution or a considered school officials with from being used for another; that
State educational authority under legitimate educational interests in individuals be allowed to correct
FERPA. The Department generally students education records. We believe records about themselves; and that the
considers a State postsecondary that this language in 99.31(a)(1) and organization that created the record
commission to be a State educational the definition of authorized assure its reliability and take steps to
authority because such commissions are representative are sufficiently clear to prevent misuse. FIPPs form the basis of
typically responsible for and authorized ensure that there is no confusion most State and Federal privacy laws in
under State law to supervise, plan, between these different categories of the United States, including FERPA.
coordinate, advise, audit, or evaluate individuals. Like most privacy laws, however, the
Federal- or State-supported Changes: None. FIPPs must be adapted to fit the
postsecondary education programs and Comment: Several commenters asked educational context of data disclosure.
services in the State. Likewise, a State- the Department to include definitions For example, one of the FIPPs principles
administered school that receives funds for, and examples of, the following is that individuals should have the right
under a program administered by the terms: evaluation, audit, to prevent information for one purpose
Secretary, such as a school serving research, legitimate educational from being used for another. FERPA
hearing-impaired students, is interest, compliance activities, and expressly permits the redisclosure,
considered an educational institution enforcement activities. without consent, of PII from education
records for a reason other than the programs, and improving instruction. We decline to adopt the suggestion
reason for which the PII was originally We believe that the best method to that schools be required to notify
collected, if the redisclosure is made on prevent misuse of education records is parents and eligible students when PII
behalf of the educational agency or not to bar all legitimate uses of from education records is redisclosed to
institution that provided the PII and the education data, but rather to provide an outside entity, and to provide parents
redisclosure meets the requirements of guidance and technical assistance on and eligible students with an
sec. 99.31. how legitimate uses can be opportunity to opt out of the disclosure.
The Department is not repudiating implemented while properly protecting FERPA expressly provides for
FIPPs, but rather is making only narrow PII from education records in disclosure without consent in these
changes to its regulations that it has accordance with FERPA. circumstances, a reflection of the
determined are necessary to allow for Changes: None. importance of those limited disclosures.
the disclosure of PII from education Comments: Several commenters Under 99.7(a), educational agencies
records to improve Federal- and State- expressed concern or confusion about and institutions are required to annually
supported education programs while how the FERPA recordation, review, notify parents and eligible students of
still preserving student privacy. The and correction provisions would work their rights under FERPA. While FERPA
Department remains committed to FIPPs at the various school, LEA, or State does not require that this notice inform
and believes that the final regulations levels. parents or eligible students of
appropriately embody core FIPPs tenets. Several commenters raised concerns individual data sharing arrangements,
In fact, FIPPs underlay the Departments about up-stream data sharing as it we believe that transparency is a best
recent privacy initiatives, including relates to the validity of the information practice. For this reason, we have
creating a Chief Privacy Officer maintained in SLDS. They expressed amended our model notifications of
position,2 creating the Privacy general concern that changes made to rights under FERPA to include an
Technical Assistance Center (PTAC),3 education records at the local level explanation of the various exceptions to
and issuing a series of technical briefs would not be reflected in the SLDS, so FERPAs general consent disclosure
on privacy, confidentiality, and data that authorized representatives of an rule. This change to the model
security. SEA would be looking at out-of-date notifications should help parents and
We agree that it is preferable to obtain information. Some commenters eligible students understand under what
consent before disclosing PII from suggested that when schools amend circumstances, such as the evaluation of
education records, and nothing in these education records, they should be a Federal- or State-supported education
final regulations is intended to change required to forward these amendments program, PII from education records
the statutory framework for consent. or corrections to their LEA or SEA. may be disclosed to third parties
Nonetheless, Congress explicitly A few commenters recommended that without prior written consent. The
provided in FERPA that for certain we require schools to notify parents and Model Notification of Rights under
purposes, PII from education records eligible students when PII from FERPA for Elementary and Secondary
may be disclosed without consent. 20 education records is disclosed to an Schools is included as Appendix B to
U.S.C. 1232g(b). outside entity. One commenter this notice and the Model Notification of
We recognize that some may fear that suggested that parents and students not Rights under FERPA for Postsecondary
these final regulations will permit the only be notified, but that they also be Institutions is included as Appendix C
disclosure of PII from education records given an opportunity to opt out of the to this notice; these model notifications
to improper parties, or for improper disclosure. Several commenters are also available on the FPCO Web site
purposes, but we firmly believe such expressed support for the notion that at: http://www2.ed.gov/policy/gen/guid/
fears lack foundation. To be clear, these parents and students should be able to fpco/ferpa/lea-officials.html and http://
final regulations do not permit PII from inspect and review education records www2.ed.gov/policy/gen/guid/fpco/
education records to be disclosed for held by authorized representatives. ferpa/ps-officials.html.
purposes unrelated to education. For One commenter asked why the With respect to the suggestion that we
example, the statute limits disclosures Department did not propose to use its revise the regulations so that parents
to those organizations that conduct putative enforcement authority to and eligible students can inspect and
studies for the purposes of developing, create the right for parents and eligible review and seek to amend education
validating, or administering predictive students to inspect and seek to correct records held by authorized
tests, administering student aid education records in the hands of representatives, we note that FERPA
authorized representatives. provides a right for parents and eligible
2 The Department established an executive level Discussion: We appreciate the students to inspect and review their
Chief Privacy Officer (CPO) position in early 2011. concern that records at State and local education records held by SEAs, LEAs,
The CPO oversees a new division dedicated to educational authorities be up-to-date to
advancing the responsible stewardship, collection,
and schools. 20 U.S.C. 1232g(a)(1)(A)
use, maintenance, and disclosure of information at reflect changes made at the school level. and (a)(1)(B). The statute does not
the national level and for States, LEAS, We decline, however, to require schools provide any right to inspect and review
postsecondary institutions, and other education to forward every change to up-stream education records held by authorized
stakeholders. educational entities, as this would be
3 PTAC was established to serve as a one-stop
representatives of FERPA-permitted
resource for SEAs, LEAs, the postsecondary
overly burdensome. Schools correct and entities or other third parties (other than
community, and other parties engaged in building update student education records on a SEAs). Further, FERPA also provides a
and using education data systems. PTACs role is daily basis and requiring daily up- right for parents and eligible students to
to provide timely and accurate information and stream updates is not feasible. Rather, seek to amend their education records
guidance about data privacy, confidentiality, and

security issues and practices in education;
we urge LEAs and SEAs to arrange for held by LEAs and schools, but not
disseminate this information to the field and the periodic updates. We believe that such SEAs. 20 U.S.C. 1232g(a)(2). Again,
public; and provide technical assistance to key an arrangement will help ensure the however, the statute does not provide
stakeholders. PTAC will share lessons learned; validity and accuracy of PII from any right to seek to amend education
provide technical assistance in both group settings
and in one-on-one meetings with States; and create
education records disclosed to LEAs records held by authorized
training materials on privacy, confidentiality, and and SEAs and ultimately held in an representatives of FERPA-permitted
security issues. SLDS. entities or other third parties. For this
reason, we do not have the authority to authority to issue the proposed records, while allowing for PII from
expand these statutory provisions to regulations, stating the proposals exceed education records to be effectively used,
apply to authorized representatives of the Departments statutory authority. particularly in SLDS.
FERPA-permitted entities or other third Enacting the proposed changes, many of Moreover, we disagree with the
parties (other than the right to inspect these commenters argued, would contention that the America COMPETES
and review education records require legislative amendments to Act and ARRA do not provide evidence
maintained by SEAs). FERPA that could not be achieved of Congressional intent to expand and
Parents and eligible students seeking through the rulemaking process. develop SLDS to include early
to inspect and review a students Several commenters also stated that childhood education, postsecondary,
education records held by an authorized the America COMPETES Act and ARRA and workforce information. We believe
representative or a third party other do not confer legal authority upon the the America COMPETES Act and ARRA
than the SEA may contact the disclosing Department to propose regulations that should be read consistently with
school or LEA. The school or LEA would allow the disclosure of PII from FERPA, where permissible. It is a well-
would then be required to allow them education records in the manner established canon of statutory
to inspect and review and seek to envisioned in the NPRM. While construction that a statute must not be
amend the education records that they acknowledging that the America interpreted so that it is inconsistent
maintain. Additionally, while FERPA COMPETES Act generally supports the with other statutes where an ambiguity
does not accord a right to a parent or an establishment and expansion of SLDS, exists. Where two statutes appear to be
eligible student to inspect and review several commenters noted that the inconsistent with one another, it is
and seek to amend education records America COMPETES Act requires States appropriate to provide an interpretation
held by authorized representatives, to develop and utilize their SLDS only that reconciles them while still
FERPA-permitted entities are free to in ways that comply with the existing preserving their original sense and
include inspection or amendment FERPA regulations. One commenter purpose. See, e.g., Lewis v. Lewis &
requirements in the written agreements stated that ARRA was merely an Clark Marine, Inc., 531 U.S. 438 (2001);
they enter into with their authorized appropriations law and did not suggest Ruckelshaus v. Monsanto Co., 467 U.S.
representatives, assuming it is any shift in Congressional intent 986, 101718 (1984).
permissible under applicable State and regarding FERPAs privacy protections, In this case, the Department is
local law to do so. information sharing, or the disclosure of interpreting its regulations in a manner
FERPA does not require parental or student education records, generally. that is consistent with FERPA, the
student notification of individual data Discussion: We disagree with America COMPETES Act, and ARRA.
sharing arrangements that may utilize commenters who stated that they Under section 6401(e)(2)(D) of the
PII from education records. However, believe the Department lacks the America COMPETES Act, Congress
99.32(a) does require recordation, statutory authority to promulgate the clearly set forth its desire that States
except as provided in 99.32(d), of proposed regulations contained in the develop SLDS that cover students from
disclosures whenever an educational NPRM. As a general matter, the preschool through postsecondary
agency or institution or FERPA- Department has broad statutory education by including information
permitted entity discloses PII from authority to promulgate regulations to such as the capacity to communicate
education records under one of the implement programs established by with higher education data systems,
exceptions to the consent requirement. statute and administered by the information regarding the extent to
Thus, the recordation provisions in Department. Under section 414 of the which students transition successfully
99.32(a)(3) require educational Department of Education Organization from secondary school to postsecondary
agencies and institutions to record the Act, 20 U.S.C. 3474, [t]he Secretary is education, including whether students
parties to whom they have disclosed PII authorized to prescribe such rules and enroll in remedial coursework, and
from education records and the regulations as the Secretary determines other information determined
legitimate interests the parties had in necessary or appropriate to administer necessary to address alignment and
obtaining the information. This and manage the functions of the adequate preparation for success in
recordation must also identify the Secretary or the Department. Similarly, postsecondary education.
FERPA-permitted entities that may section 410 of GEPA, 20 U.S.C. 1221e ARRA provides clear evidence of
make further disclosures of PII from 3, provides that the Secretary may Congressional intent to support the
education records without consent (see make, promulgate, issue, rescind, and expansion of SLDS, and is not merely an
99.32(a)(1)). When requested, FERPA- amend rules and regulations governing appropriations law, as suggested by one
permitted entities must provide the manner of operation of, and commenter. Section 14001(d) of ARRA
pursuant to 99.32(b)(2)(iii) a copy of governing the applicable programs specified that the Governor of a State
their record of further disclosures to the administered by, the Department. desiring to receive an allocation under
requesting educational agency or Neither section 444 of GEPA, which is the State Fiscal Stabilization Fund was
institution where the PII from education more commonly known as FERPA, nor required to include assurances in its
records originated within a reasonable any other statute, limits the application that, among other things, the
period of time, not to exceed 30 days. Departments authority to promulgate State will establish a longitudinal data
For example, a school may request a regulations to protect the privacy of PII system that includes the elements
record of all further disclosures made by from education records or to interpret described in section 6401(e)(2)(D) of the
its SEA of PII from education records its regulations on FERPA consistently America COMPETES Act. All States
with other Federal statutes. The received grants under the State Fiscal
from that school. The SEA would be

required to comply with this request proposed regulations in the NPRM fall Stabilization Fund. Thus, all States are
within 30 days. clearly within the commonplace use of required to include these 12 elements in
Changes: None. the Departments regulatory authority. their SLDS. Through ARRA, Congress
Adopting these provisions is necessary also provided $250 million for
Legal Authority to ensure that the Departments additional State grants to support the
Comment: Numerous commenters implementation of FERPA continues to expansion of SLDS to include
questioned the Departments legal protect the privacy of PII from education postsecondary and workforce
information, providing further evidence Health and Human Services, to institutional level. The Department does
of Congress intention that States facilitate social engineering such as not collect PII from education records
include these elements in their SLDS. development of the type of workforce outside of its duties that require it, such
Interpretations of our current FERPA deemed necessary by the government. as administering student loans and
regulations created obstacles for States Discussion: The Department agrees grants, conducting surveys, and
in their efforts to comply with ARRAs that it should not collect such investigating individual complaints.
requirement that SLDS include the 12 information or guide students toward The Department offers this
elements specified in the America predetermined workforce outcomes, as clarification to address the public
COMPETES Act, and thereby allow for the commenters stated. Moreover, the comments that mistakenly interpreted
the sharing of education data from Department did not propose in the the Departments proposed regulations
preschool to higher education. The NPRM to permit the collection of this as a mechanism to collect sensitive
changes that the Department is adopting information or to conduct the activities personal data on individual students at
through these regulations should described by these commenters. the Federal level, including data
eliminate barriers that may have Commenters mistakenly inferred that elements that are not related to
prevented States from complying with the proposed changes to the regulations education, to be used for non-
the ARRA assurances while still would expand the types of data educational purposes. As discussed
ensuring that PII in education records is collections that the Department may later in this preamble, the Department is
protected under FERPA. For example, require as conditions of receiving not legally authorized to create a
under these final regulations, a local or Federal funds. FERPA itself does not national, student-level database, and the
State educational authority may establish the authority for any type of Department has no desire or intention to
designate a postsecondary institution as data collection at any level, whether create a student record data system at
its authorized representative, in Federal, State, or local. Likewise, the national level. Thus, the SLDS
connection with the evaluation of FERPA does not authorize the mentioned in these final regulations
Federal- or State-supported education establishment of SLDS. Congress refers to individual States longitudinal
programs. As such, the K12 local or granted the Department the authority to data systems, not a Federal database.
State educational authority may disclose provide grants to States for the Commenters interested in
PII from education records to the development of SLDS under section 208 understanding more about the data
postsecondary institution without of the Educational Technical Assistance collections required by the Department
consent for purposes of evaluating Act of 2002, 20 U.S.C. 9607. States have should visit the Departments Web site
either the K12 or postsecondary invested in SLDS to enhance their at http://edicsweb.ed.gov and select the
Federal- or State-supported education ability to efficiently and accurately Browse Active Collections link.
programs. manage, analyze, and use education Changes: None.
If the Department were to make no data, which includes PII from education Comment: Several commenters
regulatory changes, as requested by records that are protected under FERPA. expressed concern that the Departments
several commenters, then Congress SLDS for K12 education often include proposal would create a national
stated intentions behind the America data related to Federal- and State- database of student PII. One commenter
COMPETES Act and ARRA regarding funded education programs, such as expressed strong opposition to the
the development and expansion of data related to assessments, grades, establishment of a national database
SLDS would be significantly impeded. course enrollment and completion, because of concern that such a database
Instead, considering the extent of data attendance, discipline, special could be used for non-educational
sharing contemplated by these statutes, education status, homeless status, purposes. Another commenter
the Department is amending several migrant status, graduation or dropout recommended that the Department
regulatory provisions that have status, demographics, and unique publicly affirm that it does not support
unnecessarily hindered the student identifiers. Schools and LEAs the establishment of a national database.
development and expansion of SLDS as are the primary collectors of these data. Several commenters indicated that the
envisioned by the America COMPETES LEAs report these individual student- proposed changes reflected in the
Act and required under ARRA, while level data to the SEA to meet various NPRM would permit data sharing and
still remaining consistent with FERPAs requirements, and the data is linking of SLDS across State lines,
underlying purpose of protecting warehoused in the SLDS. allowing for the creation of a de facto
student privacy. For Federal K12 reporting, SEAs national database of student PII. These
Changes: None. report aggregated counts at the State, commenters expressed concern that
local, and school levels for various interconnected SLDS would invite
FERPA Does Not Provide Authority for indicators that are required for substantial threats to student privacy.
Data Collection participation in Federal education Another commenter noted that the
Comment: Several commenters programs, such as the number of prohibition regarding the establishment
expressed concern about the types of students participating in and served by of a national database in the ESEA,
student PII described in the NPRM and Title I. Similarly, postsecondary demonstrated Congress intent to
what they perceived as the Departments institutions are required to complete prohibit Federal funding of an
intent to collect information on Integrated Postsecondary Education interconnected SLDS.
individual students. The Department Data Systems (IPEDS) surveys if they Discussion: The Department is not
received similar comments from participate in or are applicants for establishing a national database of PII
multiple parties who inferred from the participation in any Federal student from education records and we have no
NPRM that the Department sought to financial aid program (such as Pell intention to do so. Moreover, neither
collect information on students such as grants and Federal student loans). While ESEA nor HEA provides the Department
hair color, blood type or health care schools, LEAs, SEAs, and postsecondary with the authority to establish a Federal
history. These commenters appeared to institutions maintain student-level data, database of PII from education records.
believe that the Department would what is reported to the Department in Specifically, [n]othing in [ESEA] * * *
collect this data and provide it to other IPEDS and in Federal K12 reporting is shall be construed to authorize the
Federal agencies, such as Labor and aggregated, at a minimum, at the development of a nationwide database
of PII from education records. 20 U.S.C. these activities are only being carried disclosed across State lines, noting that
7911. Likewise, nothing in [HEA] shall out at the State level, not through the there is increased demand to disclose
be construed to authorize the creation of a Federal database. These PII from education records to third
development, implementation, or final regulations will help reduce parties in other States to make
maintenance of a Federal database of barriers that have hindered States and comparative evaluations of Federal- or
PII from education records. 20 U.S.C. consortia of States from developing, State-supported education programs, or
1015c(a). implementing, and maintaining their to connect data on students who may be
On the other hand, we do not agree own SLDS. educated in multiple States. For
with the suggestion that Congress Changes: None. example, one commenter asked the
intended to prohibit States from Department to clarify whether FERPA
Use of Social Security Numbers
developing their own SLDS or linking would permit postsecondary
SLDS across State lines. The right to Comment: Several commenters institutions to disclose PII from
develop SLDS or link SLDS across State requested clarification on whether education records, including outcome
lines is reserved to the States. Both Social Security numbers (SSNs) could data back to high schools in another
ESEA and HEA permit States or a be maintained in an SLDS or used as a State.
consortium of States to develop their linking variable. These commenters Several stakeholders have raised
own State-developed databases. In fact, stated that they had been hindered in questions about whether the proposed
HEA specifically states that it does not their efforts to build a robust SLDS by regulations would permit the State
prohibit a State or a consortium of limitations on the exchange of SSNs. educational authority in one State to
States from developing, implementing, Other commenters suggested that the designate a State educational authority
or maintaining State-developed use of SSNs, names, and dates of birth in another State as its authorized
databases that track individuals over be minimized, and that SLDS should representative to disclose PII from
time, including student unit record instead create a common identifier that education records from one authority to
systems that contain information related would allow the SEA and its authorized the other.
to enrollment, attendance, graduation representative to match student records Another commenter recommended
and retention rates, student financial data without an unnecessary transfer of that the Department restrict the
assistance, and graduate employment SSNs and other identifying information. disclosure of PII from education records
outcomes. 20 U.S.C. 1015c(c). Discussion: We understand that data under the audit or evaluation exception
The Department does not agree with contained within an SLDS cannot be to authorized representatives within a
those commenters who expressed used effectively without using unique State, or alternatively limit out-of-State
concerns that the linking of SLDS across linking variables. Without the use of authorized representatives to only other
State lines would allow for the creation linking variables, States would be State educational authorities. Another
of a de facto national database of unable to monitor the educational commenter also asked about a schools
student PII. First, as discussed earlier, progress and experiences of individual ability to disclose PII from education
States are not prohibited from students as they progress through the records to other countries.
establishing their own SLDS or linking education system across grade levels, Discussion: FERPA makes no
SLDS across State lines provided that schools, institutions, and into the distinctions based on State or
they do so in compliance with all workforce. international lines. However, transfers
applicable laws, including FERPA. FERPA does not prohibit the use of a of PII from education records across
Second, if a consortium of States chose SSN as a personal identifier or as a international boundaries, in particular,
to link their individual SLDS across linking variable. However, we agree can raise legal concerns about the
State lines, such a system of with commenters that the use of SSNs Departments ability to enforce FERPA
interconnected SLDS would not be should be minimized given that SSNs requirements against parties in foreign
national because the Federal are often used by criminals for identity countries. It is important to keep in
Government would not play a role in its theft. The Federal Government itself mind that for a data disclosure to be
operation. Rather, responsibility for attempts to minimize the use of SSNs. made without prior written consent
operating such a system would lie See, e.g., Office of Management and under FERPA, the disclosure must meet
entirely with the consortium of States. Budget (OMB) Directive M0716, all of the requirements under the
Further, Congress made clear in the Safeguarding Against and Responding exceptions to FERPAs general consent
America COMPETES Act and ARRA to the Breach of Personally Identifiable requirement. For example, if the
that it supports the development and Information, and Guidance for conditions under the audit or evaluation
expansion of SLDS. For example, title Statewide Longitudinal Data Systems, exception in FERPA are met, a State
VIII of ARRA appropriated $250,000,000 (National Center for Education Statistics educational authority could designate
to the Institute of Education Sciences to (NCES) 2011- 602). The importance of an entity in a different State as an
carry out section 208 of the Educational limiting SSN use is recognized in authorized representative for the
Technical Assistance Act to provide FERPA, as schools are prohibited from purpose of conducting an audit or
competitive grants to State for the designating SSNs as directory evaluation of the Federal- or State-
development of their SLDS that include information. Hence, while FERPA does supported education programs in either
early childhood through postsecondary not expressly prohibit States from using State. The disclosure of PII from
and workforce information. In addition, SSNs, best practices dictate that States education records is not restricted by
section 14005 of ARRA provides that in should limit their use of SSNs to geographic boundaries. However,
order to receive funds under the State disclosure of PII from education records
instances in which there is no other

Fiscal Stabilization Fund a State was feasible alternative. for an audit or evaluation of a Federal-
required to provide an assurance that it Changes: None. or State-supported education program is
will establish an SLDS that includes the permitted only under the written
elements described in section Disclosures Beyond State Lines agreement requirements in 99.35(a)(3)
6401(e)(2)(D) of the America Comment: Several commenters sought that apply to that exception. Under
COMPETES Act (20 U.S.C. 9871). clarification on whether FERPA allowed these requirements, the disclosing entity
Consistent with congressional intent, PII from education records to be would need to take reasonable methods
to ensure to the greatest extent sharing by educational agencies or reasonable and would help protect the
practicable that its authorized institutions; these data sharing activities confidentiality of the data.
representative is in compliance with are voluntary, and may occur at the Discussion: The Department agrees
FERPA, as is explained further under discretion of educational agencies or with these commenters that these
the Reasonable Methods ( 99.35(a)(2)) institutions. We recognize that some activities would be permissible under
section in this preamble. More educational agencies and institutions these final regulations.
specifically, an LEA could designate a may need technical assistance from the Changes: None.
university in another State as an Department to help ensure that their Comment: One commenter stated that
authorized representative in order to data sharing activities comply with the Departments proposed change to
disclose, without consent, PII from these regulations, and the Department remove the requirement in 99.35(a)(2)
education records on its former students will help meet this potential need for that express authority is required under
to the university. The university then SEAs and LEAs. Federal, State, or local law to conduct
may disclose, without consent, See the Potential Costs and Benefits, an audit, evaluation, or enforcement or
transcript data on these former students elsewhere in this preamble, for our compliance activity would turn a
to the LEA to permit the LEA to evaluate estimation of costs associated with these narrow exception to consent into a
how effectively the LEA prepared its regulations. magic incantation that would allow
students for success in postsecondary Changes: None. unfettered access to PII from
education. education records for purposes other
Changes: None. Audit or Evaluation Exception ( 99.35)
than what Congress intended. Several
Cloud Computing General Discussion commenters objected on the grounds
Comment: We received many that the proposed change would result
Comment: Several commenters sought
comments supporting the proposed in confusion, with educational
clarification on whether the proposed
changes to the audit or evaluation institutions struggling to separate real
regulations would permit cloud
exception. A comment co-signed by two claims of authority from frivolous or
computing, where data can be hosted in
dozen organizations supported the false ones. Finally, a few commenters
a different State or country. Commenters
proposed regulations as the revised contended that the Department lacks the
suggested that the final regulations not
interpretations would permit more legal authority to make this proposed
discriminate based on where data are
opportunities for data analysis by States, change.
hosted.
Discussion: The Department has not LEAs, schools, and research Discussion: In 2008, we amended
yet issued any official guidance on organizations. 99.35(a)(2) of the Departments FERPA
cloud computing, as this is an emerging Other commenters generally regulations to specifically require that
field. We note, however, that the expressed support for the proposed legal authority exist under Federal,
Federal Government itself is moving changes, asserting that they would State, or local law to conduct an audit,
towards a model for secure cloud increase the ability to evaluate and evaluation, or enforcement or
computing. Regardless of whether cloud improve education programs. compliance activity. While we imposed
computing is contemplated, States Supporters of the proposed no requirement to identify legal
should take care that their security regulations noted that, by reducing authority for other exceptions, we
plans adequately protect student data, barriers to data sharing, more States explained that we added this
including PII from education records, would be able to connect their data requirement to the audit or evaluation
regardless of where the data are hosted. systems to drive improvement in K12 exception because we viewed the
Changes: None. schools. Commenters noted several educational community as being
specific evaluations that would be significantly confused about who may
Administrative Burden possible with the proposed amendments receive education records without
Comment: Several commenters to the audit or evaluation exception. For consent for audit or evaluation purposes
predicted an increase in administrative example, an evaluation of college under 99.35. We explained that [i]t
time and resources needed to comply freshmen, who all graduated from the [was] not our intention in 99.35(a)(2)
with the proposed regulations, with one same high school, may reveal the to require educational agencies or
predicting an exponential increase. students needed postsecondary institutions and other parties to identify
Given the current state of State budget remediation in math. This information specific statutory authority before they
deficits, several commenters asked the could help the high school improve its disclose or redisclose PII from education
Department to provide guidance for math program. records for audit or evaluation purposes
ways to decrease burden, such as Likewise, career and technical but to ensure that some local, State or
offering planning and streamlining education (CTE) agencies would be able Federal authority exists for the audit or
administrative processes and tools, to improve program effectiveness by evaluation, including for example an
while still ensuring the protection of PII accessing more data with their Executive Order or an administrative
from education records. collaborative partners in workforce regulation. 73 FR 74806, 74822
Discussion: The Department development and other non-educational (December 9, 2008).
appreciates this suggestion and agencies that prepare students for In the NPRM, we proposed removing
acknowledges the current reality of college and careers. Several commenters the language regarding legal authority in
State budget deficits. The Department noted that these changes would allow 99.35(a)(2) due to confusion caused by
believes, however, that regulating the State departments of education to assess the 2008 regulations. We explained in
specifics of data sharing would drive up their CTE programs and meet Federal the preamble of the NPRM that the
costs, not reduce them. The Department accountability requirements in the Carl authority for a FERPA-permitted entity
notes that the changes reflected in these D. Perkins Vocational and Technical to conduct an audit, evaluation, or
regulations aim to reduce the barriers to Education Act of 2006 (Pub. L. 109 enforcement or compliance activity may
data sharing while still protecting 270). Those that were supportive of be express or implied. The intent
student privacy. FERPA regulations these amendments stated that the behind this proposed change was to
themselves also do not require any data written agreement requirements were make clear that Federal, State, and local
law determine whether a given audit or educational agency or institution under Changes: None.
evaluation is permitted, not FERPA. [FERPA]. Comment: One commenter asked
Based on the comments, however, we 42 U.S.C. 9836a(b)(4)(A). This whether the proposed regulations would
are concerned that our explanation in commenter also suggested that the allow an entity that receives PII from
the NPRM was not sufficiently clear. Department and HHS work together to education records under the audit or
Certainly, if an educational agency or minimize the financial burden of the evaluation exception to redisclose the
institution is concerned that a third proposed regulations on Head Start PII from education records over the
party seeking access to PII from agencies. original disclosing entitys objection.
education records is not authorized Discussion: We disagree with the Discussion: In 2008, we amended the
under Federal, State, or local law to commenters contention that proposed FERPA regulations to expressly permit
conduct an audit, evaluation, or 99.3 and 99.35 would supplant the FERPA-permitted entities to redisclose
enforcement or compliance activity, that PII from education records received
authority of HHS as those provisions
educational agency or institution should under the audit or evaluation exception
relate to Head Start; these proposed
seek guidance from its attorneys or from in certain conditions. See 99.33(b)(1)
changes would not overreach into HHS
the State attorney general if the concern and (b)(2). For example, this change
sphere of activity. First, we note that
involves the interpretation of State law. permitted an SEA to redisclose PII on
FERPA applies directly to LEAs that
If the concern involves the behalf of the LEA if the redisclosure is
receive funding under a program
interpretation of Federal law, the to another school where the student
administered by the Department,
educational agency or institution should seeks or intends to enroll, under
including the Head Start programs that
seek guidance from its attorneys or from 99.31(a)(2) and 99.34 and the
they operate. Concurrent jurisdiction
the Federal agency that administers the recordkeeping requirements in
exists between the Department and HHS 99.32(b)(1) or (b)(2) are met.
law in question. FERPA itself does not for these Head Start programs. The
confer the authority to conduct an audit, However, in 2008 we did not clarify
Department did not propose in the that a redisclosure under the studies
evaluation, or enforcement or NPRM that FERPA requirements would
compliance activity. exception would be on behalf of an
apply to Head Start programs not under educational agency or institution if the
We disagree with the commenters the concurrent jurisdiction of the
contention that the Department lacks SEA or other FERPA-permitted entity
Department and HHS. believed it would benefit the
legal authority to amend the 2008 Further, under current regulations,
regulations. Because the statute itself educational agency or institution.
SEAs and LEAs receiving funding under In the NPRM, we specifically
does not specifically require that legal a program administered by the
authority is necessary under Federal, proposed that FERPA-permitted entities
Departmentand, therefore, falling that receive PII from education records
State, or local law before an audit, under the Departments exclusive
evaluation, or enforcement or under the audit or evaluation exception
jurisdictionare unable to disclose PII be able to redisclose the PII from
compliance activity may be from educational records, such as the education records under the studies
conductedand is, in fact, entirely kindergarten grades of former Head Start exception if all requirements to that
silent on this issuewe retain the students, to Head Start programs in exception are met. For example, a
authority, subject to rulemaking order to evaluate the effectiveness of the FERPA-permitted entity would be
requirements, to remove the language Head Start programs. These final permitted to redisclose PII from
we added in 2008, effectively clarifying regulations permit State and local education records under the studies
that the authority may be either express educational agencies and BIE funded exception in 99.31(a)(6) if: (1) The
or implied. This deletion makes and operated schools to disclose PII FERPA-permitted entity has the express
99.35(a)(2) consistent with the rest of from education records to Head Start or implied legal authority to have the
the regulations, which do not address programs for an audit, evaluation, or study in question conducted, and (2) the
legal authority beyond FERPA. enforcement or compliance activity. We educational agency or institution either
Changes: None. believe this change aligns with
Comment: One commenter stated that agrees to the redisclosure, in which case
Congress stated intention in the the redisclosure would be for the
the Department lacked the authority to
America COMPETES Act and ARRA to educational agency or institution, or the
regulate how education records are
link data across all sectors. Permitting study is designed to improve
shared with respect to programs that are
access to student longitudinal data also instruction, in which case the
funded by the U.S. Department of
builds upon the Departments and HHS redisclosure would be on behalf of
Health and Human Services (HHS).
commitment to coordinate programs the educational agency or institution.
Specifically, this commenter stated the
administered by State and local Accordingly, a redisclosure may be
authority to regulate education records
educational agencies and BIE funded for or on behalf of of the original
maintained by Early Head Start and
and operated schools with early disclosing entity even if that entity
Head Start programs (collectively,
learning programs administered by non- objects to the redisclosure. For instance,
Head Start) fell within the exclusive
educational agencies. an SEA receiving PII from an LEA may
jurisdiction of HHS and could not be
Finally, the Department believes that redisclose PII on behalf of the LEA if
regulated by the Department of
any potential financial burden on Head the redisclosure is for a study designed
Education. This commenter relied upon
Start agencies that may result from these to improve the LEAs instruction. In this
a provision in the Head Start Act that
regulations is outweighed by the example, it would be irrelevant if the
states the:
elimination of unnecessary barriers to LEA objected to the SEAs redisclosure.
Secretary [of HHS], through regulation, the evaluation of their programs and the FERPA-permitted entities that make
shall ensure the confidentiality of any increased flexibility in the operation of further disclosures of PII from education
personally identifiable data, information, and
records collected or maintained under this
their programs. Nonetheless, the records under the studies exception also
subchapter by the Secretary or any Head Start Department is committed to working must comply with the conditions
agency. Such regulations shall provide the with HHS to minimize the financial specified in 99.31(a)(6) and ensure that
policies, protections, and rights equivalent to burden of these regulations should such the recordkeeping requirements in
those provided to a parent, student, or an increase in burden actually occur. 99.32(b)(1) or (b)(2) have been met.
Changes: None. or institution, and termed it an marketers, and neighborhood book

unreasonable interpretation. clubs. These are not all-inclusive lists;
Definition of Education Program Discussion: The Department has each program will need to be assessed
( 99.3 and 99.35) decided to make several changes to the to determine if it meets this regulatory
Comment: Many commenters were definition as a result of the comments definition of education program
supportive of the proposal to define the received. Whether a program is because it is principally engaged in the
term education program. Many of determined to be an education program provision of education.
these commenters commended the should be based on the totality of the The Department declines to change
Departments proposal to adopt a broad program, and not on whether the the word principally to primarily
definition of education program program contains a specific incidental in the definition of education
because doing so recognizes the fact that educational or training activity within a program because we view these terms
education begins prior to kindergarten broader non-education program, as as being synonymous and
and involves programs not administered suggested by one commenter. The interchangeable. The Department also
by State or local educational agencies. number of commenters requesting declines to explicitly state that
While some commenters expressed clarity on which early childhood transitions from secondary to
concern that an overly broad definition programs would be considered postsecondary education are included
of education program would result in education programs under FERPA in the definition, because any transition
extraneous programs being wrongly suggested a real need for the Department program must meet the definition of
allowed access to student PII from to define the term in the regulations to education program, and it may be
education records, others expressed support faithful implementation of the misleading to list some types of these
concern that an overly narrow definition FERPA amendments in the field. We programs and not others. The
would hinder legitimate data sharing agree with those commenters who Department further declines to amend
needed to improve education programs. suggested that the Department utilize the definition of education program to
One commenter was concerned that the the HEA definition of early childhood require that the education program be
definition would omit programs many education program and are adopting principally engaged in the provision of
believe are necessary for students to this definition for several key reasons. education to students in early
succeed but may not be principally By adopting a definition already childhood through postsecondary
engaged in the provision of education. established by Congress, we are education. Explicitly adding students
The commenter gave several examples confident that it will provide the to the definition would potentially
including substance abuse, anti- requested clarity. This definition also exclude certain programs that would
bullying, and suicide prevention provides greater consistency across otherwise fit under this definition and
programs. Federal programs, resulting in more that the Department intends to include.
Numerous commenters provided transparency and less burden. For example, this change would be
The final regulations provide that any particularly problematic for early
other examples of specific programs and
program administered by an educational childhood education programs, such as
asked the Department to identify if
agency or institution is considered to be Head Start and IDEA Part C, which refer
those programs would be considered an
an education program. We have made to their participants as children and
education program under the proposed
this change to ensure that, in addition infants or toddlers, respectively, not
definition. Commenters specifically
to programs dedicated to improving students. Head Start and IDEA Part C
requested clarity about what types of academic outcomes, this definition are explicitly included in the definition
early childhood programs would be includes programs, such as bullying of early childhood education
considered education programs. A few prevention, cyber-security education, program, and the Department refrains
commenters suggested that the and substance abuse and violence from adding language that would
Department utilize the HEA definition prevention, when administered by an contradict this definition and create
of early childhood education educational agency or institution. confusion for implementation.
program. It is the Departments intent that the FERPA-permitted entities may
One commenter suggested that we following types of programs, regardless disclose PII from education records
change principally to primarily in of where or by whom they are without obtaining consent in order to
the definition of education program. administered, fall under the new conduct an audit, evaluation, or
Another recommended that the definition of education program: The enforcement or compliance activity.
definition include transitions from educational programs conducted by FERPA permits these disclosures to
secondary to postsecondary education. correctional and juvenile justice occur without consent, but FERPA-
We also received the suggestion that we facilities or alternative long-term permitted entities have the discretion to
amend the definition of education facilities such as hospitals, dropout set their own policies and practices for
program to specify that the program prevention and recovery programs, implementing these disclosures,
must be principally engaged in the afterschool programs dedicated to including any resolution processes that
provision of education to students in enhancing the academic achievement of may be necessary to handle disputes
early childhood through postsecondary. its enrollees, schools for the hearing and regarding whether a program meets the
One commenter requested further visually impaired, college test tutoring definition of education program.
clarity regarding who determines services, and high school equivalency Finally, we disagree with the
whether a program meets the definition programs. The following are examples commenters who suggested that the
of education program and how to of the types of programs that will Department lacks the legal authority to
handle any potential disputes regarding generally be excluded from the define education program in a way
that determination. definition of education program: that would allow authorized
Another commenter suggested that Programs that are principally engaged in representatives to use PII from
the Department was acting outside of its recreation or entertainment (such as education records to evaluate programs
legal authority to expand the use of PII programs designed to teach hunting, not administered by an educational
from education records to programs not boating safety, swimming, or exercise), agency or institution. As discussed
administered by an educational agency programs administered by direct elsewhere in greater detail, the
Department has broad authority under health is necessary to evaluate an as part of its proposal for the
GEPA to promulgate regulations that education program, this information reauthorization of ESEA, supports
implement programs established by may be disclosed without obtaining strengthening the role of TEAs in
statute and administered by the consent, provided all other coordinating and implementing services
Department, including FERPA. In this requirements in the regulations are met. and programs for Indian students within
case, nothing in the statute itself or its However, the same information would their jurisdiction, we did not propose to
legislative history limits the not be permitted to be disclosed without define the term State and local
Departments authority to define obtaining consent to evaluate the educational authorities in the NPRM
education program, a previously effectiveness of a health program. and, therefore, decline to regulate on it
undefined term. Changes: None. without providing the public with
The new definition of education notice and the opportunity to comment.
Definition of Authorized Representative
program helps to ensure that the The Departments interpretation of the
( 99.3 and 99.35)
FERPA regulations do not impede term State and local educational
States ability to comply with ARRA. As Comment: Numerous commenters authorities does, however, include BIE.
discussed in the NPRM, in order to expressed support for our proposed Changes: None.
ensure that the Departments regulations definition of the term authorized Comment: One commenter requested
do not create obstacles to States representative. Among other reasons that we clarify the proposed definition
compliance with ARRA, the Department given for support, commenters stated of the term authorized representative
sought to find a solution that would give that they were confident that the to make it more similar to the regulatory
effect to both FERPA and this more definition would facilitate better language currently used in 99.35(a)(1).
recent legislation by defining the term evaluations or would lead to an This commenter expressed concern that,
education program to include increased ability to conduct evaluations in our proposed definition, an
programs that are not administered by of Federal- and State-supported authorized representative could be
an educational agency or institution. education programs. One commenter interpreted to mean an individual or
The Departments definition of the stated that the proposed definition was entity who is engaged only in activities
term education program is intended appropriate and necessary and connected to Federal legal requirements
to facilitate the disclosure of PII from reasonable in scope. One commenter related to Federal or State supported
education records, as necessary, to was especially pleased that an SEA or education programs. The commenter
evaluate a broad category of education LEA would have the ability to designate noted that 99.35(a)(1) addresses both
programs. an individual or entity under the new audit or evaluation activities associated
The Departments definition of definition for the purposes of with a Federal- or State-supported
education program is also intended to conducting evaluations. Multiple education program, and activities
harmonize FERPA and ARRA so as to commenters stated that the proposed associated with enforcement of, or
protect PII from education records, even definition would assist SEAs in compliance with, Federal legal
where the Department may not have a handling PII disclosed from education requirements that relate to those
direct funding relationship with the records and in linking it across sectors, programs. The commenter
recipient of PII from education records. including the education and workforce recommended that we clarify the
We believe that the definition of the sectors for the purposes of an audit, definition of the term authorized
term education program sufficiently evaluation, or enforcement or representative to align it with
recognizes those common elements compliance activity. 99.35(a)(1) and make clear that the
among entities that need to evaluate Finally, one commenter stated that Federal legal requirement only modifies
education programs and services, FERPA-permitted entities under 99.31 the compliance or enforcement activity.
regardless of whether the education should include tribal education agencies Specifically, when describing the
programs are funded by the Department. (TEAs). This commenter contended that activities an authorized representative
Changes: In 99.3, we have added a because FERPA regulations allow for the can carry out, the commenter requested
definition of the term early childhood disclosure, without consent, of PII from we add an or between the words
education program. In addition, we education records to State and local audit and evaluation, as opposed to
have revised the definition of educational authorities for audit or a comma, and the word any before the
education program to include any evaluation of Federal- and State-funded term compliance or enforcement
program that is administered by an education programs, TEAsthe activity.
educational agency or institution. education arms of sovereign tribal Discussion: We intend for our
Comment: One commenter requested governmentsshould also be allowed to definition of the term authorized
that the Department clarify that PII from access PII from education records representative to cover both an
education records disclosed without without consent. individual or an entity engaged in the
obtaining consent under the audit or Discussion: The Department agrees enforcement of or compliance with
evaluation exception must be limited to with these commenters that the Federal legal requirements related to
PII related to educational data, given the definition of the term authorized Federal- or State-supported education
wider variety of health information and representative in the final regulations programs, and also to cover an
other PII included in the school records will increase the ability of FERPA- individual or an entity conducting an
of students with disabilities. permitted entities to conduct audits or audit or evaluation of a Federal- or
Discussion: Under the audit or evaluations of Federal- and State-funded State-supported education program.
evaluation exception, PII from education programs, including those Accordingly, we are making this
education records may be disclosed that link PII from education records clarification in the definition.
without consent only to audit or across the education and workforce Changes: We have made the minor
evaluate Federal- or State-supported sectors. changes suggested by the commenter to
education programs, or to enforce or to As for TEAs, the Departments current the definition of authorized
comply with Federal legal requirements interpretation of State and local representative.
related to such programs. If PII from educational authorities does not Comment: Multiple commenters
education records related to a students include them. Although the Department, suggested that the Department exceeded
its legal authority by proposing to define Accounting Office and the Department evaluations, or enforcement or
the term authorized representative. of Health, Education, and Welfare. compliance activities. Restricting their
While acknowledging that FERPA does From this Joint Statement, these discretion to select only their own
not define this term, these commenters commenters suggested that Congress did officers and employees or those under
stated that authorized representatives not intend for authorized their direct control is not required by
should only consist of the Comptroller representative to be defined as broadly. the terms plain, dictionary meaning.
General, the Attorney General, the Commenters also cited several policy Additionally, we do not find the
Secretary, and State and local reasons for precluding other entities policy concerns for precluding other
educational authorities since FERPA from serving as authorized entities from serving as authorized
specifically allows for the disclosure of representatives of FERPA-permitted representatives offered by commenters
PII from education records to these entities, including that this definition to be persuasive. While nothing in the
entities. The commenters contended would weaken the accountability of final regulations specifically prohibits a
that expanding the definition beyond State or local educational authorities State politician or private company, for
the four entities specifically identified and would allow criminals, repeated example, from being designated as an
in FERPA would be impermissible and privacy violators, and those with authorized representative, the full
that such a change would require dubious standing to serve as authorized requirements under FERPA must be met
congressional action. A few commenters representatives. One commenter before PII from education records may
pointed to a statement from the questioned whether individual State be disclosed to any party. These
preamble to the final FERPA regulations politicians or private companies could regulations do not expand any of the
(73 FR 74806, 74828) published in the be authorized representatives. reasons an individual or an entity can
Federal Register on December 9, 2008, One commenter, though supporting be designated as an authorized
in which the Department stated that our definition of the term authorized representative. As before, it may only be
any further expansion of the list of representative, suggested that the done to conduct an audit, evaluation, or
officials and entities in FERPA that may definition of the term was too narrow enforcement or compliance activity. For
receive education records without the and should be broadened to include example, to authorize a representative to
consent of the parent or the eligible child welfare agencies and their conduct an evaluation, there must be a
student must be authorized by obligations to monitor the education written agreement specifying the terms
legislation enacted by Congress. outcomes of the children in their care. of the disclosure, and PII from
Other commenters objected to the One commenter challenged the education records may only be used for
rescission of the direct control Departments proposed definition of the purposes specified in the written
requirement contained in the policy authorized representative on the agreement; the FERPA-permitted entity
guidance on authorized representatives grounds that it constituted an unlawful authorizing the evaluation must also
issued by then-Deputy Secretary of sub-delegation of the Departments take reasonable methods to ensure to the
Education William D. Hansen in a statutory authority by vesting the greatest extent practicable that its
memorandum dated January 30, 2003 interpretation of FERPA in non-Federal authorized representative complies with
(Hansen Memorandum). The Hansen entities. This commenter cited U.S. FERPA, as is explained in the
Memorandum required that under the Telecom Assn v. F.C.C., 359 F.3d 554, Reasonable Methods ( 99.35(a)(2)),
audit or evaluation exception, an 565 (DC Cir., cert. denied, 543 U.S. 925 section later in this preamble. If an
authorized representative of a State (2004), in support of the position that individual or organization sought access
educational authority must be a party such delegations are improper absent to PII from education records for its own
under the direct control of that an affirmative showing of congressional purpose, disclosure of the PII from
authority, e.g., an employee or a authorization. education records without consent
contractor. Under the Hansen Discussion: It is important to note that would not be permitted under FERPA,
Memorandum, an SEA or other State FERPA does not define the term and the FERPA-permitted entity must
educational authority could not disclose authorized representative. In the not authorize the representative or
PII without consent from education absence of a statutory definition, the permit the disclosure of PII from
records to other State agencies, such as Supreme Court has made it clear that it education records without consent. The
a State health and human services is appropriate to construe a statutory written agreement operates as a contract
department, a State unemployment term in accordance with its ordinary or between the FERPA-permitted entity
insurance department, or a State natural meaning. See, e.g., FDIC v. and the authorized representative, so in
department of labor because these State Meyer, 510 U.S. 471, 476 (1994). the event that an individual or entity
agencies were not under the SEAs In this case, authorize is commonly misuses PII from education records for
direct control. understood to mean to: Invest purposes other than those that are
Commenters further cited the especially with legal authority: authorized, there would be recourse
conclusion in the Hansen Memorandum EMPOWER * * *. Representative is according to the terms specified in the
that the two references to the word commonly understood to mean: * * * written agreement, in addition to any
officials in paragraph (b)(3) of FERPA standing or acting for another especially enforcement actions the Department
reflect a congressional concern that the through delegated authority * * *. may take.
authorized representatives of a State Merriam-Websters Collegiate Dictionary Also, we continue to believe that
educational authority be under the (11th Ed. 2011). there are good policy reasons to allow
direct control of that authority. Following these standard definitions other agencies to serve as authorized
Specifically, commenters relied upon a of authorize and representative, it representatives of FERPA-permitted
December 13, 1974, joint statement in is entirely appropriate that we permit entities. As we explained in the NPRM,
explanation of the Buckley/Pell State educational authorities, the we believe that our prior interpretation
Amendment (Joint Statement) that Secretary, the Comptroller General, and of the term authorized representative
suggested that FERPA restricts transfer, the Attorney General to have the unduly restricted State and local
without the consent of parents or flexibility and discretion to determine educational authorities from disclosing
students, of PII concerning a student to who would best be able to represent PII from education records for the
* * * auditors from the General them in connection with audits, purpose of obtaining data on post-
school outcomes, such as employment contractors, consultants, volunteers, and This was not an exhaustive listing of
of their former students, in order to other outside parties (i.e., nonemployees) FERPA exceptions to the general
evaluate the effectiveness of education used to conduct an audit, evaluation, or consent requirement that would permit
compliance or enforcement activities
programs. Accordingly, we believe that disclosure to non-educational State
specified in 99.35, or other institutional
our interpretation reflected in these services or functions for which the official or agencies. For example, a disclosure
final regulations reasonably permits agency would otherwise use its own without consent also may be made to
State and local educational authorities, employees. For example, a State educational non-educational State agencies pursuant
the Secretary, the Comptroller General, authority may disclose personally to the exception for lawfully issued
and the Attorney General of the United identifiable information from education subpoenas ( 99.31(a)(9)), but this was
States to have the necessary flexibility records, without consent, to an outside not included in the 2008 preamble.
attorney retained to provide legal services or Even if the preamble to the 2008 final
and discretion to determine who may
an outside computer consultant hired to regulations clearly stated that the
represent them with respect to audits develop and manage a data system for
and evaluations of Federal- or State- education records.
officials and agencies listed under
supported education programs and to 99.31(a)(3)(i) through (a)(3)(iv) could
73 FR 74806, 74825 (Dec. 9, 2008). not designate non-educational State
enforce and to comply with Federal
legal requirements that relate to such In other words, since 2008, we have agencies as their authorized
programs, subject to the requirements in included within the definition of representativeswhich it did notthe
FERPA. authorized representative any outside Department still retains the authority to
Some commenters also appear to have party used to conduct an audit, change its interpretation through notice-
misunderstood the Departments evaluation, or enforcement or and-comment rulemaking, especially in
previous interpretation of the term compliance activity specified in 99.35, light of recent legislation. Accordingly,
authorized representative and or other institutional services or because the term authorized
mistakenly assumed that the functions for which the official or representative is not defined in the
Department has historically only agency would otherwise use its own statute, and the America COMPETES
permitted employees and contractors of employees. These outside parties were Act and ARRA have provided evidence
FERPA-permitted entities to serve as required to be under the direct control of Congressional intent to expand and
authorized representatives. This is not of an SEA pursuant to the Hansen develop SLDS to include early
the case. For instance, prior to the Memorandum; however, as we discuss childhood, postsecondary, and
issuance of the Hansen Memorandum in in further detail in the following workforce information, the Department
2003, the Department entered into a paragraphs, the Department has decided has decided to change its interpretation
memorandum of agreement with the to eliminate the Hansen Memorandums of the term authorized representative
Centers for Disease Control and direct control requirement in these final in order to permit State and local
Prevention (CDC) in which the regulations. educational authorities, the Secretary of
The statement in the preamble to the Education, the Comptroller General, and
Department designated the CDC to serve
2008 final regulations that any further the Attorney General of the United
as its authorized representative for
expansion of the list of officials and States to have greater flexibility and
purposes of collecting information
entities in FERPA that may receive discretion to designate authorized
under the Metropolitan Atlanta
education records without the consent representatives who may access PII from
Developmental Disabilities Surveillance of the parent or the eligible student
Program. education records as needed to conduct
must be authorized by legislation an audit, evaluation, or enforcement or
Further, prior to the Hansen
enacted by Congress, means that any compliance activity specified in 99.35.
Memorandum, the Department had
expansion of the current statutory In response to commenters who
provided guidance that State
exceptions to the consent requirement objected to the rescission of the Hansen
educational authorities could designate
must be authorized by Congress. Memorandums direct control
a State Unemployment Insurance
Todays change is not an expansion of requirement, the direct control
agency as an authorized representative
the statutory exceptions to the consent requirement is not found in FERPA and
for the purpose of conducting wage requirement; rather it is a modification
record matches to carry out the is inconsistent with requirements of the
of the Departments interpretation of a America COMPETES Act and ARRA.
performance reporting requirements of term used in one of FERPAs existing We do not interpret the two references
the Workforce Investment Act (WIA). statutory exceptions to consent so as to to the word officials in paragraph
Memorandum on Application of FERPA be consistent with recent developments (b)(3) of FERPA as defining who may
to Reporting for Eligible Training in the law. serve as an authorized representative of
Providers under Title I of WIA from Moreover, the 2008 FERPA the officials listed in the exception. This
Judith A. Winston, Undersecretary of amendments did not provide an would, in fact, limit those who could
the Department of Education, (January exhaustive or comprehensive list of the serve as an authorized representative to
19, 2001). exceptions to the written consent
Further, in the 2008 FERPA officials of the heads of agencies listed,
requirement that would permit which is inconsistent with the position
regulations, the term authorized disclosure to non-educational State adopted by the Hansen Memorandum.
representative was not limited to agencies. Rather, we noted that there are Rather, we interpret the word officials
employees and contractors of the some exceptions that might authorize in paragraph (b)(3) of FERPA as simply
FERPA-permitted entities. In the disclosures to non-educational State a reference back to the four officials who
preamble to those regulations, we wrote: agencies for specified purposes and are listed in the exception: the
In general, the Department has interpreted listed as examples disclosures made Secretary, the Comptroller General, the
FERPA and implementing regulations to under the health or safety emergency Attorney General of the United States,
permit the disclosure of personally exception ( 99.31(a)(10) and 99.36),
identifiable information from education
and State educational authorities.
records, without consent, in connection with the financial aid exception The 1974 Joint Statement stated that
the outsourcing of institutional services and ( 99.31(a)(4)), or pursuant to a State existing law restricts transfer, without
functions. Accordingly, the term authorized statute under the juvenile justice the consent of parents or students, of
representative in 99.31(a)(3) includes exception ( 99.31(a)(5) and 99.38). personally identifiable information
concerning a student to * * * auditors education records is restricted to audits, determinations under 47 U.S.C.
from the General Accounting Office and evaluations, or enforcement or 251(d)(2), the FWS retained ultimate
the Department of Health, Education, compliance activities. control over the delegates
and Welfare * * * 120 Cong. Rec. at The Department also disagrees that its determinations.
39863 (December 13, 1974). FERPA, definition of authorized Likewise, in adopting the definition of
however, was originally enacted on representative constitutes an unlawful the term authorized representative,
August 21, 1974. Thus, the Joint sub-delegation of authority to non- the Department is not delegating its
Statement provides little more than a Federal entities. Although U.S. Telecom statutory authority to address violations
retrospective narrative background stands for the proposition that certain of FERPA under 20 U.S.C. 1232g(f). The
regarding the exception to consent in 20 Federal agency sub-delegations are Department is simply delegating the
U.S.C. 1232g(b)(1)(C) and (b)(3), which improper, its holding is inapposite authority to the entities specified in 20
already was in existing law and was not when applied to the Departments U.S.C. 1232g(b)(1)(C) and (b)(3) to
being amended in December 1974. definition of the term authorized determine who may serve as their
Further, the Joint Statement only representative in 99.3. Unlike the authorized representatives to conduct
provides a short-hand and incomplete statutory language in 20 U.S.C. an audit, evaluation, or enforcement or
summary of this exception to consent. 1232g(b)(1)(C) and (b)(3) that compliance activity. This delegation is
Significantly, the Joint Statement omits specifically identifies authorized premised on compliance with other
many aspects of this then-existing representatives of the designated statutory and regulatory conditions, in
exception, which in addition to entities as potential recipients to whom connection with audits, evaluations, or
permitting disclosure of PII from PII from education records may be enforcement or compliance activities.
education records without consent to disclosed without consent, the Some commenters asked that we
authorized representatives of the authorizing statute at issue in U.S. expand the definition of the term
Comptroller General and the Secretary Telecom assigned the FCC the specific authorized representative to include
of Health, Education, and Welfare (as responsibility of making impairment child welfare agencies, to allow these
referred to in the Joint Statement) also determinations: agencies to monitor the educational
permitted disclosure without consent to * * * the Commission shall consider, at outcomes of children under their care
authorized representatives of State a minimum, whether(A) access to such and responsibility. Paragraph (b)(3) of
educational authorities and an network elements as are proprietary in nature FERPA, however, does not allow this
administrative head of an education is necessary; and (B) the failure to provide expansion of the purposes for which PII
access to such network elements would from education records may be used by
agency. See section 513 of Pub. L. 93 impair the ability of the telecommunications
380 (August 21, 1974). Further, this then authorized representatives. While we
carrier seeking access to provide the services agree that authorized representatives of
existing exception to consent permitted that it seeks to offer.
State educational authorities may
disclosure of PII from education records
See 47 U.S.C. 251(d)(2). The U.S. generally include child welfare
without consent not only for the Telecom court rejected the FCCs agencies, authorized representatives
conduct of audits by auditors (as argument that it possessed the may only access PII from education
referred to in the Joint Statement), but presumptive authority to sub-delegate records under paragraph (b)(3) of
also for the conduct of evaluations and its statutory decisionmaking FERPA in order to conduct audits,
the enforcement of Federal legal responsibilities to any party absent evaluations, or enforcement or
requirements. Id. congressional intent to the contrary. In compliance activities.
While we support the efforts in the this case, however, the Department is Changes: None.
Hansen Memorandum to protect student not attempting to delegate its Comment: One commenter expressed
privacy, the Hansen Memorandums decisionmaking authority and is only concern about being held responsible
direct control requirement resulted in permitting authority for an audit, for the disclosure of PII from education
State and local educational authorities evaluation, or enforcement or records to an authorized representative
engaging in convoluted processes to compliance activity to be delegated to over which it does not have direct
conduct an audit, evaluation, or authorized representatives of FERPA- control, such as another State agency, if
enforcement or compliance activity that permitted entities, as Congress the authorized representative
may serve only to increase costs and specifically identified in FERPA. improperly rediscloses that information.
lessen privacy protection. Student U.S. Telecom is similarly This commenter, therefore,
privacy can be protected without having distinguished in Fund for Animals v. recommended that the FERPA
to prohibit disclosure of PII from Norton, 365 F. Supp. 2d 394 (S.D.N.Y. regulations provide that a State or local
education records to other entities in 2005), which held that the Fish and educational authority is not required to
order to conduct an audit, evaluation, or Wildlife Service (FWS) did not act comply with FERPA in regard to PII
enforcement or compliance activity. unlawfully by delegating limited from education records that it discloses
Although increased data sharing may authority over management of to an authorized representative over
result from our definition of authorized cormorant populations to regional FWS which it does not have direct control. In
representative, it still would only be and State wildlife services directors, the alternative, this commenter
permitted under the terms of the State agencies, and federally recognized requested that the regulations clarify
exception. To disclose PII from Indian Tribes. Fund for Animals that a State or local educational
education records without consent to an emphasized that FWS delegation was authority retains control over the entity
authorized representative (other than an not inconsistent with the statutory or individual designated as its
employee), the exception requires requirements and thus was entitled to authorized representative through the
written agreements and the use of deference under the Supreme Courts required written agreement to ensure PII
reasonable methods to ensure to the decision in Chevron U.S.A. Inc. v. from education records is protected
greatest extent practicable FERPA NRDC, 467 U.S. 837 (1984). Id. at 410 from unauthorized redisclosure.
compliance by an authorized 11. Unlike the FCCs wholesale Discussion: Like any disclosing entity,
representative. Further, an authorized delegation to State commissioners of its State or local educational authorities
representatives use of PII from statutory responsibility to make access have an important responsibility to
protect the privacy of PII from education constitutes a legitimate interest in agencies or other entities responsible for
records. To carry out this responsibility, receiving PII from education records. an education program, as that term was
a State or local educational authority We have not required that authorized defined in the NPRM, are educational
must use reasonable methods to ensure representatives have legitimate authorities for the limited purpose of
to the greatest extent practicable that its educational interests in receiving PII the administration of their Federal- or
authorized representative is complying from education records, as suggested by State-supported education programs and
with FERPA. A disclosing State or local the commenter, because we already that such entities are subject to the
educational authority, such as an SEA, require in 99.31(a)(1) of the current enforcement powers of the Department.
also must enter into a written agreement regulations that educational agencies Discussion: We did not propose in the
with its authorized representative that and institutions must determine that NPRM to define the term State and
details the responsibilities of both school officials have legitimate local educational authorities, which is
parties to protect the PII from education educational interests. Because used in 99.31(a)(3). Therefore, we do
records disclosed to the authorized authorized representatives differ from not believe it is appropriate to define
representative by the educational school officials and may receive PII this term without providing the public
authority. If the State or local from education records only for with notice and the opportunity to
educational authority, such as an SEA, statutorily-specified purposes, we refer comment on a proposed definition.
does not have confidence that the to the interests of authorized Further, we do not agree that every
authorized representative will meet its representatives in receiving PII from entity that is responsible for an
responsibilities under the written education records as legitimate education program would be
agreement to protect PII from education interests. considered a State or local educational
records, the State or local educational Changes: We have revised authority. As explained earlier in the
authority should not authorize the 99.35(a)(3)(v) to substitute the phrase preamble, the Department has generally
individual or entity as a representative. authorized representatives with interpreted the term State and local
The Department would be abdicating its legitimate interests in the audit or educational authorities to mean LEAs,
responsibility under FERPA to protect evaluation of a Federal- or State- SEAs, State postsecondary
the privacy of PII from education supported education program or for commissions, BIE, or entities that are
records if we released a State or local compliance or enforcement of Federal responsible for and authorized under
educational authority from legal requirements related to these State or Federal law to supervise, plan,
responsibility when it discloses PII from programs for the phrase authorized coordinate, advise, audit, or evaluate
education records to an authorized representatives with legitimate elementary, secondary, or
representative that is not under its interests. postsecondary education programs and
direct control, such as another State Comment: Some commenters services in the State. Thus, we would
agency. indicated that the proposed definition of not consider individual schools or early
Changes: None. authorized representative should be learning centers to be State or local
Comment: One commenter stated that, amended so that authorized educational authorities. Finally, the
because the definition of authorized representatives may use PII from Departments enforcement powers with
representative would allow any education records for any compliance or respect to a State or local educational
individual or entity to be designated as enforcement activity in connection with authority are dependent on whether the
an authorized representative, the State legal requirements that relate to educational authority receives funding
Department appears to be adopting a Federal- or State-supported education under a program administered by the
position under which an authorized programs, as opposed to just Federal Secretary. If an educational authority
representative is not required to have a legal requirements. does not receive such funding, then the
legitimate educational interest to Discussion: The Department lacks the Departments only FERPA enforcement
receive PII from education records statutory authority to make the measure would be the five-year rule.
under the audit or evaluation exception. requested change to expand the Changes: None.
Discussion: We believe the regulations disclosures of PII from education Comment: Several commenters stated
clearly articulate that a FERPA- records permitted without consent to that the Department should adopt
permitted entity may only disclose PII include compliance or enforcement additional remedies or sanctions to hold
from education records to an authorized activity in connection with State legal authorized representatives accountable.
representative under the audit or requirements that relate to Federal- or Discussion: FERPA authorizes the
evaluation exception if the authorized State-supported education programs. Secretary to pursue specific remedies
representative will use PII from Specifically, section (b)(3) and (b)(5) of against recipients of funds under
education records for one of the FERPA only permit the disclosure of PII programs administered by the Secretary.
statutorily-specified purposes, i.e., if it from education records, without Congress expressly directed the
is needed to conduct audits, consent, in connection with the Secretary to take appropriate actions
evaluations, or enforcement or enforcement of the Federal legal to enforce FERPA and to deal with
compliance activities. We have revised requirements that relate to Federal- or violations of its terms in accordance
the regulations regarding written State-supported education programs. with [GEPA]. 20 U.S.C. 1232g(f). In
agreements between FERPA-permitted Accordingly, the Department is unable GEPA, Congress provided the Secretary
entities and their authorized to expand the permitted disclosures of with the authority and discretion to take
representatives to include a requirement PII from education records to include a enforcement actions against any
that the written agreement establish the compliance or enforcement activity in recipient of funds under any program
policies and procedures that limit the connection with State legal administered by the Secretary for
use of PII from education records to requirements. failures to comply substantially with
only authorized representatives for Changes: None. FERPA (or other requirements of
statutorily-specified purposes. If an Comment: One commenter also applicable law). 20 U.S.C. 1221 and
authorized representative receives PII requested that, in lieu of the proposed 1234c(a). GEPAs enforcement methods
from education records for one of these definition of authorized expressly permit the Secretary to issue
statutorily-specified purposes, then this representative, we provide that State a complaint to compel compliance
through a cease and desist order, to proposed regulations. Others criticized education records to authorized
recover funds improperly spent, to the failure of the proposed regulations representatives.
withhold further payments, to enter into to require specific reasonable methods, While the Department declines to
a compliance agreement, or to take any contending that the Department was impose specific requirements for
other action authorized by law, taking steps to allow more access to PII reasonable methods, we are issuing non-
including suing for enforcement of from education records but was not regulatory guidance on best practices for
FERPAs requirements. 20 U.S.C. 1234a, taking commensurate steps to prevent reasonable methods as Appendix A.
1234c(a), 1234d, 1234e; 1234f; 34 CFR misuse of PII from education records Variations of the elements appear in
99.67(a); see also United States v. Miami being disclosed. One commenter Appendix A as best practices for written
Univ., 294 F.3d 797 (6th Cir. 2002) requested further clarification on the agreements. In the following paragraphs,
(affirming district courts decision that expected enforcement actions the we provide a summary and discussion
the United States may bring suit to Department would take if an LEA or of the various suggestions for reasonable
enforce FERPA). Thus, if an authorized SEA did not use reasonable methods to methods the Department received in
representative receives funds under a ensure that its authorized response to the NRPM, and discuss
program administered by the Secretary, representatives were in compliance with whether we consider them best
the Department has the authority to FERPA before disclosing PII from practices. Please note that Appendix A
enforce failures to comply with FERPA education records to them. may also include best practices that
under any of GEPAs enforcement Discussion: The Department proposed were not mentioned by commenters, but
methods. If an authorized representative the reasonable methods requirement to that the Department believes would
does not receive funds under a program increase accountability so that FERPA- result in both increased data and
administered by the Secretary and permitted entities disclosing PII from privacy protection.
improperly rediscloses PII from Reasonable methods are those actions
education records hold their authorized
education records, then the only remedy the disclosing FERPA-permitted entity
representatives accountable for
available under FERPA against the would take to ensure to the greatest
complying with FERPA. FERPA-
authorized representative would be for extent practicable that its authorized
permitted entities must monitor the data
the Department to prohibit the representative complies with FERPA.
handling practices of their own
disclosing educational agency or The disclosing FERPA-permitted entity
employees. They must also use
institution from permitting the should generally take most of these
reasonable methods to ensure FERPA
authorized representative from actions by requiring them in its written
compliance to the greatest extent
accessing PII from education records for agreement with its authorized
practicable by their authorized
a period of not less than five years. 20 representative. Many commenters
representatives. The Department discussed how reasonable methods
U.S.C. 1232g(b)(4)(B). These are the only believes that FERPA-permitted entities
remedies available to the Department to could ensure FERPA compliance, but
should be accorded substantial some commenters suggested that these
enforce FERPA. Remedies, such as flexibility to determine the most
assessing fines against any entity that techniques be required for FERPA-
appropriate reasonable methods for permitted entities in addition to their
violates FERPA, are not within the their particular circumstances. In other
Departments statutory authority. authorized representatives. While this is
words, what constitutes a reasonable beyond the scope of the reasonable
Under the FERPA regulations, and in
method for ensuring compliance is not methods contemplated in the
accordance with its longstanding
practice, the Department only will take a one-size-fits-all solution; there are regulations, the best practices that the
an enforcement action if voluntary numerous actions a FERPA-permitted Department provides apply equally to
compliance and corrective actions entity may take to ensure to the greatest other entities as a starting point for good
cannot first be obtained. If the violating extent practicable FERPA compliance data governance, the responsible use of
entity refuses to come into voluntary by its authorized representatives. data, and the protection of student
compliance, the Department can take Nonetheless, while the Department is privacy.
the above listed enforcement actions. granting more flexibility to determine The Department has already produced
However, in addition to these statutorily appropriate reasonable methods given several technical briefs that address
authorized remedies, we encourage the specific circumstances of the data many of the suggestions the Department
FERPA-permitted entities to consider disclosure, the Department will received on reasonable methods and
specifying additional remedies or consider a FERPA-permitted entity written agreements: Basic Concepts
sanctions as part of the written disclosing PII from education records to and Definitions for Privacy and
agreements with their authorized its authorized representative without Confidentiality in Student Education
representatives under 99.35 in order to taking any reasonable methods to be in Records, Data Stewardship: Managing
protect PII from education records. violation of FERPA and subject to Personally Identifiable Information in
Written agreements can be used to enforcement actions by the Department. Electronic Student Education Records,
permit increased flexibility in sanctions, It is worth noting that the FERPA and Statistical Methods for Protecting
to the extent that the desired sanction is regulations already require that Personally Identifiable Information in
permitted under law. educational agencies and institutions Aggregate Reporting. The briefs can be
Changes: None. use reasonable methods such as access found at http://nces.ed.gov/programs/
controls so that school officials only ptac/Toolkit.aspx?section=
Reasonable Methods ( 99.35(a)(2)) may access those education records in Technical%20Briefs. The Department is
Comment: Commenters were split on which they have a legitimate continually looking to improve the best
whether it was appropriate to define educational interest. See practices information found in the briefs
reasonable methods in the 99.31(a)(1)(ii). The lack of specificity and encourages comments and
regulations. Some commenters agreed in 99.31(a)(1)(ii) is appropriate, given suggestions to be emailed to the
that the Department should not variations in conditions from school-to- Department at SLDStechbrief@ed.gov.
prescribe reasonable methods in the school. The Department believes similar As with the best practices in Appendix
regulations and welcomed the flexibility is appropriate when FERPA- A to this document, these briefs serve as
additional flexibility offered by the permitted entities disclose PII from resources for practitioners to consider
adopting or adapting to complement the previous record of improperly about FERPA and how to protect PII
work they are already doing; they are disclosing PII from education records from education records, or the FERPA-
not one-size-fits-all solutions. and that it is not currently under permitted entity may want to train its
Changes: None. suspension from any State or local authorized representatives itself.
Comment: One commenter objected to educational authority for inappropriate As these are best practices, it is up to
the use of the word ensure, as it was disclosure of student data. Multiple the FERPA-permitted entities to
proposed in 99.35(a)(2), stating the commenters also suggested that the determine which actions are appropriate
term was unrealistic and misleading Department publish a list of individuals based on the circumstances; it is their
as nothing could definitively ensure that or entities we found to have violated responsibility to determine whether
FERPA violations would not happen. FERPA and against which we have their authorized representatives
Discussion: The Department agrees taken enforcement actions. Some understand their obligations under
with the commenter and is changing the commenters stated that reasonable FERPA and whether they are likely to
language concerning reasonable methods should include verifying that comply with FERPAs requirements. For
methods in 99.35(a)(2) to clarify that the authorized representative is not on example, even if an authorized
we expect FERPA-permitted entities to that list published by the Department, representative discloses a past FERPA
be responsible for using reasonable while others suggested that individuals violation, a FERPA-permitted entity
methods to ensure to the greatest extent and entities on the list should be may nonetheless determine that the
practicable that their authorized prevented from entering into future circumstances are such that it is still
representatives protect PII from written agreements with all other appropriate to disclose PII from
education records in accordance with FERPA-permitted entities, not just the education records to that individual or
FERPA. FERPA-permitted entity whose data entity. The disclosing entity should take
Changes: Section 99.35(a)(2) has been were mishandled. all factors into account, including the
revised to state that FERPA-permitted Discussion: The Department agrees length of time since the violation,
entities are responsible for using that it is vital to verify that the subsequent good behavior, corrective
reasonable methods to ensure to the individual or entity acting as an actions taken to negate the possibility of
greatest extent practicable that any authorized representative has proven any similar future violations, etc.
entity or individual designated as its that it is trustworthy and has policies For the time being, the Department
authorized representative protects PII and procedures in place to continue that has decided not to implement the idea
from education records. record. While the Department will not of compiling a list of FERPA violators.
Comment: The Department received mandate any specific requirements, the The Department believes that a public
multiple suggestions on actions a best practices for reasonable methods in list of entities that have violated FERPA
FERPA-permitted entity should take to Appendix A include: is an intriguing idea and will continue
verify that its authorized representative Verify the existence of disciplinary to keep this idea in mind and possibly
is trustworthy and has a demonstrated policies to protect data. The FERPA- implement it at a later date.
track record of protecting data permitted entity may want to verify that The Department declines to broaden
responsibly. Several comments its authorized representative has the requirement that, under the five-year
suggested the need to verify that an appropriate disciplinary policies for rule, the authorized representative is
authorized representative has employees that violate FERPA. This can prevented only from receiving PII from
disciplinary policies and procedures in include termination in appropriate education records from the educational
place to ensure that employees who instances. agency or institution that originally
violate FERPA are dealt with Know to whom you are disclosing disclosed the PII from education
appropriately, including possible data. The FERPA-permitted entity may records. The statutory language is clear
termination of employment. Others want to require its authorized that the five-year rule only permits the
suggested that individuals accessing PII representative to conduct background Department to prohibit further
from education records as authorized investigations of employees who will disclosures from the educational
representatives should be required to have access to PII from education agenc(ies) or institution(s) which
undergo criminal background checks. A records, or it may want to conduct these maintained the original education
number of commenters suggested that investigations itself. Additionally, the records from which PII was improperly
the Department require verification that FERPA-permitted entity may want to redisclosed.
the authorized representative has a require its authorized representative to If an authorized representative is
training program to teach employees disclose past FERPA or data alleged to have violated FERPA, the
who will have access to PII from management violations. If the FERPA- Department will also investigate the
education records about their permitted entity discovers past complaint to determine the extent to
responsibilities under FERPA. A violations, it would want to explore the which the disclosing FERPA-permitted
common suggestion was to require the circumstances behind the violation, and entity employed reasonable methods.
authorized representative to verify that discover all information that would The Departments investigation will
it has no previous record of improperly allow it to make an informed judgment consider the reasonable methods taken
disclosing PII from education records. on whether the individual or entity is and the specific circumstances of the
One possible method of corroboration likely to be a responsible data steward. disclosure.
included requiring the authorized This may include discovering whether Changes: None.
representative to divulge under penalty the violation was covered up, including Comment: Numerous commenters
of perjury, both to the entity disclosing if it was voluntarily reported to affected suggested that FERPA-permitted entities
the data and to the general public, students or FPCO, and whether should require their authorized
parents, and students, whether it has appropriate breach response procedures representatives to use specific data
violated any written agreements or were followed. security methods in order to ensure
otherwise inappropriately disclosed Verify training. The FERPA- FERPA compliance. Many commenters
FERPA-protected data. Another permitted entity may want to verify that provided suggestions for data security
suggested receiving assurances that the its authorized representative has a methods, including: Requiring strong
authorized representative has no training program to teach its employees encryption, publishing security
guidelines, instituting dual-key login, elements, including requirements organizations policies and procedures
preparing formal security assessments, related to encryption, where the data to protect privacy and data security,
instituting a security audit program, can be hosted, transmission including the ongoing management of
completing formal risk assessments, methodologies, and provisions to data collection, processing, storage,
monitoring security events, creating prevent unauthorized access. maintenance, use, and destruction. The
data disposal procedures, implementing Changes: None. plan could also include designating an
access controls, and monitoring Comment: Some commenters individual to oversee the privacy and
physical security controls, including suggested that the Department mandate security of the PII from the education
what people keep on their desks and that FERPA-permitted entities require records it maintains.
printers. Several commenters stated that their authorized representatives to As with data security, it is up to the
the Department should specifically implement various practices that fall FERPA-permitted entities to determine
regulate data security, as HHS does in under the rubric of data governance. if the authorized representatives data
the Health Insurance Portability and Several commenters suggested the stewardship plan is sufficient.
Accountability Act of 1996 Security addition of various staff positions as Depending on the circumstances of the
Rule, 45 CFR 164.306 et seq. part of a proper data governance disclosure, this may include simply
Discussion: The Department does not strategy. One commenter suggested that adding a description of the data
believe it is appropriate to regulate the Department require LEAs to appoint governance plan to the written
specific data security requirements formal FERPA compliance liaisons who agreement or conducting an on-site
under FERPA. The Department believes would develop FERPA policies and inspection to ensure the authorized
it is more appropriate to allow for procedures and provide professional representative is properly implementing
flexibility based on individual development to those at the LEA who its plan.
circumstances. In addition, rapid handle PII from education records. Changes: None.
changes in technology may potentially Another commenter suggested that the
Comment: Multiple commenters
make any regulations related to data FERPA-permitted entity require the
suggested ways that reasonable methods
security quickly obsolete. With the authorized representative to create an
could be used to prevent the authorized
increasing move toward mobile information security office. One
representative from improperly
computing, evolving hacking commenter recommended, that as data
governance is ultimately the redisclosing PII from education records.
techniques, and the push toward ever
responsibility of everyone in an Some commenters expressed concern
stronger encryption standards, we
organization, that the FERPA-permitted that there is no bright line rule for how
believe that it is inadvisable to establish
entity should require its authorized long PII from education records could
specific regulations in this area.
Still, the Department recognizes the representative to adopt a formal be maintained by an authorized
important need, especially with the governance plan that includes all levels representative before it was required to
development of SLDS, for authorized of stakeholders, such as management, be destroyed or returned. One
representatives to have strong data the policy team, data providers, and commenter suggested a period of five
security policies and programs in place. data consumers. The same commenter years should be mandated as the
Data security is also an essential part of recommended that the Department maximum time PII from education
complying with FERPA as violations of require FERPA-permitted entities to records could be kept. Others expressed
the law can occur due to weak or have a formal communications plan so the view that exact timelines for keeping
nonexistent data security protocols. As expectations regarding the governance data were not warranted. Some
such, the Department is adding the plan are known to everyone. requested that the Department clarify
following to its best practices, which are Discussion: The Department declines how PII from education records can be
included as Appendix A to this to regulate specific data governance retained for purposes of long-term
document: requirements, as we prefer to grant analysis.
Verify the existence of a sound data FERPA-permitted entities the flexibility Several commenters asked the
security plan. to determine the appropriate elements Department to require a formal process
The FERPA-permitted entity may for their authorized representatives to to document the destruction or return of
wish to verify before disclosing PII from include in a comprehensive governance the disclosed PII from education
education records that its authorized plan. The Department is adding the records, such as a notarized letter, to
representative has a sound data security following element to the best practices ensure that both the disclosing FERPA-
program, one that protects both data at for reasonable methods in Appendix A: permitted entity and the authorized
rest and data in transmission. A FERPA- Verify the existence of a data representative are upholding their
permitted entity has a responsibility to stewardship program. The FERPA- responsibilities. Some commenters
determine if its authorized permitted entity may want to examine argued that this type of process would
representatives data security plan is its authorized representatives data be ideal as it is often too difficult for the
adequate to prevent FERPA violations. stewardship program. Data stewardship disclosing FERPA-permitted entity to
The steps that the disclosing entity may should involve internal control verify that PII from education records
need to take in order to verify a sound procedures that protect PII from has in fact been fully destroyed, and
data security program are likely to vary education records and include all that the authorized representative did
with each situation. In some cases, it aspects of data collectionfrom not maintain some electronic copy of
may suffice to add language to the planning to maintenance to use and the PII. If such a notarized statement
written agreement that states what data dissemination. The Department believes were required, one commenter then
security measures are required. In other that a good data stewardship plan asserted that the FERPA-permitted
cases, it may be more prudent for the would have support and participation entity making the disclosure be held
FERPA-permitted entity to take a hands- from across the organization, including harmless if its authorized representative
on approach and complete a physical the head of the organization, nonetheless maintained a copy of the
inspection. Additionally, the FERPA- management, legal counsel, and data data. Others stated that there should be
permitted entitys written agreements administrators, providers, and users. more flexibility, such as permitting the
could specify required data security The plan should detail the storage of PII from education records in
secure archives as opposed to fully that should be corrected. The NPRM detailed in the written agreement to
returning or destroying it. provided that in some instances data help ensure that unauthorized
The Department also received must be destroyed when no longer redisclosures do not happen.
comments suggesting that we limit the needed, and that the data must be In addition, the FERPA-permitted
number or nature of data elements in PII returned or destroyed in other instances. entities might wish to maintain the right
from education records that can be We believe the reference to returning to conduct monitoring and audits of the
disclosed or included in an SLDS, data was more appropriate in a paper- authorized representatives processes,
including how that data could based environment, and that destroying procedures, and systems. If the FERPA-
potentially be linked to other data is the more appropriate action permitted entities decide to exercise this
information. The Department received when discussing electronic records. An right, they should be free to choose who
comments stating that FERPA-permitted entity could elect to destroy the data in should conduct the audits or monitoring
entities should be given the right to question by returning the original file activities, whether it is themselves or an
review any document being published and erasing all versions of the data from external third party, and if the results
by the authorized representative that its servers. should be made public. The Department
uses the disclosed PII from education Accordingly, we have decided to declines to regulate on this issue as we
records to ensure that proper disclosure remove the proposed requirements in do not believe that it will always be
avoidance techniques were used to 99.35(a)(3)(iii) and (a)(3)(iv) that necessary to conduct such audits or
prevent an unauthorized disclosure. permitted an authorized representative monitoring activities. The parties to the
Finally, several commenters requested to return PII from education records to data disclosure agreement can
that reasonable methods include a the FERPA-permitted entity, in lieu of determine if such activity is warranted
provision that would allow the destroying such information, in order to based on criteria, such as the scope or
disclosing FERPA-permitted entity correct the inconsistency. duration of the audit, evaluation, or
access to the authorized representatives While the Department is not enforcement or compliance activity.
policies, procedures, and systems to regulating on this particular process, Based on the discussion in this
conduct monitoring and audit activities when assessing responsibility, if the section, we are including the following
to ensure the authorized representative Department finds that PII from elements in Appendix A as best
is taking all necessary steps to protect education records has not been practices for FERPA-permitted entities
the PII from education records. Some appropriately destroyed by an to consider when implementing
commenters stated that these audits authorized representative, the reasonable methods.
should be completed by independent Department would review all of the Convey the limitations on the data.
third parties. Other commenters reasonable methods taken by the A FERPA-permitted entity should take
requested that the results of the audits disclosing FERPA-permitted entity, steps to ensure that its authorized
be disclosed to the public. such as if the written agreement representative knows the limitations on
Discussion: The Department believes included a formal process to verify the the use of the data (i.e., that the data is
that outlining the time period that an destruction of PII from education only to carry out the audit or evaluation
authorized representative can maintain records. of Federal- or State-supported education
data for the purpose of an audit, The Department is not addressing programs, or to enforce or to comply
evaluation, or enforcement or through the FERPA regulations the with Federal legal requirements that
compliance activity is extremely number or nature of elements that can relate to those programs).
important, which is why it is one of the be disclosed, included in an SLDS, or Obtain assurances against
minimum required components of the linked to other elements. As stated redisclosure. A FERPA-permitted entity
written agreement (see 99.35(a)(3)(iv)). earlier, FERPA is not a data collection should obtain assurances from its
Nonetheless, the Department declines to statute, and it is beyond the scope of the authorized representative that the data
specify a set period of time in the statute to address these issues in these will not be redisclosed without
regulations for data retention, as the regulations. So long as all requirements permission, including such assurances
necessary amount of retention time is of FERPA are met, the parties to the that the authorized representative will
highly fact specific. For example, if an agreement have the flexibility to provide the FERPA-permitted entity (the
SEA is disclosing PII from education determine what elements should be disclosing entity) the right to review any
records to an authorized representative disclosed and how they can be data prior to publication and to verify
for an evaluation that is expected to take combined with other elements. Still, the proper disclosure avoidance techniques
six months, it may be, depending on the FERPA regulations require that PII from have been used.
circumstances of the evaluation, education records may not be used for Be clear about destruction. A
reasonable to require that the authorized any purpose other than the audit, FERPA-permitted entity should set clear
representative to destroy the disclosed evaluation, or enforcement or expectations so its authorized
PII in six months. If, however, an SEA compliance activity that prompted the representative knows what process
is disclosing PII from education records original disclosure. needs to be followed for the proper
to a regional entity for a longitudinal, It is important that the authorized destruction of PII from education
multi-year evaluation, the written representative not purposely or records.
agreement might specify that data inadvertently redisclose PII from Maintain a right to audit. A FERPA-
retention would be reviewed annually, education records inappropriately. For permitted entity should maintain the
with data elements being retained or example, the written agreement could right to conduct audits or other
destroyed as appropriate. The reflect the expectations that the FERPA- monitoring activities of the authorized
Department believes it is important to permitted entities have of the representatives policies, procedures,
leave the determination of the authorized representatives when it and systems.
appropriate time period up to the comes to making the data public. Disclose only PII from education
parties to the agreement. Methods, such as using disclosure records that is needed. When the
The comments about methods for avoidance techniques or exercising the FERPA-permitted entity considers
destruction do, however, point out a right to review and approve any reports disclosing PII from education records to
potential inconsistency in the NPRM using the data before release, can be an authorized representative for an
audit, evaluation, or enforcement or Discussion: The Department proposed mentioned in the comments, but the
compliance activity, it may want to adding a new 99.35(a)(3) to require adoption of which the Department
explore which specific data elements written agreements when FERPA- believes would result in increased
are necessary for that activity and permitted entities designate an accountability for all parties to the
provide only those elements. FERPA- authorized representative (other than an agreement. At this time the Department
permitted entities should take care to employee) under the audit or evaluation is not providing a model template for a
ensure that they are not disclosing more exception. The proposal included written agreement but intends to issue
PII from education records than needed several specific provisions that must be one as additional non-regulatory
for the stated activity and purpose. included in written agreements: (1) guidance at a later date. It is also worth
FERPA-permitted entities should also Designate the individual or entity as an noting that the studies exception has
explore whether PII from education authorized representative; (2) specify had a requirement for written
records is actually required, or whether the information to be disclosed and that agreements since 2008. The matters
de-identified data would suffice. the purpose for which the information discussed here logically apply to PII
Changes: The Department has is disclosed to the authorized from education records disclosed under
removed the proposed requirement in representative is to carry out an audit or both the studies and audit or evaluation
99.35(a)(3)(iii) and (a)(3)(iv) that evaluation of Federal- or State- exceptions. It is only through the use of
permitted an authorized representative supported education programs, or to written agreements that parties can
to return PII from education records to enforce or to comply with Federal legal establish legally binding roles and
the FERPA-permitted entity, in lieu of requirements that relate to those responsibilities.
destroying such information, in order to programs; (3) require the authorized We specifically carve out employees
be more consistent with the statute and representative to destroy or return to the from the written agreement
to correct an inconsistency in the State or local educational authority or requirements reflected in 99.35(a)(3)
NPRM. agency headed by an official listed in because the Department is not requiring
99.31(a)(3) personally identifiable written agreements when FERPA-
Written Agreements ( 99.35(a)(3)) information from education records permitted entities use their own
when the information is no longer employees to conduct audits,
Comment: As with reasonable
needed for the purpose specified; (4) evaluations, or compliance or
methods, the Department received
specify the time period in which the enforcement activities. Agreements
mixed comments on the value of the under the audit or evaluation exception
information must be returned or
proposed written agreement are only necessary when an authorized
destroyed; and (5) establish policies and
requirement and suggestions for how to representative is selected that is outside
procedures consistent with FERPA and
improve it. One commenter, while of the organization disclosing the data.
other Federal and State confidentiality
approving of the written agreement Employees have an inherently different
and privacy provisions to protect
provision, expressed concern that the relationship with their employing
personally identifiable information from
proposed changes would relieve data organization than does an outside
education records from further
recipients of responsibility for actually disclosure (except back to the disclosing entity. It is important that any
implementing protections, theorizing entity) and unauthorized use, including organization with access to PII from
that the agreements would require only limiting use of personally identifiable education records train its employees
that policies and procedures be information to only authorized about their responsibilities under
established, rather than the inclusion of representatives with legitimate interests. FERPA, including proper data
any provisions providing true While the Department agrees that it is governance and data security
accountability. Other commenters vital that written agreements clearly set procedures. We would expect, therefore,
requested that the Department provide forth all parties obligations with respect that organizations would establish
the flexibility to FERPA-permitted to PII from education records, the conditions of employment for their
entities to draft agreements that meet Department believes that it would be employees that are consistent with the
the needs and requirements of the inappropriate to be more prescriptive components required of written
circumstances of the data disclosures than the specific safeguards and agreements under 99.35(a)(3) and that
and the requirements of the relevant provisions we are including in these violations of those conditions would
State and local laws. One requester regulations. The Department believes result in disciplinary actions, up to and
asked the Department to add the phrase that it is more appropriate to provide including termination.
including but not limited to when the parties to the agreements with the The Department declines to add the
referring to the specific requirements of flexibility to draft written agreements suggested including but not limited to
written agreements as laid out in the that meet the specific needs of the language when referring to the
NPRM. Several commenters requested circumstances surrounding the data minimum written agreement provisions
further guidance on written agreements, disclosure. In addition, the Department specified in the regulations. The
including asking the Department to defers to State law governing contracts language in the final regulations, as
provide a model template. One and written agreements, including the proposed in the NPRM, reads that the
commenter asked the Department to imposition of allowable sanctions. written agreement must include these
provide clarity around why the other While the Department declines to provisions but does not indicate that
than an employee language is included impose additional requirements for these are the only provisions that can be
in the written agreement requirement. written agreements, the Department is included in the written agreement. As
Another commenter requested that the including in Appendix A a summary of such, the Department believes that the
Department replace the term written best practices for written agreements. In including but not limited to language
agreement with data exchange the following discussion, we address is implied and therefore unnecessary.
agreement because the commenter comments and suggestions the Likewise, the Department declines to
believed the written agreement term Department received and whether the change the term written agreement to
is too vague and data exchange Department considers these best data exchange agreement. Written
agreement is the standard information practices. Appendix A also includes agreement is a general term that would
security term. best practices that have not been include the more specific data
exchange agreement. The Department in order for the public to provide Department to mandate, as a condition
is leaving it up to the discretion of the oversight regarding the appropriateness of data disclosure, that the written
parties to the agreement to decide how of the data disclosures. agreements include contractual
the agreement may be termed, whether Discussion: The Department concurs safeguards such as liquidated damage
that be written agreement, contract, that transparency is important to provisions for breach of the agreement
memorandum of understanding, data ensuring the accountability of all and third party beneficiary status for
exchange agreement, or some other parties. While we decline to issue individuals whose PII from education
term. regulations requiring it, we suggest that records is disclosed.
Changes: None. FERPA-permitted entities post Discussion: The Department agrees
Comment: Several commenters substantive information on their Web with many of the suggestions included
seemed to misinterpret one of the sites or in other public locations about in these comments; however, we decline
Departments proposed required the disclosure of PII from education to incorporate them as regulatory
components of the written agreement: records, including the written requirements. Rather, many suggestions
Specify the information to be disclosed agreements governing data disclosures have been included as best practices for
and that the purpose for which the and information about specific projects written agreements in order to provide
information is disclosed to the and uses. As such, we have added the FERPA-permitted entities with the
authorized representative is to carry out following to Appendix A as a best flexibility to craft provisions in the
an audit or evaluation of Federal or practice: written agreements that meet their
State supported education programs, or Inform the public about written specific needs and the circumstances of
to enforce or to comply with Federal agreements. Transparency is a best the data disclosures. The Department
legal requirements that relate to those practice. The FERPA-permitted entity agrees that the written agreements must
programs. These commenters stated might want to post its data sharing comply with all applicable laws at the
that the Department was requiring the agreements on its Web site, or provide Federal, State, and local levels. This
written agreement to include the some equivalent method to let would include any State data security
purposes for which the information is interested parties know what data it is laws. The Department cannot regulate
being disclosed. Others noted that sharing, the reasons it is being through FERPA on whether IRB review
anytime PII from education records is disclosed, and how it is being protected. and approval is necessary or prudent.
shared through one of the exceptions to While the Department generally On the other hand, if the circumstances
the general consent rule under FERPA, recommends public posting of written surrounding the audit, evaluation, or
the specific reasons for that disclosure agreements, parties are encouraged to enforcement or compliance activity
should be clearly stated. review their contractual data security dictate that IRB involvement is required,
Discussion: The Department originally provisions carefully and redact, prior to it would be a best practice for the
only proposed that a written agreement publication, any provisions that may aid written agreement to reflect that. It
include a statement that the purpose of those seeking unauthorized access to should be noted, however, that the
the disclosure was for an audit, systems. In certain instances a separate amendments are not intended to
evaluation, or enforcement or confidential IT Security Plan may be supersede the research regulations
compliance activity. The NPRM did not appropriate. under the Common Rule that apply to
include a requirement to describe the Changes: None. Federally funded research of
details of the activity or why PII from Comment: The Department received educational data that qualifies as human
education records was a necessary multiple suggestions on ways to subject research. This includes the
component to the activity. Based on the increase the legal protections offered by requirement that the researcher receive
comments we received, the Department the written agreements. Several a waiver from an IRB if they intend to
is revising the regulations to require that commenters requested that the conduct research with identifiable
written agreements include a Department explicitly require that the information without consent of the
description of the audit, evaluation, or written agreements comply with all participants.
enforcement or compliance activity. applicable laws, whether at the Federal, The Department also agrees that it is
Changes: Section 99.35(a)(3)(ii)(C) is State, or local level. One commenter sensible to list the express or implied
added to require that the written specifically mentioned ensuring legal authority that permits the data
agreement include a description of the compliance with State data security disclosure and the audit, evaluation, or
activity with sufficient specificity to laws and policies. Several commenters enforcement or compliance activity. As
make clear that the work falls within the requested the inclusion of provisions stated elsewhere in this document,
exception of 99.31(a)(3), including a that would ensure that Institutional FERPA itself does not grant the
description of how the personally Review Board (IRB) protocols are in authority for these activities, and the
identifiable information from education place and properly implemented. existence of this authority is generally a
records will be used. Another commenter requested that the matter of other Federal, State, and local
Comment: Several commenters Department require the written laws.
suggested that FERPA-permitted entities agreement to include a provision In general, the Department agrees
should be required to provide specifying the legal authority for the with the view that written agreements
information about PII from education data disclosure in order to ensure that should be used, to the extent
records being disclosed, such as the data anyone disclosing or receiving PII from permissible under applicable State law,
elements being shared and the purpose education records has the authority to to ensure that authorized
of the disclosure, to parents and other do so. Finally, the Department received representatives (other than employees)
stakeholders. Use of a Web site for this many comments stating that increased comply with FERPA to the greatest
purpose was specifically recommended, accountability over authorized extent practicable. While the
particularly for posting the information representatives could be achieved if the Department believes that there is merit
on the minimum provisions required for Department required that written in having written agreements that
written agreements. One commenter agreements have the force of a contract clearly set forth all parties obligations
noted that it was important for the under applicable State law. Specifically, with respect to FERPA-protected
written agreements to be made available these commenters strongly urged the information, the Department believes
that it would be inappropriate to require suggested that the written agreement Discussion: As discussed earlier in
that the parties include specific include provisions for the handling of this preamble, it is not only the FERPA
contractual safeguards. The fact that the the breach, such as who would bear the regulations that govern what can be
authority to enforce FERPA lies with the costs associated with notifying those included in a written agreement. As
Department should not be taken to affected. such, it is important to address any
abrogate the responsibility that FERPA- Discussion: The Department takes remedies that are also available under
permitted entities have to protect PII seriously the suggestion that parents State law. Nonetheless, a breach of the
from education records. FERPA- and eligible students should be notified provisions in a written agreement may
permitted entities that are disclosing PII when PII from education records has also constitute a violation of FERPA and
from education records to authorized been disclosed in violation of FERPA should therefore be reported to FPCO.
representatives (other than employees) and agrees that notice should be given Changes: None.
are encouraged to provide for sanctions when there is a data security breach. Comment: None.
in their written agreements, and to However, the Department declines to Discussion: The Department wishes to
enforce those sanctions. The impose through the FERPA regulations reduce the implementation burden of
Department believes that it is specific requirements for breach the new written agreement requirement
appropriate to defer to applicable State notification. This will allow FERPA- in 99.35(a)(3) on FERPA-permitted
laws governing contracts and written permitted entities the requisite entities by only requiring that new,
agreements for purposes of safeguarding flexibility to ascertain the appropriate renewed, or amended written
FERPA-protected information. responses and approaches to their agreements with authorized
Based on these suggestions, the particular situations and to comply with representatives that are entered into on
following is being added to the best any existing Federal, State, or local laws or after the effective date of the
practices listed in Appendix A: or regulations governing breach regulations comply with the new
Identify and comply with all legal notification. requirement. The written agreement
requirements. It is important to Good data governance also includes requirement in 99.35(a)(3) must be
remember that FERPA may not be the breach notification; every organization adhered to for any new designation of
only law that governs a data sharing responsible for managing education an authorized representative that is not
agreement. The agreement could records that contain PII should maintain an employee as of the effective date of
broadly require compliance with all a breach response plan. These plans these regulations. As provided in the
applicable Federal, State, and local laws should provide specific guidelines for DATES section of the preamble, for
and regulations, and identify the legal an appropriate and timely response to a written agreements that are in place
authority (whether express or implied) breach, including a clear description of with authorized representatives prior to
that permits the audit, evaluation, or what constitutes a breach, and a the effective date of the regulations,
enforcement or compliance activity. description of the immediate steps to be FERPA-permitted entities must comply
Mention Institutional Review Board taken in the event that a breach is with the written agreement
(IRB) review and approval. While suspected. In particular, there should be requirements in 99.35(a)(3) when they
FERPA does not mention IRBs, research a designated person in the management renew or amend their agreements.
proposals involving human subjects chain who will be notified in the event Changes: None.
may have to be reviewed and approved of actual or suspected breaches. When a
by IRBs, if required under protection of breach occurs, the designated authority Protection of PII From Education
human subject regulations of the should conduct an analysis of the Records By FERPA-Permitted Entities
Department and other Federal agencies. likelihood of exposure and potential ( 99.35(b)(1))
If IRB review and approval is required harm to affected individuals. This Comment: None.
or expected, this may be noted in the analysis will inform whether Discussion: The Department wishes to
written agreement. notification is warranted and what its make the language used to refer to
Identify penalties. The agreement content may be. There should also be an FERPA-permitted entities in
could include penalties under State analysis of the circumstances that 99.35(b)(1) consistent with the
contract law such as liquidated resulted in the breach, so that the language used to refer to FERPA-
damages, data bans of varying length, system or procedures can be modified as permitted entities in 99.35(a)(2) and
and any other penalties the parties to quickly as possible to avoid further (a)(3).
the agreement deem appropriate. The breaches through the same mechanism. Changes: We have revised
FERPA-permitted entity may want its Although the Department is not 99.35(b)(1) so that it uses the term,
agreement to create third-party regulating on breach notification, the State or local educational authority or
beneficiary rights, e.g., allowing parties following is being added to the best agency headed by an official listed in
injured by a data breach to sue for practices listed in Appendix A: 99.31(a)(3), which is used in
damages. While FERPA itself has little Have plans to handle a data breach. 99.35(a)(2) and (a)(3).
flexibility for sanctions, the FERPA- While no one anticipates a data breach,
Disclosures to Organizations
permitted entity can include a wide data loss may occur. The FERPA-
Conducting Studies ( 99.31(a)(6))
range of appropriate sanctions in its permitted entity may wish to include
written agreements. specific procedures in its written Comment: A few commenters
Changes: None. agreements detailing the parties suggested that FERPAs for, or on
Comment: Several commenters expectations in the event that PII from behalf of requirement in the studies
suggested that because the disclosure of education records is lost, including exception contains a significant
PII from education records may create specifying the parties responsibilities limitation. Specifically, these
serious risks such as identify theft, the with regard to breach response and commenters suggested that the
proposed regulations should require notification and financial responsibility. exception prohibits FERPA-permitted
timely notification to parents and Changes: None. entities, such as an SEA, from
eligible students when their data has Comment: The Department received redisclosing PII from education records
been disclosed as a result of a data requests to clarify to whom breaches of that they received under one of FERPAs
security breach. Commenters also written agreements should be reported. exceptions to the general consent rule,
for, or on behalf of, the original Nevertheless, we can reasonably foresee its LEAs to further assess what programs
disclosing educational agency or instances in which these FERPA- provide the best instruction and then
institution, such as an LEA, if the permitted entities would make duplicate those results in other LEAs.
original agency or institution objected to redisclosures on behalf of an LEA or Changes: None.
the disclosure. Another commenter postsecondary institution without Comment: None.
asked that we further amend obtaining its approval. Discussion: Upon further review, we
99.31(a)(6) to permit disclosures to For instance, an SEA must have the decided to remove the proposed
organizations conducting studies for, on authority to enter into agreements with requirement in 99.31(a)(6)(iii)(C)(4)
behalf of, or in partnership with, or in researchers to conduct studies to and the requirement in
the interest of, educational agencies or improve instruction across LEAs within 99.31(a)(6)(ii)(C)(4) of the current
institutions, as determined by those its own State. Studies such as these can regulations that permitted an
agencies or institutions. help States save money and improve organization conducting a study to
Discussion: We disagree that the student outcomes by identifying return PII from education records to the
phrase for, or on behalf of prohibits effective practices and targeting limited FERPA-permitted entity, in lieu of
a disclosure to which the original resources accordingly, while destroying such information. We made
disclosing educational agency or simultaneously increasing the these changes so that the regulations are
institution objects. Historically, the transparency of taxpayer investments. more consistent with the statute, which
Department has viewed the for, or on Therefore, in order to provide greater requires the destruction of such
behalf of requirement as being based flexibility to FERPA-permitted entities, information, and to correct an
on the unstated premise that some form we interpret the phrase for, or on inconsistency in the current and
of agreement by the original disclosing behalf of to recognize both disclosures proposed regulations, which required
educational agency or institution, such for the LEA or postsecondary institution both the destruction of such information
as an LEA or postsecondary institution, that are made with the approval of the and the return or destruction of such
was a necessary prerequisite for these LEA or postsecondary institution and information. While returning the
types of disclosure. However, it has disclosures made on behalf of the LEA information to the originating entity can
become necessary for the Department to or postsecondary institution that are be a form of destruction so long as the
consider whether its interpretation made for their benefit in the absence of organization conducting the study also
concerning the for, or on behalf of their approval. properly erases all PII from education
language was fully consistent with This approach ensures that FERPA- records that is maintained in electronic
recently enacted laws. permitted entities have the necessary format, returning the information would
We have concluded that for, or on latitude to fulfill their statutory and be insufficient if the PII from education
behalf of does not require the assent of regulatory mandates. They may conduct records is continued to be maintained in
or express approval by the original studies of publicly funded education electronic format by the organization
disclosing educational agency or programs while still ensuring that any conducting the study.
institution. For example, it is not PII from education records is Changes: We have removed the
necessary for an SEA to secure the appropriately protected. FERPA permits proposed requirement in
approval of an LEA prior to making disclosure without consent to an 99.31(a)(6)(iii)(C)(4) and the
disclosures for, or on behalf of the LEA, organization conducting a study for, or requirement in 99.31(a)(6)(ii)(C)(4) of
so long as the SEA is acting with on behalf of, educational agencies or the current regulations that permitted an
express or implied legal authority and institutions for statutorily enumerated organization conducting a study to
for the benefit of the LEA. purposes. 20 U.S.C. 1232g(b)(1)(F). We return PII from education records, in
The changes to 99.31(a)(6)(ii) are see no need to deviate from the statutory lieu of destroying such information, in
necessary to clarify that while FERPA language in the regulations and agree order to be more consistent with the
does not confer legal authority on that 99.31(a)(6) permits disclosure statute and to correct an inconsistency
FERPA-permitted entities to enter into without consent to organizations in the current and proposed regulations.
agreements and act as representatives of conducting studies in partnership with
LEAs or postsecondary institutions, educational agencies or institutions, in Directory Information ( 99.3 and
nothing in FERPA prevents them from which case we would view the study as 99.37)
entering into agreements and being for the educational agencies or
redisclosing PII from education records Definition of Directory Information
institutions. Similarly, as explained
related to studies conducted on behalf ( 99.3)
earlier in this discussion, we also view
of LEAs or postsecondary institutions 99.31(a)(6) as permitting disclosure Comment: One commenter supported
under 99.31(a)(6), provided that the without consent to organizations the proposed change to the definition of
redisclosure requirements in 99.33(b) conducting studies for the benefit of directory information, which clarifies
are met. Permissive disclosures of this educational agencies or institutions, in that an educational agency or institution
type may be made notwithstanding the which case we would consider the may designate and disclose as directory
objection of the LEA or postsecondary study to be on behalf of educational information a students ID number, or
institution so long as the disclosing agencies or institutions. other unique personal identifier that is
FERPA-permitted entity has However, we disagree with the displayed on a students ID card or
independent authority to have the study contention that only an educational badge, if the identifier cannot be used to
conducted, whether expressly stated or agency or institution may make the gain access to education records, except
implied, and makes the disclosure on determination regarding whether a when used in conjunction with one or
behalf of the LEA or postsecondary study is for or on its behalf. Rather, more factors that authenticate the
institution. FERPA-permitted entities may also students identity. We also received
We anticipate that the majority of make the determination that a study is numerous comments from a variety of
redisclosures made by FERPA-permitted for the benefit of the original disclosing parties that expressed support for this
entities will be made for, or with the educational agency or institution. For change.
approval of, the original disclosing example, an SEA may conduct a study One commenter suggested that we
educational agency or institution. that compares program outcomes across remove from the definition of directory
information the items address, education records it has designated as in bar codes or magnetic stripes, as
telephone listing, and date and place directory information. If a school has needed, to avoid any privacy conflicts.
of birth, noting that the availability of the administrative capacity, it may A student stated that a university
directory information jeopardizes permit parents or eligible students to should be able to require that students
students right to privacy and makes opt out of specific items it has wear ID badges on campus in order to
identity theft easier. Another designated. However, it has been our better protect students.
commenter raised a number of concerns understanding that most schools do not Another commenter recommended
about how directory information might have the administrative capacity to that we specify which directory
affect a student who is homeless and permit parents and eligible students to information can be displayed on a
recommended that a students address opt out of some, but not all, directory student ID card or badge. Some
not be included in the definition of information. Because the disclosure of commenters asked if there would be any
directory information for a student directory information is permissive, we situations in which a student might be
who meets the definition of homeless have advised schools that they can exempted from wearing an ID badge,
child or youth under the McKinney- employ an all-or-nothing approach to such as where a student is the victim of
Vento Homeless Assistance Act. For a the disclosure of directory information. stalking at a large postsecondary
number of reasons, the commenter That is, a school may provide public institution. Another commenter
stated that disclosing a homeless notice of the items that it has designated expressed concern that including a
students address would be harmful or as directory information and permit student ID number as directory
an invasion of privacy. A few parents and eligible students to opt out information would have a negative
commenters raised concerns about what of the disclosure of the items as a whole. effect on students receiving services
they mistakenly thought was an With regard to the comment about not under the Individuals with Disabilities
expansion of the definition of directory designating an address as directory Education Act (IDEA) and raised
information by including any student information for a student who is concerns about physical safety and
ID number, user ID, or other unique homeless, as explained elsewhere, protection from identity theft. The
personal identifier used by a student for FERPA provides schools with the commenter suggested that a student ID
purposes of accessing or communicating authority to include or exclude any number or other unique identifier that
in electronic systems. items within the definition of directory may be displayed on a student ID card
Discussion: We appreciate the support information. and is designated as directory
that we received from those parties who The definition of directory information should not be usedeven
agreed with the clarification we information in FERPA is generally a in conjunction with one or more factors
proposed to the definition of directory guideline for schools to use in that authenticate the users identityto
information, and we regret any designating types of information as gain access to education records. The
confusion caused by including the directory information. A school is not same commenter supported permitting a
entire definition in the NPRM. As we required to designate all of the types of school to require a student to wear or
explained in the preamble to the NPRM, information given as examples in publicly display a student ID card or
we proposed to modify the definition of FERPA as directory information. The badge that exhibits directory
directory information only to clarify decision to designate certain types of information, as long as the student ID
that under 99.37(c)(2), an educational information as directory information, number cannot be used to gain access to
agency or institution may require such as the students address, is left to education records.
students to wear or display ID badges or the discretion of the individual A commenter also suggested that we
identity cards that display directory educational agency or institution. amend this provision to include other
information, even if the parent or the We share the concerns raised by activities for which parents and eligible
eligible student opted out of directory commenters that certain directory students cannot opt out, such as
information. The inclusion of a student information items may make identity participation in education activities that
ID number or other unique identifier in theft easier in our modern information require sign-in access to electronic
the definition of directory age. We encourage school officials to be systems. Specifically, the commenter
information is not new; we made this cognizant of this fact and, if feasible, to requested that we add a new
amendment in 2008. The NPRM merely work hand-in-hand with parents and requirement stating that a parent or
proposed to establish that the student ID eligible students in their community to eligible student could not opt out of
number or other unique identifier that develop a directory information policy directory information disclosures to
we allowed to be designated as directory that specifically meets their needs and prevent an educational agency or
information in 2008 could also be addresses legitimate concerns. institution from disclosing or requiring
displayed on a student ID card or badge. Changes: None. a student to disclose the students name,
With regard to the concerns about identifier, or institutional email address
including in the definition of directory Student ID Cards and ID Badges in a class in which the student is
information such items as address, ( 99.37) enrolled. This would include access to
telephone listing, and date and place Comment: Several commenters instruction, curriculum, courses, or
of birth, we note that these items have expressed support for the proposed other administrative functions provided
been in the FERPA statute since its amendment in 99.37(c)(2), which online. The commenter stated that the
enactment in 1974, and any change to provides that parents and eligible increased use of electronic systems for
remove these items would require students may not use their right to opt both instructional and administrative
congressional action. We include these out of directory information disclosures activities dictates that the Secretary not
and other items in the regulations, in order to prevent an educational differentiate between these types of
explaining in 99.37 that an agency or institution from requiring activities in which students may opt
educational agency or institution may students to wear or otherwise disclose out. The commenter asked for these
disclose directory information under student ID cards or badges that display changes to ensure that students are not
certain conditions, including the information that may be directory allowed to opt out of participation in
condition that it notify parents and information. One commenter noted that various classroom or other instructional
eligible students of the types of PII from schools can embed student ID numbers activities simply because they have to
sign on to an electronic system. Another the scope of the NRPM and, therefore, specifically limits who may not receive
commenter asked that we not permit the do not believe it is appropriate to directory information. Two commenters
students picture to be on the student address in these final regulations. recommended that the regulations
ID. This commenter also expressed Additionally, in 2008, we expanded explicitly state that directory
support for permitting parents and the definition of directory information designated by a school may
eligible students to have the right to opt information in 99.3 of the FERPA not be disclosed, except for the limited
out of wearing a student ID badge. regulations to include a student ID disclosure to specific parties, or for
Discussion: We appreciate the support number, user ID, or other unique specific purposes, or both.
we received concerning this proposed personal identifier used by the student One commenter supported the
change. With regard to the comment for purposes of accessing or amendment to permit schools to have a
that we specify the directory communication in electronic systems, if limited directory information policy,
information that can or cannot be the identifier could not be used to gain believing this change would help ensure
displayed on an ID card or badge (e.g., access to education records, except that school officials do not contact
a students picture), we do not believe when used in conjunction with one or landlords, employers, or other third
this is appropriate or necessary. Rather, more factors to authenticate the users parties to discuss a childs housing
we believe that educational agencies identity. Further, the 2008 regulation situation. One commenter stated that he
and institutions should have the changes clarified the definition of opposed any changes to the FERPA
flexibility to make these determinations attendance to clarify that students regulations that would restrict access to
best suited to their particular situations. who are not physically present in the directory information. Another
Similarly, we do not believe that we classroom may attend an educational commenter said that adopting 99.37(d)
should require that information agency or institution via as proposed would add confusion and
displayed on a student ID card or badge videoconference, satellite, Internet, or may raise unnecessary allegations of
contain only information that cannot be other electronic information and improper disclosure of directory
used to gain access to education records. telecommunications technologies. information from parents and eligible
Student ID numbers, user IDs, and any In 2008, we also amended 99.37(c) students. This commenter pointed out
other unique personal identifiers may to state that parents or eligible students that there is no requirement in FERPA
only be included as directory may not use their right to opt out of that a school adopt a directory
information if they cannot be used to directory information to prevent a information policy or disclose directory
gain access to education records except school from disclosing, or requiring the information even if it has a policy. One
when used in conjunction with one or disclosure of, a students name, commenter expressed concern that the
more other factors that authenticate the identifier, or institutional email address proposed changes to the definition of
users identity. in a class in which the student is directory information do not
For the same reasons school enrolled. 73 FR 74806 (December 9, adequately address the capacity of
administrators need the flexibility to 2008). These three provisions are read marketers and other commercial
determine what type of information is together to permit directory information enterprises to obtain, use, and re-sell
directory information, they need to have to be used to access online electronic student information. The commenter
the flexibility to determine what systems and to prevent opt-out rights stated that few parents are aware, for
directory information should be from being used to prevent an example, that anyone can request and
included on a student ID card or badge. educational agency or institution from receive a student directory from a
Smaller schools may know their student disclosing or requiring a student to school. The commenter also stated that
population well enough that they may disclose the students name, identifier, States may take action, through
not need to have an ID number or other or institutional email address in a class legislation, to tighten restrictions on the
unique identifier, while larger LEAs, in which the student is attending, in use of directory information, perhaps
colleges, and universities may need to either a traditional or non-traditional restricting the disclosure of directory
include more information. As one classroom setting. information for marketing purposes.
school official noted, educational Changes: None. A few commenters expressed concern
agencies and institutions can embed that the proposal to permit schools to
Limited Directory Information Policy
student ID numbers in bar codes or have a limited directory information
( 99.37(d))
magnetic stripes to address privacy policy would prevent the release of
concerns, including identity theft. This Comment: A number of commenters information about students to those who
practice would also address the expressed support for the proposal have a legitimate reason for obtaining
apprehension of some commenters that clarifying that an educational agency or the information, including the media.
some students may have special reasons institution may have a limited directory The commenters also expressed concern
for not wearing ID badges, such as information policy. One commenter that withholding directory information
special education students, younger stated that this clarification will provide could become a tool for schools to
children, or students who are the educational agencies and institutions engage in retribution against disfavored
victims of stalking. This amendment to with more certainty and control in using media outlets, social or political causes,
FERPA permits, but does not require, directory information for their own or parental activist groups. The
schools to include directory information purposes. A few commenters stated that commenters stated that the Secretary
on student ID cards and badges or to it would be helpful if the regulations should give detailed guidance to
require students to wear or display ID clarified that institutions can have educational agencies and institutions
cards and badges. different policies based on each specific concerning this change in order to
With regard to the request that we type or subset of directory information, diminish any negative effect that such
include other activities for which such as being able to institute a policy policies could have on the free flow of
parents and student cannot opt out, that only certain directory information information to the public. These
such as activities that require sign-in may be disclosed to specific parties. commenters stated that the effect of the
access to electronic systems for Some pointed out that the proposed regulatory changes will be that schools
instructional and administrative regulations did not specify whether a will decide not to disclose directory
activities, we note that this is outside school could put into effect a policy that information to the media for any reason,
including publicity or investigations. are only required to provide access to the adoption of a limited directory
One of these commenters said that it education records to parents and information policy is required by the
was not clear how recipients of eligible students. All other disclosures regulations. The regulations make clear
directory information would be chosen, listed in 99.31 are optional. This that if a school chooses to adopt a
whether the specific parties would be includes the disclosure of directory limited directory information policy,
selected by the institution or by each information under 99.31(a)(11), under then it must limit its directory
individual student. This commenter the conditions specified in 99.37. information disclosures to those
noted that a limited directory However, some educational agencies specified in its public notice.
information policy might make it and institutions have advised, and With regard to concerns expressed by
difficult for a party that was not administrative experience has shown, commenters about directory information
included in the policy at the beginning that State open records laws have being released to entities for marketing
of a year but that needed to do business required disclosure of student directory purposes, a school has the flexibility to
with the school mid-year to have fair information because, in most cases, allow or restrict disclosure to any
access to directory information. FERPA does not specifically prohibit potential recipient. For example, a
A commenter stated that the ability to the disclosure of this information. It is limited directory information policy
disclose directory information for some our understanding that many, if not may be expressed in a negative fashion,
purposes, but not others, might prove most, State open records or sunshine indicating that the school does not
more useful to educational agencies and laws require that public entities, such as disclose directory information for
institutions that are not subject to a public schools, LEAs, and State colleges marketing purposes. While Congress has
State open records law than to those and universities, disclose information to not amended FERPA to specifically
that are. Educational agencies and the public unless the disclosure is address disclosure of directory
institutions that are subject to open specifically prohibited by another State information to companies for marketing
records laws would be required to law or by a Federal law such as FERPA. purposes, Congress amended section
disclose all directory information and Thus, in practice, while FERPA only 445 of GEPA, commonly referred to as
would not benefit from a limited requires schools to disclose PII from the Protection of Pupil Rights
directory information policy. The education records to parents or eligible Amendment (PPRA) in 2001 to address
commenter requested clarification students, State sunshine laws may this issue. Public Law 107110, 1061.
whether the ability to limit directory require the public release of properly Under PPRA, LEAs are required to
information is optional and whether a designated directory information from work in consultation with parents to
failure to institute such a policy would which parents and eligible students develop and adopt a policy governing
subject the institution to enforcement have not opted out. the collection, disclosure, or use of
proceedings by the Department. With regard to the commenter who personal information collected from
Similarly, another commenter asked for asked whether a school that chooses not students for the purpose of marketing or
clarification as to whether a school that to adopt a limited directory information for selling that information (or
chose not to adopt a limited directory policy could still limit the disclosure of otherwise providing that information to
information policy may under the directory information if its State law others for those purposes). The policy
proposed regulations still limit the required the disclosure, FERPA permits must include arrangements to protect
disclosure of directory information to the disclosure of directory information student privacy in the event of such
whomever they want, and for whatever but it does not require it. Some States collection, disclosure, or use. LEAs are
reason they want, even though State law have State open records laws that may also required to notify parents of
may require disclosure. require the disclosure of directory students of any activities that involve
Finally, a few commenters pointed information if a school has a directory the collection, disclosure, or use of
out that even under a limited directory information policy and the parent or personal information collected from
information policy, it would not be a eligible student has not opted out. students for the purpose of marketing or
violation of FERPA for a party that We believe that the FERPA selling that information (or otherwise
received directory information to regulations will better assist educational providing that information to others for
redisclose it. To address that issue, agencies and institutions in protecting those purposes) so that parents may opt
some of the commenters supported the directory information if an educational their child out of participation in those
idea of a non-disclosure agreement so agency or institution that adopts a activities. 20 U.S.C. 1232h(c)(1)(E) and
that the disclosing school could control limited directory information policy (c)(2). While PPRA does not generally
any redisclosures of directory limits its directory information apply to postsecondary institutions,
information. However, one commenter disclosures only to those parties and understanding and complying with its
stated that our suggestion in the purposes that were specified in the requirements for LEAs should address
preamble to the NPRM that schools policy. To clarify, this regulatory some of the commenters concerns about
adopt a non-disclosure agreement is scheme gives each school the option of this matter.
unrealistic; schools may have difficulty limiting its directory information With regard to the fact that we did not
identifying who may redisclose the disclosures and does not subject a propose to amend the FERPA
information, and schools have no school to enforcement proceedings by regulations to prevent third parties that
authority and limited resources to FPCO if the school elects not to limit receive directory information from
enforce such agreements. This disclosure to specific parties or for further disclosing it, we do not believe
commenter also stated that making specific purposes, or both. that it is realistic to make such a change.
recipients sign such agreements could With regard to the recommendations By its nature, directory information is
be a significant administrative burden by commenters that the regulations intended to be publicly shared.
for LEAs that receive many requests for explicitly state that directory Congress included the disclosure of
directory information, even if they have information not be disclosed except to properly designated directory
adopted a limited directory information specific parties or for specific purposes, information as an exception to the
policy. we do not believe this change is general consent requirement in FERPA
Discussion: Under FERPA, necessary. As noted, neither the so that schools may make disclosures of
educational agencies and institutions disclosure of directory information nor the type of information generally not
considered harmful or an invasion of student activities and extracurricular administered by the Secretary and
privacy, such as information on pursuits of students. which, nevertheless, are in possession
students that would normally be found Changes: None. and control of PII from education
in a school yearbook or directory. It is General Enforcement Issue ( 99.67) records.
not administratively practicable to take The Department continues to believe
action against a third party that Comment: Several commenters stated that it is necessary to use its broad
rediscloses directory information. For that the Department lacks the legal enforcement powers to ensure that
example, it would be virtually authority to investigate, review, process, FERPAs protections apply to these
impossible to control how student or enforce an alleged FERPA violation recipients. The Department has decided,
information contained in a yearbook is committed by recipients of Department however, not to define in 99.60(a)(2)
distributed to others. Therefore, we funds under a program administered by all recipients of Department funding
believe that schools are in the best the Secretary that students do not under a program administered by the
position to determine who should attend. These recipients include but are Secretary as educational agencies and
receive directory information and, not limited to, SEAs, nonprofit institutions in the context of the
should they choose, implement a organizations, student loan lenders, and enforcement provisions, as was reflected
limited directory information policy. guaranty agencies. Specifically, the in proposed 99.60(a)(2), because it is
commenters stated that nonprofit evident from the comments that the
With regard to the commenter who
organizations, guaranty agencies, and terminology is confusing. We have
stated that adopting the limited
lenders could not be considered decided instead to revise 99.61
directory information provision in the
educational agencies or institutions through 99.67, which set out FERPAs
regulations would add confusion and
under FERPA because these enforcement procedures. These
possibly raise unnecessary allegations of
organizations have no students in amendments authorize the Department
improper disclosure from parents and
attendance. In addition, some to investigate, process, and review
eligible students, we do not believe this
commenters argued that as financial complaints and violations of FERPA
is the case. On the contrary, the option institutions, student loan lenders,
to have a limited directory information alleged to have been committed by
servicers, and guaranty agencies are educational agencies and institutions, as
policy should better protect against already subject to numerous Federal
improper disclosures of PII from well as other recipients of Department
laws that require them to protect PII funds under any program administered
education records and reduce the from education records, making them
number of complaints in this regard. by the Secretary (e.g., State educational
subject to FERPA would not effectively authorities, such as SEAs, and State
With regard to our recommendation increase protection. postsecondary agencies, local
that schools adopting a limited directory Discussion: The Department disagrees educational authorities, nonprofit
information policy consider entering with the comment that it does not have organizations, student loan guaranty
into non-disclosure agreements to the legal authority to take enforcement agencies, and student loan lenders).
restrict the information from being actions against entities that receive Because these entities receive PII from
further disclosed, we agree that this will Department funding under a program education records, we believe that this
not always be feasible. Clearly there are administered by the Secretary that change is justified in order to protect
situations in which a school could not students do not attend. Section (f) of against improper redisclosure of PII
have a non-disclosure agreement, such FERPA provides that the Department from education records.
as when it publishes directory shall take appropriate actions to enforce In the case of an improper
information in a school yearbook, a and deal with violations of provisions in redisclosure of PII from education
sports event program, or a program for FERPA in accordance with GEPA. 20 records by a non-profit organization,
a school play. Schools will have to U.S.C. 1232g(f). However, as we lender, servicer, or guaranty agency that
exercise judgment with respect to discussed in the preamble to the NPRM is a recipient of Department funds under
whether to utilize non-disclosure (76 FR at 19733), the current regulations a program administered by the Secretary
agreements to prevent further disclosure do not clearly describe the entities and that received PII from education
of directory information by assessing the against which we may take actions records from an institution of higher
circumstances surrounding the under section (f) of FERPA. education, the Department will enforce
disclosure of the directory information. Accordingly, the Department believes sanctions against the responsible party,
Finally, we note that the regulatory that it is necessary to clarify in these whether that be the non-profit
change to allow educational agencies new regulations that FPCO has the organization, lender, servicer, or
and institutions to implement a limited authority to hold these entities guaranty agency. The Department,
directory information policy was not responsible for FERPA compliance, however, may also pursue enforcement
specifically intended to address how given the disclosures of PII from measures against the institution of
schools interact with or disclose education records that are needed to higher education, depending on the
directory information to members of the implement SLDS. We believe this circumstances. In addition, we are not
media. Rather, we were addressing clarification is necessary in light of convinced that other confidentiality
concerns raised by school officials who, recent developments in the law. laws that apply to financial institutions
alarmed about the increase in identity In addition, in order for the provide the same protections as FERPA.
theft, expressed a need to protect the Department to appropriately investigate, Although the confidentiality laws cited
privacy of students directory process, and review complaints and by the commenters address privacy
information. We encourage school alleged violations of FERPA, the generally, they are not specifically
officials to act responsibly in developing Department proposed in 99.60(a)(2) to designed to protect the confidentiality
a limited directory information policy take a more expansive view of the term of student education records. Moreover,
and to keep in mind routine disclosures educational agency or institution. The while the Secretary can take steps to
that schools need to make in the normal expanded definition would include enforce FERPA directly, we may need to
course of business, including providing entities that do not necessarily have rely on other Federal and State agencies
properly designated directory students in attendance but still receive to enforce these other confidentiality
information to the media about various Department funding under a program laws identified by the commenters.
Changes: The Department has decided FERPAs requirements. 20 U.S.C. 1234a, an opportunity for further public
not to adopt the change proposed in 1234c(a), 1234d; 1234e; 1234f; 34 CFR comment and review. Still, it is
99.60(a)(2), which would have 99.67(a); see also United States v. Miami important to note that FPCO can initiate
provided, solely for purposes of Univ., 294 F.3d 797 (6th Cir. 2002) an investigation on its own, without
enforcement of FERPA under 34 CFR (affirming the district courts decision receiving a complaint, to address other
part 99, subpart E, all recipients of that the United States may bring suit to violations.
Department funds under a program enforce FERPA). Therefore, the Changes: None.
administered by the Secretary as Secretary will use one or a combination Comment: One commenter asked us
educational agencies and institutions. of these enforcement tools as is to consider expanding the scope of our
Rather, the Department has decided to appropriate given the circumstances. enforcement procedures to apply to tax
amend 99.61 through 99.67 to clarify Additionally, the Department has the exempt organizations under 26 U.S.C.
FPCOs enforcement responsibilities. authority to impose the five-year rule 501(c) that students do not attend and
Specifically, we revised these sections against any entity that FPCO determines that are not the recipients of Department
to clarify that FPCO may investigate, has violated FERPA either through an funds but that have PII from education
review, and process complaints filed improper redisclosure of PII from records.
against, or alleged violations of FERPA education records or through its failure Discussion: If a tax exempt
committed by, any recipient of to destroy PII from education records organization under 26 U.S.C. 501(c) has
Department funds under a program under the studies exception. (See PII from education records, but is not a
administered by the Secretarynot just discussion of five-year rule later in this recipient of funds under a program
educational agencies and institutions preamble). administered by the Secretary, then the
and may hold any such recipient With respect to the suggestion that we Department would not have the
accountable for compliance with create additional penalties, the authority under GEPA to take
FERPA. Department lacks the statutory authority enforcement measures against such an
Comment: One commenter asked that to incarcerate violators, impose fines, or organization. FPCO, however, may
we clarify which enforcement tools force a third party to surrender all PII impose, under 20 U.S.C. 1232g(b)(4)(B)
legally available to the Secretary would from education records currently in its and new 99.67(c), (d), and (e), the five-
be utilized in actions against State and possession because the Department year rule against any entity that FPCO
local educational authorities and other lacks the statutory authority to do so. determines has violated FERPA either
recipients of Department funding under Changes: None. through an improper redisclosure of PII
a program administered by the Comment: One commenter requested from education records received under
Secretary. that the Department clarify that non- any of the exceptions to the general
Four commenters requested that the school entities are only required to consent rule or through the failure to
Department adopt more significant comply with FERPA to the extent they destroy PII from education records
penalties, including incarceration and have received FERPA-protected PII from under the studies exception. (See
substantial fines, for FERPA violations education records from an educational discussion of five-year rule later in this
caused by authorized representatives. agency or institution. preamble.)
Another commenter stated that the Discussion: The Department would For instance, if an LEAs authorized
Department should sanction an entity only take actions against non-school representative does not receive funding
that makes an unauthorized disclosure entities that have not complied with from the Department and violates
by requiring the entity to surrender all FERPA requirements that relate to PII FERPA due to poor data security
PII from education records already in its from education records they received practices, FPCO could apply the five-
possession. Several commenters stated under one of the exceptions to FERPAs year rule by prohibiting the disclosing
that other privacy statutes include general consent requirement. The LEA from providing PII from education
significant sanctions and that FERPA Department has no authority under records to the authorized representative
requires a similar deterrent to prevent FERPA to take actions for other PII these for at least five years. If the disclosing
violations of student privacy. entities may possess. LEA refuses to comply and continues its
Discussion: In FERPA, Congress Changes: None. relationship with the authorized
expressly directed the Secretary to take Comment: A commenter suggested representative, FPCO could, under
appropriate actions to enforce that other parties beyond those GEPA, terminate funding to the LEA.
FERPA and to deal with violations of enumerated in the statute (i.e., eligible Changes: None.
its terms in accordance with [GEPA]. parents and students) should have Comment: One commenter asked that
20 U.S.C. 1232g(f). standing to file complaints with FPCO. we clarify how the enforcement
In GEPA, Congress provided the Further, this commenter suggested that measures would apply if a contractor of
Secretary with the authority and the Department should increase the an entity that received funding under a
discretion to take enforcement actions amount of time a complainant has to file program administered by the
against any recipient of funds under any a complaint with FPCO. Department violated FERPAs
program administered by the Secretary Discussion: We decline to expand the requirements. The commenter wanted to
for failures to comply substantially with entities eligible to file complaints with know, for example, what the liability of
any requirement of applicable law, FPCO beyond parents and eligible a school would be if its contractor
including FERPA. 20 U.S.C. 1234c(a). students and decline to increase the violated FERPA.
GEPAs enforcement methods expressly amount of time a complainant has to file Discussion: Whether the Department
permit the Secretary to issue a a complaint with FPCO beyond 180 would take enforcement action against a
complaint to compel compliance days of the date of the alleged violation contractor that violates FERPA under a
through a cease and desist order, to (or of the date that the complainant program administered by the Secretary,
recover funds improperly spent, to knew or reasonably should have known depends upon the exception to FERPA
withhold further payments, to enter into of the alleged violation). We did not under which the contractor received the
a compliance agreement, or to take any propose these changes in the NPRM and PII from education records, if the
other action authorized by law, therefore cannot make these changes in contractor was a recipient of
including suing for enforcement of these final regulations without allowing Department funds, and the
circumstances of the violation. If the inconsistent with the statute and that years. 65 FR 19738 (April 8, 2011).
contractor was a recipient of changes in the law should be made Specifically, we are replacing
Department funds and violated FERPA, through a legislative amendment and authorized representative, or the State
the Department could take sanctions as not rulemaking. or local educational authority or the
permissible under GEPA. If the Discussion: To clarify, the Department agency headed by an official in
contractor was not a recipient of did not propose the five-year rule for the proposed 99.35(d) with the third
Department funds and improperly first time in the NPRM; rather, Congress party in the final regulation. Similarly,
disclosed PII from education records amended FERPA in the Improving we are also consolidating the text of
received under any of the exceptions to Americas Schools Act of 1994, 249, proposed 99.35(d) into 99.67, the
the general consent rule or failed to Public Law 103382, to provide that if enforcement section.
destroy PII from education records in a third party outside the educational Comment: Many commenters asked
accordance with the requirements of the agency or institution improperly which entities were subject to the five-
studies exception, the Department could rediscloses FERPA-protected data that it year rule. Some of these commenters
implement the five-year rule. (See received under any of the exceptions to expressed concern that the rule would
discussion of the five-year rule later in the general consent rule or fails to be enforced against an entire
this preamble.) destroy information under the studies educational agency or institution acting
Likewise, the Department may also exception, then the educational agency as a third party, such as a State
take enforcement action against the or institution shall be prohibited from university system, and asked whether
entity that disclosed PII from education permitting access to information * * * the rule could be applied in a more
records to the contractor. For example, to that third party for a period of not limited manner against an individual
if the contractor was acting as an less than five years. 20 U.S.C. researcher or department within the
authorized representative of a FERPA- 1232g(b)(4)(B). educational agency or institution,
permitted entity and violated FERPA, The Department amended its arguing, for example, that if an
FPCO would investigate and review regulations to implement this statutory individual researcher is at fault, it
whether the disclosing entity met all of change in 1996. 61 FR 59292 (November would be excessive to prohibit an entire
its obligations under FERPA, such as 21, 1996). The Departments current organization from receiving PII from
taking reasonable methods to ensure to regulations in 99.31(a)(6)(iv) and education records for a period of not
the greatest extent practicable the 99.33(e), taken together, provide that if less than five years.
FERPA compliance of the contractor. FPCO determines that a third party At the same time, others were equally
FPCO could take applicable GEPA outside the educational agency or emphatic that the rule must apply to the
enforcement actions against the institution improperly rediscloses PII entire educational agency or institution
disclosing entity, if it did not meet its from education records in violation of acting as a third party to have any
responsibilities. 99.33 or fails to destroy PII from enforcement effect or to deter potential
If the contractor received PII from education records in violation of violations. Consequently, many of these
education records while acting as a 99.31(a)(6)(ii)(B), then the educational commenters asked how the Department
school official under 99.31(a)(1)(i)(B), agency or institution may not provide would define an educational agency or
then the educational agency or that third party access for a minimum institution acting as a third party.
institution would be liable for the period of five years. One commenter recommended that
contractors FERPA violation and is Still, based upon the confusion the five-year rule only be applied
subject to GEPA enforcement actions by expressed by commenters regarding the against an educational agency or
the Department. In any of these five-year rule, we are changing the final institution acting as a third party that
instances, FPCO would initiate an regulations to consolidate all regulatory was expressly responsible for the
investigation and seek voluntary provisions relating to the five-year rule unauthorized redisclosure of PII from
compliance before imposing any into one section of the regulations, education records. Another commenter
sanctions. 99.67. This is not a substantive wanted the Department to clarify
Changes: None. change, but it is one intended to whether FERPA-permitted entities
improve comprehension and promote could be subjected to the five-year rule
Five-Year Rule ( 99.67) ease of use because we believe it will be due to an unauthorized redisclosure of
Comments: Many commenters raised helpful for readers to see all of the PII from education records made by the
questions about the provision in FERPA regulatory language concerning the five- FERPA-permitted entitys authorized
that prohibits an educational agency or year rule in a single regulatory section. representative.
institution from disclosing PII from Changes: We are removing the Discussion: The statute and current
education records to a third party for existing two provisions in 99.31(a)(6)(iv) and 99.33(e), taken
a period of not less than five years if 99.31(a)(6)(iv) and 99.33(e) regarding together, are clear that any third party
that third party improperly rediscloses the five-year rule and consolidating all outside of the educational agency or
PII from education records received provisions relating to the five-year rule institution that improperly rediscloses
under any of the exceptions to the into 99.67. PII from education records received
general consent rule or fails to destroy In addition, we are changing the under any of the exceptions to the
PII from education records under the language that we proposed in 99.35(d) general consent rule or fails to destroy
studies exception. 20 U.S.C. that stated that in the event that FPCO PII from education records as required
1232g(b)(4)(B). finds an improper re-disclosure of PII under current 99.31(a)(6)(ii)(B) may be
Multiple commenters appeared to from education records, * * * the subjected to the five-year rule. We
believe that the Department was educational agency or institution from understand a third party to refer
proposing the five-year rule for the first which the [PII] originated may not allow broadly to any entity outside of the
time in the NPRM and questioned the authorized representative, or the educational agency or institution from
whether the Department had the legal State or local educational authority or which the PII from education records
authority to implement such a rule. One the agency headed by an official listed was originally disclosed and may
commenter specifically opposed the in 99.31(a)(3), or both, access to [PII] include an authorized representative. In
rule on the grounds that it was from education records for at least five other words, authorized representatives
make up a subset of the larger set of a detailed explanation regarding who the authority to impose the five-year
third parties outside the educational could enforce the rule, how the rule rule against third parties that FPCO
agency or institution from which the PII would be applied, and whether those determines have violated either the
from education records was originally sanctioned would have a right to appeal. redisclosure provisions of 99.33 or the
disclosed. Any individual or entity to Several commenters asked how much destruction requirements of
which PII from education records is discretion educational agencies and 99.31(a)(6)(iii)(B). In other words, only
disclosed without consent by an institutions would have to either bar FPCO has the authority to implement
educational agency or institution under third parties or authorized the five-year rule to prohibit an
99.31(a), except for disclosures under representatives under the five-year rule educational agency or institution from
99.31(a)(1) to school officials because or to modify the length of the debarment providing a third party with access to
they are within the educational depending upon the circumstances. FERPA-protected data.
institution or agency, is a third party. Several commenters asked how much When making such a determination,
The NPRM proposed adding a third discretion the Department would have FPCO, consistent with its longstanding
regulatory provision to 99.35 in order when applying the five-year rule. Some practice, will investigate allegations of
to implement the five-year rule more expressed concern that the Department third parties improperly redisclosing PII
specifically in the context of an would apply the five-year rule from education records under 99.33 or
improper redisclosure of PII from automatically after a single failing to destroy data under
education records by FERPA-permitted unauthorized redisclosure of PII from 99.31(a)(6)(iii)(B). If FPCO were to find
entities or by their authorized education records by a third party. One a FERPA violation, then it would first
representatives (which are third parties). commenter expressed concern that the attempt to bring the offending third
As explained in the NPRM, the Department would apply the rule like a party into voluntary compliance. As
Department sought to clarify that FPCO zero tolerance policy. suggested by one commenter, FPCO may
could impose the five-year rule against Concerned about the severity of the use remediation as a tool to bring the
FERPA-permitted entities, their five-year rule, many commenters third party into voluntary compliance.
authorized representatives, or both. requested an opportunity to come into For instance, if FPCO were to
Under the final regulations, the compliance with approved best investigate and determine that a third
provisions of the five-year rule apply to practices and methods for data party had failed to timely destroy data,
all improper redisclosures by third protection as an alternative to an FPCO could work with the third party
parties outside of the educational immediate application of the five-year conducting the study to implement an
agency or institution from which PII rule. One commenter suggested appropriate destruction policy. If FPCO
from education records was originally remediation as an alternative to the five- were unable to bring the offending third
disclosed. These third parties include year rule to help a third party with the party into voluntary compliance, then
FERPA-permitted entities or their process of voluntary compliance. FPCO would have the discretion to
authorized representatives, whether Another commenter asked the prohibit the educational agency or
they obtained PII from education Department to amend the regulations to institution from allowing that third
records under the studies exception, the apply the five-year rule only when there party access to PII from education
audit or evaluation exception, or any are repeated, unauthorized redisclosures records for a period of at least five years.
other exception to the requirement of of PII from education records or when In deciding whether to exercise this
consent in 99.31(a) (other than the parties responsible for the discretion and which third parties
99.31(a)(1), which applies to unauthorized disclosure are grossly should be banned, FPCO will consider
disclosures to school officials who are negligent. Some of these commenters the nature of the violation and the
within the educational institution or suggested that we take into account the attendant circumstances. One factor
agency). level or magnitude of the improper FPCO will consider is whether the third
The five-year rule also applies to all redisclosure. One commenter suggested party has repeatedly redisclosed PII
third parties that fail to destroy PII from that the regulations should be modified from education records improperly,
education records in violation of the to recognize that in todays which will make it more likely that the
studies exception in 99.31(a)(6). By technological environment, it is not FPCO will apply the five-year rule. The
contrast, the statute does not feasible to require absolute compliance. Department believes that outlining this
specifically authorize the Department to Finally, a few commenters asked detailed process here provides adequate
apply the rule against a third party for whether debarment under the five-year clarification of FPCOs enforcement
failure to destroy PII from education rule follows an individual who has procedures.
records under the audit or evaluation been debarred from one employer to the Moreover, as discussed in more detail
exception or for other inappropriate individuals next employer. These earlier in this preamble, FPCO is not
activities that affect privacy beyond the commenters also asked whether limited to the five-year rule in the
improper redisclosure and the failure to debarment attaches to a third party even enforcement actions it may take; it also
destroy PII from education records in if the individual who is found to be has the discretion to consider whether
violation of the studies exception in responsible for an improper redisclosure it would be more appropriate to apply
99.31(a)(6), as discussed earlier. of PII from education records leaves the GEPA enforcement mechanisms against
However, FERPA-permitted entities are employment of that third party. those third parties receiving Department
free to include sanctions for other Discussion: Some commenters funds. Accordingly, the five-year rule is
inappropriate activities that affect appeared to have misunderstood the not a zero tolerance policy, as
privacy as part of their written NPRM as proposing that an individual suggested by one commenter, and FPCO
agreements with third parties and school or LEA would have the authority would not apply the rule without
authorized representatives. to impose the five-year rule against a considering the facts of each particular
Changes: None. third party, such as an SEA or a Federal situation, as some commenters feared.
Comment: Many commenters agency headed by an official listed in As for whether a third party would be
requested clarification regarding how 99.31(a)(3), in the event of an able to appeal a decision made by FPCO
the five-year rule would be improper redisclosure by that third to prohibit an educational agency or
implemented and specifically requested party. This is incorrectonly FPCO has institution from disclosing PII from
education records to that third party, no Comment: Several commenters improper redisclosure made by a third
such appeal right exists. Under current provided general support for the five- party conducting research under the
99.60(b)(1), only FPCO has the year rule as a means to enforce FERPA. studies exception. Thus, the final
authority to [i]nvestigate, process, and One commenter stated that five years is regulations include a third regulatory
review complaints and violations under an appropriate time period for such a provision, reflected in 99.67(d), that
the Act * * *. FPCO also retains violation, and another stated that describes the five-year rule as it applies
complete authority to enforce the five- substantial consequences are a must and specifically in the context of the audit
year rule, and its decisions are final. that debarment would be an appropriate or evaluation exception. Section 99.67
However, FPCOs investigative process remedy for FERPA violations. states that in the context of the audit or
would provide ample opportunity for Other commenters found this sanction evaluation exception, where the FERPA-
the party being investigated to have insufficient to adequately protect permitted entities and any of their
FPCO consider all relevant facts and privacy and called for more extensive authorized representatives are third
circumstances before making a decision. and harsher penalties. One commenter parties, the five-year rule could be
Importantly, the fact that FPCO must requested that other penalties be applied against the FERPA-permitted
find a violation before the five-year rule developed out of a concern that the five- entities, an authorized representative
may be enforced does not relieve year rule would not be used frequently thereof, or both.
educational agencies and institutions or enough to deter egregious and flagrant Changes: None.
FERPA-permitted entities of their violations of FERPA. Several Comment: Another commenter
responsibility to protect PII from commenters requested that the requested that the regulations be
education records. As discussed earlier, Department apply the rule more changed to prohibit the offending third
we encourage FERPA-permitted entities broadly. For example, one commenter party from requesting PII from
that are redisclosing PII from education stated that the Department should education records from the disclosing
records to third parties to include sanction other inappropriate activities educational agency or institution in the
sanctions in their written agreements that affect privacy besides improper future rather than placing the burden on
with their third parties and authorized redisclosures, including, but not limited the educational agency or institution to
representatives, and to enforce those to, using records for an improper deny access.
sanctions. FERPA-permitted entities, purpose; examining individual records Discussion: The Department cannot
and their authorized representatives, without justification * * * and not prohibit a third party who has violated
may agree to any sanctions permissible allowing access to or correction of FERPA from requesting PII from
under applicable law. For instance, records when appropriate. education records from an educational
written agreements could call for Still others expressed concern that the agency or institution. The five-year rule
monetary penalties, data bans of varying Department would apply the five-year clearly states that it is the duty of the
length, or any of the range of civil rule too broadly. One commenter educational agency or institution that
penalties that the disclosing entity suggested limiting the scope of the originally disclosed the PII from
believes is appropriate. The Department prohibition to PII from education education records to the third party to
encourages the use of these agreed-upon records used for the purposes of prevent further disclosure to the same
sanctions to ensure control and proper conducting studies and not necessarily third party. Still, the five-year rule does
use of PII from education records. for other purposes related to the not prohibit all educational agencies
Finally, depending upon the specific provision of products, services, and and institutions from disclosing PII from
facts of the situation, debarment may other functions. education records to the offending third
follow an individual who has been Discussion: The Department lacks the party; as made clear by the statute, the
sanctioned under the five-year rule from legal authority to expand the prohibition only applies to the
one employer to another. Further, enforcement mechanisms available educational agency or institution that
debarment would likely not remain under FERPA beyond those discussed in originally disclosed PII from education
attached to a third party if it is this preamble and therefore declines to records to that third party.
determined that only the debarred include harsher penalties such as those Changes: None.
individual was responsible for the requested by a number of commenters. Comments: Some expressed concern
improper redisclosure of PII from For the same reason, we cannot expand that under the five-year rule,
education records, the debarred the list of inappropriate activities that educational agencies and institutions,
individual leaves the third partys may be sanctioned under the five-year such as LEAs, would be prohibited from
employment, and the improper rule beyond improper redisclosures disclosing PII from education records to
redisclosure was not caused by a policy under 99.33 and the failure to destroy third parties, such as SEAs, if these
of the third party. It is important to note, PII in violation of 99.31(a)(6)(iii)(B). third parties improperly redisclosed
however, that such determinations are The five-year rule is clear that it only FERPA-protected data that they received
highly fact specific and the Department applies to improper redisclosures of PII from the educational agency or
will review each situation case by case. received under any of the exceptions to institution. The commenters expressed
Changes: We are amending 99.61, the general consent rule and the failure concern that Federal and State
99.62, 99.64, 99.65, 99.66 and 99.67 of to destroy PII from education records education laws require LEAs to share
the FERPA regulations. These changes under the studies exception. data with SEAs in order to qualify for
provide more detailed procedures The Department also declines to limit Federal and State education funds.
governing the investigation, processing, the scope of the prohibition to the Another commenter expressed a
and review of complaints and violations purpose of conducting studies and not similar concern that an institution of
against third parties outside of an necessarily for other purposes related to higher education might be prohibited
educational agency or institution for the provision of products, services, and from offering Federal financial aid to its
failing to destroy PII from education other functions. Section (b)(4)(B) of students if the Department itself were
records in violation of FERPA (20 U.S.C. 1232g(b)(4)(B)) responsible for the improper
99.31(a)(6)(iii)(B) or for improperly provides that the five-year rule applies redisclosure. In the commenters
redisclosing PII from education records to any improper redisclosure made by example, the institution of higher
in violation of 99.33. any third party and not just to an education would be unable to make data
disclosures needed to process Federal regarding the five-year rule and the The Department has also reviewed
and State loans, if the five-year rule language in current regulations. these regulations pursuant to Executive
were applied to the Department. Although the statute states that the Order 13563, published on January 21,
Discussion: The Department would original, disclosing educational agency 2011 (76 FR 3821). Executive Order
interpret the five-year rule consistently or institution shall be prohibited from 13563 is supplemental to and explicitly
with other Federal laws to the greatest permitting an offending third party to reaffirms the principles, structures, and
extent possible in order to avoid a access PII from education records for at definitions governing regulatory review
conflict between Federal laws. If least five years, the regulations state that established in Executive Order 12866.
imposition of the five-year rule would the disclosing educational agency or To the extent permitted by law, agencies
prevent an LEA from complying with institution may not allow the third are required by Executive Order 13563
other legal requirements, FPCO may party access to PII from education to: (1) Propose or adopt regulations only
sanction the offending SEA using an records. One commenter preferred to upon a reasoned determination that
enforcement mechanism that is use the terms may not instead of their benefits justify their costs
available to the Department under shall be prohibited because may (recognizing that some benefits and
GEPA, such as issuing a cease and desist not suggested greater flexibility in how costs are difficult to quantify); (2) tailor
order, thereby allowing the LEA to meet the five-year rule would be applied. their regulations to impose the least
its other legal obligations. Discussion: We disagree that a conflict burden on society, consistent with
Similarly, in response to those exists between the language contained obtaining regulatory objectives, taking
commenters who expressed a concern in the statute and current regulations into account, among other things, and to
that subjecting the Department to the regarding the five-year rule. the extent practicable, the costs of
five-year rule would prevent institutions Specifically, we consider the terms used cumulative regulations; (3) select, in
of higher education from providing in the regulations (may not allow choosing among alternative regulatory
student information to the Departments access) to have the same meaning as the approaches, those approaches that
Federal Student Aid (FSA) office, the language used in the statute (shall be maximize net benefits (including
Department will administer FERPA in a prohibited from permitting access). potential economic, environmental,
reasonable manner and read it Changes: None. public health and safety, and other
consistently with Federal laws advantages; distributive impacts; and
governing student financial aid. Like Executive Order 12866 and 13563 equity); (4) specify, to the extent
any other third party outside of an Regulatory Impact Analysis feasible, performance objectives, rather
educational agency or institution, FSA, than specifying the behavior or manner
or any other office in the Department Under Executive Order 12866, the of compliance that regulated entities
that receives PII from education records, Secretary must determine whether the must adopt; and (5) identify and assess
must also comply with FERPA; if FPCO regulatory action is significant and available alternatives to direct
found that FSA, or any other third party, therefore subject to the requirements of regulation, including providing
violated the redisclosure provisions in the Executive Order and subject to economic incentives to encourage the
FERPA, FPCO would then work with review by OMB. Section 3(f) of desired behavior, such as user fees or
that third party to obtain voluntary Executive Order 12866 defines a marketable permits, or providing
compliance with FERPA, potentially significant regulatory action as an information upon which choices can be
eliminating the need to impose the five- action likely to result in regulations that made by the public.
year ban. may (1) have an annual effect on the We emphasize as well that Executive
Changes: None. economy of $100 million or more, or Order 13563 requires agencies to use
Comment: One commenter expressed adversely affect a sector of the economy, the best available techniques to quantify
concern about existing contracts and productivity, competition, jobs, the anticipated present and future benefits
written agreements being violated environment, public health or safety, or and costs as accurately as possible. In
because of an application of the five- State, local or tribal governments or its February 2, 2011, memorandum
year rule regarding a separate and communities in a material way (also (M1110) on Executive Order 13563,
unrelated improper redisclosure of PII referred to as economically significant improving regulation and regulatory
from education records by an authorized regulations); (2) create serious review, the Office of Information and
representative. inconsistency or otherwise interfere Regulatory Affairs in OMB has
Discussion: The Department disagrees with an action taken or planned by emphasized that such techniques may
that application of the five-year rule will another agency; (3) materially alter the include identifying changing future
automatically result in a debarred third budgetary impacts of entitlement grants, compliance costs that might result from
party from complying with its user fees, or loan programs or the rights technological innovation or anticipated
obligations under other pre-existing and obligations of recipients thereof; or behavioral changes.
contracts or written agreements. If FPCO (4) raise novel legal or policy issues We are issuing these regulations only
were to find that application of the rule arising out of legal mandates, the upon a reasoned determination that
was warranted, the regulations would Presidents priorities, or the principles their benefits justify their costs, and we
prohibit only the original, disclosing set forth in the Executive order. selected, in choosing among alternative
educational agency or institution from Pursuant to the terms of the Executive regulatory approaches, those approaches
providing PII from education records to Order, we have determined this that maximize net benefits. Based on the
the third party. Furthermore, this regulatory action is significant and following analysis, the Department
prohibition would only occur if the subject to OMB review under section believes that these final regulations are
third party refused to work with FPCO 3(f)(4) of Executive Order 12866. consistent with the principles in
to voluntarily comply with FERPA. Notwithstanding this determination, we Executive Order 13563.
Changes: None. have assessed the potential costs and We also have determined that this
Comment: Two commenters noted benefitsboth quantitative and regulatory action would not unduly
what they perceived to be a conflict qualitativeof this regulatory action. interfere with State, local, and tribal
between the language used in the statute The Department believes that the governments in the exercise of their
(and the preamble of the NPRM) benefits justify the costs. governmental functions.
Potential Costs and Benefits purposes of conducting audits, database). These final regulations allow
Following is an analysis of the costs evaluations, or enforcement and FERPA-permitted entities to disclose PII
and benefits of the changes reflected in compliance activities relating to from education records without consent
these final FERPA regulations. These Federal- and State-supported education to authorized representatives, which
changes facilitate the disclosure, programs. However, in the past, we had may include other State agencies, or to
without written consent, of PII from not defined the term authorized house data in a common State data
education records for the purposes of representative in our regulations. The system, such as a data warehouse
auditing or evaluating Federal- or State- Departments position had been that administered by a central State
supported education programs and educational authorities may only authority for the purposes of conducting
disclose education records to entities audits or evaluations of Federal- or
enforcing or ensuring compliance with
over which they have direct control, State-supported education programs, or
Federal legal requirements related to
such as an employee or a contractor. for enforcement of and ensuring
these programs. In conducting this
Therefore, under the Departments compliance with Federal legal
analysis, the Department examined the
interpretation of its regulations, SEAs requirements relating to Federal- and
extent to which the changes add to or
were not able to disclose PII from State-supported education programs
reduce the costs of educational agencies,
education records to many State (consistent with FERPA and other
other agencies, and institutions in
agencies, even for the purpose of Federal and State confidentiality and
complying with the FERPA regulations
evaluating education programs under privacy provisions).
prior to these changes, and the extent to The Department also amends 99.35
which the changes are likely to provide the purview of the SEAs. For example,
to require that FERPA-permitted entities
educational benefit. Allowing data- an SEA or LEA could not disclose PII
use written agreements with an
sharing across agencies, because it from education records to a State
authorized representative (other than
increases the number of individuals employment agency for the purpose of
employees) when they agree to disclose
who have access to PII from education obtaining data on post-school outcomes
PII from education records without
records, may increase the risk of such as employment for its former
consent to the authorized representative
unauthorized disclosure of PII from students. Thus, if an SEA or LEA
under the audit or evaluation exception.
education records. However, we do not wanted to match education records with
The cost of entering into such
believe that the staff in the additional State employment records for purposes
agreements should be minimal in
agencies who will have access to PII of evaluating its secondary education relation to the benefits of being able to
from education records are any more programs, it would have to import the disclose this information. Section
likely to violate FERPA than existing entire workforce database and do the 99.35(a)(3) requires that the written
users, and the strengthened match itself (or contract with a third agreement specify that the information
accountability and enforcement party to do the same analysis). is being disclosed for the purpose of
mechanisms reflected in these Similarly, if a State workforce agency carrying out an allowable audit,
regulations will help to ensure better wanted to use PII from education evaluation, or enforcement or
compliance overall. While there will be records maintained by the SEA in its compliance activity, as well as a
administrative costs associated with SLDS, in combination with data it had description of the activity and how the
implementing data-sharing protocols on employment outcomes, to evaluate disclosed information is to be used.
that ensure that PII from education secondary vocational education
records is disclosed in accordance with programs, it would not be able to obtain Education Program
the limitations in FERPA, we believe PII from the education records in the The final regulations amend 99.3 by
that the relatively minimal SEAs SLDS to conduct the analyses. It adding a definition for the term
administrative costs of establishing would have to provide the workforce education program. This definition
these protocols will be off-set by data to the SEA so that the SEA could clarifies that an education program can
potential analytic benefits. Based on this conduct the analyses or to a third party include a program administered by a
analysis, the Secretary has concluded (e.g., an entity under the direct control non-educational agency (e.g., an early
that the amendments reflected in these of the SEA) to construct the needed childhood program administered by a
final regulations will result in savings to longitudinal administrative data human services agency or a career and
entities and have the potential to benefit systems. While feasible, these strategies technical education program
the Nation by improving capacity to force agencies to outsource their administered by a workforce or labor
conduct analyses that will provide analyses to other agencies or entities, agency) and any program administered
information needed to improve adding administrative cost, burden, and by an educational agency or institution.
education. complexity. Moreover, preventing These final regulations also define the
agencies from using PII from education term early childhood education
Authorized Representative records directly for conducting their program, because that term is used in
These regulations amend 99.3 by own analytical work increases the the definition of education program.
adding a definition of the term likelihood that the work will not meet For the definition of the early
authorized representative; an their expectations or get done at all. education program, we use the
authorized representative is any Finally, the previous interpretation of definition of that term from HEA.
individual or entity designated by a the current regulations exposed greater These definitions, in combination
State or local educational authority or a amounts of PII from education records with the addition of the definition of the
Federal agency headed by the Secretary, to risk of disclosure as a result of greater term authorized representative,
the Comptroller General, or the Attorney quantities of PII from education records results in a regulatory framework for
General to carry out audits, evaluations, moving across organizations (e.g., the FERPA that allows non-educational
or enforcement or compliance activities entire workforce database) than would agencies to have easier access to PII in
relating to education programs. FERPA be the case with a more targeted data student education records that they can
permits educational authorities to request (e.g., disclosure of PII from use to evaluate the education programs
provide to authorized representatives education records for graduates from a they administer. For example, these
PII from education records for the given year who appear in the workforce changes permit disclosures of PII in
elementary and secondary school Authority To Evaluate violations of FERPA by an educational

education records without consent to a Current 99.35(a)(2) provides that the agency or institution. Because the
non-educational agency that is authority for a FERPA-permitted entity Department had not interpreted the term
administering an early childhood to conduct an audit, evaluation, or educational agency or institution to
education program in order to evaluate enforcement or compliance activity include agencies or institutions that
the impact of its early childhood must be established under a Federal, students do not attend (such as an SEA),
education program on its students long- State, or local authority other than the current FERPA regulations do not
term educational outcomes. The FERPA. Lack of such explicit State or specifically permit the Secretary to
potential benefits of these regulatory local authority has hindered the use of bring an enforcement action against an
changes are substantial, including the SEA or other State or local educational
PII from education records in some
benefits of non-educational agencies authority or any other recipient of
States. These final regulations remove
that are administering education Department funds under a program
this language about legal authority
programs, as that term is defined in administered by the Secretary that did
because we believe that the language
these regulations, being able to conduct not meet the definition of an
unnecessarily caused confusion in the
their own analyses without incurring educational agency or institution
field. This is because FERPA does not
under FERPA. Thus, for example, if an
the prohibitive costs of obtaining require that a State or local educational
SEA improperly redisclosed PII from
consent for access to individual authority have express legal authority to
education records obtained from its
students PII from education records. conduct audits, evaluations, or
LEAs, the Department could pursue
compliance or enforcement activities. enforcement actions against each of the
Research Studies Rather, we believe FERPA permits LEAs (because the Department views an
Section (b)(1)(F) of FERPA permits disclosure of PII from education records LEA as an educational agency attended
educational agencies and institutions to to a State or local educational authority by students), but not the SEA. These
disclose PII from education records if that entity also has implied authority final regulations amend the regulatory
without consent to organizations to conduct audit, evaluation, or provisions in subpart E to clarify that
conducting research studies for, or on enforcement or compliance activities the Secretary may investigate, process,
behalf of, educational agencies or with respect to its own programs. review, and enforce complaints and
institutions from which the PII from This regulatory change also allows an violations of FERPA against an
SEA to receive PII from education educational agency or institution, any
education records originated, for
records originating at postsecondary other recipient of Department funds
statutorily-specified purposes. The
institutions as needed to evaluate its under a program administered by the
amendment to 99.31(a)(6) permits any
own programs and determine whether Secretary, or other third parties.
of the authorities listed in 99.31(a)(3),
its schools are adequately preparing This change will result in some
including SEAs, to enter into written
students for higher education. The administrative savings and improve the
agreements that provide for the
preamble to the final FERPA regulations efficiency of the enforcement process.
disclosure of PII from education records published in the Federal Register on Under the current regulations, if, for
to research organizations for studies that December 9, 2008 (73 FR 74806, 74822)
would benefit the educational agencies example, an SEA with 500 LEAs
suggested that PII in education records improperly redisclosed PII from its
or institutions that disclosed the PII to maintained by postsecondary
the SEA or other educational SLDS to an unauthorized party, the
institutions could only be disclosed to Department would have had to
authorities. The preamble to the final an SEA if the SEA had legal authority
FERPA regulations published in the investigate each of the 500 LEAs, which
to evaluate postsecondary institutions. are unlikely to have had knowledge
Federal Register on December 9, 2008 This interpretation restricted SEAs from relating to the disclosure. Under the
(73 FR 74806, 74826) took the position conducting analyses to determine how final regulations, the LEAs will be
that an SEA, for example, could not effectively their own programs are relieved of any administrative costs
redisclose PII from education records preparing students for higher education associated with responding to the
that it obtained from an LEA to a and from identifying effective programs. Departments request for information
research organization unless the SEA As a result, this interpretation resulted about the disclosure and the Department
had separate legal authority to act for, or in a regulatory framework for FERPA will immediately direct the focus of its
on behalf of, the LEA (or other that has hindered efforts to improve investigation on the SEA, the agency
educational institution. Because, in education. The primary benefit of this most likely to have information on and
practice, this authority may not be change is that it will allow SEAs to bear responsibility for the disclosure of
explicit in all States, we are amending conduct analyses of data that includes PII, without having to spend time and
99.31 to specifically allow State PII from education records for the resources contacting the LEAs.
educational authorities, which include purpose of program evaluations
SEAs, to enter into agreements with (consistent with FERPA and other Regulatory Flexibility Act Certification
research organizations for studies that Federal and State confidentiality and The Secretary certifies that this
are for one or more of the enumerated privacy provisions) without incurring regulatory action will not have a
purposes under FERPA, such as studies the prohibitive costs of obtaining prior significant economic impact on a
to improve instruction (see written consent from eligible students or substantial number of small entities.
99.31(a)(6)(ii)). The Department parents. The small entities that this final
believes that this regulatory change will regulatory action will affect are small
be beneficial because it will reduce the Educational Agency or Institution LEAs. The Secretary believes that the
administrative costs of, and reduce the Sections (f) and (g) of FERPA costs imposed by these regulations will
barriers to, using PII from education authorize the Secretary to take be limited to paperwork burden related
records, including PII from education appropriate actions to enforce the law to requirements concerning data-sharing
records in SLDS, in order to conduct and address FERPA violations, but agreements and that the benefits from
studies to improve instruction in subpart E of the current FERPA ensuring that PII from education records
education programs. regulations only addressed alleged are collected, stored, and shared
appropriately outweigh any costs sharing protocol. Thus, we assume the implications as defined in Executive
incurred by these small LEAs. In impact on the entities will be minimal. Order 13132.
addition, it is possible that State and
Federalism Paperwork Reduction Act of 1995
local educational authorities may enter
into agreements with small institutions Executive Order 13132 requires us to As part of its continuing effort to
of higher education or other small ensure meaningful and timely input by reduce paperwork and respondent
entities that will serve as their State and local elected officials in the burden, the Department conducts a
authorized representatives to conduct development of regulatory policies that preclearance consultation program to
evaluations or other authorized have federalism implications. provide the general public and Federal
activities. Entering into such agreements Federalism implications means agencies with an opportunity to
would be entirely voluntary on the part substantial direct effects on the States, comment on proposed and continuing
of the institutions of higher education or on the relationship between the collections of information in accordance
other entities, would be of minimal cost, National Government and the States, or with the Paperwork Reduction Act of
and presumably would be for the benefit on the distribution of power and 1995 (PRA) (44 U.S.C. 3506(c)(2)(A)).
of the institution of higher education or responsibilities among the various This helps ensure that: the public
other entity. levels of government. Among other understands the Departments collection
The U.S. Small Business requirements, the Executive order instructions; respondents can provide
Administration Size Standards define as requires us to consult with State and the requested data in the desired format;
small entities for-profit or nonprofit local elected officials respecting any reporting burden (time and financial
institutions with total annual revenue regulations that have federalism resources) is minimized; collection
below $7,000,000 or, if they are implications and either preempt State instruments are clearly understood; and
institutions controlled by small law or impose substantial direct the Department can properly assess the
governmental jurisdictions (that are compliance costs on State and local impact of collection requirements on
comprised of cities, counties, towns, governments, and are not required by respondents. The term collections of
townships, villages, school districts, or statute, unless the Federal government information under the PRA includes
special districts), with a population of provides the funds for those costs. regulatory requirements that parties
less than 50,000. must follow concerning paperwork, e.g.,
The Department has reviewed these
According to estimates from the U.S. the requirement that educational
final regulations in accordance with
Census Bureaus Small Area Income and agencies and institutions annually
Executive Order 13132. We have
Poverty Estimates programs that were notify parents and eligible students of
concluded that these final regulations
based on school district boundaries for their rights under FERPA. It does not
do not have federalism implications, as
the 20072008 school year, there are necessarily mean that information is
defined in the Executive order. The
12,484 LEAs in the country that include being collected by a government entity.
regulations do not have substantial Sections 99.7, 99.31(a)(6)(ii),
fewer than 50,000 individuals within
direct effects on the States, on the 99.35(a)(3), and 99.37(d) contain
their boundaries and for which there is
relationship between the national information collection requirements. In
estimated to be at least one school-age
government and the States, or on the the NPRM published on April 8, 2011,
child. In its 1997 publication,
distribution of power and we requested public comments on the
Characteristics of Small and Rural
responsibilities among the various information collection requirements in
School Districts, the NCES defined a
levels of government. proposed 99.31(a)(6)(ii) and
small school district as one having
fewer students in membership than the In the NPRM we explained that the 99.35(a)(3). Since publication of the
sum of (a) 25 students per grade in the proposed regulations in 99.3, NPRM, we have determined that
elementary grades it offers (usually K 99.31(a)(6), and 99.35 may have 99.37(d) also has an information
8) and (b) 100 students per grade in the federalism implications, as defined in collection associated with it. In
secondary grades it offers (usually 9 Executive Order 13132, and we asked addition, since publication of the
12). Using this definition, a district that State and local elected officials NPRM, we decided to make changes to
would be considered small if it had make comments in this regard. One the model notification, which we
fewer than 625 students in membership. commenter stated that it believed that provide to assist entities to comply with
The Secretary believes that the 4,800 some of the proposed changes would the annual notification of rights
very small LEAs that meet this second increase burdens on SEAs, especially requirement in 99.7. Therefore, this
definition are highly unlikely to enter with respect to enforcing the destruction section discusses the information
into data-sharing agreements directly of PII from education records once a collections associated with these four
with outside entities. study or an audit or evaluation has regulatory provisions. These
In the NPRM, the Department ended. information collections will be
solicited comments from entities The FERPA requirements that PII submitted to OMB for review and
familiar with data sharing in small from education records be destroyed approval. A valid OMB control number
districts on the number of entities likely when no longer needed for both the will be assigned to the information
to enter into agreements each year, the studies exception and the audit or collection requirements at the end of the
number of such agreements, and the evaluation exception are statutory (20 affected sections of the regulations.
number of hours required to execute U.S.C. 1232g(b)(1)(F) and 1232g(b)(3)).
each agreement, but we received no Further, the regulatory provisions Section 99.7Annual Notification of
comments and do not have reliable data concerning destruction for these two Rights Requirement (OMB Control
with which to estimate how many of the exceptions ( 99.31(a)(6) and 99.35) are Number 18750246)
remaining 7,684 small LEAs will enter not new. Therefore, these final Although we did not propose any
into data-sharing agreements. For small regulations do not include additional changes to 99.7, which requires that
LEAs that enter into data-sharing burden. educational agencies and institutions
agreements, we estimate that they will After giving careful consideration to annually notify parents and eligible
spend approximately 4 hours executing the comment, we conclude that these students of their rights under FERPA,
each agreement, using a standard data- final regulations do not have federalism we did make some modifications to our
model notification associated with this relate to those programs; (4) describe the 99.37(a) to provide public notice of its
requirement. Specifically, to allow activity to make clear that it legitimately directory information policy. However,
parents and eligible students to more fits within the exception of 99.31; (5) the change reflected in amended
fully understand the circumstances require the authorized representative to 99.37(d) could result in a burden
under which disclosures may occur destroy PII from education records increase for an educational agency or
without their consent, we have when the information is no longer institution that currently has a policy of
amended the model annual notifications needed for the purpose specified; (6) disclosing all directory information and
to include a listing of the various specify the time period in which the PII elects, under the new regulations, to
exceptions to the general consent rule in from education records must be limit the disclosure of directory
the regulations. The model notices (one destroyed; and (7) establish policies and information. The agency or institution
for elementary and secondary schools procedures, consistent with FERPA and would now be required to inform
and another one for postsecondary other Federal and State confidentiality parents and eligible students that it has
institutions) are included as Appendix and privacy provisions, to protect PII a limited directory information policy.
B and Appendix C to this notice. We from education records from further The notice provides parents and eligible
also post the model notifications on our disclosure (except back to the disclosing students with the opportunity to opt out
Web site and have indicated the site entity) and unauthorized use. The total of the disclosure of directory
address in the preamble. We do not estimated burden under this provision information. Additionally, many
believe that this addition to the model is 9,928 hours. Specifically, the burden educational agencies and institutions
notification increases the currently for States under this provision is include their directory information
approved burden of .25 hours (15 estimated to be 40 hours annually for notice as part of the required annual
minutes) we previously estimated for each of the 103 State educational notification of rights under 99.7,
the annual notification of rights authorities in the various States and which is already listed as a burden and
requirement. territories subject to FERPA (one for approved under OMB Control Number
K12 and one for postsecondary in each 18750246. These educational agencies
Section 99.31(a)(6)(ii)Written
SEA). Assuming that each State and institutions, therefore, would not
Agreements for Studies (OMB Control
authority handles the agreements up to experience an increase in burden
Number 18750246)
10 times per year with an estimated associated with the changes reflected in
The final regulations modify the 4 hours per agreement, the total 99.37(d).
information collection requirements in anticipated increase in annual burden
99.31(a)(6)(ii); however, the Assessment of Educational Impact
would be 4,120 hours for this new
Department does not believe these requirement in OMB Control Number In the NPRM, and in accordance with
regulatory changes result in any new 18750246. In addition, the burden for section 441 of the General Education
burden to State or local educational large LEAs and postsecondary Provisions Act, 20 U.S.C. 1221e4, we
authorities. As amended, institutions (1,452 educational agencies requested comments on whether the
99.31(a)(6)(ii) clarifies that FERPA- and institutions with a student proposed regulations would require
permitted entities may enter into population of over 10,000) is estimated transmission of information that any
written agreements with organizations to be 4 hours annually. Assuming each other agency or authority of the United
conducting studies for, or on behalf of, large LEA and postsecondary institution States gathers or makes available.
educational agencies and institutions. handles the agreements up to 1 time per Based on the response to the NPRM
We do not believe this will result in a year with an estimated 4 hours per and on our review, we have determined
change or an increase in burden because agreement, the total anticipated increase that these final regulations do not
the provision would permit an in annual burden for large LEAs and require transmission of information that
organization conducting a study to enter postsecondary institutions would be any other agency or authority of the
into one written agreement with a 5,808 hours for this requirement. United States gathers or makes
FERPA-permitted entity, rather than available.
Note: For purposes of the burden analysis Accessible Format: Individuals with
making the organization enter into for 99.35(a)(3), we estimate the burden on
multiple written agreements with a large LEAs and postsecondary institutions disabilities can obtain this document in
variety of schools and school districts. because we believe that estimating burden for an accessible format (e.g., braille, large
these institutions captures the high-end of print, audiotape, or compact disc) on
Section 99.35(a)(3)Written
the burden estimate. We expect that burden request to the program contact person
Agreements for Audits, Evaluations, for smaller LEAs and postsecondary listed under FOR FURTHER INFORMATION
Compliance or Enforcement Activities institutions under 99.35(a)(3) would be CONTACT.
(OMB Control Number 18750246) much less than estimated here. Electronic Access to This Document:
Section 99.35(a)(3) requires FERPA- The official version of this document is
permitted entities to use a written Section 99.37(d)Parental Notice of the document published in the Federal
agreement to designate authorized Disclosure of Directory Information Register. Free Internet access to the
representatives other than agency (OMB Control Number 18750246) official edition of the Federal Register
employees. Under the final regulations, Section 99.37(d) requires any and the Code of Federal Regulations is
the agreement must: (1) Designate the educational agency or institution that available via the Federal Digital System
individual or entity as an authorized elects to implement a limited directory at: http://www.gpo.gov/fdsys. At this
representative; (2) specify the PII from information policy to specify its policy site you can view this document, as well
education records to be disclosed; (3) in the public notice to parents and as all other documents of this
specify that the purpose for which the eligible students in attendance at the Department published in the Federal
PII from education records is disclosed educational agency or institution. We do Register, in text or Adobe Portable
to the authorized representative is to not expect this requirement to result in Document Format (PDF). To use PDF
carry out an audit or evaluation of an additional burden for most you must have Adobe Acrobat Reader,
Federal- or State-supported education educational agencies and institutions which is available free at the site.
programs, or to enforce or to comply because educational agencies and You may also access documents of the
with Federal legal requirements that institutions are already required under Department published in the Federal
Register by using the article search place of birth; major field of study; (iii) A program operated by a local
feature at: http:// grade level; enrollment status (e.g., educational agency.
www.federalregister.gov. Specifically, undergraduate or graduate, full-time or * * * * *
through the advanced search feature at part-time); dates of attendance; Education program means any
this site, you can limit your search to participation in officially recognized program that is principally engaged in
documents published by the activities and sports; weight and height the provision of education, including,
Department. of members of athletic teams; degrees, but not limited to, early childhood
(Catalog of Federal Domestic Assistance honors, and awards received; and the education, elementary and secondary
Number does not apply.) most recent educational agency or education, postsecondary education,
institution attended. special education, job training, career
List of Subjects in 34 CFR Part 99 (b) Directory information does not and technical education, and adult
Administrative practice and include a students education, and any program that is
procedure, Directory information, (1) Social security number; or administered by an educational agency
Education records, Information, Parents, (2) Student identification (ID) or institution.
Privacy, Records, Social Security number, except as provided in (Authority: 20 U.S.C. 1232g(b)(3), (b)(5))
numbers, Students. paragraph (c) of this definition.
* * * * *
Dated: November 23, 2011. (c) In accordance with paragraphs (a)
and (b) of this definition, directory 3. Section 99.31 is amended by:
Arne Duncan, A. Removing paragraph (a)(6)(iii).
Secretary of Education.
information includes
B. Redesignating paragraph (a)(6)(ii)
(1) A student ID number, user ID, or
For the reasons discussed in the as paragraph (a)(6)(iii).
other unique personal identifier used by
C. Adding a new paragraph (a)(6)(ii).
preamble, the Secretary amends part 99 a student for purposes of accessing or D. Revising the introductory text of
of title 34 of the Code of Federal communicating in electronic systems,
Regulations as follows: newly redesignated paragraph (a)(6)(iii).
but only if the identifier cannot be used E. Revising the introductory text of
to gain access to education records newly redesignated paragraph
PART 99FAMILY EDUCATIONAL except when used in conjunction with
RIGHTS AND PRIVACY (a)(6)(iii)(C).
one or more factors that authenticate the F. Revising newly redesignated
users identity, such as a personal paragraph (a)(6)(iii)(C)(4).
1. The authority citation for part 99
identification number (PIN), password G. Revising paragraph (a)(6)(iv).
continues to read as follows:
or other factor known or possessed only The addition and revisions read as
Authority: 20 U.S.C. 1232g, unless by the authorized user; and
otherwise noted. follows:
(2) A student ID number or other
2. Section 99.3 is amended by: unique personal identifier that is 99.31 Under what conditions is prior
A. Adding, in alphabetical order, displayed on a student ID badge, but consent not required to disclose
definitions for authorized only if the identifier cannot be used to information?
representative, early childhood gain access to education records except (a) * * *
education program, and education when used in conjunction with one or (6) * * *
program. more factors that authenticate the users (ii) Nothing in the Act or this part
B. Revising the definition of directory identity, such as a PIN, password, or prevents a State or local educational
information. The additions and revision other factor known or possessed only by authority or agency headed by an
read as follows: the authorized user. official listed in paragraph (a)(3) of this
section from entering into agreements
99.3 What definitions apply to these (Authority: 20 U.S.C. 1232g(a)(5)(A))
with organizations conducting studies
regulations? * * * * * under paragraph (a)(6)(i) of this section
* * * * * Early childhood education program and redisclosing personally identifiable
Authorized representative means any means information from education records on
entity or individual designated by a (a) A Head Start program or an Early behalf of educational agencies and
State or local educational authority or Head Start program carried out under institutions that disclosed the
an agency headed by an official listed in the Head Start Act (42 U.S.C. 9831 et information to the State or local
99.31(a)(3) to conductwith respect to seq.), including a migrant or seasonal educational authority or agency headed
Federal- or State-supported education Head Start program, an Indian Head by an official listed in paragraph (a)(3)
programsany audit or evaluation, or Start program, or a Head Start program of this section in accordance with the
any compliance or enforcement activity or an Early Head Start program that also requirements of 99.33(b).
in connection with Federal legal receives State funding; (iii) An educational agency or
requirements that relate to these (b) A State licensed or regulated child institution may disclose personally
programs. care program; or identifiable information under
(Authority: 20 U.S.C. 1232g(b)(1)(C), (b)(3), (c) A program that paragraph (a)(6)(i) of this section, and a
and (b)(5)) (1) Serves children from birth through State or local educational authority or
* * * * * age six that addresses the childrens agency headed by an official listed in
Directory information means cognitive (including language, early paragraph (a)(3) of this section may
information contained in an education literacy, and early mathematics), social, redisclose personally identifiable
record of a student that would not emotional, and physical development; information under paragraph (a)(6)(i)
generally be considered harmful or an and and (a)(6)(ii) of this section, only if
invasion of privacy if disclosed. (2) Is * * * * *
(a) Directory information includes, (i) A State prekindergarten program; (C) The educational agency or
but is not limited to, the students name; (ii) A program authorized under institution or the State or local
address; telephone listing; electronic section 619 or part C of the Individuals educational authority or agency headed
mail address; photograph; date and with Disabilities Education Act; or by an official listed in paragraph (a)(3)
of this section enters into a written (A) The personally identifiable B. Redesignating paragraph (d) as
agreement with the organization that information from education records to paragraph (e).
* * * * * be disclosed; C. Adding a new paragraph (d).
(4) Requires the organization to (B) That the purpose for which the The addition and revision read as
destroy all personally identifiable personally identifiable information from follows:
information when the information is no education records is disclosed to the
authorized representative is to carry out 99.37 What conditions apply to
longer needed for the purposes for disclosing directory information?
which the study was conducted and an audit or evaluation of Federal- or
State-supported education programs, or * * * * *
specifies the time period in which the (c) A parent or eligible student may
information must be destroyed. to enforce or to comply with Federal
legal requirements that relate to those not use the right under paragraph (a)(2)
(iv) An educational agency or of this section to opt out of directory
institution or State or local educational programs; and
(C) A description of the activity with information disclosures to
authority or Federal agency headed by (1) Prevent an educational agency or
an official listed in paragraph (a)(3) of sufficient specificity to make clear that
the work falls within the exception of institution from disclosing or requiring
this section is not required to initiate a a student to disclose the students name,
study or agree with or endorse the 99.31(a)(3), including a description of
how the personally identifiable identifier, or institutional email address
conclusions or results of the study. in a class in which the student is
information from education records will
* * * * * be used; enrolled; or
(iii) Require the authorized (2) Prevent an educational agency or
99.33 [Amended]
representative to destroy personally institution from requiring a student to
4. Section 99.33 is amended by identifiable information from education wear, to display publicly, or to disclose
removing paragraph (e). records when the information is no a student ID card or badge that exhibits
5. Section 99.35 is amended by: longer needed for the purpose specified; information that may be designated as
A. Revising paragraph (a)(2). (iv) Specify the time period in which directory information under 99.3 and
B. Adding a new paragraph (a)(3). the information must be destroyed; and that has been properly designated by the
C. Revising paragraph (b). (v) Establish policies and procedures, educational agency or institution as
D. Revising the authority citation at consistent with the Act and other directory information in the public
the end of the section. Federal and State confidentiality and notice provided under paragraph (a)(1)
The addition and revisions read as privacy provisions, to protect personally of this section.
follows: identifiable information from education (d) In its public notice to parents and
records from further disclosure (except eligible students in attendance at the
99.35 What conditions apply to
back to the disclosing entity) and agency or institution that is described in
disclosure of information for Federal or
State program purposes? unauthorized use, including limiting paragraph (a) of this section, an
use of personally identifiable educational agency or institution may
(a) * * * specify that disclosure of directory
(2) The State or local educational information from education records to
only authorized representatives with information will be limited to specific
authority or agency headed by an parties, for specific purposes, or both.
official listed in 99.31(a)(3) is legitimate interests in the audit or
evaluation of a Federal- or State- When an educational agency or
responsible for using reasonable institution specifies that disclosure of
methods to ensure to the greatest extent supported education program or for
compliance or enforcement of Federal directory information will be limited to
practicable that any entity or individual specific parties, for specific purposes, or
designated as its authorized legal requirements related to these
programs. both, the educational agency or
representative institution must limit its directory
(b) Information that is collected under
(i) Uses personally identifiable information disclosures to those
paragraph (a) of this section must
information only to carry out an audit (1) Be protected in a manner that does specified in its public notice that is
or evaluation of Federal- or State- not permit personal identification of described in paragraph (a) of this
supported education programs, or for individuals by anyone other than the section.
the enforcement of or compliance with State or local educational authority or
Federal legal requirements related to * * * * *
agency headed by an official listed in 6. Section 99.61 is revised to read as
these programs; 99.31(a)(3) and their authorized
(ii) Protects the personally identifiable follows:
representatives, except that the State or
information from further disclosures or local educational authority or agency 99.61 What responsibility does an
other uses, except as authorized in headed by an official listed in educational agency or institution, a
paragraph (b)(1) of this section; and 99.31(a)(3) may make further recipient of Department funds, or a third
(iii) Destroys the personally disclosures of personally identifiable party outside of an educational agency or
identifiable information in accordance information from education records on institution have concerning conflict with
with the requirements of paragraphs (b) State or local laws?
behalf of the educational agency or
and (c) of this section. institution in accordance with the If an educational agency or institution
(3) The State or local educational requirements of 99.33(b); and determines that it cannot comply with
authority or agency headed by an (2) Be destroyed when no longer the Act or this part due to a conflict
official listed in 99.31(a)(3) must use a with State or local law, it must notify
needed for the purposes listed in

written agreement to designate any paragraph (a) of this section. the Office within 45 days, giving the
authorized representative, other than an text and citation of the conflicting law.
* * * * *
employee. The written agreement If another recipient of Department funds
must (Authority: 20 U.S.C. 1232g(b)(1)(C), (b)(3), under any program administered by the
(i) Designate the individual or entity and (b)(5)) Secretary or a third party to which
as an authorized representative; 5. Section 99.37 is amended by: personally identifiable information from
(ii) Specify A. Revising paragraph (c). education records has been non-
consensually disclosed determines that to comply with a provision of the Act party a written notice of its findings and
it cannot comply with the Act or this or this part, it may also determine the basis for its findings.
part due to a conflict with State or local whether the failure to comply is based (c) If the Office finds that an
law, it also must notify the Office within on a policy or practice of the agency or educational agency or institution or
45 days, giving the text and citation of institution or other recipient. The Office other recipient has not complied with a
the conflicting law. also investigates a timely complaint provision of the Act or this part, it may
(Authority: 20 U.S.C. 1232g(f)) filed by a parent or eligible student, or also find that the failure to comply was
conducts its own investigation when no based on a policy or practice of the
7. Section 99.62 is revised to read as
complaint has been filed or a complaint agency or institution or other recipient.
follows:
has been withdrawn, to determine A notice of findings issued under
99.62 What information must an whether a third party outside of the paragraph (b) of this section to an
educational agency or institution or other educational agency or institution has educational agency or institution, or
recipient of Department funds submit to the failed to comply with the provisions of other recipient that has not complied
Office? 99.31(a)(6)(iii)(B) or has improperly with a provision of the Act or this part
The Office may require an educational redisclosed personally identifiable (1) Includes a statement of the specific
agency or institution, other recipient of information from education records in steps that the agency or institution or
Department funds under any program violation of 99.33. other recipient must take to comply; and
administered by the Secretary to which * * * * * (2) Provides a reasonable period of
personally identifiable information from time, given all of the circumstances of
(Authority: 20 U.S.C. 1232g(b)(4)(B), (f) and
education records is non-consensually (g))
the case, during which the educational
disclosed, or any third party outside of agency or institution or other recipient
an educational agency or institution to 9. Section 99.65 is amended by may comply voluntarily.
which personally identifiable revising paragraph (a) to read as follows: (d) If the Office finds that a third party
information from education records is outside of an educational agency or
99.65 What is the content of the notice of
non-consensually disclosed to submit investigation issued by the Office?
institution has not complied with the
reports, information on policies and provisions of 99.31(a)(6)(iii)(B) or has
procedures, annual notifications, (a) The Office notifies in writing the improperly redisclosed personally
training materials, or other information complainant, if any, and the educational identifiable information from education
necessary to carry out the Offices agency or institution, the recipient of records in violation of 99.33, the
enforcement responsibilities under the Department funds under any program Offices notice of findings issued under
Act or this part. administered by the Secretary, or the paragraph (b) of this section
third party outside of an educational (1) Includes a statement of the specific
(Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and
agency or institution if it initiates an steps that the third party outside of the
(g))
investigation under 99.64(b). The educational agency or institution must
8. Section 99.64 is amended by: written notice take to comply; and
A. Revising paragraphs (a) and (b). (1) Includes the substance of the (2) Provides a reasonable period of
B. Revising the authority citation at allegations against the educational time, given all of the circumstances of
the end of the section. agency or institution, other recipient, or the case, during which the third party
The revisions read as follows: third party; and may comply voluntarily.
99.64 What is the investigation (2) Directs the agency or institution, (Authority: 20 U.S.C. 1232g(b)(4)(B), (f), and
procedure? other recipient, or third party to submit (g))
(a) A complaint must contain specific a written response and other relevant
information, as set forth in 99.62, 11. Section 99.67 is revised to read as
allegations of fact giving reasonable follows:
cause to believe that a violation of the within a specified period of time,
Act or this part has occurred. A including information about its policies 99.67 How does the Secretary enforce
complaint does not have to allege that and practices regarding education decisions?
a violation is based on a policy or records. (a) If an educational agency or
practice of the educational agency or * * * * * institution or other recipient of
institution, other recipient of 10. Section 99.66 is revised to read as Department funds under any program
Department funds under any program follows: administered by the Secretary does not
administered by the Secretary, or any comply during the period of time set
third party outside of an educational 99.66 What are the responsibilities of the under 99.66(c), the Secretary may take
agency or institution. Office in the enforcement process? any legally available enforcement action
(b) The Office investigates a timely (a) The Office reviews a complaint, if in accordance with the Act, including,
complaint filed by a parent or eligible any, information submitted by the but not limited to, the following
student, or conducts its own educational agency or institution, other enforcement actions available in
investigation when no complaint has recipient of Department funds under accordance with part D of the General
been filed or a complaint has been any program administered by the Education Provisions Act
withdrawn, to determine whether an Secretary, or third party outside of an (1) Withhold further payments under
educational agency or institution or educational agency or institution, and any applicable program;
other recipient of Department funds any other relevant information. The (2) Issue a complaint to compel
under any program administered by the Office may permit the parties to submit compliance through a cease and desist
Secretary has failed to comply with a further written or oral arguments or order; or
provision of the Act or this part. If the information. (3) Terminate eligibility to receive
Office determines that an educational (b) Following its investigation, the funding under any applicable program.
agency or institution or other recipient Office provides to the complainant, if (b) If, after an investigation under
of Department funds under any program any, and the educational agency or 99.66, the Secretary finds that an
administered by the Secretary has failed institution, other recipient, or third educational agency or institution, other
recipient, or third party has complied (d) If the Office finds that a State or institution, improperly rediscloses
voluntarily with the Act or this part, the local educational authority, a Federal personally identifiable information from
Secretary provides the complainant and agency headed by an official listed in education records in violation of 99.33
the agency or institution, other 99.31(a)(3), or an authorized or fails to provide the notification
recipient, or third party with written representative of a State or local required under 99.33(b)(2), then the
notice of the decision and the basis for educational authority or a Federal educational agency or institution from
the decision. agency headed by an official listed in which the personally identifiable
99.31(a)(3), improperly rediscloses information originated may not allow
(c) If the Office finds that a third personally identifiable information from
party, outside the educational agency or the third party found to be responsible
education records, then the educational
institution, violates 99.31(a)(6)(iii)(B), for the violation access to personally
agency or institution from which the
then the educational agency or identifiable information from education
personally identifiable information
institution from which the personally records for at least five years.
originated may not allow the third party
identifiable information originated may found to be responsible for the improper (Authority: 20 U.S.C. 1232g(b)(4)(B) and (f);
not allow the third party found to be redisclosure access to personally 20 U.S.C. 1234c)
responsible for the violation of identifiable information from education Note: The following appendices will not
99.31(a)(6)(iii)(B) access to personally records for at least five years. appear in the Code of Federal Regulations.
identifiable information from education (e) If the Office finds that a third
records for at least five years. party, outside the educational agency or BILLING CODE 400001P
ER02DE11.062</GPH>
ER02DE11.063</GPH>
ER02DE11.064</GPH>
ER02DE11.065</GPH>
ER02DE11.066</GPH>
ER02DE11.067</GPH>
ER02DE11.068</GPH>
ER02DE11.069</GPH>
ER02DE11.070</GPH>
ER02DE11.071</GPH>
ER02DE11.072</GPH>
ER02DE11.073</GPH>
ER02DE11.074</GPH>
ER02DE11.075</GPH>
ER02DE11.076</GPH>
[FR Doc. 201130683 Filed 12111; 8:45 am]

ER02DE11.077</GPH>
BILLING CODE 400001C

2011 30683

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2011 30683

Uploaded by

Copyright:

Available Formats

Vol.

Secretary of the Interior are required to reach an

guidance about data privacy, confidentiality, and

from that school. The SEA would be

instances in which there is no other

Changes: None. or institution, and termed it an marketers, and neighborhood book

elementary and secondary school Authority To Evaluate violations of FERPA by an educational

needed for the purposes listed in

[FR Doc. 201130683 Filed 12111; 8:45 am]

BILLING CODE 400001C

You might also like