[Federal Register Volume 76, Number 68 (Friday, April 8, 2011)]
[Proposed Rules]
[Pages 19726-19739]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-8205]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF EDUCATION
34 CFR Part 99
RIN 1880-AA86
[Docket ID ED-2011-OM-0002]
Family Educational Rights and Privacy
AGENCY: Office of Management, Department of Education.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The Secretary proposes to amend the regulations implementing
section 444 of the General Education Provisions Act, which is also
known as the Family Educational Rights and Privacy Act of 1974, as
amended (FERPA). These proposed amendments are necessary to ensure that
the Department's implementation of FERPA continues to protect the
privacy of education records, as intended by Congress, while allowing
for the effective use of data in statewide longitudinal data systems
(SLDS) as envisioned in the America Creating Opportunities to
Meaningfully Promote Excellence in Technology, Education, and Science
Act (COMPETES Act) and furthermore supported under the American
Recovery and Reinvestment Act of 2009 (ARRA). Improved access to data
contained within an SLDS will facilitate States' ability to evaluate
education programs, to build upon what works and discard what does not,
to increase accountability and transparency, and to contribute to a
culture of innovation and continuous improvement in education. These
proposed amendments would enable authorized representatives of State
and local educational authorities, and organizations conducting
studies, to use SLDS data to achieve these important outcomes while
protecting privacy under FERPA through an expansion of the requirements
for written agreements and the Department's enforcement mechanisms.
DATES: We must receive your comments on or before May 23, 2011.
Comments received after this date will not be considered.
ADDRESSES: Submit your comments through the Federal eRulemaking Portal
or via postal mail, commercial delivery, or hand delivery. We will not
accept comments by fax or by e-mail. Please submit your comments only
one time, in order to ensure that we do not receive duplicate copies.
In addition, please include the Docket ID at the top of your comments.
Federal eRulemaking Portal: Go to http://www.regulations.gov to submit your comments electronically. Information
on using Regulations.gov, including instructions for accessing agency
documents, submitting comments, and viewing the docket, is available on
the site under ``How To Use This Site.''
Postal Mail, Commercial Delivery, or Hand Delivery. If you
mail or deliver your comments about these proposed regulations, address
them to Regina Miles, U.S. Department of Education, 400 Maryland
Avenue, SW., Washington, DC 20202.
Privacy Note: The Department's policy for comments received from
members of the public (including those comments submitted by mail,
commercial delivery, or hand delivery) is to make these submissions
available for public viewing in their entirety on the Federal
eRulemaking Portal at http://www.regulations.gov. Therefore,
commenters should be careful to include in their comments only
information that they wish to make publicly available on the
Internet.
FOR FURTHER INFORMATION CONTACT: Ellen Campbell, U.S. Department of
Education, 400 Maryland Avenue, SW., Washington, DC 20202. Telephone:
(202) 260-3887 or via Internet: [email protected].
If you use a telecommunications device for the deaf, call the
Federal Relay Service (FRS), toll free, at 1-800-877-8339.
Individuals with disabilities can obtain this document in an
accessible format (e.g., braille, large print, audiotape, or computer
diskette) on request to the contact person listed under FOR FURTHER
INFORMATION CONTACT.
SUPPLEMENTARY INFORMATION:
Invitation to Comment
We invite you to submit comments regarding these proposed
regulations. To ensure that your comments have maximum effect in
developing the final regulations, we urge you to identify clearly the
specific section or sections of the proposed regulations that each of
your comments addresses and to arrange your comments in the same order
as the proposed regulations.
We invite you to assist us in complying with the specific
requirements of Executive Order 12866 and its overall requirement of
reducing regulatory burden that might result from these proposed
regulations. Please let us know of any further opportunities we should
take to reduce potential costs or increase potential benefits while
preserving the effective and efficient administration of the program.
During and after the comment period, you may inspect all public
comments about these proposed regulations by accessing http://www.regulations.gov. You may also inspect the comments in person in
room 6W243, 400 Maryland Avenue, SW., Washington, DC, 20202 between the
hours of 8:30 a.m. and 4 p.m. Eastern time, Monday through Friday of
each week except Federal holidays.
Assistance to Individuals With Disabilities in Reviewing the Rulemaking
Record
On request, we will supply an appropriate aid, such as a reader or
print magnifier, to an individual with a disability who needs
assistance to review the comments or other documents in the public
rulemaking record for these proposed regulations. If you want to
schedule an appointment for this type of aid, please contact the person
listed under FOR FURTHER INFORMATION CONTACT.
Background: On February 17, 2009, the President signed the ARRA
(Pub. L.
[[Page 19727]]
111-5) into law. The ARRA includes significant provisions relating to
the expansion and development of SLDS. Under title XIV of the ARRA, in
order for a State to receive funding under the State Fiscal
Stabilization Fund program (SFSF), the State's Governor must provide an
assurance in the State's application for SFSF funding that the State
will establish an SLDS that meets the requirements of section
6401(e)(2)(D) of the COMPETES Act (20 U.S.C. 9871(e)(2)(D)).
With respect to public preschool through grade 12 and postsecondary
education, COMPETES requires that the SLDS include: (a) A unique
statewide student identifier that, by itself, does not permit a student
to be individually identified by users of the system; (b) student-level
enrollment, demographic, and program participation information; (c)
student-level information about the points at which students exit,
transfer in, transfer out, drop out, or complete P-16 education
programs; (d) the capacity to communicate with higher education data
systems; and (e) a State data audit system assessing data quality,
validity, and reliability.
With respect to public preschool through grade 12 education,
COMPETES requires that the SLDS include: (a) Yearly test records of
individual students with respect to assessments under section 1111(b)
of the Elementary and Secondary Education Act of 1965, as amended (20
U.S.C. 6311(b)); (b) information on students not tested by grade and
subject; (c) a teacher identifier system with the ability to match
teachers to students; (d) student-level transcript information,
including information on courses completed and grades earned; and (e)
student-level college readiness test scores.
With respect to postsecondary education, COMPETES requires that the
SLDS include: (a) Information regarding the extent to which students
transition successfully from secondary school to postsecondary
education, including whether students enroll in remedial coursework;
and (b) other information determined necessary to address alignment and
adequate preparation for success in postsecondary education.
Separate provisions in title VIII of the ARRA appropriated $250
million for additional grants to State educational agencies (SEAs)
under the Statewide Longitudinal Data Systems program, authorized under
section 208 of the Educational Technical Assistance Act of 2002 (20
U.S.C. 9601, et seq.) to support the expansion of SLDS to include
postsecondary and workforce information.
The extent of data sharing contemplated by these and other Federal
initiatives prompted the Department to review the impact that its FERPA
regulations could have on the development and use of SLDS. FERPA is a
Federal law that protects student privacy by prohibiting educational
agencies and institutions from having a practice or policy of
disclosing personally identifiable information in student education
records (``PII'') unless a parent or eligible student provides prior
written consent or a statutory exception applies. In those
circumstances in which educational agencies and institutions may
disclose PII to third parties without consent, FERPA and its
implementing regulations limit the redisclosure of PII by the
recipients, except as set forth in Sec. Sec. 99.33(c) and (d) and
99.35(c)(2) (see 20 U.S.C. 1232g(b)(3) and (b)(4)(B) and Sec. Sec.
99.33 and 99.35(c)(2)). For example, State and local educational
authorities that receive PII without consent from the parent or
eligible student under the ``audit or evaluation'' exception may not
make further disclosures of the PII on behalf of the educational agency
or institution unless prior written consent from the parent or eligible
student is obtained, Federal law specifically authorized the collection
of the PII, or a statutory exception applies and the redisclosure and
recordation requirements are met (see 20 U.S.C. 1232g(b)(3) and (b)(4)
and Sec. Sec. 99.32(b)(2), 99.33(b)(1)), and 99.35(c)).
In light of the ARRA, the Department has conducted a review of its
FERPA regulations in 34 CFR part 99, including changes reflected in the
final regulations published on December 9, 2008 (73 FR 74806). Further,
the Department has reviewed its guidance interpreting FERPA, including
statements made in the preamble discussion to the final regulations
published on December 9, 2008 (73 FR 74806).
Based on its review, the Department has determined that the
Department's December 2008 changes to the FERPA regulations promote the
development and expansion of robust SLDS in the following ways:
Expanding the redisclosure authority in FERPA by amending
Sec. 99.35 to permit State and local educational authorities and other
officials listed in Sec. 99.31(a)(3) to make further disclosures of
personally identifiable information from education records, without the
consent of parents or eligible students, on behalf of the educational
agency or institution from which the PII was obtained under specified
conditions (see Sec. Sec. 99.33(b)(1) and 99.35(b)(1)).
Permitting SEAs and other State educational authorities,
as well as the other officials listed in Sec. 99.31(a)(3), to record
their redisclosures at the time they are made and by groups (i.e., by
the student's class, school district, or other appropriate grouping
rather than by the name of each student whose record was redisclosed);
and only requiring them to send these records of redisclosure to the
educational agencies or institutions from which the PII was obtained
upon the request of an educational agency or institution (see Sec.
99.32(b)(2)).
Notwithstanding these provisions in the Department's FERPA
regulations and the preamble discussion relating to the December 2008
changes to the regulations, the Department's review indicates that
there are a small number of other regulatory provisions and policy
statements that unnecessarily hinder the development and expansion of
SLDS consistent with the ARRA. Because the Department has determined
that these regulatory provisions and policies are not necessary to
ensure privacy protections for PII, it proposes to amend 34 CFR part 99
to make the changes described in the following section.
Significant Proposed Regulations
We discuss substantive issues under the sections of the proposed
regulations to which they pertain. Generally, we do not address
proposed regulatory provisions that are technical or otherwise minor in
effect.
Definitions (Sec. 99.3)
Authorized Representative (Sec. Sec. 99.3, 99.35)
Statute: Sections (b)(1)(C), (b)(3) and (b)(5) of FERPA (20 U.S.C.
1232g(b)(1)(C), (b)(3) and (b)(5)) permit educational agencies and
institutions nonconsensually to disclose PII to ``authorized
representatives'' of State and local educational authorities, the
Secretary, the Attorney General of the United States, and the
Comptroller General of the United States, as may be necessary in
connection with the audit, evaluation, or the enforcement of Federal
legal requirements related to Federal or State supported education
programs. The statute does not define the term authorized
representative.
Current Regulations: The term authorized representative, which is
used in current Sec. Sec. 99.31(a)(3) and 99.35(a)(1), is not defined
in the current regulations. Current Sec. Sec. 99.31(a)(3) and
99.35(a)(1), together, implement sections (b)(1)(C), (b)(3) and (b)(5)
of FERPA (20 U.S.C. 1232g(b)(1)(C), (b)(3) and (b)(5)).
[[Page 19728]]
Proposed Regulations: We propose to amend Sec. 99.3 to add a
definition of the term authorized representative. Under the proposed
definition, an authorized representative would mean any entity or
individual designated by a State or local educational authority or
agency headed by an official listed in Sec. 99.31(a)(3) to conduct--
with respect to Federal or State supported education programs--any
audit, evaluation, or compliance or enforcement activity in connection
with Federal legal requirements that relate to those programs.
In order to help ensure proper implementation of FERPA requirements
that protect student privacy, we also propose to amend Sec. 99.35
(What conditions apply to disclosure of information for Federal or
State program purposes?). Specifically, we would provide, in proposed
Sec. 99.35(a)(2), that responsibility remains with the State or local
educational authority or agency headed by an official listed in Sec.
99.31(a)(3) to use reasonable methods to ensure that any entity
designated as its authorized representative remains compliant with
FERPA. We are not proposing to define ``reasonable methods'' in the
proposed regulations in order to provide flexibility for a State or
local educational authority or an agency headed by an official listed
in Sec. 99.31(a)(3) to make these determinations. However, we are
interested in receiving comments on what would be considered reasonable
methods. The Department anticipates issuing non-regulatory guidance on
this and other related matters when we issue the final regulations or
soon thereafter.
We also would amend Sec. 99.35 to require written agreements
between a State or local educational authority or agency headed by an
official listed in Sec. 99.31(a)(3) and its authorized representative,
other than an employee (see proposed Sec. 99.35(a)(3)). We propose
that these agreements: designate the individual or entity as an
authorized representative; specify the information to be disclosed and
that the purpose for which the PII is disclosed to the authorized
representative is only to carry out an audit or evaluation of Federal
or State supported education programs, or to enforce or to comply with
Federal legal requirements that relate to those programs; require the
return or destruction of the PII when no longer needed for the
specified purpose in accordance with the requirements of Sec.
99.35(b)(2); specify the time period in which the PII must be returned
or destroyed; and establish policies and procedures (consistent with
FERPA and other Federal and State confidentiality and privacy
provisions) to protect the PII from further disclosure (except back to
the disclosing entity) and unauthorized use, including limiting the use
of PII to only those authorized representatives with legitimate
interests (see proposed Sec. 99.35(a)(3)).
We would propose a minor change to Sec. 99.35(b) to clarify that
the requirement to protect PII from disclosure applies to authorized
representatives.
Finally, proposed Sec. 99.35(d) would clarify that if the
Department's Family Policy Compliance Office (FPCO) finds that a State
or local educational authority, an agency headed by an official listed
in Sec. 99.31(a)(3), or an authorized representative of a State or
local educational authority or agency headed by an official listed in
Sec. 99.31(a)(3) improperly rediscloses PII in violation of FERPA, the
educational agency or institution from which the PII originated would
be prohibited from permitting the entity responsible for the improper
redisclosure (i.e., the authorized representative, or the State or
local educational authority or the agency headed by an officials listed
in Sec. 99.31(a)(3), or both) access to the PII for at least five
years (see 20 U.S.C. 1232g(b)(4)(B) and Sec. 99.33(e)).
Reasons: Under current Sec. Sec. 99.31(a)(3) and 99.35(a)(1) and
20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5), an educational agency or
institution may disclose PII to an authorized representative of a State
or local educational authority or an agency headed by an official
listed in Sec. 99.31(a)(3), without prior written consent, for the
purposes of conducting--with respect to Federal or State supported
education programs--any audit, evaluation, or compliance or enforcement
activity in connection with Federal legal requirements that relate to
those education programs, provided that such disclosures are subject to
the applicable privacy protections in FERPA. Although the term
authorized representative is not defined in FERPA or the current
regulations, the Department's longstanding interpretation of this term
has been that it does not include other State or Federal agencies
because these agencies are not under the direct control (e.g., they are
not employees or contractors) of a State educational authority (or
other agencies headed by officials listed in Sec. 99.31(a)(3)).
(Memorandum from William D. Hansen, Deputy Secretary of Education, to
State officials, January 30, 2003, (``Hansen memorandum'')). Under this
interpretation of the term authorized representative, as it is used in
current Sec. Sec. 99.31(a)(3) and 99.35(a)(1) (and 1232g(b)(1)(C),
(b)(3), and (b)(5)), an SEA or other State educational authority may
not make further disclosures of PII to other State agencies, such as
State health and human services departments, because these agencies are
not employees or contractors to which the State educational authority
has outsourced the audit or evaluation of education programs (or other
institutional services or functions). (This interpretation was later
incorporated in the preamble to the final FERPA regulations published
on December 9, 2008 (73 FR 74806, 74825).)
As explained in further detail in the following paragraphs, the
Department has concluded that FERPA does not require that an authorized
representative be under the educational authority's direct control in
order to receive PII for purposes of audit or evaluation. We also do
not believe such a restrictive interpretation is warranted given
Congress' intent in the ARRA to have States link data across sectors.
Through these regulations, therefore, we are proposing to rescind the
policy established in the January 30, 2003, Hansen memorandum and the
preamble to the final FERPA regulations published on December 9, 2008
(73 FR 74806, 74825). These proposed regulations also would expressly
permit State and local educational authorities and other agencies
headed by officials listed in Sec. 99.31(a)(3) to exercise the
flexibility and discretion to designate other individuals and entities,
including other governmental agencies, as their authorized
representatives for evaluation, audit, or legal enforcement or
compliance purposes of a Federal or State-supported education program,
subject to the requirements in FERPA and its implementing regulations.
We first note that nothing in FERPA prescribes which agencies,
organizations, or individuals may serve as an authorized representative
of a State or local educational authority or an agency headed by an
official listed in Sec. 99.31(a)(3), or whether an authorized
representative must be a public or private entity or official.
Moreover, the Department believes that it is unnecessarily restrictive
to interpret FERPA as prohibiting an individual or entity who is not an
employee or contractor under the ``direct control'' of a State or local
educational authority or agency headed by an official listed in Sec.
99.31(a)(3) from serving as an authorized representative.
One of the key purposes of FERPA is to ensure the privacy of
personally identifiable information in student education records.
Therefore, the determination of who can serve as an authorized
representative should be
[[Page 19729]]
made in light of that purpose. Accordingly, we believe it is
appropriate to require that any State or local educational authority or
agency headed by an official listed in Sec. 99.31(a)(3) that
designates an individual or entity as an authorized representative--
Be responsible for using reasonable methods to ensure that
the designated individual or entity--
[cir] Uses PII only for purposes of the audit, evaluation, or
compliance or enforcement activity in question;
[cir] Destroys or returns PII when no longer needed for these
purposes; and
[cir] Protects PII from redisclosure (and use by any other third
party), except as permitted in Sec. 99.35(b)(1) (i.e., back to the
disclosing entity) (see proposed Sec. 99.35(a)(2)); and
Use a written agreement that designates any authorized
representative other than an employee and includes the privacy
protections set forth in proposed Sec. 99.35(a)(3) (i.e., to use
reasonable methods to limit its authorized representative's use of PII
for these purposes, to require the return or destruction of PII when it
is no longer needed for these purposes, and to establish policies and
procedures consistent with FERPA and other Federal and State
confidentiality and privacy provisions) to protect PII from further
disclosure (except back to the disclosing entity). If a State or local
educational authority or agency headed by an official listed in Sec.
99.31(a)(3) is able to comply with these requirements (i.e., to use
reasonable methods to limit its authorized representative's use of PII
for these purposes, to establish policies and procedures to protect PII
from further disclosure and to require the return or destruction of PII
when it is no longer needed for these purposes), then there is no
reason why a State health and human services or labor department, for
example, should be precluded from serving as the authority's authorized
representative and receiving non-consensual disclosures of PII to link
education, workforce, health, family services, and other data for the
purpose of evaluating, auditing, or enforcing Federal legal
requirements related to, Federal or State supported education programs.
Furthermore, under proposed Sec. 99.35(d), we would clarify that
in the event that the Family Policy Compliance Office finds an improper
redisclosure, the Department would prohibit the educational agency or
institution from which the PII originated from permitting the party
responsible for the improper redisclosure (i.e., the authorized
representative, or the State or local educational authority or agency
headed by an official listed in Sec. 99.31(a)(3), or both) access to
the PII for at least five years.
With these proposed changes to the privacy provisions in Sec.
99.35, we believe that PII, including PII in SLDS, will be
appropriately protected while giving each State the needed flexibility
to house information in a SLDS that best meets the needs of the
particular State. FERPA does not constrain State administrative choices
regarding the data system architecture, data strategy, or technology
for SLDS as long as the required designation, purpose, and privacy
protections are in place. The proposed amendments to Sec. 99.35 would
require that these protections are in place.
Directory Information (Sec. 99.3)
Statute: Sections (a)(5)(A), (b)(1), and (b)(2) of FERPA (20 U.S.C.
1232g(a)(5), (b)(1), and (b)(2)) permit educational agencies and
institutions nonconsensually to disclose information defined as
directory information, such as a student's name and address, telephone
listing, date and place of birth, and major field of study, provided
that specified public notice and opt out conditions have been met.
Current Regulations: Directory information is defined in current
Sec. 99.3 as information contained in an education record of a student
that would not generally be considered harmful or an invasion of
privacy if disclosed, and includes information listed in section
(a)(5)(A) of FERPA (20 U.S.C. 1232g(a)(5)(A)) (e.g., a student's name
and address, telephone listing) as well as other information, such as a
student's electronic mail (e-mail) address, enrollment status, and
photograph. Current regulations also specify that a student's Social
Security Number (SSN) or student identification (ID) number may not be
designated and disclosed as directory information. However, the current
regulations state that a student ID number, user ID, or other unique
personal identifier used by the student for purposes of accessing or
communicating in electronic systems may be designated and disclosed as
directory information if the identifier cannot be used to gain access
to education records except when used in conjunction with one or more
factors to authenticate the user's identity.
Proposed Regulations: The proposed regulations would modify the
definition of directory information to clarify that an educational
agency or institution may designate as directory information and
nonconsensually disclose a student ID number or other unique personal
identifier that is displayed on a student ID card or badge if the
identifier cannot be used to gain access to education records except
when used in conjunction with one or more factors that authenticate the
user's identity, such as a PIN, password, or other factor known or
possessed only by the authorized user.
Reasons: Directory information items, such as name, photograph, and
student ID number, are the types of information that are typically
displayed on a student ID card or badge. For the reasons outlined in
our discussion later in this notice regarding the proposed changes in
Sec. 99.37(c), the proposed change to the definition of directory
information is needed to clarify that FERPA permits educational
agencies and institutions to designate student ID numbers as directory
information in the public notice provided to parents and eligible
students in attendance at the agency or institution under Sec.
99.37(a)(1). Including the designation of student ID numbers as a
directory information item will permit schools to disclose as directory
information a student ID number on a student ID card or badge if the
student ID number cannot be used to gain access to education records
except when used in conjunction with one or more factors that
authenticate the user's identity. In situations where a student's
social security number is used as the student's ID number, that number
may not be designated as directory information, even for purposes of a
student's ID card or badge.
Education Program (Sec. Sec. 99.3, 99.35)
Statute: The statute does not define the term education program.
Current Regulations: The term education program, which is used in
current Sec. 99.35(a)(1), is not defined in the current regulations.
Current Sec. 99.35(a)(1) provides that authorized representatives of
the officials or agencies headed by officials listed in Sec.
99.31(a)(3) may have non-consensual access to personally identifiable
information from education records in connection with an audit or
evaluation of Federal or State supported ``education programs'', or for
the enforcement of or compliance with Federal legal requirements that
relate to those programs.
Proposed Regulations: We propose to define the term education
program to mean any program that is principally engaged in the
provision of education, including, but not limited to early childhood
education, elementary and secondary education, postsecondary education,
special education, job training, career and technical education,
[[Page 19730]]
and adult education, regardless of whether the program is administered
by an educational authority.
Reasons: The proposed definition of education program in Sec. 99.3
is intended to establish that a program need not be administered by an
educational agency or institution in order for it to be considered an
education program for purposes of Sec. 99.35(a)(1) and 20 U.S.C.
1232g(b)(1). The Secretary recognizes that education may begin before
kindergarten and may involve learning outside of postsecondary
institutions. However, in many States, programs that the Secretary
would regard as education programs are not administered by SEAs or
LEAs. For example, in many States, State-level health and human
services departments administer early childhood education programs,
including early intervention programs authorized under Part C of the
Individuals with Disabilities Education Act (IDEA). Similarly, agencies
other than SEAs may administer career and technical education or adult
education programs. Because all of these programs could benefit from
the type of rigorous data-driven evaluation that SLDS will facilitate,
we are proposing to define the term education program to include these
programs that are not administered by education agencies. This proposed
change would provide greater access to information on students before
entering or exiting the P-16 programs. The information could be used to
evaluate these education programs and provide increased opportunities
to build upon successful ones and improve less successful ones. In
order to accomplish these objectives, and to give States the
flexibility needed to develop and expand the SLDS contemplated under
the ARRA, the Department proposes to interpret the term education
program, as used in FERPA and its implementing regulations, to mean any
program that is principally engaged in the provision of education,
including, but not limited to, early childhood education, elementary
and secondary education, postsecondary education, special education,
job training, career and technical education, and adult education, even
when agencies other than SEAs administer such a program.\1\ Thus, as an
example, under the proposed definitions of the terms, authorized
representative and education program, FERPA would permit a State
educational authority to designate a State health and human services
agency as its authorized representative in order to conduct an audit or
an evaluation of any Federal or State supported education program, such
as the Head Start program.
---------------------------------------------------------------------------
\1\ We intend for the proposed definition of the term education
program to include, but not be limited to, any applicable program,
as that term is defined in section 400 of the General Education
Provisions Act (20 U.S.C. 1221).
---------------------------------------------------------------------------
Research Studies (Sec. 99.31(a)(6))
Statute: Section (b)(1)(F) of FERPA permits educational agencies
and institutions non-consensually to disclose PII to organizations
conducting studies for, or on behalf of, educational agencies and
institutions to improve instruction, to administer student aid
programs, or to develop, validate, or administer predictive tests.
Current Regulations: Current Sec. 99.31(a)(6)(ii)(C) requires that
an educational agency or institution enter into a written agreement
with the organization conducting the study that specifies the purpose,
scope, and duration of the study and the information to be disclosed
and meets certain other requirements. Current regulations do not
indicate whether State and local educational authorities and agencies
headed by officials listed in Sec. 99.31(a)(3) that may redisclose PII
on behalf of educational agencies and institutions under Sec. 99.33(b)
may also enter into this type of written agreement.
Proposed Regulations: The Secretary proposes to amend Sec. 99.31
by redesignating paragraphs (a)(6)(ii) through (a)(6)(v) as paragraphs
(a)(6)(iii) through (a)(6)(vi) and adding a new paragraph (a)(6)(ii).
This new paragraph would clarify that nothing in FERPA or its
implementing regulations prevents a State or local educational
authority or agency headed by an official listed in Sec. 99.31(a)(3)
from entering into agreements with organizations conducting studies
under Sec. 99.31(a)(6)(i) and redisclosing PII on behalf of the
educational agencies and institutions that provided the information in
accordance with the requirements of Sec. 99.33(b). We also propose to
amend Sec. 99.31(a)(6) to require written agreements between a State
or local educational authority or agency headed by an official listed
in Sec. 99.31(a)(3) and any organization conducting studies with
redisclosed PII under this exception (see proposed Sec.
99.31(a)(6)(iii)(C)). Under this amended regulatory provision, these
agreements would need to contain the specific provisions currently
required in agreements between educational agencies or institutions and
such organizations under current Sec. 99.31(a)(6)(ii)(C). Thus, the
only differences between proposed Sec. 99.31(a)(6)(iii)(C) and current
Sec. 99.31(a)(6)(ii)(C) would be to make the written agreement
requirements apply to State or local educational authorities or
agencies headed by an official listed in Sec. 99.31(a)(3) as well as
educational agencies and institutions. Finally, newly redesignated
Sec. 99.31(a)(6)(iv) and (a)(6)(v) would be revised to ensure that
these provisions apply to State and local educational authorities or
agencies headed by an official listed in Sec. 99.31(a)(3)--not only
educational agencies and institutions.
Reasons: In the preamble to the FERPA regulations published in the
Federal Register on December 9, 2008 (73 FR 74806, 74826), the
Department explained that an SEA or other State educational authority
that has legal authority to enter into agreements for LEAs or
postsecondary institutions under its jurisdiction may enter into an
agreement with an organization conducting a study for the LEA or
institution under the studies exception in Sec. 99.31(a)(6). The
preamble explained further that if the SEA or other State educational
authority does not have the legal authority to act for or on behalf of
an LEA or institution, then the SEA or other State educational
authority would not be permitted to enter into an agreement with an
organization under this exception. The changes reflected in proposed
Sec. 99.31(a)(6)(ii) are necessary to clarify that while FERPA does
not confer legal authority on State and Federal agencies to enter into
agreements and act on behalf of or in place of LEAs and postsecondary
institutions, nothing in FERPA prevents them from entering into these
agreements and redisclosing PII on behalf of LEAs and postsecondary
institutions to organizations conducting studies under Sec.
99.31(a)(6) in accordance with the redisclosure requirements in Sec.
99.33(b).
As explained in the preamble to the December 2008 regulations (see
73 FR 74806, 74821), the Department recognizes that the State and local
educational authorities and Federal officials that receive PII without
consent under Sec. 99.31(a)(3) are generally responsible for
supervising and monitoring LEAs and postsecondary institutions. SEAs
and State higher educational agencies, in particular, typically have
the role and responsibility to perform and support research and
evaluation of publicly funded education programs for the benefit of
multiple educational agencies and institutions in their States. We
understand further that these relationships generally provide
sufficient authority for a State educational authority to enter into an
[[Page 19731]]
agreement with an organization conducting a study and to redisclose PII
received from educational agencies and institutions that provided the
information in accordance with Sec. 99.33(b). The proposed
regulations, therefore, would clarify that studies supported by these
State and Federal authorities of publicly funded education programs
generally may be conducted, while simultaneously ensuring that any PII
disclosed is appropriately protected by the organizations conducting
the studies.
In the event that an educational agency or institution objects to
the redisclosure of PII it has provided, the State or local educational
authority or agency headed by an official listed in Sec. 99.31(a)(3)
may rely instead on any independent authority it has to further
disclose the information on behalf of the agency or institution. The
Department recognizes that this authority may be implied and need not
be explicitly granted.
Authority To Audit or Evaluate (Sec. 99.35)
Statute: Sections (b)(1)(C), (b)(3) and (b)(5) of FERPA (20 U.S.C.
1232g(b)(1)(C), (b)(3) and (b)(5)) permit educational agencies and
institutions non-consensually to disclose PII to authorized
representatives of State and local educational authorities, the
Secretary, the Attorney General of the United States, and the
Comptroller General of the United States, as may be necessary in
connection with the audit, evaluation, or the enforcement of Federal
legal requirements related to Federal or State supported education
programs.
Current Regulations: Current Sec. 99.35(a)(2) provides that in
order for a State or local educational authority or other agency headed
by an official listed in Sec. 99.31(a)(3) to conduct an audit,
evaluation, or compliance or enforcement activity, its authority to do
so must be established under other Federal, State, or local authority
because that authority is not conferred by FERPA.
Proposed Regulations: The Secretary proposes to amend Sec.
99.35(a)(2) by removing the provision that a State or local educational
authority or other agency headed by an official listed in Sec.
99.31(a)(3) must establish legal authority under other Federal, State
or local law to conduct an audit, evaluation, or compliance or
enforcement activity.
Reasons: Current Sec. Sec. 99.33(b)(1) and 99.35(b)(1) permit
State and local educational authorities and agencies headed by
officials listed in Sec. 99.31(a)(3) to further disclose PII from
education records on behalf of educational agencies or institutions to
other authorized recipients under Sec. 99.31, including separate State
educational authorities at different levels of education, provided that
the redisclosure meets the requirements of Sec. 99.33(b)(1) and the
recordkeeping requirements in Sec. 99.32(b). However, we believe that
our prior guidance and statements made in the preambles to the notice
of proposed rulemaking published on March 24, 2008 (73 FR 15574), and
the final regulations published on December 9, 2008 (73 FR 74806), may
have created some confusion about whether a State or local educational
authority or agency headed by an official listed in Sec. 99.31(a)(3)
that receives PII under the audit and evaluation exception must be
authorized to conduct an audit or evaluation of a Federal or State
supported education program, or enforcement or compliance activity in
connection with Federal legal requirements related to the education
program of the disclosing educational agency or institution or whether
the PII may be disclosed in order for the recipient to conduct an
audit, evaluation, or enforcement or compliance activity with respect
to the recipient's own Federal or State supported education programs.
By removing the language concerning legal authority from current
Sec. 99.35(a)(2), the Department would clarify two things to eliminate
this confusion. First, the Department would clarify that the authority
for a State or local educational authority or Federal agency headed by
an official listed in Sec. 99.31(a)(3) to conduct an audit,
evaluation, enforcement or compliance activity may be express or
implied. And, second, the Department would clarify that FERPA permits
non-consensual disclosure of PII to a State or local educational
authority or agency headed by an official listed in Sec. 99.31(a)(3)
to conduct an audit, evaluation, or compliance or enforcement activity
with respect to the Federal or State supported education programs of
the recipient's own Federal or State supported education programs as
well as those of the disclosing educational agency or the institution.
The Department intends these clarifications to promote Federal
initiatives to support the robust use of data by State and local
educational authorities to evaluate the effectiveness of Federal or
State supported education programs. The provision of postsecondary
student data to P-12 data systems is vital to evaluating whether P-12
schools are effectively preparing students for college. This proposed
clarification would, for example, establish that FERPA does not
prohibit a private postsecondary institution from non-consensually
disclosing to an LEA PII on the LEA's former students who are now in
attendance at the private postsecondary institution, as may be
necessary for the LEA to evaluate the Federal or State supported
education programs that the LEA administers. This proposed
clarification similarly would establish that FERPA does not prohibit a
postsecondary data system from non-consensually redisclosing PII to an
SEA in connection with the SEA's evaluation of whether the State's LEAs
effectively prepared their graduates to enroll, persist, and succeed in
postsecondary education.
Directory Information (Sec. 99.37)
Section 99.37(c) (Student ID Cards and ID Badges)
Statute: The statute does not address whether parents and eligible
students may use their right to opt out of directory information
disclosures to prevent school officials from requiring students to
disclose ID cards or to wear ID badges.
Current Regulations: Current regulations do not address whether
parents and eligible students may use their right to opt out of
directory information disclosures to prevent school officials from
requiring students to disclose ID cards or to wear ID badges.
Proposed Regulations: The proposed regulations would provide in
Sec. 99.37(c) that parents or eligible students may not use their
right to opt out of directory information disclosures to prevent an
educational agency or institution from requiring students to wear or
otherwise disclose student ID cards or badges that display information
that may be designated as directory information under Sec. 99.3 and
that has been properly designated by the educational agency or
institution as directory information under Sec. 99.37(a)(1).
Reasons: An increased awareness of school safety and security has
prompted some educational agencies and institutions, especially school
districts, to require students to wear and openly display a student ID
badge that contains identifying information (typically, name, photo,
and student ID number) when the student is on school property or
participates in extracurricular activities. We have received inquiries
about this issue, as well as complaints that the mandatory public
display of identifying information on a student ID
[[Page 19732]]
badge violates the FERPA rights of parents and eligible students who
have opted out of directory information disclosures. The proposed
regulations are needed to clarify that the right to opt out of
directory information disclosures is not a mechanism for students, when
in school or at school functions, to refuse to wear student ID badges
or to display student ID cards that display information that may be
designated as directory information under Sec. 99.3 and that has been
properly designated by the educational agency or institution as
directory information under Sec. 99.37(a)(1). Because we recognize
that the types of ID cards and badges that postsecondary institutions
require may differ significantly from those required by elementary and
secondary schools, we are requesting comments from postsecondary
officials on whether this proposed change raises any particularized
concerns for their institutions.
The directory information exception is intended to facilitate
communication among school officials, parents, students, alumni, and
others, and permits schools to publicize and promote institutional
activities to the general public. Many schools do so by publishing
paper or electronic directories that contain student names, addresses,
telephone listings, e-mail addresses, and other information the
institution has designated as directory information. Some schools do
not publish a directory but do release directory information on a more
selective basis. FERPA allows a parent or eligible student to opt out
of these disclosures (under the conditions specified in Sec.
99.37(a)), whether the information is made available to the general
public, limited to members of the school community, or released only to
specified individuals.
The Secretary believes, however, that the need for schools and
college campuses to implement measures to ensure the safety and
security of students is of the utmost importance and that FERPA should
not be used as an impediment to achieving student safety. Thus, the
right to opt out of the disclosure of directory information does not
include the right to refuse to wear or otherwise disclose a student ID
card or badge that displays directory information and, therefore, may
not be used to impede a school's ability to monitor and control who is
in school buildings or on school grounds or whether a student is where
he or she should be. This proposed change would mean that, even when a
parent or eligible student opts out of the disclosure of directory
information, an educational agency or institution may nevertheless
require the student to wear and otherwise disclose a student ID card or
badge that displays information that may be designated as directory
information under Sec. 99.3 and that has been properly designated by
the educational agency or institution as directory information under
Sec. 99.37(a)(1).
Section 99.37(d) (Limited Directory Information Policy)
Statute: Under sections (a)(5), (b)(1), and (b)(2) of FERPA (20
U.S.C. 1232g(a)(5), (b)(1), and (b)(2)), an educational agency or
institution may disclose directory information without meeting FERPA's
written consent requirements provided that it first notifies the
parents or eligible students of the types of information that may be
disclosed and allows them to opt out of the disclosure. The statute
lists a number of items in the definition of directory information,
including a student's name, address, and telephone listing. The statute
does not otherwise address whether an educational agency or institution
may have a limited directory information policy in which it specifies
the exact parties who may receive directory information, the specific
purposes for which the directory information may be disclosed, or both.
Current Regulations: Section 99.37(a) requires an educational
agency or institution to provide public notice to parents of students
in attendance and eligible students in attendance of the types of
directory information that may be disclosed and the parent's or
eligible student's right to opt out.
Proposed Regulations: Proposed Sec. 99.37(d) would clarify that an
educational agency or institution may specify in the public notice it
provides to parents and eligible students in attendance provided under
Sec. 99.37(a) that disclosure of directory information will be limited
to specific parties, for specific purposes, or both. We also propose to
clarify that an educational agency or institution that adopts a limited
directory information policy must limit its directory information
disclosures only to those parties and purposes that were specified in
the public notice provided under Sec. 99.37(a).
Reasons: Some school officials have advised us that their
educational agencies and institutions do not have a directory
information policy under FERPA, due to concerns about the potential
misuse by members of the public of personally identifiable information
about students, including potential identity theft. Clarifying that the
regulations permit educational agencies and institutions to have a
limited directory information policy would give educational agencies
and institutions greater discretion in protecting student privacy by
permitting them to limit the release of directory information for
specific purposes, to specific parties, or both. This proposed change
also would provide a regulatory authority for FPCO to investigate and
enforce a violation of a limited directory information policy by an
educational agency or institution.
However, in order not to impose additional administrative burdens
on educational agencies and institutions, the Department is not
proposing changes to the recordkeeping requirement in Sec.
99.32(d)(4), which currently excepts educational agencies and
institutions from having to record the disclosure of directory
information. For similar reasons, the Department is not proposing to
amend the redisclosure provisions in Sec. 99.33(c), which except the
redisclosure of directory information from the general prohibition on
redisclosure of personally identifiable information. While the
Department is not proposing to regulate on the redisclosure of
directory information by third parties that receive directory
information from educational agencies or institutions under a limited
directory information policy, we nevertheless strongly recommend that
educational agencies and institutions that choose to adopt a limited
directory information policy assess the need to protect the directory
information from further disclosure by the third parties to which they
disclose directory information; when a need to protect the information
from further disclosure is identified, educational agencies and
institutions should enter into non-disclosure agreements with the third
parties.
Enforcement Procedures With Respect to Any Recipient of Department
Funds That Students Do Not Attend (Sec. 99.60)
Statute: Sections (f) and (g) of FERPA (20 U.S.C. 1232g(f) and (g))
authorize the Secretary to take appropriate actions to enforce and
address violations of FERPA in accordance with part D of the General
Education Provisions Act (20 U.S.C. 1234 through 1234i) and to
establish or designate an office and review board within the Department
for the purpose of investigating, processing, reviewing, and
adjudicating alleged violations of FERPA.
Current Regulations: Current Sec. 99.60(b) designates the FPCO as
the office within the Department responsible for investigating,
processing, and reviewing alleged
[[Page 19733]]
violations of FERPA. Current subpart E of the FERPA regulations
(Sec. Sec. 99.60 through 99.67), however, only addresses alleged
violations of FERPA committed by an educational agency or institution.
Proposed Regulations: Proposed Sec. 99.60(a)(2) would provide
that, solely for purposes of subpart E of the FERPA regulations, which
addresses enforcement procedures, an ``educational agency or
institution'' includes any public or private agency or institution to
which FERPA applies under Sec. 99.1(a)(2), as well as any State
educational authority (e.g., SEAs or postsecondary agency) or local
educational authority or any other recipient to which funds have been
made available under any program administered by the Secretary (e.g., a
nonprofit organization, student loan guaranty agency, or a student loan
lender), including funds provided by grant, cooperative agreement,
contract, subgrant, or subcontract.
Reasons: With the advent of SLDS, it is necessary for the
Department to update our enforcement regulations to clearly set forth
the Department's authority to investigate and enforce alleged
violations of FERPA by State and local educational authorities or any
other recipients of Department funds under a program administered by
the Secretary. Current Sec. Sec. 99.60 through 99.67 only apply the
enforcement provisions in FERPA to an ``educational agency or
institution.'' Although the statute and the regulations broadly define
the term ``educational agency or institution,'' the Department
generally has not interpreted the term to include entities that
students do not attend. The Department's interpretation is based upon
the fact that FERPA defines ``education records'' as information
directly related to a ``student,'' and that ``student'' is, in turn,
defined as excluding a person who has not been in attendance at the
educational agency or institution. 20 U.S.C. 1232g(a)(4) and (a)(6).
Because students do not attend non-school types of entities the
Department has generally not viewed these recipients of Department
funds as being ``educational agencies or institutions'' under FERPA.
Consequently, the current regulations do not clearly authorize FPCO
to investigate, review, and process an alleged violation committed by
recipients of Department funds under a program administered by the
Secretary in which students do not attend. In addition, the regulations
do not clearly authorize the Secretary to bring an enforcement action
against these recipients. Further, it would not be fair to hold an LEA
or institution of higher education (IHE) that originally disclosed the
PII to a State or local educational authority responsible for violation
of FERPA by the State or local educational authority because the LEA or
IHE generally would not have an effective means to prevent such an
improper redisclosure by a State or local educational authority.
Therefore, the Department proposes to add a new Sec. 99.60(a)(2)
that would clearly authorize the Department to hold State educational
authorities(e.g., SEAs and State postsecondary agencies), local
educational authorities, as well as other recipients of Department
funds under any program administered by the Secretary (e.g., nonprofit
organizations, student loan guaranty agencies, and student loan
lenders), accountable for compliance with FERPA. The Department
believes that this authority is especially important given the
disclosures of PII needed to implement SLDS.
Because the Department has generally not viewed these entities as
being ``educational agencies or institutions'' under FERPA and
consequently has not viewed most FERPA provisions as applying to them
(e.g., the requirement in Sec. 99.7 to annually notify parents and
eligible students of their rights under FERPA, and the requirement in
Sec. 99.37 to give public notice to parents and eligible students
about directory information, if it has a policy of disclosing directory
information), we anticipate that most FERPA compliance issues involving
these entities will concern whether they have complied with FERPA's
redisclosure provision in Sec. 99.33.
We expect that we will face few issues concerning these entities'
compliance with the few additional FERPA provisions that may be
applicable to them. For example, the FERPA requirements, in addition to
those in Sec. 99.33, that may be applicable to entities that are not
``educational agencies or institutions'' under FERPA include, but are
not limited to, the right to inspect and review education records
maintained by an SEA or any of its components under Sec. 99.10(a)(2),
the requirement that organizations conducting studies under Sec.
99.31(a)(6) must not permit the personal identification of parents and
students by anyone other than representatives of that organization with
legitimate interests in the information and must destroy or return
personally identifiable information from education records when the
information is no longer needed for the purposes for which the study
was conducted, and the requirement in Sec. 99.35(b)(2) that personally
identifiable information from education records that is collected by a
State or local educational authority or agency headed by an official
listed in Sec. 99.31(a)(3) in connection with an audit or evaluation
of Federal or State supported education programs, or to enforce Federal
legal requirements related to Federal or State supported education
programs, must be destroyed when no longer needed for these purposes.
Executive Order 12866
Under Executive Order 12866, the Secretary must determine whether
this regulatory action is ``significant'' and therefore subject to the
requirements of the Executive Order and subject to review by the Office
of Management and Budget (OMB). Section 3(f) of Executive Order 12866
defines a ``significant regulatory action'' as an action likely to
result in a rule that may: (1) Have an annual effect on the economy of
$100 million or more, or adversely affect a sector of the economy,
productivity, competition, jobs, the environment, public health or
safety, or State, local or Tribal governments or communities in a
material way (also referred to as an ``economically significant''
rule); (2) create serious inconsistency or otherwise interfere with an
action taken or planned by another agency; (3) materially alter the
budgetary impacts of entitlement grants, user fees, or loan programs or
the rights and obligations of recipients thereof; or (4) raise novel
legal or policy issues arising out of legal mandates, the President's
priorities, or the principles set forth in the Executive Order. The
Secretary has determined that this regulatory action is significant
under section 3(f) of the Executive order.
In accordance with Executive Order 12866, the Secretary has
assessed potential costs and benefits of this regulatory action and
determined that the benefits justify the costs.
Need for Federal Regulatory Action
These proposed regulations are needed to ensure that the
Department's implementation of FERPA continues to protect the privacy
of student education records, while allowing for the effective use of
data in education records, particularly data in statewide longitudinal
data systems.
Summary of Costs and Benefits
Following is an analysis of the costs and benefits of the proposed
changes to the FERPA regulations, which would make changes to
facilitate the disclosure, without written consent, of education
records, particularly data in
[[Page 19734]]
statewide longitudinal data systems, for the purposes of evaluating
education programs and ensuring compliance with Federal and State
requirements. In conducting this analysis, the Department examined the
extent to which the proposed changes would add to or reduce the costs
of educational agencies, other agencies, and institutions in complying
with the FERPA regulations prior to these changes, and the extent to
which the proposed changes are likely to provide educational benefit.
Allowing data-sharing across agencies, because it increases the number
of individuals who have access to personally identifiable information,
may increase the risk of unauthorized disclosure. However, we do not
believe that the staff in the additional agencies who will have access
to the data are any more likely to violate FERPA than existing users,
and the strengthened accountability and enforcement mechanisms will
help to ensure better compliance overall. While there will be
administrative costs associated with implementing data-sharing
protocols, we believe that the relatively minimal administrative costs
of establishing data-sharing protocols would be off-set by potential
analytic benefits. Based on this analysis, the Secretary has concluded
that the proposed modifications would result in savings to entities and
have the potential to benefit the Nation by improving capacity to
conduct analyses that will provide information needed to improve
education.
Authorized Representative
The proposed regulations would amend Sec. 99.3 by adding a
definition of the term authorized representative that would include any
individual or entity designated by an educational authority or certain
other officials to carry out audits, evaluations, or enforcement or
compliance activities relating to education programs. Under the current
regulations, educational authorities may provide to authorized
representatives PII for the purposes of conducting audits, evaluations,
or enforcement and compliance activities relating to Federal and State
supported education programs. The term ``authorized representative'' is
not defined, but the Department's position has been that educational
authorities may only disclose education records to entities over which
they have direct control, such as an employee or a contractor of the
authority. Therefore, SEAs have not been able to disclose PII to other
State agencies, even for the purpose of evaluating education programs
under the purview of the SEAs. For example, an SEA or LEA could not
disclose PII to a State employment agency for the purpose of obtaining
data on post-school outcomes such as employment for its former
students. Thus, if an SEA or LEA wanted to match education records with
State employment records for purposes of evaluating its secondary
education programs, it would have to import the entire workforce
database and do the match itself (or contract with a third party to do
the same analysis). Similarly, if a State workforce agency wanted to
use PII maintained by the SEA in its longitudinal educational data
system, in combination with data it had on employment outcomes, to
evaluate secondary vocational education programs, it would not be able
to obtain the SEA's educational data in order to conduct the analyses.
It would have to provide the workforce data to the SEA to conduct the
analyses or to a third party (e.g., an entity under the direct control
of the SEA) to construct the needed longitudinal administrative data
systems. While feasible, these strategies force agencies to outsource
their analyses to other agencies or entities, adding administrative
cost, burden, and complexity. Moreover, preventing agencies from using
data directly for conducting their own analytical work increases the
likelihood that the work will not meet their expectations or get done
at all. Finally, the current interpretation of the regulations exposes
greater amounts of PII to risk of disclosure as a result of greater
quantities of PII moving across organizations (e.g., the entire
workforce database) than would be the case with a more targeted data
request (e.g., graduates from a given year who appear in the workforce
database). The proposed regulatory changes would permit educational
agencies (and other entities listed in Sec. 99.31(a)(3)) to non-
consensually disclose PII to other State agencies or to house data in a
common State data system, such as a data warehouse administered by a
central State authority for the purposes of conducting audits or
evaluations of Federal or State supported education programs, or for
enforcement of and compliance with Federal legal requirements relating
to Federal and State supported education programs (consistent with
FERPA and other Federal and State confidentiality and privacy
provisions).
The Department also proposes to amend Sec. 99.35 to require that
written agreements require PII to be used only to carry out an audit or
an evaluation of Federal or State supported education program or for an
enforcement or compliance activity in connection with Federal legal
requirements that relate to those programs and protect PII from
unauthorized disclosure. The cost of entering into such agreements
should be minimal in relation to the benefits of being able to share
data.
Education Program
The proposed regulations would amend Sec. 99.3 by providing a
definition of the term education program to clarify that an education
program can include a program administered by a non-educational agency,
e.g., an early childhood program administered by a human services
agency or a career or technical training program administered by a
workforce or labor agency. This proposed change, in combination with
the proposed definition of the term authorized representative, would
allow non-educational agencies to have easier access to PII in student
education records that they could use to evaluate the education
programs they administer. For example, this proposed change would
permit nonconsensual disclosures of PII in elementary and secondary
school education records to a non-educational agency that is
administering an early childhood education program in order to evaluate
the impact of its early childhood education program on its students'
long-term educational outcomes. The potential benefits of this proposed
change are substantial, including the benefits of non-educational
agencies that are administering ``education programs'' being able to
conduct their own analyses without incurring the prohibitive costs of
obtaining consent for access to individual student records.
Research Studies
Section (b)(1)(F) of FERPA permits educational agencies and
institutions non-consensually to disclose PII to organizations
conducting research studies for, or on behalf of, educational agencies
or institutions that provided the PII, for statutorily-specified
purposes. The proposed amendment to Sec. 99.31(a)(6) would permit any
of the authorities listed in Sec. 99.31(a)(3), including SEAs, to
enter into written agreements that provide for the disclosure of PII to
research organizations for studies that would benefit the educational
agencies or institutions that provided the PII to the SEA or other
educational authorities, whether or not the educational authority has
explicit authority to act on behalf of those agencies or institutions.
The preamble to the final FERPA regulations published in the Federal
Register on
[[Page 19735]]
December 9, 2008 (73 FR 74806, 74826) took the position that an SEA,
for example, cannot re-disclose PII obtained from LEAs to a research
organization unless the SEA had separate legal authority to act on an
LEA's (or other educational institution's) behalf. Because, in
practice, this authority may not be explicit in all States, we propose
to amend Sec. 99.31 to specifically allow State educational
authorities to enter into agreements with research organizations for
studies that are for enumerated purposes under FERPA, such as studies
to improve instruction (see proposed Sec. 99.31(a)(6)(ii)). The
Department believes that this change will have benefits for education
because it would reduce the administrative costs of, and reduce the
barriers to, using student data, including data in SLDS, in order to
conduct studies to improve education programs.
Authority to Evaluate
Under current Sec. 99.35(a)(2), the authority for an SEA or LEA to
conduct an audit, evaluation, or compliance or enforcement activity is
not conferred by FERPA, but ``must be established under other Federal,
State, or local authority.'' Lack of such explicit State or local
authority has hindered the use of data in some States. The proposed
amendments would remove the discussion of legal authority in order to
clarify that FERPA and its implementing regulations do not require that
a State or local educational authority have express legal authority to
conduct audits, evaluations, or compliance or enforcement activities,
but instead may obtain PII when they have implied authority to conduct
evaluation, audit, and compliance activities of their own programs.
This proposed change also would allow an SEA to receive PII from
postsecondary institutions as needed to evaluate its own programs and
determine whether its schools are adequately preparing students for
higher education. The preamble to the final FERPA regulations published
in the Federal Register on December 9, 2008 (73 FR 74806, 74822)
suggested that PII in the records of postsecondary institutions could
only be disclosed to an SEA if the SEA has legal authority to evaluate
postsecondary institutions. This interpretation restricts SEAs from
conducting analyses to determine how effectively they are preparing
students for higher education and from identifying effective programs,
and thus has hindered efforts to improve education. The primary benefit
of this proposed change is that it would allow SEAs to conduct analyses
(consistent with FERPA and other Federal and State confidentiality and
privacy provisions) that they previously were unable to undertake,
without incurring the prohibitive costs of obtaining consent from
students or parents in order to obtain, without prior, written consent,
PII for the purpose of program evaluations.
Educational Agency or Institution
Sections (f) and (g) of FERPA authorize the Secretary to take
appropriate actions to enforce and deal with FERPA violations, but
subpart E of the FERPA regulations only addresses alleged violations of
FERPA by an ``educational agency or institution.'' Because the
Department has not interpreted that term to include agencies or
institutions that students do not attend, the current FERPA regulations
do not specifically permit the Secretary to bring an enforcement action
against an SEA or other State or local educational authority that does
not meet the definition of an ``educational agency or institution''
under FERPA. Thus, for example, if an SEA improperly redisclosed PII
obtained from its LEAs, the Department would pursue enforcement actions
against each of the LEAs, and not the SEA. Proposed Sec. 99.60(a)(2),
which would define an ``educational agency or institution'' to include
any State or local educational authority or other recipient that has
received Department of Education funds, would allow the Department to
pursue enforcement against a State agency or other recipient of
Department funds that had allegedly disclosed the PII, rather than
against the agency or institution that had provided the PII to the
State agency or other recipient of Department funds.
This change would result in some administrative savings and improve
the efficiency of the enforcement process. Under the current
regulations, if, for example, an SEA with 500 LEAs improperly
redisclosed PII from its SLDS to an unauthorized party, the Department
would need to investigate each of the 500 LEAs, which are unlikely to
have knowledge relating to the disclosure. Under the proposed change,
the LEAs would be relieved of any administrative costs associated with
responding to the Department's request for information about the
disclosure and the Department could immediately direct the focus of its
investigation on the SEA, the agency most likely to have information on
and bear responsibility for the disclosure of PII, without having to
waste time and resources contacting the LEAs.
We welcome public input and data to further inform and allow us to
quantify the costs and benefits of these proposed changes. We
particularly welcome information on the costs encountered by State
agencies using education data maintained by SEAs and the impediments to
using postsecondary education data.
2. Clarity of the Regulations
Executive Order 12866 and the Presidential memorandum on ``Plain
Language in Government Writing'' require each agency to write
regulations that are easy to understand.
The Secretary invites comments on how to make these proposed
regulations easier to understand, including answers to questions such
as the following:
Are the requirements in the proposed regulations clearly
stated?
Do the proposed regulations contain technical terms or
other wording that interferes with their clarity?
Does the format of the proposed regulations (grouping and
order of sections, use of headings, paragraphing, etc.) aid or reduce
their clarity?
Would the proposed regulations be easier to understand if
we divided them into more (but shorter) sections? (A ``section'' is
preceded by the symbol ``Sec. '' and a numbered heading; for example,
Sec. 99.35.)
Could the description of the proposed regulations in the
Supplementary Information section of this preamble be more helpful in
making the proposed regulations easier to understand? If so, how?
What else could we do to make the proposed regulations
easier to understand?
To send any comments that concern how the Department could make
these proposed regulations easier to understand, see the instructions
in the ADDRESSES section of this preamble.
Regulatory Flexibility Act Certification
The Secretary certifies that this regulatory action will not have a
significant economic impact on a substantial number of small entities.
The small entities that this final regulatory action will affect
are small LEAs. The Secretary believes that the costs imposed on
applicants by these regulations would be limited to paperwork burden
related to requirements concerning data-sharing agreements and that the
benefits from ensuring that data from education records are collected,
stored, and shared appropriately outweigh any costs incurred by
applicants.
The U.S. Small Business Administration Size Standards define as
[[Page 19736]]
``small entities'' for-profit or nonprofit institutions with total
annual revenue below $7,000,000 or, if they are institutions controlled
by small governmental jurisdictions (that are comprised of cities,
counties, towns, townships, villages, school districts, or special
districts), with a population of less than 50,000.
According to estimates from the U.S. Census Bureau's Small Area
Income and Poverty Estimates programs that were based on school
district boundaries for the 2007-8 school year, there are 12,484 LEAs
in the country that include fewer than 50,000 individuals within their
boundaries and for which there is estimated to be at least one school-
age child. In its 1997 publication, Characteristics of Small and Rural
School Districts, the National Center for Education Statistics defined
a small school district as ``one having fewer students in membership
than the sum of (a) 25 students per grade in the elementary grades it
offers (usually K-8) and (b) 100 students per grade in the secondary
grades it offers (usually 9-12).'' Using this definition, a district
would be considered small if it had fewer than 625 students in
membership. The Secretary believes that the 4,800 very small LEAs that
meet this second definition are highly unlikely to enter into data-
sharing agreements directly with outside entities.
The Department does not have reliable data with which to estimate
how many of the remaining 7,684 small LEAs would enter into data-
sharing agreements. For small LEAs that enter into data-sharing
agreements, we estimate that they would spend approximately 4 hours
executing each agreement, using a standard data-sharing protocol. Thus,
we assume the impact on the entities would be minimal. However, we
invite comment from entities familiar with data-sharing in small
districts on the number of entities likely to enter into agreements
each year, the number of such agreements, and number of hours required
to execute each agreement.
Federalism
Executive Order 13132 requires us to ensure meaningful and timely
input by State and local elected officials in the development of
regulatory policies that have federalism implications.
``Federalism implications'' means substantial direct effects on the
States, on the relationship between the national government and the
States, or on the distribution of power and responsibilities among the
various levels of government. The proposed regulations in Sec. Sec.
99.3, 99.31(a)(6), and 99.35 may have federalism implications, as
defined in Executive Order 13132, in that they will have some effect on
the States and the operation of educational agencies and institutions
subject to FERPA. We encourage State and local elected officials to
review and provide comments on these proposed regulations. To
facilitate review and comment by appropriate State and local officials,
the Department will, aside from publication in the Federal Register,
post the NPRM to the FPCO Web site and to the Privacy Technical
Assistance Center (PTAC) Web site and make a specific e-mail posting
via a special listserv that is sent to each State department of
education superintendent and higher education commission director.
Paperwork Reduction Act of 1995
Proposed Sec. Sec. 99.31(a)(6)(ii) and 99.35(a)(3) contain
information collection requirements. Under the Paperwork Reduction Act
of 1995 (44 U.S.C. 3507(d)), the Department of Education has submitted
a copy of these sections to the Office of Management and Budget (OMB)
for its review. (OMB Control Number 1875-0246.)
The proposed regulations modify the information collection
requirements in Sec. 99.31(a)(6)(ii) and Sec. 99.32(b)(2); however,
the Department does not believe the proposed changes add any new burden
to State or local educational authorities. Burdens associated with
Sec. Sec. 99.31(a)(6)(ii) and 99.32(b)(2) were approved under OMB
Control Number 1875-0246 when the December 9, 2008 regulations were
published. The proposed change that would clarify that nothing in FERPA
prevents a State or local educational authority or Federal agencies and
officials listed in Sec. 99.31(a)(3) from entering into written
agreements with organizations conducting studies, for or on behalf of
educational agencies and institutions does not constitute a change or
an increase in burden. This is because the provision would permit an
organization conducting a study to enter into one written agreement
with a State or local educational authority or Federal agency or
official listed in Sec. 99.31(a)(3), rather than making the
organization enter into many more written agreements with each school
district or school that provided the data to the State or local
educational authority or Federal agency or official listed in Sec.
99.31(a)(3). The addition of the definition of the term authorized
representative, which would permit a State or local educational
authority, the Secretary, the Comptroller General of the United States,
or the Attorney General of the United States to designate any entity or
individual to conduct--with respect to Federal or State supported
education programs--any audit, evaluation, or compliance or enforcement
activity in connection with Federal legal requirements that related to
those programs also does not constitute a change or an increase in
burden because these entities are already required to record
disclosures, pursuant to Sec. 99.32(b)(2).
Section 99.35(a)(3) would be a new requirement that requires the
agency headed by an official listed in Sec. 99.31(a)(3) to use a
written agreement to designate any authorized representative other than
an agency employee. Under the proposed regulations, the agreement would
need to: (1) Designate the individual or entity as an authorized
representative; (2) specify the information to be disclosed and the
purpose for which the information is disclosed to the authorized
representative (i.e., to carry out an audit or evaluation of Federal or
State supported education programs, or for the enforcement of or
compliance with Federal legal requirements that relate to those
programs); (3) require the authorized representative to destroy or
return to the State or local educational authority or agency headed by
an official listed in Sec. 99.31(a)(3) personally identifiable
information from education records when the information is no longer
needed for the purpose specified; (4) specify the time period in which
the information must be returned or destroyed; and (5) establish
policies and procedures consistent with FERPA and other Federal and
State privacy and confidentiality provisions to protect personally
identifiable information from education records from further disclosure
(except back to the disclosing entity) and unauthorized use, included
limiting use of information by only those authorized representatives of
the entity with legitimate interested. The burden for States under this
provision is estimated at 40 hours annually for each educational
authority (one for K-12 and one for postsecondary).
If you want to comment on the proposed information collection
requirements in these proposed regulations, please send your comments
to the Office of Information and Regulatory Affairs, OMB, Attention:
Desk Officer for the U.S. Department of Education. Send these comments
by e-mail to [email protected] or by fax to (202) 395-6974.
Commenters need only submit comments via one submission medium. You may
also send a copy of these comments to the Department contact
[[Page 19737]]
named in the ADDRESSES section of this preamble.
We consider your comments on these proposed collections of
information in--
Deciding whether the proposed collections are necessary
for the proper performance of our functions, including whether the
information will have practical use;
Evaluating the accuracy of our estimate of the burden of
the proposed collections, including the validity of our methodology and
assumptions;
Enhancing the quality, usefulness, and clarity of the
information we collect; and
Minimizing the burden on those who must respond. This
includes exploring the use of appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology; e.g., permitting electronic submission of
responses.
OMB is required to make a decision concerning the collection of
information contained in these proposed regulations between 30 and 60
days after publication of this document in the Federal Register.
Therefore, to ensure that OMB gives your comments full consideration,
it is important that OMB receives the comments within 30 days of
publication. This does not affect the deadline for your comments to us
on the proposed regulations.
Intergovernmental Review
This program is not subject to Executive Order 12372 and the
regulations in 34 CFR part 79.
Assessment of Educational Impact
In accordance with section 411 of the General Education Provisions
Act, 20 U.S.C. 1221e-4, the Secretary particularly requests comments on
whether these proposed regulations would require transmission of
information that any other agency or authority of the United States
gathers or makes available.
Electronic Access to This Document
You may view this document, as well as all other Department of
Education documents published in the Federal Register, in text or Adobe
Portable Document Format (PDF) on the Internet at the following site:
http://www.ed.gov/news/fedregister.
To use PDF, you must have Adobe Acrobat Reader, which is available
free at this site.
Note: The official version of this document is the document
published in the Federal Register. Free Internet access to the
official edition of the Federal Register and the Code of Federal
Regulations is available via the Federal Digital System at http://www.gpo.gov/fdsys.
(Category of Federal Domestic Assistance Number does not apply.)
List of Subjects in 34 CFR Part 99
Administrative practice and procedure, Education records, Education
research, Information, Personally identifiable information, Privacy,
Records, Statewide longitudinal data systems.
Dated: April 1, 2011.
Arne Duncan,
Secretary of Education.
For the reasons discussed in the preamble, the Secretary proposes
to amend part 99 of title 34 of the Code of Federal Regulations as
follows:
PART 99--FAMILY EDUCATIONAL RIGHTS AND PRIVACY
1. The authority citation for part 99 continues to read as follows:
Authority: 20 U.S.C. 1232g, unless otherwise noted.
2. Section 99.3 is amended by:
A. Adding, in alphabetical order, definitions for ``authorized
representative'' and ``education program''.
B. Revising the definition of ``directory information''.
The additions and revision read as follows:
Sec. 99.3 What definitions apply to these regulations?
* * * * *
Authorized representative means any entity or individual designated
by a State or local educational authority or an agency headed by an
official listed in Sec. 99.31(a)(3) to conduct--with respect to
Federal or State supported education programs--any audit, evaluation,
or compliance or enforcement activity in connection with Federal legal
requirements that relate to those programs.
(Authority: 20 U.S.C. 1232g(b)(1)(C), (3), and (5))
* * * * *
Directory information means information contained in an education
record of a student that would not generally be considered harmful or
an invasion of privacy if disclosed.
(a) Directory information includes, but is not limited to, the
student's name; address; telephone listing; electronic mail address;
photograph; date and place of birth; major field of study; grade level;
enrollment status (e.g., undergraduate or graduate, full-time or part-
time); dates of attendance; participation in officially recognized
activities and sports; weight and height of members of athletic teams;
degrees, honors, and awards received; and the most recent educational
agency or institution attended.
(b) Directory information does not include a student's--
(1) Social security number; or
(2) Student identification (ID) number, except as provided in
paragraph (c) of this section.
(c) Directory information includes--
(1) A student ID number, user ID, or other unique personal
identifier used by a student for purposes of accessing or communicating
in electronic systems, but only if the identifier cannot be used to
gain access to education records except when used in conjunction with
one or more factors that authenticate the user's identity, such as a
personal identification number (PIN), password or other factor known or
possessed only by the authorized user; and
(2) A student ID number or other unique personal identifier that is
displayed on a student ID badge, but only if the identifier cannot be
used to gain access to education records except when used in
conjunction with one or more factors that authenticate the user's
identity, such as a PIN, password, or other factor known or possessed
only by the authorized user.
(Authority: 20 U.S.C. 1232g(a)(5)(A))
* * * * *
Education program means any program that is principally engaged in
the provision of education, including, but not limited to, early
childhood education, elementary and secondary education, postsecondary
education, special education, job training, career and technical
education, and adult education.
(Authority: 20 U.S.C. 1232g(b)(3), (5))
* * * * *
3. Section 99.31 is amended by:
A. Redesignating paragraphs (a)(6)(ii) through (v) as paragraphs
(a)(6)(iii) through (vi), respectively.
B. Adding a new paragraph (a)(6)(ii).
C. Revising the introductory text of newly redesignated paragraph
(a)(6)(iii).
D. Revising the introductory text of newly redesignated paragraph
(a)(6)(iii)(C).
E. Revising newly redesignated paragraph (a)(6)(iii)(C)(4).
F. Revising newly redesignated paragraph (a)(6)(iv).
G. Revising newly redesignated paragraph (a)(6)(v).
The addition and revisions read as follows:
[[Page 19738]]
Sec. 99.31 Under what conditions is prior consent not required to
disclose information?
(a) * * *
(6) * * *
(ii) Nothing in the Act or this part prevents a State or local
educational authority or agency headed by an official listed in
paragraph (a)(3) of this section from entering into agreements with
organizations conducting studies under paragraph (a)(6)(i) of this
section and redisclosing personally identifiable information from
education records on behalf of educational agencies and institutions
that disclosed the information to the State or local educational
authority or agency headed by an official listed in paragraph (a)(3) of
this section in accordance with the requirements of Sec. 99.33(b).
(iii) An educational agency or institution may disclose personally
identifiable information under paragraph (a)(6)(i) of this section, and
a State or local educational authority or agency headed by an official
listed in paragraph (a)(3) of this section may redisclose personally
identifiable information under paragraph (a)(6)(i) and (a)(6)(ii) of
this section, only if--
* * * * *
(C) The educational agency or institution or the State or local
educational authority or agency headed by an official listed in
paragraph (a)(3) of this section enters into a written agreement with
the organization that--
* * * * *
(4) Requires the organization to destroy or return to the
educational agency or institution or the State or local educational
authority or agency headed by an official listed in paragraph (a)(3) of
this section all personally identifiable information when the
information is no longer needed for the purposes for which the study
was conducted and specifies the time period in which the information
must be returned or destroyed.
(iv) An educational agency or institution or State or local
educational authority or agency headed by an official listed in
paragraph (a)(3) of this section is not required to initiate a study or
agree with or endorse the conclusions or results of the study.
(v) If the Family Policy Compliance Office determines that a third
party, outside the educational agency or institution, or the State or
local educational authority or agency headed by an official listed in
paragraph (a)(3) of this section to which personally identifiable
information is disclosed under paragraph (a)(6) of this section,
violates paragraph (a)(6)(iii)(B) of this section, then the educational
agency or institution, or the State or local educational authority or
agency listed in paragraph (a)(3) of this section from which the
personally identifiable information originated may not allow the third
party responsible for the violation of paragraph (a)(6)(iii)(B) of this
section access to personally identifiable information from education
records for at least five years.
* * * * *
4. Section 99.35 is amended by:
A. Revising paragraph (a)(2).
B. Adding a new paragraph (a)(3).
C. Revising paragraph (b).
D. Adding a new paragraph (d).
E. Revising the authority citation at the end of the section.
The additions and revisions read as follows:
Sec. 99.35 What conditions apply to disclosure of information for
Federal or State program purposes?
(a) * * *
(2) The State or local educational authority or agency headed by an
official listed in Sec. 99.31(a)(3) is responsible for using
reasonable methods to ensure that any entity or individual designated
as its authorized representative--
(i) Uses personally identifiable information from education records
only to carry out an audit, evaluation, or an activity for the purpose
of enforcement of, or ensuring compliance with, Federal legal
requirements related to Federal or State supported education programs;
(ii) Protects the personally identifiable information from further
disclosures or other uses, except as authorized in paragraph (b)(1) of
this section; and
(iii) Destroys the personally identifiable information in
accordance with the requirements of paragraphs (b) and (c) of this
section.
(3) The State or local educational authority or agency headed by an
official listed in Sec. 99.31(a)(3) must use a written agreement to
designate any authorized representative, other than an employee. The
written agreement must--
(i) Designate the individual or entity as an authorized
representative;
(ii) Specify the information to be disclosed and that the purpose
for which the information is disclosed to the authorized representative
is to carry out an audit or evaluation of Federal or State supported
education programs, or to enforce or to comply with Federal legal
requirements that relate to those programs;
(iii) Require the authorized representative to destroy or return to
the State or local educational authority or agency headed by an
official listed in Sec. 99.31(a)(3) personally identifiable
information from education records when the information is no longer
needed for the purpose specified;
(iv) Specify the time period in which the information must be
returned or destroyed; and
(v) Establish policies and procedures, consistent with FERPA and
other Federal and State confidentiality and privacy provisions, to
protect personally identifiable information from education records from
further disclosure (except back to the disclosing entity) and
unauthorized use, including limiting use of personally identifiable
information to only authorized representatives with legitimate
interests.
(b) Information that is collected under paragraph (a) of this
section must--
(1) Be protected in a manner that does not permit personal
identification of individuals by anyone other than the authorities or
agencies headed by officials referred to in paragraph (a) of this
section and their authorized representatives, except that those
authorities and agencies may make further disclosures of personally
identifiable information from education records on behalf of the
educational agency or institution in accordance with the requirements
of Sec. 99.33(b); and
(2) Be destroyed when no longer needed for the purposes listed in
paragraph (a) of this section.
* * * * *
(d) If the Family Policy Compliance Office finds that a State or
local educational authority, an agency headed by an official listed in
Sec. 99.31(a)(3), or an authorized representative of a State or local
educational authority or an agency headed by an official listed in
Sec. 99.31(a)(3), improperly rediscloses personally identifiable
information from education records, the educational agency or
institution from which the personally identifiable information
originated may not allow the authorized representative, or the State or
local educational authority or the agency headed by an official listed
in Sec. 99.31(a)(3), or both, access to personally identifiable
information from education records for at least five years.
(Authority: 20 U.S.C. 1232g(b)(1)(C), (3), and (5))
5. Section 99.37 is amended by:
A. Revising paragraph (c).
B. Redesignating paragraph (d) as paragraph (e) and adding a new
paragraph (d).
The additions and revisions read as follows:
[[Page 19739]]
Sec. 99.37 What conditions apply to disclosing directory information?
* * * * *
(c) A parent or eligible student may not use the right under
paragraph (a)(2) of this section to opt out of directory information
disclosures to--
(1) Prevent an educational agency or institution from disclosing or
requiring a student to disclose the student's name, identifier, or
institutional e-mail address in a class in which the student is
enrolled; or
(2) Prevent an educational agency or institution from requiring a
student to wear, to display publicly, or to disclose a student ID card
or badge that exhibits information that may be designated as directory
information under Sec. 99.3 and that has been properly designated by
the educational agency or institution as directory information in the
public notice provided under paragraph (a)(1) of this section.
(d) In its public notice to parents and eligible students in
attendance at the agency or institution that is described in paragraph
(a) of this section, an educational agency or institution may specify
that disclosure of directory information will be limited to specific
parties, for specific purposes, or both. When an educational agency or
institution specifies that disclosure of directory information will be
limited to specific parties, for specific purposes, or both, the
educational agency or institution must limit its directory information
disclosures to those specified in its public notice that is described
in paragraph (a) of this section.
* * * * *
6. Section 99.60 is amended by redesignating paragraph (a) as
paragraph (a)(1) and adding a new paragraph (a)(2) to read as follows:
Sec. 99.60 What functions has the Secretary delegated to the Office
and to the Office of Administrative Law Judges?
(a) * * *
(2) Solely for the purposes of this subpart, an ``educational
agency or institution'' includes any public or private agency or
institution to which this part applies under Sec. 99.1(a)(2), as well
as any State or local educational authority or any other recipient to
which funds have been made available under any program administered by
the Secretary, including funds provided by grant, cooperative
agreement, contract, subgrant, or subcontract.
* * * * *
[FR Doc. 2011-8205 Filed 4-7-11; 8:45 am]
BILLING CODE 4000-01-P