December 17, 2008
This letter is to inform you that the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) final regulations were published in the Federal Register on December 9, 2008. As you know, the U.S. Department of Education (Department) issued a notice of proposed rulemaking (NPRM) announcing proposed changes in the Federal Register on March 24, 2008, to help educational agencies and institutions better understand and administer FERPA, and to make important changes to improve school safety, access to education data for research and accountability, and the safeguarding of education records, among other areas. The final regulations include changes and clarifications as a result of public comments on the NPRM from over 100 individuals and organizations. We believe the final regulations represent an appropriate balance between preserving students' privacy, promoting their safety, and facilitating research and accountability that will help ensure that students receive a quality education.
A brief summary of the final regulations is presented below along with information on where to access the regulations. For your convenience, we have enclosed a document that describes the final regulations in more detail.
Health or Safety Emergencies
As Secretary Spellings has noted, "Nothing is more important to Americans than the safety of their children. FERPA is not intended to be an obstacle in achieving that goal." Although FERPA does not permit disclosures of personally identifiable information on a routine, non-emergency basis, the final regulations afford greater flexibility and deference to administrators so that they can bring appropriate resources to bear when there is a threat to the health or safety of students. Section 99.36 in the final regulations makes clear that educational agencies and institutions may disclose information from education records to appropriate parties, including parents, whose knowledge of the information is necessary to protect the health or safety of a student or another individual if there is a significant and articulable threat to the health or safety of a student or other individual, considering the totality of the circumstances. The final regulations add a requirement that the educational agency or institution record in the student's education records the basis for its decision that a health or safety emergency existed. If, considering the information available at the time of the determination, there is a rational basis for the determination, the Department will not substitute its judgment for that of the educational agency or institution in evaluating the circumstances and making the determination. We believe these changes appropriately balance the interests of safety and privacy.
Disclosures to Parents
The Secretary remains concerned that some educational agencies and institutions are under the mistaken impression that FERPA prevents them from providing parents with information about most "eligible students" (students who are at least 18 years of age or attending a postsecondary institution). The final regulations clarify that even after the rights under FERPA have transferred from parents to an eligible student, an educational agency or institution may generally disclose education records to the student's parents without consent under several existing provisions of FERPA. For example, the final regulations clarify that under §§ 99.5 and 99.36 an educational agency or institution may disclose information to an eligible student's parents in a health or safety emergency, regardless of whether the student is a dependent for Federal income tax purposes, and may disclose information to parents under any circumstances if the eligible student is a dependent for Federal income tax purposes.
Better Access to Education Data for Research and Accountability
The final regulations contain important modifications to FERPA's prohibition on redisclosure of education records by State and local educational authorities, including State educational agencies (SEAs). Under the final regulations, State and local educational authorities, as well as the Secretary and other Federal officials and agencies that are listed in § 99.31(a)(3), may redisclose personally identifiable information on behalf of educational agencies and institutions under certain conditions discussed below.
State Consolidated Education Data Systems
As you know, the Department has been working closely with SEAs to establish or upgrade State data systems in order to manage information generated by assessments, and use the data to improve student academic achievement and close achievement gaps. Changes to § 99.35(b) make it possible for SEAs and other State educational authorities to implement K-16 accountability systems by redisclosing personally identifiable student information on behalf of LEAs and postsecondary institutions provided they have legal authority to audit or evaluate one another's education programs.
Transfer of Education Records
Schools are permitted to disclose a student's education records to officials of another school, school system, or institution of postsecondary education where the student seeks or intends to enroll. The final regulations permit SEAs and other State educational authorities to facilitate this transfer of students' education records by allowing them to redisclose information on behalf of school districts and institutions in the State as part of their consolidated education data system. We believe that these changes will help school districts and institutions obtain access to a new student's education records, including the student's scores on State assessments, in a more timely manner.
Release of Data
While FERPA is a privacy statute and not a research statute, it should not be a barrier to conducting useful and valid educational research that uses de-identified student data. Educational agencies and institutions are permitted to release, without consent, education records, or information from education records that have been de-identified through the removal of all personally identifiable information. The final regulations amend the definition of "personally identifiable information" and offer guidance to educational agencies and institutions and State educational authorities on determining how to de-identify information. The final regulations also identify factors that should be considered before releasing this information. For instance, the regulations require educational agencies and institutions and other parties that release de-identified education records to take into account information that is linked or linkable to a specific student as well as other reasonably available information about a student, so that the cumulative effect of multiple disclosures of student data does not allow a reasonable person in the school community to identify the student with reasonable certainty. We believe that the guidance will preserve students' privacy while also facilitating educational research and accountability.
Additionally, under FERPA, State educational authorities, such as SEAs and higher education commissions, may disclose education records in personally identifiable form, without consent, to contractors, consultants, and other parties to whom they have outsourced organizational services or functions, including evaluation of Federal or State supported education programs under § 99.35, provided that the State educational authority has direct control over that outside party. Under this provision of FERPA and the conditions explained in a January 30, 2003, memorandum from the Department (http://www.ed.gov/policy/gen/guid/fpco/pdf/ht031103.pdf [PDF, 12K]), a State educational authority may utilize the services of an outside researcher to evaluate education programs and provide that contractor with access to personally identifiable information from education records, including statistical information with unmodified small data cells. However, in order to be considered an "authorized representative" of the State educational authority under § 99.31(a) (3), an educational researcher or other outside party must be under the direct control of the State educational authority and subject to the same conditions on the use, redisclosure, and destruction of education records that apply to the State educational authority's own employees under § 99.35 and other applicable FERPA regulations. This means that the SEA or other State educational authority must ensure that its researchers and other authorized representatives use information disclosed to them as authorized representatives only for the purposes for which the information was disclosed to them and do not redisclose it to any other party in personally identifiable form.
Similarly, FERPA allows disclosures of personally identifiable information from education records without consent to school officials, including teachers, within an educational agency or institution – an LEA or its constituent schools – if the agency or institution has determined that the school officials have legitimate educational interests in the information. See 34 CFR § 99.31(a) (1). An LEA or school that discloses information under this exception must specify in its annual notification of FERPA rights the criteria it uses to determine who constitutes a school official and what constitutes legitimate educational interest. See 34 CFR § 99.7.
The final regulations clarify that the school officials' exception in FERPA may include contractors, consultants, and other outside parties to whom an educational agency or institution has outsourced institutional services or functions that it would otherwise use employees to perform, provided that the outside party is under the direct control of the agency or institution with respect to the use and maintenance of education records and subject to the same conditions governing the use and redisclosure of education records that apply to other school officials under § 99.33(a) of the regulations. The regulations also clarify that educational agencies and institutions are responsible for outside service providers' failures to comply with applicable FERPA requirements.
Safeguarding Privacy and Education Records
Definition of "Personally Identifiable Information"
The NPRM proposed to update the definition of "personally identifiable information" in § 99.3. The new definition adds "biometric record" to the list of personal identifiers that constitute personally identifiable information and adds other indirect identifiers, such as date and place of birth and mother's maiden name. In response to public comments on the NPRM, the final regulations also define "biometric record."
The final regulations remove from the definition a reference to "Other information that would make the student's identity easily traceable" because we believe the phrase is ambiguous. Instead, the definition of personally identifiable information in the final regulations includes "other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty." In addition, the updated definition prevents a school from disclosing information, even in redacted form, that is requested by a party if the school reasonably believes the party knows the identity of the student to whom the record relates. We believe these changes will make it easier for educational agencies and institutions to determine whether information is personally identifiable, and, consequently, whether it may be released without consent.
Section 99.32 requires an educational agency or institution to maintain with each student's education records a record of each request for access to and each disclosure of personally identifiable information from the student's records, including the names of the additional parties to which the receiving party may redisclose the information on behalf of the agency or institution. In response to public comments on the NPRM, the final regulations provide that State educational authorities and the specified Federal officials that may redisclose personally identifiable information from education records must record any further disclosures they make on behalf of the agency or institution if the agency or institution does not do so. The student's school district or institution remains responsible for obtaining the record of redisclosures from the State or Federal authority, as appropriate, and making it available upon the request of a parent or eligible student. We believe that this change will ease administrative burdens while preserving the rights of parents and students to obtain information about the disclosure of personally identifiable information from a student's education records.
Recommendations for Safeguarding Education Records
The preamble to the final regulations restates information and recommendations from the NPRM to help educational agencies and institutions meet the challenges of safeguarding education records, especially records contained in electronic data systems. The Secretary strongly encourages educational agencies and institutions to take these recommendations into consideration and utilize appropriate methods to protect education records.
Disclosures to State Auditors
In regard to proposed amendments clarifying that State auditors may have access to education records without consent in connection with an audit of Federal or State supported education programs, many commenters objected to the NPRM's narrow definition of "audit," which would have prevented State auditors from conducting "performance audits" addressed under State and Federal auditing standards. While we fully support States' efforts to improve program effectiveness and accountability, we are concerned that without the narrow definition of "audit," the broad proposed definition of "State auditor" would allow disclosures of education records in a manner not permitted by the statute. Expanding the definition of "audit," as commenters suggested, raised a number of important policy issues for which we did not have the benefit of public comment, and we therefore removed the relevant provisions from the final regulations.
You may download a copy of the final regulations at http://www.ed.gov/legislation/FedRegister/finrule/2008-4/120908a.pdf.
We hope that the final regulations will assist you as you continue to work towards our shared goals of ensuring that all students receive a quality education in a safe environment and with the knowledge that their privacy is protected.
Attachment (PDF, 12K)