Laws & Guidance GRANTS & CONTRACTS
Letter re: Applicability of FERPA to Virginia Sex Offender Registry Law Requiring Disclosure of Applicant Information by Postsecondary Institutions
Downloadable File MS Word (50 KB)

August 16, 2007

Mr. Jonathan D. Tarnow
Drinker, Biddle & Reath, LLP
1500 K Street, NW
Suite 1100
Washington, DC 20005-1209

Dear Mr. Tarnow:

This is in response to your February 16, 2007, letter in which you request guidance on the applicability of the Family Educational Rights and Privacy Act (FERPA) to the Commonwealth of Virginia's recently enacted sex offender reporting statute. This Office administers FERPA and provides technical assistance to educational agencies and institutions to ensure compliance with the statute and regulations, which are codified at 20 U.S.C. § 1232g and 34 CFR Part 99 respectively.


You explain that, in 2006, the Virginia General Assembly amended a number of provisions related to the State's Sex Offender and Crimes Against Minors Registry. You state:

One provision of the law, codified at Virginia Code Annotated § 23-2.2:1, requires both two-year and four-year institutions in Virginia to report to the Virginia State Police the following information for all applicants that are accepted for admission: (1) name; (2) social security number [SSN] or other identifying number; (3) date of birth; and (4) gender. This information is to be reported after acceptance for admission, but prior to the applicant becoming a "student in attendance." Specifically, according to guidelines jointly issued by the State Council on Higher Education for Virginia, the Virginia State Police, and the Virginia Community College System, institutions are to report this information within seven working days of granting an applicant acceptance or enrolling him or her in the institution. See Guidelines for Compliance with § 23-2.2:1. Reporting of enrollment information to Sex Offender and Crimes Against Minors Registry at 1 (hereinafter the "Guidelines"), attached.

Although the Virginia statute requires institutions to report information before applicants become students in attendance, the Guidelines anticipate that [it] may not be possible for some institutions with continuous enrollments. Hence, the Guidelines require reporting within seven business days of either granting acceptance or enrolling the student. See id. at 1, 5. The Guidelines also provide that "if an institution plans to transmit data after students are in attendance, it should consult with its legal counsel about designating data to be reported as 'directory information' under FERPA, by revising the institution's definition of directory information." Id. at 5.

This data is to be compared with information contained in the Virginia Criminal Information Network and the National Crime Information Center Convicted Sexual Offender Registry File.

You state that for your client, an institution of higher education in Virginia, and for other institutions that admit students on an on-going basis, "the Virginia statute and the interpretations provided in the Guidelines appear to create a significant dilemma." In this regard, you explain:

An institution that enrolls students on a continuing basis, such as our client, will always have new students beginning classes. In order to satisfy Virginia's reporting requirement, our client would thus have to provide the information required under the Virginia statute on a daily basis. Such a system is not operationally practical. Therefore, whenever our client reports the required data to Virginia, it will be reporting on some number of students that are already in attendance and will thus be implicating FERPA.

You also note that the Guidelines do not appear to recognize that FERPA does not require educational agencies and institutions to have a "directory information" policy, nor do the Guidelines account for the fact that FERPA permits students to "individually opt-out of an institution's directory information designations." Please note that we are providing guidance on the applicability of FERPA to these requirements. Concerns about the requirements imposing an administrative burden on institutions should be addressed to appropriate officials of the Commonwealth.

Applicable FERPA Provisions

Postsecondary institutions subject to FERPA may not have a policy or practice of permitting the disclosure of "education records, or personally identifiable information contained therein" without the written consent of eligible students. 20 U.S.C. § 1232g(b)(1) and (b)(2); 34 CFR § 99.30(a). (An "eligible student" is one who is at least 18 years of age or attends a postsecondary institution. See 34 CFR § 99.3.) Under FERPA, "education records" means those records that are:

  • Directly related to a student; and
  • Maintained by an educational agency or institution or by a party acting for the agency or institution.

34 CFR § 99.3 "Education records".

The term "personally identifiable information" is defined in the regulations as:

  • The student's name;
  • The name of the student's parent or other family member;
  • The address of the student or student's family;
  • A personal identifier, such as the student's social security number or student number;
  • A list of personal characteristics that would make the student's identity easily traceable; or
  • Other information that would make the student's identity easily traceable.

34 CFR § 99.3.

"Disclosure" means "to permit access to or the release, transfer, or other communication of personally identifiable information contained in education records to any party, by any means, including oral, written, or electronic means." See 34 CFR § 99.3.

One of the exceptions to FERPA's general consent requirement permits the disclosure of certain information that has been appropriately designated as "directory information" by the educational agency or institution, in accordance with § 99.37 of the regulations. FERPA defines directory information as information contained in an education record of a student which would not generally be considered harmful or an invasion of privacy if disclosed. Directory information could include information such as name, address, telephone listing, electronic mail address, date and place of birth, major field of study, dates of attendance, grade level, enrollment status, participation in officially recognized activities and sports, weight and height of members of athletic teams, degrees, honors and awards received, and the most recent educational agency or institution attended.

In contrast, SSNs, also listed as "personally identifiable information" under FERPA, are often used to obtain a variety of sensitive, non-public information about individuals, such as employment, credit, financial, health, motor vehicle, and educational information, that would be harmful or an invasion of privacy if disclosed. For these reasons, this Office has routinely advised that a student's SSN is the kind of personally identifiable information that may not be designated and disclosed as directory information. We have generally included "student ID numbers" in the same category because these numbers have historically been used much like SSNs, that is, as unique identifiers used by themselves to obtain access to non-directory information about a student, such as education records (or educational services). This Office has also historically advised that information such as race or gender may not be designated as "directory information" under FERPA.

A postsecondary institution may disclose directory information to third parties without consent if it has given public notice to students in attendance of the types of information which it has designated as "directory information," of the student's right to restrict the disclosure of such information, and of the period of time within which a student has to notify the school in writing that he or she does not want any or all of those types of information designated as "directory information." The means of notification could include publication in various sources, including in a newsletter, in a local newspaper, or in the student handbook. A school is not required to individually notify students regarding directory information.

It is important to understand the definition of "student" in this context of your questions. The term "student"

includes any person with respect to whom an educational agency or institution maintains education records or personally identifiable information, but does not include a person who has not been in attendance at such agency or institution.

20 U.S.C. § 1232g(a)(6). The FERPA regulations define the term "student" in this manner:

"Student," except as otherwise specifically provided in this part, means any individual who is or has been in attendance at an educational agency or institution and regarding whom the agency or institution maintains education records."

34 CFR § 99.3 ("Student"). Emphasis added.

Neither the statute nor the regulations offer guidance which would provide further clarification as to when a student would be considered "in attendance" for the purposes of FERPA. Historically, the Department has left it to each institution to determine when a student is considered to be "in attendance" at that particular institution. However, such a determination should be justified by some reasonable basis of fact, and the Department reserves the right ultimately to conclude whether, as a matter of Federal law, the facts on which the determination is based are relevant and reasonable and that such determination is applied consistently. Generally, a student should be considered "in attendance" no later than the first day of class.

Accordingly, applications of individuals who are not attending an educational agency or institution are generally not "education records" because the individuals are not "students" at the educational agency or institution. However, please note that an institution that receives information (such as a transcript) on an applicant from a high school or from another postsecondary institution is required to protect that information and may not redisclose the information except in accordance with § 99.33 of the FERPA regulations.


With regard to the Commonwealth of Virginia's recently enacted sex offender reporting statute, you specifically ask these two questions:

  1. Can the Virginia statute's reporting requirements be reconciled with the FERPA provisions (specifically 20 U.S.C. §§ 1232g(a)(5), (b)(1)) that permit but do not require institutions to designate student information as directory information for purposes of disclosure?
  2. Assuming that an institution chooses (or can be compelled by State statute) to designate certain items as directory information under FERPA, can the Virginia statute's reporting requirements be reconciled with 20 U.S.C. § 1232g(a)(5)(B), which allows students to opt-out of directory information disclosure?

While the implementation of a "directory information" policy under FERPA (20 U.S.C. §§ 1232g(a)(5), (b)(1) and 34 CFR §§ 99.31(a)(11) and 99.37) is permitted but not required under the Federal law, a State statute can require educational agencies and institution to implement and disclose "directory information" under certain conditions. However, FERPA would not permit a State to require that information that is considered harmful or an invasion of privacy - such as students' SSNs, race, or gender - be designated and disclosed as "directory information." Also, any State requirement concerning "directory information" would have to honor "opt-outs" by parents and eligible students at K-12 agencies and institutions and by eligible students at postsecondary institutions. That is, under FERPA, parents and eligible students have the right to refuse to let an educational agency or institution designate any or all of the types of information about the student designated as "directory information." See 34 CFR § 99.37(a)(1)-(2). Therefore, any requirement that institutions disclose "directory information" must take into account the fact that students have to be provided notice of the items designated as "directory information," be advised of their right to refuse the let the institution disclose "directory information," and be told the period of time that the student has to notify the institution in writing that he or she does not want the information disclosed ("opt-out"). It is also important to note that, under FERPA, "directory information" may not be disclosed if a student has opted out of the disclosure of "directory information" items.

While you do not provide a definition for the term "continuous enrollments" used in your inquiry, or the terms used in the Virginia statute ("rolling or instantaneous admissions policy"), we assume for the purposes of this discussion that these terms refer to "students already in attendance," a term that the Guidance uses. For those students already in attendance, FERPA would permit postsecondary institution to disclose only properly designated "directory information," and only on those students who have not opted-out. The Guidance notes, as discussed above, this Office excludes from the definition of "directory information" (34 CFR § 99.3 "Directory information") gender and SSNs. In this regard, the Guidance states:

Thus institutions transmitting data on students already in attendance are unable to transmit gender or social security number, and should transmit "other identifying numbers,["] and "U" in lieu of "M" or "F". The informational items designated by the institution to be directory information would include complete name, date of birth, first date of attendance and the "identifying number" used in lieu of social security number for transmitting the data to the State Police.

See Guidance, page 6. Accordingly, the Commonwealth of Virginia can require that postsecondary institutions designate and disclose certain information that has been properly designated as "directory information" under FERPA on students who have not opted out of the disclosure.

However, the Guidance also states that, for students already in attendance, institutions should use "other identifying number" in lieu of SSNs for transmitting to the State Police. It is not clear from the information provided if this number refers to a student ID number or a randomly assigned number just for the purpose of transmitting the data to the State Police. It is also not clear why the Commonwealth believes that this number can be disclosed as "directory information." We would need further information about this number before we could provide technical assistance on this part of your question.

With regard to applicants who are not yet "students" under FERPA, we note that the Guidance requires that all institutions of higher education located in the Commonwealth of Virginia have a "maximum of seven working days, excluding institutional, state and/or federal holidays, from the time an individual who is seeking academic credit is granted acceptance to, or enrolled in the institution, to collect and transmit the [required information] about the student data elements regarding all newly admitted applicants to the Virginia State Police. …" (Emphasis added.) Please note that it is not clear what the guidance means by "enrolled in the institution." As explained in our general discussion of FERPA requirements above, each institution must determine when an individual is considered "in attendance" in accordance with its own enrollment procedures. This Office would consider reasonable an institution's determination that an applicant is a student "in attendance" on the date that the applicant accepts an offer of admission. We would also consider reasonable a determination that an applicant who has been accepted is "in attendance" on the first day of classes, or the day that individual begins residency in a campus dormitory. We would not consider reasonable an institution's determination that an individual is not a student "in attendance" beyond the first day of classes.

Finally, 34 CFR § 99.61 requires an educational agency or institution to notify this Office if it determines that it cannot comply with FERPA due to a conflict with State or local law. To the extent that a Virginia institution of higher education determines that it is unable to comply with the requirements of Virginia Code Annotated § 23-2.2:1, it should notify us. Please note that when funding under federal "Spending Clause" legislation is knowingly accepted by a fund recipient, the law imposes enforceable, affirmative obligations on the recipient. See United States v. Miami University, 294 F.3d 797, 809-810 (6th Cir. 2002). The court explained that educational agencies and institutions are required to comply with all FERPA requirements as a condition for receipt of funding under programs administered by the Department. Once the conditions and funds are accepted, an agency or institution is prohibited from releasing education records without consent. Id. While it appears that the Commonwealth has attempted to take into consideration FERPA's privacy protections in crafting these reporting requirements, it would appear based on the information you have provided that institutions could not provide the State Police with an "identifying number" in lieu of the student's SSN as "directory information" under FERPA.

I trust this guidance is helpful to you in explaining how FERPA provisions relate to the Virginia statute.



LeRoy S. Rooker
Family Policy Compliance Office

Print this page Printable view Send this page Share this page
Last Modified: 10/27/2008