Subject: Notice of proposed rulemaking; FERP

Publication Date: April 8, 2011

Posted Date: April 12, 2011

Subject: Notice of proposed rulemaking; FERP

FR Type: Notice of Proposed Rulemaking (NPRM)

[Federal Register: April 8, 2011 (Volume 76, Number 68)]
[Proposed Rules]               
[Page 19726-19739]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr08ap11-17]                         

==================================================
--------------------------------------------------

DEPARTMENT OF EDUCATION

34 CFR Part 99

RIN 1880-AA86
[Docket ID ED-2011-OM-0002]

 
Family Educational Rights and Privacy

AGENCY: Office of Management, Department of Education.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Secretary proposes to amend the regulations implementing 
section 444 of the General Education Provisions Act, which is also 
known as the Family Educational Rights and Privacy Act of 1974, as 
amended (FERPA). These proposed amendments are necessary to ensure that 
the Department's implementation of FERPA continues to protect the 
privacy of education records, as intended by Congress, while allowing 
for the effective use of data in statewide longitudinal data systems 
(SLDS) as envisioned in the America Creating Opportunities to 
Meaningfully Promote Excellence in Technology, Education, and Science 
Act (COMPETES Act) and furthermore supported under the American 
Recovery and Reinvestment Act of 2009 (ARRA). Improved access to data 
contained within an SLDS will facilitate States' ability to evaluate 
education programs, to build upon what works and discard what does not, 
to increase accountability and transparency, and to contribute to a 
culture of innovation and continuous improvement in education. These 
proposed amendments would enable authorized representatives of State 
and local educational authorities, and organizations conducting 
studies, to use SLDS data to achieve these important outcomes while 
protecting privacy under FERPA through an expansion of the requirements 
for written agreements and the Department's enforcement mechanisms.

DATES: We must receive your comments on or before May 23, 2011. 
Comments received after this date will not be considered.

ADDRESSES: Submit your comments through the Federal eRulemaking Portal 
or via postal mail, commercial delivery, or hand delivery. We will not 
accept comments by fax or by e-mail. Please submit your comments only 
one time, in order to ensure that we do not receive duplicate copies. 
In addition, please include the Docket ID at the top of your comments.
     Federal eRulemaking Portal: Go to http://www.regulations.gov to

submit your comments electronically. Information 
on using Regulations.gov, including instructions for accessing agency 
documents, submitting comments, and viewing the docket, is available on 
the site under ``How To Use This Site.''
     Postal Mail, Commercial Delivery, or Hand Delivery. If you 
mail or deliver your comments about these proposed regulations, address 
them to Regina Miles, U.S. Department of Education, 400 Maryland 
Avenue, SW., Washington, DC 20202.

    Privacy Note: The Department's policy for comments received from 
members of the public (including those comments submitted by mail, 
commercial delivery, or hand delivery) is to make these submissions 
available for public viewing in their entirety on the Federal 
eRulemaking Portal at http://www.regulations.gov. Therefore, 
commenters should be careful to include in their comments only 
information that they wish to make publicly available on the 
Internet.


FOR FURTHER INFORMATION CONTACT: Ellen Campbell, U.S. Department of 
Education, 400 Maryland Avenue, SW., Washington, DC 20202. Telephone: 
(202) 260-3887 or via Internet: FERPA@ed.gov.
    If you use a telecommunications device for the deaf, call the 
Federal Relay Service (FRS), toll free, at 1-800-877-8339.
    Individuals with disabilities can obtain this document in an 
accessible format (e.g., braille, large print, audiotape, or computer 
diskette) on request to the contact person listed under FOR FURTHER 
INFORMATION CONTACT.

SUPPLEMENTARY INFORMATION:

Invitation to Comment

    We invite you to submit comments regarding these proposed 
regulations. To ensure that your comments have maximum effect in 
developing the final regulations, we urge you to identify clearly the 
specific section or sections of the proposed regulations that each of 
your comments addresses and to arrange your comments in the same order 
as the proposed regulations.
    We invite you to assist us in complying with the specific 
requirements of Executive Order 12866 and its overall requirement of 
reducing regulatory burden that might result from these proposed 
regulations. Please let us know of any further opportunities we should 
take to reduce potential costs or increase potential benefits while 
preserving the effective and efficient administration of the program.
    During and after the comment period, you may inspect all public 
comments about these proposed regulations by accessing http://www.regulations.gov.

You may also inspect the comments in person in 
room 6W243, 400 Maryland Avenue, SW., Washington, DC, 20202 between the 
hours of 8:30 a.m. and 4 p.m. Eastern time, Monday through Friday of 
each week except Federal holidays.

Assistance to Individuals With Disabilities in Reviewing the Rulemaking 
Record

    On request, we will supply an appropriate aid, such as a reader or 
print magnifier, to an individual with a disability who needs 
assistance to review the comments or other documents in the public 
rulemaking record for these proposed regulations. If you want to 
schedule an appointment for this type of aid, please contact the person 
listed under FOR FURTHER INFORMATION CONTACT.
    Background: On February 17, 2009, the President signed the ARRA 
(Pub. L.

[[Page 19727]]

111-5) into law. The ARRA includes significant provisions relating to 
the expansion and development of SLDS. Under title XIV of the ARRA, in 
order for a State to receive funding under the State Fiscal 
Stabilization Fund program (SFSF), the State's Governor must provide an 
assurance in the State's application for SFSF funding that the State 
will establish an SLDS that meets the requirements of section 
6401(e)(2)(D) of the COMPETES Act (20 U.S.C. 9871(e)(2)(D)).
    With respect to public preschool through grade 12 and postsecondary 
education, COMPETES requires that the SLDS include: (a) A unique 
statewide student identifier that, by itself, does not permit a student 
to be individually identified by users of the system; (b) student-level 
enrollment, demographic, and program participation information; (c) 
student-level information about the points at which students exit, 
transfer in, transfer out, drop out, or complete P-16 education 
programs; (d) the capacity to communicate with higher education data 
systems; and (e) a State data audit system assessing data quality, 
validity, and reliability.
    With respect to public preschool through grade 12 education, 
COMPETES requires that the SLDS include: (a) Yearly test records of 
individual students with respect to assessments under section 1111(b) 
of the Elementary and Secondary Education Act of 1965, as amended (20 
U.S.C. 6311(b)); (b) information on students not tested by grade and 
subject; (c) a teacher identifier system with the ability to match 
teachers to students; (d) student-level transcript information, 
including information on courses completed and grades earned; and (e) 
student-level college readiness test scores.
    With respect to postsecondary education, COMPETES requires that the 
SLDS include: (a) Information regarding the extent to which students 
transition successfully from secondary school to postsecondary 
education, including whether students enroll in remedial coursework; 
and (b) other information determined necessary to address alignment and 
adequate preparation for success in postsecondary education.
    Separate provisions in title VIII of the ARRA appropriated $250 
million for additional grants to State educational agencies (SEAs) 
under the Statewide Longitudinal Data Systems program, authorized under 
section 208 of the Educational Technical Assistance Act of 2002 (20 
U.S.C. 9601, et seq.) to support the expansion of SLDS to include 
postsecondary and workforce information.
    The extent of data sharing contemplated by these and other Federal 
initiatives prompted the Department to review the impact that its FERPA 
regulations could have on the development and use of SLDS. FERPA is a 
Federal law that protects student privacy by prohibiting educational 
agencies and institutions from having a practice or policy of 
disclosing personally identifiable information in student education 
records (``PII'') unless a parent or eligible student provides prior 
written consent or a statutory exception applies. In those 
circumstances in which educational agencies and institutions may 
disclose PII to third parties without consent, FERPA and its 
implementing regulations limit the redisclosure of PII by the 
recipients, except as set forth in Sec. Sec.  99.33(c) and (d) and 
99.35(c)(2) (see 20 U.S.C. 1232g(b)(3) and (b)(4)(B) and Sec. Sec.  
99.33 and 99.35(c)(2)). For example, State and local educational 
authorities that receive PII without consent from the parent or 
eligible student under the ``audit or evaluation'' exception may not 
make further disclosures of the PII on behalf of the educational agency 
or institution unless prior written consent from the parent or eligible 
student is obtained, Federal law specifically authorized the collection 
of the PII, or a statutory exception applies and the redisclosure and 
recordation requirements are met (see 20 U.S.C. 1232g(b)(3) and (b)(4) 
and Sec. Sec.  99.32(b)(2), 99.33(b)(1)), and 99.35(c)).
    In light of the ARRA, the Department has conducted a review of its 
FERPA regulations in 34 CFR part 99, including changes reflected in the 
final regulations published on December 9, 2008 (73 FR 74806). Further, 
the Department has reviewed its guidance interpreting FERPA, including 
statements made in the preamble discussion to the final regulations 
published on December 9, 2008 (73 FR 74806).
    Based on its review, the Department has determined that the 
Department's December 2008 changes to the FERPA regulations promote the 
development and expansion of robust SLDS in the following ways:
     Expanding the redisclosure authority in FERPA by amending 
Sec.  99.35 to permit State and local educational authorities and other 
officials listed in Sec.  99.31(a)(3) to make further disclosures of 
personally identifiable information from education records, without the 
consent of parents or eligible students, on behalf of the educational 
agency or institution from which the PII was obtained under specified 
conditions (see Sec. Sec.  99.33(b)(1) and 99.35(b)(1)).
     Permitting SEAs and other State educational authorities, 
as well as the other officials listed in Sec.  99.31(a)(3), to record 
their redisclosures at the time they are made and by groups (i.e., by 
the student's class, school district, or other appropriate grouping 
rather than by the name of each student whose record was redisclosed); 
and only requiring them to send these records of redisclosure to the 
educational agencies or institutions from which the PII was obtained 
upon the request of an educational agency or institution (see Sec.  
99.32(b)(2)).
    Notwithstanding these provisions in the Department's FERPA 
regulations and the preamble discussion relating to the December 2008 
changes to the regulations, the Department's review indicates that 
there are a small number of other regulatory provisions and policy 
statements that unnecessarily hinder the development and expansion of 
SLDS consistent with the ARRA. Because the Department has determined 
that these regulatory provisions and policies are not necessary to 
ensure privacy protections for PII, it proposes to amend 34 CFR part 99 
to make the changes described in the following section.

Significant Proposed Regulations

    We discuss substantive issues under the sections of the proposed 
regulations to which they pertain. Generally, we do not address 
proposed regulatory provisions that are technical or otherwise minor in 
effect.

Definitions (Sec.  99.3)

Authorized Representative (Sec. Sec.  99.3, 99.35)

    Statute: Sections (b)(1)(C), (b)(3) and (b)(5) of FERPA (20 U.S.C. 
1232g(b)(1)(C), (b)(3) and (b)(5)) permit educational agencies and 
institutions nonconsensually to disclose PII to ``authorized 
representatives'' of State and local educational authorities, the 
Secretary, the Attorney General of the United States, and the 
Comptroller General of the United States, as may be necessary in 
connection with the audit, evaluation, or the enforcement of Federal 
legal requirements related to Federal or State supported education 
programs. The statute does not define the term authorized 
representative.
    Current Regulations: The term authorized representative, which is 
used in current Sec. Sec.  99.31(a)(3) and 99.35(a)(1), is not defined 
in the current regulations. Current Sec. Sec.  99.31(a)(3) and 
99.35(a)(1), together, implement sections (b)(1)(C), (b)(3) and (b)(5) 
of FERPA (20 U.S.C. 1232g(b)(1)(C), (b)(3) and (b)(5)).

[[Page 19728]]

    Proposed Regulations: We propose to amend Sec.  99.3 to add a 
definition of the term authorized representative. Under the proposed 
definition, an authorized representative would mean any entity or 
individual designated by a State or local educational authority or 
agency headed by an official listed in Sec.  99.31(a)(3) to conduct--
with respect to Federal or State supported education programs--any 
audit, evaluation, or compliance or enforcement activity in connection 
with Federal legal requirements that relate to those programs.
    In order to help ensure proper implementation of FERPA requirements 
that protect student privacy, we also propose to amend Sec.  99.35 
(What conditions apply to disclosure of information for Federal or 
State program purposes?). Specifically, we would provide, in proposed 
Sec.  99.35(a)(2), that responsibility remains with the State or local 
educational authority or agency headed by an official listed in Sec.  
99.31(a)(3) to use reasonable methods to ensure that any entity 
designated as its authorized representative remains compliant with 
FERPA. We are not proposing to define ``reasonable methods'' in the 
proposed regulations in order to provide flexibility for a State or 
local educational authority or an agency headed by an official listed 
in Sec.  99.31(a)(3) to make these determinations. However, we are 
interested in receiving comments on what would be considered reasonable 
methods. The Department anticipates issuing non-regulatory guidance on 
this and other related matters when we issue the final regulations or 
soon thereafter.
    We also would amend Sec.  99.35 to require written agreements 
between a State or local educational authority or agency headed by an 
official listed in Sec.  99.31(a)(3) and its authorized representative, 
other than an employee (see proposed Sec.  99.35(a)(3)). We propose 
that these agreements: designate the individual or entity as an 
authorized representative; specify the information to be disclosed and 
that the purpose for which the PII is disclosed to the authorized 
representative is only to carry out an audit or evaluation of Federal 
or State supported education programs, or to enforce or to comply with 
Federal legal requirements that relate to those programs; require the 
return or destruction of the PII when no longer needed for the 
specified purpose in accordance with the requirements of Sec.  
99.35(b)(2); specify the time period in which the PII must be returned 
or destroyed; and establish policies and procedures (consistent with 
FERPA and other Federal and State confidentiality and privacy 
provisions) to protect the PII from further disclosure (except back to 
the disclosing entity) and unauthorized use, including limiting the use 
of PII to only those authorized representatives with legitimate 
interests (see proposed Sec.  99.35(a)(3)).
    We would propose a minor change to Sec.  99.35(b) to clarify that 
the requirement to protect PII from disclosure applies to authorized 
representatives.
    Finally, proposed Sec.  99.35(d) would clarify that if the 
Department's Family Policy Compliance Office (FPCO) finds that a State 
or local educational authority, an agency headed by an official listed 
in Sec.  99.31(a)(3), or an authorized representative of a State or 
local educational authority or agency headed by an official listed in 
Sec.  99.31(a)(3) improperly rediscloses PII in violation of FERPA, the 
educational agency or institution from which the PII originated would 
be prohibited from permitting the entity responsible for the improper 
redisclosure (i.e., the authorized representative, or the State or 
local educational authority or the agency headed by an officials listed 
in Sec.  99.31(a)(3), or both) access to the PII for at least five 
years (see 20 U.S.C. 1232g(b)(4)(B) and Sec.  99.33(e)).
    Reasons: Under current Sec. Sec.  99.31(a)(3) and 99.35(a)(1) and 
20 U.S.C. 1232g(b)(1)(C), (b)(3), and (b)(5), an educational agency or 
institution may disclose PII to an authorized representative of a State 
or local educational authority or an agency headed by an official 
listed in Sec.  99.31(a)(3), without prior written consent, for the 
purposes of conducting--with respect to Federal or State supported 
education programs--any audit, evaluation, or compliance or enforcement 
activity in connection with Federal legal requirements that relate to 
those education programs, provided that such disclosures are subject to 
the applicable privacy protections in FERPA. Although the term 
authorized representative is not defined in FERPA or the current 
regulations, the Department's longstanding interpretation of this term 
has been that it does not include other State or Federal agencies 
because these agencies are not under the direct control (e.g., they are 
not employees or contractors) of a State educational authority (or 
other agencies headed by officials listed in Sec.  99.31(a)(3)). 
(Memorandum from William D. Hansen, Deputy Secretary of Education, to 
State officials, January 30, 2003, (``Hansen memorandum'')). Under this 
interpretation of the term authorized representative, as it is used in 
current Sec. Sec.  99.31(a)(3) and 99.35(a)(1) (and 1232g(b)(1)(C), 
(b)(3), and (b)(5)), an SEA or other State educational authority may 
not make further disclosures of PII to other State agencies, such as 
State health and human services departments, because these agencies are 
not employees or contractors to which the State educational authority 
has outsourced the audit or evaluation of education programs (or other 
institutional services or functions). (This interpretation was later 
incorporated in the preamble to the final FERPA regulations published 
on December 9, 2008 (73 FR 74806, 74825).)
    As explained in further detail in the following paragraphs, the 
Department has concluded that FERPA does not require that an authorized 
representative be under the educational authority's direct control in 
order to receive PII for purposes of audit or evaluation. We also do 
not believe such a restrictive interpretation is warranted given 
Congress' intent in the ARRA to have States link data across sectors. 
Through these regulations, therefore, we are proposing to rescind the 
policy established in the January 30, 2003, Hansen memorandum and the 
preamble to the final FERPA regulations published on December 9, 2008 
(73 FR 74806, 74825). These proposed regulations also would expressly 
permit State and local educational authorities and other agencies 
headed by officials listed in Sec.  99.31(a)(3) to exercise the 
flexibility and discretion to designate other individuals and entities, 
including other governmental agencies, as their authorized 
representatives for evaluation, audit, or legal enforcement or 
compliance purposes of a Federal or State-supported education program, 
subject to the requirements in FERPA and its implementing regulations.
    We first note that nothing in FERPA prescribes which agencies, 
organizations, or individuals may serve as an authorized representative 
of a State or local educational authority or an agency headed by an 
official listed in Sec.  99.31(a)(3), or whether an authorized 
representative must be a public or private entity or official. 
Moreover, the Department believes that it is unnecessarily restrictive 
to interpret FERPA as prohibiting an individual or entity who is not an 
employee or contractor under the ``direct control'' of a State or local 
educational authority or agency headed by an official listed in Sec.  
99.31(a)(3) from serving as an authorized representative.
    One of the key purposes of FERPA is to ensure the privacy of 
personally identifiable information in student education records. 
Therefore, the determination of who can serve as an authorized 
representative should be

[[Page 19729]]

made in light of that purpose. Accordingly, we believe it is 
appropriate to require that any State or local educational authority or 
agency headed by an official listed in Sec.  99.31(a)(3) that 
designates an individual or entity as an authorized representative--
     Be responsible for using reasonable methods to ensure that 
the designated individual or entity--
    [cir] Uses PII only for purposes of the audit, evaluation, or 
compliance or enforcement activity in question;
    [cir] Destroys or returns PII when no longer needed for these 
purposes; and
    [cir] Protects PII from redisclosure (and use by any other third 
party), except as permitted in Sec.  99.35(b)(1) (i.e., back to the 
disclosing entity) (see proposed Sec.  99.35(a)(2)); and
     Use a written agreement that designates any authorized 
representative other than an employee and includes the privacy 
protections set forth in proposed Sec.  99.35(a)(3) (i.e., to use 
reasonable methods to limit its authorized representative's use of PII 
for these purposes, to require the return or destruction of PII when it 
is no longer needed for these purposes, and to establish policies and 
procedures consistent with FERPA and other Federal and State 
confidentiality and privacy provisions) to protect PII from further 
disclosure (except back to the disclosing entity). If a State or local 
educational authority or agency headed by an official listed in Sec.  
99.31(a)(3) is able to comply with these requirements (i.e., to use 
reasonable methods to limit its authorized representative's use of PII 
for these purposes, to establish policies and procedures to protect PII 
from further disclosure and to require the return or destruction of PII 
when it is no longer needed for these purposes), then there is no 
reason why a State health and human services or labor department, for 
example, should be precluded from serving as the authority's authorized 
representative and receiving non-consensual disclosures of PII to link 
education, workforce, health, family services, and other data for the 
purpose of evaluating, auditing, or enforcing Federal legal 
requirements related to, Federal or State supported education programs.
    Furthermore, under proposed Sec.  99.35(d), we would clarify that 
in the event that the Family Policy Compliance Office finds an improper 
redisclosure, the Department would prohibit the educational agency or 
institution from which the PII originated from permitting the party 
responsible for the improper redisclosure (i.e., the authorized 
representative, or the State or local educational authority or agency 
headed by an official listed in Sec.  99.31(a)(3), or both) access to 
the PII for at least five years.
    With these proposed changes to the privacy provisions in Sec.  
99.35, we believe that PII, including PII in SLDS, will be 
appropriately protected while giving each State the needed flexibility 
to house information in a SLDS that best meets the needs of the 
particular State. FERPA does not constrain State administrative choices 
regarding the data system architecture, data strategy, or technology 
for SLDS as long as the required designation, purpose, and privacy 
protections are in place. The proposed amendments to Sec.  99.35 would 
require that these protections are in place.

Directory Information (Sec.  99.3)

    Statute: Sections (a)(5)(A), (b)(1), and (b)(2) of FERPA (20 U.S.C. 
1232g(a)(5), (b)(1), and (b)(2)) permit educational agencies and 
institutions nonconsensually to disclose information defined as 
directory information, such as a student's name and address, telephone 
listing, date and place of birth, and major field of study, provided 
that specified public notice and opt out conditions have been met.
    Current Regulations: Directory information is defined in current 
Sec.  99.3 as information contained in an education record of a student 
that would not generally be considered harmful or an invasion of 
privacy if disclosed, and includes information listed in section 
(a)(5)(A) of FERPA (20 U.S.C. 1232g(a)(5)(A)) (e.g., a student's name 
and address, telephone listing) as well as other information, such as a 
student's electronic mail (e-mail) address, enrollment status, and 
photograph. Current regulations also specify that a student's Social 
Security Number (SSN) or student identification (ID) number may not be 
designated and disclosed as directory information. However, the current 
regulations state that a student ID number, user ID, or other unique 
personal identifier used by the student for purposes of accessing or 
communicating in electronic systems may be designated and disclosed as 
directory information if the identifier cannot be used to gain access 
to education records except when used in conjunction with one or more 
factors to authenticate the user's identity.
    Proposed Regulations: The proposed regulations would modify the 
definition of directory information to clarify that an educational 
agency or institution may designate as directory information and 
nonconsensually disclose a student ID number or other unique personal 
identifier that is displayed on a student ID card or badge if the 
identifier cannot be used to gain access to education records except 
when used in conjunction with one or more factors that authenticate the 
user's identity, such as a PIN, password, or other factor known or 
possessed only by the authorized user.
    Reasons: Directory information items, such as name, photograph, and 
student ID number, are the types of information that are typically 
displayed on a student ID card or badge. For the reasons outlined in 
our discussion later in this notice regarding the proposed changes in 
Sec.  99.37(c), the proposed change to the definition of directory 
information is needed to clarify that FERPA permits educational 
agencies and institutions to designate student ID numbers as directory 
information in the public notice provided to parents and eligible 
students in attendance at the agency or institution under Sec.  
99.37(a)(1). Including the designation of student ID numbers as a 
directory information item will permit schools to disclose as directory 
information a student ID number on a student ID card or badge if the 
student ID number cannot be used to gain access to education records 
except when used in conjunction with one or more factors that 
authenticate the user's identity. In situations where a student's 
social security number is used as the student's ID number, that number 
may not be designated as directory information, even for purposes of a 
student's ID card or badge.

Education Program (Sec. Sec.  99.3, 99.35)

    Statute: The statute does not define the term education program.
    Current Regulations: The term education program, which is used in 
current Sec.  99.35(a)(1), is not defined in the current regulations. 
Current Sec.  99.35(a)(1) provides that authorized representatives of 
the officials or agencies headed by officials listed in Sec.  
99.31(a)(3) may have non-consensual access to personally identifiable 
information from education records in connection with an audit or 
evaluation of Federal or State supported ``education programs'', or for 
the enforcement of or compliance with Federal legal requirements that 
relate to those programs.
    Proposed Regulations: We propose to define the term education 
program to mean any program that is principally engaged in the 
provision of education, including, but not limited to early childhood 
education, elementary and secondary education, postsecondary education, 
special education, job training, career and technical education,

[[Page 19730]]

and adult education, regardless of whether the program is administered 
by an educational authority.
    Reasons: The proposed definition of education program in Sec.  99.3 
is intended to establish that a program need not be administered by an 
educational agency or institution in order for it to be considered an 
education program for purposes of Sec.  99.35(a)(1) and 20 U.S.C. 
1232g(b)(1). The Secretary recognizes that education may begin before 
kindergarten and may involve learning outside of postsecondary 
institutions. However, in many States, programs that the Secretary 
would regard as education programs are not administered by SEAs or 
LEAs. For example, in many States, State-level health and human 
services departments administer early childhood education programs, 
including early intervention programs authorized under Part C of the 
Individuals with Disabilities Education Act (IDEA). Similarly, agencies 
other than SEAs may administer career and technical education or adult 
education programs. Because all of these programs could benefit from 
the type of rigorous data-driven evaluation that SLDS will facilitate, 
we are proposing to define the term education program to include these 
programs that are not administered by education agencies. This proposed 
change would provide greater access to information on students before 
entering or exiting the P-16 programs. The information could be used to 
evaluate these education programs and provide increased opportunities 
to build upon successful ones and improve less successful ones. In 
order to accomplish these objectives, and to give States the 
flexibility needed to develop and expand the SLDS contemplated under 
the ARRA, the Department proposes to interpret the term education 
program, as used in FERPA and its implementing regulations, to mean any 
program that is principally engaged in the provision of education, 
including, but not limited to, early childhood education, elementary 
and secondary education, postsecondary education, special education, 
job training, career and technical education, and adult education, even 
when agencies other than SEAs administer such a program.\1\ Thus, as an 
example, under the proposed definitions of the terms, authorized 
representative and education program, FERPA would permit a State 
educational authority to designate a State health and human services 
agency as its authorized representative in order to conduct an audit or 
an evaluation of any Federal or State supported education program, such 
as the Head Start program.
---------------------------------------------------------------------------

    \1\ We intend for the proposed definition of the term education 
program to include, but not be limited to, any applicable program, 
as that term is defined in section 400 of the General Education 
Provisions Act (20 U.S.C. 1221).
---------------------------------------------------------------------------

Research Studies (Sec.  99.31(a)(6))

    Statute: Section (b)(1)(F) of FERPA permits educational agencies 
and institutions non-consensually to disclose PII to organizations 
conducting studies for, or on behalf of, educational agencies and 
institutions to improve instruction, to administer student aid 
programs, or to develop, validate, or administer predictive tests.
    Current Regulations: Current Sec.  99.31(a)(6)(ii)(C) requires that 
an educational agency or institution enter into a written agreement 
with the organization conducting the study that specifies the purpose, 
scope, and duration of the study and the information to be disclosed 
and meets certain other requirements. Current regulations do not 
indicate whether State and local educational authorities and agencies 
headed by officials listed in Sec.  99.31(a)(3) that may redisclose PII 
on behalf of educational agencies and institutions under Sec.  99.33(b) 
may also enter into this type of written agreement.
    Proposed Regulations: The Secretary proposes to amend Sec.  99.31 
by redesignating paragraphs (a)(6)(ii) through (a)(6)(v) as paragraphs 
(a)(6)(iii) through (a)(6)(vi) and adding a new paragraph (a)(6)(ii). 
This new paragraph would clarify that nothing in FERPA or its 
implementing regulations prevents a State or local educational 
authority or agency headed by an official listed in Sec.  99.31(a)(3) 
from entering into agreements with organizations conducting studies 
under Sec.  99.31(a)(6)(i) and redisclosing PII on behalf of the 
educational agencies and institutions that provided the information in 
accordance with the requirements of Sec.  99.33(b). We also propose to 
amend Sec.  99.31(a)(6) to require written agreements between a State 
or local educational authority or agency headed by an official listed 
in Sec.  99.31(a)(3) and any organization conducting studies with 
redisclosed PII under this exception (see proposed Sec.  
99.31(a)(6)(iii)(C)). Under this amended regulatory provision, these 
agreements would need to contain the specific provisions currently 
required in agreements between educational agencies or institutions and 
such organizations under current Sec.  99.31(a)(6)(ii)(C). Thus, the 
only differences between proposed Sec.  99.31(a)(6)(iii)(C) and current 
Sec.  99.31(a)(6)(ii)(C) would be to make the written agreement 
requirements apply to State or local educational authorities or 
agencies headed by an official listed in Sec.  99.31(a)(3) as well as 
educational agencies and institutions. Finally, newly redesignated 
Sec.  99.31(a)(6)(iv) and (a)(6)(v) would be revised to ensure that 
these provisions apply to State and local educational authorities or 
agencies headed by an official listed in Sec.  99.31(a)(3)--not only 
educational agencies and institutions.
    Reasons: In the preamble to the FERPA regulations published in the 
Federal Register on December 9, 2008 (73 FR 74806, 74826), the 
Department explained that an SEA or other State educational authority 
that has legal authority to enter into agreements for LEAs or 
postsecondary institutions under its jurisdiction may enter into an 
agreement with an organization conducting a study for the LEA or 
institution under the studies exception in Sec.  99.31(a)(6). The 
preamble explained further that if the SEA or other State educational 
authority does not have the legal authority to act for or on behalf of 
an LEA or institution, then the SEA or other State educational 
authority would not be permitted to enter into an agreement with an 
organization under this exception. The changes reflected in proposed 
Sec.  99.31(a)(6)(ii) are necessary to clarify that while FERPA does 
not confer legal authority on State and Federal agencies to enter into 
agreements and act on behalf of or in place of LEAs and postsecondary 
institutions, nothing in FERPA prevents them from entering into these 
agreements and redisclosing PII on behalf of LEAs and postsecondary 
institutions to organizations conducting studies under Sec.  
99.31(a)(6) in accordance with the redisclosure requirements in Sec.  
99.33(b).
    As explained in the preamble to the December 2008 regulations (see 
73 FR 74806, 74821), the Department recognizes that the State and local 
educational authorities and Federal officials that receive PII without 
consent under Sec.  99.31(a)(3) are generally responsible for 
supervising and monitoring LEAs and postsecondary institutions. SEAs 
and State higher educational agencies, in particular, typically have 
the role and responsibility to perform and support research and 
evaluation of publicly funded education programs for the benefit of 
multiple educational agencies and institutions in their States. We 
understand further that these relationships generally provide 
sufficient authority for a State educational authority to enter into an

[[Page 19731]]

agreement with an organization conducting a study and to redisclose PII 
received from educational agencies and institutions that provided the 
information in accordance with Sec.  99.33(b). The proposed 
regulations, therefore, would clarify that studies supported by these 
State and Federal authorities of publicly funded education programs 
generally may be conducted, while simultaneously ensuring that any PII 
disclosed is appropriately protected by the organizations conducting 
the studies.
    In the event that an educational agency or institution objects to 
the redisclosure of PII it has provided, the State or local educational 
authority or agency headed by an official listed in Sec.  99.31(a)(3) 
may rely instead on any independent authority it has to further 
disclose the information on behalf of the agency or institution. The 
Department recognizes that this authority may be implied and need not 
be explicitly granted.

Authority To Audit or Evaluate (Sec.  99.35)

    Statute: Sections (b)(1)(C), (b)(3) and (b)(5) of FERPA (20 U.S.C. 
1232g(b)(1)(C), (b)(3) and (b)(5)) permit educational agencies and 
institutions non-consensually to disclose PII to authorized 
representatives of State and local educational authorities, the 
Secretary, the Attorney General of the United States, and the 
Comptroller General of the United States, as may be necessary in 
connection with the audit, evaluation, or the enforcement of Federal 
legal requirements related to Federal or State supported education 
programs.
    Current Regulations: Current Sec.  99.35(a)(2) provides that in 
order for a State or local educational authority or other agency headed 
by an official listed in Sec.  99.31(a)(3) to conduct an audit, 
evaluation, or compliance or enforcement activity, its authority to do 
so must be established under other Federal, State, or local authority 
because that authority is not conferred by FERPA.
    Proposed Regulations: The Secretary proposes to amend Sec.  
99.35(a)(2) by removing the provision that a State or local educational 
authority or other agency headed by an official listed in Sec.  
99.31(a)(3) must establish legal authority under other Federal, State 
or local law to conduct an audit, evaluation, or compliance or 
enforcement activity.
    Reasons: Current Sec. Sec.  99.33(b)(1) and 99.35(b)(1) permit 
State and local educational authorities and agencies headed by 
officials listed in Sec.  99.31(a)(3) to further disclose PII from 
education records on behalf of educational agencies or institutions to 
other authorized recipients under Sec.  99.31, including separate State 
educational authorities at different levels of education, provided that 
the redisclosure meets the requirements of Sec.  99.33(b)(1) and the 
recordkeeping requirements in Sec.  99.32(b). However, we believe that 
our prior guidance and statements made in the preambles to the notice 
of proposed rulemaking published on March 24, 2008 (73 FR 15574), and 
the final regulations published on December 9, 2008 (73 FR 74806), may 
have created some confusion about whether a State or local educational 
authority or agency headed by an official listed in Sec.  99.31(a)(3) 
that receives PII under the audit and evaluation exception must be 
authorized to conduct an audit or evaluation of a Federal or State 
supported education program, or enforcement or compliance activity in 
connection with Federal legal requirements related to the education 
program of the disclosing educational agency or institution or whether 
the PII may be disclosed in order for the recipient to conduct an 
audit, evaluation, or enforcement or compliance activity with respect 
to the recipient's own Federal or State supported education programs.
    By removing the language concerning legal authority from current 
Sec.  99.35(a)(2), the Department would clarify two things to eliminate 
this confusion. First, the Department would clarify that the authority 
for a State or local educational authority or Federal agency headed by 
an official listed in Sec.  99.31(a)(3) to conduct an audit, 
evaluation, enforcement or compliance activity may be express or 
implied. And, second, the Department would clarify that FERPA permits 
non-consensual disclosure of PII to a State or local educational 
authority or agency headed by an official listed in Sec.  99.31(a)(3) 
to conduct an audit, evaluation, or compliance or enforcement activity 
with respect to the Federal or State supported education programs of 
the recipient's own Federal or State supported education programs as 
well as those of the disclosing educational agency or the institution.
    The Department intends these clarifications to promote Federal 
initiatives to support the robust use of data by State and local 
educational authorities to evaluate the effectiveness of Federal or 
State supported education programs. The provision of postsecondary 
student data to P-12 data systems is vital to evaluating whether P-12 
schools are effectively preparing students for college. This proposed 
clarification would, for example, establish that FERPA does not 
prohibit a private postsecondary institution from non-consensually 
disclosing to an LEA PII on the LEA's former students who are now in 
attendance at the private postsecondary institution, as may be 
necessary for the LEA to evaluate the Federal or State supported 
education programs that the LEA administers. This proposed 
clarification similarly would establish that FERPA does not prohibit a 
postsecondary data system from non-consensually redisclosing PII to an 
SEA in connection with the SEA's evaluation of whether the State's LEAs 
effectively prepared their graduates to enroll, persist, and succeed in 
postsecondary education.

Directory Information (Sec.  99.37)

Section 99.37(c) (Student ID Cards and ID Badges)

    Statute: The statute does not address whether parents and eligible 
students may use their right to opt out of directory information 
disclosures to prevent school officials from requiring students to 
disclose ID cards or to wear ID badges.
    Current Regulations: Current regulations do not address whether 
parents and eligible students may use their right to opt out of 
directory information disclosures to prevent school officials from 
requiring students to disclose ID cards or to wear ID badges.
    Proposed Regulations: The proposed regulations would provide in 
Sec.  99.37(c) that parents or eligible students may not use their 
right to opt out of directory information disclosures to prevent an 
educational agency or institution from requiring students to wear or 
otherwise disclose student ID cards or badges that display information 
that may be designated as directory information under Sec.  99.3 and 
that has been properly designated by the educational agency or 
institution as directory information under Sec.  99.37(a)(1).
    Reasons: An increased awareness of school safety and security has 
prompted some educational agencies and institutions, especially school 
districts, to require students to wear and openly display a student ID 
badge that contains identifying information (typically, name, photo, 
and student ID number) when the student is on school property or 
participates in extracurricular activities. We have received inquiries 
about this issue, as well as complaints that the mandatory public 
display of identifying information on a student ID

[[Page 19732]]

badge violates the FERPA rights of parents and eligible students who 
have opted out of directory information disclosures. The proposed 
regulations are needed to clarify that the right to opt out of 
directory information disclosures is not a mechanism for students, when 
in school or at school functions, to refuse to wear student ID badges 
or to display student ID cards that display information that may be 
designated as directory information under Sec.  99.3 and that has been 
properly designated by the educational agency or institution as 
directory information under Sec.  99.37(a)(1). Because we recognize 
that the types of ID cards and badges that postsecondary institutions 
require may differ significantly from those required by elementary and 
secondary schools, we are requesting comments from postsecondary 
officials on whether this proposed change raises any particularized 
concerns for their institutions.
    The directory information exception is intended to facilitate 
communication among school officials, parents, students, alumni, and 
others, and permits schools to publicize and promote institutional 
activities to the general public. Many schools do so by publishing 
paper or electronic directories that contain student names, addresses, 
telephone listings, e-mail addresses, and other information the 
institution has designated as directory information. Some schools do 
not publish a directory but do release directory information on a more 
selective basis. FERPA allows a parent or eligible student to opt out 
of these disclosures (under the conditions specified in Sec.  
99.37(a)), whether the information is made available to the general 
public, limited to members of the school community, or released only to 
specified individuals.
    The Secretary believes, however, that the need for schools and 
college campuses to implement measures to ensure the safety and 
security of students is of the utmost importance and that FERPA should 
not be used as an impediment to achieving student safety. Thus, the 
right to opt out of the disclosure of directory information does not 
include the right to refuse to wear or otherwise disclose a student ID 
card or badge that displays directory information and, therefore, may 
not be used to impede a school's ability to monitor and control who is 
in school buildings or on school grounds or whether a student is where 
he or she should be. This proposed change would mean that, even when a 
parent or eligible student opts out of the disclosure of directory 
information, an educational agency or institution may nevertheless 
require the student to wear and otherwise disclose a student ID card or 
badge that displays information that may be designated as directory 
information under Sec.  99.3 and that has been properly designated by 
the educational agency or institution as directory information under 
Sec.  99.37(a)(1).

Section 99.37(d) (Limited Directory Information Policy)

    Statute: Under sections (a)(5), (b)(1), and (b)(2) of FERPA (20 
U.S.C. 1232g(a)(5), (b)(1), and (b)(2)), an educational agency or 
institution may disclose directory information without meeting FERPA's 
written consent requirements provided that it first notifies the 
parents or eligible students of the types of information that may be 
disclosed and allows them to opt out of the disclosure. The statute 
lists a number of items in the definition of directory information, 
including a student's name, address, and telephone listing. The statute 
does not otherwise address whether an educational agency or institution 
may have a limited directory information policy in which it specifies 
the exact parties who may receive directory information, the specific 
purposes for which the directory information may be disclosed, or both.
    Current Regulations: Section 99.37(a) requires an educational 
agency or institution to provide public notice to parents of students 
in attendance and eligible students in attendance of the types of 
directory information that may be disclosed and the parent's or 
eligible student's right to opt out.
    Proposed Regulations: Proposed Sec.  99.37(d) would clarify that an 
educational agency or institution may specify in the public notice it 
provides to parents and eligible students in attendance provided under 
Sec.  99.37(a) that disclosure of directory information will be limited 
to specific parties, for specific purposes, or both. We also propose to 
clarify that an educational agency or institution that adopts a limited 
directory information policy must limit its directory information 
disclosures only to those parties and purposes that were specified in 
the public notice provided under Sec.  99.37(a).
    Reasons: Some school officials have advised us that their 
educational agencies and institutions do not have a directory 
information policy under FERPA, due to concerns about the potential 
misuse by members of the public of personally identifiable information 
about students, including potential identity theft. Clarifying that the 
regulations permit educational agencies and institutions to have a 
limited directory information policy would give educational agencies 
and institutions greater discretion in protecting student privacy by 
permitting them to limit the release of directory information for 
specific purposes, to specific parties, or both. This proposed change 
also would provide a regulatory authority for FPCO to investigate and 
enforce a violation of a limited directory information policy by an 
educational agency or institution.
    However, in order not to impose additional administrative burdens 
on educational agencies and institutions, the Department is not 
proposing changes to the recordkeeping requirement in Sec.  
99.32(d)(4), which currently excepts educational agencies and 
institutions from having to record the disclosure of directory 
information. For similar reasons, the Department is not proposing to 
amend the redisclosure provisions in Sec.  99.33(c), which except the 
redisclosure of directory information from the general prohibition on 
redisclosure of personally identifiable information. While the 
Department is not proposing to regulate on the redisclosure of 
directory information by third parties that receive directory 
information from educational agencies or institutions under a limited 
directory information policy, we nevertheless strongly recommend that 
educational agencies and institutions that choose to adopt a limited 
directory information policy assess the need to protect the directory 
information from further disclosure by the third parties to which they 
disclose directory information; when a need to protect the information 
from further disclosure is identified, educational agencies and 
institutions should enter into non-disclosure agreements with the third 
parties.

Enforcement Procedures With Respect to Any Recipient of Department 
Funds That Students Do Not Attend (Sec.  99.60)

    Statute: Sections (f) and (g) of FERPA (20 U.S.C. 1232g(f) and (g)) 
authorize the Secretary to take appropriate actions to enforce and 
address violations of FERPA in accordance with part D of the General 
Education Provisions Act (20 U.S.C. 1234 through 1234i) and to 
establish or designate an office and review board within the Department 
for the purpose of investigating, processing, reviewing, and 
adjudicating alleged violations of FERPA.
    Current Regulations: Current Sec.  99.60(b) designates the FPCO as 
the office within the Department responsible for investigating, 
processing, and reviewing alleged

[[Page 19733]]

violations of FERPA. Current subpart E of the FERPA regulations 
(Sec. Sec.  99.60 through 99.67), however, only addresses alleged 
violations of FERPA committed by an educational agency or institution.
    Proposed Regulations: Proposed Sec.  99.60(a)(2) would provide 
that, solely for purposes of subpart E of the FERPA regulations, which 
addresses enforcement procedures, an ``educational agency or 
institution'' includes any public or private agency or institution to 
which FERPA applies under Sec.  99.1(a)(2), as well as any State 
educational authority (e.g., SEAs or postsecondary agency) or local 
educational authority or any other recipient to which funds have been 
made available under any program administered by the Secretary (e.g., a 
nonprofit organization, student loan guaranty agency, or a student loan 
lender), including funds provided by grant, cooperative agreement, 
contract, subgrant, or subcontract.
    Reasons: With the advent of SLDS, it is necessary for the 
Department to update our enforcement regulations to clearly set forth 
the Department's authority to investigate and enforce alleged 
violations of FERPA by State and local educational authorities or any 
other recipients of Department funds under a program administered by 
the Secretary. Current Sec. Sec.  99.60 through 99.67 only apply the 
enforcement provisions in FERPA to an ``educational agency or 
institution.'' Although the statute and the regulations broadly define 
the term ``educational agency or institution,'' the Department 
generally has not interpreted the term to include entities that 
students do not attend. The Department's interpretation is based upon 
the fact that FERPA defines ``education records'' as information 
directly related to a ``student,'' and that ``student'' is, in turn, 
defined as excluding a person who has not been in attendance at the 
educational agency or institution. 20 U.S.C. 1232g(a)(4) and (a)(6). 
Because students do not attend non-school types of entities the 
Department has generally not viewed these recipients of Department 
funds as being ``educational agencies or institutions'' under FERPA.
    Consequently, the current regulations do not clearly authorize FPCO 
to investigate, review, and process an alleged violation committed by 
recipients of Department funds under a program administered by the 
Secretary in which students do not attend. In addition, the regulations 
do not clearly authorize the Secretary to bring an enforcement action 
against these recipients. Further, it would not be fair to hold an LEA 
or institution of higher education (IHE) that originally disclosed the 
PII to a State or local educational authority responsible for violation 
of FERPA by the State or local educational authority because the LEA or 
IHE generally would not have an effective means to prevent such an 
improper redisclosure by a State or local educational authority.
    Therefore, the Department proposes to add a new Sec.  99.60(a)(2) 
that would clearly authorize the Department to hold State educational 
authorities(e.g., SEAs and State postsecondary agencies), local 
educational authorities, as well as other recipients of Department 
funds under any program administered by the Secretary (e.g., nonprofit 
organizations, student loan guaranty agencies, and student loan 
lenders), accountable for compliance with FERPA. The Department 
believes that this authority is especially important given the 
disclosures of PII needed to implement SLDS.
    Because the Department has generally not viewed these entities as 
being ``educational agencies or institutions'' under FERPA and 
consequently has not viewed most FERPA provisions as applying to them 
(e.g., the requirement in Sec.  99.7 to annually notify parents and 
eligible students of their rights under FERPA, and the requirement in 
Sec.  99.37 to give public notice to parents and eligible students 
about directory information, if it has a policy of disclosing directory 
information), we anticipate that most FERPA compliance issues involving 
these entities will concern whether they have complied with FERPA's 
redisclosure provision in Sec.  99.33.
    We expect that we will face few issues concerning these entities' 
compliance with the few additional FERPA provisions that may be 
applicable to them. For example, the FERPA requirements, in addition to 
those in Sec.  99.33, that may be applicable to entities that are not 
``educational agencies or institutions'' under FERPA include, but are 
not limited to, the right to inspect and review education records 
maintained by an SEA or any of its components under Sec.  99.10(a)(2), 
the requirement that organizations conducting studies under Sec.  
99.31(a)(6) must not permit the personal identification of parents and 
students by anyone other than representatives of that organization with 
legitimate interests in the information and must destroy or return 
personally identifiable information from education records when the 
information is no longer needed for the purposes for which the study 
was conducted, and the requirement in Sec.  99.35(b)(2) that personally 
identifiable information from education records that is collected by a 
State or local educational authority or agency headed by an official 
listed in Sec.  99.31(a)(3) in connection with an audit or evaluation 
of Federal or State supported education programs, or to enforce Federal 
legal requirements related to Federal or State supported education 
programs, must be destroyed when no longer needed for these purposes.

Executive Order 12866

    Under Executive Order 12866, the Secretary must determine whether 
this regulatory action is ``significant'' and therefore subject to the 
requirements of the Executive Order and subject to review by the Office 
of Management and Budget (OMB). Section 3(f) of Executive Order 12866 
defines a ``significant regulatory action'' as an action likely to 
result in a rule that may: (1) Have an annual effect on the economy of 
$100 million or more, or adversely affect a sector of the economy, 
productivity, competition, jobs, the environment, public health or 
safety, or State, local or Tribal governments or communities in a 
material way (also referred to as an ``economically significant'' 
rule); (2) create serious inconsistency or otherwise interfere with an 
action taken or planned by another agency; (3) materially alter the 
budgetary impacts of entitlement grants, user fees, or loan programs or 
the rights and obligations of recipients thereof; or (4) raise novel 
legal or policy issues arising out of legal mandates, the President's 
priorities, or the principles set forth in the Executive Order. The 
Secretary has determined that this regulatory action is significant 
under section 3(f) of the Executive order.
    In accordance with Executive Order 12866, the Secretary has 
assessed potential costs and benefits of this regulatory action and 
determined that the benefits justify the costs.

Need for Federal Regulatory Action

    These proposed regulations are needed to ensure that the 
Department's implementation of FERPA continues to protect the privacy 
of student education records, while allowing for the effective use of 
data in education records, particularly data in statewide longitudinal 
data systems.

Summary of Costs and Benefits

    Following is an analysis of the costs and benefits of the proposed 
changes to the FERPA regulations, which would make changes to 
facilitate the disclosure, without written consent, of education 
records, particularly data in

[[Page 19734]]

statewide longitudinal data systems, for the purposes of evaluating 
education programs and ensuring compliance with Federal and State 
requirements. In conducting this analysis, the Department examined the 
extent to which the proposed changes would add to or reduce the costs 
of educational agencies, other agencies, and institutions in complying 
with the FERPA regulations prior to these changes, and the extent to 
which the proposed changes are likely to provide educational benefit. 
Allowing data-sharing across agencies, because it increases the number 
of individuals who have access to personally identifiable information, 
may increase the risk of unauthorized disclosure. However, we do not 
believe that the staff in the additional agencies who will have access 
to the data are any more likely to violate FERPA than existing users, 
and the strengthened accountability and enforcement mechanisms will 
help to ensure better compliance overall. While there will be 
administrative costs associated with implementing data-sharing 
protocols, we believe that the relatively minimal administrative costs 
of establishing data-sharing protocols would be off-set by potential 
analytic benefits. Based on this analysis, the Secretary has concluded 
that the proposed modifications would result in savings to entities and 
have the potential to benefit the Nation by improving capacity to 
conduct analyses that will provide information needed to improve 
education.

Authorized Representative

    The proposed regulations would amend Sec.  99.3 by adding a 
definition of the term authorized representative that would include any 
individual or entity designated by an educational authority or certain 
other officials to carry out audits, evaluations, or enforcement or 
compliance activities relating to education programs. Under the current 
regulations, educational authorities may provide to authorized 
representatives PII for the purposes of conducting audits, evaluations, 
or enforcement and compliance activities relating to Federal and State 
supported education programs. The term ``authorized representative'' is 
not defined, but the Department's position has been that educational 
authorities may only disclose education records to entities over which 
they have direct control, such as an employee or a contractor of the 
authority. Therefore, SEAs have not been able to disclose PII to other 
State agencies, even for the purpose of evaluating education programs 
under the purview of the SEAs. For example, an SEA or LEA could not 
disclose PII to a State employment agency for the purpose of obtaining 
data on post-school outcomes such as employment for its former 
students. Thus, if an SEA or LEA wanted to match education records with 
State employment records for purposes of evaluating its secondary 
education programs, it would have to import the entire workforce 
database and do the match itself (or contract with a third party to do 
the same analysis). Similarly, if a State workforce agency wanted to 
use PII maintained by the SEA in its longitudinal educational data 
system, in combination with data it had on employment outcomes, to 
evaluate secondary vocational education programs, it would not be able 
to obtain the SEA's educational data in order to conduct the analyses. 
It would have to provide the workforce data to the SEA to conduct the 
analyses or to a third party (e.g., an entity under the direct control 
of the SEA) to construct the needed longitudinal administrative data 
systems. While feasible, these strategies force agencies to outsource 
their analyses to other agencies or entities, adding administrative 
cost, burden, and complexity. Moreover, preventing agencies from using 
data directly for conducting their own analytical work increases the 
likelihood that the work will not meet their expectations or get done 
at all. Finally, the current interpretation of the regulations exposes 
greater amounts of PII to risk of disclosure as a result of greater 
quantities of PII moving across organizations (e.g., the entire 
workforce database) than would be the case with a more targeted data 
request (e.g., graduates from a given year who appear in the workforce 
database). The proposed regulatory changes would permit educational 
agencies (and other entities listed in Sec.  99.31(a)(3)) to non-
consensually disclose PII to other State agencies or to house data in a 
common State data system, such as a data warehouse administered by a 
central State authority for the purposes of conducting audits or 
evaluations of Federal or State supported education programs, or for 
enforcement of and compliance with Federal legal requirements relating 
to Federal and State supported education programs (consistent with 
FERPA and other Federal and State confidentiality and privacy 
provisions).
    The Department also proposes to amend Sec.  99.35 to require that 
written agreements require PII to be used only to carry out an audit or 
an evaluation of Federal or State supported education program or for an 
enforcement or compliance activity in connection with Federal legal 
requirements that relate to those programs and protect PII from 
unauthorized disclosure. The cost of entering into such agreements 
should be minimal in relation to the benefits of being able to share 
data.

Education Program

    The proposed regulations would amend Sec.  99.3 by providing a 
definition of the term education program to clarify that an education 
program can include a program administered by a non-educational agency, 
e.g., an early childhood program administered by a human services 
agency or a career or technical training program administered by a 
workforce or labor agency. This proposed change, in combination with 
the proposed definition of the term authorized representative, would 
allow non-educational agencies to have easier access to PII in student 
education records that they could use to evaluate the education 
programs they administer. For example, this proposed change would 
permit nonconsensual disclosures of PII in elementary and secondary 
school education records to a non-educational agency that is 
administering an early childhood education program in order to evaluate 
the impact of its early childhood education program on its students' 
long-term educational outcomes. The potential benefits of this proposed 
change are substantial, including the benefits of non-educational 
agencies that are administering ``education programs'' being able to 
conduct their own analyses without incurring the prohibitive costs of 
obtaining consent for access to individual student records.

Research Studies

    Section (b)(1)(F) of FERPA permits educational agencies and 
institutions non-consensually to disclose PII to organizations 
conducting research studies for, or on behalf of, educational agencies 
or institutions that provided the PII, for statutorily-specified 
purposes. The proposed amendment to Sec.  99.31(a)(6) would permit any 
of the authorities listed in Sec.  99.31(a)(3), including SEAs, to 
enter into written agreements that provide for the disclosure of PII to 
research organizations for studies that would benefit the educational 
agencies or institutions that provided the PII to the SEA or other 
educational authorities, whether or not the educational authority has 
explicit authority to act on behalf of those agencies or institutions. 
The preamble to the final FERPA regulations published in the Federal 
Register on

[[Page 19735]]

December 9, 2008 (73 FR 74806, 74826) took the position that an SEA, 
for example, cannot re-disclose PII obtained from LEAs to a research 
organization unless the SEA had separate legal authority to act on an 
LEA's (or other educational institution's) behalf. Because, in 
practice, this authority may not be explicit in all States, we propose 
to amend Sec.  99.31 to specifically allow State educational 
authorities to enter into agreements with research organizations for 
studies that are for enumerated purposes under FERPA, such as studies 
to improve instruction (see proposed Sec.  99.31(a)(6)(ii)). The 
Department believes that this change will have benefits for education 
because it would reduce the administrative costs of, and reduce the 
barriers to, using student data, including data in SLDS, in order to 
conduct studies to improve education programs.

Authority to Evaluate

    Under current Sec.  99.35(a)(2), the authority for an SEA or LEA to 
conduct an audit, evaluation, or compliance or enforcement activity is 
not conferred by FERPA, but ``must be established under other Federal, 
State, or local authority.'' Lack of such explicit State or local 
authority has hindered the use of data in some States. The proposed 
amendments would remove the discussion of legal authority in order to 
clarify that FERPA and its implementing regulations do not require that 
a State or local educational authority have express legal authority to 
conduct audits, evaluations, or compliance or enforcement activities, 
but instead may obtain PII when they have implied authority to conduct 
evaluation, audit, and compliance activities of their own programs.
    This proposed change also would allow an SEA to receive PII from 
postsecondary institutions as needed to evaluate its own programs and 
determine whether its schools are adequately preparing students for 
higher education. The preamble to the final FERPA regulations published 
in the Federal Register on December 9, 2008 (73 FR 74806, 74822) 
suggested that PII in the records of postsecondary institutions could 
only be disclosed to an SEA if the SEA has legal authority to evaluate 
postsecondary institutions. This interpretation restricts SEAs from 
conducting analyses to determine how effectively they are preparing 
students for higher education and from identifying effective programs, 
and thus has hindered efforts to improve education. The primary benefit 
of this proposed change is that it would allow SEAs to conduct analyses 
(consistent with FERPA and other Federal and State confidentiality and 
privacy provisions) that they previously were unable to undertake, 
without incurring the prohibitive costs of obtaining consent from 
students or parents in order to obtain, without prior, written consent, 
PII for the purpose of program evaluations.

Educational Agency or Institution

    Sections (f) and (g) of FERPA authorize the Secretary to take 
appropriate actions to enforce and deal with FERPA violations, but 
subpart E of the FERPA regulations only addresses alleged violations of 
FERPA by an ``educational agency or institution.'' Because the 
Department has not interpreted that term to include agencies or 
institutions that students do not attend, the current FERPA regulations 
do not specifically permit the Secretary to bring an enforcement action 
against an SEA or other State or local educational authority that does 
not meet the definition of an ``educational agency or institution'' 
under FERPA. Thus, for example, if an SEA improperly redisclosed PII 
obtained from its LEAs, the Department would pursue enforcement actions 
against each of the LEAs, and not the SEA. Proposed Sec.  99.60(a)(2), 
which would define an ``educational agency or institution'' to include 
any State or local educational authority or other recipient that has 
received Department of Education funds, would allow the Department to 
pursue enforcement against a State agency or other recipient of 
Department funds that had allegedly disclosed the PII, rather than 
against the agency or institution that had provided the PII to the 
State agency or other recipient of Department funds.
    This change would result in some administrative savings and improve 
the efficiency of the enforcement process. Under the current 
regulations, if, for example, an SEA with 500 LEAs improperly 
redisclosed PII from its SLDS to an unauthorized party, the Department 
would need to investigate each of the 500 LEAs, which are unlikely to 
have knowledge relating to the disclosure. Under the proposed change, 
the LEAs would be relieved of any administrative costs associated with 
responding to the Department's request for information about the 
disclosure and the Department could immediately direct the focus of its 
investigation on the SEA, the agency most likely to have information on 
and bear responsibility for the disclosure of PII, without having to 
waste time and resources contacting the LEAs.
    We welcome public input and data to further inform and allow us to 
quantify the costs and benefits of these proposed changes. We 
particularly welcome information on the costs encountered by State 
agencies using education data maintained by SEAs and the impediments to 
using postsecondary education data.

2. Clarity of the Regulations

    Executive Order 12866 and the Presidential memorandum on ``Plain 
Language in Government Writing'' require each agency to write 
regulations that are easy to understand.
    The Secretary invites comments on how to make these proposed 
regulations easier to understand, including answers to questions such 
as the following:
     Are the requirements in the proposed regulations clearly 
stated?
     Do the proposed regulations contain technical terms or 
other wording that interferes with their clarity?
     Does the format of the proposed regulations (grouping and 
order of sections, use of headings, paragraphing, etc.) aid or reduce 
their clarity?
     Would the proposed regulations be easier to understand if 
we divided them into more (but shorter) sections? (A ``section'' is 
preceded by the symbol ``Sec.  '' and a numbered heading; for example, 
Sec.  99.35.)
     Could the description of the proposed regulations in the 
Supplementary Information section of this preamble be more helpful in 
making the proposed regulations easier to understand? If so, how?
     What else could we do to make the proposed regulations 
easier to understand?
    To send any comments that concern how the Department could make 
these proposed regulations easier to understand, see the instructions 
in the ADDRESSES section of this preamble.

Regulatory Flexibility Act Certification

    The Secretary certifies that this regulatory action will not have a 
significant economic impact on a substantial number of small entities.
    The small entities that this final regulatory action will affect 
are small LEAs. The Secretary believes that the costs imposed on 
applicants by these regulations would be limited to paperwork burden 
related to requirements concerning data-sharing agreements and that the 
benefits from ensuring that data from education records are collected, 
stored, and shared appropriately outweigh any costs incurred by 
applicants.
    The U.S. Small Business Administration Size Standards define as

[[Page 19736]]

``small entities'' for-profit or nonprofit institutions with total 
annual revenue below $7,000,000 or, if they are institutions controlled 
by small governmental jurisdictions (that are comprised of cities, 
counties, towns, townships, villages, school districts, or special 
districts), with a population of less than 50,000.
    According to estimates from the U.S. Census Bureau's Small Area 
Income and Poverty Estimates programs that were based on school 
district boundaries for the 2007-8 school year, there are 12,484 LEAs 
in the country that include fewer than 50,000 individuals within their 
boundaries and for which there is estimated to be at least one school-
age child. In its 1997 publication, Characteristics of Small and Rural 
School Districts, the National Center for Education Statistics defined 
a small school district as ``one having fewer students in membership 
than the sum of (a) 25 students per grade in the elementary grades it 
offers (usually K-8) and (b) 100 students per grade in the secondary 
grades it offers (usually 9-12).'' Using this definition, a district 
would be considered small if it had fewer than 625 students in 
membership. The Secretary believes that the 4,800 very small LEAs that 
meet this second definition are highly unlikely to enter into data-
sharing agreements directly with outside entities.
    The Department does not have reliable data with which to estimate 
how many of the remaining 7,684 small LEAs would enter into data-
sharing agreements. For small LEAs that enter into data-sharing 
agreements, we estimate that they would spend approximately 4 hours 
executing each agreement, using a standard data-sharing protocol. Thus, 
we assume the impact on the entities would be minimal. However, we 
invite comment from entities familiar with data-sharing in small 
districts on the number of entities likely to enter into agreements 
each year, the number of such agreements, and number of hours required 
to execute each agreement.

Federalism

    Executive Order 13132 requires us to ensure meaningful and timely 
input by State and local elected officials in the development of 
regulatory policies that have federalism implications.
    ``Federalism implications'' means substantial direct effects on the 
States, on the relationship between the national government and the 
States, or on the distribution of power and responsibilities among the 
various levels of government. The proposed regulations in Sec. Sec.  
99.3, 99.31(a)(6), and 99.35 may have federalism implications, as 
defined in Executive Order 13132, in that they will have some effect on 
the States and the operation of educational agencies and institutions 
subject to FERPA. We encourage State and local elected officials to 
review and provide comments on these proposed regulations. To 
facilitate review and comment by appropriate State and local officials, 
the Department will, aside from publication in the Federal Register, 
post the NPRM to the FPCO Web site and to the Privacy Technical 
Assistance Center (PTAC) Web site and make a specific e-mail posting 
via a special listserv that is sent to each State department of 
education superintendent and higher education commission director.

Paperwork Reduction Act of 1995

    Proposed Sec. Sec.  99.31(a)(6)(ii) and 99.35(a)(3) contain 
information collection requirements. Under the Paperwork Reduction Act 
of 1995 (44 U.S.C. 3507(d)), the Department of Education has submitted 
a copy of these sections to the Office of Management and Budget (OMB) 
for its review. (OMB Control Number 1875-0246.)
    The proposed regulations modify the information collection 
requirements in Sec.  99.31(a)(6)(ii) and Sec.  99.32(b)(2); however, 
the Department does not believe the proposed changes add any new burden 
to State or local educational authorities. Burdens associated with 
Sec. Sec.  99.31(a)(6)(ii) and 99.32(b)(2) were approved under OMB 
Control Number 1875-0246 when the December 9, 2008 regulations were 
published. The proposed change that would clarify that nothing in FERPA 
prevents a State or local educational authority or Federal agencies and 
officials listed in Sec.  99.31(a)(3) from entering into written 
agreements with organizations conducting studies, for or on behalf of 
educational agencies and institutions does not constitute a change or 
an increase in burden. This is because the provision would permit an 
organization conducting a study to enter into one written agreement 
with a State or local educational authority or Federal agency or 
official listed in Sec.  99.31(a)(3), rather than making the 
organization enter into many more written agreements with each school 
district or school that provided the data to the State or local 
educational authority or Federal agency or official listed in Sec.  
99.31(a)(3). The addition of the definition of the term authorized 
representative, which would permit a State or local educational 
authority, the Secretary, the Comptroller General of the United States, 
or the Attorney General of the United States to designate any entity or 
individual to conduct--with respect to Federal or State supported 
education programs--any audit, evaluation, or compliance or enforcement 
activity in connection with Federal legal requirements that related to 
those programs also does not constitute a change or an increase in 
burden because these entities are already required to record 
disclosures, pursuant to Sec.  99.32(b)(2).
    Section 99.35(a)(3) would be a new requirement that requires the 
agency headed by an official listed in Sec.  99.31(a)(3) to use a 
written agreement to designate any authorized representative other than 
an agency employee. Under the proposed regulations, the agreement would 
need to: (1) Designate the individual or entity as an authorized 
representative; (2) specify the information to be disclosed and the 
purpose for which the information is disclosed to the authorized 
representative (i.e., to carry out an audit or evaluation of Federal or 
State supported education programs, or for the enforcement of or 
compliance with Federal legal requirements that relate to those 
programs); (3) require the authorized representative to destroy or 
return to the State or local educational authority or agency headed by 
an official listed in Sec.  99.31(a)(3) personally identifiable 
information from education records when the information is no longer 
needed for the purpose specified; (4) specify the time period in which 
the information must be returned or destroyed; and (5) establish 
policies and procedures consistent with FERPA and other Federal and 
State privacy and confidentiality provisions to protect personally 
identifiable information from education records from further disclosure 
(except back to the disclosing entity) and unauthorized use, included 
limiting use of information by only those authorized representatives of 
the entity with legitimate interested. The burden for States under this 
provision is estimated at 40 hours annually for each educational 
authority (one for K-12 and one for postsecondary).
    If you want to comment on the proposed information collection 
requirements in these proposed regulations, please send your comments 
to the Office of Information and Regulatory Affairs, OMB, Attention: 
Desk Officer for the U.S. Department of Education. Send these comments 
by e-mail to OIRA_DOCKET@omb.eop.gov or by fax to (202) 395-6974. 
Commenters need only submit comments via one submission medium. You may 
also send a copy of these comments to the Department contact

[[Page 19737]]

named in the ADDRESSES section of this preamble.
    We consider your comments on these proposed collections of 
information in--
     Deciding whether the proposed collections are necessary 
for the proper performance of our functions, including whether the 
information will have practical use;
     Evaluating the accuracy of our estimate of the burden of 
the proposed collections, including the validity of our methodology and 
assumptions;
     Enhancing the quality, usefulness, and clarity of the 
information we collect; and
     Minimizing the burden on those who must respond. This 
includes exploring the use of appropriate automated, electronic, 
mechanical, or other technological collection techniques or other forms 
of information technology; e.g., permitting electronic submission of 
responses.
    OMB is required to make a decision concerning the collection of 
information contained in these proposed regulations between 30 and 60 
days after publication of this document in the Federal Register. 
Therefore, to ensure that OMB gives your comments full consideration, 
it is important that OMB receives the comments within 30 days of 
publication. This does not affect the deadline for your comments to us 
on the proposed regulations.

Intergovernmental Review

    This program is not subject to Executive Order 12372 and the 
regulations in 34 CFR part 79.

Assessment of Educational Impact

    In accordance with section 411 of the General Education Provisions 
Act, 20 U.S.C. 1221e-4, the Secretary particularly requests comments on 
whether these proposed regulations would require transmission of 
information that any other agency or authority of the United States 
gathers or makes available.

Electronic Access to This Document

    You may view this document, as well as all other Department of 
Education documents published in the Federal Register, in text or Adobe 
Portable Document Format (PDF) on the Internet at the following site: 
http://www.ed.gov/news/fedregister.
    To use PDF, you must have Adobe Acrobat Reader, which is available 
free at this site.

    Note: The official version of this document is the document 
published in the Federal Register. Free Internet access to the 
official edition of the Federal Register and the Code of Federal 
Regulations is available via the Federal Digital System at http://www.gpo.gov/fdsys.

(Category of Federal Domestic Assistance Number does not apply.)

List of Subjects in 34 CFR Part 99

    Administrative practice and procedure, Education records, Education 
research, Information, Personally identifiable information, Privacy, 
Records, Statewide longitudinal data systems.

    Dated: April 1, 2011.
Arne Duncan,
Secretary of Education.
    For the reasons discussed in the preamble, the Secretary proposes 
to amend part 99 of title 34 of the Code of Federal Regulations as 
follows:

PART 99--FAMILY EDUCATIONAL RIGHTS AND PRIVACY

    1. The authority citation for part 99 continues to read as follows:

    Authority: 20 U.S.C. 1232g, unless otherwise noted.

    2. Section 99.3 is amended by:
    A. Adding, in alphabetical order, definitions for ``authorized 
representative'' and ``education program''.
    B. Revising the definition of ``directory information''.
    The additions and revision read as follows:


Sec.  99.3  What definitions apply to these regulations?

* * * * *
    Authorized representative means any entity or individual designated 
by a State or local educational authority or an agency headed by an 
official listed in Sec.  99.31(a)(3) to conduct--with respect to 
Federal or State supported education programs--any audit, evaluation, 
or compliance or enforcement activity in connection with Federal legal 
requirements that relate to those programs.

(Authority: 20 U.S.C. 1232g(b)(1)(C), (3), and (5))

* * * * *
    Directory information means information contained in an education 
record of a student that would not generally be considered harmful or 
an invasion of privacy if disclosed.
    (a) Directory information includes, but is not limited to, the 
student's name; address; telephone listing; electronic mail address; 
photograph; date and place of birth; major field of study; grade level; 
enrollment status (e.g., undergraduate or graduate, full-time or part-
time); dates of attendance; participation in officially recognized 
activities and sports; weight and height of members of athletic teams; 
degrees, honors, and awards received; and the most recent educational 
agency or institution attended.
    (b) Directory information does not include a student's--
    (1) Social security number; or
    (2) Student identification (ID) number, except as provided in 
paragraph (c) of this section.
    (c) Directory information includes--
    (1) A student ID number, user ID, or other unique personal 
identifier used by a student for purposes of accessing or communicating 
in electronic systems, but only if the identifier cannot be used to 
gain access to education records except when used in conjunction with 
one or more factors that authenticate the user's identity, such as a 
personal identification number (PIN), password or other factor known or 
possessed only by the authorized user; and
    (2) A student ID number or other unique personal identifier that is 
displayed on a student ID badge, but only if the identifier cannot be 
used to gain access to education records except when used in 
conjunction with one or more factors that authenticate the user's 
identity, such as a PIN, password, or other factor known or possessed 
only by the authorized user.

(Authority: 20 U.S.C. 1232g(a)(5)(A))

* * * * *
    Education program means any program that is principally engaged in 
the provision of education, including, but not limited to, early 
childhood education, elementary and secondary education, postsecondary 
education, special education, job training, career and technical 
education, and adult education.

(Authority: 20 U.S.C. 1232g(b)(3), (5))

* * * * *
    3. Section 99.31 is amended by:
    A. Redesignating paragraphs (a)(6)(ii) through (v) as paragraphs 
(a)(6)(iii) through (vi), respectively.
    B. Adding a new paragraph (a)(6)(ii).
    C. Revising the introductory text of newly redesignated paragraph 
(a)(6)(iii).
    D. Revising the introductory text of newly redesignated paragraph 
(a)(6)(iii)(C).
    E. Revising newly redesignated paragraph (a)(6)(iii)(C)(4).
    F. Revising newly redesignated paragraph (a)(6)(iv).
    G. Revising newly redesignated paragraph (a)(6)(v).
    The addition and revisions read as follows:

[[Page 19738]]

Sec.  99.31  Under what conditions is prior consent not required to 
disclose information?

    (a) * * *
    (6) * * *
    (ii) Nothing in the Act or this part prevents a State or local 
educational authority or agency headed by an official listed in 
paragraph (a)(3) of this section from entering into agreements with 
organizations conducting studies under paragraph (a)(6)(i) of this 
section and redisclosing personally identifiable information from 
education records on behalf of educational agencies and institutions 
that disclosed the information to the State or local educational 
authority or agency headed by an official listed in paragraph (a)(3) of 
this section in accordance with the requirements of Sec.  99.33(b).
    (iii) An educational agency or institution may disclose personally 
identifiable information under paragraph (a)(6)(i) of this section, and 
a State or local educational authority or agency headed by an official 
listed in paragraph (a)(3) of this section may redisclose personally 
identifiable information under paragraph (a)(6)(i) and (a)(6)(ii) of 
this section, only if--
* * * * *
    (C) The educational agency or institution or the State or local 
educational authority or agency headed by an official listed in 
paragraph (a)(3) of this section enters into a written agreement with 
the organization that--
* * * * *
    (4) Requires the organization to destroy or return to the 
educational agency or institution or the State or local educational 
authority or agency headed by an official listed in paragraph (a)(3) of 
this section all personally identifiable information when the 
information is no longer needed for the purposes for which the study 
was conducted and specifies the time period in which the information 
must be returned or destroyed.
    (iv) An educational agency or institution or State or local 
educational authority or agency headed by an official listed in 
paragraph (a)(3) of this section is not required to initiate a study or 
agree with or endorse the conclusions or results of the study.
    (v) If the Family Policy Compliance Office determines that a third 
party, outside the educational agency or institution, or the State or 
local educational authority or agency headed by an official listed in 
paragraph (a)(3) of this section to which personally identifiable 
information is disclosed under paragraph (a)(6) of this section, 
violates paragraph (a)(6)(iii)(B) of this section, then the educational 
agency or institution, or the State or local educational authority or 
agency listed in paragraph (a)(3) of this section from which the 
personally identifiable information originated may not allow the third 
party responsible for the violation of paragraph (a)(6)(iii)(B) of this 
section access to personally identifiable information from education 
records for at least five years.
* * * * *
    4. Section 99.35 is amended by:
    A. Revising paragraph (a)(2).
    B. Adding a new paragraph (a)(3).
    C. Revising paragraph (b).
    D. Adding a new paragraph (d).
    E. Revising the authority citation at the end of the section.
    The additions and revisions read as follows:


Sec.  99.35  What conditions apply to disclosure of information for 
Federal or State program purposes?

    (a) * * *
    (2) The State or local educational authority or agency headed by an 
official listed in Sec.  99.31(a)(3) is responsible for using 
reasonable methods to ensure that any entity or individual designated 
as its authorized representative--
    (i) Uses personally identifiable information from education records 
only to carry out an audit, evaluation, or an activity for the purpose 
of enforcement of, or ensuring compliance with, Federal legal 
requirements related to Federal or State supported education programs;
    (ii) Protects the personally identifiable information from further 
disclosures or other uses, except as authorized in paragraph (b)(1) of 
this section; and
    (iii) Destroys the personally identifiable information in 
accordance with the requirements of paragraphs (b) and (c) of this 
section.
    (3) The State or local educational authority or agency headed by an 
official listed in Sec.  99.31(a)(3) must use a written agreement to 
designate any authorized representative, other than an employee. The 
written agreement must--
    (i) Designate the individual or entity as an authorized 
representative;
    (ii) Specify the information to be disclosed and that the purpose 
for which the information is disclosed to the authorized representative 
is to carry out an audit or evaluation of Federal or State supported 
education programs, or to enforce or to comply with Federal legal 
requirements that relate to those programs;
    (iii) Require the authorized representative to destroy or return to 
the State or local educational authority or agency headed by an 
official listed in Sec.  99.31(a)(3) personally identifiable 
information from education records when the information is no longer 
needed for the purpose specified;
    (iv) Specify the time period in which the information must be 
returned or destroyed; and
    (v) Establish policies and procedures, consistent with FERPA and 
other Federal and State confidentiality and privacy provisions, to 
protect personally identifiable information from education records from 
further disclosure (except back to the disclosing entity) and 
unauthorized use, including limiting use of personally identifiable 
information to only authorized representatives with legitimate 
interests.
    (b) Information that is collected under paragraph (a) of this 
section must--
    (1) Be protected in a manner that does not permit personal 
identification of individuals by anyone other than the authorities or 
agencies headed by officials referred to in paragraph (a) of this 
section and their authorized representatives, except that those 
authorities and agencies may make further disclosures of personally 
identifiable information from education records on behalf of the 
educational agency or institution in accordance with the requirements 
of Sec.  99.33(b); and
    (2) Be destroyed when no longer needed for the purposes listed in 
paragraph (a) of this section.
* * * * *
    (d) If the Family Policy Compliance Office finds that a State or 
local educational authority, an agency headed by an official listed in 
Sec.  99.31(a)(3), or an authorized representative of a State or local 
educational authority or an agency headed by an official listed in 
Sec.  99.31(a)(3), improperly rediscloses personally identifiable 
information from education records, the educational agency or 
institution from which the personally identifiable information 
originated may not allow the authorized representative, or the State or 
local educational authority or the agency headed by an official listed 
in Sec.  99.31(a)(3), or both, access to personally identifiable 
information from education records for at least five years.

(Authority: 20 U.S.C. 1232g(b)(1)(C), (3), and (5))


    5. Section 99.37 is amended by:
    A. Revising paragraph (c).
    B. Redesignating paragraph (d) as paragraph (e) and adding a new 
paragraph (d).
    The additions and revisions read as follows:

[[Page 19739]]

Sec.  99.37  What conditions apply to disclosing directory information?

* * * * *
    (c) A parent or eligible student may not use the right under 
paragraph (a)(2) of this section to opt out of directory information 
disclosures to--
    (1) Prevent an educational agency or institution from disclosing or 
requiring a student to disclose the student's name, identifier, or 
institutional e-mail address in a class in which the student is 
enrolled; or
    (2) Prevent an educational agency or institution from requiring a 
student to wear, to display publicly, or to disclose a student ID card 
or badge that exhibits information that may be designated as directory 
information under Sec.  99.3 and that has been properly designated by 
the educational agency or institution as directory information in the 
public notice provided under paragraph (a)(1) of this section.
    (d) In its public notice to parents and eligible students in 
attendance at the agency or institution that is described in paragraph 
(a) of this section, an educational agency or institution may specify 
that disclosure of directory information will be limited to specific 
parties, for specific purposes, or both. When an educational agency or 
institution specifies that disclosure of directory information will be 
limited to specific parties, for specific purposes, or both, the 
educational agency or institution must limit its directory information 
disclosures to those specified in its public notice that is described 
in paragraph (a) of this section.
* * * * *
    6. Section 99.60 is amended by redesignating paragraph (a) as 
paragraph (a)(1) and adding a new paragraph (a)(2) to read as follows:


Sec.  99.60  What functions has the Secretary delegated to the Office 
and to the Office of Administrative Law Judges?

    (a) * * *
    (2) Solely for the purposes of this subpart, an ``educational 
agency or institution'' includes any public or private agency or 
institution to which this part applies under Sec.  99.1(a)(2), as well 
as any State or local educational authority or any other recipient to 
which funds have been made available under any program administered by 
the Secretary, including funds provided by grant, cooperative 
agreement, contract, subgrant, or subcontract.
* * * * *
[FR Doc. 2011-8205 Filed 4-7-11; 8:45 am]
BILLING CODE 4000-01-P